The Quiet Standard: How the Model Context Protocol Became the USB-C of AI
May 31, 2026 · 7 min read
The releases that change an industry are rarely the loud ones. In November 2024, while attention was fixed on the next model and the next benchmark, Anthropic open-sourced a protocol. It had no parameters, set no leaderboard record, and could not write a poem. Eighteen months later it had been adopted by OpenAI, Google, and Microsoft, governed by a foundation, and embedded in products from rival labs that agree on almost nothing else. The Model Context Protocol is the most important AI release of its season precisely because it was not a model. It was plumbing, and plumbing is what lets everything else connect.
The problem every integration standard is born to kill
Before a standard exists, integration is a multiplication problem. If you have N applications that need to talk to M data sources or tools, the naive world requires building and maintaining roughly N times M bespoke connectors. Every new app must be wired to every existing tool; every new tool must be wired to every existing app. The cost does not add, it multiplies, and it strangles ecosystems in their infancy.
This is not a new problem and MCP is not the first answer to it. The history of computing is a graveyard of N times M problems killed by N plus M standards.
| Standard | Year | The N-times-M problem it killed |
|---|---|---|
| HTTP | 1989-1991 | Every browser talking to every server its own way |
| ODBC | 1992 | Every application writing a custom driver for every database |
| USB | from 1996; USB-C 2014 | Every peripheral needing its own port and cable |
| Language Server Protocol | 2016 | Every editor reimplementing support for every language |
| Model Context Protocol | 2024 | Every AI app writing a custom connector for every tool |
The pattern is identical each time. A standard turns a multiplicative cost into an additive one. Build to the standard once, and you connect to everything that also speaks it.
"A USB-C port for AI"
The analogy that stuck is not marketing folklore; it is in the official documentation, verbatim: "Think of MCP like a USB-C port for AI applications. Just as USB-C provides a standardized way to connect electronic devices, MCP provides a standardized way to connect AI applications to external systems." The comparison is exact in a way most analogies are not. USB-C, whose Type-C specification was published on 11 August 2014, collapsed a drawer full of incompatible connectors into one reversible port that carries data, video, and power. MCP collapses a codebase full of incompatible connectors into one protocol that carries tools, resources, and prompts.
Technically, MCP is a client-server protocol built on JSON-RPC 2.0. A host application coordinates one or more clients, and each client holds a stateful connection to a server (architecture docs). Servers expose three primitives: tools (executable functions), resources (context data), and prompts (reusable templates). Connections run over two transports: stdio for local subprocesses and streamable HTTP for remote servers. That is the entire surface area, and its smallness is the point. A standard succeeds by being boring enough to implement in an afternoon.
The lineage it admits to
Good standards know their ancestors. MCP's specification is unusually candid about its debt, stating outright that "MCP takes some inspiration from the Language Server Protocol, which standardizes how to add support for programming languages across a whole ecosystem of development tools" (MCP specification, 2025-11-25). The parallel is precise. LSP, announced in 2016, solved the editor-times-language explosion by decoupling language intelligence from the editor: write one language server, and every LSP-speaking editor gets your language for free. MCP applies the identical move to AI: write one MCP server for your tool, and every MCP-speaking model gets it for free. The intellectual genealogy runs straight from LSP to MCP, and the spec says so itself.
How a protocol becomes a standard: adoption
A protocol is a proposal until rivals adopt it. MCP's adoption curve is what separates it from a thousand well-intentioned specs that died alone.
- OpenAI, in March 2025, adopted MCP across its Agents SDK, Responses API, and ChatGPT desktop. Sam Altman: "People love MCP and we are excited to add support across our products."
- Google DeepMind, on 9 April 2025, committed to MCP support in Gemini. Demis Hassabis called it "a good protocol and it's rapidly becoming an open standard for the AI agentic era."
- Microsoft brought MCP into Copilot Studio in March 2025 and later into Windows.
The decisive moment for any standard is when its creator gives up control of it. MCP cleared that bar. In July 2025 Anthropic introduced a formal governance model with a steering group and a specification-enhancement process modelled on Python's PEPs. Then, on 9 December 2025, Anthropic donated MCP to the Linux Foundation's new Agentic AI Foundation, alongside Block and OpenAI as co-founders, with Google, Microsoft, AWS, Cloudflare, and Bloomberg as supporters. A protocol owned by one lab is a product. A protocol owned by a foundation is a standard. MCP made that transition in thirteen months, which is fast.
The part the analogy hides
USB-C cannot be tricked into exfiltrating your data. MCP can, and honesty requires saying so. Because MCP servers expose tools, and tools are arbitrary code that the model is induced to call, the protocol opens a genuine attack surface. Microsoft's security team has documented the main vectors: indirect prompt injection, where malicious instructions are hidden in content the model reads; tool poisoning, where hostile instructions are buried in a tool's description; and "rug pulls," where a tool's definition is altered after a user has approved it. "Compromised descriptions can manipulate the model into executing unintended tool calls, bypassing security controls."
The specification does not hide from this. Its own security section concedes that "tools represent arbitrary code execution and must be treated with appropriate caution," that tool descriptions "should be considered untrusted, unless obtained from a trusted server," and, most candidly, that "MCP itself cannot enforce these security principles at the protocol level" (MCP specification). That admission is to the protocol's credit. A standard that pretends to be safe is more dangerous than one that tells you exactly where the sharp edges are. The mitigations, least privilege, supply-chain verification of servers, and human approval for consequential actions, are the same disciplines that secure any system that runs untrusted code.
Why this is the release that mattered
It is tempting to measure AI progress in model capability, because that is what the benchmarks measure. But capability without connection is a brain in a jar. The reason an agent in 2026 can read your calendar, query your warehouse, and file your ticket is not that the model got smarter; it is that a single protocol let it reach all three through one interface instead of three bespoke ones. HTTP did not make computers faster. It made them a web. MCP did not make models smarter. It made them a network. That is why the quietest release of the season was the loudest one in retrospect.
Sources and further reading
- Anthropic, Introducing the Model Context Protocol; Donating MCP to the Agentic AI Foundation
- MCP docs: Introduction, Architecture, Specification 2025-11-25, Governance, Joining the AAIF
- Adoption: TechCrunch on Google, Microsoft Copilot Studio MCP
- Security: Microsoft, indirect prompt injection in MCP
- Standards background: HTTP, ODBC, USB-C, Language Server Protocol, Model Context Protocol
- Image: USB-C, Wikimedia Commons (CC BY-SA 4.0, Wikideas1)