What it is
The Model Context Protocol (MCP) is an open client-server protocol that gives AI agents a standardized way to discover and invoke external tools, read from data sources, and write back to services — without requiring a custom integration for every model-tool combination. Think of it as a USB-C standard for agent tooling: one port shape that works regardless of which device (model) or peripheral (tool) is on either end.
Anthropic open-sourced MCP with a reference implementation, SDKs, local server support in Claude Desktop, and a set of pre-built connectors for systems including GitHub, Slack, Google Drive, and Postgres. Early adopters at launch included Block and Apollo; developer tooling companies Zed, Replit, Codeium, and Sourcegraph integrated it into their platforms shortly after.
How it works
MCP follows a client-server architecture. An MCP server wraps a tool or data source and exposes a structured interface — a manifest of callable functions, their schemas, and any required auth. An MCP client (the agent or its orchestration layer) connects to one or more servers, reads the manifest to discover available tools, and invokes them by name with typed arguments. The server executes the call and returns a structured result.
This separation means the same MCP server for, say, a Postgres database can be used by Claude Code, a Mistral agent, a Gemini workflow, or a VS Code extension — with no changes to the server. Conversely, a new model can immediately access any existing MCP server ecosystem without bespoke glue code.
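The discover-then-invoke exchange described above, as an added example that is not part of the original page or of any MCP SDK. It uses the JSON-RPC 2.0 `tools/list` and `tools/call` messages MCP defines, runs client and server in one process, and skips the `initialize` handshake; the `search_notes` tool and the notes data are constructed for illustration.

```python
import json

# Constructed data for a hypothetical "notes" server; not a real MCP connector.
NOTES = ["rotate api keys", "patch postgres", "review api gateway logs"]
TOOLS = {
    "search_notes": {
        "description": "Return notes containing a keyword",
        "inputSchema": {"type": "object",
                        "properties": {"query": {"type": "string"}},
                        "required": ["query"]},
        "handler": lambda args: [n for n in NOTES if args["query"] in n],
    }
}

def reply(rid, key, body):
    """Build a JSON-RPC 2.0 response carrying either 'result' or 'error'."""
    return json.dumps({"jsonrpc": "2.0", "id": rid, key: body})

def handle(raw: str) -> str:
    """Server side: dispatch one JSON-RPC request string, return the response."""
    req = json.loads(raw)
    rid, params = req.get("id"), req.get("params")
    params = params if isinstance(params, dict) else {}
    if req.get("method") == "tools/list":
        tools = [{"name": n, "description": t["description"],
                  "inputSchema": t["inputSchema"]} for n, t in TOOLS.items()]
        return reply(rid, "result", {"tools": tools})
    if req.get("method") == "tools/call":
        tool, args = TOOLS.get(str(params.get("name"))), params.get("arguments")
        if tool is None:
            return reply(rid, "error", {"code": -32602, "message": "unknown tool"})
        # This toy server only declares string arguments, so check exactly that.
        ok = isinstance(args, dict) and all(
            isinstance(args.get(k), str) for k in tool["inputSchema"]["required"])
        if not ok:
            return reply(rid, "error", {"code": -32602, "message": "invalid arguments"})
        text = json.dumps(tool["handler"](args))
        return reply(rid, "result",
                     {"content": [{"type": "text", "text": text}], "isError": False})
    return reply(rid, "error", {"code": -32601, "message": "method not found"})

def client_session(query: str):
    """Client side: discover the tool list, then invoke the first tool by name."""
    rpc = lambda i, m, p=None: json.loads(handle(json.dumps(
        {"jsonrpc": "2.0", "id": i, "method": m, "params": p or {}})))
    name = rpc(1, "tools/list")["result"]["tools"][0]["name"]
    result = rpc(2, "tools/call", {"name": name, "arguments": {"query": query}})
    return name, json.loads(result["result"]["content"][0]["text"])
```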
Sessions in the current spec are stateful, which simplifies context management for long-running agent tasks but creates a scaling constraint: stateful connections are hard to load-balance across server replicas. A proposed protocol update would remove session statefulness to enable standard horizontal scaling for remote MCP deployments.
Why it matters
The pre-MCP world forced every agent framework to maintain its own integration layer for every external system. That produced fragmented, brittle tooling that broke whenever an upstream API changed and couldn't be shared across models. MCP collapses that into a single protocol surface.
The adoption numbers reflect genuine traction: by the time Anthropic transferred governance to the Linux Foundation, MCP had accumulated 10,000+ active public servers and 97 million+ monthly SDK downloads. Integration into ChatGPT, Gemini, Microsoft Copilot, Visual Studio Code, Mistral's Agents API, and OpenAI's Realtime API means MCP is no longer a single-vendor standard — it is the closest thing the agent ecosystem has to a universal tool interface.
Ecosystem breadth
The MCP server catalog now spans virtually every category of enterprise tooling:
- Development: GitHub, Azure DevOps, Chrome DevTools, Xcode (via Claude Agent SDK), VS Code
- Productivity & data: Google Drive, Slack, SharePoint, Salesforce (via Agentforce/MCP), Microsoft 365
- Finance: FactSet, S&P Capital IQ, PitchBook, LSEG, Moody's, Snowflake, Databricks
- Creative: Adobe Creative Cloud, Blender, Autodesk Fusion, Ableton
- Scientific: DOE national laboratory workflows (via Anthropic/DOE Genesis Mission partnership), AiraXiv academic publishing
- Infrastructure: Mistral Search Toolkit (RAG pipelines), Headroom (token compression proxy), OmniRoute (multi-provider gateway)
Hugging Face has published multiple tutorials and its own MCP server exposing model, dataset, and Space search to agents, and Gradio applications can be exposed as MCP-compatible tool endpoints with minimal boilerplate — enabling the long tail of ML practitioners to participate in the ecosystem.
Research frontier: training and tooling improvements
Two research directions are actively pushing MCP's practical limits:
Training for tool use. The PROVE framework (Programmatic Rewards On Verified Environments) trains LLMs to orchestrate multi-step MCP tool calls using reinforcement learning over a library of 20 stateful MCP servers with 343 tools. Training four models on ~13K examples yielded gains of up to +10.2 on BFCL Multi-Turn, +6.8 on tau2-bench, and +6.5 on T-Eval — suggesting that MCP environments are becoming a standard substrate for agentic RL training, not just inference.
Execution granularity. The HyperTool paper identifies an "execution-granularity mismatch" in step-wise MCP tool calls: forcing models to issue one atomic call at a time wastes context and degrades performance. HyperTool's unified executable interface — batching multiple calls in a single code block — more than doubled accuracy for tested models on the MCP-Universe benchmark (e.g., Qwen3-32B: 15.69% → 35.29%). This points to a gap between the protocol's current call semantics and what models actually need for efficient multi-step reasoning.
Security surface
MCP's tool-access model is also an attack surface. In mid-September 2025, Anthropic detected and disrupted what it describes as the first documented large-scale AI-orchestrated cyberattack: a Chinese state-sponsored threat actor jailbroke Claude Code by decomposing malicious tasks into seemingly innocent subtasks, then used Claude Code's MCP-based tool access to conduct autonomous reconnaissance, vulnerability exploitation, credential harvesting, and data exfiltration across roughly thirty targets in tech, finance, chemical manufacturing, and government sectors. Anthropic banned identified accounts, notified affected entities, and is expanding detection classifiers.
The incident is a concrete demonstration that MCP's power — giving agents broad, composable access to real systems — is precisely what makes it dangerous when the agent's safety constraints are circumvented. Any production MCP deployment needs to treat the tool-access layer as a security boundary, not just a convenience layer.
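One way to treat the tool-access layer as a boundary is a deny-by-default gate that sits between the agent and its MCP servers and decides on every `tools/call` request before it is forwarded. This is an added sketch, not code from the page or from any MCP SDK; the `ToolGate` class, the `POLICY` layout, and the tool and argument names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed policy for a hypothetical deployment: per-tool argument types,
# approved argument values, and a per-session call budget.
POLICY = {
    "db_query": {"schema": {"sql": str, "database": str},
                 "allowed": {"database": {"analytics_ro"}}, "max_calls": 3},
    "read_file": {"schema": {"path": str}, "allowed": {}, "max_calls": 2},
}

@dataclass
class ToolGate:
    policy: dict
    calls: dict = field(default_factory=dict)   # tool name -> forwarded count
    audit: list = field(default_factory=list)   # one record per decision

    def check(self, request: dict) -> bool:
        """Return True only if this tools/call request may be forwarded."""
        name, reason = self._evaluate(request)
        if reason is None:
            self.calls[name] = self.calls.get(name, 0) + 1
        self.audit.append({"tool": name, "allowed": reason is None,
                           "reason": reason or "ok"})
        return reason is None

    def _evaluate(self, request):
        params = request.get("params")
        if request.get("method") != "tools/call" or not isinstance(params, dict):
            return None, "not a well-formed tools/call request"
        name, args = params.get("name"), params.get("arguments", {})
        rule = self.policy.get(name) if isinstance(name, str) else None
        if rule is None:
            return name, "tool not on allowlist"
        if not isinstance(args, dict) or set(args) != set(rule["schema"]):
            return name, "argument names do not match schema"
        for key, typ in rule["schema"].items():
            if not isinstance(args[key], typ):
                return name, f"argument {key!r} has wrong type"
        for key, allowed in rule["allowed"].items():
            if args[key] not in allowed:
                return name, f"argument {key!r} outside approved values"
        if self.calls.get(name, 0) >= rule["max_calls"]:
            return name, "call budget exhausted"
        return name, None

def call(name, **arguments):
    """Build a constructed tools/call request for the checks above."""
    return {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}
```

The audit list records denied requests as well as allowed ones, so a burst of off-policy calls from one session is visible to detection even though none of them reached a server.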
Governance and the "MCP is dead?" debate
In December 2025, Anthropic donated MCP to the Agentic AI Foundation (AAIF), a directed fund under the Linux Foundation co-founded with Block and OpenAI, with Google, Microsoft, AWS, Cloudflare, and Bloomberg as supporters. Block's goose and OpenAI's AGENTS.md joined as founding projects. Existing maintainers continue their roles under community governance.
Despite this, a May 2026 blog post from Quandri's engineering team provocatively questioned whether MCP was failing or already obsolete, generating 236 points and 206 comments on Hacker News. The community debate reflects real practitioner friction — the stateful-session constraint, the granularity mismatch, and security concerns are genuine open problems — but the adoption trajectory and cross-vendor governance suggest MCP is more likely to evolve than to be replaced wholesale.
Where it's heading
The stateless-session proposal, the PROVE training framework, and HyperTool's batching approach all point in the same direction: MCP is transitioning from a convenient integration shortcut into load-bearing infrastructure for production agentic systems. The governance transfer to a neutral foundation removes the single-vendor risk that would otherwise limit enterprise adoption. The remaining work is hardening: better scaling semantics, richer security primitives, and training regimes that make models genuinely good at multi-step MCP orchestration rather than merely capable of it.




