Model Context Protocol (MCP): How AI Agents Talk to Enterprise Systems¶
Model Context Protocol (MCP) is rapidly emerging as the industry standard for connecting AI agents to external systems, databases and APIs. If you’re building enterprise AI in 2026, MCP is the infrastructure you can’t avoid.
What Is MCP and Why Does It Matter¶
MCP is an open protocol designed by Anthropic that standardises communication between LLM agents and external data sources and tools. The idea is simple: instead of every developer writing their own integration for every tool, there is one protocol that handles everything.
Analogy: MCP is to AI agents what HTTP is to web browsers — a universal language that enables interoperability.
MCP Architecture¶
The protocol defines three core components:
- MCP Server — provides access to data or functions (databases, APIs, filesystem)
- MCP Client — the AI agent or application that consumes MCP servers
- MCP Host — the environment where the client runs (Claude Desktop, OpenClaw, custom app)
┌─────────────┐ MCP Protocol ┌─────────────────────┐
│ LLM Agent │◄──────────────────►│ MCP Server │
│ (Client) │ │ - Database │
└─────────────┘ │ - CRM │
│ - Internal API │
│ - Filesystem │
└─────────────────────┘
The Three MCP Primitives¶
MCP defines three types of what a server can offer:
1. Resources¶
Static or semi-static data the agent can read. For example: - Documents, manuals, knowledge base - System configuration - Historical data
{
"uri": "company://hr/policies/vacation",
"name": "Vacation Policy 2026",
"mimeType": "text/markdown"
}
2. Tools¶
Actions the agent can perform — database queries, API calls, calculations:
{
"name": "query_crm",
"description": "Search customers in CRM by criteria",
"inputSchema": {
"type": "object",
"properties": {
"company": {"type": "string"},
"status": {"enum": ["active", "churned", "prospect"]}
}
}
}
3. Prompts¶
Pre-defined prompt templates for recurring tasks — ensuring output consistency.
Enterprise Implementation — A Practical Approach¶
Step 1: Map Your Integration Points¶
Before implementation, map what your AI agent needs to work with:
| System | Access Type | MCP Primitive |
|---|---|---|
| CRM (Salesforce) | Read/write | Tools |
| Knowledge base | Read-only | Resources |
| ERP (SAP) | Read + specific actions | Tools |
| Internal Confluence | Read | Resources |
| PostgreSQL database | SQL queries | Tools |
Step 2: Security Model¶
MCP introduces new security risks. Key principles:
Least privilege — each MCP server should have only the minimum necessary permissions:
# Bad — permissions too broad
permissions = ["database.read", "database.write", "database.delete", "admin.*"]
# Good — granular permissions
permissions = ["crm.customers.read", "crm.opportunities.read"]
Tool schema validation — always validate inputs server-side, not just client-side.
Audit logging — log every tool call with context:
{
"timestamp": "2026-02-26T04:00:00Z",
"agent_id": "sales-copilot-v2",
"tool": "query_crm",
"user": "[email protected]",
"params": {"company": "Acme Corp"},
"result_size": 127,
"latency_ms": 234
}
Step 3: MCP Server in Practice (Python SDK)¶
from mcp.server import Server
from mcp.server.models import InitializationOptions
import mcp.types as types
app = Server("core-crm-server")
@app.list_tools()
async def handle_list_tools() -> list[types.Tool]:
return [
types.Tool(
name="search_customers",
description="Search customers in the CRM database",
inputSchema={
"type": "object",
"properties": {
"query": {"type": "string", "description": "Company name or ID"},
"limit": {"type": "integer", "default": 10}
},
"required": ["query"]
}
)
]
@app.call_tool()
async def handle_call_tool(name: str, arguments: dict) -> list[types.TextContent]:
if name == "search_customers":
results = await crm.search(
query=arguments["query"],
limit=arguments.get("limit", 10)
)
return [types.TextContent(type="text", text=str(results))]
Production Architecture with MCP¶
┌────────────────────────────────────┐
│ Enterprise AI Platform │
│ │
User ────────────►│ ┌──────────┐ ┌──────────────┐ │
│ │ LLM │ │ MCP Client │ │
│ │ (Opus) │◄─►│ (Router) │ │
│ └──────────┘ └──────┬───────┘ │
│ │ │
└────────────────────────┼───────────┘
│
┌────────────────────────▼───────────┐
│ MCP Server Hub │
│ │
│ ┌──────┐ ┌──────┐ ┌──────┐ │
│ │ CRM │ │ ERP │ │ DB │ │
│ │ MCP │ │ MCP │ │ MCP │ │
│ └──────┘ └──────┘ └──────┘ │
└────────────────────────────────────┘
MCP Server Hub — a central registry of all MCP servers in the organisation. Benefits: - Single point of governance - Unified authentication (OAuth 2.0) - Rate limiting and quota management - Monitoring of all calls
Ecosystem Adoption in 2026¶
MCP is supported today by: - Claude (Anthropic) — native support since v3 - OpenAI Agents SDK — MCP-compatible tool calling - LangChain / LangGraph — MCP adapter - Microsoft Copilot Studio — preview support - AWS Bedrock Agents — GA Q1 2026 - 27+ enterprise platforms (HubSpot, Salesforce, Atlassian, GitHub)
MCP vs Custom API — When to Use Which¶
| Scenario | Recommendation |
|---|---|
| Standard integrations (GitHub, Slack, DB) | MCP — ready-made servers exist |
| Proprietary internal API | Custom MCP server (2–4h implementation) |
| One-off integrations | Custom tool calling |
| Multi-tenant SaaS | MCP with per-tenant OAuth |
| High-frequency (>1,000 req/s) | Custom — MCP has overhead |
How CORE Can Help¶
CORE Systems implements MCP architectures for enterprise environments — from security model design and custom MCP server development for proprietary systems to production deployment and monitoring.
The result: an AI agent that works securely with your internal systems, with full auditability and no compromises on data security.
CORE Systems — AI infrastructure for enterprise. Want to know how to integrate MCP into your architecture? Get in touch →
Need help with implementation?
Our experts can help with design, implementation, and operations. From architecture to production.
Contact us