The Model Context Protocol started as a cleaner way to connect AI systems to tools and data.
That was useful. It was also only the beginning.
The more interesting shift is happening now: MCP is turning into operational infrastructure for agents. Not just a connector format. Not just a developer convenience. A shared layer where discovery, authorization, routing, audit, long-running work, and user consent all have to become boring enough for production.
That is the real story in the latest MCP cycle.
The recent signals are not subtle. The MCP project has a major 2026-07-28 specification release candidate on the table. OpenAI is documenting remote MCP servers for ChatGPT apps, deep research, and API integrations. Cloudflare is making MCP part of its agent platform. Microsoft is putting MCP behind Windows discovery, containment, admin control, logging, and Dynamics 365 business operations. The official MCP registry is becoming the public catalog layer.
Taken together, this looks less like a protocol fad and more like the early shape of the agent operating model.
The short version
MCP is moving from "how does my agent call a tool?" to "how does an organization let agents use tools safely?"
That changes the center of gravity.
The first wave of MCP adoption was about integration speed. A developer could expose a database, repo, browser, CRM, payment provider, or internal API as a server, then let an MCP-compatible client discover and call it.
The next wave is about production control:
- Which tools can this agent discover?
- Who approved this server?
- What identity is the agent acting under?
- What permissions were granted?
- Can the request be routed, cached, traced, and rate-limited?
- Can a user or admin audit what happened later?
- What happens when the work takes minutes instead of milliseconds?
Those questions sound less exciting than a demo. They are also the questions that decide whether agents are allowed anywhere near real business systems.
The 2026 MCP release candidate is about scale, not novelty
The most important recent MCP development is the 2026-07-28 specification release candidate, published by the MCP maintainers on May 21, 2026 (Model Context Protocol).
The headline features are big: a stateless protocol core, first-class extensions, Tasks, MCP Apps, authorization hardening, full JSON Schema 2020-12 support for tools, and a formal deprecation policy.
The practical message is even bigger.
MCP is being reshaped so remote servers can behave more like ordinary production HTTP services.
In earlier versions, Streamable HTTP relied on protocol-level sessions. That made sense for early implementations, but it complicated horizontal scaling. Sticky routing and shared session stores are exactly the kind of infrastructure detail that turns a clean protocol into a fragile deployment.
The release candidate removes the handshake and protocol-level session. A request can carry the protocol version, client information, and capabilities with it. A tool call can land on any server instance. Routing metadata moves into headers. List and resource reads can include cache guidance. Trace context is documented so observability can follow a call through the host, client SDK, MCP server, and downstream services.
That is not just a developer ergonomics improvement. It is a sign that MCP is growing up into something cloud platforms, gateways, security teams, and operations teams can understand.
The same release also moves long-running work into a Tasks extension. That matters because real agent work is often not a single fast function call. It may involve waiting for an external system, polling status, reconciling state, or letting a human approve a step before continuing.
The old question was whether an agent could call a tool.
The production question is whether an agent can start work, pause cleanly, resume safely, and leave a useful trail behind.
Remote MCP is becoming the default mental model
Local MCP servers made the protocol tangible. They were easy to run, easy to inspect, and especially natural inside developer tools.
But the industry direction is clearly remote.
OpenAI's developer documentation describes building MCP servers for ChatGPT apps, deep research, and API integrations. It frames MCP as an industry standard for extending AI models with additional tools and knowledge, with remote servers connecting models over the Internet to new data sources and capabilities (OpenAI).
Cloudflare's agent documentation also puts remote MCP directly in the platform story. It describes building and deploying MCP servers on Cloudflare, with remote MCP clients connecting over the Internet using Streamable HTTP and authorizing access to user account resources through OAuth (Cloudflare).
This is the turn that matters.
Local servers are useful when the user and the tool live on the same machine. Remote servers are what you need when the tool is a product, an enterprise system, a hosted workflow, or a service used across many users and agents.
Remote MCP also forces the hard questions into the open. Authentication cannot be a local config file forever. Server discovery cannot be a pasted URL forever. Tool trust cannot be "someone on GitHub published a wrapper." Data handling cannot be a shrug.
Once MCP servers are remote, they become part of the same operational world as APIs: identity, permissions, monitoring, incident response, vendor trust, and lifecycle management.
That may sound obvious. It is still a major step for the agent ecosystem.
Registries are becoming the map
The official MCP registry is another important signal (MCP Registry, GitHub).
At a surface level, a registry is a directory: a place to discover Model Context Protocol servers. Underneath that, it points to a deeper problem. Agents need a way to find capabilities, but organizations need a way to decide which capabilities are allowed.
There will not be one registry for everything.
Public registries help developers discover servers. Private registries and enterprise catalogs help companies approve internal tools. Platform-specific registries help operating systems, IDEs, agent platforms, and app stores keep their own policy boundaries.
This is already visible in Microsoft's approach. MCP on Windows includes an On-device Agent Registry for discovering and using agent connectors from local apps and remote servers. The stated benefits are not just discovery. They include containment, approved resource access, user and admin control, logging, and auditability (Microsoft Learn).
That is the registry story in miniature.
For hobby projects, discovery is convenience. For companies, discovery is governance.
Microsoft is showing what enterprise MCP might look like
Microsoft's recent MCP work is worth watching because it pushes the protocol into places where permissions and audit matter.
On Windows, MCP is tied to the On-device Agent Registry, with controls for users and IT administrators. That makes MCP connectors look less like random developer extensions and more like managed system capabilities.
In Dynamics 365 finance and operations apps, Microsoft documents a dynamic ERP MCP server that lets agents work with data and business logic through data tools, form tools, and action tools. The older static server with a fixed set of tools is being retired in the 2026 calendar year in favor of the dynamic server (Microsoft Learn).
That is a useful marker for the whole ecosystem.
The first version of an MCP server often looks like a wrapper around a few obvious operations. The mature version starts to reflect the actual shape of the application: data operations, page-level workflows, actions, permissions, and business logic.
Enterprise MCP will not be won by the longest tool list.
It will be won by the servers that respect the underlying product's permission model, expose useful actions at the right level of abstraction, and make agent behavior legible to the people responsible for the system.
Security is moving from warning label to architecture
MCP has always had an uncomfortable security profile: it gives models access to tools.
That is the point. It is also the risk.
The current direction suggests the ecosystem is getting more honest about this. The MCP release candidate hardens authorization, including closer alignment with OAuth and OpenID Connect patterns. OpenAI's MCP documentation warns builders and users to connect only to trusted servers, especially official servers operated by the service provider itself, because an MCP server may receive sensitive data during an interaction.
This is the right kind of discomfort.
It is not enough to say "be careful." Production MCP needs default patterns that reduce the chance of a bad connection in the first place.
That means:
- official servers for major services
- clear server identity and ownership
- scoped authorization
- user-visible consent
- admin allowlists and denylists
- tool descriptions that do not smuggle instructions
- audit logs that explain what the agent did
- revocation that works after the demo is over
The security story is not separate from the MCP story. It is the MCP story, once agents start doing real work.
MCP Apps may blur the line between tool and interface
One of the more interesting pieces in the 2026 release candidate is MCP Apps: server-rendered user interfaces that hosts can display in sandboxed iframes.
This sounds small until you think through the workflow.
Some agent actions should not be completed through text alone. A user may need to compare options, approve a risky action, review a generated object, choose between accounts, or inspect the state of a system before the agent continues.
If every MCP interaction is only a text exchange plus tool call, builders will keep reinventing tiny confirmation UIs around the protocol. MCP Apps suggests a more standardized path: the server can provide an interface, the host can render it safely, and the resulting action can still travel through the same consent and audit path as a tool call.
That could make MCP more than a back-end integration layer.
It could become the place where agent actions, human approval, and service-specific UI meet.
What builders should do now
If you are building MCP servers, the direction is clear.
Design for remote operation even if you start locally. That means explicit state handles, clean authorization boundaries, predictable tool schemas, and logs that help someone debug an agent action after the fact.
Treat discovery as part of the product. A server that cannot be found, identified, trusted, versioned, and retired cleanly will age badly.
Prefer narrow, high-confidence tools over broad, magical ones. The best tool is not the one that gives the model unlimited power. It is the one that lets the model complete a meaningful task inside a permission boundary a human can understand.
Plan for approval flows. Elicitation, Tasks, MCP Apps, and host-level consent all point in the same direction: serious agents will need to stop and ask before certain actions.
Follow the authorization work closely. The details may feel tedious, but they are where production trust is built.
And if you run an enterprise platform, start thinking about MCP the way you think about APIs, browser extensions, OAuth apps, and SaaS integrations. It needs an owner. It needs policy. It needs monitoring. It needs a lifecycle.
For AIvikings, this is exactly why our MCP surface is intentionally focused. Domain operations are not harmless autocomplete. Checking availability, registering a domain, changing nameservers, renewing, and reconciling state need a tool layer that agents can use without turning production systems into a guessing game. The AIvikings MCP walkthrough, docs, and comparison page explain how we think about that boundary.
The boring layer is the important layer
MCP's next phase will probably be less flashy than its first.
That is a good sign.
The early excitement was about giving agents tools. The next step is giving organizations confidence that those tools can be discovered, authorized, routed, observed, governed, and shut off when necessary.
That is what makes agents useful outside the demo loop.
The industry does not need every application to bolt on a chatbot. It needs a reliable way for agents to interact with the systems businesses already depend on.
MCP is not guaranteed to own that layer forever. Standards can fragment. Vendors can overreach. Security failures can slow adoption. But the latest developments show the ecosystem working on the right class of problem.
Not "Can the agent call the tool?"
"Can the agent call the right tool, with the right permission, through the right path, and leave enough evidence that everyone can trust what happened?"
That is the agent infrastructure question now. For teams thinking about agent-native domain operations, contact us.
Sources
- The 2026-07-28 MCP Specification Release Candidate
- Official MCP Registry
- modelcontextprotocol/registry on GitHub
- OpenAI: Building MCP servers for ChatGPT Apps and API integrations
- OpenAI: New tools and features in the Responses API
- Cloudflare Agents docs: Model Context Protocol
- Microsoft Learn: MCP on Windows overview
- Microsoft Learn: Use Model Context Protocol for finance and operations apps