I spent June 14-15 at MCP Dev Summit Mumbai, capturing every talk I could with a custom slide scanner app I built during the conference itself. By the end, I had 638 slides across 22 talks, 8 full audio transcripts, and a database of 337 unique, deduplicated insights.
What I found isn't just technically interesting. It's a map of where the entire AI agent ecosystem is heading — and the three forces that will shape it.
The Numbers That Frame Everything
MCP SDK downloads are approaching 100 million. The registry has grown 8x. 67% of CTOs are now considering MCP as their default standard. The July 29 release candidate makes MCP a stateless protocol — fundamentally changing how agents maintain context.
But here's the number that matters most: every major MCP security incident in 2025-2026 passed authentication. The Asana leak (1,000 orgs). The mcp-remote RCE. The first malicious MCP server in the wild (800M+ emails). 21,000 agent instances exposed online. The NSA publishing a formal advisory.
All authenticated. All breached.
Force 1: The Offensive Perspective
Akash Mahajan from KLOUDLE walked through Simon Willison's Lethal Trifecta: the three properties that make MCP servers uniquely dangerous when combined.
- Untrusted input flowing through the system
- Tool access with real-world side effects
- An LLM that cannot distinguish instructions from data
Any two of these are manageable. All three together are lethal. And every MCP server has all three.
Force 2: The Defensive Perspective
What surprised me most was how the defensive talks, from completely different companies and perspectives, fit together like puzzle pieces.
**AWS** demonstrated a complete confused deputy attack on an Amazon Bedrock multi-agent pipeline. Their three-layer defense — Preserve Intent, Reduce Authority, Validate Actions — is the most detailed authorization framework I've seen for multi-agent systems.
**Google** launched the MCP Toolbox for Databases with a deceptively simple principle: the model never supplies identity parameters. The username comes from the verified JWT token. Period.
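To make that principle concrete, here is a small MCP-style tool dispatcher written for this post (not Google's Toolbox code, and not AWS's framework) that binds the caller's identity from a verified JWT and refuses any identity parameter the model tries to supply, which is also the "Reduce Authority" and "Validate Actions" idea in one place; the HS256 shared secret, the task rows and the `list_tasks` tool name are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret for this example only (assumption), not a real key.
SECRET = b"example-shared-secret-do-not-reuse"
IDENTITY_PARAMS = {"username", "user_id", "tenant"}  # never accepted from the model
TASKS = {"alice": ["write report"], "bob": ["rotate keys"]}  # constructed rows

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict) -> str:
    """Issue an HS256 token; stands in for the identity provider in the test."""
    h = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"

def verify_jwt(token: str, now=None) -> dict:
    """Check algorithm, signature and expiry; return claims or raise ValueError."""
    h, p, sig = token.split(".")  # ValueError if not exactly three segments
    if json.loads(_unb64url(h)).get("alg") != "HS256":  # reject 'none' / alg confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    if claims.get("exp", 0) <= (int(time.time()) if now is None else now):
        raise ValueError("token expired")
    return claims

def list_tasks(principal: str) -> list:
    """Tool body: the only identity it ever sees is the verified principal."""
    return list(TASKS.get(principal, []))
TOOLS = {"list_tasks": list_tasks}

def dispatch(tool_call: dict, token: str, now=None) -> dict:
    """Server-side dispatch: identity is bound from the JWT, never from arguments."""
    args = dict(tool_call.get("arguments", {}))
    if leaked := IDENTITY_PARAMS & set(args):  # the model tried to choose who it is
        return {"error": f"identity parameters not accepted: {sorted(leaked)}"}
    try:
        claims = verify_jwt(token, now)
    except ValueError as e:
        return {"error": f"auth failed: {e}"}
    fn = TOOLS.get(tool_call.get("name"))
    if fn is None:
        return {"error": "unknown tool"}
    return {"result": fn(principal=claims["sub"], **args)}
```

The tool's schema exposed to the model carries no identity field at all, so a prompt-injected "act as alice" has nothing to bind to; the dispatcher only ever trusts the `sub` claim of a token it verified itself.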
**Palo Alto Networks** argued that Docker is a "concrete bunker" — too heavy for AI agents. WebAssembly is a "glass box": transparent, sealed, with controlled air holes. For AI agents that need microsecond startup, Wasm wins.
Force 3: The Governance Perspective
Navin Pai (StackGen) and Archana Rajkumar (SentinelOne) delivered the most strategically important talk. Their MCP Governance Maturity Model:
- Level 0 — Shadow: "We have no idea what's running."
- Level 1 — Visibility: "We know every agent, server, and connection."
- Level 2 — Identity: "Every tool call is attributable."
- Level 3 — Policy: "Every tool call passes a deterministic check."
- Level 4 — Audit: "We can prove what any agent did, and why it was allowed."
One line crystallized it: "Governance is a program, not a checkpoint."
The Bottom Line
Three forces are converging on AI agent security: offensive researchers finding real vulnerabilities, defensive builders creating layered protections, and governance frameworks giving enterprises a path from shadow to sanctioned.
The playbook exists. The tools are emerging. The question is whether you'll implement them proactively or reactively.
I know which one costs less.