My ongoing research this week continues to echo each of the massive blog pulls I do each week. MCP. Discovery. Governance. Pulling and processing all of the blog posts costs me about $50.00 using Claude, because I am not just pulling RSS feeds. I am pulling raw blogs too. Then I have a handful of skills that help me sift through the different topics to settle in on what the themes are going to be. I find myself spending the entire weekend pulling, reading, and sifting through what is here to settle in on these weekly newsletters.

3,699 posts went out in the last seven days across the 2,534 API-bearing API providers that I track on, and 2,649 of them carried an API related signal in the title. One theme dominated the week. Last week MCP stopped announcing and started shipping GA. This week it grew the thing every maturing technology eventually grows: a control plane. Gateways, registries, shadow-MCP detection, governance frameworks, and — inevitably — its first real attack chain. The protocol is no longer the story. The operations around the protocol are.

Let me walk through what I saw.

MCP Grew a Control Plane This Week

The gateway and governance layer that was racing the deployment wave last week stopped racing and started shipping. The pieces that showed up this week are, collectively, an MCP control plane:

• Microsoft shipped "Controlling Tool Access with APIM MCP Gateway" — Azure API Management fronting MCP and gating which tools a client can even see. The single most important governance primitive — tool-level access control — landing in a mainstream API gateway.

• Speakeasy shipped two halves of the same problem: "Build your MCP registry" and "Shadow MCP detection and governance." I called "shadow MCP" a term-of-art-in-waiting last week; this week a vendor shipped a detector for it. That was fast.

• TrueFoundry published "MCP Apps and Tasks: Governing the New First-Class MCP Extensions" — governance moving up the stack as the spec itself grows new surface (Apps, Tasks) to govern.

• Tetrate published "MCP Without the Sprawl: What Regulated Enterprises Actually Need" — the service-mesh crowd framing MCP as exactly the east-west sprawl problem they already solve.

• Vantage launched MCP Connectors for its FinOps Agent — the cost-governance layer wiring itself into the agent loop, which is the natural answer to "how do we pay for all these agents" from last week.

Put it together and the message is clear: MCP is being absorbed into the same gateway/registry/governance machinery we built for APIs over the last decade — because, as I keep saying, it is an API. The control plane isn't new. The acronym on it is.

The Gateway Became the Blast Radius

Last week the worm reached the agents. This week the AI gateway — the very layer everyone is rushing to deploy for safety — turned out to be the soft target itself.

• Permit.io published "When the AI Gateway Becomes the Blast Radius: Lessons from the LiteLLM MCP RCE Chain." A remote-code-execution chain through a popular AI gateway's MCP handling. The thing you put in the middle to contain the agents became the way in. This is the sharpest security story of the week, and it is the concrete sequel to the Cequence/Mitiga Claude Code attack from last week.

• Nightfall published "AI Agent Security Explained: Agents, MCP, Prompt Injection, and the AI Harness" — the field assembling a shared threat model for the agent stack.

• Socket shipped "Socket MCP Adds Org Alerts, Threat Feed Review, and Package Inspection" — supply-chain defense delivered as an MCP server, so the agent can inspect packages inside its own workflow. Defense is moving into the same surface as the attack.

• TrueFoundry published "Claude Code Security Best Practices for Enterprise Teams: SSO, AI Gateways, and MCP Governance" — the enterprise hardening guide for the most popular agentic coding tool.

The pattern is clear: every layer we add to control agents becomes a new layer to attack. The LiteLLM RCE is the proof. If you are deploying an AI gateway this quarter, the gateway is now part of your attack surface, not just your defense — threat-model it accordingly.

The NSA Wrote the MCP Requirements Document

Governance didn't just come from vendors this week — it came from the top.

• Arcade published "The NSA Just Wrote the MCP Requirements Document." When a national signals-intelligence agency's guidance reads like a spec for how to deploy your protocol safely, the protocol has officially left the frontier and entered the regulated era.

• FINOS published "Operationalizing AI Governance: The FINOS AIGF MCP Server" — the financial-services open-source foundation shipping an MCP server for its own AI governance framework. Governance-as-an-MCP-tool is a genuinely new shape, and finance is, as usual, first to it.

• FusionAuth published "Protect an MCP server with an Authorization Server" — the identity vendors converging on the same OAuth-2.1-in-front-of-MCP answer I keep seeing across the network.

This is the part of the cycle I find most telling. A year ago MCP was a clever way to wire tools into a chat window. This week the NSA and FINOS are effectively publishing conformance requirements for it. It is good to see. Things are hardening.

MCP Is Now a Generated Artifact

Underneath the governance noise, the build pipeline kept maturing — and it is exactly the pipeline I argued for in my new paper this week, Publishing a Public MCP Server: your MCP server is the next thing generated from your OpenAPI, not a hand-written science project.

• Stainless and Speakeasy keep shipping the OpenAPI→MCP path — generate the server, then register and govern it.

• Truto ran a whole run of MCP-engineering content — testing and mocking MCP servers in CI/CD, docs-MCP to stop hallucinated integrations, transform-code guides. MCP is getting a real SDLC.

• apilayer published the "Turn Any REST API Into an MCP Server" pillar guide, and GitBook shipped "auto-generate API documentation from an OpenAPI spec." The OpenAPI contract is quietly becoming the source of truth for three artifacts at once: docs, SDKs, and now the agent interface.

This is the thread I care most about, because it is the one with the least hype and the most leverage. If your OpenAPI is good, your MCP server is mostly free. If it is weak, you are about to find out — because it is becoming your agent interface whether you curate it or not.

The Fundamentals Didn't Go Anywhere

For all the MCP gravity, the most quietly reassuring thread this week was how much plain old API fundamentals content kept shipping — the stuff that actually carries the load underneath every agent.

• Sportmonks had a prolific week of exactly the right kind of boring: "Football Data API Stack: REST vs GraphQL vs WebSockets," "Bearer Token vs API Key," "OAuth 2.0 in Sports APIs," and "What Is a JWT."

• Reform shipped "7 Tips for Storing OAuth Tokens Securely."

• Meta shipped "Tokenless Access to Meta oEmbed APIs" — going the other direction and removing an auth requirement, which is its own kind of design decision worth noticing in a week obsessed with adding control.

This is the week's quiet argument, and it is the same one I made in my own post this week about the real API design struggle continuing with MCP: the design tension between generality and safety, the auth choices, the token handling — none of it went away because agents showed up. We just pointed it at a new consumer. The providers writing clear OAuth and token-storage explainers are doing more for the agent era than most of the MCP listicles are.

A Few Other Threads Worth Noting

Felt followed last week's public beta with developer APIs and a Python SDK — geospatial tooling opening its surface to the agent-building wave, exactly the pattern I flagged a week ago.

Harness wired its MCP server into Google's Antigravity IDE, and Red Hat published deploying the MemPalace MCP Server on OpenShift AI — MCP continuing to colonize every IDE and platform surface.

Google shipped "A2UI + MCP Apps: Combining the best of declarative and custom agentic UIs" — the UI layer for agents starting to standardize, which is the next frontier after the tool layer settles.

Chainguard opened its Agent Skills to everyone with a private registry for internal skills — the "agent skills" packaging pattern getting its own registry story, in parallel to MCP's.

And MoneyGram joined the Solana Developer Platform — the crypto-rails-for-payments thread that keeps simmering under the AI noise.

What I Am Watching Going Into Next Week

Three things.

Whether the control plane consolidates or fragments. This week we got an MCP gateway, an MCP registry, shadow-MCP detection, and tool-level access control — from four different vendors. The open question is whether these converge on shared standards (a real registry spec, a common access-control model) or whether every gateway vendor ships its own incompatible control plane and we spend 2027 integrating them. I have seen this movie before with API gateways. I am watching for the standards conversation to start.

The MCP attack surface. The LiteLLM RCE isa concrete "the gateway itself is the vulnerability" story, and that class of bug tends to get copied fast. I expect more gateway and MCP-server CVEs, more "we were affected" disclosures, and — importantly — the first serious incident at a provider who deployed an MCP server without governing it. The Socket-MCP-as-defense move is the early sign that the security vendors see the same thing.

Governance going official. The NSA guidance and the FINOS AIGF MCP server are the leading edge of regulators and standards bodies writing MCP requirements. Watch for more of this — a NIST profile, a cloud provider's "compliant MCP" reference architecture, an industry-body conformance checklist. When the requirements documents arrive before most providers have shipped a server, the providers who move now get to shape the requirements instead of scrambling to meet them.

This was the week MCP grew up a little — and, like everything that grows up, it immediately acquired a bureaucracy, a security problem, and a regulator. I find all of it fascinating, and a little exhausting, which is about right for this stage of the cycle. While pulling the whole network this week the signal is the same as always: the fundamentals still carry the load, and the providers doing the unglamorous design work are the ones who will be fine. Get outside, touch some grass, and hug the hoomans you love.