When I published my first blog on the Model Context Protocol in April, MCP was still a fresh idea making its way from early adopters into enterprise conversations. Just a few months later, the landscape has already shifted.

A new version of the specification has been released, newer software platforms have embraced it as a native capability, and a wave of academic and industry attention has placed its security and governance gaps under the spotlight. Yet, many of the fundamentals I described back then remain valid. MCP is still a protocol, not a platform. It is still wiring, not intelligence. And its success continues to hinge on the ecosystem built around it.

What Has Changed

The most obvious development is the June 2025 update to the specification. This revision brought more maturity and depth to the protocol without changing its essence. The client–server model built on JSON-RPC remains the backbone, but the schema has grown to cover a richer set of capabilities. New constructs such as client roots, elicitation methods, and server-side resources and prompts reflect the lived experience of developers who needed more nuanced interactions.

In practice, this means agents are no longer limited to invoking tools in isolation but can operate with greater awareness of context, state, and system-level constraints. The spec is evolving in a way that reflects real adoption: steady, incremental, and always anchored in interoperability.

Alongside the protocol’s refinement, adoption has accelerated at a remarkable pace. When I wrote my first piece, Anthropic, OpenAI, Microsoft, and Salesforce were among the leading voices exploring MCP. Today, the circle has widened.

OpenAI has made MCP integral to its desktop client, its Responses API, and its Agents SDK. Google DeepMind has committed support in its Gemini models. And perhaps most notably, Microsoft has made MCP a first-class citizen in Windows itself through the new Windows AI Foundry.

With this step, MCP is no longer just a developer-focused standard but something woven into the everyday operating environment of knowledge workers. The Windows implementation not only provides technical plumbing, it also brings in a secure registry of trusted servers, consent prompts for users, and integration with system resources like file systems and subsystems. What was once an experiment is now something users will experience directly in mainstream products.

MCP’s adoption has broadened beyond big tech. Payment providers such as Stripe and Adyen are experimenting with MCP for natural language-driven workflows like generating payment links on demand. In academia, tools like Zotero are embracing it for research management. Even web-building platforms like Wix are adding support.

These are not theoretical scenarios, but production integrations that prove MCP is adaptable across industries, domains, and problem spaces. The original vision of a “USB-C for AI agents” is no longer just rhetoric; it is becoming tangible through real use cases that demonstrate its portability.

At the same time, the questions of governance and security that I raised in April have only grown louder. If the spring was about excitement, the summer has been about caution. A string of academic studies has highlighted risks such as prompt injection, tool poisoning, credential theft, and tool-squatting. Researchers have gone as far as releasing scanners that test for vulnerabilities in MCP servers before deployment, and new extensions such as ETDI have been proposed to introduce cryptographic signing, immutable versioning, OAuth integration, and policy-based access control.

Microsoft’s own Windows preview took these concerns to heart by restricting MCP servers to a vetted registry and surfacing user consent flows at runtime. The ecosystem is learning quickly that without trust, the protocol’s promise will stall.

What Still Matters

What has not changed is the basic nature of MCP itself. It remains a coordination layer, not a full platform. It still does not provide identity management, observability, or lifecycle governance out of the box. The same responsibilities I outlined in April — ensuring high-quality data, reliable tools, proper authentication, and structured governance — still fall on the shoulders of enterprises and vendors building on top of MCP. The new specification gives agents a broader vocabulary, but it does not change the fact that the value lies in the ecosystem. Without the surrounding scaffolding of governance, security, and platform integration, MCP is powerful plumbing with nowhere safe to flow.

What Comes Next

MCP is maturing faster than most people anticipated. The spec is expanding cautiously but steadily. Adoption is moving from niche developer communities to mainstream enterprise platforms. Security is emerging as a defining factor of its enterprise readiness. And yet the core truths remain: MCP is an enabler, not a solution. It is the interface, not the intelligence.

The future of enterprise AI will not be built on MCP alone, but on the platforms that use it as their connective tissue, embedding governance, identity, and trust at every layer.

The story of MCP is no longer about whether it will be adopted, but how responsibly it will be deployed. Its foundations are strong, its reach is widening, and its risks are better understood. For enterprises, the challenge now is not to decide whether MCP matters, but to ensure they are ready for the secure, governed, and agent-native future it is ushering in.

Find out how Boomi can help you turn APIs into strategic enablers of AI transformation with our six-step playbook.

This blog was written with the assistance of AI.