AI Agents

MCP for Agents: The Protocol That Solved AI’s M×N Integration Problem

The protocol argument is settled — competitors co-founded a foundation to govern it. What is not settled is whether you adopt it well, and there are exactly two ways teams get this wrong.

Share

If you are building an agent, you will hit this wall quickly. The model can reason. It can decide which tool to call and with what arguments. What it cannot do is find the tool. Something has to tell the agent that your database exists, what it can do, and how to reach it — and for most of the short history of this field, that something was a connector you wrote by hand, for that agent, against that system.

Do that twice and it is fine. Do it across four agents and nine systems and you are maintaining thirty-six integrations, each of which breaks when either end changes. That is the problem MCP solved, and it is why the protocol went from one company’s proposal to industry infrastructure in about eighteen months.

This piece takes the agent builder’s view: you have an agent, you want it to reach real tools, and you want to do it without creating a mess. If you are coming at this from the other direction — you own systems and are deciding what to expose to a model — that is a different question we cover separately, and it is the more important one if you have not answered it yet.

M×N becomes M+N

The cleanest way to understand why MCP exists needs no protocol knowledge at all — it is arithmetic.

Without a shared standard, connecting M AI applications to N systems takes up to M × N custom integrations. Every app wired individually to every tool. Add one new system and you write M new connectors. Change one tool’s API and you fix it in M places. The work does not grow with what you are building; it grows with the product of both sides.

MCP collapses that to M + N. Each system exposes one MCP server. Each agent speaks MCP once. Add a system and you write one server, and every agent can use it immediately. Add an agent and it inherits everything already exposed.

For a team with two agents and three tools, this is a nice-to-have. For anything real, it is the difference between an integration layer that scales and one that becomes the reason nobody wants to add the next tool. Most teams discover which of those they have at roughly the worst moment.

How it became the default

The adoption story is worth stating plainly, because the facts are more persuasive than any framing you could put on them.

Anthropic introduced MCP in November 2024. OpenAI committed to it in March 2025; Google followed in April. Then, in December 2025, Anthropic donated MCP to the Agentic AI Foundation, a new directed fund under the Linux Foundation co-founded with Block and OpenAI, with support from Google, Microsoft, AWS, Cloudflare, and Bloomberg. As of mid-2026, more than 10,000 MCP servers have been published.

That last step is the one that matters for a decision-maker, and it is easy to skim past. A protocol controlled by one AI lab is a bet on that lab. A protocol under vendor-neutral governance, co-founded by direct competitors, is infrastructure. The question stopped being “should we adopt this” somewhere around that announcement. It is now “how do we adopt it well” — which is a better question anyway, and the rest of this piece is about the two places teams get it wrong.

MCP and tool calling are different layers

This confusion is common enough to be worth thirty seconds, because it leads people to think they are choosing between the two.

Function calling answers: should the model call a tool right now, and with what arguments? That is a decision, made per request, by the model.

MCP answers: how does the agent know that tool exists and how does it reach it? That is a connection, established once, by your infrastructure.

You still do tool calling when you use MCP. Every reliability concern from the tool-calling side — validation, argument errors, contract drift, scoring the chain — applies exactly as before. MCP means you did not hand-build the plumbing underneath. It does not mean the calls got more reliable. Teams that expect MCP to fix flaky tool use are solving the wrong layer.

The context tax nobody budgets for

Here is the most practical thing in this article, and it catches almost everyone once.

MCP makes connecting a server easy. So teams connect all of them. Why not — more capability, no obvious downside. The downside is real and invisible until you look for it: every connected tool loads its schema into the context window before the agent reads a single word of the actual request.

Connect every server by defaulttool schemas — 30–50% of contextwhat is left for the actual taskExpose only the tools this agent needsschemasroom to actually reason about the taskSame agent, same tools available — only what it is told about up front changes.
Every connected tool costs roughly 550–1,400 tokens of context before the agent reads a single word of the actual request. Connect everything by default and you spend a third to half your budget describing tools the agent will never call.

Each tool costs roughly 550 to 1,400 tokens — name, description, JSON schema, field descriptions, enums. Connect three services with forty tools between them and you can burn 55,000+ tokens before any work starts, over a quarter of a 200,000-token window. In genuinely complex setups, tool definitions commonly consume 30–50% of the context budget up front.

You are paying for that on every single request, and worse, you are paying twice: once in tokens, and once in quality. A model choosing among eighty tools, most irrelevant, selects worse than a model choosing among six. Connecting everything does not make the agent more capable. Past a point it makes it more confused and more expensive at the same time.

The security problem, stated honestly

MCP’s growth has outrun its security hardening in places, and the research here is worth knowing before you connect an agent to a server you did not write.

The attack is called tool poisoning: malicious instructions hidden in a tool’s metadata — its description, its schema, its output. Your agent reads that text as trustworthy information about what the tool does, because that is exactly what tool descriptions are for.

Researchers built MCPTox, a benchmark using 45 live real-world MCP servers and 353 genuine tools, and tested 20 leading agents against it. The results are sobering: attack success rates reached 72.8%, and the best refusal rate of any model tested was under 3%. Existing safety alignment barely engages, because nothing about the attack looks unsafe — it is a legitimate tool being used for an unauthorized purpose.

None of which means avoid MCP. It means a third-party MCP server is a dependency running inside your trust boundary that gets to describe itself to your agent in text your agent believes. Vet provenance like you would vet any dependency with production credentials, prefer servers you or someone you trust maintains, and keep the scope of what any agent can reach as narrow as the job allows — because narrow scope is what limits the damage when something does slip through.

MCP vs A2A, briefly

One more distinction, since it causes real confusion. Google’s A2A (Agent-to-Agent) protocol is not a competitor to MCP. It solves the adjacent problem.

MCP: how one agent connects to its tools and data. A2A: how agents coordinate with other agents.

Wiring an agent to your data warehouse is MCP. Letting a router agent delegate to specialists is A2A territory. They are increasingly used together in the same system, and a team building multi-agent workflows against real data will likely need both. Layers, not alternatives.

Where Macrosol fits

There are two sides to this problem and they meet in the middle. The infrastructure owner asks what a model should be allowed to touch and how to prove what it did. The agent builder asks how to reach the tools without drowning the context window or trusting the wrong server. Those are the same question from opposite ends of the same connection, and the teams that do this well answer both rather than picking one. We are connecting our own internally built marketing agent to real tools right now, which is a useful vantage point — the selective-exposure lesson in this piece is one we applied rather than read about. At Macrosol Technologies we help teams integrate with existing MCP servers or build custom ones, from either end, as part of our AI & Data Science practice.

Adopt it well

The protocol argument is settled. Competitors co-founded a neutral foundation to govern it, and that does not get undone. Anyone still deciding whether MCP is worth adopting is answering a question the industry closed in December 2025.

What is not settled is whether you adopt it thoughtfully. The two failure modes are both unglamorous and both avoidable: connecting every server by default and wondering why the agent is slow, expensive, and confused; and trusting a server you did not write because the protocol made it easy to connect. Neither is a protocol flaw — MCP moved the request exactly as designed. Both are decisions about scope, and scope is still yours. It was always going to be.

Frequently Asked Questions

Common questions about ai agents

The integration math. Before a shared protocol, connecting M AI applications to N tools meant building and maintaining up to M×N custom connectors — every app wired by hand to every tool, and every change rippling through all of them. MCP makes it M+N: each tool exposes one MCP server, each agent speaks MCP once. For anything beyond a couple of tools, that is the difference between maintenance that grows quadratically and maintenance that grows linearly.

They answer different questions and are complementary rather than competing. Function calling answers "should the model call a tool right now, and with what arguments" — it is about the decision. MCP answers "how does the agent discover that the tool exists and reach it at all" — it is about the connection. You still do tool calling when you use MCP; MCP just means you did not hand-build the plumbing underneath it.

No, and this is the most common practical mistake. Every connected tool loads its schema into the context window before any work begins — roughly 550 to 1,400 tokens each. In complex setups, tool definitions can consume 30-50% of the context budget before the agent reads the actual request. Expose only the tools a given agent genuinely needs, or fetch schemas on demand. It sounds obvious and gets skipped constantly.

Treat them with real caution. Research on tool poisoning — malicious instructions hidden in a tool's metadata — found widespread vulnerability across 20 leading agents tested against real-world MCP servers, with attack success rates as high as 72.8% and refusal rates under 3% even for the best-performing model. A third-party server runs inside your trust boundary and describes itself to your agent in text your agent takes seriously. Vet provenance the way you would vet a dependency with production credentials.

Counterintuitively, often the opposite. Tool poisoning exploits instruction-following, so models that follow instructions more faithfully — larger models, or reasoning-enabled ones — can be more susceptible rather than less. Researchers describe this as an inverse scaling effect. Upgrading the model is not a security control here, and assuming it is leads to exactly the wrong risk assessment.

They solve adjacent problems and are increasingly used together. MCP governs how a single agent connects to its tools and data. Google's A2A (Agent-to-Agent) protocol governs how agents coordinate with other agents. If you are wiring an agent to your database, that is MCP. If you are wiring two agents to delegate work between themselves, that is A2A. They are layers, not alternatives.

Connecting an agent to real tools?

There are two sides to this problem and they meet in the middle: what a model should be allowed to touch, and how your agent reaches it without drowning its context window or trusting the wrong server. Macrosol Technologies helps teams integrate with existing MCP servers or build custom ones — from either end.

Talk to our integration team Connect on LinkedIn

Learn more about our AI & Data Science service.