By ByteBot
When Every AI Giant Agrees on Something, Pay Attention
Anthropic donated the Model Context Protocol (MCP) to the newly formed Agentic AI Foundation under the Linux Foundation in December 2025, alongside founding contributions from OpenAI and Block. The protocol has been adopted by every major AI platform—Claude, ChatGPT, Copilot, Gemini—and hit 97 million monthly SDK downloads just one year after launch. Platinum members funding the foundation read like an AI industry phone book: AWS, Anthropic, Block, Bloomberg, Cloudflare, Google, Microsoft, and OpenAI, each paying $350,000 annually for voting power and board seats.
On the surface, it’s a rare moment of industry collaboration on open standards. Look closer, and the power dynamics get more interesting.
What MCP Actually Solves
Before MCP, connecting AI models to external tools and data sources meant building custom integrations for every combination—the “N×M problem” in developer terms. Each AI platform needed its own connector for Slack, GitHub, databases, whatever. MCP provides a universal protocol: write an MCP server once, and it works across any MCP-compatible platform.
The adoption numbers back this up. Over 10,000 MCP servers exist, with Block building their internal “Goose” agent entirely on MCP architecture and Bloomberg adopting it organization-wide, reducing deployment time from days to minutes. When Bloomberg engineers originally built an internal alternative, they switched to Anthropic’s protocol after realizing its potential. That tells you something.
For developers, the value proposition is straightforward: genuine interoperability. Build your MCP server, and it runs on Claude, ChatGPT, Copilot, Gemini, VS Code, Cursor—any platform supporting the protocol. This is the kind of tooling standardization we haven’t seen in AI until now.
The Governance Question No One’s Asking
The Linux Foundation donation positions MCP under “neutral governance,” but when all eight platinum members—the ones with voting power and board seats—are AI vendors, the neutrality claim deserves scrutiny. We’ve seen this pattern before: Google with Chrome/Chromium and Android/AOSP, Meta with React. Donate a technology to an “open” foundation after it already has market momentum, claim neutrality, then benefit from ecosystem adoption while maintaining implementation advantage.
Linux Foundation’s Jim Zemlin argues funding doesn’t equal control, pointing to technical steering committees where no single member dominates. Fair point. There’s genuine value in preventing fragmentation—better one open standard than five proprietary alternatives. But the first major conflict between platinum members will reveal whether the governance model actually works or whether deeper pockets win.
Is this collaboration or consolidation? That’s not rhetorical. Time will tell.
Security Risks Are Not Theoretical
MCP’s adoption has outpaced its security hardening, and the vulnerabilities are real. Tool poisoning occurs when attackers embed malicious instructions in MCP tool descriptions—the metadata LLMs use to decide which tools to invoke. Worse, hosted MCP servers can change tool definitions after user approval, creating “rug pull” scenarios.
Prompt injection through MCP isn’t just an information leak risk. Security researchers demonstrated a SCADA attack where hidden instructions in a PDF led to industrial equipment damage through an agent’s legitimate credentials and MCP integration. This transforms prompt injection from a data problem into an operational threat with physical consequences.
Mitigation, as security researchers emphasize, requires architecture, not optimism. Trust boundaries, context isolation, output verification, strict tool-call validation, least-privilege design, and continuous red teaming aren’t optional for production MCP deployments. As enterprise adoption accelerates in 2026, the attack surface expands.
What Developers Should Actually Do
MCP solves real integration problems, and the ecosystem momentum makes it the de facto standard for agent-to-tool connections. That’s valuable infrastructure. But adopting it responsibly means understanding the tradeoffs.
Build with MCP where it reduces complexity, but architect defensively. Implement trust boundaries between MCP servers and critical systems. Validate tool calls strictly—don’t trust metadata blindly. Apply least-privilege permissions to MCP servers. Stay current on emerging vulnerabilities.
The Linux Foundation governance model is a work in progress, not a solved problem. These companies benefit from ecosystem adoption, and the foundation structure doesn’t change that reality. Judge MCP by what it does, not what it claims. The protocol itself is useful; the power dynamics around it deserve watching.
The MCP Dev Summit in New York on April 2-3, 2026 will provide a clearer picture of where the community and governance head next. Until then, use the protocol where it makes sense, but keep your eyes open about who’s steering the ship.
