Progressive Tool Discovery: Using MCP Notifications To Manage Context at Scale - Billy Hickman & Lilia Abaibourova, Amazon

As MCP adoption grows, a challenge emerges: how do you expose 100’s of tools from a single server without overwhelming agent context windows? This talk introduces an MCP tool discovery mechanism we’ve built that dynamically loads tools. The platform works with a single discovery meta-tool on initialization, server-side state management to track agent context, and leveraging streamed MCP’s notifications/tools/list_changed to push relevant tool sets mid-session. Agents declare their problem context (incident response, monitoring etc) and receive only the tools they need, when they need them. Attendees will learn how this pattern keeps context windows lean while maintaining access to a broad tool ecosystem, with real examples showing how a single MCP server can serve diverse agent use cases without tool overload.

22 2

Towards Building Safe & Secure Agentic AI - Dawn Song, UC Berkeley; UC Berkeley Center for Responsible Decentralized Intelligence & Matt White, Linux Foundation/PyTorch Foundation

Recent advancements in agentic AI have unlocked powerful new capabilities, however, they also introduce fundamentally new security risks. In this talk, I present a system-level view of the security landscape of agentic AI, drawing on a comprehensive systematization of attacks and defenses across modern agent architectures.

I show how increasing agent flexibility along different dimensions expands attack surfaces and enables threats such as prompt injection, memory poisoning, unsafe data flows, credential leakage, and unauthorized execution. Using real-world incidents and CVE analyses, I illustrate how agents can be manipulated through external content, compromised tools, or poisoned internal components.

The talk also provides a systematic overview of end-to-end automatic red teaming and risk assessment for agentic AI systems as well as a defense-in-depth framework for building secure agentic systems, spanning runtime guardrails, access control, information-flow tracking, privilege separation, and secure-by-design architectures, helping practitioners assess risk, close security gaps, and deploy agents safely at scale.

0 0

Evolution, Not Revolution: How MCP Is Reshaping OAuth - Aaron Parecki, Okta

The impulse to rewrite the auth stack for AI agents is strong, but we cannot design away the fundamental relationships standards protect. This session explores how MCP is reshaping OAuth—not abandoning it—to meet the ecosystem's unique challenges:

The "Unregistered Client" Problem: Traditional OAuth requires pre-registration. MCP breaks this. We’ll see how Client ID Metadata Documents (CIMD) allow agents to bring their own identities to arbitrary servers, how it improves on Dynamic Client Registration, and how to mitigate the risks of unregistered clients.

Separation of Concerns: Why your MCP server shouldn't be your Authorization Server. We’ll cover how Protected Resource Metadata (RFC 9728) enables dynamic auth server discovery, keeping agents lightweight and security boundaries clean.

Enterprise-Managed Authorization: To stop "click-through fatigue," we’ll introduce the Identity Assertion Authorization Grant. This moves consent to the enterprise policy layer, enabling secure, scalable adoption.

Join me to secure the agent ecosystem—from discovery to governance—not by reinventing the wheel, but by making incremental improvements to the way it turns.

7 0

OCI Images as MCP Packaging: Supply Chain Security for AI Tools - Juan Antonio Osorio, Stacklok

So you found an MCP server on npm that does exactly what you need. You run npx and... now what? One reason people skip security verification for MCP servers is that it's genuinely hard to know what you're actually running. The package works, so why question it?

Here's the thing: MCP servers are getting access to your files, your APIs, your credentials. We should probably know what's in them before we hand over the keys.

In this talk, we'll dig into using OCI containers as the packaging standard for MCP servers - not because containers are trendy, but because they unlock supply chain security constructs that npm and PyPI simply don't have. We'll walk through building repackaging pipelines that verify source packages, run MCP-specific security scans, and produce attestations with Sigstore. Real pipelines, real commands, real output.

Note that this won't solve every trust problem - but it gets us a lot closer to "I know what I'm running" than the current state of affairs.

0 0

Keynote: Enterprise MCP - The Data Plane for Autonomous Agents - Adam Seligman, CTO & Zayne Turner, Developer Advocate, Workato

Connecting agents to tools is the easy part. Governing what they do with that access — what they can reach, under what conditions, with full visibility into what happened — that's the layer most enterprises are still building from scratch.

After 100+ enterprise MCP deployments across finance, HR, IT, and operations, one pattern keeps emerging: every organization is building the same missing layer. Not the model. Not the tools. The data plane that governs how autonomous systems operate inside the enterprise.

Workato CTO Adam Seligman will name the pattern and frame what that layer looks like at scale. Developer Advocate Zayne Turner will open the architecture behind a real deployment — showing how the data plane turns MCP from demo-ready integration into production-ready infrastructure.

Autonomy without control is risky. Data control without autonomy is stagnation. The enterprises that win will build both.

1 0

Keynote: Lessons Learned from Driving Enterprise MCP Adoption - Sheng Liang, CEO, Obot AI

MCP adoption in the enterprise is at an early stage and continues to grow rapidly. In the past year, Obot AI developed MCP gateways, registries, chat clients, and workflows for enterprise customers. In this talk, we will discuss the lessons we learned, the trends we observed, and the developments in MCP technologies we are particularly excited about for driving MCP adoption in the enterprise.

1 0

Keynote: Opening Remarks - Jim Zemlin, Executive Director, Agentic AI Foundation & CEO, The Linux Foundation

0 0

URL Elicitation Deep Dive: Third-party OAuth Solved (and More!) - Nate Barbettini, Arcade.dev

The Nov 2025 release of MCP introduced a new client capability: URL Elicitation. This capability is game-changing for MCP servers that interact with external systems. But don't just take our word for it... Hear it straight from the author of the spec!

In this talk, Nate (lead author of URL Elicitation) will break down the "what" and "why" of this new addition to the protocol. You'll learn about:
- Why it's a mistake to reuse or "pass through" OAuth tokens from one server to another
- The confused deputy problem and other common pitfalls to watch out for
- How URL Elicitation unlocks a secure way for MCP servers to call external services that use OAuth or API keys, require payments, or gather sensitive information
- The correct security patterns for any remote MCP server project today

No need to be a security expert to attend! Nate will break down the problems and solutions in clear, relatable language, and provide crucial guidance for anyone building MCP servers in 2026 and beyond.

1 0

Building a Workflow Engine on MCP: Orchestrating Processes With Tasks - Donnie Adams, Obot AI

What if your workflow engine wasn't just a consumer of MCP servers, but was itself built entirely on the MCP protocol? This talk explores a novel architecture that uses MCP's newest primitives to create a production-ready workflow orchestration system.

We'll demonstrate how MCP's task framework provides natural workflow step management, while sampling enables intelligent decision-making at each stage. You'll see how dynamic tool definition works at both workflow and step levels, allowing workflows to adapt their capabilities on the fly. We'll also cover practical challenges like handling OAuth authentication flows mid-execution and coordinating multiple MCP servers within a single workflow.
Through a real-world case study you'll see how MCP's composability transforms workflow design. Rather than building yet another workflow engine that happens to use MCP tools, we'll show how treating MCP as the foundation protocol unlocks new patterns for distributed, intelligent automation.

Attendees will leave with a deeper understanding of the MCP specification and how the capabilities can be composed to create production-ready workflow applications.

0 0