MCP Roadmap 2026-2027: What Comes After the 2025-11-25 Spec Line
The MCP Roadmap 2026 describes the expected evolution of the Model Context Protocol after the November 2025 spec line: a shift from pure tool connectivity towards enterprise readiness with auth, audit trails, registry and discovery. The 2025-11-25 spec introduced asynchronous operations, statelessness and server identity. What comes next is forecast, not fact.
Key Takeaways
- ✓The November 2025 spec line anchored asynchronous operations, statelessness, server identity and official extensions as the new baseline - the leap from experiment to infrastructure (as of 2026).
- ✓With the donation to the Agentic AI Foundation under the Linux Foundation (9 December 2025), the roadmap formally prioritises enterprise readiness: audit trails, SSO-integrated auth, gateway behaviour and configuration portability.
- ✓Market signal as of April 2026: around 9,400 public MCP servers, roughly 97 million monthly SDK downloads and 78 percent of enterprise AI teams running at least one MCP agent in production.
- ✓The biggest open work item remains security: an 'optimistic trust model', tool poisoning, full-schema poisoning and server squatting make sandboxing, least privilege and controlled registries a deployer obligation.
- ✓Architecture consensus for DACH builds: MCP for agent-to-tool, A2A for agent-to-agent - anything else is a deviation requiring justification in 2026.
- ✓All statements about 2027/2028 are forecasts with 30-50 percent uncertainty on the timing; the structural direction is more reliable than the specific date.
The MCP Roadmap 2026 describes the expected evolution of the Model Context Protocol after the November 2025 spec line. The core movement: away from pure tool connectivity, towards enterprise readiness with auth, audit trails, registry and discovery. The reference spec (November 2025) introduced asynchronous operations, statelessness and server identity. What comes after that is clearly marked in this article as forecast, not as established fact.
This article is part of the hub The Future of Agentic AI (2026-2028) and goes deeper into the integration layer that affects almost every production agent system in DACH companies in 2026.
- Status today (as of 2026): MCP is the de facto integration layer for agent-to-tool - around 9,400 public servers, roughly 97 million monthly SDK downloads, 78 percent of enterprise AI teams with at least one MCP agent in production.
- Next step: Governance has sat with the Agentic AI Foundation (Linux Foundation) since December 2025; the roadmap formally prioritises audit trails, SSO-integrated auth, gateway behaviour and configuration portability.
- Biggest work item: Security. The "optimistic trust model" makes sandboxing, least privilege and controlled registries an operator obligation.
The starting point: what the 2025-11-25 spec line means
Anthropic introduced the Model Context Protocol on 25 November 2024 as an open standard for connecting AI applications to external systems - file systems, databases, business systems, dev tools. Technically, MCP rests on JSON-RPC 2.0 across several transports: stdio for local, originally Server-Sent Events, and since the April 2025 revision Streamable HTTP.
Development progressed in clear steps that you need to know in order to read the roadmap:
- April 2025: OAuth 2.1, JSON-RPC batching and tool annotations were added. This made MCP auth-capable in the enterprise sense for the first time.
- November 2025 (the reference line): asynchronous operations, statelessness, server identity and official extensions. This is the real leap from "tool-calling protocol" to "infrastructure building block".
- Early 2026: MCP Apps (SEP-1865) standardised the delivery of interactive UI from MCP servers to host applications such as Claude and ChatGPT.
The decisive structural shift, however, is not a spec detail but a governance event: on 9 December 2025, Anthropic donated MCP to the newly founded Agentic AI Foundation (AAIF), a Directed Fund under the Linux Foundation. Co-founded by Anthropic, Block and OpenAI, with Platinum support from AWS, Bloomberg, Cloudflare, Google and Microsoft; further members include Cisco, IBM, Okta, Oracle, SAP and Snowflake - effectively the entire agentic AI stack. Day-to-day technical governance remains with the existing maintainers; the Foundation board takes over strategic investment and member acquisition. For DACH decision-makers, this means MCP is no longer a vendor bet but a vendor-neutral standard - which substantially lowers the lock-in risk during procurement.
Where MCP stands today (as of 2026)
The market figures show that MCP has left the experimentation phase. As of April 2026, public registries list around 9,400 MCP servers with growth of roughly 18 percent month over month. The Python and TypeScript SDKs together record around 97 million monthly downloads. Survey data from enterprise AI teams shows that around 78 percent run at least one MCP-backed agent in production.
In practical terms: SAP Joule Studio 2.0 integrates MCP natively (MCP servers for ABAP, LeanIX, Integration Suite), and Microsoft 365 Copilot, Copilot Studio, Salesforce Agentforce, n8n, LangGraph, Mastra and PydanticAI all speak MCP. Anyone starting an agent project in 2026 is writing or consuming MCP servers - whether planned or not.
What matters for the architecture decision is the distinction from A2A (agent-to-agent). MCP is the foundation for agent-to-tool. It can be repurposed to expose an agent as a "server" with tool-shaped capabilities - but it was not built for that. Anthropic, Google and Microsoft consistently recommend: MCP for tools, A2A for genuine peer collaboration.
Forecast: the MCP roadmap 2026-2027
The following section is explicitly forecast, not fact. In our experience, AI roadmaps over 18-24 months carry 30-50 percent uncertainty on the timing; the structural direction is more reliable than the specific date.
The Foundation's roadmap formally prioritises enterprise readiness: audit trails, SSO-integrated auth, gateway behaviour and configuration portability. From this, the expected trajectory can be derived:
Area | Today (as of 2026) | Expected (forecast 2027-2028) |
|---|---|---|
Spec maturity | Async, statelessness, server identity, extensions (Nov 2025); MCP Apps (SEP-1865) | Enterprise extensions stabilise; extension ecosystem consolidates |
Auth / Security | OAuth 2.1 (since April 2025); hardening is a deployer matter | SSO-integrated auth and gateway policies stabilise as standard |
Registry / Discovery | ~9,400 public servers; internal MCP registries per company | Servers as standard enterprise integration; official remote servers as procurement default |
Audit / Governance | Single-trace-ID discipline as best practice | Audit trails as roadmap priority; gateway behaviour standardised |
Scaling / Reach | Agent-to-tool for LLM agents | MCP-equivalent patterns for non-LLM AI (vision, voice-native, robotics) |
Enterprise adoption | 78 percent of AI teams with >=1 MCP agent in production | SAP, Salesforce, Atlassian, Figma and others ship official remote MCP servers |
Concretely, the research outlines the following stages:
- 2026 H2: MCP is the de facto integration layer for new agent builds. Enterprise SaaS providers such as SAP, Salesforce, Atlassian and Figma ship remote MCP servers.
- 2027: MCP servers become the standard enterprise integration. Enterprise-readiness extensions (SSO, audit trails, gateway policies) stabilise. Companies should expect their major SaaS providers to ship official remote MCP servers as a procurement default.
- 2028: MCP-equivalent patterns extend to non-LLM AI (vision, voice-native, robotics). The "agentic mesh" architecture - MCP for agent-to-tool, A2A or successor protocols for agent-to-agent - consolidates.
The open work items: security, registry, trust
The biggest unresolved question is security. According to research, the attacks documented in 2025 mostly trace back to MCP's "fundamentally optimistic trust model", which confuses syntactic correctness with semantic safety:
- Indirect prompt injection via MCP server descriptions.
- Tool poisoning (Invariant Labs demonstrated this in March 2025 on a WhatsApp proof-of-concept).
- Look-alike server squatting - deceptively similarly named servers.
- Full-schema poisoning (CyberArk): not just the description - every part of a tool schema is a potential injection point.
- GitHub MCP "toxic agent flow": a malicious GitHub issue tricks the agent into leaking from private repos.
As of 2026, hardening is the operator's responsibility, not the protocol's: sandboxing, scope-limited tokens, least privilege - and above all no autonomous installation of MCP servers from an unvetted registry. This is precisely where the second work item comes in: registry and discovery. Today, large enterprises run internal MCP server registries with strict access control and place servers behind OAuth 2.1. For cross-vendor discoverability, AGNTCY's OASF directory is emerging as a plausible form - still at watchlist status, not as an established standard.
Practical example: MCP tool layer in a DACH enterprise
What this looks like concretely is shown by the reference setup for a DACH enterprise (AI Center of Excellence, 10-30 FTE, hub-and-spoke). Here the tool layer is built end to end via MCP, with an internal registry and OAuth 2.1 as a requirement. The recommended rollout sequence from the research is:
- Standardise MCP server policy (registry, access, OAuth 2.1).
- Introduce A2A within a single estate first (e.g. Salesforce only).
- Extend to a second estate (e.g. SAP).
- Publish an AgentCard registry.
- Add cross-vendor identity (AGNTCY) only once the volume justifies it.
A practical mandatory step from day one: push a single trace ID through every A2A task and every MCP call - otherwise audit gaps emerge in which the logs of one estate cannot be correlated with those of another. Without this discipline, a multi-agent system is effectively un-investigable under a supervisory request. According to the research, the budget window for platform year 1 in this class lies at roughly 2 to 20 million euros (as of 2026) - the range mainly reflects whether a single-vendor setup is extended or a genuine cross-vendor mesh with sovereign hosting is built.
What this means for agencies and B2B
For agencies and AI-native product providers, MCP is the lever for productisation: a shared MCP server repository across all client projects, plus vertical custom servers (such as an SEO keyword research server or an internal CMS server). Those who build cleanly here sell integrations instead of one-off solutions.
For B2B decision-makers, the procurement question is central: does the contract with Agentforce, Joule or Copilot Studio guarantee compliance with the MCP standards - and what happens on exit? MCP as a vendor-neutral standard under the Linux Foundation is the best available antidote to platform lock-in, but only if registry governance, OAuth 2.1 hardening and audit-trail discipline are factored in from the outset.
If you want to follow the further course of the MCP roadmap, the spec releases and the security debate without researching it yourself every week: our newsletter bundles the relevant developments around agentic AI for the DACH market - precise, without hype, with a clear separation between fact and forecast.
FAQ
What is the 2025-11-25 spec line in MCP?
Who steers the MCP roadmap after 2025?
What is expected to come to MCP in 2027?
What are the biggest unresolved problems with MCP?
Should you use MCP or A2A?
Want to go deeper?
Get new analyses straight to your inbox – or see how we put this knowledge to work for companies.