Field Notes: AI — March 2026
The month in one paragraph
March 2026 was the connected-work-graph month. The real question became less "how many models are in the picker?" and more "what systems can the agent safely touch?" Tools, files, SaaS apps, repos, documents, tickets, emails, spreadsheets, and databases became the actual work graph. MCP mattered because it standardized enough of the connector surface that the hard problems moved to authorization, trust, provenance, and audit.
Actual field update
- MCP matured as connector grammar: resources, prompts, tools, JSON-RPC, capability negotiation, progress, cancellation, error reporting, and logging became part of the common conversation.
- Auth remained product work: MCP authorization is optional in implementations and depends on transport choices; HTTP-based systems use OAuth-style mechanisms when supported.
- Tool safety became visible: tool descriptions, metadata, and server trust became attack surfaces.
- Connected-app execution became the value center: the best assistant was the one that could safely operate where work already lived.
Robustness check
Strong claim: MCP standardizes tool/context attachment.
Strong claim: MCP does not by itself solve safety, orchestration, or memory.
Strong claim: connector growth increases prompt injection, tool poisoning, confused deputy, and data-exfiltration concerns.
Agentic design pattern change
The pattern became:
tool registry
→ trust classification
→ scoped auth
→ tool call
→ result normalization
→ provenance/event log
MCP standardized attachment. It did not standardize judgment.
Fallout
- Private MCP registries and gateway layers became more attractive.
- Tool descriptions had to be treated as untrusted unless from trusted servers.
- Token audience binding and scoped auth became critical.
- Agents needed provenance tracking across tool calls.
What builders should copy
- Put MCP servers behind a gateway.
- Track server identity, tool identity, tool version, and approval scope.
- Separate read connectors from write connectors.
- Reject untrusted tool metadata for high-risk decisions.
- Add DLP/anomaly detection around tool outputs and exfiltration paths.
Resource sources
- MCP Specification 2025-06-18: https://modelcontextprotocol.io/specification/2025-06-18
- MCP Authorization: https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization
- MCP Threat Modeling / Tool Poisoning: https://arxiv.org/abs/2603.22489
- Securing MCP — Risks, Controls, Governance: https://arxiv.org/abs/2511.20920
