MCP Anniversary: Key Takeaways

A year ago, MCP sounded like a neat idea: a standard way for LLMs to talk to tools without bespoke integrations. Today, MCP is no longer a toy. It’s becoming the default way serious companies expose internal systems to agents — and simultaneously the source of new reliability, security, and complexity issues that early adopters are now surfacing.

Block runs 60+ MCP servers powering its internal agent (Goose). AWS, Microsoft, and Pulumi ship first-party MCP integrations. Twilio’s benchmark shows MCP workflows completing tasks faster with fewer API calls, albeit with higher token usage. And tens of thousands of developers now rely on MCP through clients like Claude Desktop, Cursor, VS Code, and Amazon Q.

But beneath the surface, teams are also hitting failure modes that feel very familiar: hallucinated tool calls, overloaded tool catalogs, flakiness between clients, and real security incidents caused by over-scoped permissions.

The real story? MCP is becoming critical infrastructure for agent workflows — but it’s not magic. It demands curation, guardrails, and discipline.

Block’s Goose is the clearest example of MCP done seriously. Instead of wiring agents directly to dozens of internal systems, Block exposes everything through curated MCP servers: Snowflake, GitHub, Jira, Slack, incident tooling, compliance systems, and more. Every developer gets Goose preinstalled. Every server is vetted. Tool access is gated by allow-lists.

This is becoming the blueprint for large organizations: MCP as the internal platform API for agents.

Pulumi’s MCP server lets agents inspect stacks, generate IaC programs, and trigger previews. AWS publishes official MCP servers for cloud resource inspection, logs, infra analysis, and Amazon Q Developer uses MCP as the integration fabric.

These integrations aren’t about “chat with your cloud.” They reduce context switching and give non-experts guided access to infrastructure without requiring deep CLI knowledge.

GitHub’s MCP server surfaces repositories, issues, PRs, and Actions into agent workflows. Devs can ask an agent to summarize failing builds, inspect logs, or deploy to staging — all without leaving the IDE. CI debugging, log inspection, and issue triage become linear conversations instead of multi-tab scavenger hunts.

Healthcare and fintech vendors are already implementing specialized MCP gateways with strict OIDC, audit trails, and tenant isolation. MCP is not the compliance layer — but with the right wrappers, it becomes the safe interface between agents and PHI, KYC, or risk systems.

Across all these cases, the pattern is the same: MCP becomes a front door for agent access to real systems.

The shift is immediate. Once GitHub, Jira, Figma, Pulumi, and cloud resources are available as MCP tools, developers stay inside their IDE or agent client. Common tasks like:

…happen in one place, through natural language, with fewer context switches.

Security alerts, on-call triage, and cross-system workflows stop being “jump across five tools” tasks. MCP lets an agent grab data from source control, observability, and infra in a single chain.

The productivity gain isn’t that the agent “does everything.” It’s that the human no longer has to reassemble the context manually. One great example of this is Bloomberg’s AI infrastructure team.

Product managers and designers start triggering environment creation, reading logs, or modifying test data — actions traditionally gated by CLI or tribal knowledge. MCP doesn’t make novices into SREs, but it removes friction around safe, scoped operations.

With service catalogs, runbooks, and internal docs exposed as MCP resources, new hires ask “what owns this endpoint?” or “how do we deploy staging?” and get grounded, internal answers immediately. Teams report onboarding compression from days to hours.

The biggest win is collapsing multi-system sequences into a single conversational workflow. MCP effectively turns infrastructure, CI, source control, and internal APIs into a unified action surface.

A single MCP server works across Claude, Cursor, Amazon Q, Windsurf, Raycast, VS Code, and more. Companies finally escape the M×N integration problem; instead of building integrations per vendor, they build one MCP wrapper per system.

Pulumi and AWS MCP servers demonstrate how agents can guide infra tasks safely — with previews, diffs, and policy checks — instead of handing over raw credentials or hoping the model generates correct YAML.

Sentry, Playwright, and GitHub MCP servers enable agents to correlate stack traces, browser accessibility trees, and recent commits before the human even starts investigating.

Large observability studies show 2–8% tool hallucination rates even in mature MCP deployments. When models see dozens of tools, they:

This isn’t MCP “being wrong” — it’s MCP exposing weaknesses in LLM reasoning. But the outcome is the same: flakiness you must plan for.

GitHub’s MCP server ships with 50+ tools, and Cursor warns this degrades accuracy. Vercel, BCG, and others explicitly advise curation — not loading everything. Tool bloat increases:

More tools ≠ more power. More tools = more noise.

We’ve already seen prompt-injection data thefts, malicious MCP packages, and hundreds of other horror stories on Reddit.

MCP is powerful — and anything powerful becomes an attack surface.

For log streaming, high-frequency metrics, deploy rollouts, and batch workloads, CLIs and APIs remain faster and safer. MCP adds overhead that doesn’t belong on the hot path.

MCP is becoming the plumbing layer of agent systems — not because it’s elegant, but because it’s the only workable way to expose real systems to LLMs at scale. Companies that adopt MCP see developers spending less time in dashboards, fewer context switches, faster triage, and smoother onboarding. But they also inherit new risks: hallucinated tool usage, bloated catalogs, inconsistent client behavior, and meaningful security exposure.

Where is MCP headed?
Toward a heavier, more governed, more enterprise-grade layer — closer to Kubernetes than to USB-C. The winning pattern is already emerging: small curated toolsets, strict security boundaries, and MCP used for orchestration, not execution.

Treat MCP like infrastructure, not a plugin. It pays off — if you respect its limits.

Till next time,