April 2-3, 2026
New York, NY

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for MCP Dev Summit North America to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.


Friday, April 3
 

8:00am EDT


Zen Zone
Friday April 3, 2026 8:00am - 5:45pm EDT
Need some space and quiet time? We’ve got you covered! Visit the Zen Zone for some extra relaxation.
Friday April 3, 2026 8:00am - 5:45pm EDT
Soho Room (7th Floor)

9:00am EDT

Keynote: MCP Apps: Extending the Frontier - Ido Salomon, Creator MCP-UI & Liad Yosef, Co-creator, MCP Apps
Friday April 3, 2026 9:00am - 9:20am EDT
AI agents are quickly becoming the new browsers, changing how users consume content and get work done. That shift is increasingly powered by a new generation of agentic apps that don’t just present text but deliver interactive experiences within any MCP host. By standardizing interactive UI on MCP, the MCP Apps official extension (SEP-1865) is poised to become the new agentic app runtime, serving as the backbone of the future and removing adoption obstacles that previously hindered the protocol.

Join us to learn more about:

The new web -
How MCP Apps reshapes the traditional app landscape and transforms the way users interact with the web

MCP Apps -
- Architecture
- Real-world use cases
- What's ahead?
- Getting started (+community and #mcp-apps-wg)

Future vision
Speakers
Liad Yosef

Co-creator, MCP Apps
Liad Yosef is a seasoned AI lead and software architect. He is the co-builder of MCP-UI, the co-author and maintainer of MCP Apps on the MCP Steering Committee, and a co-creator of GitMCP. Previously AI Lead in Shopify's CEO office, leading agentic interfaces, and currently the c...
Ido Salomon

Creator, MCP-UI
Ido Salomon is a seasoned AI lead and software architect. He is the creator of MCP-UI and AgentCraft, a co-author and maintainer of MCP Apps on the MCP Steering Committee, and a co-creator of GitMCP. Previously, Ido led end-user AI at Palo Alto Networks. He is an avid open-source...
Friday April 3, 2026 9:00am - 9:20am EDT
Broadway Ballroom (6th Floor)
  Keynote Sessions
  • Audience Experience Level Any

9:20am EDT

Keynote: Context is More Than Tools - Why the "C" in MCP is More Relevant Than Ever - Ryan Cooke, Engineering Lead, WorkOS
Friday April 3, 2026 9:20am - 9:30am EDT
  • Large language models excel at navigating information spread across files, tools, and systems. They can grep, synthesize, and reason about what to look for in response to user prompts. And while this capability improves, a different constraint is emerging: semantic alignment.
  • This talk focuses on the premise of context engines. These are systems that encode how an organization’s knowledge is structured and interpreted. In many companies, a term like “customer,” “account,” or “environment” means different things depending on the team or workflow. A context engine captures those relationships and semantics, making them usable both for search and as structured context for LLMs.
  • Unlike naive RAG approaches that retrieve documents, context engines provide meaning. They help LLMs interpret intent, disambiguate internal terminology, and reason within the mental model of a specific organization or domain. The same semantic layer that improves search also improves prompting, tool selection, and response quality.
  • We’ll explore why the “C” in MCP matters more than ever, how context engines complement modern LLM workflows, and what it looks like to move beyond tools toward shared, durable context.

Speakers
Ryan Cooke

Engineering Lead, WorkOS
Ryan Cooke is a technologist and founder with two decades of experience building early-stage startups. Despite several founding roles, he remains a developer at heart, drawn to hard problems in information retrieval, security and data modeling. He’s led engineering teams across...
Friday April 3, 2026 9:20am - 9:30am EDT
Broadway Ballroom (6th Floor)

9:35am EDT

Keynote: MCP x MCP - Nick Cooper, Member of Technical Staff, OpenAI
Friday April 3, 2026 9:35am - 9:50am EDT
Layering and connecting multiple MCP systems
Speakers
Nick Cooper

Member of Technical Staff, OpenAI
Nick Cooper is a senior member of technical staff at OpenAI working with a particular focus on scalable patterns to make life easy while iterating quickly. He is the technical lead at OpenAI for protocols, MCP Core maintainer and AAIF governing board member. He comes from a brief...
Friday April 3, 2026 9:35am - 9:50am EDT
Broadway Ballroom (6th Floor)
  Keynote Sessions

9:50am EDT

Keynote: Building a Unified Control Plane for MCP Across Servers, Clients, and Teams - Cecilia Liu, Senior Product Manager, Docker
Friday April 3, 2026 9:50am - 10:00am EDT
Today, there are tens of thousands of MCP servers available, and developers are increasingly pulling unvetted servers from the open internet. While this accelerates experimentation, it also introduces real security risks, leaving enterprises flying blind, with limited visibility into what’s being used and increased exposure to emerging threats such as tool poisoning and prompt injection.
For MCP to scale effectively in enterprise environments, organizations must strike a balance between developer velocity and enterprise-grade visibility and control. A key enabler is a gateway that acts as a unified control plane across MCP servers, clients, and teams.
In this talk, we’ll explore why a gateway is foundational to enterprise MCP adoption and how it enables centralized visibility, secure data flow management, and policy enforcement to mitigate security risks. We’ll also share practical guidance on evaluating MCP gateway solutions including what capabilities matter most, how to choose a solution that fits your needs today, and how to ensure it can scale as MCP adoption grows.

Speakers
Cecilia Liu

Sr Product Manager, Docker
Cecilia Liu is a Senior Product Manager at Docker, leading product strategy for Docker's MCP Platform—Docker's solution for running MCP servers securely and at scale through containerization. She drives Docker's AI strategy across both enterprise and developer ecosystems, helping...
Friday April 3, 2026 9:50am - 10:00am EDT
Broadway Ballroom (6th Floor)

10:00am EDT

Keynote: One-To-Many: Enabling MCP, Agents, and Intelligent Systems at Nordstrom - Ola Hungerford, Principal Engineer & Sandeep Bhat, Engineer, Nordstrom
Friday April 3, 2026 10:00am - 10:15am EDT
Natural language is becoming a universal interface. Connecting that interface to enterprise systems requires more than protocols. It requires active, thoughtful, and sustained work.

This talk shares Nordstrom's journey enabling MCP and AI agents across the organization: building secure MCP server standards, navigating OAuth and token management for agent workflows, and creating governance frameworks that let teams experiment while ensuring supportability. We'll cover practical challenges and solutions that make the C in MCP reliable, accurate and secure: knowledge feedback loops, layered access management, and evaluation techniques that make "one-to-many" enablement possible.

Beyond the technical, we'll also touch on the human systems work: coordinating across teams when AI initiatives emerge organically, building documentation that drives the right patterns from the start, and patiently creating the organizational foundations that let others follow and build on what you've started.
Speakers
Ola Hungerford

Principal Engineer, Nordstrom
Ola Hungerford is a Principal Engineer at Nordstrom and a maintainer and community moderator for the Model Context Protocol. She leads AI enablement initiatives while contributing to MCP's specification, developer tooling, documentation, and community governance. Ola comes from a...
Sandeep Bhat

Engineer, Nordstrom
I work on the AI Enablement team at Nordstrom, focusing on platform engineering for MCP and AI agents. My past background in security grounds my decision-making, allowing me to balance safe architecture with a passion for AI productivity. I build infrastructure that empowers internal...
Friday April 3, 2026 10:00am - 10:15am EDT
Broadway Ballroom (6th Floor)
  Keynote Sessions

10:20am EDT

Keynote: Using MCP for Skills Orchestration and Enterprise Integration - Jacob Wilson, PwC Principal, GenAI Transformation Leader
Friday April 3, 2026 10:20am - 10:30am EDT
Most enterprise AI experiences break down at the system boundary, where users know what they need but not which application, process, or data is required to complete it. This session uses procurement as a practical example of a different pattern: a single conversational interface powered by MCP that hides backend complexity while orchestrating work across multiple systems. We’ll show how MCP supports both skills orchestration and enterprise integration, enabling flows such as request classification, requisition creation, status lookup, and intelligent routing between procurement systems. The result is a practical blueprint for scaling system-agnostic workflows across ERP and other back-office functions.
Speakers
Jacob Wilson

PwC Principal, GenAI Transformation Leader, PwC
Jacob is a Principal in PwC's Advisory Analytics practice, specializing in delivering business-driven AI and Generative AI (GenAI) solutions for the firm and its clients. In addition to his client-facing responsibilities, Jacob serves as the lead Principal for PwC's GenAI delivery...
Friday April 3, 2026 10:20am - 10:30am EDT
Broadway Ballroom (6th Floor)

10:30am EDT

Keynote: Interoperability Isn’t Enough: Building Trustworthy AI Infrastructure with MCP - Ania Musial, Head of AI Platforms Product, Office of the CTO, Bloomberg
Friday April 3, 2026 10:30am - 10:40am EDT
Last year, we spoke about our adoption of Model Context Protocol (MCP) as a foundation for interoperable AI agents and tools at Bloomberg. What we’ve learned since then is that interoperability is the easy part; building trustworthy and interoperable AI infrastructure is the hard part.

Today, MCP powers Bloomberg’s flagship agentic AI solution (ASKB), underpins the experience the firm’s engineers have with our AI development platform, and drives production workflows across Bloomberg. Scaling all of this required more than standardizing tool calls.

In this update, we’ll share our approach to building trustworthy agentic AI infrastructure down to its core: interceptors to constrain & guide agentic behavior, tool variants to support different models and surfaces, and governance strong enough to let teams innovate quickly without compromising control. Interoperability may get your AI agents connected, but trustworthiness is what enables your agentic AI systems to scale.
Speakers
Ania Musial

Head of AI Platforms Product, Office of the CTO, Bloomberg

Friday April 3, 2026 10:30am - 10:40am EDT
Broadway Ballroom (6th Floor)

10:45am EDT


10:55am EDT

Sponsor Activity - Coffee & Demos: Explore Obot AI's MCP Gateway Demos and Grab Exclusive Swag
Friday April 3, 2026 10:55am - 11:05am EDT
Make the most of your breaks — grab a coffee and visit Obot AI at booth #D/P1 for hands-on demos of our MCP Gateway, redefining how AI agents connect to the tools they need. And pick up exclusive Obot AI swag while you're at it!

Sponsor: Obot AI
Location: Booth D/P1 within the Solutions Showcase


In order to facilitate networking and business relationships at the event, you may choose to visit a third party's booth or access sponsored content. You are never required to visit third party booths or to access sponsored content. When visiting a booth or participating in sponsored activities, the third party will receive some of your registration data. This data includes your first name, last name, title, company, address, email, standard demographics questions (i.e. job function, industry), consenting to receipt and use of such data by the third-party recipients, which will be subject to their own privacy policies. 
Friday April 3, 2026 10:55am - 11:05am EDT
Solutions Showcase, Westside Ballroom (5th Floor)

11:10am EDT

Sponsor Activity - A Faster Way to Run and Share MCP Servers
Friday April 3, 2026 11:10am - 11:20am EDT
Build with Docker’s MCP Catalog, Toolkit, and Gateway to see how easy it is to discover, configure, run, and share MCP servers. This demo shows a faster, cleaner path from MCP experimentation to real team use, without giving up control. Stop by for a chance to win a Docker hoodie!

Sponsor: Docker
Location: Booth D/P9 within the Solutions Showcase


Friday April 3, 2026 11:10am - 11:20am EDT
Solutions Showcase, Westside Ballroom (5th Floor)

11:30am EDT

RPC > MCP: Turning a Decade of APIs Into Agentic Tools - Ze'ev Klapow, HubSpot
Friday April 3, 2026 11:30am - 11:55am EDT
At HubSpot, we recognized that any RPC with a schema is already a tool definition, so we built our AI tooling infrastructure on top of our existing RPC framework instead of starting from scratch. Engineering teams can now expose any API to internal agents, public MCP clients, and customer-facing AI products with just two annotations, enabling rapid development and tool reuse across all of our AI systems. This talk covers the architecture, the tradeoffs, and how this approach let us ship agentic capabilities faster than we ever expected.
Speakers
Ze'ev Klapow

Distinguished Software Engineer, HubSpot
Ze'ev Klapow is a Principal Software Engineer at HubSpot, where he has spent 13 years building infrastructure. He currently leads efforts to bring AI tooling to HubSpot engineers and designed the unified agent infrastructure that powers both internal and customer-facing AI produc...
Friday April 3, 2026 11:30am - 11:55am EDT
Juilliard Complex (5th Floor)
  Apps and Agents
  • Audience Experience Level Any
  • Session Slides Yes

11:30am EDT

Code Mode Without the Code - Bob Dickinson, TeamSpark
Friday April 3, 2026 11:30am - 11:55am EDT
Major AI players (Cloudflare, Anthropic, Docker) advocate "Code Mode" - having LLMs generate wrapper MCP servers to orchestrate tools, drastically reducing context usage. However, executing LLM-generated code introduces security risks and compliance challenges.

mcpGraph provides Code Mode benefits without code execution risks. It's a YAML-based DSL for declarative MCP tool orchestration using directed graphs. Tools are defined as graphs with MCP nodes, JSONata transforms, and JSON Logic conditionals, all inspectable and auditable, and exposed to agents as MCP tools themselves.

We'll cover and demo three MCP servers: mcpGraph (the core engine), mcpGraphToolkit (agent development tools for building/testing/deploying graphs, with associated agent skills), and mcpGraphUX (visual inspection and debugging).

This approach delivers Code Mode efficiency while maintaining security, observability, and compliance—no arbitrary code execution required.

mcpGraph is open source and available at: https://github.com/TeamSparkAI/mcpGraph

The presentation will be largely based on this document (and referenced videos): https://github.com/TeamSparkAI/mcpGraph/blob/main/docs/no-code-code-mode.md
Speakers
Bob Dickinson

Founder, TeamSpark
Serial founder, CTO at scale, and always a hands-on builder. Creator of MCP Tool Vault and the open source projects tsAgent and mcpGraph. Maintainer of MCP Registry and MCP Inspector. Background in security, including as CTO of OneLogin and Censys.
Friday April 3, 2026 11:30am - 11:55am EDT
Astor Ballroom (7th Floor)
  MCP Best Practices

11:30am EDT

Human in the Loop, Agent in the Flow - Harald Kirschner & Connor Peet, Microsoft
Friday April 3, 2026 11:30am - 11:55am EDT
The AI hype cycle promised full automation. Reality delivered hallucinations and agents that guess when they should ask. The MCP spec offers a different vision—humans in control through rich, interactive collaboration rather than micromanaging every step.

This talk explores how recent MCP primitives transform the protocol from text-in-text-out tool-calling into interactive human-agent workflows. We'll cover elicitations that let servers ask clarifying questions with structured forms, async tasks that pause for human decisions and resume seamlessly, and MCP Apps that render interactive UIs—charts, dashboards, confirmations—in sandboxed iframes. Each makes feedback loops faster and agent interactions richer.

Using VS Code's implementation as reference, we'll demonstrate patterns for adaptive autonomy, progressive input gathering, and bidirectional workflows where servers drive the conversation. You'll leave with concrete patterns for building MCP integrations that treat collaboration as a feature, not a fallback.
Speakers
Harald Kirschner

Principal PM, Microsoft
Harald Kirschner is a Principal Product Manager at Microsoft, building AI coding experiences in VS Code and GitHub Copilot for 40+ million developers. Before Microsoft, he led Firefox DevTools at Mozilla and helped ship Firefox Quantum. His engineering roots (MooTools, early web...
Connor Peet

Principal Software Engineer, Microsoft
Connor is a principal software engineer working on VS Code since 2019.
Friday April 3, 2026 11:30am - 11:55am EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

11:30am EDT

Goose as a Proving Ground for New MCP Features, and How To Use Them - Alex Hancock, Block
Friday April 3, 2026 11:30am - 11:55am EDT
Goose serves as a real-world proving ground for new MCP capabilities before they're widely adopted. In this talk, you'll learn how to use advanced and early versions of MCP features that go beyond basic tool calling—with practical examples from production.

You'll see:

* Code mode MCP: handling massive tool catalogs without overwhelming context windows
* MCP Apps: rich user experiences for MCP servers that go beyond chat
* How ACP (Agent Client Protocol) can complement and interoperate with an MCP-aware agent, and how we use it in goose

The audience will learn from our experience building goose how they can use and contribute to emerging MCP features.
Speakers
Alex Hancock

Software Engineer, Block
Alex is a core maintainer of goose, and maintainer of the Rust SDK for the Model Context Protocol. Alongside teammates at Block he built and contributed goose as a founding project of the Agentic AI Foundation. He lives in Connecticut in the US with his wonderful family.
Friday April 3, 2026 11:30am - 11:55am EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth

11:30am EDT

Demystifying Client ID Metadata Documents in MCP - Den Delimarsky, Anthropic
Friday April 3, 2026 11:30am - 11:55am EDT
With the recent specification update, MCP moved away from using DCR as the default in favor of Client ID Metadata Documents (CIMD). It's a new approach to client registration already adopted by projects such as Bluesky, and now making its way to the MCP ecosystem. CIMD is significantly easier to use than DCR while providing the same security guarantees and a much more flexible approach to client governance. In this session, you will learn about the transition from DCR to CIMD, how you should design your MCP servers (and MCP clients) around this new requirement, and what the future holds for broader CIMD adoption.
Speakers
Den Delimarsky

Member of Technical Staff, Anthropic
Den is an avid reverse engineer, passionate about APIs, protocols, and security. He leads MCP technical programs at Anthropic and prior to that built authentication and authorization libraries used by millions of developers around the globe. You can learn more about his work on h...
Friday April 3, 2026 11:30am - 11:55am EDT
Empire Complex (7th Floor)
  Security and Operations

12:00pm EDT

From One MCP Server To an Ecosystem: When MCP Stops Being a Server and Becomes a Platform - Vaibhav Tupe, Equinix
Friday April 3, 2026 12:00pm - 12:25pm EDT
As MCP adoption grows, teams quickly discover that scaling from a single MCP server to a multi-server ecosystem introduces new architectural, operational, and governance challenges. Patterns that work for standalone MCP implementations often break down when MCP becomes a shared platform capability across multiple domains, teams, and clients.

In this talk, we share practical lessons from building and operating an MCP server ecosystem at infrastructure scale at Equinix. What began as a single MCP server evolved into multiple coordinated MCP servers spanning networking and infrastructure domains, each with distinct tools, lifecycles, and operational constraints.

Attendees will learn:
1. How MCP architecture changes when scaling from one server to an ecosystem
2. Design patterns to avoid tight coupling and fragmentation across MCP servers
3. Practical approaches to tool discovery, versioning, and backward compatibility
4. Operational lessons for reliability, rate limiting, and failure isolation
5. Governance best practices for ownership, change management, and ecosystem growth
Speakers
Vaibhav Tupe

Tech Lead - Principal Engineer, Equinix
Vaibhav Tupe is a distinguished Technology Advisory Board Member and Engineering Leader specializing in cybersecurity, cloud, and AI-ready data center infrastructure. With over 13 years of experience, he currently serves as a Technology Leader at Equinix USA, where he drives high-performance...
Friday April 3, 2026 12:00pm - 12:25pm EDT
Juilliard Complex (5th Floor)
  Apps and Agents

12:00pm EDT

Distributing MCP Servers With OCI To Power Agent Skills - Bobby House, Docker
Friday April 3, 2026 12:00pm - 12:25pm EDT
While it is now considered a best practice for agent skills to leverage MCP servers, there is still no widely accepted approach for how those MCP servers should be distributed, versioned, and shared as dependencies.

This talk presents a practical pattern for using OCI artifacts as a distribution mechanism for MCP servers and configurations that agent skills depend on, enabling reproducible, shareable, and composable agent capabilities.

We’ll walk through creating an agent skill that can build and run an MCP project as a containerized service, then publish supporting artifacts such as the MCP server’s configuration.

Rather than bundling dependencies directly, the agent skill references an OCI artifact by OCI ref, pulls it at runtime, and activates the required MCP servers automatically. This ensures that when prompts expect specific MCP servers to be available, they already are.

By treating OCI as a universal distribution layer for agent tooling metadata and configurations, this approach makes agent skills easier to share, reproduce, and evolve across teams and environments.
Speakers
Bobby House

Sr Software Engineer, Docker
Bobby House is a senior software engineer at Docker who enjoys building products for engineers. His recent work centers on integrating MCP into enterprise environments by enabling organizations to publish and manage private catalogs of MCP servers as OCI artifacts.
Friday April 3, 2026 12:00pm - 12:25pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

12:00pm EDT

MCP Live: Streaming Context To AI Agents - Harshit Kohli, Amazon Web Services
Friday April 3, 2026 12:00pm - 12:25pm EDT
Most MCP servers work like snapshots - ask for context, get a response, done. But what happens when your code changes while the AI is working? Or system metrics spike during deployment? Your agent has stale data.

I've been building streaming MCP servers that push live updates to AI agents. Think file watchers notifying code changes, system monitors streaming metrics, or database triggers sending updates as they happen.

I'll walk through building a live log monitoring MCP server from scratch. We'll extend the basic MCP protocol to handle streaming data using WebSockets, implement event subscriptions, and keep agents synchronized with rapidly changing data.

The demo shows an AI agent monitoring application logs in real-time, detecting anomalies and suggesting fixes as errors occur - not minutes later when someone checks the logs.

This isn't theoretical - I'm using similar patterns in production for DevOps monitoring and trading systems. I'll share the code, discuss gotchas, and show how streaming MCP opens up new use cases.

You'll leave with practical patterns for building reactive MCP servers that keep your AI agents always current.
Speakers
Harshit Kohli

Sr Technical Account Manager, Amazon Web Services
GenAI/Data Driven individual who has 15+ years of experience. Proven experience with AWS Data Analytics/GenAI services, Cloudera Hadoop, Hortonworks Hadoop and Mapr Hadoop. Achieved customer wins over Amazon Q, Bedrock, Amazon Managed Kafka, Amazon Data Firehose, Kinesis Streams...
Friday April 3, 2026 12:00pm - 12:25pm EDT
Astor Ballroom (7th Floor)
  MCP Best Practices

12:00pm EDT

Path to V2 for MCP SDKs - Max Isbey, Anthropic
Friday April 3, 2026 12:00pm - 12:25pm EDT

Speakers
Max Isbey

Member of Technical Staff, Anthropic
Software Engineer from New Zealand, previously worked at Rocket Lab designing and maintaining telemetry and command systems for rockets and satellites. Now relocated to London and working at Anthropic primarily focused on maintaining the MCP Python SDK.
Friday April 3, 2026 12:00pm - 12:25pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth
  • Audience Experience Level Any
  • Session Slides Yes

12:00pm EDT

Threat Modeling Authorization in MCP - Sarah Cecchetti, OpenID Foundation
Friday April 3, 2026 12:00pm - 12:25pm EDT
This session will describe the work of the AI Threat Modeling working group within the OpenID Foundation. Security considerations in OAuth were a concern before MCP, and MCP's use of OAuth raises additional concerns including malicious elicitation and code execution requests. I will describe MCP attacks which enable attackers to exfiltrate sensitive data, compromise password-protected accounts, and gain remote control of local machines.
Speakers
Sarah Cecchetti

Chair of AI Threat Modeling Working Group, OpenID Foundation
By day, Sarah is Director of Product Management for Semperis, a Series C startup. She also chairs the AI threat modeling group in the OpenID Foundation. Prior to that she spent five years at AWS where she led the open-sourcing of Cedar. She co-founded IDPro and co-authored NIST SP...
Friday April 3, 2026 12:00pm - 12:25pm EDT
Empire Complex (7th Floor)
  Security and Operations
  • Audience Experience Level Beginner
  • Session Slides Yes

12:30pm EDT

Challenges in Delivering Unstructured Content Efficiently Over MCP - Kailas Krivanka & Fernando Cerenza, Box
Friday April 3, 2026 12:30pm - 12:55pm EDT
Delivering unstructured file content over MCP introduces various challenges in performance, efficiency, and security. We will explore the questions that arise when building an MCP server for content management and some of the approaches that can be used to tackle them. As enterprise environments require a more conservative security posture, we’ll also break down strategies for mitigating data exfiltration risks and prompt injection attacks through granular, configurable guardrails.

  • Why large content operations can fail: latency, data corruption
  • Techniques for managing context efficiently and minimizing LLM token usage
  • The benefits of programmatic tool calling for MCP tool composability
  • Tradeoffs between MCP and CLI for content operations
  • Handling safety risks when untrusted content becomes a data exfiltration vector
  • Balancing functionality and security when designing tool guardrails

By starting from first principles and reviewing specific examples, attendees will leave with techniques for building MCP servers that process unstructured content efficiently and securely in enterprise environments.

Speakers
Fernando Cerenza

Senior Director of Product Management, Box
Fernando Cerenza leads Box’s partner integration ecosystem, where he oversees a vast network of over 1,500 application integrations. He is currently spearheading Box’s AI-focused initiatives, driving development on MCP and A2A to enable advanced agentic AI outcomes and seamless...
Kailas Krivanka

Software Engineer, Box
Kailas Krivanka is a software engineer with expertise in API design, software architecture, and distributed systems. He has worked at Box for 4 years, building scalable systems and solving complex technical challenges including launching the Box MCP server. With experience across...
Friday April 3, 2026 12:30pm - 12:55pm EDT
Juilliard Complex (5th Floor)
  Apps and Agents
  • Audience Experience Level Beginner
  • Session Slides Yes

12:30pm EDT

Solving Context Bloat: Semantic Tool Routing in Multi-Server MCP Environments - Hugo Guerrero, Kong
Friday April 3, 2026 12:30pm - 12:55pm EDT
Agentic systems adopting MCP face a scalability hurdle: managing interactions with numerous servers exposing dozens or hundreds of tools. Injecting all tools into the model context, or "context bloat," increases latency, inflates context window usage, drives up costs, and degrades reasoning quality.

This session introduces the MCP Gateway pattern, an architectural solution to context bloat. This pattern uses an MCP-aware routing layer to dynamically select and inject only the tools semantically relevant to a user request.

We will detail the design and implementation of semantic tool routing utilizing intent classification, embedding-based search, and lightweight prompt analysis. The talk will cover how this routing layer interacts with multiple MCP servers, maintains protocol correctness, and enables just-in-time tool discovery without overwhelming the model.

Attendees will receive a practical blueprint for building scalable, cost-efficient, and modular agentic systems based on MCP. The session emphasizes reusable patterns and reference architectures applicable across the broader MCP ecosystem, independent of any single vendor or runtime.
Speakers
Hugo Guerrero

Developer Advocate, Kong
Hugo Guerrero is a tech leader, speaker, and architect obsessed with AI, APIs, and the systems that connect them. From scaling developer ecosystems to mastering event-driven architecture, he focuses on making agentic connectivity a practical reality for modern enterprises. Passionate...
Friday April 3, 2026 12:30pm - 12:55pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

12:30pm EDT

The Anatomy of a Meltdown: A Deep-Dive into MCP via Selective Sabotage - Joey Stout, Spacelift
Friday April 3, 2026 12:30pm - 12:55pm EDT
Most technical talks feel like a one-way street: I talk, you listen, and maybe you ask a question at the end if we have time. But the Model Context Protocol (MCP) isn't about one-way communication; it's about creating a living connection between a "brain" (the LLM) and the "world" (your data and tools).

To prove this, we aren't going to look at static slides. Instead, we are going to use a Live Audience Agent.

At the start of the talk, a QR code will go up on the screen. Anyone in the room can scan it and access a simple web interface. You can send in "Live Vibe Checks"—short text snippets, emoji reactions, or "Heckles"—that feed directly into a database. My MCP server is the bridge. It connects my LLM assistant to that live database of your thoughts.

This is a high-stakes demo. If the protocol works, the AI will be my co-speaker, responding to the room's energy in real-time. If I break the protocol, which I plan to do, repeatedly, the AI will lose its connection to you. We're going to perform "Selective Sabotage" to see exactly which parts of the MCP spec keep the lights on.
Speakers
Joey Stout

Solutions Architect, Spacelift
Joey Stout is a Solutions Architect at Spacelift.io, CKA-certified, and creator of manifests.io. He specializes in Kubernetes, OpenTofu, and GitOps—and goes by The Outdoor Programmer.

Friday April 3, 2026 12:30pm - 12:55pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth
  • Audience Experience Level Any
  • Session Slides Yes

12:30pm EDT

Mix-Up Attacks in MCP: Multi-Issuer Confusion and Mitigations - Emily Lauber, Microsoft
Friday April 3, 2026 12:30pm - 12:55pm EDT
MCP deployments increasingly involve multiple authorization servers / identity providers across tools, registries, gateways, and enterprise environments. That flexibility introduces a classic but under-discussed class of failures: mix-up attacks. A mix-up attack is where a client or intermediary confuses which issuer/authorization server it’s interacting with and misroutes sign-in artifacts, such as tokens, to the wrong party, potentially a malicious one.

This talk gives a clear threat model for mix-up in MCP-style topologies (client↔server↔auth server), then focuses on practical mitigations being discussed in the Auth Mix-Up Attack Prevention WG. I’ll also cover what’s realistic to adopt today in SDKs and servers versus what should be standardized in the MCP Core spec or another standard like OAuth.
Speakers
Emily Lauber

Senior Product Manager, Microsoft
Emily Lauber is a Senior Product Manager at Microsoft focused on identity, authentication, and developer platforms. She works at the intersection of cloud security, browser-based auth, and standards, helping shape how modern apps and agents securely authenticate and access resources...
Friday April 3, 2026 12:30pm - 12:55pm EDT
Empire Complex (7th Floor)
  Security and Operations

1:45pm EDT

Sponsor Activity - AMA with WorkOS Founder Michael Grinich
Friday April 3, 2026 1:45pm - 1:55pm EDT
Stop by booth D/P3 with your questions on agent identity, MCP, fine-grained authorization, and how the fastest-growing AI companies stay Enterprise Ready with WorkOS.

Sponsor: WorkOS
Location: Booth D/P3 within the Solutions Showcase


In order to facilitate networking and business relationships at the event, you may choose to visit a third party's booth or access sponsored content. You are never required to visit third party booths or to access sponsored content. When visiting a booth or participating in sponsored activities, the third party will receive some of your registration data. This data includes your first name, last name, title, company, address, email, standard demographics questions (i.e. job function, industry), consenting to receipt and use of such data by the third-party recipients, which will be subject to their own privacy policies. 
Friday April 3, 2026 1:45pm - 1:55pm EDT
Solutions Showcase, Westside Ballroom (5th Floor)

2:25pm EDT

Progressive Tool Discovery: Using MCP Notifications To Manage Context at Scale - Billy Hickman & Lilia Abaibourova, Amazon
Friday April 3, 2026 2:25pm - 2:50pm EDT
As MCP adoption grows, a challenge emerges: how do you expose 100s of tools from a single server without overwhelming agent context windows? This talk introduces an MCP tool discovery mechanism we’ve built that dynamically loads tools. The platform works with a single discovery meta-tool on initialization, server-side state management to track agent context, and MCP’s streamed notifications/tools/list_changed to push relevant tool sets mid-session. Agents declare their problem context (incident response, monitoring, etc.) and receive only the tools they need, when they need them. Attendees will learn how this pattern keeps context windows lean while maintaining access to a broad tool ecosystem, with real examples showing how a single MCP server can serve diverse agent use cases without tool overload.
Speakers
Billy Hickman

Sr SDE, Amazon, Prime Video
Sr SDE from Amazon Prime Video. 10+ years experience building highly available, scalable distributed systems.
Lilia Abaibourova

Principal Product Manager, Prime Video, Amazon
Lilia Abaibourova is a product and engineering leader with 15 years of experience building and scaling developer platforms and AI-first tools at Amazon, Peloton, HBO, and Microsoft. At Amazon, she leads AI enablement for Prime Video engineers, delivering agentic assistants for design...
Friday April 3, 2026 2:25pm - 2:50pm EDT
Juilliard Complex (5th Floor)
  Apps and Agents
  • Audience Experience Level Advanced
  • Session Slides Yes

2:25pm EDT

From Cypher to Conversation: MCP at WestJet - Anton Lysov, WestJet
Friday April 3, 2026 2:25pm - 2:50pm EDT
At WestJet, our flight schedule is modeled in a Neo4j graph database - airports, routes, aircraft, seasonal schedules. The data is rich, but accessing it required Cypher expertise most stakeholders don't have.

I built an MCP server to change that. By creating a proxy layer connecting Claude to our Neo4j database, I enabled non-technical colleagues to query complex flight relationships using natural language. No Cypher. No waiting for developers. Just questions and answers.

This talk covers the journey from idea to working pilot: why I chose MCP, how I architected a proxy server wrapping the Neo4j MCP server, and what I learned deploying it internally. I'll give a live demo showing how analysts can explore our flight network conversationally.

This isn't a top-down initiative. It's about individual ownership - recognizing potential in data your team already maintains and using MCP to unlock value for people who couldn't access it before.
Whether you're exploring MCP for enterprise data or graph databases, this talk offers a practical, beginner-friendly blueprint.
Speakers
Anton Lysov

Software Developer, WestJet
Anton Lysov is a Software Developer at WestJet, working on backend systems that power westjet.com, mobile apps, and services used by teams across the organization. Before WestJet, he was one of the first hires at Rafflebox, helping build a platform that raised over $500M CAD for nonprofits...
Friday April 3, 2026 2:25pm - 2:50pm EDT
Astor Ballroom (7th Floor)
  MCP Best Practices
  • Audience Experience Level Beginner
  • Session Slides Yes

2:25pm EDT

The Tool Abstraction Problem: Lessons Learned Building 1000+ MCP Tools - Sam Partee, Arcade.dev
Friday April 3, 2026 2:25pm - 2:50pm EDT
Before MCP, Arcade was building tools for LLM agents. We've shipped over 1,000 tools—first as native Arcade tools with our own protocol and eventually adopting MCP. The main lesson: the hard part isn't writing the code, it's finding the right abstraction.

Most MCP tools today are thin wrappers around APIs. `GET /users/{id}` becomes `get_user(id)`. But this creates a mismatch—LLMs reason about tasks ("find the customer who complained last week"), not endpoints. The question is: where should tools sit on the abstraction spectrum?

**Too low-level:** The agent needs to chain together many calls. Each step is a chance to fail, and the model has to maintain context across all of them. You're asking the LLM to be a programmer at runtime.

**Too high-level:** You end up enumerating every possible task as its own tool. This defeats the point of having a general-purpose agent and your tool schema balloons, eating context and degrading selection accuracy.


In this talk:

- The common pitfalls we see in MCP tool design
- Our design philosophy for optimized tools
- Multiple real-world use cases and the tools that work for them
- Outlook on future tool development
Speakers
Sam Partee

CTO and Co-founder, Arcade.dev
Sam is the CTO and co-founder of Arcade.dev. Before starting Arcade, Sam led the applied AI team at Redis responsible for the vector database offering. He is an avid OSS developer and has contributed to projects like Langchain, LlamaIndex, Chapel, DeterminedAI, and others...
Friday April 3, 2026 2:25pm - 2:50pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices
  • Audience Experience Level Advanced
  • Session Slides Yes

2:25pm EDT

Every API Is a Tool for Agents - Matt Carey, Cloudflare
Friday April 3, 2026 2:25pm - 2:50pm EDT
The best MCP server is the one you didn't have to build.

At Cloudflare we have a lot of products. Our REST OpenAPI spec is over 2.3 million tokens. When teams started building MCP servers, they did what everyone does: cherry-picked important endpoints for their product, wrote some tool definitions and shipped a separate service that covered a small fraction of their API.

This was driven by a fundamental context limit of the end users' agent. And tools use a bunch of context just to describe themselves. MCP felt like a Mega Context Problem (and a separate service to maintain).

I think we got it all wrong.

The context limit is not an MCP problem. It's an agent problem. Tools should probably be discovered on demand and clients are coming around to this. But maybe we can also do it on the server?

CLIs get this for free, self-discoverable and documented by design. APIs just need a little help.

This talk will cover some of the techniques we've been exploring at Cloudflare, such as codemode and tool search, to make complete APIs accessible to agents through MCP.

I'll also cover some of the work we are doing with the MCP Typescript SDK to make stateless servers the default.
Speakers
Matt Carey

Agents and MCP, Cloudflare
I work on Agents and MCP at Cloudflare and I'm one of the maintainers of the official MCP Typescript SDK.

My role is to build infrastructure for agent developers to be successful with MCP. I am currently working on the release of v2 of the Typescript SDK.

Fun fact: I was previously a professional windsurfer and raced for Malta at several World and European championships...
Friday April 3, 2026 2:25pm - 2:50pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth
  • Audience Experience Level Any

2:25pm EDT

Putting the Single Back in Single Sign-On: Cross-App Access for MCP - Paul Carleton, Anthropic & Max Gerber, Twilio
Friday April 3, 2026 2:25pm - 2:50pm EDT
MCP makes it easy for AI agents to connect to tools, but authorization hasn't kept up. Users connecting an MCP client to a dozen MCP servers face a dozen separate OAuth flows, one for each server, each with its own login and token lifecycle. If we have Single Sign-On, why are users signing in so many times? It's not just a UX problem. Enterprise environments can quickly run into governance issues with unmanaged or scattered permissions. Security teams can't answer basic questions about which agent can access which system under what policy. Every agent-to-server connection is another point-to-point relationship with no central visibility. Cross-App Access (XAA), built on the Identity Assertion JWT Authorization Grant (ID-JAG), solves both problems. By leveraging the existing trust between the MCP client, MCP server, and the organization's Identity Provider, the IdP can broker token exchanges from the user's initial login. Agents gain access to everything the admin has approved with one sign-in. No additional user interaction required. The IdP becomes the policy decision point for approving, scoping, and auditing delegated access across MCP integrations. In this session, Paul Carleton (Anthropic) and Max Gerber (Twilio) explain the technical underpinnings that enable enterprise admins to enforce policies about which users, clients, and servers can interact. They'll also demo an MCP client completing an XAA flow from beginning to end to obtain access tokens securely and silently. Attendees will leave understanding how Cross-App Access works and how to integrate with it.
Speakers
Max Gerber

Principal Software Engineer, Twilio
Max Gerber is the software engineering lead for agent and AI identity at Twilio, where he works on core identity SDKs and APIs including OAuth, SAML, SSO, and RBAC. He previously led identity initiatives at Stytch and served as a lead engineer on MuleSoft’s IAM team during its integration...
Paul Carleton

Member of Technical Staff, Anthropic
Paul Carleton is a Core Maintainer of the Model Context Protocol and Auth Nerd at Anthropic, where he leads auth implementations across Anthropic's clients and the TypeScript and Python SDKs. He drives MCP conformance testing efforts to ensure consistent behavior across the ecosy...
Friday April 3, 2026 2:25pm - 2:50pm EDT
Empire Complex (7th Floor)
  Security and Operations

2:55pm EDT

UI in the Age of AI - Adam Cowley, Neo4j
Friday April 3, 2026 2:55pm - 3:20pm EDT
When the backend can reason, what does that mean for the frontend? Let's look at how to build UIs that support reasoning and adapt to any task.

The way we interact with software is changing. LLM-powered applications, with human-in-the-loop, are handling repetitive tasks that used to require forms and workflows. But bolting a chatbot onto your existing UI isn't enough - extracting structured data from natural language is fragile, adding frustration and friction for users.

In this talk, we'll explore how tool-calling and protocols like MCP provide deterministic contracts with non-deterministic systems, and what human-in-the-loop looks like when the UI adapts to the task at hand rather than forcing users through fixed workflows.
Speakers
Adam Cowley

Manager, Developer Education, Neo4j
Adam is a multi-disciplinary developer with over 20 years of experience building products that help people learn and grow. Currently Manager of Developer Education at Neo4j, he leads the team behind GraphAcademy - Neo4j's free learning platform.
Friday April 3, 2026 2:55pm - 3:20pm EDT
Juilliard Complex (5th Floor)
  Apps and Agents

2:55pm EDT

Lessons Learned Building Intelligent UIs With MCP Apps - Riley Scheid, Reboot (reboot.dev)
Friday April 3, 2026 2:55pm - 3:20pm EDT
With MCP Apps, AI interactions are no longer limited to text. MCP Apps unlock the full power of the web within AI chat, allowing us to build AI-enriched UIs that persist, react and collaborate in real-time.

Through a series of demos and code deep-dives, I’ll showcase foundational patterns that we've found to be effective as MCP Apps gain ubiquity.

Durability: Demo a “text snippet saver” that persists across conversations, threads, and even different AI clients, enabling shared memory that follows you everywhere.

Async tasks: Start an async audio transcription job, monitor it with a progress bar, and receive a completion notification in chat, while other work continues.

Realtime sync: See the job we just ran come alive as we play the original audio file with the text transcript rendering in perfect sync.

Multiplayer: Join me in a live collaborative drawing demo accessible through a public MCP server. Draw your best race car in real-time while we watch everyone’s creations come to life. The best drawing wins a prize!

The purpose of these demos is to spark imagination and show a glimpse of the future of intelligent UIs that go beyond the capabilities of the modern web.
Speakers
Riley Scheid

Founding Engineer, Reboot (reboot.dev)
Full stack engineer / human Swiss Army Knife with a decade of professional experience
Friday April 3, 2026 2:55pm - 3:20pm EDT
Astor Ballroom (7th Floor)
  MCP Best Practices

2:55pm EDT

The MCP Gateway Pattern: Aggregation, Composition, and Beyond - Juan Antonio Osorio, Stacklok
Friday April 3, 2026 2:55pm - 3:20pm EDT
Here's a scenario that might sound familiar: you've got ten MCP servers, which means ten client connections, ten auth flows, and ten different places where things can break. One reason teams end up in this mess is that each MCP server solves a real problem - so you add another one, and another, and suddenly you've got MCP sprawl.

Enter the MCP Gateway pattern.

In this talk, we'll walk through an architecture that aggregates multiple MCP backends behind a single unified interface. We'll cover the fun problems this creates - what happens when two backends expose tools with the same name? - and show how declarative workflow composition lets you orchestrate multi-step operations across backends without writing custom wrapper code.

We'll demo a gateway unifying several backends and executing a workflow defined entirely in YAML. No magic, just patterns you can apply to your own infrastructure.

With this in mind, you'll leave with practical approaches to taming MCP sprawl while keeping your security policies consistent across the board.
Speakers
Juan A. Osorio

Principal Engineer, Stacklok
Juan Antonio "Ozz" Osorio is a Mexican software engineer living in Finland. His background spans security for OpenStack, Kubernetes, and bare metal environments. Currently at Stacklok, he founded the ToolHive project and has been building MCP infrastructure, including supply chain...
Friday April 3, 2026 2:55pm - 3:20pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices
  • Audience Experience Level Advanced
  • Session Slides Yes

2:55pm EDT

Interceptors for MCP: A Production-Tested Standard for Agentic Middleware - Kurt Degiorgio & Cannis Chan, Bloomberg
Friday April 3, 2026 2:55pm - 3:20pm EDT
MCP standardized how agents connect to tools and context, but enterprise deployments need control between the model and the data. Today, MCP lacks a standard way to apply these controls, leading to a fragmented landscape of bespoke sidecars and proxies that shifts the M×N integration problem from the data layer to the middleware layer.
This session is a Protocol-in-Depth walkthrough of SEP-1763 (Interceptors), which proposes a protocol-native framework to intercept, validate, and transform messages across the MCP lifecycle, elevating middleware to a first-class capability alongside core MCP concepts. We will cover the concrete protocol semantics implementers need to align on: capability negotiation, hook points and invocation models, deterministic ordering/composition, enforcement semantics, error handling and observability.
We motivate the proposal with Bloomberg’s production experience in adopting interceptors to build agents in a regulated financial environment, sharing lessons on what must be standardized for interoperability. To ground the design, we map the proposed semantics to AWS Bedrock AgentCore Gateway Interceptors and OpenAI Guardrails’ staged validation guidance.
Speakers
Kurt Degiorgio

Senior Engineer, Bloomberg
Kurt Degiorgio is a Senior Engineer at Bloomberg, working on building platforms for Generative AI. With 14 years of experience, his background includes Monzo, Diffblue and GFI Software (of TeamViewer fame), covering a wide technical spectrum—from developing network drivers to building...
Cannis Chan

Technical Product Manager, Bloomberg
Cannis Chan is a Technical Product Manager in the Office of the CTO at Bloomberg, building infrastructure platforms for AI products. With 10 years in B2B and Enterprise (AutogenAI, Deutsche Bank, Ondat/Akamai), she specializes in navigating complex products through pre- and post-product...
Friday April 3, 2026 2:55pm - 3:20pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth

2:55pm EDT

The Boring Attack That Will Actually Get You - Craig Jellick, Obot AI
Friday April 3, 2026 2:55pm - 3:20pm EDT
The MCP security conversation focuses heavily on prompt injection, tool abuse, and session hijacking. These matter. But if you're running a registry of MCP servers, your most likely breach won't be complicated. It will be a compromised server you trusted too quickly.

Supply chain attacks aren't new, and neither are the defenses. But the speed of MCP adoption has outpaced basic hygiene: validation, provenance, versioning, and review processes that mature package ecosystems learned the hard way.

This talk argues that before you harden against novel agent-based attacks, you need to treat your MCP registry like critical infrastructure. We'll cover practical approaches to vetting servers, establishing trust boundaries, detecting drift, and building review workflows that scale.

Prompt injection is a real threat. But the server you added last week without review is a more immediate one.
Speakers
Craig J

VP of Engineering, Obot AI
Craig Jellick is VP of Engineering and co-founder of Obot AI, where they are building an agent platform that helps teams of all technical levels create software, automate work, and ship real tools using AI. Previously, he was a founding engineer and Director of Engineering at Rancher...
Friday April 3, 2026 2:55pm - 3:20pm EDT
Empire Complex (7th Floor)
  Security and Operations
  • Audience Experience Level Any
  • Session Slides Yes

3:25pm EDT

From 60 Minutes To 60 Seconds: Production MCP Workflows for Healthcare Billing - Andrew Espira, Kustode
Friday April 3, 2026 3:25pm - 3:50pm EDT
Healthcare providers lose 30-60 minutes per insurance claim error, with the industry wasting $250B+ annually on administrative overhead. At Kustode, we built a multi-tenant RCM platform processing thousands of daily EDI transactions (837P claims, 835 remittances, 270/271 eligibility). While we automated the EDI pipes, intelligent workflow orchestration—denial management, prior authorization, claim intervention—remained manual until we integrated MCP.
You'll learn:
- Integrating MCP into existing production systems vs. greenfield builds
- Multi-tenant MCP architecture with PHI isolation and compliance
- Orchestrating long-running workflows (45+ day denial cycles) with state management
- Real workflows: automated denial resolution, prior auth orchestration, intelligent claim intervention
- Security patterns for MCP in regulated environments
- Production metrics: time savings, denial reduction, deployment challenges
- When MCP beats traditional API orchestration
This talk shares production lessons from deploying MCP workflows in a HIPAA-compliant healthcare platform.
Speakers
Andrew Espira

Founding Engineer, Kustode
Andrew Espira is a Site Reliability Engineer with over seven years of experience in DevOps, Infrastructure, and Site Reliability Engineering. He specializes in optimizing large-scale system environments, cloud infrastructure, and distributed systems. Andrew is passionate about cloud-native...
Friday April 3, 2026 3:25pm - 3:50pm EDT
Juilliard Complex (5th Floor)
  Apps and Agents
  • Audience Experience Level Any
  • Session Slides Yes

3:25pm EDT

From Benchmarks To Business Value: Building a Use-Case Specific Agent Evaluation Framework - Gaurav Saxena, Independent & Matvey Kukuy, Archestra.AI
Friday April 3, 2026 3:25pm - 3:50pm EDT
While frontier models achieve impressive scores on benchmarks like MCP Atlas (62.3%) and SWE-bench (62.1%), these metrics don't answer the critical question: "Will this agent work for OUR specific use-case?"

This talk presents a practical framework for building custom agent evaluation systems tailored to your organization's needs. We'll cover the complete lifecycle: data collection and categorization, open-source instrumentation patterns, and production monitoring for long-term performance tracking. You'll learn to construct evaluation datasets reflecting actual workloads, implement testing harnesses mirroring production constraints, and establish monitoring pipelines that catch degradations early.

We'll demonstrate techniques for measuring agent reliability across accuracy, latency, cost, and safety dimensions while accounting for real-world variables: prompt engineering, data quality, MCP tool availability, and model selection. Attendees will leave with actionable strategies to build confidence in production deployments and create feedback loops for continuous improvement.
Speakers
Gaurav Saxena

Director of Engineering
Gaurav Saxena is an engineering leader in the field of platform and cloud engineering with over 20 years of experience in the software industry. His technical expertise includes Stream-based architectures, Kubernetes, Service Mesh, Software Supply Chain Security, and Observabilit...
Matvey Kukuy

CEO, Archestra.AI
Maintainer: Grafana OnCall, KeepHQ, Archestra.AI.

Ex-Engineering Director at Grafana Labs.
Friday April 3, 2026 3:25pm - 3:50pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

3:25pm EDT

Intent Engineering: The Death of the Mono-Directional Prompt - Rizel Scarlett, Block, Inc.
Friday April 3, 2026 3:25pm - 3:50pm EDT
You give an agent a complex task. It says "Absolutely!" Then it deletes your production database.

As engineers adopt AI agents, a common frustration is emerging: agents confidently make the wrong move. The response has been "skill issue," "write better prompts," "add more context," "make a plan first." But not everyone wants to master prompt engineering or maintain context files just to get an agent to understand them.

The missing layer is Intent. Unlike context, intent is ambiguous, implicit, and dynamic. Users don’t always know what they want upfront, and they change their minds once they see options. Forcing that complexity into a one-way text prompt is brittle by design and leads to "context rot."

This talk introduces intent engineering: designing agent workflows that don’t require perfect prompts or perfect context, but instead discover, confirm, and align user intent over time.

Using goose, Rizel will show how MCP Elicitation, MCP Sampling, and MCP Apps let agents ask what you mean, reason about what you might mean, and show you what they think you mean before acting.

Together, these patterns move us beyond mono-directional prompts and toward genuine collaboration.
Speakers
Rizel Scarlett

Tech Lead, Open Source Developer Relations, Block, Inc.
Rizel Scarlett is driven by a singular mission: ensuring powerful technology feels human, joyful, and real. As the Tech Lead for Open Source DevRel at Block, she drives technical storytelling for goose, an open source AI agent. Previously at GitHub, she helped devs adopt GitHub Copilot...
Friday April 3, 2026 3:25pm - 3:50pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth
  • Audience Experience Level Any

3:25pm EDT

Beyond the Sandbox: Security at the Host Layer - Lorenzo Verna & Pietro Valfrè, Denied
Friday April 3, 2026 3:25pm - 3:50pm EDT
Security in the MCP ecosystem has primarily followed a "Henhouse Model": building a perimeter to manage who enters with which keys. While we’ve become adept at granting agents the access they need to be productive, a new challenge is emerging. Because agents often operate with the user’s broad privileges, it is no longer just about managing entry; it is about ensuring that an agent's actions remain consistently aligned with the user’s intent.

While sandboxing is vital for isolation, it cannot "undo" the real world. When an agent uses an MCP tool to send an email, modify a calendar, or trigger a financial API, it steps through a "one-way door." Unlike local code, these actions lack a git revert.

We believe the most sustainable path forward is to move the primary authorization boundary to the Host. In this session, we propose an architectural approach that shifts outbound security to the application layer. By centering protection where context is richest, we can simplify server development and provide a more reliable way to manage the unpredictable nature of autonomous workflows.
Speakers
Lorenzo Verna

Co-founder and CPO, Denied
Lorenzo Verna (Math & CS) is Co-Founder & CPO at Denied.dev. A former CTO and founder with 3 startups and 2 exits, he has 15+ years building and scaling software products and AI platforms. His current work focuses on securing agentic systems, including MCP tool execution and policy...
Pietro Valfrè

CEO & Co-founder at Denied, Denied
Pietro, CEO and Co-founder of Denied, previously served as the first employee of a mid-size Italian venture studio. During his time there, he ultimately headed R&D and contributed to the successful development of several ventures. Having thoroughly explored the field of Auth, he is...
Friday April 3, 2026 3:25pm - 3:50pm EDT
Empire Complex (7th Floor)
  Security and Operations

3:25pm EDT

MCPwned: Hacking MCP Servers With One Skeleton Key Vulnerability - Jonathan Leitschuh, Independent
Friday April 3, 2026 3:25pm - 3:50pm EDT
MCPwned weaponizes a widely overlooked MCP-spec weakness, browser-based DNS rebinding, against SSE & streaming-HTTP MCP servers to exfiltrate data and escalate access.
This skeleton key vulnerability hacks your locally running MCP server, just by getting you to visit a malicious website.
Speakers
Jonathan Leitschuh

Open Source Security Researcher, Independent
Jonathan Leitschuh is an open source software security researcher and self-described Vulnerability Janitor. He was the inaugural Dan Kaminsky Fellow at HUMAN Security and later led research for OpenSSF’s Alpha-Omega project. He is best known for his 2019 Zoom zero-day disclosure...
Friday April 3, 2026 3:25pm - 3:50pm EDT
Astor Ballroom (7th Floor)
  Security and Operations

4:20pm EDT

Enabling Agentic Cloud Workflows - Santhosh Misro & Mayur Deshpande, Google
Friday April 3, 2026 4:20pm - 4:45pm EDT
Now live on GitHub, gcloud-mcp is the open-source reference implementation bringing agentic power to Google Cloud via the Model Context Protocol. As cloud platforms grow more complex, traditional CLIs struggle to support exploratory, goal-driven interactions. This session shares architectural lessons from building the bridge between AI assistants and enterprise cloud services to enable agent-driven reasoning.

Using the Storage MCP server as a deep dive, we demonstrate how AI assistants interact with Google Cloud Storage via MCP. We’ll show how raw GCS APIs were transformed into high-level Storage Intelligence tools that support meaningful workflows rather than simple command execution.

We focus on the design of the /storage-mcp package, including how we summarize GCS metadata into concise, accurate responses that agents can reason over without hitting context limits. Finally, we discuss how metrics like cost, latency, and task accuracy guided our iteration, helping refine prompt design and tool granularity. Attendees will leave with practical, enterprise-ready patterns for building local MCP servers that enable efficient interaction with complex cloud infrastructure.
Speakers
Mayur Deshpande

Staff Software Engineer, Google

Santhosh Misro

Senior Engineering Manager, Google
Friday April 3, 2026 4:20pm - 4:45pm EDT
Juilliard Complex (5th Floor)
  Apps and Agents

4:20pm EDT

MCP Servers in the Wild: Managing Tool Complexity at Scale - Arnav Balyan, Concierge AI
Friday April 3, 2026 4:20pm - 4:45pm EDT
As MCPs are adopted at scale, certain patterns start to emerge:
1. Increase in wrong tool calls
2. Increase in token usage, semantic loss
3. Agents skipping the required tool call sequence

For high stakes domains such as finance and infrastructure, this leads to reliability and compliance risk.

This talk presents a new MCP server design pattern for addressing this class of problems, called "progressive tool exposure".
Rather than assuming static tools, the MCP server actively controls which tools are visible to the agent at each point in execution. This framework ensures tools are refreshed, scoped, and changed as the agent progresses through an MCP workflow. This allows the server to direct the agent’s action space, guide execution order, and enforce "runbooks" without changing server/agent capability. This design pattern also tracks state, ensuring that backtracking of tool calls reverts the server-side state, making agent behaviour transactional on the MCP server.

We show how such practices reduce invalid tool calls, lower inference costs, and improve determinism for tool heavy systems.
Speakers
Arnav Balyan

CEO, Concierge AI
Founder of Concierge AI. Ex-Uber building MCP systems at scale. Concierge AI manages 400+ public MCP deployments. Arnav focuses on MCP tool complexity and researches token overhead reduction at scale.
Friday April 3, 2026 4:20pm - 4:45pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

4:20pm EDT

The Seven Deadly Sins With MCP - Ricardo Ferreira, Redis
Friday April 3, 2026 4:20pm - 4:45pm EDT
Picture your MCP server exposing your database to an overeager LLM that tries to "optimize" your schemas at 3 AM. Sinful? Absolutely. As MCP becomes the standard for connecting LLMs to real systems, teams are speedrunning mistakes like this—causing memory leaks, runaway polling, and permission scopes so wide they make the sudo commands executed in production look cautious.

This session breaks down the seven deadly sins developers must be aware of with MCP: gluttony (resource abuse), sloth (lazy errors), wrath (aggressive polling), greed (permission overreach), pride (overengineering), envy (tool sprawl), and lust (unsafe exposure). Each of these sins can turn a powerful protocol like MCP into a recipe for disaster.

By examining each sin, its patterns, and its symptoms, you'll learn how to spot and avoid them, along with the technical practices that make MCP deployments reliable. Come learn how to ship with absolution instead of yet another pager alert.
Speakers
Ricardo Ferreira

Lead Developer Advocate, Redis
Ricardo leads the developer relations team at Redis. He built a successful career in DevRel working for companies such as AWS, Elastic, and Confluent. He spent two decades working as a software engineer, instructor, and solution architect before diving into the world of developer... Read More →
Friday April 3, 2026 4:20pm - 4:45pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth

4:20pm EDT

From Chaos To Clarity: How MCP Transforms Incident Response - Sebastian Villanelo & Rocío Bayon, PagerDuty
Friday April 3, 2026 4:20pm - 4:45pm EDT
Imagine being on-call at 3 AM: alerts fire, you scramble between the incident, monitoring dashboards, Slack, runbooks, and ticketing systems. Each tool switch drains cognitive capacity during your highest-stress moments.

Current reality: On-call engineers navigate 5-10 tools under pressure. Managers manually coordinate team responses. Stakeholders interrupt for updates. Result: burnout, delayed resolution, human error.

MCP-powered future: Natural language handles coordination, knowledge retrieval, and status updates. Responders focus on solving problems, not navigating tools. Managers orchestrate responses conversationally. Stakeholders self-serve information.

Attendees learn production patterns for building MCP servers that reduce human fatigue in critical operations: safety mechanisms for high-stakes automation, balancing AI assistance with human oversight, context preservation across operations, and testing strategies for mission-critical workflows.
Speakers
Sebastian Villanelo

Forward Deployment Engineer, PagerDuty
Develop custom reports that help each customer identify and monitor the metrics most relevant to their operations. Gather technical and functional requirements, working closely with the product team to translate customer needs into concrete improvements.

Rocío Bayon

Product Manager, Forward Deployed Engineering, PagerDuty
Originally from Argentina and based in Chile, I'm a Product Manager on the Forward Deployed Engineering (FDE) team at PagerDuty. With a background in Mechanical Engineering and Business Analytics, I live at the intersection of technology, data, and real-world customer implementations... Read More →
Friday April 3, 2026 4:20pm - 4:45pm EDT
Astor Ballroom (7th Floor)
  Security and Operations

4:20pm EDT

Securing the MCP Ecosystem: Production Patterns for Transparency and Trust - Lisa Tagliaferri & Trevor Dunlap, Chainguard
Friday April 3, 2026 4:20pm - 4:45pm EDT
Model Context Protocol servers are increasingly granted access to critical infrastructure from observability systems and databases to code repositories. This access introduces new supply chain security challenges for teams operating MCP servers in real-world environments.

In this talk, we share lessons learned from Chainguard’s experience building MCP infrastructure for production. Starting with mcp-grafana, our first hardened MCP server, we reduced known CVEs to 0 at publish time while shrinking image size by 65%. We developed repeatable security patterns for MCP delivery, including automated rebuilds, attack surface minimization, SBOM generation, and SLSA provenance.

We then applied these same patterns to a different use case: a documentation MCP serving over 1,500 container image guides, enabling secure access through AI assistants. These implementations demonstrate how consistent supply chain controls can support both infrastructure-integrated and content-focused MCP servers.

Attendees will learn practical approaches to threat modeling MCP servers. We’ll also share our challenges and failures, along with open-source workflows the community can adopt across the MCP ecosystem.
Speakers
Lisa Tagliaferri

Senior Director, Developer Enablement, Chainguard
Lisa Tagliaferri is Senior Director of Developer Enablement at Chainguard and a maintainer of Sigstore’s documentation. The author of “How To Code in Python” and a Linux Foundation course developer, Lisa focuses on helping developers and maintainers adopt CNCF and OpenSSF tooling... Read More →

Trevor Dunlap

Senior Software Engineer, Chainguard
Trevor Dunlap is a senior software engineer at Chainguard. He holds a Ph.D. in Computer Science with a focus on automating the enhancement of vulnerability data. Trevor is an advocate for open source software security and enjoys competing on Kaggle.

Friday April 3, 2026 4:20pm - 4:45pm EDT
Empire Complex (7th Floor)
  Security and Operations
  • Audience Experience Level Any
  • Session Slides Yes

4:50pm EDT

Your MCP Server Will Probably Be Abandoned...Or Not - Lahari Chowtoori, Amazon Web Services, Inc.
Friday April 3, 2026 4:50pm - 5:15pm EDT
Here's what's going to happen: MCP takes off. Hundreds of MCP servers get built. Most of them end up unmaintained within two years and then issues pile up, PRs go stale, the original author moves on.

I have spent time digging through MCPZoo, a dataset of 56,000+ MCP servers, and the warning signs are already there. Repos with READMEs that just say "install and run." Projects with one contributor and no activity in months. Issues sitting unanswered. The ecosystem is growing fast, but a lot of what's being built has "abandoned in 6 months" written all over it.

I'm sure some of you have tried contributing to these projects. Couldn't run the tests. Couldn't understand the structure. Couldn't tell if anyone was still around. That friction isn't just annoying, it's why maintainers burn out and contributors disappear.

In this talk, I'll break down what makes an MCP server thrive or die. Projects die when newcomers can't onboard, can't run tests, can't understand the structure. The ones that survive do specific things: working CI from day one, a README that gets someone running in under 5 minutes, clear contributor guidelines. I'll show you how to set up your own projects to last.
Speakers
Lahari Chowtoori

Open Source TPM, AI/ML, AWS
Lahari Chowtoori is an AI enthusiast and Technical Program Manager at AWS, focusing on open source, Machine Learning, and Artificial Intelligence. With a background in Data Science and Machine Learning, she is passionate about democratizing AI knowledge and fostering community collaboration. She... Read More →
Friday April 3, 2026 4:50pm - 5:15pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices
  • Audience Experience Level Any

4:50pm EDT

Call Now, Fetch Later: MCP Tasks and SEP-1686 - Adam Azzam, Prefect
Friday April 3, 2026 4:50pm - 5:15pm EDT
MCP made agents portable. But it also made them fragile—every tool call lives or dies by its network connection, and long-running work has been a liability we've all been working around in different (incompatible) ways.

SEP 1686 introduces native task orchestration to the protocol. This talk covers what's changing, why it matters, and what it unlocks for anyone building serious MCP infrastructure.

I'll walk through the design decisions, demonstrate the new primitives in FastMCP, and share what we've learned from helping teams scale MCP Tasks.

If you've ever wished MCP would just let you run real workloads without holding your breath, this one's for you.
Speakers
Adam Azzam

VP Product, Prefect
Adam Azzam, Ph.D. is VP of Product at Prefect, where he leads product development for their open source automation and context platform. He is a maintainer of FastMCP.

Before joining Prefect, Adam co-founded Openrole AI, where he served as CTO building an AI career co-pilot. He was previously Director of Product at Insight Data Science (YC S11). Adam holds a PhD in Mathematics from UCLA... Read More →
Friday April 3, 2026 4:50pm - 5:15pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth

4:50pm EDT

Enterprise-Ready MCP: Security Patterns and the "4-Legged" Identity Challenge - Paulina Xu, Agentic Fabriq
Friday April 3, 2026 4:50pm - 5:15pm EDT
As MCP evolves from local developer workflows to shared, remote infrastructure, new security & identity challenges emerge. Patterns that work for single-user, local MCP setups often break down when MCP servers become gateways serving thousands of users, agents, and tools. This session explores the architectural patterns required to deploy MCP securely in enterprise environments. We’ll examine common failure modes such as data overexposure, unsafe bulk operations, topic-based disclosure, and weak audit controls, and map them to practical MCP-level mitigations including least-privilege access, tool-level guardrails, and privacy-aware logging. A focus of the talk is the “4-Legged” Identity Challenge: when a user interacts with a web app, which calls an agent, which then calls a remote MCP server. This model is not natively handled by standard OAuth flows. We’ll cover approaches such as token exchange, pre-provisioned trust, and interactive authorization, and discuss how emerging MCP capabilities like protected resource metadata support scalable identity discovery. Attendees will leave with a blueprint for moving from local MCP development to secure, production-ready MCP deployments.
Speakers
Paulina Xu

CEO, Agentic Fabriq
Paulina Xu is the CEO of Agentic Fabriq, where she is building a centralized hub for agent identity, OAuth-based authentication, permissioning, and auditability, enabling organizations to safely manage what agents can access and do across tools, applications, and teams. Prior to founding... Read More →
Friday April 3, 2026 4:50pm - 5:15pm EDT
Empire Complex (7th Floor)
  Security and Operations

4:50pm EDT

Kubernetes-Native Agent Discovery: A Unified Registry for MCP Servers and Skills - Carlos Santana, AWS
Friday April 3, 2026 4:50pm - 5:15pm EDT
As AI agents become integral to cloud-native architectures, they need a standardized way to discover capabilities available within Kubernetes clusters. Currently, agents must be pre-configured with MCP server endpoints and skill definitions, creating brittleness in dynamic environments where services scale and evolve continuously.
This talk introduces a Kubernetes-native discovery service: a cluster-scoped registry that exposes both MCP servers and Skills through a unified API. By leveraging Kubernetes primitives like CRDs and proven service discovery patterns, we can make agent capabilities first-class citizens in any cluster.
Attendees will learn how to implement a dynamic registry enabling agents to query available MCP servers by capability, discover registered Skills with their metadata, and handle lifecycle changes gracefully. We'll demonstrate a working implementation showing agents dynamically assembling their toolset based on cluster state.
The registry treats MCP servers and Skills as complementary discovery targets. Whether you're running agents in production or just exploring MCP adoption, this talk provides a blueprint for building discoverable agent infrastructure.
Speakers
Carlos Santana

Sr. Kubernetes Specialist SA, AWS
Senior Specialist Solutions Architect at AWS leading Container solutions in the Worldwide Application Modernization (AppMod). He is experienced in distributed cloud application architecture, emerging technologies, open source, serverless, devops, kubernetes, gitops. He is a CNCF Ambassador... Read More →
Friday April 3, 2026 4:50pm - 5:15pm EDT
Astor Ballroom (7th Floor)
  Security and Operations
  • Audience Experience Level Advanced
  • Session Slides Yes

5:20pm EDT

Reflections on Context Engineering Via MCP Servers - Till Döhmen, MotherDuck
Friday April 3, 2026 5:20pm - 5:45pm EDT
Effective context engineering via MCP servers requires understanding how host agents weave the server's responses into their context as conversations unfold.

Context flows through more channels than tool definitions alone: initial instructions, the tool set itself (explicit tools vs. generic execution tools), tool names and parameters, descriptions, response content, structure and length, error feedback, "skill-loading" tools, resources, and sub-agent delegation.

Each mechanism involves trade-offs. Eager loading of context risks bloat; lazy loading adds tool calls. Rich tool responses help agents self-correct but consume tokens. Sub-agents compartmentalize complexity, but limited client support for elicitation creates friction.

Getting this balance right means staying conscious of how much context you're injecting, when, and at what cost (e.g. in # of tool calls to achieve a goal)—a balancing act that's hard without a clear picture of what's happening inside the host agent's context window.

This talk aims at providing a framework for thinking about these decisions—grounded in concrete examples from building the MotherDuck MCP Server.
Speakers
Till Döhmen

AI Lead, MotherDuck
Till Döhmen is AI Lead at MotherDuck, where he focuses on building agentic experiences for data analytics. He designed and built the MotherDuck MCP Server, enabling AI agents to query and analyze data through Claude, Cursor, and other MCP clients. Till is also a final-year PhD candidate... Read More →
Friday April 3, 2026 5:20pm - 5:45pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

5:20pm EDT

MCP Elicitation - Balancing Convenience With Security - Kay James, Gravitee
Friday April 3, 2026 5:20pm - 5:45pm EDT
As AI agents become more autonomous through the Model Context Protocol (MCP), one question becomes unavoidable: why, when, and how should humans be asked to intervene to provide feedback or approval?

In this talk, we explore MCP elicitation as a core design pattern for agentic systems, not just as a UX or AX (Agent Experience) feature, but as a security, authorization, and trust mechanism.

We will:

- Trace how human interaction models evolved across web, APIs, and OAuth, and why MCP requires a new balance
- Break down elicitation patterns in agent workflows
- Show how elicitation integrates with fine-grained authorization, consent, and delegation
- Explore step-up authentication and human-in-the-loop approvals for accountability
- Discuss how proper elicitation improves trust, explainability, and compliance, without harming DX, UX, or AX

The goal is simple but critical: delivering agentic AI that users can trust, by design, not by trade-off.
Speakers
Kay James

Technical Product Marketing Manager, Gravitee
Friday April 3, 2026 5:20pm - 5:45pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth

5:20pm EDT

Context Middleware for MCP: From Enterprise Needs To Protocol Extension - Peder Holdgaard Pedersen, Saxo Bank
Friday April 3, 2026 5:20pm - 5:45pm EDT
Many MCP servers aren't public - they're internal enterprise deployments where security, compliance, and safety aren't optional. Yet MCP currently lacks standardized middleware patterns, forcing teams into shared libraries and bespoke solutions that recreate the NxM problem.

Context middleware lets us intercept, inspect, and transform MCP traffic at trust boundaries. Just as tools were key to end-user MCP adoption, standardized middleware can unlock it for regulated industries: PII redaction, audit logging, prompt injection defense, hallucination detection - all without vendor lock-in or security gaps.

For the emerging gateway and proxy ecosystem, this opens new market opportunities: standardized integration points that transform MCP infrastructure into a composable, enterprise-grade platform.

This talk presents a working implementation as used at a major financial institution, including demos of attack prevention and real-world findings. You'll leave understanding the architecture, the extension, the trust boundary considerations, and how to start building context-aware middleware today.
Speakers
Peder Holdgaard Pedersen

Principal Developer, Saxo Bank
Peder architects AI systems and spearheads AI adoption at Saxo Bank as Principal Developer. He is a contributor to the C# MCP SDK and an MCP maintainer for the Financial Services Interest Group. He specializes in integrating cutting-edge AI capabilities with bespoke assistants and... Read More →
Friday April 3, 2026 5:20pm - 5:45pm EDT
Empire Complex (7th Floor)
  Security and Operations

5:20pm EDT

Hooks, Not Hacks: Modular Enforcement for MCP Agents - Fred Araujo & Ian Molloy, IBM
Friday April 3, 2026 5:20pm - 5:45pm EDT
MCP enables agent composition, but leaves security, policy, and governance enforcement to individual implementations. This results in inconsistent controls and security gaps across agents, tools, and environments, pushing platform-specific logic into otherwise portable MCP systems.

This talk presents a hook-based extension pattern for MCP, inspired by the Linux Security Modules (LSM) extensibility model and implemented in open source as part of the ContextForge MCP Gateway. Using standardized pre- and post-execution hooks, the gateway intercepts MCP interactions such as prompt handling, tool invocation, and data transformation. These hooks enable composable security modules—including prompt injection detection, PII redaction, and policy-based access control (OPA/Cedar)—without modifying agent or MCP server logic. By externalizing enforcement into reusable modules, this approach avoids extensibility lock-in and enables interoperability with existing security frameworks.

We show how developers can author MCP extensions and apply consistent controls across agent stacks, focusing on design patterns and interoperability for production-ready MCP systems.
Speakers
Ian Molloy

Department Head, IBM Research
Ian Molloy is a Principal Research Scientist and Department Head of the Security Department at IBM's Thomas J. Watson Research Center, a large and diverse team working across cryptography, cloud, AI and Security Intelligence. His primary research interest is in automating... Read More →

Fred Araujo

Principal Research Scientist and Manager, IBM
Dr. Fred Araujo is a Principal Research Scientist and Manager at IBM Research, where he leads research on the security of AI agents and middleware. His work spans protocol security, access control, systems security, and program analysis, and has influenced several IBM and Red Hat... Read More →
Friday April 3, 2026 5:20pm - 5:45pm EDT
Astor Ballroom (7th Floor)
  Security and Operations

6:00pm EDT

Closing Party
Friday April 3, 2026 6:00pm - 9:00pm EDT
Strike up some fun at the Closing Party, and join us for an evening of games, delicious bites, and great company. Bowl a few frames, challenge colleagues to billiards or ping pong, try your luck in the arcade, and enjoy small plates and refreshments while networking with fellow attendees.

Lucky Strike is a 2-minute walk from the New York Marriott Marquis - exit the venue onto W. 45th Street, head through Shubert Alley to W. 44th Street, and head up to the 3rd or 4th Floor of Lucky Strike for an evening of fun!

Limited space available for coat check - please refrain from bringing large bags or suitcases.

We’re thrilled to welcome guests of all ages to the Closing Party. If you’d like to enjoy alcoholic drinks, you must bring a government-issued photo ID for verification. We can’t wait to see you there!
Friday April 3, 2026 6:00pm - 9:00pm EDT
Lucky Strike Times Square 222 W 44th St, New York, NY 10036
 