# Adoption of MCP

## Initial adoption and usage of MCP

#### Reminder: what is MCP?

* MCP (Model Context Protocol) is an open standard, first released by Anthropic in November 2024, that defines how LLMs can securely connect with external data sources and tools using a JSON-RPC‑style "USB‑C for AI" interface.
* It includes client/server SDKs and reference implementations for platforms like Google Drive, GitHub, Slack, Postgres, Puppeteer, Stripe, and more.


#### Adoption & AI Platforms

* **Anthropic’s Claude**: Claude Desktop uses a local MCP server to securely access user data, files, and system tools.
* **OpenAI**: Incorporated MCP in March 2025 via the Agents SDK, the ChatGPT desktop app, and the Responses API, enabling connections to third-party MCP servers.
* **Google DeepMind**: Gemini models and related infrastructure prepared to support MCP starting April 2025.
* **Microsoft**:

  * Integrated MCP in Copilot Studio for enterprise data connectivity and governance.
  * Enabled MCP in Windows (AI Foundry) to let agent apps like Perplexity search local files and system tools via user-approved registry entries.
* **Replit**, **Sourcegraph**, **Zed**, **Codeium**, **Block** (formerly Square) and others have embedded MCP to feed project code, internal knowledge, or CRM info into AI agents.


#### Use Cases & Real‑World Applications

1. **Developer tooling**

   * IDEs and code tools such as Zed, Replit and Sourcegraph use MCP so AI assistants keep full project awareness and can help with “vibe coding”.
   * MIT-style telemetry frameworks (e.g., Opik) use MCP to inject runtime and version-control data into AI-assisted development.

2. **Enterprise assistants**

   * Block uses MCP in internal agents tied to requested documents, CRM systems, and knowledge bases.
   * Clinical research tools bridge LLMs with EHR data (FHIR) to support note summarization, decision support, and patient communication via MCP‑FHIR frameworks.

3. **Multi‑tool agent workflows**

   * MCP lets AI chain tasks: search docs, run messaging APIs, compute results—passing context between tools in complex sequences.
   * Manufacturing automation and industrial systems expose device capabilities via MCP so LLMs can monitor and execute multi-stage processes.

4. **Database query assistants**

   * Language-to‑SQL apps (e.g. AI2SQL) use MCP to translate natural language into SQL, run queries, and present structured results.

5. **Academic research**

   * Integrations with Zotero via open-source MCP‑Zotero servers allow AI to search, annotate PDFs, and draft literature reviews.

6. **Personal desktop automation**

   * Claude Desktop can summarize files, open documents, or run safe commands.
   * Perplexity on Windows uses MCP to search your document folders naturally, replacing manual file browsing.

7. **SaaS platforms**

   * Tools like FuseBase (formerly Nimbus Note) embed MCP to enable AI-driven client portals and collaboration environments.


#### Challenges & Security

* While MCP enables powerful integrations, security remains a top concern: prompt injection, token mismanagement, tool poisoning, and governance issues are being widely studied.
* Providers like Microsoft are enforcing registry-based consent prompts, governance feeds in Copilot Studio, and restrictive MCP registries to mitigate risks.


#### Summary: Who's Using MCP & Why

| **Users / Apps**                       | **Use Cases**                                     |
| -------------------------------------- | ------------------------------------------------- |
| **Claude Desktop**                     | File management, system tool access               |
| **OpenAI Agents & ChatGPT desktop**    | Tool integrations via third-party MCP servers     |
| **Gemini (DeepMind)**                  | Planned support for future model integrations     |
| **Microsoft Copilot Studio & Windows** | Enterprise data/workflows + system-level AI tasks |
| **Replit, Zed, Sourcegraph, Codeium**  | IDE-level context & intelligent code suggestions  |
| **Block (Square)**                     | Internal knowledge assistants                     |
| **Clinical/EHR frameworks**            | EHR summarization via MCP-FHIR                    |
| **Manufacturing systems**              | Industrial automation & device orchestration      |
| **Research tools (Zotero)**            | Literature review and document access             |
| **SaaS (FuseBase)**                    | AI collaboration portals                          |
| **AI2SQL and others**                  | Natural-language database querying                |


#### Why It's Gaining Traction

* MCP is fast becoming **the universal protocol** for AI agents to connect meaningfully to real-world tools and data—much like USB-C standardized hardware connectivity.
* It's supported by major AI platforms (Anthropic, OpenAI, DeepMind, Microsoft) and integrated by developer and enterprise tools.
* It enables **multi-tool orchestration**, **developer productivity**, and **data retrieval**, all while maintaining security safeguards.


#### Bottom line

MCP is now being used across AI apps for code assistance, enterprise bots, research, and desktop automation. Though still young, it’s quickly maturing through broad adoption and ecosystem growth, making LLMs not just smart, but actually *useful* in real workflows. Still at a very early stage, it is worth experimenting with and keeping on your radar.

## Warning: Important Security Concerns
The **Model Context Protocol (MCP)**, which governs how context and state are shared across AI models, brings several **security concerns**:

#### Context Leakage

* **Risk**: Sensitive data passed through the protocol (e.g., PII, trade secrets) could be unintentionally exposed to models or systems not authorized to see it.
* **Concern**: Inadequate access controls or encryption during context sharing.

#### Unauthorized Context Injection

* **Risk**: Attackers could inject malicious or misleading context into the protocol to manipulate model behavior (context poisoning).
* **Concern**: Lack of strong integrity checks or authentication for context inputs.

#### Model Over-Reliance on Context

* **Risk**: Models may rely too heavily on prior context, making them vulnerable to **context-based attacks** (like prompt injections or subtle manipulation of prior state).
* **Concern**: Insecure design without context validation mechanisms.

#### Inconsistent Context Boundaries

* **Risk**: Poorly defined boundaries between models or sessions could cause context bleeding across users, violating data privacy.
* **Concern**: Weak session isolation in multi-user environments.

#### Logging and Storage Risks

* **Risk**: Persistent storage or logging of contextual data could inadvertently capture sensitive information.
* **Concern**: Lack of encryption, retention policies, or data minimization.

#### Replay Attacks

* **Risk**: Captured context data could be resent to models to reproduce or trigger unintended outputs.
* **Concern**: No timestamping or session-bound encryption.

#### Inference Attacks

* **Risk**: Adversaries could craft queries to infer sensitive context that the model has access to.
* **Concern**: Models trained or configured without defenses against **membership inference** or **model inversion attacks**.

#### Ways to Mitigate These Security Concerns

* **Encryption (in transit & at rest)** of all context data.
* **Strict access controls** and **authentication** on context handling APIs.
* **Context integrity checks** using signatures or hashing.
* **Session isolation** and **context expiration** policies.
* **Auditing and monitoring** for anomalous context changes.
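An added example (not part of this page or of any MCP SDK) of the integrity, session-isolation, expiration and replay mitigations above, applied to a JSON-RPC-style context message: the sender seals the context in an HMAC-signed envelope bound to a session id, and the receiver rejects forged, cross-session, stale or replayed envelopes. The key, session ids, nonces and lifetime policy are constructed values.

```python
import hashlib
import hmac
import json

# Assumed context lifetime policy: anything older than this is discarded.
MAX_AGE_SECONDS = 300


def canonical(payload: dict) -> bytes:
    """Deterministic JSON so sender and receiver MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def seal_context(key: bytes, session_id: str, nonce: str, context: dict, now: float) -> dict:
    """Wrap a context object in an HMAC-SHA256 envelope bound to one session.

    The nonce and issue time are covered by the MAC, so they cannot be
    altered to make an old envelope look fresh.
    """
    envelope = {"session_id": session_id, "nonce": nonce, "issued_at": now, "context": context}
    envelope["mac"] = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class ContextVerifier:
    """Verifies envelopes for exactly one session and remembers nonces seen."""

    def __init__(self, key: bytes, session_id: str):
        self.key = key
        self.session_id = session_id
        self.seen_nonces = set()

    def verify(self, envelope: dict, now: float) -> tuple:
        """Return (accepted, reason). Signature is checked before anything else."""
        body = {k: v for k, v in envelope.items() if k != "mac"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope.get("mac", "")):
            return False, "bad signature"   # tampered or forged context
        if body["session_id"] != self.session_id:
            return False, "wrong session"   # context bleeding across sessions
        if now - body["issued_at"] > MAX_AGE_SECONDS:
            return False, "expired"         # context lifetime policy
        if body["nonce"] in self.seen_nonces:
            return False, "replay"          # same envelope resent to the model
        self.seen_nonces.add(body["nonce"])
        return True, "ok"
```

In a real deployment the key would come from a key-management service and the nonce set would be per session with a bounded lifetime, matching `MAX_AGE_SECONDS`.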

## Our advice
MCP is still at a very early stage. For advanced students, we recommend experimenting with it with caution. Pay attention to these **practical guidelines** to balance learning with security awareness:

#### Start with Non-Sensitive Data

* **Advice**: Only use **public or dummy data** when passing context via MCP.
* **Why**: Avoid accidental leakage of personal, confidential, or proprietary information while learning.

#### Understand Context Scope

* **Advice**: Learn and define the **scope of the context** you are passing (e.g., session-based, user-specific).
* **Why**: Prevent accidental context mixing between users or sessions in experiments.

#### Practice Basic Access Controls

* **Advice**: If building apps or APIs with MCP, **limit access** to trusted users only and **authenticate interactions**.
* **Why**: This reduces the risk of unauthorized context injection or tampering.

#### Sanitize Context Inputs

* **Advice**: Implement **input validation and sanitization** before feeding context into a model.
* **Why**: Helps defend against **prompt injection** and malicious payloads.

#### Monitor and Log Carefully

* **Advice**: Enable logging for debugging but ensure **logs do not store sensitive context**.
* **Why**: Beginners often overlook that logs can unintentionally become a liability.
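An added example (not from this page or any MCP SDK) of logging a JSON-RPC tool call without persisting sensitive context: key names and message structure are kept for debugging, while values under sensitive keys are dropped and email addresses are replaced by a short non-reversible fingerprint. The sensitive-key list and the sample message are constructed for illustration.

```python
import hashlib
import json
import re

# Assumed deny-list of keys whose values never reach a log; extend per deployment.
SENSITIVE_KEYS = {"authorization", "token", "api_key", "password", "patient_id"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def fingerprint(value: str) -> str:
    """Short SHA-256 tag so log entries can be correlated without storing the value."""
    return "sha256:" + hashlib.sha256(value.encode()).hexdigest()[:12]


def redact(obj):
    """Recursively strip sensitive values; structure and key names are preserved."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return EMAIL_RE.sub(lambda m: "[EMAIL " + fingerprint(m.group()) + "]", obj)
    return obj


def log_record(message: dict) -> str:
    """Render a JSON-RPC message as a single log line that is safe to persist."""
    return json.dumps(redact(message), sort_keys=True)
```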

#### Practice Session Isolation

* **Advice**: Design experiments where each test or user interaction has its **own isolated context**.
* **Why**: Prevents context leakage and simplifies debugging.

#### Learn Basic Encryption Concepts

* **Advice**: Explore the basics of **encryption for data in transit** (e.g., HTTPS, TLS) when sharing context between services.
* **Why**: It’s a foundational security skill for any data pipeline.

#### Reflect on Context Expiration

* **Advice**: Set **clear rules for context lifetime** (e.g., auto-expire after session ends).
* **Why**: Reduces long-term risks if context is mishandled.

#### Final Note

* **Advice**: Always ask: *"What if this data gets exposed? Would it harm anyone?"*
* **Why**: This mindset fosters responsible experimentation.