When Anthropic introduced the Model Context Protocol (MCP) in November 2024, it triggered a wave of hype. YouTube videos, blogs, and tweet threads all chimed in to say: this is the future of AI integration. And in many ways, it is.
But in our latest conversation, I wanted to step beyond the hype and ask: What is MCP? What can MCP do today? And more importantly, what should enterprises be cautious about?
What Is MCP and Why Does It Matter?
MCP is a protocol designed to help large language models (LLMs) connect to external tools and systems. Think of it like a universal adapter — a bridge between an AI model and the real-world capabilities it doesn’t natively possess.
For example, let’s say you want an LLM to rewrite an email and send it. Right now, most LLMs can handle the rewrite — but they can’t hit “send” unless they’re connected to your email account. That’s where MCP comes in. It provides a standardized way to expose tools — file systems, calendars, CRMs — to the model, so it can invoke them on demand.
It runs on a client-server architecture:
- A host is the AI app (like Claude or another LLM tool).
- An MCP client bridges the host to an MCP server.
- The MCP server exposes access to local or external systems — from a file path on your computer to full enterprise systems.
The protocol itself is lightweight. Whether you’re connecting the model to a simple utility or your ERP, the server is still a small component. But what it unlocks is anything but small.
The Promise for Business Automation
Conceptually, MCP is brilliant. It enables a composable approach to AI automation. You could wire up AI to generate reports, update records, schedule meetings, or analyze dashboards — all by linking the model to live systems in real time.
The vision is clear: AI that isn’t just smart, but useful — plugged into your business tools and capable of taking action.
But that vision comes with caveats.
MCP Security Risks No One’s Talking About
Here’s where things get real.
There’s been almost zero public conversation about the security model for MCP. Yet today, people are running these servers locally, often without reading the source code they’re installing. One of the most popular MCP servers out there allows a model to access your file system — your actual C:\ drive. That’s incredibly powerful… and incredibly dangerous.
This is how you wire up an immature brain to your business systems. These models don’t have the intuition or discipline of a human operator. They follow patterns and predictions — and sometimes, they get it wrong. We’ve seen models ignore “do not delete” instructions and remove classes or files anyway.
That might be acceptable on a personal project. But inside an enterprise? That’s a disaster waiting to happen.
This isn’t just a hypothetical. It mirrors the missteps of the late ’90s, when Microsoft introduced ActiveX controls into browsers — a move that seemed innovative but quickly became one of the biggest cybersecurity blunders in history. MCP could become the ActiveX of AI if we’re not careful.
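The filesystem server described above is only as dangerous as the directory it is pointed at, and that choice lives in the hand-edited JSON the client reads. As an added example (not code from this post or from any MCP project), here is a Python audit of a Claude-Desktop-style config that flags servers granted a whole drive or a home directory and launcher packages with no version pin; the `mcpServers`/`command`/`args` shape is the real one, while the server and package names are placeholders.

```python
"""Audit a Claude-Desktop-style MCP config for over-broad server grants.

Added example, not code from the original post or from any MCP project.
It reads the {"mcpServers": {name: {"command": ..., "args": [...]}}} shape
of the JSON file the post mentions; the server and package names in the
sample are placeholders, and the two rules below are this example's own.
"""
import json
import re
from pathlib import PurePosixPath, PureWindowsPath

WIN_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")
HOME_DIRS = {"users", "home"}


def path_scope(arg: str):
    """Classify a path-like argument: 'drive-root', 'home-dir', 'scoped' or None."""
    if WIN_DRIVE.match(arg):
        parts = PureWindowsPath(arg).parts
    elif arg.startswith("/"):
        parts = PurePosixPath(arg).parts
    else:
        return None  # a flag or package name, not a path
    if len(parts) == 1:
        return "drive-root"  # C:\ or /
    if len(parts) == 3 and parts[1].lower() in HOME_DIRS:
        return "home-dir"  # C:\Users\alice, /home/alice, /Users/alice
    return "scoped"


def is_pinned(package: str) -> bool:
    """True when an npx package carries an explicit version (name@1.2.3)."""
    body = package[1:] if package.startswith("@") else package  # skip npm scope
    return "@" in body


def audit_config(text: str) -> list:
    """Return one finding per over-broad path grant or unpinned npx package."""
    findings = []
    for name, spec in json.loads(text).get("mcpServers", {}).items():
        args = spec.get("args", [])
        for arg in args:
            scope = path_scope(arg)
            if scope in ("drive-root", "home-dir"):
                findings.append({"server": name, "rule": scope,
                                 "detail": f"grants the model {arg!r} and everything under it"})
        if spec.get("command") == "npx":
            # The package is the first argument that is neither a flag nor a path;
            # unpinned, it is re-resolved at every launch, so the code can change.
            pkgs = [a for a in args if not a.startswith("-") and path_scope(a) is None]
            if pkgs and not is_pinned(pkgs[0]):
                findings.append({"server": name, "rule": "unpinned-package",
                                 "detail": f"{pkgs[0]!r} has no version pin"})
    return findings


# Constructed sample: whole drive, a home directory, and a narrow pinned one.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "files-everything": {"command": "npx",
                         "args": ["-y", "example-filesystem-server", "C:\\"]},
    "files-home": {"command": "npx",
                   "args": ["-y", "example-filesystem-server@1.4.0", "/Users/alice"]},
    "files-reports": {"command": "npx",
                      "args": ["-y", "example-filesystem-server@1.4.0",
                               "C:\\Users\\alice\\reports"]},
}})

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['server']}: {f['rule']} - {f['detail']}")
```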
Why Enterprises Should Tread Carefully
Let’s be clear: we’re not here to bash MCP. It’s an important evolutionary step. In fact, we’ve built our own version — Krista’s CAM (Context-Aware Middleware) — to solve many of the same problems in a secure, orchestrated way.
But enterprises need to be thoughtful. Right now, there’s no standard, scalable way to deploy or manage MCP securely. You’re editing JSON files in the Claude client or other tools, and the setup is highly manual. There’s no consistent way to validate what tools are being invoked or what payloads are moving around.
It’s not ready for wide deployment. You can’t roll this out to 5,000 people and expect security or governance. In fact, it’s not even a “rollout” — it’s just individuals plugging their desktop tools into public LLMs without oversight.
And that’s the most dangerous part. Company data is walking out the door, not maliciously, but through ungoverned experimentation.
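One control that closes the validation gap described above is a gate that sits between the host and each server and inspects every tools/call before forwarding it. This is an added example, not code from this post or from any MCP implementation: MCP messages are JSON-RPC 2.0 and a tool invocation arrives as a tools/call request, while the policy, audit record, error code and sample traffic below are constructed for illustration.

```python
"""Gate MCP "tools/call" requests against an explicit policy.

Added example, not code from the original post or any MCP implementation.
MCP frames its messages as JSON-RPC 2.0 and carries a tool invocation as a
"tools/call" request with the tool name and arguments; the policy shape,
audit record, error code and sample traffic below are this example's own.
"""
import json
import posixpath

# Constructed policy for one filesystem-style server: tools not listed are
# denied, and every path-like argument must stay under an allowed root.
POLICY = {
    "allowed_tools": {"read_file", "list_directory"},
    "allowed_roots": ["/home/alice/reports"],
    "path_arguments": {"path", "paths"},
}
GATE_ERROR_CODE = -32001  # this gate's own code, in the JSON-RPC server-error range


def inside_allowed_root(path: str) -> bool:
    """True if the normalised POSIX path is an allowed root or lies beneath one."""
    norm = posixpath.normpath(path)  # collapses ../ so the real target is judged
    return any(norm == r or norm.startswith(r.rstrip("/") + "/")
               for r in POLICY["allowed_roots"])


def evaluate(message: dict) -> dict:
    """Decide whether one client-to-server JSON-RPC message may be forwarded."""
    record = {"id": message.get("id"), "method": message.get("method"), "tool": None}
    if message.get("jsonrpc") != "2.0" or not isinstance(record["method"], str):
        return {**record, "verdict": "deny", "reason": "not a JSON-RPC 2.0 request"}
    if record["method"] != "tools/call":
        return {**record, "verdict": "allow", "reason": "not a tool call"}
    params = message.get("params") or {}
    tool, args = params.get("name"), params.get("arguments") or {}
    record["tool"] = tool
    if tool not in POLICY["allowed_tools"]:
        return {**record, "verdict": "deny", "reason": f"tool {tool!r} not in allowlist"}
    for key, value in args.items():
        if key not in POLICY["path_arguments"]:
            continue
        for p in (value if isinstance(value, list) else [value]):
            if not isinstance(p, str) or not inside_allowed_root(p):
                return {**record, "verdict": "deny", "reason": f"{key}={p!r} escapes allowed roots"}
    return {**record, "verdict": "allow", "reason": "tool and paths within policy"}


def deny_response(message: dict, reason: str) -> dict:
    """JSON-RPC error the gate sends back instead of forwarding the request."""
    return {"jsonrpc": "2.0", "id": message.get("id"),
            "error": {"code": GATE_ERROR_CODE, "message": f"blocked by tool gate: {reason}"}}


def gate(lines):
    """Filter newline-delimited JSON from the client side of a stdio transport;
    returns (lines to forward, error replies for the client, audit records)."""
    forward, replies, audit = [], [], []
    for line in lines:
        try:
            message = json.loads(line)
            if not isinstance(message, dict):
                raise ValueError("not a JSON object")
        except ValueError:  # JSONDecodeError is a ValueError
            audit.append({"verdict": "deny", "reason": "malformed message", "raw": line[:80]})
            continue
        decision = evaluate(message)
        audit.append(decision)
        if decision["verdict"] == "allow":
            forward.append(line)
        else:
            replies.append(deny_response(message, decision["reason"]))
    return forward, replies, audit


# Constructed traffic: handshake, in-scope read, traversal out of the root,
# a delete that is not on the allowlist, and a line that is not JSON at all.
SAMPLE_LINES = [
    json.dumps({"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {}}),
    json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/call", "params": {
        "name": "read_file", "arguments": {"path": "/home/alice/reports/q1.md"}}}),
    json.dumps({"jsonrpc": "2.0", "id": 3, "method": "tools/call", "params": {
        "name": "read_file", "arguments": {"path": "/home/alice/reports/../.ssh/id_ed25519"}}}),
    json.dumps({"jsonrpc": "2.0", "id": 4, "method": "tools/call", "params": {
        "name": "delete_file", "arguments": {"path": "/home/alice/reports/old.md"}}}),
    "not json at all",
]
```

The audit records are what the post says is missing today: a per-call log of which tool was invoked with which payload, kept outside the model's control.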
Use It, But Don’t Lose Control
MCP is a significant advancement. It points toward a future where AI can truly participate in the systems we use every day. It unlocks productivity. It reduces the friction of integration. It makes AI more actionable.
But with great power comes real risk.
The tools are still immature. The safeguards are minimal. And the excitement is blinding people to the real security and operational concerns.
Our advice? Don’t run from MCP. But don’t rush into it either. Think through the business case. Understand what you’re connecting — and what it could mean if that model does something unexpected.
Because AI might write the code. But you’re still the one responsible for what it does.
Links and Resources
- Introducing the Model Context Protocol, Anthropic
- The Model Context Protocol (MCP) Explained, @Underfitted
- MCP is awesome and here is why, @Underfitted
Transcription
Scott King
Alright John, it seems like there’s something always new. You know, since AI has been thrust upon us, there’s always a new term. We had, you know, agentic, and now we have MCP, Model Context Protocol. I looked into this a little bit, and you know, I got it, but I fail to understand the business context. So, you know, if I was a developer and I was developing one small little widget for me, like I get it. But it just seems like it’s pretty limited. So could you walk me through exactly, you know, I don’t want to cover what it is because there’s already 100 YouTube videos on it. But maybe explain just at a high level what it is and maybe why Anthropic released this and why they built it and what their intention is and then we’ll kind go from there.
John Michelsen
Yeah, yeah. So we won’t explain it in depth. How’s that? Correct. Correcting. Yeah, yeah.
Scott King
Yeah, not in depth, right? Because I watched two, there’s actually a guy, I’ll link to his videos. I think he’s an English guy, watched two of his videos. They’re actually very entertaining. He did a great job, so I’ll link to that.
John Michelsen
Great, great, great, Yeah, so for the short version of lots of 10 minute hypey videos that you could obviously watch if you wanted to watch a bunch of hypey videos, MCP is a protocol, that’s the P in MCP, really a bridge type protocol in order to get large language models to be able to connect to tools that are not already connected to them and invoke them on demand. So the concept is pretty cool. As a part of what I want LLM to do for me, it’s not just to re- how about fix all that terrible grammar in this email and send it for me.
Well, the end send it for me is impossible, right? Unless I can connect my email account to that large language model. And MCP is a protocol that allows me to be able to, if other things are present, me to be able to make that happen. It’s also real simple practical stuff. It doesn’t know what time it is unless you connect a capability for it to know the time. It doesn’t know where you are unless you do the same. So the M is model. Okay. So the M is model, of course, all the AI stuff likes the word model. C is context. And context is really where it’s at. Because so much of what a large language model could do, it cannot without context. In fact, we talk about this all the time quite a bit of use case to the language capability of a large language model. But without context, it becomes just a different way to read what would otherwise be a traditional Google search. It’s a more linguistic version of what used to be just a bunch of chunks of text sitting on a page.
Scott King
Well, it’s still like a Google search. If you’ve enabled location, it has one level of context. It knows where you are.
John Michelsen
Yes, and all the surveillance work that it’s done over the many years of you using your browser, it has all of that context too. So yes, it does. Exactly. And, and LLMs need their version of that. And so MC model context. And of course we had to the P protocol. So that’s how we, that’s what it’s about. And yes, we could, could over-hype this thing like crazy. I think from a personal productivity standpoint, it could be really nice, but in a, in a business context, we’re going to have to basically say not applicable.
Scott King
It knows exactly where you go, yeah.
John Michelsen
Conceptually brilliant, absolutely. We need a commoditized open standard for how we’ll say decisioning models and process models and thought models are capable of accessing capabilities, we definitely need that. But we need one that is, I mean, even realistically, securable. What we have right now, and by the way, I’m not trying to throw dirt at Anthropic, this was a good step to make. We’re talking about a protocol that was announced November 5th of 24. We’re now in March of 25 and already there are hundreds of MCP servers. There’s nothing but goodness here and there’s nothing, all of that. But we’re gonna have to keep it, let’s stay sane here, right? So most of those hypey YouTube videos within the first five or eight words are gonna say secure, which is complete idiocy. There’s nothing safe or secure about this at all. One really simple way to kind of draw a parallel is way back you know, Scott doesn’t show his age quite like I do. But we’re not all that far apart in terms of age. So he’ll remember this, and I bet a bunch of you are way too young to know this, but back in the day, Microsoft in the early in the web days, so we’re talking mid late 90s, I guess late 90s Microsoft was way behind the eight ball with the internet. They completely missed the web. They rushed to the web trying to do whatever they could. They brought out Internet Explorer. They thought, we’ll put our really cool ActiveX into our browser. So we’re going to make it so that you can write programs, little programs. Remember Java applets? This was the same idea.
We’re going to build these little programming capabilities. We’re going to plug them into your browser, and we’re going to make it so the websites can deliver those down to you, or you can embed them into things, and they’re all going to do that. And then we realized that’s sort of like saying, hey, guys, let’s take any lock or any password off anything you ever built from a cyber perspective. ActiveX controls became the single most obviously stupid thing you could possibly do to secure an environment.
The reverse. I’ll say it in the proactive, it is the absolute best way to ensure you are the most vulnerable you could possibly be in a web experience. So ActiveX died very quickly as soon as it became that obvious. MCP is essentially ActiveX controls accessed via a large language model, only we’ve already talked about how large language models should be treated, if you will, like a vast amount of knowledge in a very immature brain, right? We’ve got to be a whole lot more precise with them than we would a person. The intuition isn’t quite there. The possibility they, you know, do completely random things is there, happens all the time. And you’ve just given it a bunch of capabilities to run stuff on your own computer.
Scott King
Is this, though, from your security concerns, is this why the MCP servers, like right now, they only run locally on your own machine? So you’re in charge of running your own security, right? But you can’t give this to somebody else, because they’re not cloud-based, right?
John Michelsen
No. So anything likely. Well, so MCP as a protocol will need some enhancements and some future revisions and all that. And it’ll go through that. I’m actually, again, we need a little little c, little p. We need a model context protocol. We need a middleware for AI models to be able to participate. We know we need it so bad, we’ve already built all that stuff, right? That’s how Krista elegantly orchestrates people, systems, and AI. It has a model context protocol, we call it CAM, that in fact does exactly what we’re talking. So this is positive, right? But we’re gonna have to really distinguish between the personal productivity use case and very carefully decide what we want to give a third-party AI model access to, be able to execute, and make that very careful choice, even as individuals, but certainly as an organization, right? When you think about it, right, I got my 500, 5,000, 50,000 people. Now, wouldn’t this be something I could roll out to them? Well, let’s start with, even that’s a mistake. You don’t roll this out. They just run Claude or some other program that supports MCP, and they’re just stuffing the connectivity to your tools and your enterprise systems into their desktop and exposing them out onto public LLMs, and you are not stopping any of that. So we’ve talked a few times about how we really think that customers, well, our customers generally do this. Even folks that are not going to consider Krista, they really do need to consider. We love large language models. We do not love publicly, you know, promptable large language models, right? You want to be really careful about what your company’s data, its data loss prevention, DLP, has been a space with massive amounts of loss and of course attempts at prevention and recovery for decades, this is a huge exposure. We talked about it. A number of people have, right? It’s the number one, at least it’s the number one security awareness thing we see in AI models.
What we, or the public large language models at least. But what we’re dealing with here is you wiring up that large language model to stuff on your desktop or of course what your desktop can reach.
Right? And now we’re in trouble. And so there’s no way to consistently deploy them or maintain them either. you know, again, this is since November. Let’s be fair. I don’t mean to, I’m not trying to diminish that particular effort, which I like. I’m trying to basically say, look, let’s wear two hats here.
Let’s think from a personal productivity standpoint, if I want that large language model to do things while I’m sitting in front of it and I’m doing a task and I have confidence in the model and the MCP server producer knows all these folks are just downloading these things and plugging them into their cloud application and just running them, right? We’re so happy to finally have a pretty clean Android app store, aren’t we? Or Google Play Store, I should say.
And of course, Apple has spent enormous amounts of effort to try to keep its place totally clean. Those thousands of servers I talked to you about since November, zero police, zero policing, right? So we just have to be super grounded in just what are we exposing ourselves to? How could that be weaponized against us? Organizations have to be really cognizant of this sort of stuff. And they just aren’t, right? I mean, the discussion around MCP, short of the one we are having, I have, honest to goodness, not heard a single syllable on, well, gee, isn’t that pretty much how to open up anybody’s desktop to a language model that could be weaponized, that could be itself hacked, that could itself be a bad actor?
I mean, especially if it’s an unpaid model, is your data in through that transmission, is that also part of the training? Well, for goodness sakes, then you can’t give it file system access, but actually that’s one of the most popular ones.
One of the most popular MCP servers that’s out there is, hey, let it see C colon backslash and now I can have it do stuff with my local files. Well, that does sound great, but do what with your local files? I mean, that’s what we have to be a little bit. Okay, so I hate to have spent too much time in cybersecurity myself in my career to constantly think this way, but frankly, this is the paranoia you’re supposed to have and then you’re supposed to dial it down to something where you talk about the tension between value productivity and the exposure and then you come to a conclusion. None of what I just said happens. Instead, there’s this euphoric rush. Everyone’s watching a bunch of YouTube videos or blogs and stuff. Everybody’s installing tools on their desktops and they’re at companies when they’re doing it. Or it’s on company equipment at home, whatever, right? This is where it gets really, really gnarly for me.
So let’s just roll it all the way back real quick so that it’s not all one-sided, right? Because again, the notion of interconnecting everything in a much more fluid way, absolutely great. In fact, I myself, hypocrite, I use MCP tools. Of course, I’ve gone through the process that I just described, that I just claimed at least, most I believe are not going through. But I’ve even turned on YOLO mode on Programming IDE, which is you only live once. You just let the thing, you don’t require the confirmation of every command that it’s going to run. But of course, I highly constrained what I make it act, make, give it access to. I put guidelines around it that it mostly follows, but in fact, just last night it did not. It deleted a class when the instruction is very clearly do not do anything that would remove content, delete a file or a directory literally word for word. But does a large language model always precisely follow all of its rules? No.
Scott King
No, a lot of times it says, it forgets the do not. It says, do not delete this file. It’s like, delete this file.
John Michelsen
So delete this file. Yeah. Well, and that’s a human thing. So I know that I’m wandering a little bit, but just to tie it off, these are all fantastic concepts, right? And they just have a lot of maturing that they need to do. And I’m not going to now say, so let’s spend five years navel gazing with the standards committee and all of that. No, no, no, of course not.
Let’s get really practical though about what we should and shouldn’t be letting, you know, keep the scope super tight as individuals, right? As organizations, keep this stuff out until you decide and go through the business process you have to, the business decision process, right? What is it worth for me to give this type of access? What am I getting for it? What does it cost me in terms of dollars and vulnerability to inappropriate use of the data, right? So let’s have those conversations and I’m, you know, if anything I’m just calling us, calling for that because, you know, we’re gonna be the one, the one post on YouTube that isn’t, my gosh, this is the game changer, the whole world changed, Anthropic’s done it again. All that may be true, right? But this is true too, how’s that?
Scott King
When you were experimenting with this, you obviously took some precautions and creating a VM where it doesn’t have any access and yada, yada, yada. So is this like from where the MCP stands today, is it best fit for experimentation on the weekend, not on your work machine, you’re running an experiment. Like nobody would do this like at work yet, would they? Because it seems like it’s too easily weaponized.
John Michelsen
Well. It is, so the final clause, absolutely true. It is, without real scrutiny and looking over it, is possible to weaponize. But I am even using it in a work context. I’m writing code for the company and I’m using it in IDEs that are given access, that I give access to MCP servers.
Scott King
Yes, I think everybody else builds agentic platforms outside of John Michelsen’s work.
John Michelsen
Right. And they didn’t read the code. And they didn’t read the code of the server that they downloaded before they used it. And of course, like I was just saying, most of the time have to validate every single time that a tool is invoked and exactly what the payload looks like. And I’ve got a little really handy little tool. Shout out to the company that made it. Little Snitch lets you see every single byte of traffic that flows in and out of your computer. It allows you, right, that’s a Mac app. There’s lots of Wireshark can get lots of tools you can find that’ll do this on lots of platforms.
So there, yes, I mean, I’m obviously incredibly careful about our IP and about the work that we’re doing and all that. So, and yet, I want the productivity boost. I wanna see that thing, and at times when I’m doing certain tasks, I even want it in, just run those tasks and go crazy. And sometimes it does, and I gotta literally hit stop and, you know, where are you going, right? But it’s, but I’m Again, hoping not to sound like a hypocrite. I’m being incredibly thoughtful about what value it gives me, what exposure it gives me and our company in the process, and I’m making very conscious decisions based on that. And I like where we’re falling in terms of the risk reward. That just needs to happen. And by the way, couldn’t widely deploy this in the way that I’m doing it right now anyway, because there’s no common way to configure and deploy this kind of stuff. You’re literally modifying JSON files in the Claude client, as an example, or modifying, again, properties type files in other programs. Soon Krista itself will be an MCP host.
And again, not because it’s not because I’m attempting to be hypocritical, but because it’s actually a way for us to curate those servers for customers and actually automatically deploy them across and into those clients. So the companies don’t have the, want to be able to do this. I want to be able to get that kind of access and get that kind of enrichment into the agentic workflows. But obviously I don’t want to have to go from every to every single computer and start modifying JSON files, nor do I want to abandon what I’m using in terms of access to AI and run yet another tool just to be able to have it know how to send an email for me. So we’re gonna play, we’re gonna help, right? We’re gonna move MCP along. But we’ve gotta recognize that there’s a lot of work to be done. And yes, you actually right at the beginning brought up one of the topics which is it really can’t run from individual desktops, or at least not exclusively, right? There’s certain things that must happen from an individual desktop. Most actually shouldn’t. So right now MCP is more, is capable of being used reasonably from a desktop, but not from a remote server. But that’ll change.
Scott King
How big or small are the MCP servers? I think they’re pretty small, right?
John Michelsen
They are, but what they can do is big, because again, they’re a bridge. So if we’re connecting a large language model to a little thing, it’s a little MCP server. If we’re connecting a large language model to your ERP, it’s still a little MCP server, but connecting to something really big.
Scott King
Yeah, I mean that makes sense from, you know, I guess a CIO CTO perspective at a company that is trying to figure out how to orchestrate, you know, processes. Like how far like just guess right? I mean, we’re how far into MCP would they get before they figure out like, okay, this is not going to work. Because it’s new and it’s gonna evolve and we find these people on these research projects all the time and they’re just like, they’re researching stuff that you can buy for like $5, you know? And they’ll spend five weeks on it and I’m like, come on, like what? Like your sales organization doesn’t work like this. They’re trying to sell products as fast as possible and everybody thinks that they’re gonna build all this stuff.
How far are they going to get before they’re like, okay, this is no good.
John Michelsen
Well, so I mean, too broad a question to have any kind of precise answer, but I mean, your point is well made. We tend to look at this stuff and we tend to think the old way that we used to do things and trying to apply it to the new thing that actually changes the game on how I should do things. So I’m going to try to use the new thing the old way, which means sort of by definition, I don’t get nearly the outcome I should have.
We could use analogies like crazy on this, but you would never in a million years drive today’s modern cars the way you would the original cars built in the turn of the 19th century, right? You just wouldn’t even think about it. They have to be treated completely differently.
You would have the same thing here, right? You just would have to completely rethink, and it’s time really to completely rethink. There’s a shocking breakthrough for guys in our line of work is there is a certain amount of truth to the recent quote from Anthropic’s CEO that AI is gonna be writing just about every line of code that exists in about six months. That is probably true.
Don’t go too far with that because that’ll be guided by a developer who must be very skilled in order to know if that model actually did produce the required output and then knows to even tell that model what needed to be done to begin with. This isn’t all the developers gonna be out on the street holding up the placard, “will work for food.” This is another step toward they’re gonna be even more valuable because those with a skill to be able to leverage a really great tool produces more at a reduced cost. That makes them more valuable, right? So we just have to remain super grounded there. If you aren’t thinking, wait, I’m no longer going to be, most of the effort is actually about to go away. You might be thinking, great, I’m just gonna keep writing a whole bunch of code. No, because the real value of this is you shouldn’t even be thinking about code anymore. The tooling is such that you don’t actually even need to be writing code.
You don’t need your developer sitting and curating code that’s being generated. By the way, generation of code’s been around for 30 plus, actually 40 plus years. It’s actually the changing of code that is the breakthrough recently. We’ve been generating code forever. It’s just been ugly and been impossible for that same, the tool that generated the code had no ability to modify it, or at least not knowability, it was great. There’s all these really obvious tokens in the code that said, don’t touch any of this, you can modify this, don’t touch any of this, and then if it ever tried to change anything, it tried to keep your stuff and change only this, it was nightmare. And you know, these models are, some of these models are doing an absolutely fantastic job on tasks in between doing a terrible job.
But that’s fine, right? They’ll continue to get better. We’ll continue to be productive. But even writing all that code itself is not really the goal. And it’s funny because the other day I was thinking, you know, without billions of lines of code to train on, we’ll never get a new programming language. Because if the Anthropic quote is correct, AI is going to generate all the code. Well then who can create the new programming language that is untrained that AI is gonna generate for us. So either that will have to be incorrect, right, that AI’s gonna generate all the code. Because otherwise, remember, these things don’t build the next thing. They take the current thing and they make it more efficient. They’re still machines, right? that’s, right.
So anyway, we’re gonna still have a, there’s still gonna be a world for programmers because someone’s gonna figure out how this, what, name your favorite language. Or a few non-techies out there are thinking, my gosh, programming language? No, yeah, natural language is the programming language we’ve been, right, developing with. Our authors are mostly language-based, English language-based programmers.
Scott King
Yeah, yeah. Alright, well super cool. Well thanks, I learned a little bit more after watching the YouTube videos and yeah, I definitely want to pay attention to see how this evolves, right? I’m looking for the next big iteration for MCP and know, hopefully we’d obviously we’re going to be on on top of it and be looking how to connect with Krista with all these different services.
John Michelsen
Yeah, yeah. Well, in our event, we’ll always be, I mean, we’re obviously individuals, we use computers all day, but we’ll always have an orientation toward how should a business be looking at this or should a business rush to this or run away from it. Right now, it’s actually protecting yourself from it, in all candor. But, recognize that this is a very important evolutionary step. Commoditizing the communication protocol between these types of new tech is absolutely an important step. So we like it, we don’t like it, we’re speaking out of both sides of our, who coined that phrase? Only ventriloquists actually speak out of one side of their mouth. We all, anyway, I don’t even know why.
Scott King
They, or do they just speak one side or no sides, right? They try not to move their mouths at all.
John Michelsen
Yeah, and you know how it actually works. Yeah, exactly. No, I mean, that’s a pretty cool skill, right? But they speak out of one side of their mouth. We say, hey, I’m not speaking out of both sides of my mouth. Well, wait, don’t we all all the time? Unless you’re a ventriloquist, you still do most of the time. OK, we’re wasting people’s time.
Scott King
Thanks, John. I appreciate it. Until next time.
John Michelsen
Great to chat. Of course. Take care now.