I’m not going to waste your time arguing whether Model Context Protocol “won.” If you ship software in 2026, you’ve already felt it — tools showing up the same way across editors, vendors, little local servers that make your LLM suddenly useful.
The interesting part starts the day someone says: cool demo, can we put this behind SSO for twelve thousand people?
That’s when the romance ends and the plumbing begins.
The year the conversation changed
For a while it felt like the whole industry was arguing about standards the way we used to argue about JSON vs XML. Then the argument moved, almost without anyone announcing it.
The public MCP roadmap for 2026 isn’t poetry — it’s load balancers, session semantics, gateways, audit trails. Dry reading, honestly. Also the first sign that grown-ups showed up: the protocol isn’t a TikTok trend anymore; it’s infrastructure.
I’m glad. Infrastructure is where my anxiety lives, and it should live there.
Two different products with the same acronym
On my machine, MCP is almost unfairly pleasant. Spin up a server, pipe stdio, watch the client light up. Tweak a tool schema, reload, repeat. The feedback loop feels like the early days of React — messy, sure, but alive.
Production is the version where nobody cares how fast you iterated locally.
Who is this session as? Which tenant’s rows can those tool calls touch? What happens when an agent loops and hammers your rate limit? What if the client updated Tuesday and the server didn’t?
If your rollout plan only describes the left column, you don’t have a platform strategy. You have a neat party trick — and party tricks don’t survive compliance questionnaires.
The thing nobody wants to say at the showcase
Every tool an LLM can call is a little API someone can misuse — accidentally, maliciously, or helpfully in exactly the wrong way.
Prompt injection isn’t some academic scare story; it’s “the model did what the text told it, and the text wasn’t yours.” Add over-broad tool permissions and you’re one creative conversation away from a very exciting Monday.
So the habits that felt obvious on REST suddenly matter again:
Prefer small, boring tools over one “do it all” god-function. Enforce auth where the data lives, not in the model’s good intentions. When you can, make scary operations idempotent or reversible. Log the thing you wish you had in the postmortem — tool name, hashed args, correlation id, outcome.
None of this is MCP-specific. That’s the point. New protocol, same adult table.
If you can’t see it, you can’t own it
Here’s a quiet truth I’ve learned the hard way: an agent trace is a distributed system whether you instrument it or not.
If you can’t answer “which tool flaked after how many retries,” or “which customer blew our budget,” you’re not going to defend the roadmap when finance shows up with graphs.
Draw the span across model, gateway, and server. Spend the afternoon. Future you owes you coffee.
Gateways are unsexy and that’s why they work
Almost every serious enterprise story I’ve heard converges on a handful of boring ideas: a hub that terminates TLS and applies policy, pinned server versions with CI checks, kill switches when a specific tool goes sideways.
Not cynicism. Survivor bias.
Why I’m still glad MCP exists
Standards are how we stop reinventing the same fragile glue for every product team. MCP did something genuinely useful: it made “expose capability to a model” feel normal.
The work that’s left isn’t a headline; it’s auth, audit, scaling, failure. The teams that treat that as product engineering — not a weekend hack squeezed between model launches — are the ones whose agents survive first contact with paying humans.
The rest stays in the demo video. You know the one.
