external data sources and tools.
• Foundation for scalable, modular agentic AI systems.

Introduction | The problem

Large Language Model (LLM) knowledge cutoff
Knowledge of LLMs is static, limited to what they were trained on up to a certain point in time.

Retrieval-Augmented Generation (RAG)
Retrieval and pre-processing of information from external data sources, augmentation of the LLM prompt with relevant retrieved data.

• Outdated or incomplete answers.
• Inability to answer domain-specific questions and questions requiring access to private or organizational internal data.

Interface fragmentation - lack of standardized interfaces between AI-powered applications and external data sources - leading to integration complexity, increased development and maintenance efforts.
external data sources and tools.
• Inspired by Language Server Protocol (LSP).
• Follows client-server architecture.
• Stateful session protocol.
• Language- and framework-agnostic.
• Data layer: JSON-RPC 2.0 based message exchange.
• Transport layer:
  • For local communication - stdio (standard input/output),
  • For remote communication - Streamable HTTP,
  • Support for implementing custom transport mechanisms.

MCP at a glance | Protocol overview
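The "stateful session" and "JSON-RPC 2.0" points above, sketched as a server-side message handler that refuses tool discovery until the initialization handshake has completed. This is an added example, not code from the slides or from an MCP SDK; the `Session` class, the sample tool, the protocol revision string and the error code used for an uninitialized session are assumptions of this sketch.

```python
import json

PROTOCOL_VERSION = "2025-06-18"  # assumed spec revision, not stated on the slides

def _result(msg_id, result):
    return {"jsonrpc": "2.0", "id": msg_id, "result": result}

def _error(msg_id, code, message):
    return {"jsonrpc": "2.0", "id": msg_id, "error": {"code": code, "message": message}}

class Session:
    """Hypothetical server-side session: new -> initializing -> ready."""

    def __init__(self, tools):
        self.state = "new"
        self.tools = tools

    def handle(self, raw):
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            return _error(None, -32700, "Parse error")
        if (not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0"
                or not isinstance(msg.get("method"), str)):
            return _error(None, -32600, "Invalid Request")
        method, has_id = msg["method"], "id" in msg
        if method == "initialize" and has_id and self.state == "new":
            self.state = "initializing"
            return _result(msg["id"], {
                "protocolVersion": PROTOCOL_VERSION,
                "capabilities": {"tools": {}},
                "serverInfo": {"name": "demo-server", "version": "0.1"},
            })
        if method == "notifications/initialized" and self.state == "initializing":
            self.state = "ready"
            return None
        if not has_id:
            return None  # JSON-RPC notifications never receive a response
        if self.state != "ready":
            # Error code choice is this sketch's own, not taken from the slides.
            return _error(msg["id"], -32600, "Session not initialized")
        if method == "tools/list":
            return _result(msg["id"], {"tools": self.tools})
        return _error(msg["id"], -32601, "Method not found")

def demo():
    s = Session([{"name": "get_weather", "description": "constructed sample tool"}])
    early = s.handle('{"jsonrpc":"2.0","id":1,"method":"tools/list"}')
    init = s.handle('{"jsonrpc":"2.0","id":2,"method":"initialize","params":{}}')
    s.handle('{"jsonrpc":"2.0","method":"notifications/initialized"}')
    listed = s.handle('{"jsonrpc":"2.0","id":3,"method":"tools/list"}')
    return early, init, listed
```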
2024.
• Since early 2025, MCP specification has been adopted by OpenAI, Google, Microsoft, AWS, and others.
• Official SDKs available for Python, TypeScript, Java, Kotlin, Go, Rust, C#, Swift, Ruby, PHP.
• SDKs maintained in collaboration with Google, Microsoft, JetBrains, Spring AI, Shopify, The PHP Foundation.
• Rapidly growing ecosystem.

More info: https://modelcontextprotocol.io/

MCP at a glance | Adoption and ecosystem
Architecture overview

[Figure: architecture diagram with the labels AI application, MCP host, LLM, MCP client, MCP server, Local data source, Remote service, Model Context Protocol]
the model.

MCP at a glance | MCP server primitives

Resources
  Description: Read-only access to data sources, each resource is uniquely identified by a URI.
  Controlled by: Application-controlled - the AI-powered application determines how to incorporate resource content into the context based on application requirements.

Tools
  Description: Executable functions that allow the model to perform actions.
  Controlled by: Model-controlled - the model discovers and invokes tools based on contextual understanding and prompts.

Prompts
  Description: Prompt templates, predefined structured message templates that help guide the interaction between the user, the model and the MCP server.
  Controlled by: User-controlled - users trigger prompts by issuing commands through the user interface.
features
• Roots - the client can expose specific parts of its filesystem to the server, with client-controlled access to them. Other addressable URIs may also be exposed.
• Sampling - a way for the server to request LLM sampling (completions) via the client.
• Elicitation - a way for the server to request additional information from the user via the client.

MCP server features
• Subscription for resource changes - the client can subscribe to specific resources and receive notifications from the server when those resources change.
• Completion - a way for the server to communicate argument autocompletion suggestions for prompts and resource URIs to the client.
• Pagination - a way for the server to return results to the client in chunks.
• Logging - a way for the server to send structured log messages to the client. The client can control the log level / logging verbosity.

MCP client and server (common) features
• Progress tracking - a way to notify the counterpart about the progress of a long-running operation.
• Cancellation - a way to request cancellation of an in-progress request.
• Ping - a mechanism to verify that the connection with the counterpart is still alive and the counterpart is still responsive.
The model’s tool selection accuracy may decline when presented with a large number of tools.

Context distraction and confusion
• Context degradation syndrome - loss of focus, context cluttering, context drift
• Inconsistent and inaccurate model output
• Hallucination

Context window overflow
• Token tax
• Truncation risk - potential loss of contextual information
• Resource drain

Backend overload
• Backend resource drain and performance degradation - in extreme cases, denial of service
between the AI-powered application and external data sources. Use API gateways and other middleware tools to complement MCP servers where appropriate.
• MCP proxy servers may be appropriate in certain scenarios and tools exist to automate their generation from API specifications/metadata. However, their use as a bridge to existing APIs shall be based on a case-by-case evaluation, and must not be adopted as a generic mechanism for the entire fleet of APIs.
• Modern APIs are often resource-centric (and may align with MCP resources), but MCP tools must be task-oriented. Consider developing higher-level tools to encapsulate and orchestrate API interactions.
• Shift focus from prompt engineering to context engineering - pay close attention to what goes into the context.
• Curate MCP server responses by applying entity filtering, field pruning and selecting appropriate data formats.

Key considerations (1/3)
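Response curation as named in the last bullet above (entity filtering, field pruning, a compact data format), applied to a backend payload before it is returned as a tool result. This is an added example, not code from the slides; the order records, field names and the `curate` helper are constructed for illustration. Pruning by allowlist also keeps private fields out of the model's context unless a tool explicitly needs them.

```python
import csv
import io
import json

# Constructed backend payload for a hypothetical "list orders" tool.
BACKEND_ROWS = [
    {"order_id": "A-1001", "status": "open", "total": 129.5, "currency": "EUR",
     "customer_email": "jane@example.com", "internal_notes": "VIP", "etag": "x1"},
    {"order_id": "A-1002", "status": "closed", "total": 15.0, "currency": "EUR",
     "customer_email": "joe@example.com", "internal_notes": "", "etag": "x2"},
    {"order_id": "A-1003", "status": "open", "total": 980.0, "currency": "USD",
     "customer_email": "ann@example.com", "internal_notes": "fraud check", "etag": "x3"},
]

# Allowlist: any field not named here never reaches the model's context.
TOOL_FIELDS = ("order_id", "total", "currency")

def curate(rows, status, fields=TOOL_FIELDS, limit=50):
    """Entity filtering, then field pruning, then a compact CSV rendering."""
    kept = [r for r in rows if r.get("status") == status][:limit]
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")  # quotes commas and newlines
    writer.writerow(fields)
    for r in kept:
        writer.writerow([r.get(f, "") for f in fields])
    return buf.getvalue()

def size_report(rows, status):
    """Compare the raw JSON payload size with the curated tool result."""
    return {"raw_chars": len(json.dumps(rows)),
            "curated_chars": len(curate(rows, status))}
```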
• Consider chunking and map-reduce techniques to address some performance and context window size limitations.
• Proactively address the «lethal trifecta» for AI agents - access to private data, exposure to untrusted content, ability to externally communicate - through robust controls and safeguards.
• Design multi-agent systems with clearly separated agents, each operating in its own context and accessing only the MCP servers and tools relevant to its role and AI agent persona.
• Implement guardrails to sanitize inputs to and outputs from the model.
• Be mindful of instruction hierarchy and prioritization of privileged instructions.
• Use human-in-the-loop control for critical workflow steps.

Key considerations (2/3)
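One way to turn the trifecta, role-separation and human-in-the-loop bullets above into a reviewable policy check: tag each onboarded tool with the trifecta legs it contributes, flag any agent whose granted tools cover all three, and gate calls by role allowlist and approval. This is an added example, not code from the slides; the tool names, agent names and capability tags are constructed.

```python
from dataclasses import dataclass

PRIVATE, UNTRUSTED, EXTERNAL = "private_data", "untrusted_content", "external_comm"
TRIFECTA = {PRIVATE, UNTRUSTED, EXTERNAL}

@dataclass(frozen=True)
class Tool:
    name: str
    legs: frozenset         # trifecta legs this tool contributes (set at onboarding)
    critical: bool = False  # True: call needs human approval

# Constructed tool inventory and per-agent grants.
TOOLS = {t.name: t for t in [
    Tool("crm.read_customer", frozenset({PRIVATE})),
    Tool("web.fetch_page", frozenset({UNTRUSTED})),
    Tool("mail.send", frozenset({EXTERNAL}), critical=True),
    Tool("kb.search", frozenset()),
]}
AGENTS = {
    "support-agent": {"crm.read_customer", "kb.search"},
    "research-agent": {"web.fetch_page", "kb.search"},
    "do-everything": {"crm.read_customer", "web.fetch_page", "mail.send"},
}

def trifecta_findings(agents=AGENTS, tools=TOOLS):
    """Return agents whose granted tools together cover all three legs."""
    findings = {}
    for agent, granted in agents.items():
        legs = set().union(*(tools[n].legs for n in granted))
        if TRIFECTA <= legs:
            findings[agent] = sorted(granted)
    return findings

def authorize(agent, tool_name, human_approved=False, agents=AGENTS, tools=TOOLS):
    """Gate a tool call: role allowlist first, then human-in-the-loop."""
    if tool_name not in agents.get(agent, set()):
        return "deny: tool not in agent's role"
    if tools[tool_name].critical and not human_approved:
        return "hold: human approval required"
    return "allow"
```

Running `trifecta_findings()` at onboarding time, before a grant is deployed, catches the combination that no single tool review would reveal.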
mitigate supply chain risks, thoroughly assess and audit onboarded MCP servers.
• Review the authentication and authorization mechanisms that are currently in use, as well as the infrastructure that enables and supports them. Encourage the adoption of OAuth based authorization flows, consider the use of dynamic client registration as a part of it.
• Set up observability infrastructure for MCP servers to ensure active discovery, monitoring, logging, tracing, alerting and anomaly detection.
• As MCP adoption grows, the MCP registry and gateway become increasingly critical as the single entry point for publication, discovery and inventory of verified MCP servers and tools, along with centralized management of server interactions. For inspiration, see MCP Registry, Smithery, Azure API Center, Kong AI Gateway, GitHub MCP Registry, Docker MCP Catalog, Docker MCP Toolkit and Docker MCP Gateway.
• MCP servers can be thought of as specialized microservices, inheriting proven and relevant best practices in areas such as development, deployment, monitoring and security.

Key considerations (3/3)
applications connect to external data sources and tools, making LLMs aware of real-time data, both public and internal to the organization. MCP also introduces challenges. Many are neither new nor unique to MCP, but it enables new exploitation methods, and wider adoption amplifies both their impact and associated risks.
rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to this material.

Thank you!
Vadim Klimov
https://linktr.ee/vadimklimov