MCP is useful because it lets agents discover and use tools. That is also why it is sensitive: when an agent discovers tools, it discovers authority.

Integration is now security

A production MCP server is not a decorative plugin. It is a boundary around resources, user intent, scopes, and execution. If that boundary is loose, the agent can read more than it should, execute outside intent, or turn untrusted text into a durable action.

The product questions

  • Which user authorized this call?
  • Which exact resource can the tool touch?
  • What scopes are granted and how are they revoked?
  • What audit event is emitted?
  • What happens when the agent misunderstands intent?
If you cannot answer those questions, you do not have an integration. You have exposure.

The CORTEX route

MCP tool result
-> treat as untrusted input
-> validate and redact
-> attach source and scope
-> admit only if policy passes
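
The route above as a short Python sketch. This is an added example, not CORTEX code or part of any MCP SDK: the Grant type, admit_tool_result, the redaction patterns and the size limit are all assumptions made for illustration. The policy checks run first, so a rejected result is never processed further.

```python
import re
from dataclasses import dataclass

# Constructed patterns for illustration; a real deployment needs a fuller set.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                   # AWS access key ID shape
    re.compile(r"(?i)bearer\s+[a-z0-9._~+/=-]{16,}"),  # bearer token in text
]
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
MAX_BYTES = 16_384  # assumed size limit for a single tool result

@dataclass(frozen=True)
class Grant:
    """What one user authorized: a tool, exact resources, and scopes."""
    user: str
    tool: str
    resources: frozenset
    scopes: frozenset

def admit_tool_result(server, tool, resource, scope, text, grant, audit):
    """Return a provenance-tagged envelope, or None if policy rejects it."""
    def decide(admitted, reason):
        # Every decision, admit or reject, emits one audit event.
        audit.append({"user": grant.user, "server": server, "tool": tool,
                      "resource": resource, "scope": scope,
                      "admitted": admitted, "reason": reason})

    # Policy: the call must sit inside what the user actually granted.
    if tool != grant.tool or scope not in grant.scopes:
        decide(False, "tool or scope not granted")
        return None
    if resource not in grant.resources:
        decide(False, "resource outside grant")
        return None
    if len(text.encode("utf-8")) > MAX_BYTES:
        decide(False, "result exceeds size limit")
        return None

    # Validate and redact: strip control characters, mask secret-shaped strings.
    clean, redactions = CONTROL_CHARS.sub("", text), 0
    for pattern in SECRET_PATTERNS:
        clean, n = pattern.subn("[REDACTED]", clean)
        redactions += n

    decide(True, f"admitted with {redactions} redaction(s)")
    # Attach source and scope; the content stays labelled as untrusted data.
    return {"trust": "untrusted", "user": grant.user, "scope": scope,
            "source": {"server": server, "tool": tool, "resource": resource},
            "content": clean}
```

The returned envelope is what the agent sees. Keeping the "untrusted" label and the source next to the content lets later steps refuse to turn that text into an action.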

The future is not more tools. It is tools with identity, intention, and limits.