Scott Wueschinski
← All articles

Insight

MCP servers are the only durable IP in your AI stack

Models churn. Vendors churn. Frameworks churn. The only piece of your AI stack that compounds is the MCP servers wrapping your proprietary data and workflows. Build them like you mean it.

· 7 min read

Models will churn. Vendors will churn. Frameworks will churn.

The only piece of your AI stack that compounds is the MCP servers wrapping your proprietary data and workflows. Build them like you mean it — because everything else is renting.

This article is the long-form expansion of an argument I’ve been making across client engagements through 2025 and 2026: in an AI stack where the model layer turns over every nine months, the integration layer is where durable IP lives. Most teams are still investing the wrong way.

What “MCP server” means in this context

Model Context Protocol — MCP — is the specification for how language models talk to tools and data. An MCP server is a program that exposes a set of tools and resources over the protocol; any MCP-aware client (Claude Code, Claude API, Cursor, custom agent runtimes, every major IDE in 2026) can use those tools.

What goes in an MCP server depends on the workspace:

  • Read access to your CRM (filtered by row-level policy, not “give me everything”)
  • Write access to specific systems (open a ticket, send a message, post a draft, update a record)
  • Read access to your knowledge base (with source attribution back to canonical docs)
  • Read access to your warehouse (with eval-harness instrumentation on every query)
  • Read/write access to internal tools that don’t have public APIs (this is where the IP lives)

The tools you expose are the operating handles your agents use to do work. The data you expose is the context your agents reason against. The MCP server is the engineered surface where both happen.

Why the MCP layer is durable in a way the model layer isn’t

Three reasons, in increasing order of importance.

1. The model is replaceable. The integration is not.

Every nine months, a new model materially changes the optimum for some agent workload. Claude 4.6 to Claude 4.7. GPT-4 to GPT-5. A new specialized model for code, or for routing, or for synthesis.

If your integration layer is welded to a specific model SDK, every model upgrade is a rewrite. If your integration layer is MCP, every model upgrade is a configuration change.

That’s not a minor difference. It’s the difference between a team that can experiment with models in days and a team that defers model decisions for quarters because the rewrite cost is too high. The compounding advantage to the first team is enormous.

2. Every MCP server you build accelerates every future agent.

The first agent in an MCP-native stack feels like more work than the equivalent agent in a one-off framework. The MCP server has a real spec. Auth is structured. Tool surfaces are deliberate. You spend an extra week or two on the server design.

The second agent shipped against the same MCP servers takes a fraction of the time. The third takes less. By the fifth agent, the team is shipping agentic features in days that would have taken quarters in the bespoke world.

This is the same compounding-leverage curve we saw with REST APIs in the 2010s: the first one is more work than the alternative; the tenth is unrecognizably faster.

3. The MCP server is where your unique business knowledge gets encoded.

The model knows English. The model does not know your customer support taxonomy, your product’s edge cases, your sales team’s escalation paths, your company’s pricing philosophy, or how your CRM actually got customized over six years.

That knowledge is your IP. The MCP servers are where you encode it — not as a prompt that gets re-injected on every agent call (expensive, brittle, leaks across contexts), but as tools and resources the agent calls when needed (auditable, scoped, structured).

A team that has built ten well-designed MCP servers has a defensible AI moat. A team that has wired up ten Anthropic SDK integrations has a maintenance burden.

What “build them like you mean it” looks like

Most teams that ship MCP servers in 2026 ship them like internal scripts: minimal auth, minimal logging, minimal error handling, minimal documentation. That’s a wasted opportunity. The MCP layer is going to outlive most of the rest of your AI stack — design accordingly.

Five things to bake in from day one:

1. Row-level auth, not “give the agent everything”

The default mistake is to give the agent admin access to the underlying data source. It’s faster to ship that way. It’s also a security audit failure waiting to happen.

The right pattern: the MCP server takes the requesting user’s identity (Slack user, GitHub user, API consumer) and applies row-level policy when it queries the underlying data. The agent never has more access than the user it’s acting on behalf of.

This is a meaningful design lift the first time. The lift compounds against you if you skip it — every agent built against the unscoped MCP server is later affected by the auth model fix.

2. Tool descriptions that read like onboarding docs

The MCP tool description is the prompt-engineering surface that most teams under-invest in. The model reads the tool description before deciding whether to call it. A vague description leads to wrong calls or no calls; a sharp one leads to right calls.

Treat tool descriptions like onboarding documentation. Include: what the tool does, when to call it, when not to call it, what the input means, what the output looks like, common mistakes. A good tool description is 4-8 sentences. A bad one is 1.

3. Eval harness on the MCP layer, not just the agent layer

You’d run an eval harness against the production agent using the MCP server. Run a separate harness against the MCP server itself. Does the tool return the right shape on the inputs that real agents send? Does the auth scope behave correctly under each user role? Are there edge cases in the data that produce empty or malformed responses?

This catches a class of failures that agent-layer evals miss — because the agent-layer eval is testing whether the agent makes the right decision given a working MCP server. The MCP-layer eval is testing whether the MCP server is working in the first place.

4. Versioning + a deprecation path

Tools will change. Data shapes will change. Auth scopes will tighten. If your MCP server has no versioning story, every change is a breaking change for every agent in production.

Adopt the same versioning hygiene you’d use for a public API: explicit version numbers in tool names or in the server identifier, a deprecation period for breaking changes, telemetry on which agents are still calling the old version. None of this is hard. All of it gets harder if you skip it.

5. Documentation aimed at the agent operator, not the human reader

The MCP server’s primary consumers are agents, not humans. Document accordingly:

  • Schema definitions in machine-readable form (JSONSchema, OpenAPI, or MCP’s native tool descriptors)
  • Example calls with example outputs, in code
  • Failure-mode taxonomy: when does this tool return an error, what kind, how should the agent recover?
  • Telemetry hooks: how do you observe what the tool did and how often, in production?

Human-readable docs are a layer on top of the machine-readable docs, not a replacement for them.

What this means for the build-vs-buy decision

For most B2B SaaS teams in 2026, the MCP-native build-vs-buy framework is roughly:

  • Build — MCP servers wrapping proprietary data, internal tools, and company-specific workflows. This is your moat.
  • Buy — generic MCP servers (filesystem, GitHub, Slack, Jira) where the surface is identical across customers and the differentiation is zero.
  • Build cautiously — semi-generic MCP servers (CRM, warehouse, marketing automation) where the off-the-shelf version exists but lacks the auth model or telemetry your enterprise needs. Often easier to wrap an existing API in your own MCP server than to retrofit auth into a vendor’s MCP server.

The thesis: build the IP, buy the substrate. Same as I argued in What ‘AI-native’ actually means when you ship it.

The CODN angle

The cost of treating the MCP layer as a script-grade afterthought:

  • Every model upgrade becomes an integration rewrite. Compounds quarterly.
  • Every new agent ships at base velocity. No leverage from the prior agent’s integration work.
  • The audit and security debt accumulates. The retrofit becomes harder every quarter.
  • The unique business knowledge stays in prompts and Notion docs instead of in scoped tools. Knowledge transfer becomes a hiring problem, not an infrastructure problem.
  • Talent flight risk. Senior AI engineers in 2026 evaluate teams partly by their MCP architecture. Teams without one don’t get the senior candidates.

The CODN of skipping MCP discipline in 2026 is roughly: an extra 30-50% on the cost of every future AI build, plus a senior-talent gap that compounds. Numbers vary; direction does not.

The bottom line

Models churn. Vendors churn. Frameworks churn.

The MCP servers wrapping your proprietary data and workflows are the only piece of your AI stack that compounds. They’re also the layer where most teams are under-investing right now — shipping internal-script-grade implementations that won’t survive their first auth audit, let alone their first model upgrade.

The teams treating MCP servers as load-bearing IP today are the ones that will have a defensible AI moat in 2027. The teams that treat MCP as glue code will be doing the rewrite their competitors finished a year earlier.

Build them like you mean it.