It is fascinating to watch all the pundits jump in and respond to the MCP rush riding on top of the current AI hype. Critics were quick to point out that MCP does not have the authentication and access control that has become commonplace in the world of APIs. Everyone at the trough was just as quick to answer that MCP is in its early stages, that of course authentication is coming, that it is just early days and it will arrive shortly. However, everyone treated the lack of authentication as an oversight or bug in the early version of the MCP spec, when in reality it is a feature.
The lens through which most developers view the world seriously concerns me. My desire to look past the technology of APIs over the years and learn more about the business and politics of APIs began as a need to reconcile my own short-sightedness, to understand why things kept going over my head and why MBA after MBA kept taking advantage of me in startups. I have come to learn that technologists are perfectly happy to stay in their lane, and business people are perfectly happy staying in theirs, but both enjoy using the canyon in between as an accountability sink to distance themselves from the impact of our technological choices.
Back to the MCP authentication version of this. Technologists are unable to see that the prioritization that went into the original MCP specification is an intentional omission, because ideally you don't need any authentication and access control: you are given the highest level of access possible. This is why there is so much desire to circumvent the whole API layer and get directly at databases and file systems. If you need evidence of this in action, take a look at what the current administration is doing with AI through its DOGE crew. Authentication and access control aren't part of the equation; you just want access to all of the data, and the AI will make sense of everything else. This is the intent with MCP: to gain access to all of your enterprise resources as quickly as possible, with the promise that AI will figure things out, and if it doesn't, oh well, that is your problem.
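To make the point concrete, here is an added example (not code from the original post, and not the MCP reference implementation): a minimal MCP-style JSON-RPC `tools/call` handler in the shape the early spec allowed, with no notion of who is calling, beside a hypothetical variant that checks a bearer token, a per-tool scope, and then runs only a fixed, parameterised, column-limited query. The token table, the scope names, the error codes -32001/-32003, and the sample employee rows are all constructed for this example; MCP itself defines none of them.

```python
"""
Added illustration: an MCP-style JSON-RPC ``tools/call`` handler with no
caller identity (handle_open), beside a hypothetical variant that ties each
call to an authenticated principal and a narrow data-access path
(handle_scoped).  Not code from the original post or from any MCP project.
"""
import sqlite3

JSONRPC = "2.0"


def build_db():
    """Constructed sample 'enterprise' data standing in for the databases
    and file systems an MCP server is typically pointed at."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE employees (id INTEGER, name TEXT, dept TEXT, ssn TEXT);
        INSERT INTO employees VALUES (1, 'Ada',  'eng', '111-11-1111');
        INSERT INTO employees VALUES (2, 'Bob',  'hr',  '222-22-2222');
        INSERT INTO employees VALUES (3, 'Cleo', 'eng', '333-33-3333');
        """
    )
    return conn


def _error(req_id, code, message):
    return {"jsonrpc": JSONRPC, "id": req_id, "error": {"code": code, "message": message}}


def _result(req_id, rows):
    return {"jsonrpc": JSONRPC, "id": req_id, "result": {"rows": rows}}


def handle_open(conn, request):
    """Early-spec shape: the server has no idea who is calling.  A 'query'
    tool that forwards caller-supplied SQL hands every caller the full reach
    of the server process, sensitive columns included."""
    req_id = request.get("id")
    if request.get("method") != "tools/call":
        return _error(req_id, -32601, "Method not found")
    params = request["params"]
    if params["name"] != "query":
        return _error(req_id, -32602, "Unknown tool")
    rows = conn.execute(params["arguments"]["sql"]).fetchall()
    return _result(req_id, [list(r) for r in rows])


# Hypothetical token store and tool->scope map, assumed for this example.
TOKENS = {"tok-hr-bot": {"sub": "hr-bot", "scopes": {"employees:read:basic"}}}
TOOL_SCOPES = {"list_by_dept": "employees:read:basic"}


def handle_scoped(conn, request, authorization=None):
    """Hypothetical hardened shape: authenticate the caller, authorise the
    requested tool against the caller's scopes, and let the tool run only a
    fixed parameterised query over non-sensitive columns."""
    req_id = request.get("id")
    if request.get("method") != "tools/call":
        return _error(req_id, -32601, "Method not found")
    if not authorization or not authorization.startswith("Bearer "):
        return _error(req_id, -32001, "Unauthenticated")  # assumed code
    principal = TOKENS.get(authorization[len("Bearer "):])
    if principal is None:
        return _error(req_id, -32001, "Unauthenticated")
    tool = request["params"]["name"]
    needed = TOOL_SCOPES.get(tool)
    if needed is None or needed not in principal["scopes"]:
        return _error(req_id, -32003, "Forbidden")  # assumed code
    dept = request["params"]["arguments"]["dept"]
    rows = conn.execute(
        "SELECT id, name FROM employees WHERE dept = ?", (dept,)
    ).fetchall()
    return _result(req_id, [list(r) for r in rows])


def demo():
    """Run the same kind of request through both handlers."""
    conn = build_db()
    dump_all = {"jsonrpc": JSONRPC, "id": 1, "method": "tools/call",
                "params": {"name": "query",
                           "arguments": {"sql": "SELECT * FROM employees"}}}
    by_dept = {"jsonrpc": JSONRPC, "id": 2, "method": "tools/call",
               "params": {"name": "list_by_dept", "arguments": {"dept": "eng"}}}
    return {
        "open": handle_open(conn, dump_all),
        "scoped_no_token": handle_scoped(conn, by_dept),
        "scoped_with_token": handle_scoped(conn, by_dept, "Bearer tok-hr-bot"),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The open handler returns every row including the SSN column to anyone who can reach the transport. Note that adding a token check alone would not change that: a caller with a valid token could still send `SELECT *`. What bounds access in the scoped variant is the combination of a per-tool scope and a tool that never executes caller-supplied SQL.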
I have long been frustrated by how easily we technologists are blinded to the business and politics of APIs. But it has reached unacceptable levels for me when unfettered AI access is stitching together federal government databases into a single system for identifying and rounding up human beings for deportation and disappearance, alongside unobstructed sales and grift within Silicon Valley startups to gain access to enterprise resources, and so many technologists are willing to say it is just an oversight. In reality, the shifting of the conversation from OpenAPI, Arazzo, and Overlays to a new specification without authentication is deliberate, intentional, and a feature. What is happening in DC and Silicon Valley just reveals to me the power of keeping people isolated in information-controlled environments, and it is something that leaves AI as a big no for me, bro.