Enterprise AI is reaching an inflection point. The Model Context Protocol (MCP) is emerging as the standard for connecting AI agents with enterprise data and tools. But one question looms large for CIOs, CISOs, and platform teams: can MCP truly be trusted with mission-critical workloads?

For organizations handling healthcare records, financial transactions, or regulated customer data, the stakes could not be higher. MCP adoption at scale depends on solving three interconnected problems—security, governance, and observability. Without them, the most valuable data will remain locked away, leaving agentic workflows confined to low-risk use cases. As Randy Bias, VP of Strategy & Technology at Mirantis, put it: the issue isn’t whether MCP works. It’s whether enterprises can make it work safely in production.

Shadow Agents and Data Risks

Bias warns that enterprises are already seeing a new form of shadow IT: “shadow agents.” Developers are spinning up MCP servers on laptops or in unauthorized environments, often connecting to data sources without oversight. The parallels to early cloud adoption are striking—when AWS accounts proliferated outside IT’s purview—but the risks are sharper when sensitive PII or healthcare records are involved.

To mitigate those risks, organizations need control planes that can enforce data residency and prevent unauthorized access. “There are going to be times where you specifically need agents to talk to some of your high-sensitivity data, but you may want them to use on-prem inference engines,” Bias explained. Enterprises can’t risk sending regulated data to external LLMs, so guardrails must ensure certain workflows remain strictly local.

Kubernetes as the Foundation

The good news: the underlying infrastructure isn’t the problem. “AI-native apps are just another form of cloud-native apps, and that’s Kubernetes,” said Bias. Enterprises already know how to scale and operate Kubernetes-based systems. The orchestration and resource management patterns are proven.

The missing piece is policy. Open source projects are beginning to fill gaps—secure MCP gateways such as AgentGateway and ArchGW allow enterprises to enforce guardrails, while Anthropic’s MCP Registry adds discoverability. But a fully integrated, enterprise-grade product does not exist yet. “Nobody’s got that really yet,” Bias admitted. As with early cloud-native adoption, production patterns are still being figured out through trial and error.

Mirantis’ Fast Track Approach

To accelerate adoption, Mirantis is rolling out Fast Track services and blueprints for secure MCP control planes. These services combine professional consulting with reference architectures to help enterprises deploy MCP responsibly today. Training is also part of the plan, equipping “agentic engineers” with the knowledge to use MCP securely and effectively.

Bias stressed the need for flexibility. With the MCP ecosystem evolving rapidly, Mirantis is positioning itself to help customers stitch together today’s disparate tools while preparing for tomorrow’s integrated solutions.

Non-Deterministic Business Logic

Beyond infrastructure, MCP represents a shift in how business logic is handled. Traditional applications rely on deterministic code paths that can be audited and tested. Agentic workflows, by contrast, outsource logic to large language models, creating continuous loops of non-deterministic behavior.

“Your business logic, in effect, right now, is being outsourced to the LLMs,” said Bias. This raises new governance challenges. Enterprises need a mix of safeguards—guardrails that block certain requests, virtual air-gapping that forces sensitive data to stay on-prem, and AI-assisted monitoring of LLM interactions in real time. Policies must evolve beyond static rule sets to handle the dynamic nature of agentic workflows.

The Observability Gap

If security is hard, observability may be harder. Bias described current observability for MCP-driven systems as “very, very nascent.” Complexity grows as agents call tools, tools get wrapped as additional agents — and execution spans both on-premises and cloud inference engines.

CIOs want a bird’s-eye view, but today’s monitoring tools are not built for agentic architectures. Evaluation frameworks are also missing—enterprises need the equivalent of A/B testing for AI models to assess accuracy and performance after changes. “You want to make sure you’re not regressing in terms of performance and capabilities each time you do a new release, or even change your GPUs,” Bias noted. Right now, that’s an open research problem.

Guardrails, Not Gates

Governance must strike a delicate balance. Enterprises can’t afford to slow down innovation—developers will simply route around restrictive controls. But too little oversight risks data leakage or compliance failures. Bias summarized the tension: “Somehow we’ve got to thread the needle of allowing engineers to go as fast as possible, while doing it in a secure and compliant way.”

This means policy frameworks need to be adaptive, context-aware, and capable of spanning global regulatory differences. For instance, enterprises in Thailand must block queries about the monarchy, while EU organizations face stringent AI governance requirements. Each company must own its policies, but MCP needs to provide the control plane to enforce them.

What Comes Next

Bias compared today’s MCP landscape to the early OpenStack days. Enterprises relied heavily on services-based engagements, best practices took years to emerge, and eventually a smaller set of defaults coalesced into de facto standards. MCP will likely follow the same trajectory.

Right now, enterprises should focus on training, experimentation, and building internal expertise. Adopt MCP for lower-sensitivity data. Instrument for observability, even with immature tools. Define clear policies early, even if enforcement mechanisms evolve later. The organizations that start learning now will be better positioned when standards solidify.

“We’re all in learning mode right now,” said Bias. “Over time, the best practices will emerge. But if enterprises wait for perfect tooling, they may find themselves years behind competitors who learned by doing.”