What the MCP Protocol Anniversary Means for Enterprise AI Security
The Model Context Protocol turns one year old with a major spec update. Here's what enterprise security teams need to know.
One year ago, Anthropic released the Model Context Protocol as an open standard for connecting AI assistants to external data and tools. This week, the protocol's anniversary spec update — dated November 25, 2025 — signals a decisive pivot from developer convenience to enterprise readiness.
The growth numbers alone are remarkable. MCP server downloads have grown from roughly 100,000 at launch to over 8 million. There are now more than 5,800 registered MCP servers and 300 clients. Block, Bloomberg, and Amazon are running MCP in production. OpenAI, Google, and Microsoft have all adopted the protocol.
But the November 2025 spec is interesting for what it adds, not what it scales. The update introduces OAuth 2.1 authentication, asynchronous task execution, and streamlined HTTP transport. These are not features designed for developers experimenting with AI tools. These are features designed for enterprises deploying AI agents in production environments where security, auditability, and access control are non-negotiable.
This matters because MCP is fundamentally about giving AI agents the ability to take actions — read files, query databases, send messages, execute commands. Every one of those capabilities represents an attack surface. Security researchers documented multiple outstanding concerns earlier this year: prompt injection vulnerabilities, over-broad tool permissions that let data be exfiltrated by chaining tools together, and lookalike tools that can silently replace trusted ones.
The enterprise question is not whether to adopt MCP. That train has left the station; your developers are likely already running MCP servers. The question is whether you have a governance layer between your AI agents and those tool servers that can enforce access controls, log every tool invocation, and prevent unauthorized data flows.
As MCP moves from experimental to enterprise standard, the gap between what the protocol enables and what enterprises can actually govern will only grow. Organizations that deploy MCP tool servers without centralized access control, audit logging, and policy enforcement are creating compliance gaps that no policy document can close.
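As an added illustration (not code from this article or from any MCP implementation), here is a minimal policy gate a governance layer could apply to each MCP `tools/call` request: a per-agent allow-list, a pinned fingerprint of every tool definition so a lookalike or silently altered tool is refused, a deliberately coarse data-flow rule that blocks egress tools once a session has read data, and an audit record for every decision. The agent names, tool definitions and policy are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

def tool_fingerprint(tool: dict) -> str:
    """SHA-256 over the canonical JSON of a tool definition (name, description,
    input schema). Pinning this at onboarding lets the gate detect a tool whose
    description or schema later changes, i.e. a lookalike replacing a trusted one."""
    canonical = json.dumps(tool, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

# Constructed sample: definitions two MCP servers advertised when onboarded.
READ_FILE = {"name": "read_file", "description": "Read a workspace file",
             "inputSchema": {"type": "object",
                             "properties": {"path": {"type": "string"}}}}
SEND_MAIL = {"name": "send_email", "description": "Send an email",
             "inputSchema": {"type": "object",
                             "properties": {"to": {"type": "string"},
                                            "body": {"type": "string"}}}}
PINNED = {t["name"]: tool_fingerprint(t) for t in (READ_FILE, SEND_MAIL)}

# Constructed policy: an allow-list per agent identity (never a deny-list),
# plus the set of tools that move data out of the environment.
POLICY = {"code-review-agent": {"read_file"},
          "support-agent": {"read_file", "send_email"}}
EGRESS_TOOLS = {"send_email"}

AUDIT_LOG: list[dict] = []

def authorize_call(agent: str, call: dict, advertised: dict,
                   tainted: bool) -> tuple[bool, str]:
    """Gate one `tools/call`. `call` is the JSON-RPC params
    ({"name": ..., "arguments": {...}}); `advertised` is the server's current
    definition of that tool; `tainted` marks a session that has already read
    data, so a read chained into an egress tool is refused."""
    name = call["name"]
    if name not in POLICY.get(agent, set()):
        verdict = (False, "tool not in agent allow-list")
    elif name not in PINNED or tool_fingerprint(advertised) != PINNED[name]:
        verdict = (False, "tool definition differs from pinned version")
    elif tainted and name in EGRESS_TOOLS:
        verdict = (False, "egress tool blocked after data read in session")
    else:
        verdict = (True, "allowed")
    # Every decision, allowed or denied, is written to the audit trail.
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "agent": agent, "tool": name,
                      "args": call.get("arguments", {}),
                      "allowed": verdict[0], "reason": verdict[1]})
    return verdict
```

In a real deployment the pinned fingerprints would be refreshed only through a reviewed change process, and the taint rule would be replaced by per-argument data labels; the structure of the check stays the same.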
The protocol has grown up. Enterprise governance needs to grow up with it.