The Model Context Protocol (MCP) is an open standard that enables developers to build secure, two-way connections between their data sources and AI-powered tools. The architecture is straightforward: developers can either expose their capabilities through MCP servers or build AI applications (MCP clients) that connect to these servers. It will accelerate the evolution of agentic commerce (a-commerce).
What is MCP?
MCP was originally developed by Anthropic but is now also supported by OpenAI. In March, OpenAI CEO Sam Altman said that OpenAI will add support for MCP across its products, including the desktop app for ChatGPT. Other companies, including Block and Apollo, have added MCP support for their platforms. The protocol itself allows AI models to bring in data from a variety of sources so that developers can build two-way connections between data sources and AI-powered applications, such as chatbots.
(For the technically minded: Developers expose capabilities through MCP servers and agents can then use MCP clients to connect to those servers on command. Agents query the servers to see what tools are available. The server provides metadata so that the agent knows how to use the tools. When the agent decides to use a tool, it sends a tool call request in a standardized JSON format.)
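The discovery and tool-call exchange described in that parenthesis, as an added example that is not part of the original article and not the official MCP SDK: a toy in-process server answers the two JSON-RPC 2.0 methods involved (`tools/list` and `tools/call`), and a client uses the returned metadata to call the tool. The single `geocode` tool, its schema and the canned coordinate lookup are constructed for the demo.

```python
"""Toy MCP-style server and client (added example, not the official SDK).
The 'geocode' tool, its schema and the coordinate table are constructed."""
import json

# --- server side ---------------------------------------------------------
# Constructed tool catalogue. MCP servers advertise the same shape: a name,
# a description and a JSON Schema for the arguments ("inputSchema").
TOOLS = {
    "geocode": {
        "name": "geocode",
        "description": "Convert a street address to latitude/longitude.",
        "inputSchema": {
            "type": "object",
            "properties": {"address": {"type": "string"}},
            "required": ["address"],
        },
    }
}

# Constructed lookup table standing in for a real geocoding backend.
FAKE_GEOCODER = {"10 Downing Street, London": (51.5034, -0.1276)}


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def _result(req_id, result):
    return {"jsonrpc": "2.0", "id": req_id, "result": result}


def handle_request(raw: str) -> str:
    """Serve one JSON-RPC 2.0 request (a JSON string) and return the reply."""
    try:
        req = json.loads(raw)
    except json.JSONDecodeError:
        return json.dumps(_error(None, -32700, "Parse error"))
    req_id, method = req.get("id"), req.get("method")
    params = req.get("params") or {}

    if method == "tools/list":
        # Discovery: the client learns which tools exist and how to call them.
        return json.dumps(_result(req_id, {"tools": list(TOOLS.values())}))

    if method == "tools/call":
        name, args = params.get("name"), params.get("arguments") or {}
        if name not in TOOLS:
            return json.dumps(_error(req_id, -32602, f"Unknown tool: {name}"))
        # Validate the arguments against the advertised schema before doing any work.
        missing = [k for k in TOOLS[name]["inputSchema"]["required"] if k not in args]
        if missing or not isinstance(args.get("address"), str):
            return json.dumps(_error(req_id, -32602, f"Invalid arguments, missing {missing}"))
        coords = FAKE_GEOCODER.get(args["address"])
        if coords is None:
            # Tool-level failures are reported inside the result via isError,
            # not as protocol errors, so the agent can reason about them.
            content = [{"type": "text", "text": "address not found"}]
            return json.dumps(_result(req_id, {"content": content, "isError": True}))
        content = [{"type": "text", "text": json.dumps({"lat": coords[0], "lng": coords[1]})}]
        return json.dumps(_result(req_id, {"content": content, "isError": False}))

    return json.dumps(_error(req_id, -32601, f"Method not found: {method}"))


# --- client side ---------------------------------------------------------
def discover_tools(send) -> list:
    """Ask the server which tools it offers; `send` transports one JSON string."""
    reply = json.loads(send(json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/list"})))
    return [t["name"] for t in reply["result"]["tools"]]


def call_tool(send, name: str, arguments: dict) -> dict:
    """Issue a tools/call request in the standard shape and return the parsed reply."""
    req = {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
           "params": {"name": name, "arguments": arguments}}
    return json.loads(send(json.dumps(req)))


if __name__ == "__main__":
    print(discover_tools(handle_request))
    print(call_tool(handle_request, "geocode", {"address": "10 Downing Street, London"}))
```

The `send` parameter stands in for whatever transport carries the messages (stdio or HTTP in real deployments); passing `handle_request` directly keeps the demo in one process. Note the two failure channels: malformed or unknown calls are JSON-RPC errors, while a tool that ran but could not satisfy the request reports `isError` in its result.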
Why is this important? It is because it provides a standardized way for tools and agents to communicate and exchange context about users, tasks, data, and goals and offers:
Interoperability: MCP allows different AI models, assistants, and external applications to share context, making it easier to integrate multiple AI-powered tools and services;
Coordination: MCP helps orchestrate tasks between various AI agents and external apps, ensuring they work together smoothly without duplicating work or requiring repeated user input;
An Ecosystem: A standard like MCP enables third-party developers to build plug-ins or tools that can easily “speak the same language” as AI assistants, accelerating ecosystem growth.
Just as an example, take a look at the Google Maps MCP server. This currently offers seven capabilities: converting an address to coordinates (and vice versa), searching for places, getting detailed information about a place, working out the distances between places (along with travel duration), getting elevation data and, of course, getting directions.
Who cares about MCP? Well, many organisations (including retailers, banks and others) want to develop their own AI capabilities so that their agents can interact with their customers’ agents. Look at retail as an example. Hari Vasudev, CTO of Walmart’s US business, says they will be building agents of their own to interact with the consumers’ agents to provide recommendations or additional product information, while the consumer agents could provide the retailer agents with information about preferences and so on.
Banks, retailers and others want customers’ agents to engage with their own agents rather than use web pages or APIs to get the services that they want. Frank Young summarises this dynamic well, suggesting that organisations provide APIs to support simple flows (e.g., subscriptions) using current infrastructure but, for agentic commerce’s frontier (negotiation, fraud response, optimisation), implement MCP servers to capture these complex, high-value scenarios.
MCP Security Not Solved
I find this vision of agentic commerce really exciting but in order to realise the benefits, it is important that we have the necessary infrastructure to make it safe, secure and cost-effective. MCP does not define a standard mechanism for servers and clients to mutually authenticate (is that Walmart’s agent? is that Dave Birch’s agent?) and nor does it set out how to delegate authentication with APIs (so that my agent can use open banking). One way to fix this would be for the MCP server to validate agent credentials against some form of registry, a rudimentary KYC for AI so that only trusted agents get in. This could be a precursor to a more sophisticated Know-Your-Agent (KYA) infrastructure.
As MCP servers are managed by independent developers and contributors, there is no centralised platform to audit, enforce, or validate security standards. This decentralised model increases the likelihood of inconsistencies in security practices, making it difficult to ensure that all MCP servers adhere to secure development principles. Moreover, the absence of a unified package management system for MCP servers complicates the installation and maintenance process, increasing the likelihood of deploying outdated or misconfigured versions. The use of unofficial installation tools across different MCP clients further introduces variability in server deployment, making it harder to maintain consistent security standards.
MCP also lacks a standardised framework for authenticating counterparties and for authorisation; it has no mechanism to verify identities or regulate access, without which it is difficult to enforce granular permissions. Since MCP lacks a permissions model and relies on OAuth, a session with a tool is either accessible or completely restricted and, as Andreessen Horowitz points out, this will add complexity as more agents and tools are introduced. Something more will therefore be needed, and one candidate is what is known as a policy decision point (PDP): a component that evaluates access control policies. Given inputs such as the identity of the actor, the action, the resource and the context, it decides whether to permit or deny the operation.
Mike Schwartz, founder of cybersecurity startup Gluu, asserts that while PDPs were once heavyweight infrastructure running on servers or mainframes, PDPs using the Cedar open-source policy language are small and fast enough to run embedded in a mobile application, and should evolve into an essential component of the agentic AI stack. In 2024 AWS announced the Cedar policy syntax after extensive scientific research on the topic of automated reasoning. Importantly, Cedar is deterministic: given the same input you will always get the same answer. Determinism in security is required to build trust, which requires doing the same thing over and over. An embeddable Cedar-based PDP, as Mike says, checks all the boxes for agentic AI.
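The two gates discussed in this section, the registry check on agent credentials (the rudimentary KYC-for-AI idea above) and a deterministic, embedded PDP that decides on principal, action, resource and context, as one added example that is not from the article, from Gluu or from AWS, and is not Cedar itself: the policy model below copies Cedar’s default-deny and forbid-overrides-permit semantics in plain Python so the evaluation is reproducible. The agent registry, the HMAC-signed credential format, the policies, the `SPEND_CAP` limit and the `merchant` and `amount` argument names are all constructed for the demo.

```python
"""Added example: a registry check plus an embedded, deterministic PDP in
front of MCP tool calls. Not Cedar; a simplified model of its semantics.
Registry, credential format, policies and limits are all constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

SECRET = b"demo-registry-key"  # constructed; a real registry would issue signed, expiring credentials

# Constructed "Know-Your-Agent" registry: agent id -> attributes the PDP may reason about.
AGENT_REGISTRY = {
    "agent:dave-birch": {"owner": "dave", "trust_tier": "verified"},
    "agent:unknown-bot": {"owner": "?", "trust_tier": "unverified"},
}


def issue_credential(agent_id: str) -> str:
    """Registry side: bind an agent id to an HMAC so tampering is detectable."""
    sig = hmac.new(SECRET, agent_id.encode(), hashlib.sha256).hexdigest()
    return f"{agent_id}.{sig}"


def verify_credential(token: str):
    """Server side: return (agent_id, attributes) for a registered, untampered token, else None."""
    agent_id, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, agent_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    attrs = AGENT_REGISTRY.get(agent_id)
    return None if attrs is None else (agent_id, attrs)


@dataclass(frozen=True)
class Policy:
    """One rule. None in a slot means 'any'; `when` holds equality conditions on context."""
    effect: str                            # "permit" or "forbid"
    principal: Optional[str] = None        # agent id
    action: Optional[str] = None           # MCP tool name
    resource: Optional[str] = None         # what the tool acts on
    when: dict = field(default_factory=dict)

    def matches(self, principal, action, resource, context) -> bool:
        for want, got in ((self.principal, principal), (self.action, action), (self.resource, resource)):
            if want is not None and want != got:
                return False
        return all(context.get(k) == v for k, v in self.when.items())


# Constructed policy set: read-only tools for any verified agent; ordering for
# one agent at one merchant within its spend cap; an explicit forbid above the cap.
POLICIES = [
    Policy("permit", action="geocode", when={"trust_tier": "verified"}),
    Policy("permit", action="get_directions", when={"trust_tier": "verified"}),
    Policy("permit", principal="agent:dave-birch", action="place_order",
           resource="store:walmart", when={"amount_ok": True}),
    Policy("forbid", action="place_order", when={"amount_ok": False}),
]

SPEND_CAP = 400  # constructed per-agent limit, whole currency units


def decide(policies, principal, action, resource, context) -> str:
    """Deterministic evaluation: any matching forbid wins, then any matching permit, else deny."""
    applicable = [p for p in policies if p.matches(principal, action, resource, context)]
    if any(p.effect == "forbid" for p in applicable):
        return "deny"
    if any(p.effect == "permit" for p in applicable):
        return "permit"
    return "deny"


def authorize_tool_call(token: str, request: dict) -> dict:
    """Gate one MCP tools/call request: registry check first, then the PDP."""
    ident = verify_credential(token)
    if ident is None:
        return {"decision": "deny", "reason": "credential failed registry check"}
    agent_id, attrs = ident
    params = request.get("params") or {}
    action = params.get("name")
    args = params.get("arguments") or {}
    resource = args.get("merchant", "*")          # constructed argument name
    context = {
        "trust_tier": attrs["trust_tier"],
        "amount_ok": args.get("amount", 0) <= SPEND_CAP,  # constructed argument name
    }
    decision = decide(POLICIES, agent_id, action, resource, context)
    return {"decision": decision, "reason": f"{agent_id} -> {action} on {resource}"}


if __name__ == "__main__":
    tok = issue_credential("agent:dave-birch")
    order = {"jsonrpc": "2.0", "id": 7, "method": "tools/call",
             "params": {"name": "place_order", "arguments": {"merchant": "store:walmart", "amount": 350}}}
    print(authorize_tool_call(tok, order))
```

Because the decision depends only on the policy data and the four inputs, the same request always yields the same answer, which is the determinism property the section calls for; it also means an auditor can replay a logged request against the policy set and get the recorded decision.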
A New Start With MCP
This is not just another kind of e-commerce. As Jamie Smith points out, when you tell your agent “Find me a hotel in Paris under $400 with a view of the Eiffel Tower” it doesn’t just go off to Google and search. It packages the request up with your verified credentials (from your digital wallet), payment preferences, loyalty schemes (etc) with constraints like price cap, date ranges and loyalty programs. This is the “structured context payload” that goes to the various travel sites who have the capabilities to respond to, and interact with your agent.
Unlike e-commerce, built on an internet that never had a security layer (so no digital money and no digital identity), a-commerce will be built on an infrastructure that delivers real security to market participants. Putting this secure infrastructure in place is a fantastic opportunity for fintechs and other startups who want to provide digital money and digital identity as core components. As the identification, authentication and authorisation mechanisms around MCP are standardised, there is no reason not to expect the rapid acceleration of a-commerce across the mass market.