Model Context Protocol (MCP) is one of the hottest terms in AI. It is a new standard pitched as the universal USB-C port for agents—just plug it in and suddenly AI can reach your apps, pull the data it needs, and take action. The promise is bold: To unleash a wave of enterprise agents that can finally run your business.
But the reality today is far thinner. In most cases, MCP isn’t operating in a core business process, it is running on a developer’s laptop in an apartment. It is executing isolated tasks by talking to a few apps, fetching some narrow slices of data, and triggering a tool or two. Even in those cases, the AI is often using its limited context to produce results that are cheerily, confidently wrong.
That’s a far cry from what it takes to work in real enterprise processes, like filing an insurance claim correctly in the claims management process, or onboarding an employee without skipping steps in the Hire-to-Retire process. These enterprise processes are complex, crossing countless applications, APIs, databases, and people.
Why Enterprises Care About More Than APIs
Transformation happens in business processes, not in isolated tasks. A task is simple, like summarizing an invoice. A process is the full Order-to-Cash cycle: generating a quote, verifying inventory, getting approvals, sending invoices, collecting payment, updating the ledger. Even the most successful AI companies in the world, like OpenAI, don’t run their employee onboarding process—verifying employment eligibility, enrolling in the corporate identity system, setting up payroll, assigning a mentor, and sending out commuter benefits—in ChatGPT.
Enterprises are obsessed with reliability in these processes for good reason. If cash doesn’t flow, the business stalls. If payroll is wrong, employees lose trust. If compliance is broken, regulators step in. Every company has a “pay invoice” API, but they can never use it raw! There’s a whole review, reconcile, and approval flow that has to happen every time. This is why enterprise systems—ERPs, CRMs, HCMs—are built with layers of safeguards: identity management, role-based access, transactionality, audit trails, retries, exception handling. These are not “nice to haves.” They are the foundations of trust, and sadly most uses of MCP are skipping them entirely.
The Enterprise Bar for Most MCP Use Cases
MCP may be pitched as the protocol to unshackle AI, but to unshackle it in the enterprise, use cases will need the depth and durability that comes in these dimensions:
1. Process rigor: MCP connects API calls, not processes. It doesn’t know if a quote has to be approved before an order can ship. It doesn’t understand dependencies, handoffs, or exceptions. Without this, it can’t deliver outcomes that matter to the business.
2. Rich tools vs. API wrappers: As Anthropic recently noted, not all tools are created equal, and purpose-built tools are the right path.
3. Identity and access: MCP has no concept of user identity, roles, or entitlements. Enterprises need to know that the person—or agent—taking an action is authorized to do so. A sales rep should not have the same rights as a finance controller. Without identity, access collapses into a single backdoor.
4. Governance and explainability: A CIO recently told me their company had a great prototype of ChatGPT running a state-mandated insurance dispute resolution process—but it turned out it would often hallucinate and just skip steps. When something goes wrong, enterprises need to know who did what, when, and why. MCP alone provides no audit trail, no explainability, and no mechanism to satisfy compliance. In regulated industries, that’s an immediate showstopper.
5. Security: Many MCP pilots propose running open-source server code downloaded from the internet and granting it API credentials into core systems like Salesforce or SAP. That’s a huge red flag. Enterprises spend millions to prevent exactly this type of untrusted code execution.
6. Resilience: Real systems fail. APIs time out, networks drop, data conflicts arise. Enterprise systems are designed with retries, error handling, compensation steps, and reconciliation. MCP has no such safeguards. One missed step can create duplicate invoices, missed payments, or broken compliance.
7. Deployment reality: MCP servers are marketed as simple adapters, but in practice, they get deployed as either insecure desktop shims or fragile API clusters. They lack multi-tenant and multi-user capabilities. Companies either spin up a separate MCP server for each user—causing credential chaos—or they use a shared service account, which blows a hole in security best practices.
Taken together, these gaps make raw MCP too shallow and too fragile to carry the weight of enterprise processes: A recipe for “AI Strategy Heartburn” that will lead to canceled pilots and wasted budget.
The Bubble Risk
This isn’t just a technical critique—it’s a business one. Enterprises already spent more than $250 billion on AI by the end of 2024. The narrative has been one of breakthrough innovation. But beneath the surface is growing unease about an “AI bubble.” The reason: a notable lack of business results. As the New York Times recently put it, “Billions are pouring into AI. It has yet to pay off.” Companies can spin up pilots in every department, but those experiments rarely move the metrics that matter: DSO in finance, CSAT in support, growth rate in sales.
Agents with MCP were supposed to bridge that gap. By giving agents access to enterprise systems, the story went, the pilots could finally scale into production. But unless we use MCP in ways that work for complex processes and real-world IT environments, it risks becoming another layer of hype—fueling the bubble rather than solving it.
The Reality of Deployment
Talk to developers experimenting with MCP and you’ll hear a common story. It’s easy to get started. You can download an MCP server, run it locally, and connect it to an app like HubSpot. Your agent can now fetch a contact record or create a ticket. That’s fun, and it makes for a good demo.
But then comes the hard part: moving from a demo to enterprise deployment. Suddenly you need to manage user credentials, entitlements, logging, error handling, scaling, monitoring. You realize you’ve reinvented an API gateway—but without any of the maturity or enterprise features of the gateways that have been hardened for 20 years.
The result is credential chaos, security gaps, and fragile deployments. Enterprises quickly discover that the distance between a successful pilot and a production-ready system is not a step—it’s a chasm.
Lessons from History
We’ve been here before. Standards like EDI, SOAP, and even early Windows promised universality and future-proofing, but shipped incomplete. They took years—sometimes decades—to reach enterprise-grade stability. MCP is following that same arc. Today, it looks more like the Windows XP of AI: an amazing product with tons of use, but riddled with vulnerabilities and missing critical features.
That doesn’t mean MCP should be dismissed. Far from it. It’s a necessary step forward. The challenge is recognizing its limits now, and not over-promising transformation it cannot yet deliver.
The Road Ahead
The future of enterprise agents requires more than a protocol. It requires an enterprise approach that blends orchestration, governance, and enterprise-grade skills that can act predictably and securely in mission-critical systems. It requires context that spans not just one API call, but the full process, with all of its steps, exceptions, and signals.
MCP will play a big role in that future. We just have to use it right. As these key enterprise requirements are built around MCP, the cases of AI strategy heartburn will fade, and we’ll see real transformations take place.
Enterprises don’t need demos. They need systems that can safely and reliably move the KPIs that matter most. That is the bar AI must clear, and MCP isn’t there yet.
Adam Seligman is the CTO and GM of the AI Lab at Workato, helping customers and developers bring agents to life in the enterprise.