Loading…
April 2-3, 2026
New York, NY
View More Details & Registration

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for MCP Dev Summit North America to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration..

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.
Company: Intermediate clear filter
arrow_back View All Dates
Friday, April 3
 

10:00am EDT

Keynote: One-To-Many: Enabling MCP, Agents, and Intelligent Systems at Nordstrom - Ola Hungerford, Principal Engineer & Sandeep Bhat, Engineer, Nordstrom
Friday April 3, 2026 10:00am - 10:15am EDT
Broadway Ballroom (6th Floor)
Natural language is becoming a universal interface. Connecting that interface to enterprise systems requires more than protocols. It requires active, thoughtful, and sustained work.

This talk shares Nordstrom's journey enabling MCP and AI agents across the organization: building secure MCP server standards, navigating OAuth and token management for agent workflows, and creating governance frameworks that let teams experiment while ensuring supportability. We'll cover practical challenges and solutions that make the C in MCP reliable, accurate and secure: knowledge feedback loops, layered access management, and evaluation techniques that make "one-to-many" enablement possible.

Beyond the technical, we'll also touch on the human systems work: coordinating across teams when AI initiatives emerge organically, building documentation that drives the right patterns from the start, and patiently creating the organizational foundations that let others follow and build on what you've started.
Speakers
avatar for Ola Hungerford

Ola Hungerford

Principal Engineer, Nordstrom
Ola Hungerford is a Principal Engineer at Nordstrom and a maintainer and community moderator for the Model Context Protocol. She leads AI enablement initiatives while contributing to MCP's specification, developer tooling, documentation, and community governance. Ola comes from a... Read More →
avatar for Sandeep Bhat

Sandeep Bhat

Engineer, Nordstrom
​I work on the AI Enablement team at Nordstrom, focusing on platform engineering for MCP and AI agents. My past background in security grounds my decision-making, allowing me to balance safe architecture with a passion for AI productivity. I build infrastructure that empowers internal... Read More →
Friday April 3, 2026 10:00am - 10:15am EDT
Broadway Ballroom (6th Floor)
  Keynote Sessions

11:30am EDT

Code Mode Without the Code - Bob Dickinson, TeamSpark
Friday April 3, 2026 11:30am - 11:55am EDT
Astor Ballroom (7th Floor)
Major AI players (Cloudflare, Anthropic, Docker) advocate "Code Mode" - having LLMs generate wrapper MCP servers to orchestrate tools, drastically reducing context usage. However, executing LLM-generated code introduces security risks and compliance challenges.

mcpGraph provides Code Mode benefits without code execution risks. It's a YAML-based DSL for declarative MCP tool orchestration using directed graphs. Tools are defined as graphs with MCP nodes, JSONata transforms, and JSON Logic conditionals, all inspectable and auditable, and exposed to agents as MCP tools themselves.

We'll cover and demo three MCP servers: mcpGraph (the core engine), mcpGraphToolkit (agent development tools for building/testing/deploying graphs, with associated agent skills), and mcpGraphUX (visual inspection and debugging).

This approach delivers Code Mode efficiency while maintaining security, observability, and compliance—no arbitrary code execution required.

mcpGraph is open source and available at: https://github.com/TeamSparkAI/mcpGraph

The presentation will be largely based on this document (and referenced videos): https://github.com/TeamSparkAI/mcpGraph/blob/main/docs/no-code-code-mode.md
Speakers
avatar for Bob Dickinson

Bob Dickinson

Founder, TeamSpark
Serial founder, CTO at scale, and always a hands-on builder. Creator of MCP Tool Vault and the open source projects tsAgent and mcpGraph. Maintainer of MCP Registry and MCP Inspector. Background in security, including as CTO of OneLogin and Censys.
Code Mode without the Code pdf
Friday April 3, 2026 11:30am - 11:55am EDT
Astor Ballroom (7th Floor)
  MCP Best Practices

11:30am EDT

Human in the Loop, Agent in the Flow - Harald Kirschner & Connor Peet, Microsoft
Friday April 3, 2026 11:30am - 11:55am EDT
Broadway Ballroom South (6th Floor)
The AI hype cycle promised full automation. Reality delivered hallucinations and agents that guess when they should ask. The MCP spec offers a different vision—humans in control through rich, interactive collaboration rather than micromanaging every step.

This talk explores how recent MCP primitives transform the protocol from text-in-text-out tool-calling into interactive human-agent workflows. We'll cover elicitations that let servers ask clarifying questions with structured forms, async tasks that pause for human decisions and resume seamlessly, and MCP Apps that render interactive UIs—charts, dashboards, confirmations—in sandboxed iframes. Each makes feedback loops faster and agent interactions richer.

Using VS Code's implementation as reference, we'll demonstrate patterns for adaptive autonomy, progressive input gathering, and bidirectional workflows where servers drive the conversation. You'll leave with concrete patterns for building MCP integrations that treat collaboration as a feature, not a fallback.
Speakers
avatar for Harald Kirschner

Harald Kirschner

Principal PM, Microsoft
Harald Kirschner is a Principal Product Manager at Microsoft, building AI coding experiences in VS Code and GitHub Copilot for 40+ million developers. Before Microsoft, he led Firefox DevTools at Mozilla and helped ship Firefox Quantum. His engineering roots (MooTools, early web... Read More →
avatar for Connor Peet

Connor Peet

Principal Software Engineer, Microsoft
Connor is a principal software engineer working on VS Code since 2019.
mcp vscode human in the loop url
Friday April 3, 2026 11:30am - 11:55am EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

11:30am EDT

Goose as a Proving Ground for New MCP Features, and How To Use Them - Alex Hancock, Block
Friday April 3, 2026 11:30am - 11:55am EDT
Broadway Ballroom North (6th Floor)
Goose serves as a real-world proving ground for new MCP capabilities before they're widely adopted. In this talk, you'll learn how to use advanced and early versions of MCP features that go beyond basic tool calling—with practical examples from production.

You'll see:

* Code mode MCP: handling massive tool catalogs without overwhelming context windows
* MCP Apps: rich user experiences for MCP servers that go beyond chat
* How ACP (Agent Client Protocol) can complement and interoperate with an MCP-aware agent, and how we use it in goose

The audience will learn from our experience building goose how they can use and contribute to emerging MCP features.
Speakers
avatar for Alex Hancock

Alex Hancock

Software Engineer, Block
Alex is a core maintainer of goose, and maintainer of the Rust SDK for the Model Context Protocol. Alongside teammates at Block he built and contributed goose as a founding project of the Agentic AI Foundation. He lives in Connecticut in the US with his wonderful family.
Friday April 3, 2026 11:30am - 11:55am EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth

11:30am EDT

Demistifying Client ID Metadata Documents in MCP - Den Delimarsky, Anthropic
Friday April 3, 2026 11:30am - 11:55am EDT
Empire Complex (7th Floor)
With the recent specification update, MCP moved away from using DCR as the default in favor of Client ID Metadata Documents (CIMD). It's a new approach to client registration already adopted by such projects like Bluesky, and now making its way to the MCP ecosystem. CIMD is significantly easier to use than DCR while providing the same security guarantees and a much more flexible approach to client governance. In this session, you will learn about the transition from DCR to CIMD, how you should design your MCP servers (and MCP clients) around this new requirement, and what the future holds for broader CIMD adoption.
Speakers
avatar for Den Delimarsky

Den Delimarsky

Member of Technical Staff, Anthropic
Den is an avid reverse engineer, passionate about APIs, protocols, and security. He leads MCP technical programs at Anthropic and prior to that built authentication and authorization libraries used by millions of developers around the globe. You can learn more about his work on h... Read More →
Friday April 3, 2026 11:30am - 11:55am EDT
Empire Complex (7th Floor)
  Security and Operations

12:00pm EDT

From One MCP Server To an Ecosystem: When MCP Stops Being a Server and Becomes a Platform - Vaibhav Tupe, Equinix
Friday April 3, 2026 12:00pm - 12:25pm EDT
Juilliard Complex (5th Floor)
As MCP adoption grows, teams quickly discover that scaling from a single MCP server to a multi-server ecosystem introduces new architectural, operational, and governance challenges. Patterns that work for standalone MCP implementations often break down when MCP becomes a shared platform capability across multiple domains, teams, and clients.

In this talk, we share practical lessons from building and operating an MCP server ecosystem at infrastructure scale at Equinix. What began as a single MCP server evolved into multiple coordinated MCP servers spanning networking and infrastructure domains, each with distinct tools, lifecycles, and operational constraints.

Attendees will learn:
1. How MCP architecture changes when scaling from one server to an ecosystem
2. Design patterns to avoid tight coupling and fragmentation across MCP servers
3. Practical approaches to tool discovery, versioning, and backward compatibility
4. Operational lessons for reliability, rate limiting, and failure isolation
5. Governance best practices for ownership, change management, and ecosystem growth
Speakers
avatar for Vaibhav Tupe

Vaibhav Tupe

Tech Lead - Principal Engineer, Equinix
Vaibhav Tupe is a distinguished Technology Advisory Board Member and Engineering Leader specializing in cybersecurity, cloud, and AI-ready data center infrastructure. With over 13 years of experience, he currently serves as a Technology Leader at Equinix USA, where he drives high-performance... Read More →
MCP DevSummit Final pptx
Friday April 3, 2026 12:00pm - 12:25pm EDT
Juilliard Complex (5th Floor)
  Apps and Agents

12:00pm EDT

Distributing MCP Servers With OCI To Power Agent Skills - Bobby House, Docker
Friday April 3, 2026 12:00pm - 12:25pm EDT
Broadway Ballroom South (6th Floor)
While it is now considered a best practice for agent skills to leverage MCP servers, there is still no widely accepted approach for how those MCP servers should be distributed, versioned, and shared as dependencies.

This talk presents a practical pattern for using OCI artifacts as a distribution mechanism for MCP servers and configurations that agent skills depend on, enabling reproducible, shareable, and composable agent capabilities.

We’ll walk through creating an agent skill that can build and run an MCP project as a containerized service, then publish supporting artifacts such as the MCP server’s configuration.

Rather than bundling dependencies directly, the agent skill references an OCI artifact by OCI ref, pulls it at runtime, and activates the required MCP servers automatically. This ensures that when prompts expect specific MCP servers to be available, they already are.

By treating OCI as a universal distribution layer for agent tooling metadata and configurations, this approach makes agent skills easier to share, reproduce, and evolve across teams and environments.
Speakers
avatar for Bobby House

Bobby House

Sr Software Engineer, Docker
Bobby House is a senior software engineer at Docker that enjoys building products for engineers. His recent work centers on integrating MCP into enterprise environments by enabling organizations to publish and manage private catalogs of MCP servers as OCI artifacts.
agent skill dependencies pdf
Friday April 3, 2026 12:00pm - 12:25pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

12:00pm EDT

MCP Live: Streaming Context To AI Agents - Harshit Kohli, Amazon Web Services
Friday April 3, 2026 12:00pm - 12:25pm EDT
Astor Ballroom (7th Floor)
Most MCP servers work like snapshots - ask for context, get a response, done. But what happens when your code changes while the AI is working? Or system metrics spike during deployment? Your agent has stale data.

I've been building streaming MCP servers that push live updates to AI agents. Think file watchers notifying code changes, system monitors streaming metrics, or database triggers sending updates as they happen.

I'll walk through building a live log monitoring MCP server from scratch. We'll extend the basic MCP protocol to handle streaming data using WebSockets, implement event subscriptions, and keep agents synchronized with rapidly changing data.

The demo shows an AI agent monitoring application logs in real-time, detecting anomalies and suggesting fixes as errors occur - not minutes later when someone checks the logs.

This isn't theoretical - I'm using similar patterns in production for DevOps monitoring and trading systems. I'll share the code, discuss gotchas, and show how streaming MCP opens up new use cases.

You'll leave with practical patterns for building reactive MCP servers that keep your AI agents always current.
Speakers
avatar for Harshit Kohli

Harshit Kohli

Sr Technical Account Manager, Amazon Web Services
GenAI/Data Driven individual who has 15+ years of experience. Proven experience with AWS Data Analytics/GenAI services, Cloudera Hadoop, Hortonworks Hadoop and Mapr Hadoop. Achieved customer wins over Amazon Q , Bedrock, Amazon Managed Kafka, Amazon Data Firehose, Kinesis Streams... Read More →
HarshitKohli MCP Live Streaming Context pdf
Friday April 3, 2026 12:00pm - 12:25pm EDT
Astor Ballroom (7th Floor)
  MCP Best Practices

12:30pm EDT

Mix-Up Attacks in MCP: Multi-Issuer Confusion and Mitigations - Emily Lauber, Microsoft
Friday April 3, 2026 12:30pm - 12:55pm EDT
Empire Complex (7th Floor)
MCP deployments increasingly involve multiple authorization servers / identity providers across tools, registries, gateways, and enterprise environments. That flexibility introduces a classic but under-discussed class of failures: mix up attacks. A mix-up attack is where a client or intermediary confuses which issuer/authorization server it’s interacting with and misroutes sign-in artifacts, such as tokens, to the wrong party, potentially a malicious one.

This talk gives a clear threat model for mix-up in MCP-style topologies (client↔server↔auth server), then focuses on practical mitigations being discussed in the Auth Mix-Up Attack Prevention WG. I’ll also cover what’s realistic to adopt today in SDKs and servers versus what should be standardized in the MCP Core spec or another standard like OAuth.
Speakers
avatar for Emily Lauber

Emily Lauber

Senior Product Manager, Microsoft
Emily Lauber is a Senior Product Manager at Microsoft focused on identity, authentication, and developer platforms. She works at the intersection of cloud security, browser-based auth, and standards, helping shape how modern apps and agents securely authenticate and access resources... Read More →
MixUpAttackPrevention MCP pdf
Friday April 3, 2026 12:30pm - 12:55pm EDT
Empire Complex (7th Floor)
  Security and Operations

2:25pm EDT

Putting the Single Back in Single Sign-On: Cross-App Access for MCP - Paul Carleton, Anthropic & Max Gerber, Twilio
Friday April 3, 2026 2:25pm - 2:50pm EDT
Empire Complex (7th Floor)
MCP makes it easy for AI agents to connect to tools, but authorization hasn't kept up. Users connecting an MCP client to a dozen MCP servers face a dozen separate OAuth flows, one for each server, each with its own login and token lifecycle. If we have Single Sign-On, why are users signing in so many times? It's not just a UX problem. Enterprise environments can quickly run into governance issues with unmanaged or scattered permissions. Security teams can't answer basic questions about which agent can access which system under what policy. Every agent-to-server connection is another point-to-point relationship with no central visibility. Cross-App Access (XAA), built on the Identity Assertion JWT Authorization Grant (ID-JAG), solves both problems. By leveraging the existing trust between the MCP client, MCP server, and the organization's Identity Provider, the IdP can broker token exchanges from the user's initial login. Agents gain access to everything the admin has approved with one sign-in. No additional user interaction required. The IdP becomes the policy decision point for approving, scoping, and auditing delegated access across MCP integrations. In this session, Paul Carleton (Anthropic) and Max Gerber (Twilio) explain the technical underpinnings that enable enterprise admins to enforce policies about which users, clients, and servers can interact. They'll also demo an MCP client completing an XAA flow from beginning to end to obtain access tokens securely and silently. Attendees will leave understanding how Cross-App Access works and how to integrate with it.
Speakers
avatar for Max Gerber

Max Gerber

Principal Software Engineer, Twilio
Max Gerber is the software engineering lead for agent and AI identity at Twilio, where he works on core identity SDKs and APIs including OAuth, SAML, SSO, and RBAC. He previously led identity initiatives at Stytch and served as a lead engineer on MuleSoft’s IAM team during its integration... Read More →
avatar for Paul Carleton

Paul Carleton

Member of Technical Staff, Anthropic
Paul Carleton is a Core Maintainer of the Model Context Protocol and Auth Nerd at Anthropic, where he leads auth implementations across Anthropic's clients and the TypeScript and Python SDKs. He drives MCP conformance testing efforts to ensure consistent behavior across the ecosy... Read More →
Friday April 3, 2026 2:25pm - 2:50pm EDT
Empire Complex (7th Floor)
  Security and Operations

2:55pm EDT

UI in the Age of AI - Adam Cowley, Neo4j
Friday April 3, 2026 2:55pm - 3:20pm EDT
Juilliard Complex (5th Floor)
When the backend can reason, what does that mean for the frontend? Let's look at how to build UIs that support reasoning and adapt to any task.

The way we interact with software is changing. LLM-powered applications, with human-in-the-loop, are handling repetitive tasks that used to require forms and workflows. But bolting a chatbot onto your existing UI isn't enough - extracting structured data from natural language is fragile, adding frustration and friction for users.

In this talk, we'll explore how tool-calling and protocols like MCP provide deterministic contracts with non-deterministic systems, what human-in-the-loop looks like when the UI adapts to the task at hand rather than forcing users through fixed workflows.
Speakers
avatar for Adam Cowley

Adam Cowley

Manager, Developer Education, Neo4j
Adam is a multi-disciplinary developer with over 20 years of experience building products that help people learn and grow. Currently Manager of Developer Education at Neo4j, he leads the team behind GraphAcademy - Neo4j's free learning platform.
Friday April 3, 2026 2:55pm - 3:20pm EDT
Juilliard Complex (5th Floor)
  Apps and Agents

2:55pm EDT

Interceptors for MCP: A Production-Tested Standard for Agentic Middleware - Kurt Degiorgio & Cannis Chan, Bloomberg
Friday April 3, 2026 2:55pm - 3:20pm EDT
Broadway Ballroom North (6th Floor)
MCP standardized how agents connect to tools and context, but enterprise deployments need control between the model and the data. Today, MCP lacks a standard way to apply these controls, leading to a fragmented landscape of bespoke sidecars and proxies that shifts the M×N integration problem from the data layer to the middleware layer.
This session is a Protocol-in-Depth walkthrough of SEP-1763 (Interceptors), which proposes a protocol-native framework to intercept, validate, and transform messages across the MCP lifecycle, elevating middleware to a first-class capability alongside core MCP concepts. We will cover the concrete protocol semantics implementers need to align on: capability negotiation, hook points and invocation models, deterministic ordering/composition, enforcement semantics, error handling and observability.
We motivate the proposal with Bloomberg’s production experience in adopting interceptors to build agents in a regulated financial environment, sharing lessons on what must be standardized for interoperability. To ground the design, we map the proposed semantics to AWS Bedrock AgentCore Gateway Interceptors and OpenAI Guardrails’ staged validation guidance.
Speakers
avatar for Kurt Degiorgio

Kurt Degiorgio

Senior Engineer, Bloomberg
Kurt Degiorgio is a Senior Engineer at Bloomberg, working on building platforms for Generative AI. With 14 years of experience, his background includes Monzo, Diffblue and GFI Software (of TeamViewer fame), covering a wide technical spectrum—from developing network drivers to building... Read More →
avatar for Cannis Chan

Cannis Chan

Technical Product Manager, Bloomberg
Cannis Chan is a Technical Product Manager in the Office of the CTO at Bloomberg, building infrastructure platforms for AI products. With 10 years in B2B and Enterprise (AutogenAI, Deutsche Bank, Ondat/Akamai), she specializes in navigating complex products through pre- and post-product... Read More →
MCP Dev Summit Interceptors pdf
Friday April 3, 2026 2:55pm - 3:20pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth

3:25pm EDT

From Benchmarks To Business Value: Building a Use-Case Specific Agent Evaluation Framework - Gaurav Saxena, Independent & Matvey Kukuy, Archestra.AI
Friday April 3, 2026 3:25pm - 3:50pm EDT
Broadway Ballroom South (6th Floor)
While frontier models achieve impressive scores on benchmarks like MCP Atlas (62.3%) and SWE-bench (62.1%), these metrics don't answer the critical question: "Will this agent work for OUR specific use-case?"This talk presents a practical framework for building custom agent evaluation systems tailored to your organization's needs. We'll cover the complete lifecycle: data collection and categorization, open-source instrumentation patterns, and production monitoring for long-term performance tracking. You'll learn to construct evaluation datasets reflecting actual workloads, implement testing harnesses mirroring production constraints, and establish monitoring pipelines that catch degradations early.We'll demonstrate techniques for measuring agent reliability across accuracy, latency, cost, and safety dimensions while accounting for real-world variables: prompt engineering, data quality, MCP tool availability, and model selection. Attendees will leave with actionable strategies to build confidence in production deployments and create feedback loops for continuous improvement.
Speakers
avatar for Gaurav Saxena

Gaurav Saxena

Director of Engineering
Gaurav Saxena is an engineering leader in the field of platform and cloud engineering with over 20 years of experience in the software industry. His technical expertise includes Stream-based architectures, Kubernetes, Service Mesh, Software Supply Chain Security, and Observabilit... Read More →
avatar for Matvey Kukuy

Matvey Kukuy

CEO, Archestra.AI
Maintainer: Grafana OnCall, KeepHQ, Archestra.AI.

Ex-Engineering Director at Grafana Labs.
Friday April 3, 2026 3:25pm - 3:50pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

3:25pm EDT

Beyond the Sandbox: Security at the Host Layer - Lorenzo Verna & Pietro Valfrè, Denied
Friday April 3, 2026 3:25pm - 3:50pm EDT
Empire Complex (7th Floor)
Security in the MCP ecosystem has primarily followed a "Henhouse Model": building a perimeter to manage who enters with which keys. While we’ve become adept at granting agents the access they need to be productive, a new challenge is emerging. Because agents often operate with the user’s broad privileges, it is no longer just about managing entry; it is about ensuring that an agent's actions remain consistently aligned with the user’s intent.

While sandboxing is vital for isolation, it cannot "undo" the real world. When an agent uses an MCP tool to send an email, modify a calendar, or trigger a financial API, it steps through a "one-way door." Unlike local code, these actions lack a git revert.

We believe the most sustainable path forward is to move the primary authorization boundary to the Host. In this session, we propose an architectural approach that shifts outbound security to the application layer. By centering protection where context is richest, we can simplify server development and provide a more reliable way to manage the unpredictable nature of autonomous workflows.
Speakers
avatar for Lorenzo Verna

Lorenzo Verna

Co-founder and CPO, Denied
Lorenzo Verna (Math & CS) is Co-Founder & CPO at Denied.dev. A former CTO and founder with 3 startups and 2 exits, he has 15+ years building and scaling software products and AI platforms. His current work focuses on securing agentic systems, including MCP tool execution and policy... Read More →
avatar for Pietro Valfrè

Pietro Valfrè

CEO & Co.founder at Denied, Denied
Pietro, CEO and Co-founder of Denied, previously served as the first employee of a mid-size Italian venture studio. During his time there, he ultimately headed R&D and contributed to the successful development of several ventures. Having thoroughly explored the field of Auth, he is... Read More →
denied mcp nyc slides pdf
Friday April 3, 2026 3:25pm - 3:50pm EDT
Empire Complex (7th Floor)
  Security and Operations

3:25pm EDT

MCPwned: Hacking MCP Servers With One Skeleton Key Vulnerability - Jonathan Leitschuh, Independent
Friday April 3, 2026 3:25pm - 3:50pm EDT
Astor Ballroom (7th Floor)
MCPwned weaponizes a widely overlooked MCP-spec weakness, browser-based DNS rebinding, against SSE & streaming-HTTP MCP servers to exfiltrate data and escalate access.
This skeleton key vulnerability hacks your locally running MCP server, just by getting you to visit a malicious website.
Speakers
avatar for Jonathan Leitschuh

Jonathan Leitschuh

Open Source Security Researcher, Independent
Jonathan Leitschuh is an open source software security researcher and self-described Vulnerability Janitor. He was the inaugural Dan Kaminsky Fellow at HUMAN Security and later led research for OpenSSF’s Alpha-Omega project. He is best known for his 2019 Zoom zero-day disclosure... Read More →
Friday April 3, 2026 3:25pm - 3:50pm EDT
Astor Ballroom (7th Floor)
  Security and Operations

4:20pm EDT

MCP Servers in the Wild: Managing Tool Complexity at Scale - Arnav Balyan, Concierge AI
Friday April 3, 2026 4:20pm - 4:45pm EDT
Broadway Ballroom South (6th Floor)
As MCPs are adopted at scale, certain patterns start to emerge:
1. Increase in wrong tool calls
2. increase in token usage, semantic loss
3. agents skipping the required tool call sequence.

For high stakes domains such as finance and infrastructure, this leads to reliability and compliance risk.

This talk presents a new MCP server design pattern for addressing this class of problems called: "progressive tool exposure".
Rather than assuming static tools, the MCP server actively controls which tools are visible to the agent at each point in execution. This framework ensures, tools are refreshed, scoped, and changed as the agent progresses through an MCP workflow. This allows the server to direct the agent’s action space, guide execution order, and enforce "runbooks" without changing server/ agent capability. This design pattern also tracks state ensuring backtracking of tool calls reverts the server side state, making agent behaviour as transactional on the MCP server.

We show how such practices reduce invalid tool calls, lower inference costs, and improve determinism for tool heavy systems.
Speakers
avatar for Arnav Balyan

Arnav Balyan

CEO, Concierge AI
Founder of Concierge AI. Ex-Uber building MCP systems at scale. Concierge AI manages 400+ public MCP deployments, Arnav focuses on MCP tool complexity and researches token overhead reduction at scale.
Friday April 3, 2026 4:20pm - 4:45pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

4:20pm EDT

The Seven Deadly Sins With MCP - Ricardo Ferreira, Redis
Friday April 3, 2026 4:20pm - 4:45pm EDT
Broadway Ballroom North (6th Floor)
Picture your MCP server exposing your database to an overeager LLM that tries to "optimize" your schemas at 3 AM. Sinful? Absolutely. As MCP becomes the standard for connecting LLMs to real systems, teams are speedrunning mistakes like this—causing memory leaks, runaway polling, and permission scopes so wide they make the sudo commands executed in production look cautious.

This session breaks down the seven deadly sins developers must be aware about MCP: gluttony (resource abuse), sloth (lazy errors), wrath (aggressive polling), greed (permission overreach), pride (overengineering), envy (tool sprawl), and lust (unsafe exposure). Each of these sins can turn a powerful protocol like MCP into a recipe for disaster.

By examining each sin, its patterns, and its symptoms, you'll learn how to spot and avoid them, along with the technical practices that make MCP deployments reliable. Come learn how to ship with absolution. Instead of yet another pager alert.
Speakers
avatar for Ricardo Ferreira

Ricardo Ferreira

Lead Developer Advocate, Redis
Ricardo leads the developer relations team at Redis. He built a successful career in DevRel working for companies such as AWS, Elastic, and Confluent. He spent two decades working as a software engineer, instructor, and solution architect before diving into the world of developer... Read More →
Friday April 3, 2026 4:20pm - 4:45pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth

4:20pm EDT

From Chaos To Clarity: How MCP Transforms Incident Response - Sebastian Villanelo & Rocío Bayon, PagerDuty
Friday April 3, 2026 4:20pm - 4:45pm EDT
Astor Ballroom (7th Floor)
Imagine being on-call at 3 AM: alerts fire, you scramble between the incident, monitoring dashboards, Slack, runbooks, and ticketing systems. Each tool switch drains cognitive capacity during your highest-stress moments.

Current reality: On-call engineers navigate 5-10 tools under pressure. Managers manually coordinate team responses. Stakeholders interrupt for updates. Result: burnout, delayed resolution, human error.

MCP-powered future: Natural language handles coordination, knowledge retrieval, and status updates. Responders focus on solving problems, not navigating tools. Managers orchestrate responses conversationally. Stakeholders self-serve information.

Attendees learn production patterns for building MCP servers that reduce human fatigue in critical operations: safety mechanisms for high-stakes automation, balancing AI assistance with human oversight, context preservation across operations, and testing strategies for mission-critical workflows.
Speakers
avatar for Sebastian Villanelo

Sebastian Villanelo

Forward Deployment Engineer, PagerDuty
Develop custom reports that help each customer identify and monitor the metrics most relevant to their operations. Gather technical and functional requirements, working closely with the product team to translate customer needs into concrete improvements.
avatar for Rocío Bayon

Rocío Bayon

Product Manager, Forward Deployed Engineering, PagerDuty
Originally from Argentina and based in Chile, I'm a Product Manager on the Forward Deployed Engineering (FDE) team at PagerDuty. With a background in Mechanical Engineering and Business Analytics, I live at the intersection of technology, data, and real-world customer implementations... Read More →
MCP Dev Summit From Chaos to Clarity pdf
Friday April 3, 2026 4:20pm - 4:45pm EDT
Astor Ballroom (7th Floor)
  Security and Operations

4:50pm EDT

Call Now, Fetch Later: MCP Tasks and SEP-1686 - Adam Azzam, Prefect
Friday April 3, 2026 4:50pm - 5:15pm EDT
Broadway Ballroom North (6th Floor)
MCP made agents portable. But it also made them fragile—every tool call lives or dies by its network connection, and long-running work has been a liability we've all been working around in different (incompatible) ways.

SEP 1686 introduces native task orchestration to the protocol. This talk covers what's changing, why it matters, and what it unlocks for anyone building serious MCP infrastructure.

I'll walk through the design decisions, demonstrate the new primitives in FastMCP, and share what we've learned from helping teams scale MCP Tasks.

If you've ever wished MCP would just let you run real workloads without holding your breath, this one's for you.
Speakers
avatar for Adam Azzam

Adam Azzam

VP Product, Prefect
Adam Azzam, Ph.D. is VP of Product at Prefect, where he leads product development for their open source automation and context platform. He is a maintainer of FastMCP.

Before joining Prefect, Adam co-founded Openrole AI, where he served as CTO building an AI career co-pilot. He was previously Director of Product at Insight Data Science (YC S11). Adam holds a PhD in Mathematics from UCLA... Read More →
Friday April 3, 2026 4:50pm - 5:15pm EDT
Broadway Ballroom North (6th Floor)
  Protocol in Depth

4:50pm EDT

Enterprise-Ready MCP: Security Patterns and the "4-Legged" Identity Challenge - Paulina Xu, Agentic Fabriq
Friday April 3, 2026 4:50pm - 5:15pm EDT
Empire Complex (7th Floor)
As MCP evolves from local developer workflows to shared, remote infrastructure, new security & identity challenges emerge. Patterns that work for single-user, local MCP setups often break down when MCP servers become gateways serving thousands of users, agents, and tools. This session explores the architectural patterns required to deploy MCP securely in enterprise environments. We’ll examine common failure modes such as data overexposure, unsafe bulk operations, topic-based disclosure, and weak audit controls, and map them to practical MCP-level mitigations including least-privilege access, tool-level guardrails, and privacy-aware logging. A focus of the talk is the “4-Legged” Identity Challenge: when a user interacts with a web app, which calls an agent, which then calls a remote MCP server. This model is not natively handled by standard OAuth flows. We’ll cover approaches such as token exchange, pre-provisioned trust, and interactive authorization, and discuss how emerging MCP capabilities like protected resource metadata support scalable identity discovery. Attendees will leave with a blueprint for moving from local MCP development to secure, production-ready MCP deployments.
Speakers
avatar for Paulina Xu

Paulina Xu

CEO, Agentic Fabriq
Paulina Xu is the CEO of Agentic Fabriq, where she is building a centralized hub for agent identity, OAuth-based authentication, permissioning, and auditability, enabling organizations to safely manage what agents can access and do across tools, applications, and teams. Prior to founding... Read More →
Agentic Fabriq MCP Dev pdf
Friday April 3, 2026 4:50pm - 5:15pm EDT
Empire Complex (7th Floor)
  Security and Operations

5:20pm EDT

Reflections on Context Engineering Via MCP Servers - Till Döhmen, MotherDuck
Friday April 3, 2026 5:20pm - 5:45pm EDT
Broadway Ballroom South (6th Floor)
Effective context engineering via MCP servers requires understanding how host agents weave the server's responses into their context as conversations unfold.

Context flows through more channels than tool definitions alone: initial instructions, the tool set itself (explicit tools vs. generic execution tools), tool names and parameters, descriptions, response content, structure and length, error feedback, "skill-loading" tools, resources, and sub-agent delegation.

Each mechanism involves trade-offs. Eager loading of context risks bloat; lazy loading adds tool calls. Rich tool responses help agents self-correct but consume tokens. Sub-agents compartmentalize complexity, but limited client support for elicitation creates friction.

Getting this balance right means staying conscious of how much context you're injecting, when, and at what cost (e.g. in # of tool calls to achieve a goal)—a balancing act that's hard without a clear picture of what's happening inside the host agent's context window.

This talk aims at providing a framework for thinking about these decisions—grounded in concrete examples from building the MotherDuck MCP Server.
Speakers
avatar for Till Döhmen

Till Döhmen

AI Lead, MotherDuck
Till Döhmen is AI Lead at MotherDuck, where he focuses on building agentic experiences for data analytics. He designed and built the MotherDuck MCP Server, enabling AI agents to query and analyze data through Claude, Cursor, and other MCP clients. Till is also a final-year PhD candidate... Read More →
Friday April 3, 2026 5:20pm - 5:45pm EDT
Broadway Ballroom South (6th Floor)
  MCP Best Practices

5:20pm EDT

Context Middleware for MCP: From Enterprise Needs To Protocol Extension - Peder Holdgaard Pedersen, Saxo Bank
Friday April 3, 2026 5:20pm - 5:45pm EDT
Empire Complex (7th Floor)
Many MCP servers aren't public - they're internal enterprise deployments where security, compliance, and safety aren't optional. Yet MCP currently lacks standardized middleware patterns, forcing teams into shared libraries and bespoke solutions that recreate the NxM problem.

Context middleware lets us intercept, inspect, and transform MCP traffic at trust boundaries. Just as tools were key to end-user MCP adoption, standardized middleware can unlock it for regulated industries: PII redaction, audit logging, prompt injection defense, hallucination detection - all without vendor lock-in or security gaps.

For the emerging gateway and proxy ecosystem, this opens new market opportunities: standardized integration points that transform MCP infrastructure into a composable, enterprise-grade platform.

This talk presents a working implementation as used at a major financial institution, including demos of attack prevention and real-world findings. You'll leave understanding the architecture, the extension, the trust boundary considerations, and how to start building context-aware middleware today.
Speakers
avatar for Peder Holdgaaard Pedersen

Peder Holdgaaard Pedersen

Principal Developer, Saxo Bank
Peder architects AI systems and spearheads AI adoption at Saxo Bank as Principal Developer. He is a contributor to the C# MCP SDK and an MCP maintainer for the Financial Services Interest Group. He specializes in integrating cutting-edge AI capabilities with bespoke assistants and... Read More →
MCP Context Middleware pptx
Friday April 3, 2026 5:20pm - 5:45pm EDT
Empire Complex (7th Floor)
  Security and Operations

5:20pm EDT

Hooks, Not Hacks: Modular Enforcement for MCP Agents - Fred Araujo & Ian Molloy, IBM
Friday April 3, 2026 5:20pm - 5:45pm EDT
Astor Ballroom (7th Floor)
MCP enables agent composition, but leaves security, policy, and governance enforcement to individual implementations. This results in inconsistent controls and security gaps across agents, tools, and environments, pushing platform-specific logic into otherwise portable MCP systems.

This talk presents a hook-based extension pattern for MCP, inspired by the Linux Security Modules (LSM) extensibility model and implemented in open source as part of the ContextForge MCP Gateway. Using standardized pre- and post-execution hooks, the gateway intercepts MCP interactions such as prompt handling, tool invocation, and data transformation. These hooks enable composable security modules—including prompt injection detection, PII redaction, and policy-based access control (OPA/Cedar)—without modifying agent or MCP server logic. By externalizing enforcement into reusable modules, this approach avoids extensibility lock-in and enables interoperability with existing security frameworks.

We show how developers can author MCP extensions and apply consistent controls across agent stacks, focusing on design patterns and interoperability for production-ready MCP systems.
Speakers
avatar for Ian Molloy

Ian Molloy

Department Head, IBM Research
Ian Molloy is a Principal Research Scientists and Department Head of the Security Department at IBM's Thomas J. Watson Research Center, a large and diverse team working across working in cryptography, cloud, AI and Security Intelligence. His primary research interest is in automating... Read More →
avatar for Fred Araujo

Fred Araujo

Principal Research Scientist and Manager, IBM
Dr. Fred Araujo is a Principal Research Scientist and Manager at IBM Research, where he leads research on the security of AI agents and middleware. His work spans protocol security, access control, systems security, and program analysis, and has influenced several IBM and Red Hat... Read More →
Friday April 3, 2026 5:20pm - 5:45pm EDT
Astor Ballroom (7th Floor)
  Security and Operations
 
  • Filter By Date
    Apr 1 - 3, 2026
  • Filter By Venue
    New York, NY, USA
    All
    Astor Ballroom (7th Floor)
    Broadway Ballroom (6th Floor)
    Broadway Ballroom North (6th Floor)
    Broadway Ballroom South (6th Floor)
    Dear Irving on Hudson
    Empire Complex (7th Floor)
    Juilliard Complex (5th Floor)
    Lucky Strike Times Square
    Marquis Ballroom (9th Floor)
    Marquis Ballroom Foyer (9th Floor)
    Marquis Ballroom Salon A + B (9th Floor)
    Marquis Ballroom Salon C (9th Floor)
    North Registration - Fifth Floor Foyer (5th Floor)
    Soho Room (7th Floor)
    Solutions Showcase, Westside Ballroom (5th Floor)
  • Filter By Type
    Apps and Agents
    All
    MCP Best Practices
    Keynote Sessions
    MCP Best Practices
    All
    Apps and Agents
    Protocol in Depth
    Security and Operations
    All
    MCP Best Practices
    Special Events / Exhibits / Breaks
    Sponsor Booth Interactions
    Workshop
  • Audience Experience Level
    Advanced
    Any
    Beginner
    Intermediate
  • Session Slides
    Yes
  • Timezone

Get help with the event

Contact event planner Event login
View support guides Find upcoming events
Create an event you'd love to attend!
Explore why organizers choose Sched Success stories
Event App Event scheduling Event registration Event ticketing Sched forms Call for papers Badges Conferences
© 2026. SCHED LLC - All rights reserved - Helping events since 2008
Conference Scheduling Software Privacy Terms
Share Modal

Share this link via

Or copy link

Filter sessions
Apply filters to sessions.
Filtered by Date - 
Clear filter
Wednesday, April 1
Thursday, April 2
Friday, April 3
Astor Ballroom (7th Floor)
Broadway Ballroom (6th Floor)
Broadway Ballroom North (6th Floor)
Broadway Ballroom South (6th Floor)
Dear Irving on Hudson
Empire Complex (7th Floor)
Juilliard Complex (5th Floor)
Lucky Strike Times Square
Marquis Ballroom (9th Floor)
Marquis Ballroom Foyer (9th Floor)
Marquis Ballroom Salon A + B (9th Floor)
Marquis Ballroom Salon C (9th Floor)
North Registration - Fifth Floor Foyer (5th Floor)
Soho Room (7th Floor)
Solutions Showcase, Westside Ballroom (5th Floor)
  • Apps and Agents
  • Keynote Sessions
  • MCP Best Practices
  • Protocol in Depth
  • Security and Operations
  • Special Events / Exhibits / Breaks
  • Sponsor Booth Interactions
  • Workshop
  • Audience Experience Level
  • Advanced
  • Any
  • Beginner
  • Intermediate
  • Session Slides
  • Yes