Join us for the Year end Webinar on "The State of Agentic AI Security": Top Trends in 2025.

Join us for the Year end Webinar on "The State of Agentic AI Security": Top Trends in 2025.

Join us for the Year end Webinar on "The State of Agentic AI Security": Top Trends in 2025.

One Year of MCP: How it Became the Foundation for Enterprise Agentic AI

In just one year, the Model Context Protocol (MCP) evolved from a niche spec into the core interface layer powering enterprise agentic AI. Learn how adoption accelerated, why security emerged as a critical category, and what this means for the future of AI-driven workflows in 2026.

Ankita Gupta, Akto CEO

Ankita Gupta

Dec 1, 2025

One Year of MCP
One Year of MCP
One Year of MCP

Twelve months ago, MCP (Model Context Protocol) was a niche spec discussed mostly by early AI engineers. Today, it’s the connective tissue behind agentic workflows inside enterprises powering IDEs, AI Agents, secure tool calling, and platform teams building their first AI agents.

In one year, MCP went from:

spec → adoption → ecosystem → attack surface → security category.

I am writing this post to break down what actually happened in last one year and what's the future of MCP.

The Promise: Why MCP Even Mattered (Dec 2024 - Feb 2025)

The early thesis was simple:

Agents need structured, permissioned access to tools, APIs, and data without everyone reinventing wrappers.

In the first 60 days:

  • Cursor shipped an MCP-based dev environment.

  • LangChain, Modal, and others hinted at early support.

  • Internal platform teams at big companies started writing their own MCP servers to expose internal data sources.

  • Enterprises realized MCP could unify 100+ internal systems behind one agent interface.

The inflection: MCP wasn’t framed as an “OpenAI thing.” It became a plumbing layer.

Adoption Hits Escape Velocity (Mar - Jun 2025)

MCP’s breakout moment came between March and June 2025, when it shifted from an early-adopter experiment to a mainstream enterprise interface. AI tooling vendors and internal platform teams began standardizing on MCP simultaneously, creating a rapid flywheel of adoption.

Signals of rapid adoption:

  • AI IDEs like Cursor, VS Code, JetBrains, and Zed shipped MCP support, making it the default wiring layer for agent workflows.

  • Enterprise platform teams wrapped core systems with MCP servers including JIRA, Confluence, GitHub, Datadog, AWS services, and dozens of internal CRUD APIs.

The biggest surprise: Even companies that banned AI agents especially banks, insurers, and large healthcare organizations still permitted MCP servers because they offered deterministic, permission-controlled access. MCP gave enterprises a structured, controllable interface layer, effectively becoming the API gateway of the agentic ecosystem.

MCP didn’t just give agents tools; it gave enterprises a new interface layer.

The Security Reality Check (Jun – Aug 2025)

Adoption brought sprawling and that brought visibility concern. Security teams quickly realized something uncomfortable: MCP servers behave like high-privilege micro-applications inside enterprise environments. They can read sensitive data, write to production systems, execute commands, run code, store API tokens, and sit directly on developer machines or CI/CD pipelines often with more effective privilege than internal microservices themselves.

By mid-2025, multiple public analyses and open-source audits highlighted a pattern of real-world MCP vulnerabilities emerging across community and enterprise deployments. These included overly permissive tool definitions that allowed unintended actions, weak authentication between agents and servers, servers exposing broad filesystem access without sandboxing, and command-execution endpoints that lacked parameter validation.

Several GitHub-hosted MCP servers were found with hardcoded tokens, missing access controls, or insecure defaults, making them susceptible to impersonation or misuse. Security researchers also pointed out that local MCP servers often ran with user-level privileges inside IDEs, meaning any untrusted or misconfigured server could quietly influence local development environments or access sensitive workspace files.

These issues reflected the natural immaturity of a rapidly growing ecosystem. But taken together, they forced security teams to confront the architectural truth: MCP introduced a new, highly privileged interface layer, and without guardrails, it expanded the attack surface across developer workflows, internal tooling, and production automation.

The Birth of MCP Security as a Category (July – Oct 2025)

As MCP spread across engineering workflows, two powerful forces emerged inside enterprises and they were directly at odds. Security leaders demanded governance. Developers demanded enablement. MCP Security was born at the intersection of these two needs.

A. Security Teams Wanted Governance & Guardrails

By late 2025, CISOs and security architects recognized that MCP had become a high-privilege interface touching identity, data, infrastructure, and production systems - yet it operated outside traditional IAM, PAM, API gateways, or DevSecOps tooling. They urgently needed:

  • Control: Who can create, install, or run MCP servers?

  • Permission boundaries: What can each tool do? What actions are allowed, restricted, or denied?

  • Token governance: How are API keys, credentials, and secrets handled across servers?

  • Execution rules: Under what conditions can an agent call a tool, escalate its actions, or modify systems?

  • Visibility: Are there logs, session traces, and audit trails for MCP-driven activity?

  • Risk reduction: How to prevent over-privilege, impersonation, and accidental destructive actions?

The shared realization was clear: MCP servers had become a new, ungoverned attack surface. Security needed visibility, guardrails, and policy enforcement before adoption could scale safely.

Akto was the first MCP Security platform launched in July 2025

B. Developers Wanted Enablement & Adoption

At the exact same time, developer teams were embracing MCP faster than any new workflow interface in years. They used it to automate releases, triage incidents, generate documentation, manage PRs, interact with cloud resources, and build internal agents. Their expectation was simple:

  • “Let me install and build MCP servers without slow approvals.”

  • “Don’t block automation, help me move faster.”

  • “Give me a safe environment where I can experiment without waiting weeks for sign-off.”

For developers, MCP represented velocity a unified framework to automate everything they touched. And they wanted that velocity without friction, bottlenecks, or ticket queues.

What the First Year Taught us and What 2026 Will Bring

The first year showed that MCP servers hold meaningful privilege: they access data, trigger actions, and operate inside IDEs and CI pipelines. This required teams to treat MCP servers like microservices using authentication, scoped permissions, logging, and version control.

Enterprises also saw gaps in visibility. Most could not answer questions like which MCP servers existed, what actions they enabled, or who created them. This led to the first internal MCP policies, approved server lists, and review processes.

In 2026, MCP will solidify as a standard interface layer for enterprise AI operations. Teams will publish and manage MCP servers the way they manage APIs. Security will move toward action-level controls: permission boundaries, policy enforcement, and runtime guardrails. MCP Security platforms will become necessary to provide discovery, permissions, and oversight as usage scales.

Final Thoughts

MCP has crossed the “adoption” threshold.

Now comes the harder part: governance, standardization, security, and enterprise-grade controls.

The First Year of MCP Was Plumbing. The Next Will Be Governance.

More Resources:

Follow us for more updates

Experience enterprise-grade Agentic Security solution

Book a demo

Book a demo

Start now

Start now