By Matt Topper, President & CEO, UberEther
Every enterprise we talk to is asking the same question: how do we let AI agents touch production systems without lighting our security architecture on fire? Until now, the honest answer involved a lot of duct tape. The Model Context Protocol gave agents a standard way to reach tools and data, but it asked enterprises to accept things no security architect wants to accept — sticky sessions that break behind load balancers, transport-level state that hides from your gateways, and an authorization story that left too much to interpretation.
The MCP 2026-07-28 Release Candidate changes that. It’s the largest revision of the protocol since launch, and while most of the coverage will focus on developer ergonomics, the real story is this: MCP is now a protocol your existing security infrastructure can see, route, inspect, and govern. Here’s why that matters if you’re responsible for securing an enterprise — especially a federal one.
Stateless by Design Means Governable by Default
The headline change is that MCP is now stateless at the protocol layer. The initialize handshake and the Mcp-Session-Id header are gone. Every request is self-contained, carrying protocol version and client identity in the payload itself.
If you’ve spent your career in identity and access management, you know exactly why this matters. Hidden session state is where security goes to die. When a protocol pins clients to server instances and stashes context in transport metadata, your zero trust controls go blind. You can’t evaluate what you can’t see.
With 2026-07-28, an MCP deployment looks like ordinary HTTP traffic:
- No shared session store to protect, replicate, or worry about as an attack surface
- No sticky routing, so any request can land on any instance behind a plain load balancer — the same horizontal patterns your infrastructure and DR playbooks already assume
-
Mandatory
Mcp-MethodandMcp-Nameheaders, so your API gateways, WAFs, and rate limiters can enforce policy per-operation without deep packet inspection
That last point deserves emphasis. Your gateway can now say “this client may call tools/call on search but never on delete_records” by reading a header. That’s policy enforcement at the edge, using the infrastructure you already own and have already accredited. For anyone carrying a compliance-burdened authorization boundary, fewer bespoke components inside the boundary is a direct reduction in assessment scope and ongoing continuous monitoring burden.
And where state genuinely matters, the spec pushes it into the open: servers mint explicit handles that the model passes as ordinary tool arguments. State becomes visible, auditable, and policy-enforceable instead of buried in transport plumbing. That’s the zero trust philosophy applied to protocol design — make everything explicit, evaluate everything.
Authorization Hardening: OAuth the Way It’s Actually Deployed
This is the section that made our team sit up. Six Specification Enhancement Proposals harden MCP authorization to align with how OAuth 2.0 and OpenID Connect actually run in production — not how they look in a whiteboard diagram.
The standouts:
Mandatory iss validation (RFC 9207). MCP’s deployment pattern — one client talking to many servers, each potentially fronted by a different authorization server — is precisely the topology where authorization server mix-up attacks thrive. Clients must now validate the issuer on authorization responses, and future versions will reject responses that omit it. If you run an authorization server, start emitting iss today.
Credentials bound to the issuing authorization server. Clients bind registered credentials to the AS issuer and must re-register when a resource migrates. No more credential reuse across trust boundaries — a quiet but meaningful containment control.
application_type declared at Dynamic Client Registration. Desktop and CLI agents no longer get mis-registered as web clients with broken redirect URI handling. Small fix, real-world impact: DCR failures are exactly where developers start improvising, and improvisation in auth flows is how shadow credentials are born.
Documented refresh token and step-up scope semantics. Long-running agents need token lifecycle management that doesn’t rely on vendor-specific guesswork. The spec now says how.
For high-security ICAM programs staring down agentic AI adoption, this is the foundation you’ve been waiting for. Non-person entities — agents, workloads, services — calling tools on behalf of humans is the next great identity governance challenge. A protocol that takes issuer validation, credential binding, and scope discipline seriously is a protocol you can actually build an NPE identity architecture on.
Every Action Traces Back to a Human
Two changes in this release close what we’d call the “phantom prompt” problem. Server-initiated requests — elicitations, input prompts — may now only occur while the server is actively processing a client request. It was a recommendation before; it’s a requirement now. A user is never prompted out of nowhere, and every interaction traces back to something a human or their agent initiated. That’s not a nice-to-have. That’s the difference between an auditable system and a social engineering vector.
MCP Apps, now a first-class extension, extends the same discipline to interactive UIs. Servers declare their UI templates ahead of time so hosts can prefetch and security-review them before anything renders, the UI runs in a sandboxed iframe, and every action it takes flows through the same JSON-RPC consent and audit path as a direct tool call. No side channels. No unauditable UI magic.
And with W3C Trace Context propagation now locked into the spec, a single trace follows a request from the host application through the client SDK, the MCP server, and everything downstream — landing in your OpenTelemetry backend as one span tree. When your SOC asks “what did the agent actually do, and who asked it to?” you’ll have an answer with timestamps.
Governance You Can Build an ATO On
Here’s the part compliance leaders should care about most: this release ships with a formal feature lifecycle policy. Every feature is Active, Deprecated, or Removed, with a minimum twelve months between deprecation and removal. New capabilities land as opt-in extensions and prove themselves before touching the core. And no Standards Track proposal reaches Final without a matching scenario in the official conformance suite.
Anyone who has carried a system through assessment knows why this matters. You cannot build a security authorization on a protocol that breaks underneath you every six months. Predictable deprecation windows, conformance testing, and tiered SDK expectations turn MCP from a fast-moving open source project into infrastructure you can put in a System Security Plan with a straight face.
What You Should Do Now
The release candidate is locked; the final specification ships July 28, 2026. This release contains breaking changes, and the ten-week window exists so implementers can validate against real workloads. Our recommendations:
iss on authorization responses, support application_type in DCR, and review refresh token issuance for agent clients.Mcp-Method/Mcp-Name headers._meta means your observability stack can finally see agentic workflows end to end. Turn it on.Agentic AI is coming to the enterprise whether your security architecture is ready or not. The 2026-07-28 spec is the protocol community doing its part. The rest is on us — the architects, the ICAM programs, the platform teams — to build identity-first foundations underneath it.
That’s exactly the work we do every day. If you’re wrestling with how AI agents fit into your zero trust and ICAM strategy, let’s talk.
Bringing AI agents into your Zero Trust strategy?
Let’s talk about building identity-first foundations for agentic AI in your environment.
Start the ConversationUberEther builds and runs the identity, credential, and access management platforms protecting many of the nation’s most critical systems. IAM Advantage is FedRAMP High and DoD IL5 authorized, serving over 4 million users across 3,000+ enterprise applications. Learn more at uberether.com.