The Protocol Layer Grew Faster Than the Models Did
When Anthropic released the Model Context Protocol in November 2024, the initial reaction was cautious optimism: a well-designed standard, but would anyone adopt it? Eighteen months later, the answer is unambiguous. Q2 2026 closed with 9,400 published servers across the four major MCP registries, sustaining a +58% quarter-over-quarter growth rate for three consecutive quarters. The official MCP Registry API counted 9,652 latest server records as of late May 2026, and GitHub shows 15,926 repositories tagged mcp-server. Monthly SDK downloads crossed 97 million in March 2026 — up from roughly 100,000 at launch, a 4,750% increase in sixteen months.
For context: the React npm package took approximately three years to reach 100 million monthly downloads. MCP is on track to hit that milestone in under two years. The protocol layer is not just growing — it is growing faster than the models themselves have been adopted.
What the Growth Numbers Actually Mean
Raw download counts are easy to dismiss as a vanity metric. What makes these numbers structurally significant is where the growth is happening. Stacklok’s 2026 software report found that 41% of surveyed software organizations are now running MCP servers in limited or broad production. A May 2026 forecast projects 38–46% of Fortune 1000 companies will have at least one production MCP integration by end of Q3. Once that threshold passes 50%, a de facto standardization lock-in becomes almost certain.
That matters because protocol lock-in in enterprise software is extremely durable. Once IT organizations build tool chains, authentication flows, and observability pipelines around a protocol, they do not migrate without compelling reason. MCP is reaching that threshold now, in 2026, while alternatives are still maturing. The window for a serious competitor to MCP is closing.
The enterprise adoption also explains why every major AI platform moved to support MCP. OpenAI, Google, Microsoft, and Salesforce all shipped native MCP support within 13 months of the protocol’s launch — not because the spec is technically superior to every alternative, but because their enterprise customers were already building on it. Network effects in protocols work exactly this way: adoption creates adoption.
Linux Foundation Governance: What Actually Changed
In December 2025, Anthropic donated MCP to the newly formed Agentic AI Foundation (AAIF) under the Linux Foundation. The AAIF co-launched with Block and OpenAI as founding organizations, backed by AWS, Google, Microsoft, Cloudflare, Salesforce, and Snowflake as platinum members. The stated goal: ensure that agentic AI evolves through transparent, collaborative governance rather than single-vendor control.
In practice, what changes? Two things: the spec’s future direction is no longer solely Anthropic’s call, and the Foundation provides a legal and organizational home for resolving disputes, certifying compliance, and publishing security guidance. The first change is genuine. Before the AAIF, Anthropic could unilaterally alter MCP in ways that broke third-party implementations. Now, steering committee governance applies. The second change is aspirational — the AAIF’s security track record is too young to evaluate.
What hasn’t changed: the same companies that co-govern MCP are also its largest commercial users. AWS, Google, and Microsoft have strong incentives to influence the spec in directions that favor their own agent frameworks. Neutral stewardship under commercial dominance is a structural tension that the Linux Foundation has managed before (see Kubernetes), and generally handled well — but it is not the same as vendor-independent governance.
The Security Gap Is the Real Story
Alongside the growth numbers, Zuplo’s State of MCP report highlights the elephant in the room: security practices in MCP deployments are lagging significantly behind adoption. Most production MCP servers rely on basic API key authentication. Formal authorization models — role-based access, least-privilege tooling, audit logging — are the minority, not the norm.
This is the standard infrastructure maturity curve, playing out faster than usual. The analogy is REST APIs circa 2012: widespread adoption, inconsistent security, and a wave of breach disclosures that eventually forced the ecosystem to standardize on OAuth 2.0 and TLS everywhere. MCP will likely follow the same path. The difference is that agentic AI tools often have elevated permissions — write access to databases, code execution, file systems — which makes the cost of a compromised MCP server higher than a typical REST endpoint leak.
The AAIF has security working groups, and Cloudflare’s Durable Objects-based MCP server infrastructure (covered on this site in Build Persistent AI Agents with Cloudflare’s SDK) includes session isolation by design. But security hardening for the broader MCP ecosystem is a 2026–2027 problem, not a solved one.
Infrastructure Maturity Signals the Agentic Shift Is Real
The lesson from MCP’s growth is not about MCP specifically. It is about what the numbers reveal about the broader agentic AI transition. When a connectivity protocol designed for AI agents reaches enterprise-grade adoption in eighteen months, it suggests that the agentic use cases driving that demand are also real and in production — not pilot-phase experiments.
The 2026 pattern looks increasingly like 2014 for containers: the tooling (Docker, then Kubernetes) scaled first, and production workloads followed as organizations built confidence. MCP is playing the Docker role here — a standard container format for tool connections that makes the underlying complexity manageable. The 2027 story will likely be about the orchestration layer above MCP: how agents coordinate multiple tool calls, handle failures, and maintain state across sessions. That problem is still largely unsolved, which is why projects like the Cloudflare Agents SDK and Claude Code’s dynamic workflows (see Claude Code Dynamic Workflows) are drawing significant developer attention.
At 9,400 servers and growing, MCP has crossed the threshold from interesting protocol to required infrastructure. The next question is not whether it will dominate — it already does. It’s whether the governance and security layer will mature fast enough to keep the deployment wave from generating a wave of incidents.
Further Reading
- The State of MCP — Zuplo Survey Report — Detailed survey data on adoption rates, security practices, and production readiness patterns from teams actually running MCP in production.
- Anthropic: Donating MCP to the Agentic AI Foundation — The original announcement explaining the rationale behind Linux Foundation stewardship and what governance commitments it entails.
- MCP Adoption Statistics 2026 — Digital Applied — Comprehensive breakdown of registry counts, SDK downloads, and enterprise integration projections through Q3 2026.