#2 Model Context Protocol (MCP)
The Missing Standard Layer Powering Tool-Native AI
Artificial intelligence has crossed a critical threshold. Models are no longer evaluated solely on how well they generate text or code, but on how effectively they act, how they retrieve live knowledge, operate tools, modify files, inspect systems, and collaborate with humans in real workflows. Yet until recently, the ecosystem lacked a clean, interoperable way to connect models to tools. This gap is precisely what Model Context Protocol (MCP) aims to close. Often described as USB-C for AI, MCP is rapidly emerging as the standard interface layer that allows AI models to securely, audibly, and extensibly interact with external systems. With backing from major players including its transfer to the Linux Foundation MCP is no longer an experiment. It is becoming infrastructure. This article explores MCP’s architecture, why it matters now, current real-world developments, its standardisation journey, and what the future demands of MCP-based AI systems will look like.
For years, AI systems have been powerful yet fundamentally isolated from the environments in which real work happens. Even the most advanced models lacked reliable access to real-time or proprietary data, could not safely run commands, inspect browsers, or modify files, and depended on fragile, vendor-specific tool integrations built as one-off solutions. Crucially, there was no consistent mechanism to audit, approve, or trace model actions, making it difficult to deploy AI in safety-critical, enterprise, or regulated contexts with confidence. This created what many developers called ‘prompt-level intelligence trapped in a sandbox’.
MCP changes this by separating reasoning from capability execution. Instead of embedding tools inside the model or building brittle plugins MCP defines a standard protocol by which any AI client can connect to any compatible tool server, using a shared language and lifecycle. In other words: models think, MCP lets them do.
At its core, MCP is an open protocol that connects AI models to external tools and context providers. Conceptually, MCP introduces three clean layers:
AI Client: The model or agent (e.g., Codex, IDE assistants, autonomous agents)
MCP Interface: A standardized JSON-RPC–based protocol for tool discovery, invocation, streaming, and approval
MCP Servers: Tool providers: browsers, file systems, GitHub, databases, design tools, logs, cloud services
This separation introduces a set of critical advantages that fundamentally change how AI systems operate in real environments. By decoupling models from tools, MCP enables true interoperability, allowing the same tools to work seamlessly across different models and clients. Security is strengthened through explicit approval mechanisms for risky actions, ensuring that sensitive operations remain under human control. At the same time, every tool invocation is structured and traceable, making AI behavior auditable by design rather than by after-the-fact logging. Finally, the protocol’s openness makes it inherently extensible, allowing anyone to build and integrate new MCP servers. The result is an ecosystem in which AI systems gain powerful new capabilities without sacrificing oversight, safety, or control.
The most mature MCP deployment today exists within OpenAI Codex. Codex treats MCP as a first-class system component rather than a plugin. Through MCP, Codex is able to move beyond passive code generation and operate as a genuinely tool-aware system. It can inspect and control browsers using interfaces such as Chrome DevTools and Playwright, safely read from and write to files within defined sandboxes, and execute shell commands under explicit approval workflows. MCP also allows Codex to retrieve up-to-date knowledge from documentation servers like Context7 and to interact directly with GitHub repositories, issues, and pull requests, enabling end-to-end workflows that remain transparent, auditable, and under human control.
Codex stores MCP configuration in a unified config.toml file that is shared seamlessly across the CLI, IDE extensions, and headless execution modes. This single source of truth ensures consistent behavior regardless of how Codex is invoked, reducing configuration drift and operational complexity. Once an MCP server is defined in this shared configuration, it becomes universally available across all Codex interfaces, eliminating the need for repeated setup or environment-specific rewiring and enabling more reliable, reproducible AI workflows.
One of MCP’s most understated yet powerful features is its built-in event streaming model. Every action an AI system takes whether executing a command, applying a file patch, or interacting with a browser is emitted as a structured sequence of events, from initiation through intermediate outputs to completion, with explicit approval requests where required. This event-level transparency makes AI behavior continuously observable and debuggable, rather than opaque and retrospective, providing the level of traceability and control that enterprise, safety-critical, and regulated environments increasingly demand.
A recurring criticism of agentic AI is its potential to act unsafely. MCP directly addresses this through protocol-level controls. MCP embeds security and governance directly into how AI systems act by supporting explicit approval modes, ranging from prompt-based and session-wide approvals to persistent permissions or full denial of specific actions. Before executing shell commands or modifying files, the AI must formally request permission, with the decision made by the client rather than the model itself. In parallel, MCP integrates sandboxing options such as read-only access, workspace-limited writes, or fully granted access ensuring that AI operates strictly within predefined boundaries. Together, these mechanisms enforce a principle of least privilege for AI systems, aligning MCP closely with modern security practices and emerging AI governance and compliance frameworks.
MCP’s architecture is deliberately designed to foster a rich and growing third-party ecosystem. Today, commonly used MCP servers already span browser control through Chrome DevTools and Playwright, design workflows via local and remote Figma integrations, core developer tooling such as GitHub, Git, and CI logs, observability platforms like Sentry, documentation services such as Context7, and access to file systems and databases. Crucially, these servers are tool-agnostic: a GitHub MCP server functions the same way regardless of whether the client is Codex, another large language model, or a future autonomous agent. In this sense, MCP begins to resemble POSIX for AI tools, a shared, stable contract that enables interoperability without locking developers into a single platform or vendor.
MCP’s legitimacy accelerated dramatically when Anthropic, one of its early champions, transferred MCP stewardship to the Linux Foundation. This move is significant because it establishes MCP as a genuinely neutral and durable standard rather than a vendor-controlled initiative. By placing governance in the hands of an independent body, no single company dictates the protocol’s direction, and its evolution proceeds through open, transparent processes. This neutrality is critical for enterprise adoption, as organizations are far more willing to invest in standards backed by trusted foundations rather than proprietary roadmaps. As a result, MCP gains long-term credibility and stability, positioning itself much like Kubernetes or OpenTelemetry as shared infrastructure for the AI ecosystem rather than a competitive differentiator owned by any one provider.
MCP is not itself a safety or ethics framework, but it complements many of them by providing the technical mechanisms they implicitly rely on. It aligns naturally with standards such as ISO/IEC 42001 for AI management systems, the NIST AI Risk Management Framework’s governance and control requirements, and the EU AI Act’s expectations around traceability, transparency, and human oversight. By making AI actions explicit, inspectable, and controllable at the protocol level, MCP supplies the technical substrate that governance frameworks often assume but rarely define. In practice, this is how concepts like human-in-the-loop become operational and enforceable, rather than remaining purely aspirational principles.
While MCP already provides a strong foundation, its next phase of evolution will need to address increasingly complex operational and governance demands. Enterprise adoption will require deeper integration with identity and access management systems, role-based controls, and compliance-grade logging. As AI systems become more agentic, MCP can also evolve into a coordination layer for multi-agent collaboration, enabling agents to safely share tools, state, and responsibilities. At the infrastructure level, support for cloud-native and edge deployments will allow lightweight MCP servers to power capable on-device AI. Looking ahead, formal verification and explicit tool contracts may provide verifiable guarantees around side effects, latency, and safety, while regulatory-aware tooling can embed jurisdictional constraints such as data locality and audit retention directly into MCP servers.
Model performance will continue to converge. Tool access will not converge in the same way models do, and this is where the real competitive advantage in AI will emerge. The differentiator will be how effectively models integrate into real workflows, how safely they are able to operate live systems, and how transparently they can justify and trace their actions. MCP is the enabling layer that makes all of this possible, providing structured access to tools and context while preserving openness, interoperability, and human control.
Model Context Protocol is not just another developer convenience. It is a structural shift in how intelligence is deployed. By standardising the interface between reasoning and action, MCP transforms AI from a conversational engine into a reliable, auditable, tool-native system. With open governance, a growing ecosystem, and deep integration into production-grade tools like Codex, MCP is fast becoming what every serious AI system will need not optionally, but inevitably. The question is no longer whether MCP will matter. It’s how fast the rest of the AI world will catch up.