TL;DREvery few years a piece of infrastructure shows up that quietly redraws the lines of what's possible. Most of the time we don't notice while it's happening — the change looks like "a slightly better way to do this" rathe…

Every few years a piece of infrastructure shows up that quietly redraws the lines of what's possible. Most of the time we don't notice while it's happening — the change looks like "a slightly better way to do this" rather than "a tectonic shift". The MCP-style tool protocol that emerged in 2024 and matured through 2025 is one of those shifts. If you build with AI agents and you haven't yet absorbed what it does to the architecture, you are about to be surprised by your competitors.

This piece is what I would tell a technically-fluent founder over coffee. What it is, why it matters, what changes when you adopt it, and what the operator-grade version looks like in practice.

The problem MCP-style protocols solve

Before standardised tool protocols, every AI-agent stack invented its own way of giving the model access to tools. You'd write a plugin specification, hand-craft prompt sections describing the tools, parse hand-rolled JSON outputs from the model, validate, dispatch. Every framework had a slightly different shape for the same problem. Switching frameworks meant rewriting tool layers. Sharing tools across systems was impractical. Each application was an island.

The MCP-style protocol fixes this by defining a common shape: a server exposes capabilities (tools, resources, prompts) over a well-defined transport, and any compliant client can discover and use them. It's the same architectural move as the language server protocol made for code editors a decade ago — define the interface once, and an explosion of interoperability follows.

The operator's read on this is: your tools become assets, not implementation details. Once you've built a server that exposes "check inventory", "create invoice", "search the knowledge graph", any AI surface in your stack — chat, voice, agent workflows, autonomous overnight processes — can use those same tools. You stop rebuilding the tool layer for every new agent.

What an MCP-style server actually exposes

The protocol gives you three things to expose:

  1. Tools — functions the model can call. Each one has a name, a description (which the model reads to decide whether to invoke), and a JSON schema for its input. Calls return results the model uses to compose its response.
  2. Resources — data the model can read but not modify. URLs, document references, structured records. The model can pull these into context when relevant.
  3. Prompts — pre-defined prompt templates the model or the user can invoke. Useful for surfacing reusable workflows the agent layer should know about.

The shape is intentionally minimal. The discipline is in the descriptions. A tool with a vague description gets called when it shouldn't and ignored when it should be. Treat the description as the user manual for a non-deterministic caller and rewrite it until you trust the call patterns.

Why this changes the architecture so much

The non-obvious effect is on how you partition responsibilities in the system. Pre-protocol, you'd have an agent runtime that knew about all your tools because the prompts that described them lived inside the runtime. Post-protocol, the tools live in their own servers, exposed over a network protocol, discoverable at runtime. The runtime no longer needs to be redeployed when you add a tool. The team that owns the tool can iterate independently of the team that owns the agent.

For larger setups, you end up with a constellation of small purpose-built servers — one for CRM operations, one for the knowledge graph, one for the home-automation engine, one for the calendar, one for monitoring. Each is small, testable, and owned by whoever owns the underlying domain. The agent runtime becomes a thin coordinator that discovers the constellation at startup and dispatches.

This is the same evolutionary pattern that took us from monolithic web applications to microservices, with the same tradeoffs. The benefit is decoupling and scale; the cost is the operational complexity of running more services and observing them well. Worth it for organisations beyond a certain size; debatable below.

The operator-grade version: what good looks like

The naïve version of an MCP-style deployment is a single server exposing thirty tools. It works. It is also a maintenance nightmare. The operator-grade version organises tools into domain servers, each one tightly scoped:

  • One server per business domain — CRM, knowledge graph, home automation, monitoring, content production, etc. Each server owns its tools end-to-end.
  • Authentication at the protocol layer — bearer tokens or equivalent on every call, scoped per server, rotated regularly.
  • Schemas validated on every call, both inbound (the model's call must match the tool's input schema) and outbound (the response must match the declared output shape).
  • Observability hooks — every call logs caller, tool, parameters, latency, success/failure, and any token/cost data.
  • Rate-limiting and circuit-breaking — agents can and will hammer a tool. Defend the server.
  • Versioning — when a tool's contract changes, version it explicitly and run old and new in parallel until callers migrate.

The reward is that adding a new agent is trivial. Add it to the network, point it at the discovery endpoint, give it credentials, and it inherits the entire toolbox.

The dark patterns to avoid

  1. Mega-tools. A single tool that does too many things, controlled by a discriminator parameter, is harder for models to call correctly than five small focused tools. Resist.
  2. Implicit state. A tool that requires the model to remember a session ID or sequence of calls in a specific order will fail. Make tools idempotent and stateless wherever possible.
  3. Hallucinated parameters. The model will pass values it shouldn't. Validate ruthlessly. Reject malformed calls loudly so the model gets feedback and corrects.
  4. Tool descriptions written for humans. The audience for the description is the model. Write it like a function signature with semantics, not like marketing copy.
  5. Skipping the audit log. A tool that mutates state without an audit trail is a future incident waiting to happen. Log everything.

The discovery and orchestration question

Once you have many MCP-style servers, two operational problems show up: the model needs to discover them, and the system needs to orchestrate them. Discovery is solved at the protocol layer — clients query servers for their tool lists at startup or on demand. Orchestration is harder.

The pattern that has worked for me is a thin orchestration layer sitting between the agent runtime and the constellation of servers. It owns the registry of which servers exist, which credentials they need, and which agents are allowed to call which tools. When an agent fires up, the orchestration layer hands it a constrained, audited view of the tool surface. When the agent calls a tool, the orchestration layer logs the call before forwarding.

This middle layer is also where you can implement policy: rate-limiting per agent, scope-of-action constraints (this agent can read but not write), spend caps per workflow, and emergency kill-switches that revoke an agent's access without redeploying anything.

What this unlocks for the long term

The compounding effect of MCP-style architecture is that the value of your tool surface grows superlinearly with the number of agents and clients consuming it. A new chat surface? Plug it in, it inherits everything. A new automation? Plug it in. A new voice assistant? Plug it in. Each consumer pays the integration cost once for the protocol, not once per tool.

It also lets you separate the capability from the UX. The same "create CRM lead" tool can be invoked from a messaging bot, a chat widget, a voice command in the smart home, or an autonomous outbound workflow. None of those surfaces need to know how the CRM works. They just call the tool.

For anyone building a serious AI-augmented operating layer, this is the architectural move that pays for itself many times over. Not in the first month. By month six it's obvious why you did it.

Practical onboarding sequence

If you're starting from scratch, the right sequence is incremental:

  1. Pick the highest-value domain. Usually the CRM or the knowledge graph. Stand up the first MCP-style server exposing 5–10 well-scoped tools. Don't try to expose everything; the tools you expose first set the conventions for everything that follows.
  2. Wire one consumer. A chat surface, an existing agent, anything that exercises the tools end-to-end. Use this to shake out the schema, descriptions, error handling and authentication before you have ten consumers depending on it.
  3. Add the orchestration layer. Even at one server, the orchestration layer is worth standing up — it owns auth, observability and policy in a place that scales.
  4. Add the second domain server. Now you've validated the pattern works across two domains. The second server should reuse the conventions established by the first.
  5. Add the second consumer. Now you've validated that two consumers can share servers cleanly. The work that survived this stage is your conventions.
  6. Scale out. From here, adding servers and consumers is a known operation. Each one inherits everything that came before.

The mistake to avoid is the big-bang rebuild. Don't try to expose your entire surface area on day one. Start narrow, validate the conventions, scale out. The patterns you set early are the patterns you'll live with.

Security posture for tool servers

An MCP-style server is, in effect, a remote procedure call surface that an LLM can drive. That changes the security model from "normal API" in three ways. First, the caller is non-deterministic and may attempt operations the developer didn't anticipate. Second, the inputs may include adversarial content if the agent itself was prompted by an external user. Third, the blast radius of a compromised tool is whatever the tool can do — and tools are, by design, capable.

The defensive posture: every tool runs with the minimum privilege needed for its job. Read-only tools get read-only credentials. Mutation tools have explicit allow-lists. Destructive operations require a separate, manual confirmation flow rather than being invokable directly from an agent context. Authentication is per-tool, not per-server. Logging is comprehensive enough that a post-hoc audit can reconstruct exactly what was invoked, by whom, with what arguments.

None of this is special to MCP — it's the same defensive posture you'd apply to any production API surface. What's special is the awareness that the caller is, in some sense, an attacker every time. Build accordingly.

The MCP-style tool protocol is not a flashy capability. It's a piece of plumbing. Plumbing changes architectures more than capabilities do. The teams that adopt it well end up with tool surfaces that compound; the teams that ignore it end up rewriting the same tool layer on every new agent project.

If you're building anything beyond a single-purpose chatbot, set the architectural shape now. Stand up your first MCP-style server. Wire one agent to it. The rest follows naturally.

Build your tool surface properly Designing the constellation of MCP-style servers and the orchestration layer above them is one of the highest-leverage architectural decisions in any modern AI stack. Book a sovereign-infrastructure consultation to design yours. Book a sovereign-infrastructure consultation →

Across the network

Reference · EcoSaving Hub
UK retrofit & energy glossary
91 terms — A-Z reference for retrofit, energy, smart home, grants.

Related insights

AI cluster
Designing AI-agent workflows that actually compound: an operator's pattern library
AI cluster
Sovereign AI vs Cloud AI: a working operator's framework for choosing where inference happens
AI cluster
Replacing SaaS with on-premise AI: the unit economics that make sovereign-AI inevitable
AI cluster
Multi-tenant AI