Model Context Protocol (MCP)

An open standard introduced by Anthropic in late 2024 that lets AI agents securely access tools and data across multiple sources. MCP servers wrap underlying APIs and present only the specific tools and operations an agent should be allowed to call.

Importance

Without MCP, every connection between an agent and a tool is a custom integration, and each AI client needs its own wrapper for each API. MCP standardizes that interface. A tool is wrapped once as an MCP server, and any MCP-compatible client (Claude, ChatGPT, Gemini, Cursor, VS Code, Microsoft Copilot) can call it. This standardization makes downstream patterns like gateways, tool registries, and centralized audit trails possible.

Designed for AI consumption

APIs were designed for humans and developers, with CRUD-based create/update/delete operations that don’t map to how a model would call a tool. MCP servers redesign that surface for agent use. Jiquan Ngiam, founder of MintMCP, gave the Notion example in the Coursera episode: the v1 MCP server was a one-to-one wrapper around the existing API; the v2 server was rebuilt from scratch with a different vocabulary designed for AI. In Salesforce, a useful MCP tool exposes a single business-level operation. It wraps multiple SOQL queries, validates the results, and returns a clean response to the model.

An underlying API key can read and write records, and there’s no clean way to tell it “you can read but you cannot delete.” An MCP server exposes only the operations you want (read, search, lookup), while the underlying credentials retain full access on the server side. The boundary is enforced at the abstraction layer. Credentials stay on the server.

How enterprises are deploying MCP at scale

At Coursera, MCP usage grew ad hoc before any central oversight. Mustafa Furniturewala, CTO, described the state that pushed him to adopt a gateway:

“MCP usage was going up. My worry was that this was happening in a very ad hoc way across the company. There were a lot of API tokens everywhere. If someone asked what MCP tools are available, there wasn’t a clear answer. I had my own experience of using some AI IDEs to add MCPs and there would be 50 of them and they would not connect.”

— Mustafa Furniturewala, CTO, Coursera

He also flagged that blocking MCP entirely backfires:

“When you block certain tools, you see people use patterns that are very unsafe. If you block MCP access, they’ll start copying data from one place to another, or creating some temporary data store, which is worse from a security perspective.”

— Mustafa Furniturewala, CTO, Coursera

At RBC, Vinh Tran’s platform team uses the same gateway pattern with metadata on every tool: each MCP call carries the tool’s risk profile, and material actions require a human-in-the-loop plan approval before the agent can proceed. Most enterprises run multiple AI clients at once (Claude for engineering, ChatGPT for research, Cursor for IDE work). Without a gateway, IT installs MCPs in five separate places. With a gateway, IT installs each MCP once and every AI client gets a single click into the same set, with single-pane visibility across all of them.

Coursera bundles MCP installations by role. A developer installs the developer package and gets the right MCPs configured. A product manager installs the productivity package. Mustafa reports that more than 25% of Claude usage at Coursera now comes from non-engineering co-work, enabled by giving business users the right MCP tools through the gateway.

MCP in commerce

In e-commerce, MCP is one of four mechanisms brands use to expose product catalogs to LLM platforms, alongside SEO/structured feeds, ACP, and UCP. Deepa Shekhar, Director of E-commerce Technologies at Logitech, sees today’s deployment as in-LLM apps (a Target MCP inside ChatGPT, for example), and expects the next phase to be agent-to-agent commerce: LLMs invoking brand-owned agents to retrieve real-time product and inventory information. (Covered in the Logitech episode.)

Supply-chain risk

MCP servers are software packages, which means they inherit the supply-chain risks of their package ecosystems. In March 2026, the popular Python package litellm was compromised on PyPI: versions 1.82.7 and 1.82.8 were live for about 40 minutes before quarantine and were downloaded over 119,000 times. Any developer with an MCP server that pulled litellm in could be attacked simply by opening Cursor. The malicious payload installed a .pth file that triggered on every Python interpreter startup. The mcp-slack package on PyPI is community-built and not official Slack code, though the naming suggests otherwise. A gateway gives IT a single place to vet which MCP servers are installed across the organization and to remove unofficial ones.

Updated June 9, 2026