Enterprise MCP Adoption: Why the Model Context Protocol Became Infrastructure

MCP crossed the line from developer convenience to enterprise infrastructure. The proof is not a hype cycle. It is a governance model: in December 2025 Anthropic donated the Model Context Protocol to the Linux Foundation's Agentic AI Foundation, with Block, OpenAI, Google, Microsoft, AWS, Cloudflare, and Bloomberg on board. When a protocol stops belonging to one vendor and starts being governed by a cross-industry foundation, the question changes from "is this a fad?" to "what does standardizing on it actually require?"

A five-stage progression showing MCP moving from developer experiments and exploration to a standardized, governed connection layer for enterprise AI.

Is MCP an industry standard now? On the evidence, yes. Anthropic's Chief Product Officer Mike Krieger said MCP "has become the industry standard for connecting AI systems to data and tools." Microsoft CTO Kevin Scott called it "the HTTP of the agentic web" at Build 2025. That is not marketing language from a single startup. It is the shared vocabulary of the companies that build the models, the clouds, and the enterprise platforms your agents will run on.

This piece is the entry point to how enterprises should think about MCP: what the adoption evidence actually shows, what the version timeline tells you about maturity, and where the protocol stops and your architecture has to take over. Here is the distinction that governs the whole discussion.

Enterprise requirementMCP aloneMCP + governed semantic layer
Standardized tool discoveryYesYes
Identity propagation to backing systemsPartial, via OAuthEnforced at compile time
Compile-time RBAC, ABAC, row and column policyNoYes
Metric consistency across agentsNoYes
Join-path proofNoYes
Warehouse-agnostic executionDepends on the serverYes, across 16+ engines
Audit trail per queryPartialYes, per compiled SQL statement

Read the table as the argument of the whole series. The point is not to replace MCP. The point is to add a governance layer, not swap the protocol. Standardizing on MCP is a real and correct decision. It is also the first decision, not the last one.

The Linux Foundation moment: why the governance change matters

MCP started in developer circles. It was discussed alongside tool calling, agent frameworks, and weekend experiments. Teams used it to connect a model to a handful of tools and prove that an AI assistant could do more than chat. That phase is over.

The turning point was structural. Anthropic donated MCP to the Agentic AI Foundation, a directed fund of the Linux Foundation, in December 2025. The co-founders are Anthropic, Block, and OpenAI. The platinum and supporting members include Google, Microsoft, AWS, Cloudflare, and Bloomberg. Founding projects include Block's goose agent and OpenAI's AGENTS.md.

A single-vendor protocol carries single-vendor risk. A protocol governed by a foundation whose members are direct competitors carries a different signal: none of them can quietly break it, and all of them have an incentive to keep it interoperable. That is the difference between a clever integration format and enterprise infrastructure you can budget against.

The version timeline tells you it is maturing, not thrashing

A protocol you build enterprise systems on has to evolve without breaking you. MCP's revision history shows deliberate movement toward stateless, governed, long-running workloads rather than churn.

RevisionWhat it added
2024-11-05Initial launch by Anthropic. Creators David Soria Parra and Justin Spahr-Summers.
2025-03-26OAuth authorization and transport maturity.
2025-06-18Structured tool outputs, elicitation, and MCP servers reclassified as OAuth Resource Servers.
2025-11-25Current stable revision. Tasks for async work, an extensions framework, and server-side agent loops.
2026-07-28 (release candidate)A stateless protocol core, MCP Apps, OAuth 2.0 and OpenID Connect hardening, and a formal deprecation policy.

The current stable revision is 2025-11-25. The maintainers describe the upcoming release candidate as the largest revision of the protocol since launch, and it moves in exactly the direction enterprises need: stateless cores are easier to run behind a load balancer, and a formal deprecation policy is a promise about backward compatibility. For a closer look at how MCP fits next to traditional integration surfaces, see how to build an MCP semantic layer server.

The adoption numbers, with sources

Scale is the second piece of evidence. Use verifiable figures, not the inflated ones that circulate on social media.

  • 10,000+ active public MCP servers and 97M+ monthly SDK downloads, per Anthropic's ecosystem update of December 9, 2025.
  • 9,652 latest server records in the official MCP Registry API as of May 2026.
  • 41% of surveyed software organizations run MCP servers in limited or broad production, per the Stacklok 2026 software report. (Ignore the widely-copied "78% in production" figure. It has been debunked.)

For a full audit of these figures, see the 2026 MCP adoption statistics roundup. The direction is unambiguous: production, not prototype.

Who is on board: the cross-vendor evidence

Standards win when the platforms your enterprise already pays for adopt them. Every major vendor now exposes MCP.

  • OpenAI adopted MCP in March 2025 across its Agents SDK, the Responses API, and ChatGPT. The Apps SDK launched at DevDay is built on MCP, with Booking.com, Canva, Coursera, Figma, Expedia, Spotify, and Zillow as launch partners. Sam Altman: "People love MCP and we are excited to add support across our products."
  • Google confirmed MCP support across Gemini and Vertex AI in April 2025, alongside its A2A agent-to-agent protocol.
  • Microsoft shipped MCP support in Copilot Studio, added native MCP in Windows 11 with an on-device registry for identity and audit, and put registry plus allowlist controls into VS Code, Visual Studio, and JetBrains.
  • AWS open-sourced the Bedrock AgentCore MCP server, shipped AgentCore Gateway to convert OpenAPI specs into MCP tools, and made On-Behalf-Of token exchange generally available with Cedar-policy, tool-level authorization.
  • Salesforce made Hosted MCP Servers generally available in April 2026 for every Enterprise Edition org and above, with each transaction running under the authenticated user's identity and CRUD, field-level security, and sharing rules applied automatically.
  • ServiceNow launched its MCP Server Console, and Databricks ships managed MCP servers governed through Unity Catalog. Cloudflare was first to offer one-click remote MCP servers.

When Salesforce, ServiceNow, Databricks, and the three largest clouds all speak the same agent protocol, having an MCP server starts to feel as ordinary as having an API.

Real production usage, not demos

Two enterprises put concrete numbers behind the trend.

Block is the flagship. Anthropic's customer page states that "75% of our engineers now save 8 to 10+ hours every week" using Block's open-source agent (codename goose), and Block VP of Engineering Angie Jones has described "12,000 employees using them across 15 different job functions." Block's own engineering team authors every internal MCP server, and reports employees saving 50 to 75% of their time on common tasks. Read the Block case study for the full account.

Bloomberg published "Closing the Agentic AI Productionization Gap" and reported that MCP "reduced experimentation time from days to minutes." Ania Musial, Head of AI Platforms, put the problem plainly: "This 'productionization gap' was killing our velocity." Sambhav Kothari, who leads AI productivity engineering, added that the team can "now easily productionize capabilities and rapidly turn demos into dependable, connected systems at scale."

These are not pilots. They are two of the most demanding engineering organizations in finance and fintech reporting durable, measured gains.

The trajectory analysts are pricing in

Treat forecasts as projections, not facts, but the direction reinforces the case. Gartner projects that 40% of enterprise applications will include AI agents by the end of 2026, up from under 5%, and that by 2026, 75% of API-gateway vendors and 50% of iPaaS vendors will have MCP features. IDC data, via Statista, models active AI agents rising from 28.6M in 2025 toward billions by 2030. Venture analysts read it the same way: a16z's deep dive into MCP and Bessemer's State of AI both treat agent-tool standardization as a durable platform shift, not a seasonal trend. When the integration and API-management markets themselves reorganize around a protocol, the protocol is infrastructure.

But adoption alone is not enough: the semantic gap

Here is where the trend meets its hard edge. As MCP moves into enterprise infrastructure, it inherits enterprise requirements. Organizations need to know which user or service an agent acts for. They need to guarantee an agent only sees authorized data. They need policies for tool use, strong audit trails, and reliable monitoring. And they need the business meaning behind the systems the agent calls.

MCP solves connector fragmentation. It does not solve definitional fragmentation. An agent can connect to a warehouse through MCP and still choose the wrong join, still apply the wrong definition of revenue, still mix metrics from different domains, and still read data the user should never see. The protocol standardizes access. It does not standardize meaning. This is the exact failure mode we cover in RAG vs. semantic layer and in semantics for enterprise AI agents.

Two agents on the same MCP fleet, with no semantic layer behind it, will still disagree about revenue. The protocol made every connector look the same. Something else has to make every answer mean the same thing.

Fix the Context, Not the Model. A larger model on top of an ungoverned MCP endpoint does not make the join auditable or the metric consistent. Reliability comes from a governed semantic layer that resolves meaning and proves the query before execution, not from a bigger model guessing over standardized access.

What mature enterprise MCP architecture adds

A production-grade MCP architecture pairs the protocol with a control plane. The layers that turn a promising interface into enterprise-grade infrastructure are consistent across every serious deployment:

  • Identity propagation: the agent acts in the context of a real user, role, or service, not a shared service account.
  • Compile-time access control: RBAC, ABAC, and row and column predicates are evaluated before any SQL runs. Unauthorized intent fails compilation, and data is never read.
  • Governed semantics: business entities, metrics, and relationships are defined once and reused safely, so every agent uses the same definition of revenue.
  • Join-path proof: ambiguous requests fail at compile time instead of producing a confident, wrong number.
  • Observability and audit: every request, tool call, compiled statement, and result is traceable.

This is the difference between a semantic control plane and a raw connector. It is also why the build-versus-buy decision for the semantic layer is now an MCP-era decision, not a legacy-BI one.

Where Colrows fits: behind the protocol, never instead of it

Colrows is engineered to be the semantic execution layer behind your MCP fleet. Agents emit intent over MCP. Colrows resolves that intent against a typed semantic graph, proves every join, enforces RBAC, ABAC, and row and column governance at compile time, emits dialect-perfect SQL across 16+ engines, and returns a structured result with a full audit trail: graph version, definitions used, executed SQL, and identity context.

It exposes both an MCP server and a REST API surface over the same governed tools, so agent traffic and batch or dashboard traffic compile through one graph and return the same answer. See the Colrows MCP integration guide for the endpoint, OAuth flow, and tool catalog, or the MCP Tools REST API for a plain-HTTP wrapper over the same tools. MCP is the transport. The semantic layer is the logic. You need both.

The same thesis drives the wider Company Brain argument: the model is rarely the constraint, and the governed context almost always is. If you are evaluating what an enterprise agent stack needs beyond raw connectivity, the Company Brain RFS analysis maps where the durable value sits.

Frequently asked questions

What is the Model Context Protocol (MCP)?

MCP is an open standard, introduced by Anthropic in November 2024, for connecting AI applications to external systems. It gives agents a common way to discover and use tools, resources, and prompts across any MCP-compatible client and server.

Who created MCP and who controls it now?

Anthropic created MCP in November 2024. In December 2025 Anthropic donated it to the Linux Foundation's Agentic AI Foundation, whose co-founders include Anthropic, Block, and OpenAI, with Google, Microsoft, AWS, Cloudflare, and Bloomberg among the members. It is now governed by a cross-vendor foundation, not a single company.

Is MCP production-ready in 2026?

Yes. The current stable specification revision is 2025-11-25, and per the Stacklok 2026 software report, 41% of surveyed software organizations run MCP servers in limited or broad production. Bloomberg and Block document production deployments at scale.

How many MCP servers exist?

Anthropic's December 2025 ecosystem update reported over 10,000 active public MCP servers and more than 97M monthly SDK downloads. The official MCP Registry API listed 9,652 latest server records as of May 2026.

Which major companies have adopted MCP?

Anthropic, OpenAI, Google, Microsoft, AWS, Salesforce, ServiceNow, Databricks, Block, Bloomberg, and Cloudflare have all shipped MCP support across their agent platforms, developer tools, or hosted services.

How is MCP different from a regular API?

A regular API is built for a specific client integration. MCP adds standardized tool discovery, tool metadata, session semantics, and OAuth-native authorization designed for agent consumers, so any MCP client can use any MCP server without a bespoke connector.

Do enterprises need anything beyond MCP for AI agents?

Yes. MCP standardizes access, not meaning. Enterprises still need identity propagation, compile-time access control, governed metric and join semantics, deterministic execution, and per-query audit. Those belong in a governed semantic layer behind the MCP server, which is the role Colrows plays.

Standardizing on MCP? Put a governed semantic layer behind it.