AI Dev Patterns: MCP One Year in Production, Enterprise Gaps and the Stateless Rewrite, 2026-06-01

MCP: One Year in Production — What's Working, What's Broken, What Comes Next

Model Context Protocol (MCP) launched in November 2024. Eighteen months later, StackOne published a detailed retrospective based on running MCP servers in production for enterprise integrations, and the findings are sobering for teams treating MCP as a production-ready standard rather than a capable but immature protocol.

The headline wins are real. MCP's vendor-neutral design means the same server works across Claude, GPT-4, Gemini, and local models without modification. Dynamic tool discovery — agents querying available tools at runtime rather than relying on hardcoded lists — has proven genuinely useful for large tool surfaces. Adoption metrics are strong: 97 million monthly SDK downloads, over 10,000 active servers, and integration by OpenAI, Microsoft, and Google. For simple integration cases like connecting to Notion or GitHub, MCP made setup significantly easier than building custom integrations.

The critical gaps are equally concrete. Multi-tenancy is absent. MCP was designed for single-user, local deployment, and it shows. There are no native mechanisms for tool visibility controls, per-user permission boundaries, or data isolation preventing cross-tenant leaks. The Asana "Confused Deputy" vulnerability — where servers cached responses without re-verifying tenant context — is a concrete example of what happens when a protocol designed for one user is deployed for many. Authentication is similarly incomplete: OAuth 2.1 support exists technically, but SDKs assume servers double as authorization servers, making integration with enterprise identity providers like Okta or Azure AD a painful set of workarounds. Token lifecycle management with third-party authorization is consistently cited as a production blocker.
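To make the cached-response confused-deputy pattern concrete, the following constructed example (added here; not StackOne's or Asana's code) shows a tool server that caches by record id alone, so the first tenant's answer is served to every later caller, beside a version that keys the cache on tenant context and re-runs the authorization check on a miss. The tenant names and records are invented.

```python
"""Multi-tenant response caching: confused-deputy bug beside the tenant-scoped fix.
Constructed example; tenants, users and records are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    tenant_id: str
    user_id: str


# Constructed backing store: (tenant, record_id) -> content. A record id is
# only meaningful inside its tenant; the same id exists in several tenants.
RECORDS = {
    ("acme", "doc-1"): "Acme Q3 forecast",
    ("globex", "doc-1"): "Globex merger memo",
}


def fetch_record(caller: Caller, record_id: str) -> str:
    """Authoritative lookup: refuses records outside the caller's tenant."""
    try:
        return RECORDS[(caller.tenant_id, record_id)]
    except KeyError:
        raise PermissionError(f"{caller.tenant_id} may not read {record_id}")


class NaiveCachedServer:
    """Bug: cache key ignores tenant, so authorization runs only for the first caller."""

    def __init__(self) -> None:
        self.cache: dict = {}

    def get_record(self, caller: Caller, record_id: str) -> str:
        if record_id not in self.cache:
            self.cache[record_id] = fetch_record(caller, record_id)
        return self.cache[record_id]  # served to any tenant, no re-check


class TenantScopedCachedServer:
    """Fix: tenant id is part of the key, so every tenant's first access is authorized
    by fetch_record and hits can never cross a tenant boundary."""

    def __init__(self) -> None:
        self.cache: dict = {}

    def get_record(self, caller: Caller, record_id: str) -> str:
        key = (caller.tenant_id, record_id)
        if key not in self.cache:
            self.cache[key] = fetch_record(caller, record_id)
        return self.cache[key]
```

In the naive server a tenant with no record at all still receives another tenant's cached data without ever raising PermissionError, which is the leak the retrospective describes.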

The upcoming MCP specification release candidate (final publication scheduled July 28, 2026) addresses the infrastructure pain directly. The protocol core is being made stateless, which means remote MCP servers that previously required sticky sessions, a shared session store, and deep-packet inspection at the gateway can now run behind a plain round-robin load balancer. The Extensions framework, Task primitives, MCP Apps, authorization hardening, and a formal deprecation policy are also included. The stateless shift is the most consequential change: it does not simplify the protocol for users, but it dramatically simplifies operating it at scale. A parallel development worth watching is the emerging "Agent Skills" abstraction, where MCP servers are wrapped into outcome-oriented capability packages that reduce context overhead and present use cases more intuitively than raw APIs. Anthropic's research showing that having agents write code to call MCP tools rather than directly invoking them reduces token usage by 98.7% has practical implications for teams hitting context limits in large agentic workflows.

Read more — StackOne Blog


Safe & Secure AI Agent Practices

Prompt Injection Tops OWASP LLM Top 10 for a Third Year — 2026 Defense Playbook

OWASP's LLM Top 10 for 2026 ranks prompt injection as the number one vulnerability in AI systems for the third consecutive year. The 340% year-over-year increase in attacks reflects a structural reality: production AI agents in 2026 read web pages on users' behalf, parse uploaded documents, ingest support tickets, summarize email threads, and call tools that return arbitrary text. Every one of those input streams is a potential instruction channel that a model cannot reliably distinguish from trusted operator instructions.

Security researchers have converged on a multi-layer defense model rather than a single technical control. The ICLR 2026 paper introducing PromptArmor demonstrated under 1% false positive and false negative rates on the AgentDojo benchmark, while PromptGuard reduces injection success rates by 67% — but the authors of both papers emphasize that no single technique is sufficient. The operational baseline emerging from production deployments is a seven-layer stack: input handling that structurally separates trusted from untrusted text; output filtering that validates structure before the agent acts; capability sandboxing that constrains what the agent runtime can execute; privilege separation giving each tool the minimum permissions needed; canary tokens as tripwires for data exfiltration attempts; a policy engine running deterministic checks before high-impact actions; and continuous red teaming on all ingestion surfaces. Equixly's security assessment of real-world MCP implementations found command injection vulnerabilities in 43% of tested servers, SSRF vulnerabilities in 30%, and arbitrary file access in 22% — underscoring that the problem extends beyond LLMs to the tool infrastructure agents rely on.

For development teams, the practical shift is treating AI agent pipelines with the same threat modelling discipline applied to public-facing APIs: assume all external input is untrusted, enforce least-privilege on tool permissions, require explicit confirmation for high-impact operations, and log agent decisions with enough context to detect exfiltration attempts after the fact. OWASP's LLM Application Security Verification Standard provides a structured checklist, and the NIST AI RMF's GenAI Profile (AI 600-1) maps these controls to regulatory frameworks for teams operating in regulated industries.
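The following constructed example (added here; not code from PromptArmor, PromptGuard, OWASP or any cited vendor) shows how several layers of the stack above and the practices in the previous paragraph fit into one tool dispatcher: per-tool least-privilege scopes, a deterministic policy check that blocks high-impact tools until the user has explicitly confirmed, a canary token tripwire on outbound tool arguments, and an audit record for every decision. Tool names, scopes and the canary value are invented.

```python
"""Pre-action policy checks for an agent tool dispatcher. Constructed example."""
from dataclasses import dataclass

# Constructed tripwire value seeded into the agent's context; it must never appear
# in data leaving the runtime through a tool call.
CANARY = "CANARY-7f3a9c"
HIGH_IMPACT = {"send_email", "delete_file"}  # need explicit user confirmation


@dataclass(frozen=True)
class ToolGrant:
    name: str
    scopes: frozenset  # least-privilege: the only scopes this tool may use


GRANTS = {
    "read_ticket": ToolGrant("read_ticket", frozenset({"tickets:read"})),
    "send_email": ToolGrant("send_email", frozenset({"mail:send"})),
}

# Constructed stand-ins for real tools.
TOOLS = {
    "read_ticket": lambda ticket_id: f"ticket {ticket_id}: printer on fire",
    "send_email": lambda to, body: f"sent to {to}",
}


class PolicyViolation(Exception):
    pass


def check_policy(tool: str, args: dict, session_scopes: set, confirmed: bool) -> None:
    """Deterministic checks run before the tool executes; any failure blocks the call."""
    grant = GRANTS.get(tool)
    if grant is None:
        raise PolicyViolation(f"unknown tool {tool}")
    if not grant.scopes <= session_scopes:
        raise PolicyViolation(f"{tool} needs scopes {sorted(grant.scopes)}")
    if tool in HIGH_IMPACT and not confirmed:
        raise PolicyViolation(f"{tool} requires explicit user confirmation")
    outbound = " ".join(str(v) for v in args.values())
    if CANARY in outbound:
        raise PolicyViolation("canary token in outbound data: possible exfiltration")


def dispatch(tool: str, args: dict, session_scopes: set, confirmed: bool = False, audit: list = None):
    """Run policy, then the tool; record the decision with enough context to investigate later."""
    audit = audit if audit is not None else []
    try:
        check_policy(tool, args, session_scopes, confirmed)
    except PolicyViolation as e:
        audit.append({"tool": tool, "args": args, "decision": "blocked", "reason": str(e)})
        return None
    audit.append({"tool": tool, "args": args, "decision": "allowed"})
    return TOOLS[tool](**args)
```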

Read more — AIRIA


Written by Stanislav Lentsov, Software Architect