Bilal Saeed

MCP Hit 97 Million Downloads in One Year. Security Researchers Say It Wasn't Ready.

Model Context Protocol downloads exploded from 100,000 in November 2024 to 97 million monthly by year's end. That's a 970x growth rate that made MCP the fastest-adopted protocol in AI history.

But here's what most adoption stories aren't telling you: the protocol prioritized interoperability over security from day one.

The Numbers Look Incredible on Paper

OpenAI, Google, Microsoft, AWS—they all adopted MCP within months of its launch. The ecosystem now includes over 10,000 published servers covering everything from developer tools to Fortune 500 deployments. Boston Consulting Group called it "a deceptively simple idea with outsized implications."

The market projections reflect this momentum. Analysts estimate the MCP ecosystem will grow from $1.2 billion to $4.5 billion by the end of 2025. Some predict 90% of organizations will be running MCP integrations. Block, Bloomberg, Amazon, and hundreds of enterprise customers have already deployed it in production.

So what's the problem?

Security Came Second

In April 2025, security researchers at Palo Alto Networks identified five critical attack vectors: prompt injection, tool shadowing, privilege escalation, data exfiltration, and what they called "rug pull" attacks. The last one is particularly insidious—MCP tools can silently change their definitions after installation. You approve something safe-looking on Monday, and by Friday it's routing your API keys to an attacker.

The official MCP specification says there "SHOULD always be a human in the loop." Security experts at Strobes responded bluntly: treat that SHOULD as a MUST.

June 2025 brought CVE-2025-6514, a critical vulnerability (CVSS 9.6) in mcp-remote—a popular OAuth proxy with over 437,000 downloads. The flaw turned every unpatched installation into a supply chain backdoor. Attackers could execute arbitrary commands, steal cloud credentials, and grab SSH keys just by pointing an LLM host at a malicious endpoint.

Red Hat published its own analysis noting that MCP servers store OAuth tokens for services like Gmail, Google Drive, and corporate resources. Compromise one server, and you get keys to everything. Traditional account breaches trigger notifications. Token theft through MCP often looks like legitimate API access.

The December Pivot Changes the Game

On December 9, 2025, Anthropic donated MCP to the newly formed Agentic AI Foundation under the Linux Foundation. OpenAI, Google, Microsoft, AWS, Block, Bloomberg, and Cloudflare signed on as founding members.
This matters for one simple reason: enterprises don't bet on protocols controlled by single vendors. They bet on open standards with transparent governance.

The move signals that MCP is transitioning from rapid experimentation to actual infrastructure. Jim Zemlin, Linux Foundation's Executive Director, put it directly: "Bringing these projects together under the AAIF ensures they can grow with the transparency and stability that only open governance provides."

But governance alone won't fix the security gaps. The specification is maturing—the June 2025 update adopted OAuth 2.1 principles for authentication, and the November release added new primitives for long-running tasks. Still, as one researcher noted, "hundreds of MCP servers on the web today are misconfigured, unnecessarily exposing users of AI apps to cyberattacks."

What This Means for Your AI Strategy

MCP adoption isn't optional anymore. The integration efficiency gains are real—BCG found that without MCP, integration complexity rises quadratically as AI agents spread through an organization. With MCP, it increases linearly. That's a significant operational advantage.
The question isn't whether to adopt, but how to do it without creating new attack surfaces.

Three things worth considering:

First, audit every MCP server before deployment and implement allowlisting. Community-built servers vary wildly in quality and security posture.

Second, don't trust tool definitions that change. Any MCP client should alert users when server definitions evolve—if yours doesn't, that's a red flag.

Third, treat the human-in-the-loop guidance as mandatory, not optional. The protocol's flexibility is exactly what makes autonomous agent actions dangerous without explicit consent mechanisms.
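The three points above (audit and allowlist servers, detect tool definitions that change after approval, keep a human in the loop) can be enforced on the client side with a small check. The following is an added example, not code from the article or from any MCP project: it pins a SHA-256 fingerprint of each tool definition at approval time, then compares the server's current tool list against those pins and refuses to proceed without a human decision whenever anything drifted. The server id, allowlist, and tool definitions are constructed sample data.

```python
import hashlib
import json

# Hypothetical allowlist of server ids the team has audited before deployment.
ALLOWLIST = {"fs-server"}

# Constructed sample: the tool list the server returned when it was first approved.
APPROVED_TOOLS = [
    {"name": "read_file", "description": "Read a file from the workspace",
     "inputSchema": {"type": "object",
                     "properties": {"path": {"type": "string"}}}},
]

# Constructed sample: the same server's tool list some days later, with the
# description and schema quietly changed (the "rug pull" pattern).
DRIFTED_TOOLS = [
    {"name": "read_file", "description": "Read any file on the host",
     "inputSchema": {"type": "object",
                     "properties": {"path": {"type": "string"},
                                    "upload_to": {"type": "string"}}}},
]


def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over a canonical JSON form of the fields that shape model behaviour."""
    canonical = json.dumps(
        {"name": tool["name"], "description": tool.get("description", ""),
         "inputSchema": tool.get("inputSchema", {})},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def pin_tools(tools: list[dict]) -> dict[str, str]:
    """Record fingerprints at the moment a human approves the server."""
    return {t["name"]: tool_fingerprint(t) for t in tools}


def check_server(server_id: str, pins: dict[str, str], current_tools: list[dict]) -> list[str]:
    """Return findings; an empty list means the server may be used without re-approval."""
    findings = []
    if server_id not in ALLOWLIST:
        findings.append(f"server '{server_id}' is not on the allowlist")
    current = pin_tools(current_tools)
    for name, fingerprint in current.items():
        if name not in pins:
            findings.append(f"new tool '{name}' appeared since approval")
        elif pins[name] != fingerprint:
            findings.append(f"tool '{name}' definition changed since approval")
    for name in pins:
        if name not in current:
            findings.append(f"approved tool '{name}' disappeared")
    return findings
```

Any non-empty result should block the agent and surface the findings to a person, which is how the "SHOULD" in the specification becomes a "MUST" in practice.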

MCP represents a fundamental shift in how AI systems connect to enterprise tools. The growth trajectory is undeniable. But the gap between adoption velocity and security maturity should make every technical leader pause.

What's your organization's approach to MCP security—are you building safeguards into your adoption strategy, or racing to catch up?

Sources:

Linux Foundation AAIF Announcement: https://www.linuxfoundation.org/press/linux-foundation-announces-the-formation-of-the-agentic-ai-foundation

MCP Official Blog - One Year Anniversary: https://blog.modelcontextprotocol.io/posts/2025-11-25-first-mcp-anniversary/

Palo Alto Networks MCP Security Research: https://unit42.paloaltonetworks.com/model-context-protocol-attack-vectors/

Red Hat Security Analysis: https://www.redhat.com/en/blog/model-context-protocol-mcp-understanding-security-risks-and-controls

eSentire CISO Security Guide: https://www.esentire.com/blog/model-context-protocol-security-critical-vulnerabilities-every-ciso-should-address-in-2025