I recently built a Model Context Protocol (MCP) integration for my Oura Ring. Not because I needed MCP, but because I wanted to test the hype: Could an AI agent make sense of my sleep and recovery data?
It worked. But halfway through I realized something. I could have just used the Oura REST API directly with a simple wrapper. What I ended up building was basically the same thing, just with extra ceremony.
As someone who has architected enterprise AI systems, I understand the appeal. Reliability isn’t optional, and protocols like MCP promise standardization. To be clear, MCP wasn’t designed to fix hallucinations or context drift. It’s a coordination protocol. But the experiment left me wondering: Are we solving the real problems or just adding layers?
The Wrapper Pattern That Won’t Go Away
MCP joins a long list of frameworks like LangChain, LangGraph, SmolAgents, and LlamaIndex, each offering a slightly different spin on coordination. But at heart, they’re all wrappers around the same issue, getting LLMs to use tools consistently.
Take CrewAI. On paper, it looked elegant with agents organized into “crews,” each with roles and tools. The demos showed frictionless orchestration. In practice? The agents ignored instructions, produced invalid JSON even after careful prompting, and burned days in debugging loops. When I dropped down to a lower-level tool like LangGraph, the problems vanished. CrewAI’s middleware hadn’t added resilience, it had hidden the bugs.
This isn’t an isolated frustration. Billions of dollars are flowing into frameworks while fundamentals like building reliable agentic systems remain unsettled. MCP risks following the same path. Standardizing communication may sound mature, but without solving hallucinations and context loss, it’s just more scaffolding on shaky foundations.
What We’re Not Solving
The industry has been busy launching integration frameworks, yet the harder challenges remain stubbornly in place:
- Hallucinations and context loss – Models still produce unreliable outputs and lose track of key information. A protocol can’t fix that.
- Tool selection errors – More tools mean more decisions. MCP makes it easier to connect them, but agents still reach for the wrong one. The integration problem multiplies.
- Security in probabilistic systems – Security rules are deterministic, while model reasoning isn’t. Simon Willison showed how even a trivial prompt injection can trick an LLM into leaking sensitive data. That vulnerability isn’t a bug in MCP, it’s a feature of the whole paradigm.
As CData notes, these aren’t just implementation gaps. They’re fundamental challenges.
What the Experiments Actually Reveal
Working with MCP brought a sharper lesson. The difficulty isn’t about APIs or data formats. It’s about reliability and security.
When I connected my Oura data, I was effectively giving an AI agent access to intimate health information. MCP’s “standardization” amounted to JSON-RPC endpoints. That doesn’t address the deeper issue: How do you enforce “don’t share my health data” in a system that reasons probabilistically?
To be fair, there’s progress. Auth0 has rolled out authentication updates, and Anthropic has improved Claude’s function-calling reliability. But these are incremental fixes. They don’t resolve the architectural gap that protocols alone can’t bridge.
The Evidence Is Piling Up
The risks aren’t theoretical anymore. Security researchers keep uncovering cracks:
- Simon Willison – Prompt injection leading to WhatsApp message exfiltration.
- CyberArk – 13 vulnerabilities in MCP, from chaining exploits to admin bypasses.
- Dark Reading – Hundreds of MCP servers exposed to remote code execution.
- Asana – An MCP feature taken offline for two weeks after cross-organization data leaks.
Meanwhile, fragmentation accelerates. Merge.dev lists half a dozen MCP alternatives. Zilliz documents the “Great AI Agent Protocol Race.” Every new protocol claims to patch what the last one missed.
Why This Goes Deeper Than Protocol Wars
The adoption curve is steep. Academic analysis shows MCP servers grew from around 1,000 early this year to over 14,000 by mid-2025. With $50B+ in AI funding at stake, we’re not just tinkering with middleware; we’re building infrastructure on unsettled ground.
Protocols like MCP can be valuable scaffolding. Enterprises with many tools and models do need coordination layers. But the real breakthroughs come from facing harder questions head-on:
- Identity management – Who really made this request: the user, the agent, or a shared system account?
- Reliable tool selection – How do agents choose the right tool in a growing sea of options?
- Security boundaries – How do you make “don’t share this data” a hard stop in a probabilistic reasoning system?
These problems exist no matter the protocol. And until they’re addressed, standardization risks becoming a distraction.
The question isn’t whether MCP is useful; it’s whether the focus on protocol standardization is proportional to the underlying challenges.
So Where Does That Leave Us?
There’s nothing wrong with building integration frameworks. They smooth edges and create shared patterns. But we should be honest about what they don’t solve.
For many use cases, native function calling or simple REST wrappers get the job done with less overhead. MCP helps in larger enterprise contexts. Yet the core challenges, reliability and security, remain active research problems.
That’s where the true opportunity lies. Not in racing to the next protocol, but in tackling the questions that sit at the heart of agentic systems.
Protocols are scaffolding. They’re not the main event.
The pace of AI change can feel relentless with tools, processes, and practices evolving almost weekly. We help organizations navigate this landscape with clarity, balancing experimentation with governance, and turning AI’s potential into practical, measurable outcomes. If you’re looking to explore how AI can work inside your organization—not just in theory, but in practice—we’d love to be a partner in that journey. Request a strategy session.
