Every regulated enterprise I talk to right now is asking the same question — how do we actually roll out MCP without lighting a supply-chain risk fire? For episode 26 of the Naftiko Capabilities Podcast I sat down with Manu PK from Schneider Electric, who has been doing exactly that for a 5,000-developer organization on GitHub Copilot.
We walk through why the registry was needed, how the allow-list policy and vulnerability scanning wrap around it in production, what’s on the registry today, and the API administration concern that’s quietly the next shoe to drop: when every developer’s agents start firing 300-issue Jira queries at the same upstream APIs, the receiving end is going to feel it.
Three things to take away from this one:
- The registry itself is the small artifact. It’s a JSON file. The discipline that wraps it — the allow-list policy, vulnerability scanning, per-team configuration guides — is the bigger investment.
- The API administration concern is the next shoe to drop. If your developers are firing 300-issue Jira queries through Copilot, the receiving APIs are going to feel it. Plan for it before it shows up in an on-call rotation.
- Content gaps for enterprise practitioners are real. Most MCP material out there is consumer-grade. The people doing the work at scale need to keep publishing what they’re learning — Manu’s site is one of the better signals out there for the enterprise side of this conversation.
Thanks to Manu for the time, and for being one of the practitioners willing to walk through the whole rollout on tape.
