MCP at 17,000 Servers: What the Ecosystem Boom Means for Production AI — aniketkarneai.com | aniketkarneai.com
daily

MCP at 17,000 Servers: What the Ecosystem Boom Means for Production AI

The Model Context Protocol crossed 17,000 publicly listed MCP servers and 97 million monthly SDK downloads in June 2026. Here's what that trajectory actually means for engineers building agentic systems — and why governance is now the binding constraint.

Sixteen months ago, the Model Context Protocol was a single GitHub repository with a handful of official servers. Today, according to the Zuplo State of MCP report published this month, there are over 17,000 publicly listed MCP servers and 97 million monthly SDK downloads. The protocol went from announcement to near-universal adoption faster than almost any infrastructure standard in recent memory — faster than Docker at the same stage, faster than Kubernetes.

That’s worth examining seriously, because raw numbers obscure what actually matters to engineers: what does an ecosystem at this scale mean for building real production systems?

The Adoption Curve Isn’t Normal

MCP’s growth follows an unusual pattern. Most infrastructure protocols start in enterprise and filter down — IT departments adopt first, then individual developers follow. MCP went the opposite direction. Individual developers and independent agent builders adopted it first, then enterprises followed. The Zuplo data shows 72% of MCP adopters expect their usage to increase over the next 12 months, which suggests the growth curve hasn’t plateaued.

This bottom-up adoption is visible in the types of servers that dominate the ecosystem. The official Anthropic servers handle filesystem access, Git operations, and a few cloud integrations. But the long tail — the 17,000 servers — is specialized: medical record MCP servers, legal document retrieval, real-time stock data, proprietary internal tools. Individual developers building agents for specific domains built the servers they needed, and the protocol made it trivial to publish and consume them.

The result is an ecosystem that’s simultaneously decentralized and highly siloed. Each organization tends to have its own collection of MCP servers tuned to its specific tools and data sources. There’s no equivalent of a Docker Hub for MCP servers — discovery is still fragmented.

What Production Actually Looks Like

The security report from April 2026 by Matt Mochalkin identified “Unauthenticated Access” and “Confused Deputy” attacks as the top risks in the MCP ecosystem. These aren’t hypothetical vulnerabilities — they’re natural consequences of how MCP servers are deployed.

When an MCP server runs locally, it often has access to filesystem paths, local databases, or internal APIs that the user’s broader session has permissions for. A compromised or misconfigured MCP server can potentially access resources beyond what its nominal scope should allow. The “Confused Deputy” problem is particularly subtle: an MCP server that appears to be operating on behalf of the LLM but is actually operating on behalf of a user with elevated permissions, tricking the system into granting access it shouldn’t.

The MCP roadmap published in March 2026 acknowledged this explicitly. The Streamable HTTP transport gave MCP production-readiness, but running it at scale revealed gaps around horizontal scaling, stateless operation, and — critically — authentication and authorization at the server level. The 2026 roadmap calls for “paved paths toward SSO-integrated flows,” which is bureaucratic language for “enterprises need to plug this into their identity infrastructure.”

For engineers building multi-agent systems, this means production MCP deployments require careful thought about what each server can access, how credentials are managed, and what happens when a server is compromised. The era of “just add an MCP server and the LLM can use it” is ending.

The Governance Gap

The 97 million monthly SDK downloads number is striking, but it also reveals something uncomfortable: most of those downloads are from developers experimenting, not production systems at scale. The ecosystem has massive experimentation but a smaller (though growing) production deployment base.

This creates a governance problem. When a protocol is adopted this widely this fast, the specification itself becomes the governance layer — and the MCP specification is governed by Anthropic with input from the Agentic AI Foundation. That’s a single vendor, even with community input. Compare that to the IETF process for HTTP or TLS, which involve multiple stakeholders and years of debate.

The A2A protocol, by contrast, has 150+ organizational adopters and explicit enterprise production use cases documented in its first year. A2A was designed with enterprise adoption in mind from the start — Google’s involvement brought enterprise credibility. MCP is playing catch-up on governance and enterprise-readiness while the ecosystem grows faster than any governance process can track.

For agent builders, this matters in concrete ways. If you’re building a multi-agent system that depends on MCP for tool access, you’re betting on a protocol where the specification can change in ways that break your setup, with limited formal recourse. The May 2026 release candidate for the stateless protocol core is a good step — but it also demonstrates how quickly the protocol is still evolving.

The Interesting Part: What Comes Next

The MCP ecosystem’s trajectory suggests a future where agentic systems are composed from specialized MCP servers the way modern applications are composed from microservices — each server is a discrete capability, discoverable and composable. The difference is that MCP servers are LLM-native: they’re designed to be called by language models, not HTTP clients.

The local AI tooling landscape (Ollama, LM Studio, Jan) is beginning to treat MCP as a first-class integration point. The June 2026 comparison data shows Ollama and LM Studio are within ~5% performance of each other on the same hardware because they share backend implementations (llama.cpp, MLX on Apple Silicon). The differentiation is shifting from performance to ecosystem and integration — which is where MCP matters.

What I’d watch for in the next 6 months: whether MCP servers become a standard deployment artifact that organizations package and distribute, whether a registry or discovery mechanism emerges beyond the current fragmented ecosystem, and whether the security tooling (authentication, authorization, audit logging) catches up with the deployment reality. The protocol won the adoption race. Now it has to win the production race.

The numbers — 17,000 servers, 97M monthly downloads — are impressive. But the interesting engineering challenges are in the 10% that moves from experiment to production: security hardening, governance, discovery, and the hard operational work of making a protocol that’s easy to experiment with also be safe and manageable at scale.

Aniket Karne
DevOps & AI Engineer · Amsterdam
Back to all posts