What does Enterprise Ready MCP mean? — Tobin South, WorkOS

00:00:14.600 | Thank you everyone for coming here. I hope you're excited to figure out with me what Enterprise Ready MCP means. I'm not sure a month ago people even fully understood what MCP meant. So we're all on this journey together, but hopefully it should be fun. So I was chatting to a good friend and colleague who is giving a talk tomorrow on building MCP servers and what it looks like to build that out, and his question was: how do the tools of today map to the AI systems of tomorrow? We already have some kind of concept of enterprise-ready tooling and building tools for the enterprise, for production. What does it actually mean for MCP? That's something I want to talk through today and chat with you guys about.

00:00:56.780 | So for a long time, for several years now, we've had the model of: you are a user, you talk to an AI, talk to a chatbot, it does stuff. The AIs had tool calling; now they have MCP. This is the MCP logo, which is just a way of interfacing between the AI and an external resource of some kind to do something. It can just be database access, it can be performing some complicated computation, it can be pulling in a prompt. There's lots of stuff in the MCP spec that frankly you should go and read. There's more there than most people realize. We're also seeing workloads like this, where an IT admin spins up an asynchronous workflow, which we're going to call an AI agent, which automates some process that is, you know, kind of headless, and it's going and doing a thing, and we're trying to manage that. That is then going to use MCP to access external tools that might be secured, might be internal enterprise tools, which introduces some fun problems. I also, for the sake of this kind of diagram of what the future is going to look like, want to introduce this line here just to throw some spanners in the works: users in a company using their chatbot, which makes a call to an MCP server, which then goes and queries an AI workload, an AI agent that's existing in the cloud performing some operation. And so with this kind of diagram of what could happen, I want us to figure out what we need to fix to make this really useful and production ready.

00:02:16.100 | Okay, why am I talking to you? I work for WorkOS, which is an enterprise security vendor, which I'll talk about in a second. I'm also a research fellow at Stanford working on safety for AI agents, and I just finished a PhD, where I got to wear this really funny silly hat, just a couple of months ago. OpenAI... WorkOS is an enterprise security vendor that sells to all of the AI labs, because the AI labs do not want to do the really painful, annoying work to scale the security and auth operations into the enterprise. And so we've been thinking a lot about what it means to provide the glue that means people can build agents and then just seamlessly scale it and sell it to everyone. And so I want to just tell you all the answers today, whether or not you want to use us.

00:02:56.900 | So let's go through the agent journey. We're all here trying to build agents. Let's tell a story. So I found this great API that you can query, and it will feed a bunch of goats that you can then see on a live stream. This is a real API you can go and use, and so naturally you do what anyone would do, and you're going to build an emotional support bot for employees at a company, to build a SaaS, and you give it tool use to query this. Now this is fine because it's a one-time query, but frankly tool use kind of sucks. We've had it for years now, not as many people are using it, it's really painful, a lot of things go wrong. Which is why the Model Context Protocol got invented.

00:03:37.440 | So why would you move to MCP? One, there is this really robust ecosystem of tools and providers, security tooling, that lets you interface between the model and the resource to make things safe and reliable. It's also really good at providing standardization to the models. The models are getting really good at learning how to use this, either through RL or just, you know, good evals on MCP usage. It also runs a stateful connection, which means you can do, you know, better security, better management, better context management in the way you're passing in to an AI model. And maybe you're doing it just because everyone's doing it, and why not have some fun, right? It is genuinely quite fun to build an MCP server; you can make cool things out of it.

00:04:14.240 | So what do we do? We make our local server, right? Hopefully at some point everyone's had a little play with this: you tweet out "check out my localhost", you know, try and get your friends to play with it. It's great, it's hacky, it's not particularly useful to anyone except yourself; you can build some fun local servers. Frankly this is where we see a lot of people building MCP right now: it's an internal demo, you're gonna see if you can connect it to an API, cool, it works, and then we don't go much further than that.

00:04:40.080 | And so kind of the next step, which everyone has been talking about, a lot of discussion in the community on how you do this really robustly, is just adding authentication and authorization to these workloads, which is truthfully right now the main thing you need to do. These are links to docs that will help you do it; through there you can come and chat with me, and I will sit down with you anywhere in the world and help you build a really robust, secure MCP server and figure out some pain points. You should not have an external API that is unauthenticated, that has no access controls on it; things will go very wrong. So, super simple: you make people log in, you scope, you have an admin privilege so that no one is feeding the goats too much, you know, make sure goats are well maintained and kept safe. And maybe if you're doing this internally within an organization you put it in a VPC and you're doing that gateway to make sure no one can access it who shouldn't.

00:05:35.620 | But it turns out everyone in your organization loves your goat emotional support tool, because who wouldn't? And so you do what anyone would do: you say let's make it public, let's make a public MCP server that people can add to their cord, that people can build applications on top of, let's add Stripe in there to make sure they've got payment rails. It just sends back a URL that you can call out to, click things; it's pretty straightforward. You give some users free credits because, you know, this is how apps work, and you put it on a cloud hosting solution. Tons and tons of them are spinning up; I get ads and announcements about them every day. Fundamentally MCP servers are just a normal workload, which means a lot of the cloud hosting providers can support whatever you need to host. So there's lots and lots that we can discuss there.

00:06:18.640 | But you do this really well, and everyone loves goat feeding and emotional support. So you end up going viral, you've got a billboard on the highway, MrBeast tweets you out. What happens? Now you end up having way too much traction. Right? You get free credit abuse on the sign-ups. This is something that we see happening to a ton of the AI companies that we support: AI companies give you some free credits to onboard you, but at the end of the day they're just querying an AI API, which means that folks will sign up for an account, abuse those free credits and cycle back. At one of the AI vendors that we work with, someone was using their free credits to write fan fiction stories. This is not an application designed for writing fan fiction; it's just a convenient way to get free credits. And so you end up needing bot blocking on sign-ups, you need kind of robust controls over the whole auth stack to make sure nothing goes wrong, you're going to end up needing input validation so that no one prompt-injection attacks your goats. Got to keep them safe.

00:07:20.080 | And then there's a lot of niche stuff that happens with MCP. So MCP servers dynamically register their clients with the server, which means if you have any developer admin dashboard, application dashboard, that's tracking the applications that you've created, they will suddenly be flooded with MCP servers because of this weird choice in how MCP servers register as applications. And so essentially every auth stack you need, every, like, management tooling you need, needs to be adapted for MCP. So this is something that we provide, but also, like, a bunch of other people are working on it. Something to be conscious of is: if you scale, things will start going very wrong.

00:07:56.740 | And so everyone loves your MCP server, that's super cool. Maybe it's just an AI agent wrapping it, or you're selling the core MCP server; you want to sell into enterprise. What do we have to do? This is like a well-worn SaaS path that we're going to go through. You have to do all the boring stuff: you have to do the SSO, the lifecycle management, you're going to have to do provisioning. Block, the super cool company that developed Goose, internally have been provisioning AI, like access to this client, this chat client, as well as MCP servers, and I really see a future where enterprises use SSO to provision access to a ton of internal resources exposed by MCP that employees can then chat with, as a default way that employees are encouraged to use AI to automate workflows. And so if you're going to sell into the enterprise you end up needing all this, like, nitty-gritty stuff that really sucks: fine-grained access controls that are highly performant, really robust audit logs for incident response. A lot of the regulations that exist right now, like GDPR, call out explicitly additional requirements on logging for AI workloads, because the regulators like to regulate, and so your audit logs that exist normally have to fit a very specific set of requirements which are not well supported widely. That's something to think about as you scale these workloads. And you need stuff like data loss prevention so that people aren't, like, uploading random things to MCP servers; this becomes a significant risk when people are just chatting wildly with a ton of servers.

00:09:28.360 | And so now you have an enterprise-ready server, ish, because there are a lot of other questions to answer. This is a talk that was meant to tell you the answers, but truthfully the answers aren't entirely known yet, and the protocol is very rapidly developing. And so this is the diagram we started off with. This stuff's super easy, right? How does a user log into an AI chatbot? We've solved that. How do AI systems connect to MCP servers? This is something that's being worked on; it's pretty straightforward, we can do OAuth, you can scan those QR codes from before, build it, and you have a production-ready MCP server. MCP servers connecting to external resources is pretty straightforward; it's not too hard to do, it can be a bit annoying, but, you know, you have to pass your scopes and do it properly. IT admins managing AI workloads: pretty straightforward, in theory. You know, the other end, MCP servers existing in your tenancy connecting to resources, is a bit of a pain point but can easily be built.

00:10:26.400 | There are lots of open questions still as to how we do this: how exactly remote asynchronous workloads can do headless auth into MCP servers with dynamic client registration and make sure that it has correct authorization controls. It's actually super hard, and things keep going wrong along the way. How these asynchronous workloads call out to relevant users: there is a new RFC in the MCP spec for elicitation, so when your model doesn't know what to do, it knows that it should ask a human being. This is becoming supported as part of MCP, that it can go and call out towards the user and say "please provide the additional input that you need because I'm missing details". So stuff like this is actively developing and nothing is stable. And then there's this very broad question that we're running into with AI workloads of passing scope between different AI workloads, passing access control between AI workloads, where, if you have the... we're talking about MCP; if you're using the A2A protocol you are just telling an agent, mostly in vibes, what it should or shouldn't do and relying upon the alignment of that model to make sure it doesn't misbehave. And so actually passing robust authorization, you know, scopes, communicating access controls, making sure that the service account that the AI workload might be has the correct access turns out to be a huge pain point in doing this. So frankly the cloud vendors are mostly solving the cloud... So when you start hosting, I think the authorization and access control element of this is the hardest part of putting this into external enterprise workloads, and a big gap that needs to be filled.

00:12:09.600 | So if you want to build fun things, we are actively building out this entire stack to sell to AI companies and startups, and if you go to the docs we can build some cool stuff together. Everyone is building interesting things right now, and, you know, it's fun to get into the nitty-gritty and see what bugs occur. And then, as a thank you for all listening to this fun talk: you cannot use this on your phones, to be clear, you can buy this shirt only through MCP. The instructions are on the website. Very briefly, if you'd like to see, let me see if I can get out of this and go to Cursor. You have to add the MCP server; there are many ways to do this, but the way I'd recommend is just going into one of your AI editors and typing in the JSON that the website will give you. This is like the easiest way to add it. You'll see that it's turned on; you'll need to make an account because authorization, access control, etc., and then you can say "please buy me a shirt". Beautiful. It will need my mailing address: one two three hack away. And it knows my name, it's authorized, it's done a validation check on me, we've got a bot blocker on the sign-up so that people can't abuse my shirts. And you'll see right there that we purchased a shirt. So let's go back to Keynote. And you guys can have a free, very nice MCP shirt that I would love to share around. Thank you very much.
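The talk's recipe for a non-local MCP server (make people log in, scope the tools, keep an admin privilege so nobody feeds the goats too much, and keep audit logs for incident response) sketched as an added example; this is not code from the talk or from WorkOS. The token table, scope names, tool names and daily cap are constructed stand-ins for the OAuth introspection step a real server would perform.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for OAuth token introspection: access token -> subject and
# granted scopes. A real server validates the token with its authorization server.
TOKENS = {
    "tok-alice": {"sub": "alice@example.com", "scopes": {"goats:read", "goats:feed"}},
    "tok-admin": {"sub": "it-admin@example.com",
                  "scopes": {"goats:read", "goats:feed", "goats:admin"}},
}
# Each tool declares the single scope it needs (hypothetical scope names): least privilege.
TOOL_SCOPES = {"watch_goats": "goats:read", "feed_goats": "goats:feed",
               "set_feed_limit": "goats:admin"}
DAILY_FEED_LIMIT = 3  # constructed cap so that nobody feeds the goats too much


@dataclass
class GoatServer:
    feeds: dict = field(default_factory=dict)   # subject -> feeds used today
    audit: list = field(default_factory=list)   # append-only audit trail

    def handle(self, request: dict, token: Optional[str]) -> dict:
        """Authenticate, authorize and dispatch one JSON-RPC tools/call request."""
        tool = request.get("params", {}).get("name")
        ident = TOKENS.get(token or "")
        if ident is None:                                   # no valid token at all
            return self._deny(request, None, tool, "unauthenticated")
        needed = TOOL_SCOPES.get(tool)
        if needed is None or needed not in ident["scopes"]:  # unknown tool or missing scope
            return self._deny(request, ident["sub"], tool, "insufficient_scope")
        used = self.feeds.get(ident["sub"], 0)
        if tool == "feed_goats":
            if used >= DAILY_FEED_LIMIT:
                return self._deny(request, ident["sub"], tool, "feed_limit_reached")
            self.feeds[ident["sub"]] = used + 1
        self.audit.append({"sub": ident["sub"], "tool": tool, "outcome": "allowed"})
        return {"jsonrpc": "2.0", "id": request.get("id"),
                "result": {"content": [{"type": "text", "text": f"{tool} ok"}]}}

    def _deny(self, request: dict, sub: Optional[str], tool, reason: str) -> dict:
        # Denials are logged too; -32001 is a server-defined JSON-RPC error code.
        self.audit.append({"sub": sub, "tool": tool, "outcome": reason})
        return {"jsonrpc": "2.0", "id": request.get("id"),
                "error": {"code": -32001, "message": reason}}


def call(server: GoatServer, token: Optional[str], tool: str, req_id: int = 1) -> dict:
    """Build a tools/call request the way an MCP client would and hand it to the server."""
    req = {"jsonrpc": "2.0", "id": req_id, "method": "tools/call",
           "params": {"name": tool, "arguments": {}}}
    return server.handle(req, token)
```

Every request, allowed or denied, lands in `audit` with who called which tool and why it was refused, which is the record an incident responder later needs.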