Agentic AIAI Architecture11 min readUpdated

MCP for Enterprise Agents: Production Architecture

By Mudassir Khan — Agentic AI Consultant & AI Systems Architect, Islamabad, Pakistan

Cover illustration for: MCP for Enterprise Agents: Production Architecture

Quick answer

What is MCP used for in enterprise AI systems? Model Context Protocol is the integration layer between AI agents and the tools and data sources they need to complete tasks. In enterprise systems, it replaces bespoke per tool API integrations with a single standardized protocol, connecting agents to databases, document stores, and internal services through a uniform JSON-RPC interface.

Section 01 · Context

What MCP actually is

Model Context Protocol is an open standard that defines a JSON-RPC 2.0 communication layer between AI agents and the tools and data sources they need. This section is context — if you already know the protocol, skip ahead.

Model Context Protocol is an open standard published by Anthropic in late 2024. It defines a JSON-RPC 2.0 based communication layer between a host application (the environment running the AI model), an MCP client (the agent or orchestrator making requests), and one or more MCP servers (processes that expose tools and data sources).

The core primitives are straightforward. Tools are functions the model can call — think “run SQL query” or “fetch document by ID”. Resources are data the model can read — structured or unstructured content available via a URI scheme. Prompts are reusable instruction templates that MCP servers can expose. The host application negotiates capabilities with each server at session initialization, producing a manifest of available tools and resources that the model can reason about.

MCP has seen rapid adoption since its introduction. As of early 2026, it has surpassed 97 million monthly SDK downloads and is supported by every major AI vendor — Anthropic, OpenAI, Google, Microsoft, and AWS. For agents that need to interact with internal enterprise systems, MCP is quickly becoming the default integration pattern.

This post is not about getting started with MCP. If you need that, Anthropic’s official documentation covers it well. This is about what happens when you take a working single tenant MCP setup and try to run it in production for an enterprise with multiple tenants, strict compliance requirements, and a need to attribute costs per business unit.

Section 02 · The Problem

Why standard MCP setup breaks at enterprise scale

The default MCP architecture makes three assumptions that hold in a developer sandbox but fail in enterprise production.

The default MCP architecture makes three assumptions that hold in a developer sandbox but fail in enterprise production.

No native multitenancy

A standard MCP server is stateful per session. When you run a single MCP server for multiple tenants, nothing in the protocol prevents one tenant's session context from being accessible to another. Data bleed between tenants is not a theoretical risk — it is a predictable consequence of running an unmodified MCP server in a shared environment.

Minimal authentication

The MCP specification makes authentication possible but not required. A scan of 518 production MCP servers found that 41 percent had no authentication at all. Even servers that implement authentication typically verify at the session level without enforcing tool-level permission checks.

No cost attribution per agent

MCP does not include any native mechanism for tracking token usage or API call costs by agent identity or tenant. In a SaaS product built on MCP, you cannot tell which tenant is consuming which resources, cannot charge back infrastructure costs to business units, and cannot detect runaway agents before they cause a significant cost incident.

Each of these is solvable. The solutions require deliberate architectural decisions that you make before you scale to production, not after.

Section 03 · Design

Multitenant MCP server design

Every piece of server state must be scoped to a tenant at the point it is created, not filtered at the point it is accessed.

The core requirement for multitenant MCP is that every piece of server state — session context, tool inputs, tool outputs, cached data — must be scoped to a tenant at the point it is created, not filtered at the point it is accessed.

Namespace isolation. Assign every session a tenant ID at authentication time and bind it to the session object. Inject the tenant ID as a first-class parameter into every tool call, even tools that do not explicitly need it. This is belt and suspenders: you do not want a tool that “obviously” only returns the current tenant’s data to silently return another tenant’s data because of a caching bug.

Per-tenant tool sets. Different tenants often have different service agreements and should not see tools they do not have access to. Implement a tool registry that returns different tool manifests based on tenant ID at the capability negotiation phase. When the MCP client initializes a session and the server advertises its tools, the tenant should only see tools it is entitled to call. Do not rely on access control checks at call time as the only guard — if the tool is not in the manifest, it cannot be called by accident.

Session scoping. MCP sessions are long lived by design — the protocol is built around a persistent JSON-RPC channel, not request response HTTP. This means session state accumulates over time. Audit what each session stores: conversation history fragments, cached tool results, resolved resource references. The safest approach is to key every session store entry on {tenantId}:{sessionId}:{key} rather than {sessionId}:{key} alone.

Context isolation between agents

In multiagent architectures where one orchestrator agent spawns sub-agents, the tenant ID must propagate down the call chain. A sub-agent that inherits a parent agent's MCP session inherits the parent's tool permissions and context. Pass the tenant context explicitly with every agent handoff rather than relying on session inheritance.

For a deeper look at how this fits into the broader architecture of production agentic systems, see the guide on agentic AI production architecture.

Section 04 · Auth

Authentication and authorization

Authentication (who is this agent?) and authorization (what is this agent allowed to do?) are separate concerns. Enterprise MCP deployments need both enforced independently.

OAuth 2.1 with PKCE is the right authentication model for production MCP servers. The MCP Authorization Specification standardizes this approach. Each agent authenticates with your identity provider using client credentials flow, receives a short-lived access token, and presents that token with every MCP session initialization. The key advantages over static API keys: automatic token expiry limits the blast radius of a compromised credential, centralized credential management at the identity provider, and auditability of every authentication event.

For environments with stronger cryptographic requirements, mutual TLS (mTLS) is supported alongside OAuth. Certificate-based authentication binds agent identity to a cryptographic key pair, making impersonation significantly harder than with bearer tokens. The operational overhead of certificate rotation is non-trivial, but for agents handling regulated data it is worth it.

API keys: when they are acceptable

API keys are acceptable for internal-only tools that operate within a trusted network perimeter, have low data sensitivity, and belong to systems where you own and control both the agent and the MCP server. They are not acceptable as the primary authentication mechanism for external-facing MCP servers or any server that handles PII, financial data, or health records.

Tool-level permission scoping is where most MCP deployments fall short. Even teams that implement session-level authentication often grant agents access to all tools on a given server. The principle of least privilege applies here as clearly as it does anywhere else in security engineering: an agent should be able to call exactly the tools its defined role requires and nothing more.

Implement a permission layer as middleware between the MCP client and the tool execution layer. The middleware intercepts every tool call, looks up the calling agent’s role in a permissions table, and allows or rejects the call before it reaches the tool implementation. The permissions table maps {agentRole}:{toolName} to allow/deny. Start with an allowlist model — deny everything by default, allow specific tools explicitly — rather than a denylist model that relies on you correctly enumerating every dangerous tool.

A practical way to define roles: create one role per agent type in your system. A research agent might have access to web search, document read, and database read tools. A write agent might additionally have document write and database write access. An admin agent might have access to configuration tools that no other role can call. Keep roles narrow. The temptation to create a single “agent” role that has access to everything is the single most common authorization mistake in production MCP deployments.

For a broader view of how authentication fits into enterprise AI systems architecture, the design decisions here connect directly to how you structure agent identity across the whole system.

Section 05 · Observability

What to log and why

Every MCP tool call should produce a structured log entry. The fields matter as much as the fact of logging.

Every MCP tool call should produce a structured log entry. The minimum fields are: tenant ID, agent ID, session ID, tool name, input hash, output hash, call latency in milliseconds, token cost (if applicable), and a timestamp. Each field has a reason.

Tenant ID and agent ID make it possible to answer “which agent from which tenant caused this incident” after the fact. Without both, post-incident investigation collapses into guesswork.

Input hash and output hash — not full content

This is the key compliance decision. Logging the full content of tool inputs and outputs is a significant data retention liability — you are storing copies of potentially sensitive data in your log system, which has different retention policies, access controls, and geographic constraints than your primary data store. Logging SHA-256 hashes lets you verify that a specific call happened with a specific input without storing the input itself.

Call latency is your primary signal for tool performance degradation. Set an alert for p95 latency exceeding a threshold per tool — a slow tool is often the leading indicator of an underlying service problem before it produces errors.

Token cost at the call level enables cost attribution per agent and per tenant. Accumulate this in a separate analytics store rather than your operational log pipeline — log pipelines are optimized for high-volume event storage, not aggregation queries.

Alerts to configure: p95 tool call latency exceeding baseline by 2x; error rate per tool exceeding 1 percent over a 5 minute window; any tool call with a tenant ID that does not match the session’s authenticated tenant ID (this should be impossible — if it fires, it is a critical incident); total token spend per tenant exceeding a configured threshold per hour.

Section 06 · Security

The three security pitfalls

These are the failure modes specific to the agent-plus-MCP architecture that expose enterprise data in production. They are distinct from standard web application security concerns.

Cross-tenant data exposure through shared context

An agent accumulates context over a session: tool results, retrieved documents, intermediate reasoning. If this context is stored in a shared layer with insufficient key scoping, a subsequent session for a different tenant can access it. Fix: key every stored piece of context on tenant ID as the outermost scope. Test by running two concurrent sessions for different tenants and verifying that neither can read the other's tool outputs.

Overly broad tool access

An agent with access to 40 tools when it only needs 5 has a blast radius 8 times larger than necessary. Language models do occasionally call tools with plausible-sounding names the model has inferred exist, even if they were not in the tool manifest. An agent that should only read documents but has been granted write access will, under certain conditions, attempt to write. Restrict tool access to what is needed, not to what seems harmless.

Prompt injection through MCP tool outputs

When an MCP tool returns a result — a retrieved web page, a database record, a file's contents — that result becomes part of the model's context. An attacker who can control the content a tool returns can embed instructions designed to hijack the model's next action. This applies to web search tools, document retrieval, and any tool that returns attacker-influenced content.

Mitigating prompt injection in tool outputs

Three-layer approach: sanitize tool outputs before they enter model context by stripping embedded instruction patterns; use structured JSON outputs with a fixed schema for tool results (instructions in structured data are harder to act on than instructions in free text); include an explicit instruction in your system prompt telling the model to treat all tool output as data, not instructions.

Section 07 · Cost Control

Cost attribution per agent

Token spend attribution requires instrumentation at the tool call boundary. MCP itself does not track token spend — the instrumentation belongs in a wrapper middleware on the MCP client.

Token spend attribution in MCP-based systems requires instrumentation at the tool call boundary because the token cost is incurred at the LLM layer, not the MCP layer. MCP itself does not track token spend — the MCP server executes a function call, but the tokens are consumed by the model during the reasoning that produced the function call and during the processing of the function result.

The practical approach is a wrapper middleware on the MCP client that intercepts tool calls and pairs each one with the token counts from the model’s response object. The OpenAI API and the Anthropic API both return token counts in the response metadata. By logging the tool call event and the associated token counts together — keyed by agent ID and tenant ID — you build a per-call cost record that rolls up into per-agent and per tenant cost totals.

For SaaS products where you are billing tenants based on usage, this attribution layer is not optional — it is the billing system’s data source. Store cost records in an analytics database (Postgres, ClickHouse, or BigQuery depending on your scale) with tenant ID, agent ID, tool name, input token count, output token count, and timestamp.

Anomaly alerting for runaway agents

A tenant whose daily token spend is 10x their normal rate has either a runaway agent or a security incident in progress. Set automated alerts for per tenant token spend anomalies — a threshold of 3x the 7-day rolling average is a reasonable starting point. Review cost attribution data daily during initial production rollout; catching runaway agents in hours is far cheaper than catching them at the month-end invoice.

Section 08 · Checklist

Enterprise MCP security checklist

Before taking an MCP-based agent system to production, verify all of the following.

  • 01Session initialization requires authentication. No unauthenticated MCP sessions.
  • 02Authentication uses OAuth 2.1 with PKCE or mTLS. Static, long lived API keys are not used for external-facing servers.
  • 03Every session is bound to a tenant ID at authentication time.
  • 04Tool manifests are per tenant: agents only see tools they are entitled to call.
  • 05A permission layer enforces tool-level access control per agent role (allowlist model).
  • 06Every tool call is logged with tenant ID, agent ID, tool name, input hash, output hash, latency, and token cost.
  • 07Session context stores are keyed on tenant ID as the outermost scope.
  • 08Tool outputs are sanitized to remove injection patterns before entering model context.
  • 09Token spend is attributed per agent and per tenant, with anomaly alerting configured.
  • 10Two concurrent sessions from different tenants have been tested to confirm isolation.
  • 11Sub-agent spawning propagates tenant context explicitly rather than relying on session inheritance.
  • 12Incident response runbook covers the three pitfalls: cross tenant leakage, overly broad tool access, and prompt injection.

Working through the enterprise concerns above is part of what agentic AI consulting looks like in practice — the architecture decisions made here shape the security and cost profile of the entire system.

FAQ

Frequently asked questions

Common questions about deploying MCP in enterprise agentic AI systems.

What is MCP used for in enterprise AI systems?

Model Context Protocol is the integration layer between AI agents and the tools and data sources they need to complete tasks. In enterprise systems, it replaces bespoke per tool API integrations with a single standardized protocol. A production enterprise agent might use MCP to connect to internal databases, document stores, third party APIs, and internal microservices — all through a uniform JSON-RPC interface rather than custom client code for each.

How does MCP handle authentication?

The MCP Authorization Specification standardizes OAuth 2.1 with PKCE as the authentication mechanism. In practice, implementation varies — a study of 518 production MCP servers found that 41 percent had no authentication at all. For enterprise deployments, OAuth 2.1 with client credentials flow against your existing identity provider is the correct implementation. The spec also supports mutual TLS for environments requiring stronger cryptographic assurance.

What is the difference between MCP tool permissions and standard API authorization?

Standard API authorization typically operates at the request level — a credential either has access to an API endpoint or it does not. MCP tool permissions operate at a finer granularity: within a single MCP session, different agent roles can be permitted to call different subsets of the tools the server exposes. This is more like function-level RBAC than endpoint-level API authorization. The enforcement mechanism is a permission middleware layer, not the MCP protocol itself.

How do you prevent prompt injection in MCP tool outputs?

Three-layer approach: first, sanitize tool outputs before they enter the model context by stripping patterns that look like embedded instructions; second, use structured JSON outputs with a fixed schema for tool results wherever possible — instructions embedded in structured data are harder to act on than instructions in free text; third, include an explicit instruction in the system prompt telling the model to treat all tool output as data, not as instructions. Monitor for tool outputs containing imperative verb phrases directed at the model and alert on them.

Is Model Context Protocol secure enough for regulated industries?

MCP is a transport protocol, not a security framework. Its security properties are entirely determined by how you build on top of it. In regulated industries — healthcare, financial services, legal — you need: strong authentication (OAuth 2.1 or mTLS), tool-level access controls enforced by a permission layer, comprehensive audit logging with immutable storage, tenant isolation verified by testing, and output sanitization against prompt injection. The protocol itself does not provide these; your implementation does.

What is the right observability setup for a production MCP deployment?

Log every tool call with structured records containing tenant ID, agent ID, tool name, input hash, output hash, latency, and token cost. Store logs in an immutable, append-only system to satisfy audit requirements. Set up four classes of alerts: latency alerts (p95 latency exceeding baseline by 2x per tool), error rate alerts (tool error rate above 1 percent over 5 minutes), tenant boundary violation alerts (tool call tenant ID mismatch with session tenant ID), and cost anomaly alerts (per tenant token spend exceeding threshold per hour).

Written by Mudassir Khan

Agentic AI consultant and AI systems architect based in Islamabad, Pakistan. CEO of Cube A Cloud. 38+ agentic AI launches delivered for global founders and CTOs.

View agentic AI consulting service

Related service

Agentic AI Consulting

See scope & pricing →

More on this topic

Need an AI systems architect?

Book a 30-minute architecture call. I will sketch the high-level design for your use case and give you an honest view of the trade-offs.

Book a strategy call →