The Model Context Protocol has a numbers problem. The protocol has more than 10,000 active public MCP servers and 97 million or more monthly SDK downloads across Python and TypeScript, with adoption across ChatGPT, Cursor, Gemini, Microsoft Copilot, and Visual Studio Code. And yet the thing that enterprises actually need to run it safely inside their own infrastructure is, in the maintainers' own words, the least-defined of their four priority areas for 2026.
That gap is the story.
At the MCP Dev Summit in New York last week, MCP's lead maintainer David Soria Parra and counterparts from Anthropic, AWS, Microsoft, and OpenAI sat on a roundtable panel to discuss the protocol's enterprise roadmap. The message was broadly reassuring: governance is maturing, transport is evolving, agent-to-agent communication is on the agenda. But when the conversation turned to what enterprises need to run MCP in production environments subject to audit requirements, the honest answer was that nobody has built it yet — and the working group to define what "it" looks like does not exist.
The protocol itself is not the problem. MCP was donated in December 2025 by Anthropic, Block, and OpenAI to the Agentic AI Foundation (AAIF), a directed fund under the Linux Foundation. The foundation has grown to 170 members, with AWS, Google, Microsoft, Cloudflare, and Bloomberg as platinum members. The governance structure gives the founding donors structural primacy over the roadmap. This is not unusual for open-source foundations, but it means that when AWS and Microsoft show up to a working group with the most enterprise customers, their standing is defined by membership tier, not by what they've shipped into the ecosystem.
What enterprises are hitting in production is documented. An Asana MCP integration had a tenant isolation failure affecting more than 1,000 enterprises because of a scope definition error; the flaw has no publicly assigned CVE number. (For reference, CVE-2025-53109, advisory GHSA-q66q-fx2p-7w4m, is the Filesystem MCP Server symlink bypass, a separate issue.) Astrix Security found in 2025 that 53 percent of 5,000 or more MCP servers use static or hard-coded credentials. These are not theoretical vulnerabilities; they are the result of deploying agentic infrastructure faster than the governance model can track.
The 2026 roadmap addresses four enterprise gaps: audit trails, single sign-on authentication, gateway and proxy behavior, and configuration portability across clients. The plan is to solve them as extensions to the core spec rather than bloating the base protocol for users who do not need enterprise compliance. This is the right architectural call. It is also an admission that enterprise readiness will arrive as a layer on top of the protocol, not inside it, which means the companies that build those enterprise extension layers will own a meaningful piece of the value chain, whether or not they have a seat at the AAIF table.
The risk is not that extensions will not ship. The risk is that multiple enterprise auth vendors will ship incompatible ones before the working group defines the interface. If single sign-on integrations fork along proprietary lines before a standard emerges, the portability promise of MCP fractures at exactly the layer where enterprises most need consistency. The protocol solves the integration problem. The governance gap determines whether the solution is a standard or a market.
What the roadmap offers is a timeline: extensions for enterprise readiness are expected to land in 2026. What it does not offer is a finished spec, a working group charter, or a committed deliverable. The maintainers have named the problem accurately and invited practitioners to define the work. That is honest. Whether 2026 produces usable enterprise infrastructure or just a more detailed list of gaps depends entirely on whether the right people show up to the working group — and whether the companies with the most to gain from enterprise MCP adoption have enough standing in the room to shape what gets built.
The protocol that is supposed to make AI agents interoperable is being adopted faster than its governance model can support. That is a familiar pattern in infrastructure — and a familiar warning.