MCP Turns Claude Into an AI Agent
The Model Context Protocol has become the standard way to connect AI assistants to tools and data. With 97 million monthly SDK downloads and support from major AI platforms, MCP is why an assistant can act inside your workflow instead of only answering questions.
Jan Schmitz
TL;DR: If you still use Claude, ChatGPT, or another AI assistant as a text-in, text-out chatbot, you are missing the more useful part. The Model Context Protocol (MCP), launched by Anthropic in late 2024 and now governed by the Linux Foundation, gives AI systems a standard way to connect to tools, live data, and workflows. With 97 million monthly SDK downloads, over 10,000 public servers, and support from every major AI platform, MCP is helping move conversational AI from answering questions to taking action. Here is what it is, why it matters, and where the security risks sit.
Most people’s mental model of AI assistants is still stuck in 2023. You type a question. You get an answer. Maybe the answer is brilliant, maybe it hallucinates a Supreme Court case that never existed. Either way, the interaction is self-contained. The AI sits apart from your tools, your data, and your work.
That model is now roughly two years out of date. The reason has a dry name: Model Context Protocol.
MCP is the layer that lets AI assistants reach outside the chat window and interact with your calendar, database, CRM, codebase, or payment processor. It is an open-source protocol that standardizes how AI models connect to external systems, and adoption over the past 18 months has moved fast.
If you build software, manage data infrastructure, or want to understand why AI tools are becoming more useful inside actual workflows, MCP is one of the important pieces of the current AI stack.
The problem MCP actually solves
Before MCP, connecting an AI model to an external tool required custom integration work. Every combination of AI application and data source needed its own connector, authentication flow, data formatting, and error handling. Five AI models and ten tools meant fifty separate integrations. The math does not scale.
This is the same problem the industry faced with peripheral devices before USB. Every printer, scanner, and keyboard needed its own cable and driver. USB collapsed that into a single interface. MCP does the same thing for AI integrations.
The official documentation uses the USB-C analogy directly: MCP gives AI applications a standard way to connect to external systems, similar to how USB-C gives devices a standard port.
The analogy is useful, but it undersells the shift. USB let you plug in a mouse. MCP lets an AI agent query your Salesforce instance, cross-reference the results with your internal wiki, draft a customer email based on what it finds, and schedule a follow-up in your calendar, all within one conversation turn.
How the protocol works under the hood
MCP uses a client-server architecture built on JSON-RPC 2.0 messaging. It has three core primitives.
Tools are functions the AI can call, such as searching a database or creating a calendar event. The model decides when and how to invoke them based on the conversation context.
Resources are data sources the host application manages, such as files, database records, or API responses. The application decides what is available.
Prompts are reusable templates and workflows that users can trigger for multi-step tasks.
The transport layer supports two modes: standard input/output (stdio) for local integrations, and server-sent events (SSE) for remote connections. Sessions are stateful, so the AI maintains context across multiple tool calls within a conversation. That differs from traditional REST APIs, where every request exists in isolation.
Dynamic discovery is what separates MCP from simply wrapping APIs in a function-calling layer. An MCP client can ask a server what tools it offers. The server responds with machine-readable descriptions of its capabilities, inputs, and outputs. The AI does not need hardcoded documentation or a pre-built connector for every service. It can inspect what is available and decide how to use it.
The adoption numbers tell the story
The growth numbers are hard to ignore. When Anthropic launched MCP in November 2024, monthly SDK downloads sat around 2 million. Then the major platforms started adding support.
- April 2025: OpenAI added MCP support to ChatGPT. Downloads jumped to 22 million.
- July 2025: Microsoft integrated MCP into Copilot Studio. Monthly downloads reached 45 million.
- November 2025: AWS added native support. Downloads reached 68 million.
- March 2026: With every major AI platform on board, monthly SDK downloads hit 97 million.
The server ecosystem has kept pace. Over 10,000 public MCP servers are now published to registries, covering Google Drive and Slack, Stripe payment processing, Blender 3D modeling, and specialized financial data platforms. Development tools like VS Code, Cursor, and Replit all speak MCP natively.
In December 2025, Anthropic donated the protocol to the newly formed Agentic AI Foundation under the Linux Foundation, co-founded with Block and OpenAI, with support from Google, Microsoft, AWS, and Cloudflare. That move shifted MCP from Anthropic’s project to an industry standard. It also reduced the risk that one company would control the protocol as it became part of AI infrastructure.
What this looks like in practice
The architecture matters because it changes what people can build. Here are four examples that show the difference between a chatbot and an agent.
In software development, Claude Code can take a Figma design file, read it through an MCP server, generate the corresponding frontend code, run it against a test suite through another MCP server, and open a pull request on GitHub. The AI is not writing code in a vacuum. It is working inside the development environment.
In recruiting, AI agents connected to HR platforms through MCP can search candidate databases, compare skills with job requirements, pull interview availability from calendars, and draft personalized outreach. Work that used to consume a recruiter’s morning can happen inside one conversation.
In financial services, investment platforms like Dakota expose their data through MCP servers so AI assistants can query portfolio performance, pull manager track records, and generate analysis reports using live, authenticated data instead of stale exports.
In procurement, an agent connected to email, contract management, and vendor databases can retrieve previous negotiation terms, analyze historical pricing, and recommend renewal strategies inside a single conversation.
These examples are already in production at companies processing real revenue. Gartner predicts that 40% of enterprise applications will include task-specific AI agents by the end of 2026, up from less than 5% a year earlier.
Why MCP succeeded where other standards did not
The AI integration space has seen plenty of proposed standards. Most faded. MCP worked for a few specific reasons.
The timing was right. MCP arrived when function calling in LLMs had become useful, but the integration layer was still messy. The pain was clear, and the solution was practical.
The protocol is also simple enough to implement. A decent developer can build a basic MCP server in an afternoon. That low barrier to entry helped the server ecosystem grow from a handful of reference implementations to more than 10,000 in under 18 months.
Anthropic handled the ownership question well. By open-sourcing the protocol from day one and later donating it to a foundation, it avoided the one-company-standard problem that often kills adoption. When OpenAI, Anthropic’s primary competitor, adopted MCP instead of building a rival protocol, the format war ended before it started.
The early adoption also came from developers, not procurement teams. Developers built MCP servers for tools they personally used. By the time enterprises started evaluating the standard, there was already an ecosystem to inspect. As Thoughtworks noted, the bottom-up innovation around MCP gave the ecosystem much of its energy.
The security picture is complicated
This is where the enthusiasm runs into a wall. MCP adoption has moved faster than MCP security maturity, and the numbers are not pretty.
According to security research, roughly two-thirds of open-source MCP servers show poor security practices. OAuth authentication flaws affect 43% of servers. The attack surface is real, and it is expanding fast.
The major threat categories are clear.
Prompt injection happens when attackers embed malicious instructions in data that gets passed to the AI through MCP connections. The model may fail to separate legitimate context from injected commands, then take harmful actions such as exfiltrating data or modifying records.
Tool poisoning happens when attackers modify tool metadata or configuration to compromise behavior. Unlike prompt injection, which targets individual sessions, a poisoned tool affects every user who connects to it. This is the supply chain attack vector, and it has already been exploited.
In the 2025 Postmark incident, attackers created a backdoor in an npm package that directed compromised MCP servers to blind-copy every outgoing email to the attackers. Internal memos, password resets, and invoices were silently forwarded. It was MCP’s first high-profile supply chain breach, and it will not be the last.
Credential theft is another problem. MCP servers are high-value targets because they often store authentication tokens for multiple services. Breach one server, and you may gain access to every connected service: CRM, email, database, payment processor.
Over-permissioned tools add more risk. Many MCP servers request broader access than they need. An AI agent that only needs read access to a calendar should not have write access to an entire Google Workspace. In practice, permissions are often configured for convenience.
Red Hat’s analysis identifies five risk layers: transport and communication, authentication and identity, context integrity and confidentiality, authorization and privilege management, and supply chain security. Each one needs independent attention.
The enterprise mitigation playbook is easy to list and harder to execute consistently.
- Enforce least-privilege access on every MCP connection.
- Digitally sign and version-lock all tools.
- Require human approval for destructive operations.
- Deploy specialized monitoring tools like MCPTox and MindGuard.
- Maintain audit logs across all MCP interactions.
- Treat MCP security as an ongoing process.
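The list above is easier to reason about when the controls are visible in one place, so here is an added example (illustrative code written for this article, not part of any MCP SDK or of the monitoring products named above) of a host-side gateway that sits between the model and a server's `tools/list` result. It version-locks tools by hashing the name, description and input schema recorded at review time, hides anything not on an explicit allow-list, requires a human approval callback before destructive tools run, and writes an audit event for every decision. The tool descriptions, the policy and the approver callback are all constructed; a real deployment would load the pins from a signed manifest and route approvals to a person.

```python
"""Host-side MCP tool gateway: pinning, allow-list, approval, audit (added example)."""
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Callable

def tool_fingerprint(tool: dict) -> str:
    """Stable SHA-256 over the fields a poisoned server would alter to steer the model.
    Extra keys are ignored so cosmetic additions do not change the pin."""
    canon = json.dumps({k: tool.get(k) for k in ("name", "description", "inputSchema")},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

@dataclass
class Policy:
    allowed_tools: set[str]       # least privilege: explicit allow-list of tool names
    destructive_tools: set[str]   # subset that needs a human approval before each call
    pins: dict[str, str]          # tool name -> fingerprint recorded when the tool was reviewed

@dataclass
class Gateway:
    policy: Policy
    approve: Callable[[str, dict], bool]   # human-in-the-loop hook (constructed here)
    audit: list[dict] = field(default_factory=list)
    admitted: set[str] = field(default_factory=set)

    def _log(self, **event) -> None:
        event["ts"] = time.time()
        self.audit.append(event)

    def admit_tools(self, listed: list[dict]) -> list[dict]:
        """Filter a tools/list result down to what the model is allowed to see."""
        visible = []
        for t in listed:
            name, fp = t["name"], tool_fingerprint(t)
            if name not in self.policy.allowed_tools:
                self._log(event="tool_hidden", tool=name, reason="not_allowed")
                continue
            if self.policy.pins.get(name) != fp:
                # Version lock: any drift in description or schema since review blocks the tool,
                # whatever the new text says. This is the tool-poisoning check.
                self._log(event="tool_blocked", tool=name, reason="fingerprint_mismatch", fingerprint=fp)
                continue
            self.admitted.add(name)
            visible.append(t)
        return visible

    def call(self, name: str, args: dict, invoke: Callable[[str, dict], dict]) -> dict:
        """Gate a tools/call: only admitted tools, approval for destructive ones, always logged."""
        if name not in self.admitted:
            self._log(event="call_denied", tool=name, reason="not_admitted", args=args)
            raise PermissionError(f"tool {name} not admitted")
        if name in self.policy.destructive_tools and not self.approve(name, args):
            self._log(event="call_denied", tool=name, reason="approval_refused", args=args)
            raise PermissionError(f"tool {name} requires approval")
        self._log(event="call", tool=name, args=args)
        return invoke(name, args)

def demo() -> dict:
    # Constructed tool descriptions as they looked when a reviewer pinned them.
    reviewed = [
        {"name": "search_tickets", "description": "Search tickets by title.",
         "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}}},
        {"name": "delete_ticket", "description": "Delete a ticket.",
         "inputSchema": {"type": "object", "properties": {"ticket_id": {"type": "string"}}}},
        {"name": "read_calendar", "description": "List calendar events.",
         "inputSchema": {"type": "object", "properties": {}}},
    ]
    policy = Policy(allowed_tools={t["name"] for t in reviewed},
                    destructive_tools={"delete_ticket"},
                    pins={t["name"]: tool_fingerprint(t) for t in reviewed})
    # Constructed tools/list result from a later session: read_calendar's schema
    # quietly gained a parameter, and an unreviewed tool appeared.
    live = [reviewed[0], reviewed[1],
            {**reviewed[2], "inputSchema": {"type": "object",
                                            "properties": {"include_private": {"type": "boolean"}}}},
            {"name": "export_workspace", "description": "Export everything.",
             "inputSchema": {"type": "object", "properties": {}}}]
    # Constructed approver: only the closed ticket T-102 may be deleted.
    gw = Gateway(policy, approve=lambda name, args: args.get("ticket_id") == "T-102")
    fake_server = lambda name, args: {"content": [{"type": "text", "text": f"{name} ok"}], "isError": False}

    out = {"visible": [t["name"] for t in gw.admit_tools(live)]}
    out["search"] = gw.call("search_tickets", {"query": "login"}, fake_server)["content"][0]["text"]
    try:
        gw.call("delete_ticket", {"ticket_id": "T-101"}, fake_server)
    except PermissionError:
        out["delete_T101"] = "denied"
    out["delete_T102"] = gw.call("delete_ticket", {"ticket_id": "T-102"}, fake_server)["content"][0]["text"]
    out["audit_events"] = [e["event"] for e in gw.audit]
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the demo the model ends up seeing only `search_tickets` and `delete_ticket`: `read_calendar` is blocked because its schema drifted from the pin, and `export_workspace` is hidden because it was never reviewed. The audit list records both decisions plus every call and refusal, which is the trail an incident responder needs when asking what an agent actually did.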
MCP vs. traditional APIs: The right mental model
A common misconception is that MCP replaces APIs. It does not. APIs still do the actual work: fetching data, creating records, and processing payments. MCP sits on top as a standardization and orchestration layer that makes APIs accessible to AI systems in a consistent way.
The practical crossover point is around three to five integrations. Below that threshold, direct API integration is simpler and more predictable. Above it, MCP’s standard approach saves development and maintenance time.
MCP matters most in dynamic, multi-system workflows. An AI agent that needs to act across Salesforce, Slack, a SQL database, and a document management system should not have to manage four separate API clients with four authentication schemes and four error-handling patterns. MCP gives it one protocol for that plumbing.
Stateful session management is the other major difference. REST APIs treat every request as independent. MCP maintains conversation context across tool calls, so the AI understands that “now update the status on that ticket” refers to the ticket it retrieved three turns ago. Agent-style interactions need that context, and MCP includes it in the protocol.
What’s coming next
The MCP roadmap for 2026 focuses on the gap between developer enthusiasm and production readiness.
Authentication standards need work. The current authentication picture is fragmented. The Agentic AI Foundation is working on standard flows that balance security with usability, which is difficult when AI agents need to act on behalf of users across multiple services.
Observability is another priority. As MCP deployments move from experiments to production workloads, operators need better visibility into what their AI agents are doing. Standard logging, tracing, and monitoring for MCP interactions are in active development.
Enterprise governance tooling is also coming. Large organizations need policy enforcement, compliance auditing, and centralized management for MCP infrastructure. Gartner projects that 75% of API gateway vendors will add MCP-specific features by the end of 2026.
Security hardening is the final piece. The CoSAI white paper on MCP security published earlier this year laid out a detailed threat model and mitigation framework. Expect many of those recommendations to become defaults in major MCP implementations over the next 12 months.
The bottom line
The shift from chatbot to agent depends on infrastructure, and MCP is part of that infrastructure.
Eighteen months ago, asking an AI to check your calendar and find a time to meet with the three people who commented on yesterday’s pull request was a fantasy. Today, it is a solved problem if your tools speak MCP.
The protocol is not perfect. Security needs work. Enterprise governance is still maturing. Some MCP servers are better built than others, and quality varies across a fast-growing ecosystem.
The direction is clear: 97 million monthly SDK downloads, governance under the Linux Foundation, and support from every major AI platform. MCP has moved from interesting experiment to standard infrastructure. Developers and enterprises now have to decide how quickly they can adopt it without cutting corners on security.
Stop thinking of your AI assistant as only a chatbot. Think of it as an agent that needs the right connections. MCP provides those connections.
Sources used in this article:
- Anthropic, Introducing the Model Context Protocol
- MCP Official Documentation
- MCP Adoption Statistics, Nevermined
- What is Model Context Protocol, Google Cloud
- What is Model Context Protocol, IBM
- MCP Security Vulnerabilities, Practical DevSecOps
- MCP Security Risks, Red Hat
- MCP Security Risks, Pillar Security
- MCP vs APIs, Tinybird
- MCP Real-World Integration Examples, Merge
- Model Context Protocol Impact, Thoughtworks
- MCP: The Silent Trend Defining AI Architecture in 2026, Rootstack
- MCP Roadmap 2026, The New Stack
- CoSAI MCP Security White Paper Insights, Adversa AI