The agentic AI conversation has changed. Here’s what I saw at the MCP Dev Summit.

146 organizations, 95 sessions, and a clear signal that agentic AI infrastructure is being defined in the open.

I spent April 2–3 in New York City at the Agentic AI Foundation’s (AAIF) MCP Dev Summit, that included a foundation dinner that brought together leaders from AWS, Microsoft, Cloudflare, Red Hat, and dozens more. The energy was unmistakable: more than 95 sessions, 146 member organizations, and a governing board chaired by David Nalley of AWS. This community is no longer a vendor-led island. It’s an active, fast-moving, and open ecosystem.

But what struck me most wasn’t the scale of the gathering. It was the nature of the conversation. The industry has moved past asking who has GPUs. The question now is: who can run fleets of autonomous agents securely, reliably, and at scale?

The real problem is orchestration, not compute

Throughout the summit, one theme dominated: the shift from single-model execution to multi-agent, multi-system architectures. Speakers from Anthropic, Microsoft, Datadog, and Hugging Face described a world where agents operate like distributed microservices, calling tools, delegating tasks to other agents, and coordinating workflows in real time. Companies like Workato are already building agent orchestration frameworks to address this, and the protocol stack is crystallizing around MCP for agent-to-tool connections and Google’s A2A for peer-to-peer agent communication.

But the control planes, workflow engines, and coordination standards that will make this production-grade? They remain largely undefined. Traditional cloud-native infrastructure like Kubernetes is being adapted for AI-specific workloads and hardware, but this is fundamentally a new distributed computing model. A phrase kept coming up: the “Internet of Agents.” 

That framing captures the scale of what’s being built.

Read more: How to secure agentic AI with Agent Identity Protocol (AIP)

Security was the dominant conversation

Security and governance occupied more airtime than any other topic at the summit. The panelists acknowledged that the cybersecurity community, particularly at RSAC the prior week, has been scrutinizing MCP’s security posture. One panelist framed this constructively, noting that what she called the most underappreciated risk is the unintentional mixing of data sources: an MCP server pulling from multiple databases, combining results, and writing data back in ways that violate data boundaries. There is, she said, a significant burden on developers to catch this at design time.

Discussion also addressed the “lethal trifecta”, a framework from the security research community describing the structural risk when an agent simultaneously accesses private data, processes untrusted content, and can communicate externally. Each step may be individually authorized; the sequence still constitutes a breach. The consensus was clear: MCP alone won’t solve all security challenges. The ecosystem needs agent gateways, policy engines, registries, and IT administrator controls layered around it.

On authentication and identity, it was noted that MCP’s authorization layer is built on OAuth 2.1 rather than inventing a proprietary scheme. An Anthropic maintainer explained that the MCP extensions mechanism, introduced late last year, provides a lower-risk space for exploring approaches like verifiable credentials and delegated authentication before promoting them to the core protocol. This deliberate philosophy, where only durable patterns enter the core, was a recurring design principle throughout the event.

Governance is the biggest gap

I spoke with David Nalley about where the AAIF most needs help. His answer was unambiguous: governance (the working group is actively looking for new contributors). Despite the foundation’s rapid growth, including new executive director Mazin Gilbert and a growing roster of working groups in governance, security, and commerce, the majority of agentic AI use cases remain proofs of concept. Standards for how agents interact, delegate authority, and maintain trust across organizational boundaries do not yet exist. That gap represents both high risk and high opportunity.

The Agentic Commerce working group caught my attention in particular. It’s focused on defining acceptable-use standards for agent-driven transactions, a topic with direct implications for retail and e-commerce customers navigating this new landscape.

MCP: Alive, early, and worth watching

The summit also addressed the “MCP is dead” discourse head-on, from the keynote stage. The take was nuanced: CLIs, APIs, SDKs, and MCP serve different scenarios. Local development agents with full sandbox environments may work fine with CLIs; agents running on websites or in constrained compute environments still benefit from MCP. One panelist drew a useful parallel to how cloud providers ship APIs, SDKs, and CLIs for their platforms because different developer contexts demand different interfaces.

A pointed exchange on MCP server quality stood out. The protocol’s creator emphasized that wrapping an existing API with hundreds of endpoints and calling it an MCP server is explicitly something you should not do. MCP’s original contribution was forcing developers to think about designing interfaces for model consumption, a fundamentally different audience than human developers. Best practices exist but haven’t been communicated well enough. That admission of early-stage maturity was refreshing.

Read more: Deep dive into the Model Context Protocol

MCP = More code in process

The AAIF described MCP as a “seed” rather than the foundation’s entire scope. They’re open to new protocols and projects, drawing an analogy to CNCF’s early days. That framing is important. We are watching the infrastructure layer of agentic AI being defined in real time, and the patterns established now will shape how these systems run for years.

For those of us who work on distributed systems, edge computing, and security infrastructure, the takeaway is clear. The conversation has shifted from who has GPUs to who can run agentic systems at the edge, with governance, observability, and trust built in from the start. The organizations that engage early in shaping these standards will be best positioned as the ecosystem matures.

I’ll be tracking the AAIF’s working groups closely, and I’d encourage anyone building or deploying AI-driven systems to do the same. The next major events, AGNTCon + MCPCon Europe in Amsterdam (September) and North America in San Jose (October), will be worth watching.

More from We Love Open Source

• OpenClaw: Anatomy of a viral open source AI agent
• How to secure agentic AI with Agent Identity Protocol (AIP)
• Getting started with OpenClaw: Complex tasks from a simple chat
• The AI slop problem threatening open source maintainers
• Stop opening firewall ports and start using identity