← Back to News

Field Notes: AI — March 2026

By Del

The month in one paragraph

March 2026 was the connected-work-graph month. The real question became less "how many models are in the picker?" and more "what systems can the agent safely touch?" Tools, files, SaaS apps, repos, documents, tickets, emails, spreadsheets, and databases became the actual work graph. MCP mattered because it standardized enough of the connector surface that the hard problems moved to authorization, trust, provenance, and audit.

Actual field update

  • MCP matured as connector grammar: resources, prompts, tools, JSON-RPC, capability negotiation, progress, cancellation, error reporting, and logging became part of the common conversation.
  • Auth remained product work: MCP authorization is optional in implementations and depends on transport choices; HTTP-based systems use OAuth-style mechanisms when supported.
  • Tool safety became visible: tool descriptions, metadata, and server trust became attack surfaces.
  • Connected-app execution became the value center: the best assistant was the one that could safely operate where work already lived.

Robustness check

Strong claim: MCP standardizes tool/context attachment.

Strong claim: MCP does not by itself solve safety, orchestration, or memory.

Strong claim: connector growth increases prompt injection, tool poisoning, confused deputy, and data-exfiltration concerns.

Agentic design pattern change

The pattern became:

tool registry
→ trust classification
→ scoped auth
→ tool call
→ result normalization
→ provenance/event log

MCP standardized attachment. It did not standardize judgment.

Fallout

  • Private MCP registries and gateway layers became more attractive.
  • Tool descriptions had to be treated as untrusted unless from trusted servers.
  • Token audience binding and scoped auth became critical.
  • Agents needed provenance tracking across tool calls.

What builders should copy

  • Put MCP servers behind a gateway.
  • Track server identity, tool identity, tool version, and approval scope.
  • Separate read connectors from write connectors.
  • Reject untrusted tool metadata for high-risk decisions.
  • Add DLP/anomaly detection around tool outputs and exfiltration paths.

Resource sources

Operator math (TeX)

ΔKPI=KPIpost-connected-workflowKPIpre-connected-workflow\Delta KPI = KPI_{\text{post-connected-workflow}} - KPI_{\text{pre-connected-workflow}}

Comments (0)

No comments yet. Be the first!

You must be signed in to comment. Contribute to comment.