New York City · Agentic AI Foundation & Linux Foundation
The biggest ideas and sharpest insights from MCP Dev Summit North America: where the builders, contributors, and organizations shaping the future of agentic AI came together in New York City.
With 1,200 people at this year’s MCP Dev Summit (double from the previous one), it’s clear that MCP will just keep growing. The questions around MCP are becoming more challenging: How do you run it at 10,000-service scale? How do you secure it against supply chain attacks? How do you make it production-ready for enterprises that can’t afford to get it wrong?
Here’s what mattered most from the summit.
Opening: The Linux of Agents – Jim Zemlin, CEO at The Linux Foundation
Jim Zemlin opened the day by placing MCP in a lineage that the Linux Foundation knows well. “The Linux Foundation is the home of Linux. It’s the home of the Cloud Native Computing Foundation and Kubernetes, which is the Linux of the cloud. And now it’s the home of the Agentic AI Foundation and MCP, which is the Linux of agents. We’re going to keep going.”
Before handing the stage over, Zemlin made a leadership announcement: he is stepping down as interim Executive Director of the AAIF. His replacement is Mazin Gilbert, a PhD who wrote his thesis on neural networks, an MBA from Wharton, and someone who just spent five years building AI solutions at Google. As agentic AI moves from research to enterprise deployment, the AAIF demands fluency in both languages, a requirement that Gilbert fulfills.
The State of the AAIF: Four Months In, Moving Fast – David Nalley, AWS
David Nalley, Governing Board Chair of the AAIF, came to the stage with a slide he’d had to update that morning because the membership count had changed again in the last 48 hours. The AAIF now has 170 member organizations, reached in under four months, which is more than double the membership CNCF had at the same stage of its life.
The most significant milestone was governance. The Technical Steering Committee has now approved a formal project lifecycle policy with three stages (Growth, Impact, and Emeritus), opening the door for external projects to join the foundation for the first time. Since December, Nalley’s inbox had been flooded with teams asking how to bring their projects in. Now there’s a documented answer. The current flagship projects (MCP, Goose, and AGENTS.md) are already in. Whatever comes next, the door is open.
“Open source works when people participate. Come participate with us.” — David Nalley, Governing Board Chair, AAIF
Where MCP Has Been and Where It’s Going – David Soria Parra, Anthropic
David Soria Parra, co-creator of MCP, gave the headline keynote of Day 1. He started with the number that stops people cold: more than 110 million SDK downloads every single month. OpenAI’s agent SDK pulls MCP in as a dependency. So does LangChain.
The reason, he argued, wasn’t that MCP was exceptional. It was that the alternative was untenable. Before MCP, connecting tools to AI systems meant building the same integration M times for N proprietary APIs. People didn’t adopt it because it was hyped, but because the alternative of writing the same integrations over and over was miserable.
What surprised him most about the ecosystem’s growth wasn’t the enterprise deployments. It was the creativity. Someone connected MCP servers to 3D printers. Someone built a Fantasy Premier League MCP server. He loves all of it. But the part that rarely gets talked about is the part he thinks matters most: behind corporate firewalls, teams are connecting MCP to Salesforce, Jira, internal wikis, and Snowflake every single day. These are internal servers connecting AI to the actual systems that get work done. Even at Anthropic, the most-used internal MCP servers are the ones wired to the knowledge base and Slack. Unglamorous but essential. This is where MCP actually lives.
His framing was that 2025 proved MCP was needed, and 2026 is about making it production-ready. He closed by taking on the context bloat criticism head-on. The problem isn’t the protocol; it’s clients naively dumping every tool into context at once. Before Claude Code implemented tool search, MCP tools consumed 22% of a 200k token window. After, essentially zero. “These are very solvable problems. And they’re client problems, not protocol problems.”
“Behind every corporate firewall, we’re quietly wiring MCPs to systems of record and company data all day long. Your Salesforce CRM, your Jira tickets, internal wikis, Snowflake warehouses, HR systems. You never really see or hear about it on Twitter or Hacker News.” — David Soria, MCP Co-creator, Anthropic
What Enterprise MCP Actually Looks Like — Amazon, Uber & Arcade
Three talks across both days painted the clearest picture of what MCP at scale actually requires, and what happens when you get it wrong.
At Amazon, James Hood (Senior Principal Engineer, AWS) described a company with tens of thousands of builders, a toolchain most AI models have never been trained on, and compliance requirements that would give most CTOs nightmares. The unlock: rather than treating MCP and skills as competing choices, Amazon treats both as ingredients in an agent configuration: a first-class primitive teams can create, share, and install. The central registry is a discovery tool and a security tool, categorizing MCP servers against what Hood called the “lethal trifecta” (private data access, untrusted content exposure, and external communication) and scanning agent configurations for dangerous combinations before they cause problems.
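A minimal sketch of the kind of registry scan described above, as an added example rather than Amazon's implementation. The capability labels, server names, and `scan_agent_config` function are all constructed for illustration.

```python
from itertools import combinations

# The three legs of the "lethal trifecta" named in the talk (label names are assumed).
TRIFECTA = frozenset({"private_data", "untrusted_content", "external_comms"})

# Hypothetical registry: each MCP server is labelled with the legs it exposes.
REGISTRY = {
    "hr-records":   {"private_data"},
    "web-fetch":    {"untrusted_content", "external_comms"},
    "ticket-inbox": {"untrusted_content"},
    "send-email":   {"external_comms"},
    "unit-convert": set(),
}

def scan_agent_config(servers, registry=REGISTRY):
    """Return findings for one agent configuration (a list of MCP server names)."""
    # Unregistered servers have no labels, so surface them instead of guessing.
    unknown = sorted({s for s in servers if s not in registry})
    known = sorted({s for s in servers if s in registry})
    covered = set().union(*(registry[s] for s in known)) & TRIFECTA
    culprits = []
    if covered == TRIFECTA:
        # List each minimal set of servers that completes the trifecta by itself,
        # so the owner can see which removal actually breaks the combination.
        for size in range(1, len(known) + 1):
            for combo in combinations(known, size):
                legs = set().union(*(registry[s] for s in combo))
                minimal = not any(set(c) < set(combo) for c in culprits)
                if TRIFECTA <= legs and minimal:
                    culprits.append(combo)
    return {"unknown": unknown, "trifecta": covered == TRIFECTA, "culprits": culprits}

if __name__ == "__main__":
    print(scan_agent_config(["hr-records", "web-fetch", "send-email", "mystery"]))
```

No single server here holds all three legs; the finding only appears when the configuration is evaluated as a whole, which is why the scan runs on agent configurations rather than on individual servers.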
At Uber, Meghana Somasundara and Rush Tehrani came with numbers that reframe what “scale” means: 5,000+ engineers, 10,000+ internal services, 1,500+ monthly active agents, 60,000+ agent executions per week. “MCPs are not just important,” Somasundara said. “They are what make AI usable at Uber.” Their solution was an MCP gateway and registry that auto-translates Uber’s service endpoints into MCP tools by crawling internal files and using an LLM to generate descriptions. Service owners stay in control, but the heavy lifting is automated. Third-party MCP servers go through significantly more rigorous scrutiny than internal ones: a deliberate two-tier trust model. The gateway today powers a no-code agent builder, customer-facing products, and Minions, a background coding agent producing 1,800 code changes per week, used by 95% of Uber’s engineering organization.
At Arcade, Alex Salazar (Founder & CEO) made the point everyone else had been circling without saying directly: you cannot trust an agent to enforce its own policies. The reasoning layer may or may not do the right thing. The control plane has to be correct every single time. He walked through why the two common approaches both fail (service accounts create authorization bypass vulnerabilities, and user credentials don’t scale past a single laptop) and argued for the model that works: the intersection of what the agent is allowed to do AND what the user is allowed to do, checked on every single request. An AND gate, not an OR gate. OAuth 2.1. Not new. But most organizations have authentication without authorization enforcement. That gap is where agents fall through.
“The agent can hallucinate all it wants about robbing a bank. Nobody cares. The only time anybody cares is when it pulls a gun.” — Alex Salazar, Founder & CEO, Arcade
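The AND gate from the Arcade talk, set beside the service-account model it replaces. This is an added example, not Arcade's code; the agent, users, actions, and resource names are constructed.

```python
# Hypothetical policy data. "*" means any resource for that action.
AGENT_POLICY = {   # what each agent may do, set by the platform team
    "support-bot": {("crm.read", "*"), ("tickets.write", "*")},
}
USER_GRANTS = {    # what each human may do, from the system of record
    "alice": {("crm.read", "acct-100"), ("tickets.write", "acct-100")},
    "bob":   {("crm.read", "acct-200")},
}

def _allows(grants, action, resource):
    return (action, resource) in grants or (action, "*") in grants

def service_account_check(agent, user, action, resource):
    """Flawed model: only the agent's identity is checked; the user is ignored."""
    return _allows(AGENT_POLICY.get(agent, set()), action, resource)

def and_gate_check(agent, user, action, resource):
    """Allow only when the agent AND the delegating user are both permitted."""
    return (_allows(AGENT_POLICY.get(agent, set()), action, resource)
            and _allows(USER_GRANTS.get(user, set()), action, resource))

def audit(requests, check):
    """Evaluate each request on its own; grants are re-read on every call."""
    return [check(*req) for req in requests]

# Constructed requests: (agent, user, action, resource)
REQUESTS = [
    ("support-bot", "alice", "crm.read", "acct-100"),       # both sides allow
    ("support-bot", "bob", "crm.read", "acct-100"),         # bob has no access to acct-100
    ("support-bot", "bob", "tickets.write", "acct-200"),    # bob may only read
    ("support-bot", "alice", "crm.delete", "acct-100"),     # agent lacks the action
]

if __name__ == "__main__":
    print("service account:", audit(REQUESTS, service_account_check))
    print("AND gate:       ", audit(REQUESTS, and_gate_check))
```

The second and third requests are the authorization bypass: under the service-account model the agent's broad grant answers for a user who has no such access.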
Your Local MCP Server Is Not as Safe as You Think — Jonathan Leitschuh, Security Researcher
This was the talk that made people uncomfortable in the best possible way.
Jonathan Leitschuh spent his session demonstrating a class of vulnerabilities that has existed in browsers for nineteen years and that almost nobody building MCP servers is protected against. The attack: DNS rebinding. The short version is that a malicious website can use your browser as a proxy to make tool calls against any MCP server running on your local machine. In Chrome, the exploit takes about three seconds.
He walked through a history of the same attack hitting JetBrains IDEs, Zoom, Dell, and Trend Micro. Then he turned to MCP. His tool (MCPwned) successfully made arbitrary tool calls against the official MCP Inspector, Google Cloud Run, Google’s Database Toolbox, Apollo’s GraphQL server, Docker’s MCP gateway, and an AWS Labs MCP server. Docker had published a blog post claiming their gateway was protected. It wasn’t. He disclosed a 0-day in Google’s Database Toolbox from the stage: a vulnerability Google had been aware of for over 90 days without patching.
The fix is not complicated. The MCP specification already includes a warning about this. The TypeScript SDK was patched after his research. But most developers don’t know this is an issue, many SDKs still don’t implement the fix by default, and most browsers don’t reliably prevent it. The practical advice: check your SDK tier, ensure origin header validation is enabled, and don’t assume local means safe.
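What the header check looks like on the server side, as an added example that is not taken from the talk or from any MCP SDK. The port, allow-lists, and sample headers are constructed, and the `Host` check is included alongside the `Origin` check as an assumption about a reasonable default for a loopback-bound server.

```python
PORT = 3000  # assumed port of the local MCP server
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}
# Origins of the local UI that is expected to call this server (assumed).
ALLOWED_ORIGINS = {f"http://localhost:{PORT}", f"http://127.0.0.1:{PORT}"}

def check_request(headers):
    """Return (allowed, reason) for one HTTP request to a loopback-bound server."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    host = h.get("host", "")
    # Split "name:port"; a bare name (or bare "[::1]") implies port 80.
    name, sep, port = host.rpartition(":")
    if not sep or not port.isdigit():
        name, port = host, "80"
    # After a rebind the socket is 127.0.0.1, but the browser still puts the
    # hostname the page was loaded from into Host, so a non-loopback name
    # here means the request did not come from a client addressing us directly.
    if name.lower() not in LOOPBACK_HOSTS or int(port) != PORT:
        return False, "host not loopback"
    origin = h.get("origin")
    if origin is None:
        # Non-browser clients usually send no Origin; Host was already checked.
        return True, "no origin"
    # Covers cross-site pages and the opaque "null" origin of sandboxed frames.
    if origin.lower().rstrip("/") not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    return True, "ok"

# Constructed sample requests (headers only).
SAMPLES = [
    {"Host": "localhost:3000", "Origin": "http://localhost:3000"},
    {"Host": "rebind.attacker.example:3000", "Origin": "http://rebind.attacker.example:3000"},
    {"Host": "127.0.0.1:3000", "Origin": "https://evil.example"},
    {"Host": "127.0.0.1:3000", "Origin": "null"},
    {"Host": "[::1]:3000"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_request(s), s)
```

Run the check before any JSON-RPC body is parsed, and reject with an HTTP error rather than an MCP-level error so a failed request never reaches tool dispatch.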
Context Is the New Code — Ryan Cooke, WorkOS
Ryan Cooke gave a talk that quietly landed harder than most of the technical sessions. His argument: we talk about tools constantly, but what actually determines whether an agent succeeds or fails is context, and almost nobody manages it well.
WorkOS built a context engine: a pipeline that runs before the agent ever reaches an LLM. It resolves who the person behind the agent actually is, understands what resources they can access, and injects precise, task-specific information about how to use the relevant tools. By the time the model gets involved, it already knows what it needs to know. Instructions are loaded lazily, only when the agent is about to invoke the relevant tool, so they don’t bloat the context window. When the task is done, they’re discarded. A shared semantic definition layer (stored as MCP resources) ensures every agent across WorkOS uses the same vocabulary for the same things. What does “sales transaction” mean at WorkOS? One definition. Everywhere.
The Bottom Line
Across two days in New York, the same story emerged from every direction. MCP started as a protocol for connecting AI to tools. It has become the connective tissue of an entirely new way of building software, and the community that showed up is why it happened this fast. The “will it work?” phase is over. The questions now are about production, security, and what comes next. And from what was on stage this week, a lot of people already have answers.
Get involved: Join the AAIF community on Discord, participate in a working group, contribute to MCP, Goose, or AGENTS.md, or submit a project for consideration under the new project lifecycle policy at aaif.io.
MCP Dev Summit is going global — Bengaluru, Mumbai, Seoul, Shanghai, Tokyo, Toronto, Nairobi — plus AgenCon + MCPCon Europe in Amsterdam (September 17–18) and North America (October 22–23).