Everyone is shipping MCP servers. Almost nobody is pricing them.
That gap is the most expensive thing in your agent stack right now, and it does not show up on any invoice you can read today. It shows up later, in the incident channel, in the all-hands postmortem, in the quarter you spend rebuilding what you already “shipped.” I call it the agent tax. It is the compounding cost of standing up a script-grade MCP server and calling it production.
Here is the setup. MCP won. A May 2026 pull from the official MCP Registry counted 9,652 latest server records, and Anthropic’s December 2025 ecosystem update cites more than 10,000 active public MCP servers. The protocol solved the integration problem cleanly. The trouble is what teams assume that win covers.
Protocol interoperability is not operational safety
This is the line that should be tattooed on every agent builder’s monitor. CodiLime put it precisely earlier this year. Most MCP examples, tutorials, and demo servers are built around tools with a contained blast radius: local files, test databases, issue trackers, developer APIs, where a bad tool call usually means a failed request or an embarrassing bug. Then you point that same pattern at a real system. That does not make MCP bad. It means protocol interoperability is not the same thing as operational safety.
The model will not save you here. It calls a write-capable tool not because it is malicious, but because it is doing what it was designed to do: follow instructions and complete the task. That is exactly why the model is not an authorization engine and cannot reliably enforce permission boundaries, change windows, or approval requirements unless those controls are enforced outside the model.
A script-grade server skips all of that. It works in the demo precisely because the demo has no adversary, no scope creep, and no audit requirement. Production has all three.
The tax is paid in scope, secrets, and silence
Let me itemize the bill, because vague risk talk does not move budgets. Specifics do.
Scope. An agent built to summarize Jira tickets might carry the credentials to delete them, close projects, or modify permissions, and when an injected instruction compromises that agent, the attacker inherits the full scope of what the server can do. The blast radius is determined by how over-provisioned the access control was, not by what the agent was actually supposed to do. You did not scope it down before production because the demo did not require it. The retrofit does.
Secrets. This is the line item that quietly accrues for years. Astrix analyzed over 5,200 open-source MCP server implementations and found that while 88% require credentials, over half (53%) rely on insecure, long-lived static secrets like API keys and personal access tokens, while OAuth adoption sits at just 8.5%. Static secrets are debt with interest. A compromise becomes durable access rather than a short-lived incident, and because credentials get reused across devices and agent instances, rotation and revocation become painful enough that teams delay them, which extends exposure further.
Silence. The cheapest server logs nothing useful. You lose identity and least privilege at the boundary: logs show a generic automation identity rather than the human who initiated the action, and the tool runs with the permissions of a shared credential, so role boundaries that existed upstream disappear at the point of execution. When the incident comes, you cannot answer the only question that matters: who did what, and with whose authority.
These are not hypotheticals. Over 437,000 developer environments were compromised via CVE-2025-6514, with attackers gaining access to environment variables, credentials, and internal repositories. Vendors are still arguing about fixes. An information disclosure flaw in the Alibaba RDS MCP server, stemming from the server not authenticating users before invoking its RAG tool, was reported in November and told it was “not applicable” for a fix, so it is still in the codebase.
Build the boring layer, or pay the CODN
This is where the Cost of Doing Nothing framework earns its keep. CODN is not the cost of the breach. It is the cost of the retrofit you keep deferring, compounded by the fact that you will eventually do it under incident pressure at multiples of the original price. Deferral is not a savings. It is a loan with a brutal rate.
The fix is unglamorous and known. Enforce controls at the infrastructure layer: identity-aware execution, tool-level access control, centralized credential management, human approval for destructive operations, and structured audit logs retained in your own environment. Build that once, in front of every server, and the marginal cost of the next agent drops to near zero.
The good news: the protocol is catching up. The MCP 2026-07-28 release candidate is the largest revision since launch, delivering a stateless core, a Tasks extension for long-running work, and authorization that aligns more closely with OAuth and OpenID Connect. Use it. But do not wait for the spec to enforce your org’s policy, because it never will.
The demo is free. Production sends an invoice. You can pay it on your terms now, building the control plane while the stack is small, or pay it later on the attacker’s terms, with your name in the postmortem. The teams that win the next 18 months are the ones treating MCP servers as load-bearing infrastructure today, not weekend scripts they will harden someday. Someday is the most expensive word in your roadmap.