
What does Enterprise Ready MCP mean? — Tobin South, WorkOS


Transcript

*Music* Thank you everyone for coming here. I hope you're excited to figure out with me what Enterprise Ready MCP means. I'm not sure a month ago people even fully understood what MCP meant. So we're all on this journey together, but hopefully it should be fun. So I was chatting to a good friend and colleague who is giving a talk tomorrow on building MCP servers and what it looks like to build that out, and his question was: how do the tools of today map to the AI systems of tomorrow?

We already have some kind of concept of enterprise-ready tooling and building tools for the enterprise or production. What does it actually mean for MCP? That's something I kind of, you know, want to talk through today and chat with you guys about. So for a long time, for several years now, we've had the model of: you are a user, you talk to an AI, you talk to a chatbot, it does stuff.

The AIs had tool calling; now they have MCP. This is the MCP logo. It's just a way of interfacing between the AI and an external resource of some kind to do something. It can just be database access, it can be performing some complicated computation, it can be pulling in a prompt. There's lots of stuff in the MCP spec that frankly you should go and read.

There's more there than most people realize. We're also seeing workloads like this, where an IT admin spins up an asynchronous workflow, which we're going to call an AI agent, which automates some process that is, you know, kind of headless, and it's going and doing a thing, and we're trying to manage that.

That is then going to use MCP to access external tools that might be secured, might be internal enterprise tools, which introduces some fun problems. I also, for the sake of this kind of diagram of what the future is going to look like, want to introduce this line here, just to throw some spanners in the works: users in a company using their chatbot, which makes a call to an MCP server, which then goes and queries an AI workload, an AI agent that's existing in the cloud performing some operation.

And so with this kind of diagram of what could happen, I want us to figure out what we need to fix to make this really useful and production ready. Okay, why am I talking to you? I work for WorkOS, which is an enterprise security vendor, which I'll talk about in a second.

I'm also a research fellow at Stanford working on safety for AI agents, and I just finished a PhD, where I got to wear this really funny, silly hat just a couple of months ago. WorkOS is an enterprise security vendor that sells to all of the AI labs, because the AI labs do not want to do the really painful, annoying work to scale the security and auth operations into the enterprise.

And so we've been thinking a lot about what it means to provide the glue that means people can build agents and then just seamlessly scale it and sell it to everyone. And so I want to just tell you all the answers today, whether or not you want to use us.

So let's go through the agent journey; we're all here trying to build agents. Let's tell a story. So I found this great API that you can query, and it will feed a bunch of goats that you can then see on a live stream. This is a real API you can go and use, and so naturally you do what anyone would do: you're going to build an emotional support bot for employees at a company, to build a SaaS, and you give it tool use to query this.

Now this is fine because it's a one-time query, but frankly tool use kind of sucks. We've had it for years now; not as many people are using it; it's really painful; a lot of things go wrong. Which is why the Model Context Protocol got invented. So why would you move to MCP?

One, there is this really robust ecosystem of tools and providers, security tooling that lets you interface between the model and the resource to make things safe and reliable. It's also really good at providing standardization to the models. The models are getting really good at learning how to use this, either through RL or just, kind of, you know, good evals on MCP usage.

It also runs a stateful connection, which means you can do, you know, better security, better management, better context management in the way you're passing in to an AI model. And maybe you're doing it just because everyone's doing it, and why not have some fun, right? It is genuinely quite fun to build an MCP server; you can make cool things out of it.

So what do we do? We make our local server, right? Hopefully at some point everyone's had a little play with this: you tweet out "check out my localhost", you know, try and get your friends to play with it. It's great, it's hacky, it's not particularly useful to anyone except yourself; you can build some fun local servers.

Frankly, this is where we see a lot of people building MCP right now: it's an internal demo, you're gonna see if you can connect it to an API, cool, it works, and then we don't go much further than that. And so kind of the next step, where everyone has been talking, a lot of discussion in the community, about how you do this really robustly, is just adding authentication and authorization to these workloads, which is truthfully right now the main thing you need to do.

These are links to docs that will help you do it. Through there you can come and chat with me, and I will sit down with you anywhere in the world and help you build a really robust, secure MCP server and figure out some pain points. You should not have an external API that is unauthenticated, that has no access controls on it; things will go very wrong.

So, super simple: you make people log in, you scope, you have an admin privilege so that no one is feeding the goats too much, you know, make sure goats are well maintained and kept safe. And maybe, if you're doing this internally within an organization, you put it in a VPC and you're doing that gateway to make sure no one can access it who shouldn't.

But it turns out everyone in your organization loves your goat emotional support tool, because who wouldn't? And so you do what anyone would do: you say, let's make it public, let's make a public MCP server that people can add to their cord, that people can build applications on top of. Let's add Stripe in there to make sure they've got payment rails; it just sends back a URL that you can call out to, click things, it's pretty straightforward.

You give some users free credits, because, you know, this is how apps work, and you put it on a cloud hosting solution. Tons and tons of them are spinning up; I get ads and announcements about them every day. Fundamentally, MCP servers are just a normal workload, which means a lot of the cloud hosting providers can support whatever you need to host.

So there's lots and lots that we can discuss there. But you do this really well, and everyone loves goat feeding and emotional support. So you end up going viral: you've got a billboard on the highway, Mr. Beast tweets you out. What happens? Now you end up having way too much traction.

Right? You get free credit abuse on the sign-ups. This is something that we see happening at a ton of the AI companies that we support: AI companies give you some free credits to onboard you, but at the end of the day they're just querying an AI API, which means that folks will sign up for an account, abuse those free credits, and cycle back.

One of the AI vendors that we work with: someone was using their free credits to write fan fiction stories. This is not an application designed for writing fan fiction; it's just because it's a convenient way to get free credits. And so you end up needing bot blocking on sign-ups, you need kind of robust controls over the whole auth stack to make sure nothing goes wrong, you're going to end up needing input validation so that no one prompt-injection-attacks your goats; got to keep them safe.

And then there's a lot of niche stuff that happens with MCP. So MCP servers dynamically register their clients with the server, which means if you have any developer admin dashboard, application dashboard, that's tracking the applications that you've created, they will suddenly be flooded with MCP servers, because of this weird choice in how MCP servers register as applications. And so essentially every auth stack you need, every, like, management tooling you need, needs to be adapted for MCP. So this is something that we provide, but also, like, a bunch of other people are working on it. Something to be conscious of is: if you scale, things will start going very wrong.

And so everyone loves your MCP server, that's super cool; maybe it's just an AI agent wrapping it, or you're selling the core MCP server. You want to sell into enterprise. What do we have to do? This is, like, a well-worn SaaS path that we're going to go through. You have to do all the boring stuff: you have to do the SSO, the lifecycle management, you're going to have to do provisioning. Block is this super cool company that developed Goose, and internally they've been provisioning AI, like, access to this client, this chat client, as well as MCP servers. And I really see a future where enterprises use SSO to provision access to a ton of internal resources exposed by MCP that then employees can chat with, as a default way that employees are encouraged to use AI to automate workflows.

And so if you're going to sell into the enterprise, you end up needing all this, like, nitty-gritty stuff that really sucks: fine-grained access controls that are highly performant, really robust audit logs for incident response. A lot of the regulations that exist right now, like GDPR, call out explicitly additional requirements on logging for AI workloads, because the regulators like to regulate, and so your audit logs that exist normally have to fit a very specific set of requirements, which are not well supported widely. That's something to think about as you scale these workloads. And you need stuff like data loss prevention, so that people aren't, like, uploading random things to MCP servers; this becomes a significant risk when people are just chatting wildly with a ton of services.

And so now you have an enterprise-ready server, ish, because there are a lot of other questions to answer. This is a talk that was intended to tell you the answers, but truthfully the answers aren't entirely known yet, and the protocol is very rapidly developing. And so this is the diagram we started off with. This stuff's super easy, right? How does a user log into an AI chatbot? We've solved that. How do AI systems connect to MCP servers? This is something that's being worked on; it's pretty straightforward, we can do OAuth there. You can scan those QR codes from before, build it, and you have a production-ready MCP server. MCP servers connecting to external resources is pretty straightforward; it's not too hard to do, can be a bit annoying, but, you know, you have to pass your scopes and do it properly. IT admins managing AI workloads: pretty straightforward. And in theory, you know, the other end, MCP servers existing in your tenancy connecting to resources: a bit of a pain point, but can easily be built.

There are lots of open questions still as to how we do this: how exactly remote asynchronous workloads can do headless auth into MCP servers with dynamic client registration and make sure that you have correct authorization controls. It's actually super hard, and things keep going wrong along the way. How these asynchronous workloads call out to relevant users: there is a new RFC in the MCP spec for elicitation, so when your model doesn't know what to do, it knows that it should ask a human being. This is becoming supported as part of MCP, that it can go and call out towards the user and say, please provide additional input that you need, because I'm missing details. So stuff like this is actively developing, and nothing is stable.

And then there's this very broad question that we're running into with AI workloads of passing scope between different AI workloads, passing access control between AI workloads, where, if you have the A2... we're talking about MCP, but if you're using the A2A protocol, you are just telling an agent, mostly in vibes, what it should or shouldn't do, and relying upon the alignment of that model to make sure it doesn't misbehave. And so actually passing robust authorization, you know, scopes, communicating access controls, making sure that service account that the AI workload might be has the correct access, turns out to be a huge pain point in doing this. So frankly, the cloud vendors are mostly solving the cloud. So when you start hosting, I think the authorization and access control element of this is the hardest part of putting this into external enterprise workloads, and a big thing that needs to be filled.

So if you want to build fun things, we are actively building out this entire stack to sell to AI companies and startups, and if you go to the docs we can build some cool stuff together. Everyone is building interesting things right now, and, you know, it's fun to get into the nitty-gritty and see what bugs occur. And then, as a thank you for all listening to this fun talk: you cannot use this on your phones, to be clear; you can buy this shirt only through MCP. The instructions are on the website. Very briefly, if you'd like to see, let me see if I can get out of this and go to Cursor. You have to add the MCP server. There are many ways to do this, but the way I'd recommend is just going into one of your AI editors and typing in the JSON that the website will give you; this is, like, the easiest way to add it. You'll see that it's turned on. You'll need to make an account, because authorization, access control, etc., and then you can say, please buy me a shirt. And of course the Wi-Fi will not work. Beautiful. It will need my mailing address: 123 Hack Away, WorkOS, and I want a medium. And it knows my name, it's authorized, it's done a validation check on me, we've got a bot blocker on the sign-up so that people can't abuse my shirts. And you'll see right there that we purchased a shirt.

So let's go back to Keynote. Scan it, add it to your computer if you want, and you guys can have a free, very nice MCP shirt that I would love to share around. Thank you very much.
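The talk points out that MCP clients self-register through dynamic client registration and end up flooding the application dashboard. The following is an added example, not code from the talk or from WorkOS: a minimal RFC 7591 registration handler that validates redirect URIs and grant types, tags self-registered clients so a dashboard can hide them, and expires ones that never complete an auth flow. The one-week TTL, the loopback-only http rule, the in-memory registry and the `origin`/`expires_at`/`last_used_at` bookkeeping fields are assumptions of this example.

```python
# Added example (not from the talk or WorkOS): RFC 7591 dynamic client registration handler.
import secrets
from urllib.parse import urlparse

# Assumed policy values for this example, not numbers from the talk.
DCR_CLIENT_TTL_SECONDS = 7 * 24 * 3600  # unused DCR clients expire after a week
ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token"}
REGISTRY = {}  # client_id -> record; in-memory stand-in for the app database


def _valid_redirect_uri(uri):
    """Accept https, or plain http only on loopback (local MCP clients such as editors)."""
    p = urlparse(uri)
    return (p.scheme == "https" and bool(p.hostname)) or (
        p.scheme == "http" and p.hostname in ("127.0.0.1", "localhost", "::1"))


def register_client(request, now):
    """Handle a POST /register body (RFC 7591); `now` is unix time. Returns (status, body)."""
    uris = request.get("redirect_uris") or []
    if not uris or not all(_valid_redirect_uri(u) for u in uris):
        return 400, {"error": "invalid_redirect_uri"}
    grants = set(request.get("grant_types") or ["authorization_code"])
    if not grants <= ALLOWED_GRANT_TYPES:
        return 400, {"error": "invalid_client_metadata"}
    record = {
        "client_id": secrets.token_urlsafe(16),
        "client_name": str(request.get("client_name", ""))[:64],
        "redirect_uris": uris,
        "grant_types": sorted(grants),
        "token_endpoint_auth_method": "none",  # public client with PKCE; no secret issued
        "client_id_issued_at": int(now),
        "origin": "mcp-dcr",  # internal tag: self-registered, so the dashboard can hide it
        "expires_at": int(now) + DCR_CLIENT_TTL_SECONDS,
        "last_used_at": None,  # set when the client first completes an auth flow
    }
    REGISTRY[record["client_id"]] = record
    return 201, {k: v for k, v in record.items()
                 if k not in ("origin", "expires_at", "last_used_at")}


def dashboard_clients():
    """Only applications a developer created by hand belong on the dashboard."""
    return [c for c in REGISTRY.values() if c["origin"] != "mcp-dcr"]


def purge_expired(now):
    """Delete DCR clients that expired without ever completing an auth flow."""
    dead = [cid for cid, c in REGISTRY.items() if c["origin"] == "mcp-dcr"
            and c["last_used_at"] is None and c["expires_at"] <= now]
    for cid in dead:
        del REGISTRY[cid]
    return len(dead)
```

Run `purge_expired` from a scheduled job; clients that did finish an authorization flow should have `last_used_at` set by the token endpoint so they survive the sweep.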