The Future of MCP: Why the Standard Wins Despite Its Cracks
The Model Context Protocol has become the de facto standard for AI agent tool integration in under 18 months, but faces critical gaps in security, pricing transparency, and governance maturity. Explosive adoption coexists with poor implementation: 36.7% of public MCP servers have SSRF vulnerabilities and only 8.5% use OAuth, creating significant enterprise risk. Teams adopting MCP should mandate OAuth 2.1 authentication and security audits before production deployment.
The Model Context Protocol went from Anthropic’s internal experiment to the de facto standard for AI agent tool integration in under eighteen months. That kind of adoption curve is rare — and it raises a harder question: can a protocol this young actually hold up under the weight of enterprise production, regulatory scrutiny, and a security landscape that’s still catching up?
The short answer is yes, but not without significant growing pains. What I call the Stack Gap pattern is playing out in real time: MCP’s protocol-market fit has dramatically outpaced its commercial and security maturity. The transport layer is settling, but the layers above it — pricing transparency, authentication standards, governance tooling — remain contested and immature. That gap is where most of the risk lives for teams adopting MCP today.
The Adoption Numbers Are Real, but They Tell Two Stories
Let’s start with what’s verifiable. MCP SDK downloads hit 97 million per month by March 2026, up from roughly 2 million at launch in November 2024. The official registry contained 9,652 active public server records as of May 24, 2026, and Anthropic cites over 10,000 active public servers. Stacklok’s 2026 survey found 41% of surveyed software organizations in limited or broad production with MCP servers. Twenty-eight percent of Fortune 500 companies have deployed MCP servers for production AI workflows.
Those are the numbers that make MCP look unstoppable. But here’s the other side of the same data: BlueRock Security’s research found that 36.7% of public MCP servers carry SSRF (server-side request forgery) vulnerabilities, 41% have no authentication at all, and only 8.5% use OAuth. Thirty-plus CVEs were filed in January and February 2026 alone.
The contradiction is stark. Explosive adoption is happening alongside degraded implementation quality. MCP has become the standard precisely because the N×M integration problem it solves is so painful — but the protocol explicitly leaves identity and security out of scope, which means the security burden falls entirely on server implementers. Most of them aren’t equipped for it.
The July 2026 Spec Revision: Maturity Through Constraint
The 2026-07-28 MCP specification release candidate is the most significant revision since launch, and it signals that the maintainers understand the maturity gap. The headline change is a stateless protocol core — session IDs are removed, the initialize/initialized handshake disappears, and every request becomes self-contained with client info traveling in _meta headers.
This matters more than it sounds. In the previous spec, remote MCP servers needed sticky sessions and shared session stores, which meant gateways had to understand MCP-specific routing. That’s a deployment headache that scales poorly. The new stateless design means any server instance can handle any request, and ordinary HTTP infrastructure — round-robin load balancers, standard reverse proxies — works without protocol-specific logic.
The release candidate also tightens OAuth requirements, aligning more closely with OAuth 2.1 and OpenID Connect deployments. That’s a direct response to the authentication gap: if the protocol won’t mandate identity, it can at least make proper identity easier to implement. The final spec ships July 28, 2026, and it contains breaking changes — teams running remote servers against the current spec will need to migrate.
For a deeper breakdown of the protocol’s architecture and what the spec changes mean for your integration strategy, see our full MCP developer guide.
The Pricing Problem Nobody Wants to Talk About
MCP server pricing is structurally opaque. Vendors use per-tool, per-call, per-seat, per-workspace, or flat-rate models, and the headline sticker rarely matches what teams actually pay after token costs, overage charges, and EU-hosting premiums land in the renewal invoice.
Here’s where it gets painful. Mid-market teams running 12 connectors burn €20,000–€80,000 annually on Anthropic token costs alone, before platform fees. A single Claude conversation now averages 8–15 tool calls, so per-call pricing scales roughly 4x faster than headcount. Agentic loops — where an agent iteratively calls tools to complete a task — multiply that further.
| Cost Component | Range | Notes |
|---|---|---|
| Platform fees (mid-market) | — | Varies by vendor; verify with provider |
| Anthropic token costs | €20,000–€80,000/year | Mid-market, 12 connectors, per Peliqan |
| MCP server development | $25,000–$400,000+ | Per Bacancy Technology; $40K–$120K for most production builds |
| Enterprise token cost reduction | 67% YoY drop | Multi-model routing achieves 71% median reduction, per AICC Report |
The counterintuitive part: enterprise token costs dropped 67% year-over-year as of April 2026, with multi-model routing achieving median cost reductions of 71% versus single-provider deployments. Open-source models captured 38% of enterprise token volume for the first time. So while sticker shock is real for teams locked into a single provider, the overall cost trajectory is sharply downward for organizations willing to route intelligently.
The vendors winning the MCP platform race are optimizing for the wrong layer. They’re wrapping the cheap, standardized transport while the expensive, unstandardized risks — token spend and server-side security — leak through the seams. Their opaque pricing models actively obscure the total cost collapse happening in token spend.
For a detailed breakdown of platform pricing models and hidden costs, see our MCP tools and platforms comparison.
The Regulatory Paradox: Compliance Deadlines on Hold
The EU AI Act’s high-risk system rules were originally scheduled to enter into force on August 2, 2026, requiring audit-grade gateway logs for agents touching credit, employment, healthcare, or critical infrastructure data. That deadline would have made MCP governance infrastructure a hard requirement for European enterprises almost overnight.
Then the European Parliament voted in March 2026 to delay enforcement until December 2027. Product-embedded AI systems get until August 2028.
This creates a compliance planning paradox. Enterprises that built governance infrastructure to meet the August 2026 deadline may have over-invested on a compressed timeline. Enterprises that waited may find themselves scrambling if the political winds shift again. The smart move is to build governance that’s modular — gateway logs, RBAC, audit trails — without assuming a fixed enforcement date.
What Enterprise Teams Should Actually Do
The protocol is settling. The security is not. The pricing is opaque but improving. And the regulatory landscape is in flux. Given all that, here’s the framework that makes sense:
Require OAuth 2.1 as a hard procurement gate. The protocol’s explicit exclusion of identity management means the security burden falls entirely on the server implementer. With only 8.5% of public servers using OAuth, gateways alone can’t fix the gap. Make authentication a vendor qualification criterion, not a nice-to-have.
Separate platform cost from token cost in your budgeting. They scale differently. Platform fees are predictable; token costs are a function of agentic loop depth and model routing strategy. Multi-model routing can cut token spend by 71%, but only if your architecture supports it from the start.
Plan for the July 2026 spec migration now. The breaking changes in the 2026-07-28 release candidate aren’t optional — spec-tracking clients like Claude will negotiate the new version. If you’re running remote MCP servers, start testing against the release candidate today.
Don’t wait for regulation to force governance. The EU AI Act delay is a reprieve, not a cancellation. Build audit logging and access control into your MCP deployment now, so you’re not retrofitting under pressure in 2027.
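The authentication gate, access control and audit trail recommended above can be enforced per request at a gateway, since each MCP JSON-RPC request can be judged on its own. The sketch below is an added example, not code from this article or from any MCP SDK; the role names, tool names and the shape of the token claims are assumptions, and OAuth token validation is assumed to happen before `authorize` is called.

```python
import hashlib
import json
import time

# Constructed policy: role and tool names are hypothetical.
POLICY = {
    "analyst": {"search_tickets", "read_report"},
    "admin": {"search_tickets", "read_report", "delete_ticket"},
}
GENESIS = "0" * 64

class AuditLog:
    """Append-only log; each record embeds the hash of the one before it."""
    def __init__(self):
        self.records, self._prev = [], GENESIS

    def append(self, entry):
        body = json.dumps({"prev": self._prev, "ts": time.time(), **entry}, sort_keys=True)
        self._prev = hashlib.sha256(body.encode()).hexdigest()
        self.records.append({"body": body, "hash": self._prev})

    def verify(self):
        """Detects altered, reordered or mid-chain deleted records (not tail truncation)."""
        prev = GENESIS
        for rec in self.records:
            digest = hashlib.sha256(rec["body"].encode()).hexdigest()
            if digest != rec["hash"] or json.loads(rec["body"])["prev"] != prev:
                return False
            prev = digest
        return True

def authorize(request, claims, log):
    """Decide one self-contained MCP JSON-RPC request and log the decision.

    claims: payload of an already-validated OAuth access token, or None if the
    caller had no valid token. Assumed shape: {"sub": str, "role": str}.
    """
    method, params = request.get("method"), request.get("params")
    tool = params.get("name") if method == "tools/call" and isinstance(params, dict) else None
    if claims is None:
        decision, reason = "deny", "unauthenticated"
    elif method == "tools/call" and tool not in POLICY.get(claims.get("role"), set()):
        decision, reason = "deny", "tool_not_permitted"
    else:  # other methods (e.g. tools/list) only need a valid token here
        decision, reason = "allow", "ok"
    log.append({"sub": claims.get("sub") if claims else None, "id": request.get("id"),
                "method": method, "tool": tool, "decision": decision, "reason": reason})
    return decision == "allow"
```

Denied and allowed requests are both logged, and a malformed `tools/call` with no tool name is denied because it matches no entry in the policy.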
For teams evaluating the enterprise tradeoffs in more depth, our MCP for enterprise teams guide covers the centralized control plane requirements most organizations underbudget for.
The Real Question
MCP isn’t becoming the standard because it’s perfect. It’s becoming the standard because the alternative — N×M custom integrations for every AI model and every tool — is worse. The protocol solved a genuine architectural problem, and the industry consolidated around it faster than the security, pricing, and governance layers could mature.
That’s not a reason to avoid MCP. It’s a reason to adopt it with clear eyes about where the gaps are, and to build your infrastructure assuming that the layers above the protocol will take another two to three years to catch up. The teams that win won’t be the ones that waited for MCP to be “ready.” They’ll be the ones that adopted early, gated hard on security, and built governance that doesn’t depend on a regulatory deadline to justify its existence.