Skip to main content

The #1 agentic semantic tool search: 91.6% first-try accuracy on S1 Search Bench Explore Tool Discovery

Guillaume Lebedel Guillaume Lebedel · · 5 min read
The New MCP Spec Won't Get Your Agents Into Production

The New MCP Spec Won't Get Your Agents Into Production

Table of Contents

The Model Context Protocol just shipped its 2026-07-28 release candidate, and most of it is what production teams have been asking for. It also won’t move a single agent from pilot to production.

Both things are true. The spec got better at the layer it owns, and that layer was never the one blocking enterprise rollouts.

About 97% of companies say they deployed an AI agent in the past year. Roughly 11% run one in production at real scale. The rest sit in what analysts now call pilot purgatory: built, demoed, funded, and quietly never shipped. The new spec sits on the wrong side of that gap.

The protocol grew up

The release candidate is a genuine step forward, and it’s worth reading in full if you build on MCP.

The headline change is a stateless core. The spec removes the initialization handshake and session management, so any request can land on any server instance. No sticky routing, no shared session store. That alone makes MCP servers far easier to run on ordinary HTTP infrastructure.

There’s real authorization work too. Clients now validate the issuer per RFC 9207, and the spec aligns more closely with OAuth 2.1 and OpenID Connect. If you’re standing up agent auth properly, owning the OAuth app matters more than the shared-app shortcut, a point worth reading on why you should register and own your own OAuth app.

Then there’s a formal deprecation policy. Features move through Active, Deprecated, and Removed, with at least twelve months between deprecation and the earliest possible removal. Roots, Sampling, and Logging are already deprecated. A versioned protocol with a removal clock is the kind of boring guarantee you want before you bet a roadmap on it.

New extensions round it out: Tasks for long-running work, and MCP Apps for server-rendered UI inside a sandboxed iframe. MCP keeps doing what it does well, which is wrap your APIs in a consistent shape an agent can discover at request time, a tradeoff we wrote up after what 200+ connector builds taught us about MCP versus direct APIs.

What it deliberately doesn’t cover

Read the spec for the part most teams actually need, and it isn’t there.

Diagram comparing what the MCP spec standardizes (transport, auth handshake, tool description, lifecycle) versus the execution and governance decisions left to the deployer (which action is allowed, who approved a write, what was logged)

The spec standardizes how a tool is described, how it’s called, and how that call is transported. It says nothing about whether a given agent should run a given action against a given system of record. That’s by design, not an oversight. The protocol is the wire format; authorization belongs to the deployer.

For a functional lead wiring a copilot into Workday, or a developer shipping an internal finance-ops agent, three questions decide whether the thing reaches production:

  • which actions this agent is allowed to run, and against which account
  • who approved a write to a system of record, and how
  • what was logged, and whether you can still query it six months later

None of those have a field in the protocol. And the most common answer to the second one, a human approval prompt, doesn’t hold up under volume. Approval clicks degrade with attention, which is why guardrails belong in scoped credentials, not approval prompts.

Why rollouts stall here, not at the model

The model is rarely the reason an agent stays in a pilot.

Bar chart: about 97% of companies deployed an AI agent in the past year, while roughly 11% run one in production at scale

A demo runs on clean inputs and a cooperative operator. Production runs against real systems of record, real permissions, and an auditor who will eventually ask what the agent did and on whose authority. The gap between those two worlds is operational, and a smarter protocol or a smarter model doesn’t close it.

This is the execution and governance layer: the part that decides what an agent is allowed to do, enforces it on every call, and keeps a record. It’s the work that doesn’t fit in the spec, and it’s exactly where most enterprise agents get stuck.

The layer the spec leaves to you

That’s the layer we build at StackOne, because we kept hitting it ourselves.

An agent connects once and then acts as itself, not as a shared admin key. Each end-user connection gets its own scoped account, and read, write, and delete are granted separately rather than as a single blanket grant. Every call runs through a permission check in under a millisecond across 420+ systems, and every action is logged. When the auditor asks which record the agent changed, when, and under what authority, the answer is a query, not a forensic project.

None of that competes with MCP. The protocol still describes and transports the tool call. The execution and governance layer decides whether that call should happen and writes down that it did. They sit at different layers, and a mature spec at one layer doesn’t fill the other.

Before you wire the next agent

If you own an agent rollout, the spec upgrade is a reason to revisit the layer it doesn’t touch. Decide per-action scope before the agent ever calls a system of record. Replace the human approval click with a structural limit the agent can’t talk its way past. And stand up an audit log you can actually query, because a six-month answer can’t be backfilled after an incident.

The protocol layer is in good hands. The layer that gets agents to production is still yours to build. If you want to see how per-action scoping and audit logging work in practice, the StackOne docs walk through the account model and what gets recorded on every call.

Frequently Asked Questions

What does the 2026-07-28 MCP specification change?
The 2026-07-28 MCP release candidate introduces a stateless core (the initialization handshake and session management are removed, so any request can land on any server instance), OAuth 2.1 / OpenID Connect authorization hardening with RFC 9207 issuer validation, a formal deprecation policy with at least twelve months between deprecation and removal, and new extensions including Tasks and MCP Apps. The final specification publishes July 28, 2026.
Does the MCP spec handle agent authorization?
No. The MCP specification standardizes how a tool is described, called, and transported. It does not decide whether a given agent should run a given action against a given system of record, who approved a write, or what gets logged. That authorization and audit work is left to the deployer — it lives at the execution and governance layer, not in the protocol.
Why do most enterprise AI agents fail to reach production?
Roughly 97% of companies report deploying an AI agent in the past year, but only about 11% run one in production at real scale (WRITER 2026 Enterprise AI survey; McKinsey 2026). The gap is operational, not a model problem: production requires per-action scope, a structural approval model, and an audit log you can query months later — controls the protocol layer does not provide.
How does StackOne handle agent action authorization and audit?
With StackOne, an agent connects once and acts as itself rather than through a shared admin key. Each end-user connection gets its own scoped account, read, write, and delete are granted separately, every call runs through a permission check in under a millisecond across 420+ systems, and every action is logged for later query.

Put your AI agents to work

All the tools you need to build and scale AI agent integrations, with best-in-class connectivity, execution, and security.