
MCP in One Paragraph

Model Context Protocol is an open standard for LLMs to discover and call tools. Instead of bespoke integrations per agent, MCP servers expose capabilities; any MCP-compatible client (Claude Desktop, Cursor, Agentforce Vibes, Copilot Studio agents) can use them. Think USB for AI tools.

The specification, published by Anthropic in November 2024 and now maintained by an open working group, defines a JSON-RPC protocol over stdio or HTTP. A server advertises capabilities (tools, resources, prompts) and the client invokes them through a standardized contract. Authentication landed in the March 2026 spec via OAuth 2.0 Resource Server semantics, closing the early security gap. Major model providers ship native MCP support: Claude (all surfaces), GPT-5 via the OpenAI Agents SDK, Gemini via the GenAI SDK, plus IDE clients including Cursor, Cline, and VS Code.

CRM Vendor Support

Salesforce has hosted MCP servers (Pilot) plus three developer MCP servers. MuleSoft Anypoint converts APIs to MCP servers. HubSpot, Zoho, and ServiceNow are each on different timelines. Check per-vendor status before committing to an architecture.

State as of Q2 2026. Salesforce: hosted MCP servers in Pilot for Sales, Service, and Data Cloud; three developer servers (Apex, LWC, SOQL) GA. MuleSoft: Anypoint MCP Generator converts any RAML or OpenAPI spec into an MCP server. Microsoft: Copilot Studio agents consume MCP servers, with first-party servers for Dataverse and SharePoint in preview. HubSpot: community-maintained MCP server, official roadmap commitment for 2026. ServiceNow: Now Assist Skills with MCP-compatible interface in early access. Zoho: third-party only.

Where It Fits

MCP replaces spokes and custom connectors when you need AI agents to call your systems. It does not replace production integrations (integration platforms still win on reliability, monitoring, and transformation). MCP is for agent-tool plumbing.

Use MCP for: agent-to-system tool calls (read account, create case, query knowledge base). Don’t use MCP for: high-throughput batch syncs (still iPaaS or ETL territory), cross-system orchestration with complex transformations (MuleSoft, Workato, Boomi remain the right tools), event-driven pipelines (Pub/Sub, Kafka, EventBridge). The integration estate ends up layered: iPaaS for system-to-system, MCP for agent-to-system, with shared API specs as the single source of truth.

Governance

MCP’s access surface is powerful, and dangerous. An agent connected to an MCP server can do whatever the server exposes. Central registries, rate limits, and policy enforcement are not optional; they’re how you avoid data exfiltration.

Required controls. Central MCP server registry with security review per server. Per-tool authorization based on calling user or agent identity, not the service account behind the server. Rate limits and per-tool spend ceilings. Logging of every tool invocation with full request and response, retained 90+ days. Prompt-injection filtering on inputs. Allowlist of which agents can call which servers. Anthropic’s “MCP Gateway” pattern (a policy proxy in front of MCP servers) is becoming the reference architecture — implement it before exposing servers to production agents.

Common Failure Modes

Five recurring patterns. Exposing a write tool that lets an injected prompt drain data (“export all contacts to…”). Service-account auth that runs every agent action as a god user. Skipping the OAuth resource-server flow because “we’ll add it later.” Letting agent developers spin up MCP servers outside the registry. Tools without schema constraints, accepting any string and passing it to the underlying API.
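
As an added example (not code from the MCP specification or any vendor), the following Python shows the per-call decision a policy proxy in front of MCP servers could make for a JSON-RPC tools/call request, covering the Governance controls and the schema and service-account failure modes above. The policy table, the server, agent, tool and role names, and the authorize function are assumptions made for illustration.

```python
import re
import time
from collections import defaultdict, deque

# Constructed policy: every server, agent, tool and role name here is hypothetical.
ID = r"[A-Za-z0-9]{15,18}"
POLICY = {"crm-server": {
    "agents": {"support-agent"},  # allowlist of agents that may call this server
    "tools": {
        "read_account": {"roles": {"support", "sales"}, "rpm": 3, "args": {"account_id": ID}},
        "create_case": {"roles": {"support"}, "rpm": 2,
                        "args": {"account_id": ID, "subject": r"[\w .,:-]{1,120}"}},
    }}}
AUDIT_LOG = []               # stand-in for a retained audit store
_calls = defaultdict(deque)  # (user, tool) -> timestamps of recently allowed calls

def _decide(server, agent, user, roles, request, now):
    entry = POLICY.get(server)
    if entry is None:
        return "deny: server not in registry"
    if agent not in entry["agents"]:
        return "deny: agent not allowlisted for server"
    if request.get("method") != "tools/call":
        return "deny: method not permitted"
    params = request.get("params") or {}
    name, args = params.get("name"), params.get("arguments")
    tool = entry["tools"].get(name) if isinstance(name, str) else None
    if tool is None:
        return "deny: tool not exposed"
    if not roles & tool["roles"]:  # roles of the calling user, not a service account
        return "deny: caller lacks role for tool"
    if not isinstance(args, dict) or set(args) != set(tool["args"]) or not all(
            isinstance(args[k], str) and re.fullmatch(p, args[k])
            for k, p in tool["args"].items()):
        return "deny: arguments violate schema"
    window = _calls[(user, name)]
    while window and now - window[0] >= 60:  # forget calls older than 60 seconds
        window.popleft()
    if len(window) >= tool["rpm"]:
        return "deny: rate limit exceeded"
    window.append(now)
    return "allow"

def authorize(server, agent, user, roles, request, now=None):
    """Decide on one JSON-RPC tools/call request and record the decision."""
    now = time.time() if now is None else now
    decision = _decide(server, agent, user, set(roles), request, now)
    AUDIT_LOG.append({"ts": now, "server": server, "agent": agent, "user": user,
                      "request": request, "decision": decision})
    return decision
```

The user and roles arguments are expected to come from an access token the proxy has already validated; token validation and response logging are outside this example.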

What to Do This Week

Stand up an MCP server registry — even a spreadsheet — listing every server in use, its owner, the data it touches, and its current auth model.
