Part of the allure of Model Context Protocol is that it is so dang easy to build. Successfully using MCP, the open standard for connecting AI assistants to data sources and external tools, requires a lot more effort.
“Connecting is easy,” said Anand Chandrasekaran, principal engineer at Arya Health, a provider of AI agents. “Surviving production is hard.”
Although MCP makes it incredibly fast to hook a large language model (LLM) up to a database, Chandrasekaran said the speed isn’t a victory; it’s a risk. “Speed of implementation usually correlates with speed of exploitation,” he explained. In other words, it is easy to do but risky to use.
Where’s the payoff for CIOs, and how can they achieve it?
Mohith Shrivastava, principal developer advocate at Salesforce, explained that while MCP holds considerable promise for enterprises, realizing its full potential is not straightforward.
“Agentic AI has proven its value for rapid proof-of-concept work and zero-to-one ideation,” he said. “However, taking these powerful workflows from an isolated workstation to a live production environment has been fraught with challenges.”
The hope for MCP servers was to provide increased security, governance and infrastructure for AI agents to operate effectively. Reality falls a bit short of that, he noted, as MCP is not yet enterprise-ready. Work is underway, though, to help overcome MCP shortfalls.
“The true power of remote MCP is realized through centralized ‘agent gateways’ where these servers are registered and managed. This model delivers the essential guardrails that enterprises require,” Shrivastava said.
That said, agent gateways do come with their own caveats.
“While gateways provide security, managing a growing ecosystem of dozens or even hundreds of registered MCP tools introduces a new challenge: orchestration,” he said. “The most scalable approach is to add another layer of abstraction: organizing toolchains into ‘topics’ based on the ‘job to be done.’”
Platforms and ecosystems have evolved to assist with this, including Salesforce’s Agentforce and AgentExchange, among others. While these steps help, there are still issues to be dealt with and obstacles to overcome. Below are five of the top problems to watch for in implementing MCP — and their fixes.
1. Plug and pray: Address security risks in MCP connectivity
The plug-and-play aspect of MCP has become a “plug and pray” problem, Chandrasekaran said. “MCP is just the standard plug; it handles connectivity, not the antivirus or the surge protection,” he said.
The fix: The solution lies in the On-Behalf-Of (OBO) token pattern, which ensures that agents operate under strict identity controls rather than generic service accounts — a “huge risk,” according to Chandrasekaran.
“When I chat with an agent, it should take my SSO token and exchange it for a downstream agent token that mimics my exact identity. If I lose access to a repo in GitHub, the agent’s OBO token should instantly lose access, too,” Chandrasekaran explained. “The bot is just a digital extension of me; it is not a separate superuser.”
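The OBO flow Chandrasekaran describes can be sketched in a few dozen lines. The following is an added illustration written for this article, not code from Arya Health or from any MCP implementation. It uses HMAC-signed, JWT-shaped tokens from the standard library so it runs offline (a real deployment would use an identity provider and asymmetric keys), models the exchange on the RFC 8693 pattern in which the exchanged token keeps the human as `sub` and records the agent in an `act` claim, and has the downstream resource server check the human’s *current* entitlements from a live access list rather than trusting rights frozen into the token. The key name, audience strings, agent ID and ACL shape are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real IdP publishes asymmetric keys via JWKS;
# HMAC is used here only so the example is self-contained.
IDP_KEY = b"idp-signing-key-demo"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict, key: bytes) -> str:
    """Minimal HS256-style JWT (header.payload.signature). Demo only."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify(token: str, key: bytes, audience: str) -> dict:
    """Return the claims only if signature, expiry and audience all check out."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] < time.time():
        raise PermissionError("expired")
    if claims["aud"] != audience:
        raise PermissionError("wrong audience")
    return claims


def issue_sso_token(user: str) -> str:
    """What the IdP hands the human after SSO login (constructed audience)."""
    now = int(time.time())
    return sign({"sub": user, "aud": "agent-gateway", "iat": now, "exp": now + 3600}, IDP_KEY)


def exchange_for_obo(sso_token: str, agent_id: str, audience: str) -> str:
    """Token exchange in the spirit of RFC 8693: the agent receives a short-lived
    token whose subject is still the human; the agent is recorded as the actor."""
    user = verify(sso_token, IDP_KEY, "agent-gateway")
    now = int(time.time())
    return sign({
        "sub": user["sub"],             # identity stays the human's, not a service account
        "act": {"sub": agent_id},       # delegation chain: who is acting on their behalf
        "aud": audience,                # bound to one downstream server
        "iat": now,
        "exp": now + 300,               # minutes, not hours
    }, IDP_KEY)


def authorize(token: str, resource: str, acl: dict[str, set[str]]) -> bool:
    """Resource server side: verify the token, then check the *subject's* current
    rights against the live ACL. Rights are never baked into the token, so
    revoking the human revokes the agent with the same token in hand.
    Hypothetical ACL shape: {resource: {user, ...}}."""
    claims = verify(token, IDP_KEY, "github-mcp")
    return claims["sub"] in acl.get(resource, set())


def demo() -> tuple[bool, bool]:
    """Constructed scenario: alice loses repo access while the agent's OBO token is still valid."""
    acl = {"repo:payments": {"alice"}}
    sso = issue_sso_token("alice")
    obo = exchange_for_obo(sso, "agent:mcp-coder", "github-mcp")
    before = authorize(obo, "repo:payments", acl)   # True: alice may access the repo
    acl["repo:payments"].discard("alice")            # alice is removed from the repo
    after = authorize(obo, "repo:payments", acl)     # False: same token, access gone
    return before, after
```

Two properties carry the weight here: the downstream server authorizes on `sub` (the human) with a live lookup, and the OBO token is audience-bound and short-lived, so the human’s SSO token itself is refused at the resource server and a leaked agent token is worth little.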
2. Tool overload: Manage LLM access to external tools
Another major issue is an LLM tool overload, which increases the “risk of hallucinations and misuse,” said Dominik Tomicevic, CEO of Memgraph, an open source graph database built for real-time streaming.
“When a large language model is granted access to multiple external tools via the protocol, there is a significant risk that it may choose the wrong tool, misuse the correct one, or become confused and produce nonsensical or irrelevant outputs, whether through classic hallucinations or incorrect tool use,” he explained.
The fix: Tomicevic recommended limiting tool access at two levels.
“To mitigate this, CIOs should, at the policy level, expose only the most relevant tools for each task, minimizing potential confusion; dynamically enable or disable tools based on immediate task requirements; and encourage breaking complex objectives into smaller subtasks, each paired with a curated set of options,” he said.
“At the implementation level, developers should provide rich context about each tool’s function, its constraints and the data it can access, and enforce least-privilege access and strong guardrails,” Tomicevic added.
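Shrivastava’s “topics” and Tomicevic’s two-level fix point at the same mechanism: the gateway decides which tool descriptors a given task sees, and each descriptor carries enough context and constraint for the model to use it correctly. The example below is an added illustration for this article, not code from Salesforce, Memgraph or the MCP project. It keeps a small constructed registry of tools, each tagged with a topic, the scopes it requires and a JSON Schema in the shape MCP uses for `inputSchema`, and builds a per-task tool list that exposes only the topic’s tools, only those the caller’s scopes permit, minus anything operators have disabled. Tool names, topics and scope strings are invented for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tool:
    name: str
    description: str            # rich context: purpose, constraints, data touched
    input_schema: dict          # JSON Schema, exposed to the model as MCP `inputSchema`
    required_scopes: frozenset  # least privilege: caller must hold every scope listed
    topic: str                  # the "job to be done" this tool belongs to


# Constructed registry. Descriptions state what the tool does, what it will not
# do and what data it reaches, so the model is not left to guess.
REGISTRY = (
    Tool(
        "search_logs",
        "Full-text search over application logs. Read-only. Returns at most 50 "
        "lines; PII fields are redacted server-side.",
        {"type": "object",
         "properties": {"query": {"type": "string", "maxLength": 256},
                        "limit": {"type": "integer", "minimum": 1, "maximum": 50}},
         "required": ["query"]},
        frozenset({"logs:read"}), "incident-triage"),
    Tool(
        "get_service_owner",
        "Look up the on-call owner of a service from the service catalog. Read-only.",
        {"type": "object",
         "properties": {"service": {"type": "string", "maxLength": 64}},
         "required": ["service"]},
        frozenset({"catalog:read"}), "incident-triage"),
    Tool(
        "restart_service",
        "Restart one service instance. Mutating; requires an approved change ticket.",
        {"type": "object",
         "properties": {"service": {"type": "string"}, "ticket": {"type": "string"}},
         "required": ["service", "ticket"]},
        frozenset({"deploy:write"}), "incident-remediation"),
    Tool(
        "export_customer_table",
        "Bulk export of customer records. Contains PII; subject to retention policy.",
        {"type": "object",
         "properties": {"segment": {"type": "string"}},
         "required": ["segment"]},
        frozenset({"pii:export"}), "analytics"),
)


def tools_for(topic: str, caller_scopes: frozenset, disabled: frozenset = frozenset()) -> list[dict]:
    """Build the tools/list response for one task.

    Only this topic's tools are offered, only those the caller's scopes permit,
    and anything operators have switched off for the moment is left out.
    """
    return [
        {"name": t.name, "description": t.description, "inputSchema": t.input_schema}
        for t in REGISTRY
        if t.topic == topic
        and t.required_scopes <= caller_scopes
        and t.name not in disabled
    ]


def tool_names(topic: str, caller_scopes: frozenset, disabled: frozenset = frozenset()) -> list[str]:
    return [t["name"] for t in tools_for(topic, caller_scopes, disabled)]
```

A triage agent holding `logs:read` and `catalog:read` sees two read-only tools and never learns that `restart_service` or `export_customer_table` exist; dropping a scope or disabling a tool shrinks the list without any change to the model prompt.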
3. Multi-agent traffic jams: Scaling challenges in MCP environments
MCP’s scaling limits also present a huge obstacle. The scaling limits exist “because the protocol was never designed to coordinate large, distributed networks of agents,” said James Urquhart, field CTO and technology evangelist at Kamiwaza AI, a provider of products that orchestrate and deploy autonomous AI agents.
MCP works well in small, controlled environments, but “it assumes instant responses between agents,” he said — an unrealistic expectation once systems grow and “multiple agents compete for processing time, memory or bandwidth.”
Without built-in queuing, scheduling or structured message-passing, “agents can overwhelm shared resources, create unpredictable behavior and generate inconsistent performance,” he said.
The fix: Don’t abandon MCP — strengthen both the protocol and the orchestration infrastructure around it.
“Enterprises should add explicit scheduling, prioritization and queuing mechanisms to prevent agents from competing chaotically for resources,” Urquhart said. “They should also introduce shared metadata models, schemas and coordination APIs that enforce predictable patterns of interaction across systems.”
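What “explicit scheduling, prioritization and queuing” looks like in front of a shared MCP server can be shown with a small dispatcher. The following is an added example written for this article, not code from Kamiwaza AI or from the MCP specification. It is a bounded priority queue with a per-agent in-flight cap: a burst from one chatty agent is admitted only up to the queue bound (the caller is told to back off rather than the server being flooded), a higher-priority agent arriving later is served first, and no single agent can hold more than its share of the server’s capacity at once. Agent names, tool names and priorities are constructed.

```python
import heapq
import itertools
from dataclasses import dataclass, field


@dataclass(order=True)
class Call:
    priority: int                       # lower number is served first
    seq: int                            # arrival order breaks ties (FIFO within a priority)
    agent: str = field(compare=False)
    tool: str = field(compare=False)


class GatewayScheduler:
    """Bounded priority queue in front of a shared MCP resource.

    max_queue        back-pressure instead of unbounded growth
    per_agent_limit  no single agent may monopolise the server
    """

    def __init__(self, max_queue: int, per_agent_limit: int):
        self.max_queue = max_queue
        self.per_agent_limit = per_agent_limit
        self._heap: list[Call] = []
        self._seq = itertools.count()
        self._inflight: dict[str, int] = {}

    def submit(self, agent: str, tool: str, priority: int) -> bool:
        """Return False (caller should back off and retry) when the queue is full."""
        if len(self._heap) >= self.max_queue:
            return False
        heapq.heappush(self._heap, Call(priority, next(self._seq), agent, tool))
        return True

    def dispatch(self, capacity: int) -> list[Call]:
        """Take up to `capacity` calls in priority order, honouring the per-agent cap.
        Calls whose agent is already at its cap are kept for a later round."""
        chosen: list[Call] = []
        deferred: list[Call] = []
        while self._heap and len(chosen) < capacity:
            call = heapq.heappop(self._heap)
            if self._inflight.get(call.agent, 0) >= self.per_agent_limit:
                deferred.append(call)
                continue
            self._inflight[call.agent] = self._inflight.get(call.agent, 0) + 1
            chosen.append(call)
        for call in deferred:
            heapq.heappush(self._heap, call)
        return chosen

    def complete(self, call: Call) -> None:
        """Release the agent's in-flight slot once the server has answered."""
        self._inflight[call.agent] -= 1

    def pending(self) -> int:
        return len(self._heap)


def demo() -> tuple[list[str], int, int]:
    """Constructed burst: a crawler floods the gateway, an on-call agent arrives last."""
    sched = GatewayScheduler(max_queue=6, per_agent_limit=2)
    for _ in range(5):
        sched.submit("crawler", "search", priority=5)
    sched.submit("oncall-agent", "query_incident", priority=1)
    rejected = not sched.submit("crawler", "search", priority=5)   # seventh call: queue full
    batch = sched.dispatch(capacity=4)
    order = [c.agent for c in batch]          # on-call first, then at most two crawler calls
    return order, sched.pending(), int(rejected)
```

The seventh submission is refused outright, the on-call agent jumps the five earlier crawler calls, and only two crawler calls run at once even though the server had capacity for four; the other three wait in the queue until `complete()` frees a slot.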
4. Production gaps: Bridge the gap between testing and live systems
Perhaps the biggest challenge with MCP is the gap between a working server and a working system, according to Nuha Hashem, co-founder and CTO at Cozmo AI and a Y Combinator founder. Reliability, she explained, depends on how each request is shaped and how the access rules behave under live traffic.
“An AI agent needs a narrow prompt and a defined scope, or it starts to guess at intent. That guesswork is where regulated teams run into trouble, because the result lacks the policy context needed to guide a safe step. The server may respond; the decision may not hold up when reviewed,” Hashem explained.
At least the issue is recognizable. “When MCP systems drift, the pattern is almost always the same,” she said. Inevitably, the agent pulls in more data than the task needs, and the reply loses focus.
“Reviews take longer, and people have a harder time seeing why the system moved in a certain direction,” she said.
The fix: Hashem advised tightening the scope of the agent tasks. “Teams do that by limiting the agent to a small slice of data and asking for a short reply. That gives the company a clearer view of what was asked and what came back, which is the part that keeps the work manageable,” Hashem said.
5. Security — what security? Bolster MCP governance and compliance
Exposing internal data to agents through MCP is a hair-raising exercise.
“MCP doesn’t inherently understand permission boundaries, lineage, compliance constraints or data minimization requirements,” said Nik Kale, principal engineer and product architect at Cisco Systems. Indeed, once an agent is connected to your internal systems, nothing in the protocol itself constrains what it does there.
“You have to worry about whether it is pulling the right data, the right amount of data and whether it’s doing so in a way that aligns with regulatory or audit expectations,” Kale said.
In short, MCP is promising, but enterprises should recognize that it is not yet an enterprise-ready abstraction, he explained. “It becomes powerful only when surrounded by governance, safety and resilience layers that MCP itself does not provide,” he said.
Echoing other experts in this article, Kale also emphasized that building the MCP is the easy part. “The hard part is building the guardrails that make AI agents behave predictably and safely at scale,” he said.
While security professionals are working diligently to secure MCP servers, the task is far from complete. Unfortunately, there are no easy or pat fixes for this problem.
Proceed with caution
MCP offers immense potential for connecting AI agents to tools and data, but its speed and simplicity come with significant risks.
Henrik Plate, a security researcher at Endor Labs, explained that developers often rely on sensitive APIs, which demand strict controls to prevent MCP security vulnerabilities. The rise in the number of CVEs — publicly disclosed security flaws — and the emergence of malicious MCP servers underscore the need for caution, he said, advising that “the adoption of this technology must not be rushed, but follow common security best practices, especially in enterprise contexts.”