David Soria Parra, co-creator of the Model Context Protocol (MCP) and Member of Technical Staff at Anthropic, delivers the keynote on where MCP has been and where it's headed. With 110M+ SDK downloads per month — outpacing React's first 3 years in just 16 months — MCP has become the de facto integration standard for agentic AI systems.

In this talk, David shares the 2026 roadmap, addresses the context bloat criticism head-on, and reveals upcoming features like triggers, streaming, and skills that will reshape how AI agents connect to enterprise systems.

What you'll learn:

110M+ Monthly Downloads — MCP's explosive growth and why it outpaced React's adoption curve
Enterprise Behind the Firewall — The biggest MCP deployments you never hear about: CRMs, Jira, Snowflake, internal wikis
Transport Evolution — Why the current streamable HTTP protocol needs a stateless redesign for hyperscale deployments
Long-Running Tasks — The new "Tasks" primitive enabling agentic communication for autonomous work
Cross-App Access — Seamless enterprise auth that eliminates OAuth flows by talking directly to identity providers
MCP Triggers — Webhooks for MCP, enabling servers to proactively notify clients of new data
Native Streaming — Incremental tool results are finally coming to the protocol
Skills Over MCP — Bundling domain-specific knowledge with MCP servers so agents know how to use them
Context Bloat Fix — Progressive discovery and tool search as the answer to the #1 MCP criticism
SDK v2 — Python and TypeScript SDK rewrites for better ergonomics, shipping in the coming months
This talk is essential for AI engineers, platform builders, and enterprise teams deploying agentic AI systems in production.

Links & Resources:

MCP Specification: https://modelcontextprotocol.io
MCP GitHub: https://github.com/modelcontextprotocol/modelcontextprotocol
Agentic AI Foundation (Linux Foundation): https://agenticai.org
MCP 2026 Roadmap (WorkOS writeup): https://workos.com/blog/2026-mcp-roadmap-enterprise-readiness
David Soria Parra on Software Engineering Daily: https://softwareengineeringdaily.com/2025/05/13/anthropic-and-the-model-context-protocol-with-david-soria-parra/
Timestamps (approximate — adjust after review):

00:00 — Introduction & MCP by the numbers
02:11 — What people built: from reference servers to SaaS integrations
03:36 — The weird and creative: Blender, Ableton, 3D printers
04:21 — The hidden story: MCP behind corporate firewalls
05:45 — Protocol evolution: remote servers, auth, elicitations, structured output
07:28 — MCP Extensions & MCP Apps
08:14 — Donating MCP to the Agentic AI Foundation
08:54 — MCP is the integration protocol: the 2026 mission
10:38 — Transport evolution: stateless HTTP for hyperscale
12:18 — Long-running tasks & agentic communication
13:44 — Enterprise readiness & cross-app access
14:56 — On the horizon: triggers, streaming, and skills
16:35 — Ecosystem work: SDK v2 for Python & TypeScript
17:44 — Building better clients & solving context bloat
19:46 — Composability through code & structured outputs
21:07 — Community call to action
22:14 — Closing
#MCP #AgenticAI #EnterpriseAI

285 11

Progressive Tool Discovery: Using MCP Notifications To Manage Context at Scale - Billy Hickman & Lilia Abaibourova, Amazon

As MCP adoption grows, a challenge emerges: how do you expose 100’s of tools from a single server without overwhelming agent context windows? This talk introduces an MCP tool discovery mechanism we’ve built that dynamically loads tools. The platform works with a single discovery meta-tool on initialization, server-side state management to track agent context, and leveraging streamed MCP’s notifications/tools/list_changed to push relevant tool sets mid-session. Agents declare their problem context (incident response, monitoring etc) and receive only the tools they need, when they need them. Attendees will learn how this pattern keeps context windows lean while maintaining access to a broad tool ecosystem, with real examples showing how a single MCP server can serve diverse agent use cases without tool overload.

28 2

Matt White (Global CTO of AI at the Linux Foundation, CTO of the Agentic AI Foundation and PyTorch Foundation) delivers Professor Dawn Song's (UC Berkeley) blueprint for building safe and secure agentic AI. This talk walks through the OpenClaw inbox-deletion incident, the 12 agentic attack vectors mapped to the OWASP Agentic Top 10 for 2026, the 8-layer agent attack surface, and 10 concrete recommendations you can hand your security team on Monday.
If you are building, deploying, or governing AI agents that hold credentials, call tools, or touch production systems, this is the most concise threat model available right now.
What is covered:
- The OpenClaw Incident: How a context-window compaction silently dropped a safety instruction and the agent bulk-deleted a Meta AI safety director's inbox while she watched helplessly over WhatsApp.
- Why Agentic Is Not Incremental: The shift from text-to-action, session-to-state, and single-to-multi-agent that makes agent security an order of magnitude harder than LLM safety.
- The 7 Spectrums of Agent Design: How data access, action scope, memory, MCP tool discovery, and rich UIs compound risk rather than just adding to it.
- The 12 Attack Vectors in 4 Tiers: Goal hijacking (OWASP ASI01), indirect prompt injection, tool misuse, identity abuse, MCP supply chain compromise, memory poisoning, inter-agent attacks, and rogue agents.
- The 8-Layer Agent Attack Surface: From the reasoning core down to the external environment, with concrete defenses for each layer.
- Threat Actors in the Wild: Environment poisoners, black-box manipulators, insiders, autonomous AI attackers, configuration abusers, and credential harvesters (3.3 billion credentials compromised in 2025).
- Agent Vigil and Agent Exploit: Dawn Song's red-teaming projects that achieved 100 percent prompt extraction against defended models and fully automated exploitation from a single poisoned GitHub issue.
- Cyber Gym and Bounty Bench: Frontier model exploit capability is doubling every 6 months (Claude Opus 4.6 at 65 percent), while autonomous vulnerability discovery is still only 5 percent. The defender window is closing.
- The Autonomous AI Trifecta: Why autonomy times power must always be matched by proportional assurance, and why most organizations have an exploitable gap today.
- Defense in Depth: Four layers from sanitization and model defense to Dawn Song's ProG framework for programmable privilege, plus monitoring, kill switches, and behavioral baselines.
This is essential watching for AI platform teams, security leads, CISOs, AI governance owners, and anyone deploying agents with tool access inside an enterprise.
Links and Resources:
- Agentic AI Foundation: https://agenticaifoundation.org
- Linux Foundation AI: https://lfaidata.foundation
- Dawn Song's research group (UC Berkeley): https://dawnsong.io
- Berkeley Center for Responsible Decentralized Intelligence (RDI): https://rdi.berkeley.edu
- OWASP Top 10 for Agentic Applications 2026: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
- Agent X competition at UC Berkeley RDI

Timestamps (approximate, adjust as needed):
00:00 Intro: Matt White presenting Dawn Song's research
00:50 What this talk covers
01:12 The OpenClaw incident: a safety director's inbox gets deleted
02:39 Four lessons: confused deputy, override failure, trifecta, not isolated
03:42 LLM era vs Agentic era: the risk model shift
04:40 Three shifts: text to action, session to state, single to multi-agent
05:38 Architecture of an agentic AI system
07:58 The 7 spectrums of agent design risk
09:19 The 12 attack vectors across 4 tiers
09:33 Tier 1: Goal hijacking and indirect prompt injection
10:10 Tier 2: Tool misuse, identity abuse, MCP supply chain
10:55 Tier 3: Code execution and memory poisoning
11:25 Tier 4: Inter-agent attacks, cascading failures, rogue agents
11:25 The 8-layer agent attack surface
14:06 Threat actors: poisoners, insiders, autonomous AI attackers
16:08 Anatomy of an indirect prompt injection (Agent Vigil)
18:04 The Agent Exploit case study
18:31 Cyber Gym and Bounty Bench: the exploit capability curve
20:15 The Autonomous AI Trifecta framework
21:43 Defense in depth: the 4 required layers
23:55 Closing: secure by design
#AgenticAI #AISecurity #OWASP

16 2

Putting the Single Back in Single Sign-On: Cross-App Access for MCP - Paul Carleton, Anthropic & Max Gerber, Twilio

MCP makes it easy for AI agents to connect to tools, but authorization hasn't kept up. Users connecting an MCP client to a dozen MCP servers face a dozen separate OAuth flows, one for each server, each with its own login and token lifecycle. If we have Single Sign-On, why are users signing in so many times? It's not just a UX problem. Enterprise environments can quickly run into governance issues with unmanaged or scattered permissions. Security teams can't answer basic questions about which agent can access which system under what policy. Every agent-to-server connection is another point-to-point relationship with no central visibility. Cross-App Access (XAA), built on the Identity Assertion JWT Authorization Grant (ID-JAG), solves both problems. By leveraging the existing trust between the MCP client, MCP server, and the organization's Identity Provider, the IdP can broker token exchanges from the user's initial login. Agents gain access to everything the admin has approved with one sign-in. No additional user interaction required. The IdP becomes the policy decision point for approving, scoping, and auditing delegated access across MCP integrations. In this session, Paul Carleton (Anthropic) and Max Gerber (Twilio) explain the technical underpinnings that enable enterprise admins to enforce policies about which users, clients, and servers can interact. They'll also demo an MCP client completing an XAA flow from beginning to end to obtain access tokens securely and silently. Attendees will leave understanding how Cross-App Access works and how to integrate with it.

14 0

Combine Skills and MCP To Close the Context Gap - Pedro Rodrigues, Supabase

As AI agents become more capable, their biggest limitation is no longer reasoning — it’s context. Without access to procedural knowledge and domain-specific understanding, agents struggle to perform real work reliably. In this talk, we’ll explore how Skills address this gap by giving agents on-demand access to company-, team-, and user-specific context.

We’ll look at how Skills can be combined with MCP servers to build safer, more reliable agents, and walk through a real-world example of managing a Postgres database. Using evals, we’ll compare agent performance with and without Postgres-specific Skills, showing how MCP enables secure database access while dramatically improving outcomes.

8 1

Aaron Wang, Software Engineer on Duolingo's DevXAI team, shares how they built an AI-powered Slack assistant that connects to 180+ MCP tools across 30+ servers. This keynote from MCP Dev Summit North America 2026 walks through Duolingo's full journey: from painful manual MCP setup, to a centralized app store, to standardization, and finally to bringing AI directly to employees via Slack.

The MCP adoption problem - Why even a one-click setup was too much friction for most engineers
MCP standardization strategy - How Duolingo categorized and hosted 30+ servers behind a unified HTTP config
Building with FastMCP - The internal Python library that lets any team convert their service into an MCP server
Slack app architecture - Using Claude Agent SDK and Slack Bot SDK to connect 15+ MCP servers with read-only tools
Auto-responding to help desk and incidents - The bot triages PagerDuty alerts using Grafana, Honeycomb, and Sentry behind the scenes
Human-in-the-loop for write operations - Approval workflows for creating PRs, Jira tickets, and staging deploys via Temporal
Per-channel customization - Custom skills, sub-agents, and system prompts tailored to individual team needs
Security and privacy model - Role-based access, sandboxed VMs, no cross-user data leakage, no logging of DMs
Eval tests and feedback loops - 20+ eval tests, upvote/downvote tracking, and iterative improvement to reach 80% approval
Adoption results - Growing from 20 to 250+ weekly active users, roughly 30% of the company
Open source announcement - Duolingo is releasing the core Slack AI agent code publicly
This talk is for engineering leaders, platform teams, and developers exploring how to deploy MCP-based AI agents at the enterprise level.

Links & Resources

Duolingo Slack AI Agent (open source): https://github.com/duolingo/slack-ai-agent
Duolingo Engineering Blog: https://blog.duolingo.com
Model Context Protocol: https://modelcontextprotocol.io
Claude Agent SDK: https://docs.anthropic.com/en/docs/agents-and-tools/claude-agent-sdk
Timestamps (approximate, may need adjusting)
0:00 - Introduction
0:17 - The early MCP adoption problem (Nov 2024)
1:04 - Centralized MCP setup page (May 2025)
1:45 - The MCP server fragmentation problem
2:27 - MCP standardization effort (Aug 2025)
4:58 - 30 servers, 300+ tools today
5:44 - If they won't configure it, bring it to them: the Slack app (Sep 2025)
5:57 - Slack app architecture: Claude Agent SDK + Slack Bot SDK
6:30 - Key features: auto-respond, human-in-the-loop, per-channel customization
7:33 - Feedback collection and eval tests
8:19 - Security and privacy principles
9:58 - Demo: help desk auto-response
10:26 - Demo: PagerDuty alert triage
11:02 - Demo: human-in-the-loop PR creation
11:51 - Adoption and approval rate results (April 2026)
12:50 - Open source announcement
13:20 - Closing

#MCP

11 0

Alex Hancock is a software engineer at Block, a core maintainer of Goose (the open-source AI agent now governed by the Linux Foundation's Agentic AI Foundation), and a maintainer of the MCP Rust SDK. In this talk, Alex makes the case that Goose is the ideal proving ground for experimental MCP features: real users, real usage, neutral governance, and a maintainer group willing to ship unusual ideas fast.
What you will learn in this talk:
- What makes an agent worth keeping: Performance, interoperability, willingness to experiment, and neutral governance as the four pillars of a serious open-source agent.
- Code Mode explained: How generating a TypeScript interface of all MCP tools and executing model-written code in a sandbox can cut token usage by roughly 30 percent and sidestep the LLM as a control-flow primitive.
- The Port of Context collaboration: A real-world story of open-source compounding, where a two-hour NYC hacking session shrank Goose's Code Mode implementation overnight.
- Agent Client Protocol (ACP): The MCP-style standard for the client side of agents, demoed across a new terminal UI, Toad, the rewritten Goose desktop app, and Zed.
- Proposed HTTP support for ACP: Why this unlocks mixing local agents with remote MCP servers (and vice versa) in a fully interoperable way.
- MCP Apps and MCP UI: How Goose adopted MCP UI early, plus a live Excalidraw MCP App demo where an app takes over the full Goose window and the model can edit the drawing in place.
- Sampling from app front-end code: A new experimental idea Goose is incubating, letting MCP Apps themselves call the host's model to become AI-powered UIs.
- An open call for contributors: What kinds of PRs Alex and the Goose maintainers actively want to merge, including long-running tasks support.
Who this is for: MCP contributors, agent engineers, open-source maintainers, and anyone building on top of the MCP or ACP ecosystems who wants a place to test bold ideas with real users.
Links and Resources:
- Goose (Block, Linux Foundation): https://github.com/block/goose
- Goose documentation: https://block.github.io/goose/
- Code Mode deep dive on the Goose blog: https://block.github.io/goose/blog/2026/02/06/8-things-you-didnt-know-about-code-mode/
- Cloudflare's original Code Mode post: https://blog.cloudflare.com/code-mode/
- Agent Client Protocol: https://agentclientprotocol.com/
- ACP on Zed: https://zed.dev/acp
- MCP Apps overview: https://modelcontextprotocol.io/extensions/apps/overview
- MCP Apps spec repo: https://github.com/modelcontextprotocol/ext-apps
- Agentic AI Foundation (Linux Foundation): https://agenticaifoundation.org/
Timestamps (approximate, please adjust after upload):
00:00 - Opening: Closing the gap between MCP ideas and places to ship them
01:00 - What Goose is: Open-source agent from Block, now at the Linux Foundation
02:40 - Why keep an agent as a permanent project in an age of generated agents
03:00 - Four pillars: Performance, interoperability, experimentation, governance
05:00 - Goose as an open host for the MCP ecosystem
07:40 - Code Mode: The problem with traditional tool calling
09:20 - How Code Mode works: TypeScript interfaces plus a sandboxed execution context
11:00 - The Port of Context story: Open-source collaboration in practice
12:40 - Agent Client Protocol (ACP): Standardizing the client side
14:20 - ACP demos: Terminal UI, Toad, new Goose desktop, Zed
16:00 - Proposing HTTP transport for ACP
16:45 - MCP Apps and MCP UI in Goose
17:40 - Excalidraw MCP App live demo
18:45 - Experimental: Sampling from app front-end code
20:10 - Call for contributors: Ship your crazy MCP ideas
20:45 - Q and A: Sampling statefulness, long-running tasks support
#MCP #Goose #AgentClientProtocol

8 0

MCP Vs CLIs: Why Agents Need Purpose-Built Interfaces - Sam Morrow, GitHub

You approve one sudo command (Ubuntu's default timeout is 15 minutes), so now your agent can `rm -rf /` your entire machine without asking again. You could run in a sandbox, but even there, `gh` can add a public SSH key to your account, or leak a token into the context window.

These aren't hypotheticals. Agents have deleted production databases and wiped drives using interfaces designed for humans, not autonomous AI. CLIs optimize for human ergonomics; APIs optimize for programmatic flexibility. Neither provides what agents need: structural safety boundaries, workflow context, graceful error recovery and auditable actions.

MCP can solve virtually all of these. This talk explores what breaks when agents use CLIs and APIs, and how MCP addresses these failures through protocol-level security, structured tool definitions, workflow guidance, consent flows, and registries.

We'll see why MCP offers the only sane path forward for safe agentic AI, and how it enables enterprise governance that unlocks mass corporate adoption. We'll also discuss gaps that still need addressing. You'll leave knowing exactly why "just use CLIs" is dangerous advice—and what to do instead.

13 0

Evolution, Not Revolution: How MCP Is Reshaping OAuth - Aaron Parecki, Okta

The impulse to rewrite the auth stack for AI agents is strong, but we cannot design away the fundamental relationships standards protect. This session explores how MCP is reshaping OAuth—not abandoning it—to meet the ecosystem's unique challenges:

The "Unregistered Client" Problem: Traditional OAuth requires pre-registration. MCP breaks this. We’ll see how Client ID Metadata Documents (CIMD) allow agents to bring their own identities to arbitrary servers, how it improves on Dynamic Client Registration, and how to mitigate the risks of unregistered clients.

Separation of Concerns: Why your MCP server shouldn't be your Authorization Server. We’ll cover how Protected Resource Metadata (RFC 9728) enables dynamic auth server discovery, keeping agents lightweight and security boundaries clean.

Enterprise-Managed Authorization: To stop "click-through fatigue," we’ll introduce the Identity Assertion Authorization Grant. This moves consent to the enterprise policy layer, enabling secure, scalable adoption.

Join me to secure the agent ecosystem—from discovery to governance—not by reinventing the wheel, but by making incremental improvements to the way it turns.

7 0