The Model Context Protocol ecosystem has matured rapidly, with enterprise adoption driving architectural patterns around gateways, security hardening, and production-ready observability for agentic systems.
The MCP Dev Summit North America 2026, held April 2-3 at the New York Marriott Marquis, drew roughly 1,200 attendees to what has become the flagship event of the Model Context Protocol ecosystem. Organized under the Linux Foundation's Agentic AI Foundation, the two-day conference made clear that the protocol has moved well beyond its experimental origins. With more than 97 million SDK downloads per month as of early 2026, a figure that React took roughly three years to reach and that MCP reached in about sixteen months, the event's central message was that 2026 is the year MCP must prove it is ready for production agentic systems at enterprise scale.
David Soria Parra, co-creator of MCP and member of technical staff at Anthropic, delivered a keynote titled "MCP: The Integration Protocol" and laid out the protocol's trajectory. He traced MCP's evolution from local stdio-only servers to the current landscape of remote servers, authorization, elicitations, structured outputs, and the experimental tasks primitive for long-running agentic communication. The most significant technical thread was the new transport work, anchored by SEP-1442 and led inside the Transport Working Group by Google Cloud's Kurtis Van Gent and Shaun Smith, that will move MCP from stateful sessions toward stateless, independent requests. The goal is to enable hyperscaler-scale deployments where servers can scale horizontally without sticky sessions or distributed state stores, with the next specification release tentatively slated for June 2026.
Perhaps the strongest signal of enterprise commitment came from Amazon. James Hood, a principal software engineer who has described himself as a former AI skeptic, explained how MCP has become a core building block for connecting agents to internal systems at the company. Amazon built internal MCP discovery infrastructure and has been formalizing the bundling of MCP tools, agent skills, context files, and Standard Operating Procedures into composable, shareable agent configurations, work reflected in his open-source agent-sop project. Hood and other Amazon engineers have leaned on Simon Willison's "lethal trifecta" framework, which categorizes risk by the combination of access to private data, exposure to untrusted content, and the ability to communicate externally. Hood has publicly described going from concept to a pull request in two days and to a production launch within a week as the moment that converted him.
Uber's agentic platform team, represented by Meghana Somasundara and Rush Tehrani in a keynote titled "Operating MCPs at Enterprise Scale: Uber's Journey," described internal MCP usage at a scale that puts the protocol firmly in production. Uber CTO Praveen Neppalli Naga has publicly stated that 95 percent of Uber engineers use AI tools every month and that roughly 1,800 code changes per week are now written entirely by Uber's internal background coding agent, called Minion, which supports Claude Code, Codex, Copilot, and other harnesses. The company built an MCP Gateway and Registry as its control plane, automatically exposing thousands of internal Thrift, Protobuf, and HTTP endpoints to agents through MCP, with all agentic traffic flowing through the GenAI Gateway, a Go-based proxy that performs PII redaction and scrubs internal identifiers before requests reach external models. Tens of thousands of agent executions now run through the platform each week.
The gateway pattern emerged as the dominant architectural consensus across the conference. Multiple enterprise speakers and sponsors, including Amazon Web Services, Uber, Docker, Kong, and Solo.io, converged on the same conclusion that organizations deploying MCP at scale need a centralized gateway paired with a registry as the control plane for all agent interactions. Alex Salazar, co-founder and CEO of Arcade.dev, made the case for the pattern by drawing a sharp line between the reasoning layer where LLMs operate and the action layer where governance, authorization, and mutation control must live. Arcade's own MCP Gateway product, documented at docs.arcade.dev, exposes curated tool collections through a single URL with cross-client compatibility for Cursor, Claude Desktop, VS Code, and ChatGPT. Adam Seligman, CTO of Workato, delivered a keynote titled "Enterprise MCP: The Data Plane for Autonomous Agents," which extended the data and control plane framing to enterprise integration patterns. Workato has written extensively about the discipline required to make MCP work for enterprise tool calling, including the use of idempotency keys to recover safely from partial failures when probabilistic callers retry, designing composable skills that express intent rather than implementation details, and enforcing least privilege access through the gateway rather than at the application boundary. The recurring point was that mutations and writes need to live in deterministic infrastructure, not in the LLM's reasoning layer.
Context bloat, the problem of MCP tool definitions consuming too much of the model's context window, was reframed across multiple talks as a client-side problem rather than a protocol deficiency. Claude Code now uses progressive tool discovery and an MCP tool search capability, automatically deferring tools when their descriptions would otherwise consume more than 10 percent of the context window. Anthropic has published benchmarks showing roughly 85 percent reductions in token usage, while other community work, including Speakeasy's dynamic toolsets and Matthew Kruczek's progressive disclosure benchmarks, has reported even larger savings, in some cases approaching 100x or more on tool-heavy MCP servers.
MCP Apps, the first official MCP extension enabling servers to provide interactive UI to clients, was one of the most prominently featured technical advancements of the summit. Officially released on January 26, 2026, the spec lets tools declare a UI resource pointing to HTML, JavaScript, and CSS that is rendered in a sandboxed iframe, with bidirectional JSON-RPC over postMessage for interaction. Within months of launch, MCP Apps had been adopted by Claude, ChatGPT, VS Code with GitHub Copilot, Goose, Postman, and MCPJam. The creators frame the vision as inverting the traditional app model, with the assistant composing small UI components from many services into a single conversation while preserving each service's branding and identity.
Security dominated the conversation across both days. Independent security researcher Jonathan Leitschuh delivered a talk titled "MCPwned: Hacking MCP Servers With One Skeleton Key Vulnerability," demonstrating DNS rebinding attacks against locally running MCP servers. The root cause is that DNS rebinding protection was not enabled by default in the MCP TypeScript SDK for HTTP-based servers, an issue tracked as CVE-2025-66414 and patched in version 1.24.0. The same root cause cascaded into downstream MCP servers, and a confirmed advisory exists for Docker's MCP Gateway, tracked as GHSA-46gc-mwh4-cc5r and patched in v0.28.0. Several other MCP servers, including those from Google, Apollo, and AWS Labs, have introduced explicit Host header validation and allow-list flags in response to similar concerns.
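The mitigation named above, Host header validation against an allow-list, is shown here as an added example for a loopback-only HTTP server; it is not code from the MCP TypeScript SDK or from any project mentioned in this article. The port, the allow-list contents, the 403 response and the function names are assumptions.

```javascript
// Added example. ALLOWED_HOSTS, ALLOWED_ORIGINS, checkRequest, guard and port 3000 are assumptions.
const ALLOWED_HOSTS = new Set(["127.0.0.1:3000", "localhost:3000", "[::1]:3000"]);
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:3000", "http://localhost:3000"]);

// Decide whether a request's headers are acceptable for a loopback-only server.
// `headers` uses lower-case keys, as Node's http module provides them.
function checkRequest(headers) {
  const host = typeof headers.host === "string" ? headers.host.trim().toLowerCase() : "";
  // A rebound hostname resolves to 127.0.0.1, but the browser still sends that
  // hostname in Host, so an exact allow-list match rejects it.
  if (!ALLOWED_HOSTS.has(host)) {
    return { ok: false, status: 403, reason: "host not allowed" };
  }
  // Browsers attach Origin to cross-origin requests; non-browser clients usually omit it.
  const origin = headers.origin;
  if (origin !== undefined && !ALLOWED_ORIGINS.has(String(origin).toLowerCase())) {
    return { ok: false, status: 403, reason: "origin not allowed" };
  }
  return { ok: true, status: 200, reason: "" };
}

// Wrap a Node-style (req, res) handler so the check runs before any MCP logic.
function guard(handler) {
  return (req, res) => {
    const verdict = checkRequest(req.headers);
    if (!verdict.ok) {
      res.statusCode = verdict.status;
      res.end(verdict.reason);
      return;
    }
    handler(req, res);
  };
}

// Constructed sample request headers (not captured traffic).
const SAMPLES = [
  { host: "127.0.0.1:3000" },
  { host: "LOCALHOST:3000", origin: "http://localhost:3000" },
  { host: "rebind.example.test:3000", origin: "http://rebind.example.test:3000" },
  { host: "localhost:3000", origin: "https://other.example.test" },
  {}, // no Host header at all
];

function runSamples() {
  return SAMPLES.map((headers) => checkRequest(headers).ok);
}
```

Passing `guard(yourHandler)` to `http.createServer` applies the check to every request; binding the listener to a loopback address remains a separate control.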
Ania Musial, Head of AI Platforms in Bloomberg's Office of the CTO, delivered a keynote titled "Interoperability Isn't Enough: Building Trustworthy AI Infrastructure with MCP," focused on what it takes to ship agentic AI on the Bloomberg Terminal. In a related session, Bloomberg engineers Kurt Degiorgio and Cannis Chan presented on interceptors, captured in SEP-1763, which would add validators and mutators at MCP protocol extension points, functioning much like Kubernetes admission webhooks and enabling organizations to inspect, block, transform, redact, or enrich payloads flowing through the protocol. Musial's broader argument was that for high-stakes regulated environments, trustworthiness has to be designed in from the ground up, not bolted on after the fact.
The foundation itself announced significant organizational milestones. Jim Zemlin, executive director of the Linux Foundation, has highlighted the rapid growth of the Agentic AI Foundation, formed in December 2025, which has already added well over a hundred members across Platinum, Gold, and Silver tiers and is anchored by major contributions including MCP, Block's goose, and OpenAI's AGENTS.md. Mazin Gilbert, who holds an MBA from Wharton and a PhD with a thesis on neural networks for articulatory speech synthesis, was announced as the foundation's executive director. The summit series is also expanding globally to Bengaluru, Mumbai, Seoul, Shanghai, Tokyo, Toronto, and Nairobi, with larger AGNTCon and MCPCon events planned for Amsterdam in September and San Jose in October.
Diamond Bishop, director of engineering and applied AI at Datadog, delivered a keynote titled "The First 100 Agents: Scaling With MCP From Prototype To Platform," which amounted to a field guide for organizations moving from prototype agents to production. Bishop, who leads Datadog's Bits AI group, has consistently emphasized making interfaces agent-friendly, designing for agents as users rather than as an afterthought, and investing heavily in eval and feedback loops alongside observability and security. He has argued that as models get cheaper and more capable, intelligence stops being the bottleneck, and the real constraints become things like code review, distribution, and production readiness, with proactive, background, event-driven agents running in containers rather than on local laptops as the next horizon.
Aaron Wang, a software engineer on Duolingo's DevXAI team, presented a practical case study of building an AI Slackbot that exposes more than 180 MCP tools to internal users, performing tasks like answering help desk questions, doing root cause analysis on PagerDuty alerts, and requiring human approval for write operations. Duolingo open-sourced a related component, an OAuth-based multi-user Slack MCP server with HTTP transport, under Apache 2.0. Ola Hungerford and Sandeep Bhat from Nordstrom followed with a keynote titled "One-To-Many: Enabling MCP, Agents, and Intelligent Systems at Nordstrom," focused on how disciplined platform engineering, registries, internal SDKs, and feedback loops are what make MCP sustainable in production rather than the protocol itself.
The two-day event also surfaced several emerging themes that are likely to shape the next phase of the protocol's evolution. The tasks primitive, captured in SEP-1686 and shipped as experimental in the November 25, 2025 spec revision, lets servers return a durable handle immediately while real work continues in the background, with retry semantics and result expiration policies among the lifecycle gaps the community is working to close. Triggers, essentially webhooks for MCP that would let servers proactively notify clients of new data, are being driven by a community Triggers and Events Working Group with a published charter. Separately, the Linux Foundation also launched the x402 Foundation on April 2, 2026, with founding members including Amazon Web Services, Stripe, Mastercard, Cloudflare, Google, and Visa, formalizing an HTTP 402-based protocol for agent micropayments using stablecoin transactions that settle in roughly two seconds.
Developers interested in learning more can watch the full livestream recordings for Day 1 and Day 2 on YouTube, browse the full event schedule, or visit the Model Context Protocol specification site for the latest roadmap details.
