Getting On The MCP Bullet Train Without Leaving Governance Waiting At The Platform
Claire Barrett
January 14, 2025

As organizations rush headlong into the AI revolution, a familiar pattern is emerging. For integrations, we've seen it before with APIs, with microservices, and now with the Model Context Protocol (MCP).

The technology arrives, excitement builds, adoption accelerates—and then the cracks begin to show.

Today, many enterprises find themselves in precisely this position with MCP, caught between ambitious AI investments and the sobering realisation that their governance practices are failing to keep pace.

Case study

Sandra* is Head of API Products at a global industrial corporation. She’s been leading a successful enterprise API management function. Under her guidance, the last seven years have seen her team strike the right balance between centralized API governance and tooling on the one hand, and federated API design and deployment for engineering teams and their partners on the other.

This level of API maturity has created the environment for a recent commitment to “go all-in” with MCP, as an integral part of the enterprise’s AI agenda.

Sandra and her team fully understand and support the direction, except she explains: “It’s just our practices haven’t had time to catch up yet.”

The API governance and discipline were built up incrementally over months that spread into years. While they made mistakes along the way, they have had time to learn and enact change. This has included new funding models for long-running enterprise API management; working with adjacent teams looking after security or third-party API consumer onboarding; and putting in place the right incentive and measurement systems to communicate the change in adopting new, federated API design and deployment practices.

It feels like there has been no such luxury for trying, learning, and adjusting with MCP.

Sandra’s focus now is on helping her colleagues and stakeholders find the time and space to manage this. She expects there will be uncomfortable conversations ahead when they find they need to slow some things down in order to get the right governance practices in place for an AI/MCP world.

She’s approaching it with the principle that “MCP is just another type of API in an already diverse API toolbox” and staying anchored to the attitude that she and her team are enablers of other teams’ success, while keeping enterprise-wide visibility and an expectation of control and good standards.

The Promise and the Problem

The enthusiasm is understandable. MCP represents a significant step forward in how we integrate AI capabilities across our technology stacks. Companies are committing heavily to MCP, viewing it as fundamental to their AI strategy.

Yet beneath this commitment lies a growing tension.

Security reviews are becoming bottlenecks. Teams struggle to publish MCP servers in a governed, secure manner. What worked for traditional APIs isn't quite fitting the MCP model, and the pressure to move fast is colliding with the need to move safely.

Consider the typical scenario: a design team wants everything in Figma, whilst the analytics team is pushing for Microsoft Copilot integration. Meanwhile, nothing is making it through security reviews. Sound familiar? This fragmentation isn't a failure of technology—it's a governance gap.

Learning from API Maturity

Here's where experience becomes invaluable. Organizations that invested early in API management (APIM) disciplines understand something crucial: robust governance frameworks are not obstacles to innovation; they enable it.

API success stories (organisations with public programs, platforms, and API governance in place) didn’t emerge from wild experimentation followed by painful consolidation. They grew from thoughtful governance that balanced security, discoverability, and developer freedom, and that evolved into platform guardrails.

The same principles apply to MCP, but with important nuance.

Yes, MCP is fundamentally "just a type of API," but it operates in a distinctly different context. Traditional APIs connect systems; MCP connects AI models to context and tools. This difference matters for security models, for access patterns, and for how we think about discovery and composition.

The MCP Strategy: Building on API Foundations

So what does an MCP strategy look like in an AI-noisy world? It starts by recognising that we needn't reinvent the wheel, but we do need to adapt it. The disciplines that made API programs successful—catalogue management, security reviews, version control, documentation standards—all have direct analogues in the MCP world.

However, we must also acknowledge the unique challenges.

MCP servers need secure registration mechanisms. Teams require clear patterns for publishing and discovering capabilities. Security frameworks must account for the dynamic nature of AI interactions whilst maintaining appropriate controls. This means avoiding a cookie-cutter API governance model: it's about translating proven principles into a new context.

Slowing Down to Speed Up

Perhaps the hardest truth to accept is this: to move fast with MCP in the long term, most organisations will need to slow down in the short term.

This means pausing to establish proper governance frameworks, creating secure patterns for MCP server deployment, and building the registries and discovery mechanisms that will enable sustainable growth.

The alternative—continuing to rush forward without these foundations—leads to fragmentation and security paralysis.

Every team building their own approach, every security review becoming a bespoke negotiation, every integration requiring custom governance decisions.

This risks a path to technical debt that will haunt organisations—and the people trying to support them—for years.

Moving Forward

The opportunity is clear: apply the hard-won lessons from API management to MCP, and do so thoughtfully.

Recognise that while MCP shares DNA with traditional APIs, it operates in a different client and application ecosystem.

Build governance that enables rather than constrains.

And most importantly, resist the temptation to skip the foundational work in the rush to deploy AI capabilities.

Those who get this right—who invest in MCP governance now—will find themselves with a significant advantage as AI integration becomes table stakes. They'll move faster, more securely, and with greater confidence than competitors still struggling with ad-hoc approaches.

The question isn't whether to invest in MCP governance. It's whether to do so proactively or to learn these lessons the hard way.
