MCP Has Become AI's USB-C. 200,000 Servers Were Compromised in April.

MCP exploded overnight — and nobody grasped the consequences until it was too late.

When Anthropic released Model Context Protocol as an open standard in November 2024, it looked like a technical curiosity for specialists. Eighteen months later, the protocol has more than 200,000 active servers, adoption from OpenAI, Google and Microsoft-backed Cursor, and a security situation keeping enterprise security teams up at night. The question is no longer whether MCP will shape AI infrastructure. The question is whether anyone will manage to secure it in time.

What exactly is MCP?

Model Context Protocol is — simply put — a universal plug socket for AI. Imagine an AI assistant that needs to fetch data from a database, send an email, read a file and then call a payments API. Without MCP, developers had to write custom integration code for every single tool, for every single AI model. With MCP, you define one server that exposes the tools, and any compatible AI client can use them.

That is where the USB-C analogy comes in — and where it also starts to limp.

> PULLQUOTE: "USB-C solves physical connectivity. MCP solves logical connectivity. But neither answers the question of whether you can trust what is sitting at the other end."

How the architecture works

MCP architecture has two core components:

The client automatically discovers available servers and routes requests between the AI model and external tools. Servers define their own tools via JSON schemas that the model can read and understand directly.

The protocol supports three primary patterns, according to the official MCP specification:

TIMELINE: From idea to infrastructure

November 2024 — Anthropic launches MCP as an open standard. Claude Desktop is the first client.

Q1 2025 — OpenAI adopts MCP in the ChatGPT desktop app. Cursor and Zed follow.

Q3 2025 — Vercel integrates MCP into its agent platform. Public server count passes 10,000.

November 2025 — Google announces MCP support in Gemini at the Search IO 2026 conference.

April 2026 — Over 200,000 active MCP servers globally. Security researchers begin sounding the alarm.

Who is using it — and for what?

The list of MCP adopters reads like a who's who of tech. OpenAI uses the protocol in ChatGPT for agentic commerce — shopping, bookings and payments directly within the conversation interface. Anthropic uses it in Claude Code to give the AI assistant access to codebases and the terminal. Vercel is building serverless MCP infrastructure for web applications. Cursor gives developers AI agents that can read and write files directly inside a project.

But what can an MCP server actually do? The answers are far-reaching: file system access, SQL database queries, email dispatch, webhook calls, payment processing and API integrations. In principle, a single MCP server can give an AI agent access to everything a human employee would have.

KEYFIGURE

200,000 active MCP servers globally as of April 2026

73% of enterprise AI systems with external access are vulnerable to prompt injection (Palo Alto Unit 42, May 2026)

0 central certification bodies for MCP servers exist today

What MCP does not solve

This is what the industry is not talking about enough.

MCP standardises connectivity. It does not standardise trust. A compromised MCP server can return manipulated data, execute unauthorised actions or steer an AI agent into doing something the user never approved. The attack vector is called "tool poisoning" — and according to security research published on arXiv in May 2026, it is underestimated in almost every production environment.

Palo Alto Networks' Unit 42 published an analysis in May 2026 concluding that 73 percent of enterprise AI systems with external access are vulnerable to prompt injection. MCP servers are particularly exposed because they typically run with high system privileges.

> HIGHLIGHT: The standard protocol is missing four critical security features: no central server certification, no standardised logging, no built-in sandboxing, and no mandatory permission management. These gaps are not technical flaws — they are deliberate design choices that prioritised adoption speed over security.

Most MCP servers today run locally or in development environments. Enterprise deployment with proper security controls is still the exception, not the rule, according to the production patterns analysis published on arXiv in March 2026.

The EU AI Act sets the deadline

From August 2026, the EU AI Act requires high-risk AI systems to maintain complete logging and audit trails. This directly targets MCP-based agents handling sensitive data — customer records, health data, financial transactions. Organisations that cannot document what their agent did, via which MCP server and with which permissions, face significant fines.

This is the industry's next major headache, and the timeline is already tight.

Does MCP replace APIs?

Short answer: no. MCP is complementary to existing API infrastructure. The protocol does not change how backend systems communicate with each other — it standardises how AI models discover and use those systems. Think of it as a navigation layer on top of existing motorways, not a new motorway.

BOTTOM LINE

MCP is real infrastructure, not hype. The protocol solves a genuine problem: AI agents need a standardised way to interact with the world, and MCP delivers it. Two hundred thousand active servers in eighteen months is a rare sign of organic adoption in enterprise tech.

But growth has outrun security. Missing certification, no mandatory logging and zero built-in sandboxing turn every connection point into a potential attack surface. The EU AI Act sets a hard deadline in August 2026. The industry has barely enough time to catch up.

MCP is USB-C for AI. But just as you would not blindly trust an unknown charger, you should not blindly trust an unknown MCP server.

Verified against 6 open primary sources.