MCP servers are the orchestration layer, not the demo.

§ I — Cover concept

The context behind the article.

Journal 043

7 min

Image direction

Schematic of three small rectangles connected by clean lines, ink on cream, draftsman style

Agentic AI

7 min

Article

Most AI tooling lives one paste away from the systems it could help with. Model Context Protocol servers close that gap without giving up the security posture an enterprise can defend.

Why it belongs in the journal

This entry exists to make the operating logic visible: not just the system we would build, but the constraint, tradeoff, or failure mode that forced the architecture to matter in the first place.

§ II — Article

The bridge problem

A team we worked with spent three weeks building a deployment bot. It pulled from GitHub, ran checks against their staging environment, posted results to Slack, and updated Jira. Nineteen API integrations. Four hundred lines of glue code. A credentials file the security team would not sign off on.

Then staging changed its auth flow, and the whole thing broke in a way that took two engineers a day to untangle.

That story repeats itself everywhere AI tooling meets enterprise reality. The model is capable. The systems are capable. What is missing is a defensible way to connect them. Most teams either build brittle glue code or paste output back and forth between the two.

What MCP actually is

The Model Context Protocol is a small specification — a way to expose a set of tools (named functions with typed inputs) to an AI client over standard input/output. Three properties matter for enterprise use:

Local processes. An MCP server runs on the developer's machine or inside the company's network. It is not an internet-facing service.
Stdio transport. The AI client talks to the server through standard streams, the same way the shell talks to any CLI. No HTTP endpoint. No port to open. No firewall rule.
Declarative tool surface. The server tells the client what tools exist, what inputs they expect, and what they return. The client decides when to call them.

Credentials never leave the local environment. The attack surface is the same as the attack surface of the CLI tools the developer already runs. Security teams can reason about it without a new threat model.

What it replaces

Look at any enterprise AI stack today and you will find one of three patterns connecting the model to the rest of the company:

Paste in, paste out. The human is the integration layer. Slow, error-prone, but auditable.
A bespoke gateway. Some team built an HTTP shim that proxies model calls to internal APIs. Custom auth, custom rate limits, custom maintenance. Eventually unowned.
Vendor-locked plugin. The AI vendor's own connector. Works only with their model, only against the integrations they prioritize.

MCP replaces all three with one project-scoped configuration file, .mcp.json, that lives in the repo and declares which local servers the AI session should start. Same config, different developers, same integrations.

{
  "mcpServers": {
    "deploy":   { "command": "python", "args": ["./tools/deploy.py"] },
    "database": { "command": "npx", "args": ["-y", "@org/mcp-postgres"] }
  }
}

The economics

The MCP ecosystem has crossed the threshold where building your own server is cheaper than buying a connector. Over ten thousand active public MCP servers and seventy-five official connectors exist as of early 2026, with adoption across the major AI clients (Claude, ChatGPT, Cursor, Gemini, Microsoft Copilot, VS Code). The protocol is governed by a foundation, not a single vendor.

That changes the make-vs-buy math. A custom MCP server for your internal billing API is a one-afternoon project, written once, used by every developer with an AI client, replaceable in place when you switch models. A vendor connector is a recurring line item, locked to a single client, and unmaintained the day the vendor pivots.

What we recommend

For most engineering teams the right starting point is small and concrete:

One MCP server per system of record the team actually queries during development — your DB, your deploy pipeline, your ticket tracker. Not all of them. The ones a developer reaches for daily.
A .mcp.json in the repository. Treat it like .editorconfig — version controlled, reviewed in PRs, applies to every contributor.
No production secrets in the server's env. The MCP server should read the same credentials a developer would use locally. Production access goes through the production deployment, not the AI session.

MCP is not the headline feature. It is the plumbing that makes the headline feature actually safe to plug in. Most AI projects fail at the plumbing, not the model.

§ III — Reading note

What the article is really about.

Operating tension

Most AI tooling lives one paste away from the systems it could help with. Model Context Protocol servers close that gap without giving up the security posture an enterprise can defend. In practice, the hard part is usually not implementation syntax but aligning delivery, controls, and operator trust so the thing can survive contact with a real team.

Kleio view

We treat these articles as public design memos: short, opinionated, and anchored in systems that have to be bought, operated, and defended long after launch week.

§ III — Continue reading

Three adjacent articles.

Cloud Computing

Modernization is a pipeline, not a rewrite.

We killed a $400K rewrite in week two and replaced it with a three-tier modernization pipeline. Eleven modules extracted, 19,000 lines of dead code retired, drift down 62% — without a single big-bang cutover.

AI

Audit before you automate.

An association almost spent $180K automating a workflow that ate twenty-four hours per year, while an 8,680-hour problem sat untouched. The fifteen-minute audit that caught it is the cheapest piece of work in any AI engagement.

How we work

How an engagement with us actually works.

Discovery sprint, pod, managed platform, or staff augmentation. The model depends on what you need; the discipline does not change.

Back to journal