What Does Enterprise Ready MCP Mean?
A practical journey from local demo to production deployment with Tobin South from WorkOS
Why MCP Was Invented
"Frankly, tool use kind of sucks. We've had it for years now. Not as many people are using it. It's really painful. A lot of things go wrong, which is why the model context protocol got invented."
— Tobin South, WorkOS
Timestamp: 00:03:26The Agent Journey
The Goat Bot Story 🐐
Tobin uses the metaphor of building an "emotional support goat feeding bot" to illustrate the journey from local development to enterprise deployment. It starts with a simple idea: help employees check in on emotional support goats.
Tool Use → MCP Migration: The bot starts with traditional tool calling but encounters the pain points that led to MCP's invention: stateless connections, poor error handling, and limited ecosystem support.
Local Server Phase
"Check out my localhost" — Most MCP servers today live in this phase. Internal demos, hacky prototypes, running on localhost with minimal security.
Characteristics: No authentication, internal network only, manual restarts, direct API calls to LLM providers. This is where innovation happens, but it's not enterprise-ready.
Adding Authentication
The next critical step: Adding user login, privilege scoping, and admin controls. Now users can authenticate, but the server is still designed for internal use in a VPC.
"You should not have an external API that is unauthenticated that has no access controls on it. Things will go very wrong."
Timestamp: 00:05:11
Going Public
Stripe integration, cloud hosting, free credits — The bot becomes a real SaaS product. But then come the scaling challenges...
Reality check: When Mr. Beast tweets your product and you get 10,000 signups overnight, you discover that free credits + no bot blocking = abuse.
Why MCP vs. Traditional Tool Calling
MCP's Key Advantages
"One, there is this really robust ecosystem of tools and providers, security tooling that lets you interface between the model and the resource to make things safe and reliable. It's also really good at providing standardization to the models. The models are getting really good at learning how to use this either through RL or just kind of you know good eval usage. It also runs a stateful connection which means you can do you know better security better management better context management"Timestamp: 00:03:42
Traditional Tool Calling
- • Stateless connections
- • Painful error handling
- • Limited ecosystem
- • One-time queries
- • Poor security management
MCP Protocol
- • Stateful connections
- • Better security & management
- • Robust ecosystem
- • Better context management
- • Standardized for models
Viral Success: When Things Go Wrong
Free Credit Abuse
When you offer free credits to onboard users, abuse follows. One AI vendor discovered users were signing up, abusing credits to write fanfiction, then cycling to new accounts.
Timestamp: 00:06:38"Someone was using their free credits to write fanfiction stories just because it's a convenient way to get free credits."
Bot Blocking on Signups
You end up needing bot blocking on signups — a surprising operational overhead for AI products. Real users vs. automated abuse becomes a daily battle.
Reality: The moment you go public with free credits, you need enterprise-grade bot detection and prevention.
Prompt Injection & Input Validation
Input validation is non-negotiable — users might attempt prompt injection attacks against your MCP server.
Timestamp: 00:07:15"You're going to end up needing input validation so that no one prompt injection attacks your goats."
MCP-Specific Challenge: Dynamic Registration
MCP servers dynamically register as "applications," which floods admin dashboards and breaks existing management tooling.
Timestamp: 00:07:26"They will suddenly be flooded with MCP servers because of this weird choice in how MCP servers register as applications. And so essentially every orth stack you need, every like management tooling you need needs to be adapted for MCP."
The Enterprise Readiness Checklist
You Have to Do All the Boring Stuff
"You have to do all of the boring stuff. You have to do the SSO, the lifecycle management. You're going to have to do provisioning."Timestamp: 00:08:10
Authentication & Authorization
- SSO (Single Sign-On) - Enterprise requirement
- SCIM Provisioning - User lifecycle management
- Fine-grained access controls - Highly performant
Compliance & Logging
- Robust audit logs - GDPR AI workload requirements
- Data loss prevention - Prevent uploads to wrong servers
- Rate limiting & quotas - Abuse prevention
GDPR AI Logging Requirements
Regulations explicitly call out additional requirements for AI workload logging. Your existing audit logs aren't enough.
Timestamp: 00:08:57"A lot of the regulations that exist right now like GDPR call out explicitly additional requirements on logging for AI workloads because the regulators like to regulate"
The Future: Enterprise AI + MCP
Tobin's Vision for Enterprise AI
"I really see a future where enterprises use SSO to provision access to a ton of internal resources exposed via MCP that then employees can chat with as a default way that employees are encouraged to use AI to automate workflows."Timestamp: 00:08:32
Real Example: Block (Goose) already provisions AI access + MCP servers via SSO internally. Employees chat with internal resources through MCP as part of their daily workflow.
SSO Provisioning
Enterprises provision MCP resources like SaaS apps
Internal Resources
MCP exposes internal data and tools securely
Workflow Automation
Default way employees use AI
Open Questions & Unsolved Problems
The Hardest Part: Authorization
"The authorization and access control element of this is the hardest part of putting this into external enterprise workloads and a big thing that needs to be filled."Timestamp: 00:12:00
Known (Solved)
- ✅ User → AI chat authentication
- ✅ AI → MCP server connections
- ✅ MCP server → External resources
- ✅ IT admin managing AI workloads
- ✅ Cloud hosting for MCP servers
Unknown (Open Problems)
- ❌ Asynchronous workload authorization
- ❌ Human elicitation workflow (new RFC)
- ❌ Scope passing between AI workloads
- ❌ Service account access controls
- ❌ Multi-agent authorization (beyond "vibes")
The "Vibes" Problem
Current agent-to-agent (A2A) protocols rely on telling agents "in vibes" what they should or shouldn't do, then hoping model alignment prevents misbehavior.
Timestamp: 00:11:19"If you're using A2A protocol you are just telling an agent mostly in vibes what it should or shouldn't do and relying upon the alignment of that model to make sure it doesn't misbehave"
New RFC: Human Elicitation
A new RFC in the MCP spec allows models to request human input when uncertain.
Timestamp: 00:10:53"There is a new RFC in the MCP spec for elicitation. So when your model doesn't know what to do, it knows that it should ask a human being and this is becoming supported as part of MCP that it can go and call out towards a user and say please provide additional input that you need because I'm missing details."
Actionable Takeaways
For Developers
- ✓ Start with security: Add auth before going public
- ✓ Plan for scale: MCP dynamic registration floods dashboards
- ✓ Audit logs from day one: GDPR AI requirements
- ✓ Use existing tools: Cloud vendors solve hosting
For Enterprise Teams
- ✓ SSO provisioning: Treat MCP servers like SaaS apps
- ✓ Fine-grained controls: What can access, not just can access
- ✓ Monitor for abuse: Bot blocking, rate limiting
- ✓ DLP is critical: Employees chat with many servers
For AI Labs
- ✓ WorkOS pattern: Security vendors handle ops
- ✓ Focus on product: Not enterprise glue
- ✓ Enterprise expectation: Security is table stakes
Key Insight
"Truthfully the answers aren't entirely known yet and the protocol is very rapidly developing."
— Timestamp: 00:09:40
Watch the Full Talk
Video Metadata
Speaker
Tobin South
Company
WorkOS
Event
AI Engineer Summit 2024
Duration
~14 minutes