The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for MCP Dev Summit North America to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.
IMPORTANT NOTE: Timing of sessions and room locations are subject to change.
ChatGPT apps aren't websites or mobile apps. They're a new primitive - lightweight tools invoked within a conversation, surfacing minimal UI to move the user forward.
Websites are destinations. Mobile apps are rich installed experiences with device access. ChatGPT apps are in-flow utilities - joining tasks already in progress. You don't own the screen or control the journey. The model decides when to invoke you.
Wrong mental model = wrong architecture.
Drawing on first-hand experience shipping ChatGPT apps for enterprise clients, we'll cover the principles separating apps that work from those that don't:
- Scoping around single, sharp intent vs building a platform inside a chat
- Where conversational interfaces add genuine value - and where you're fighting the medium
- Leveraging context and memory instead of requiring users to re-establish state
- Using ChatGPT as infrastructure vs distribution
- Testing and iterating when the model controls invocation
We'll walk through concrete implementation examples and lessons learned.
Elliot Garreffa is Co-founder and Head of Growth at Ghost Team, an AI-development studio building AI agents, MCP-Apps and ChatGPT Apps for enterprise B2B SaaS clients. Through his company Ghost Team he has pioneered production-grade MCP implementations for enterprise clients & built...
MCP is a strong foundation for building AI agents, enabling fast iteration, clear boundaries, and safer early deployments. But as agents move from prototypes to products customers rely on, product teams begin to hit limits around reliability, user experience, observability, and long-running workflows.
In this talk, I’ll share a product leader’s perspective on how MCP-based agent systems evolve in production. We’ll explore the product signals that indicate when MCP-only approaches start to constrain outcomes, and how teams can extend MCP-driven systems to meet higher expectations around trust, clarity, and control. Attendees will leave with a practical framework for scaling MCP-based agents from experimentation to dependable products.
Cansu Berkem is a Director of Product Management at Datadog, leading AI and Service Management platforms, and the product leader behind Bits AI, a generative AI copilot focused on building trusted, agentic AI systems in production. She has 15+ years of experience building AI, data...
You approve one sudo command (Ubuntu's default timeout is 15 minutes), so now your agent can `rm -rf /` your entire machine without asking again. You could run in a sandbox, but even there, `gh` can add a public SSH key to your account, or leak a token into the context window.
These aren't hypotheticals. Agents have deleted production databases and wiped drives using interfaces designed for humans, not autonomous AI. CLIs optimize for human ergonomics; APIs optimize for programmatic flexibility. Neither provides what agents need: structural safety boundaries, workflow context, graceful error recovery and auditable actions.
MCP can solve virtually all of these. This talk explores what breaks when agents use CLIs and APIs, and how MCP addresses these failures through protocol-level security, structured tool definitions, workflow guidance, consent flows, and registries.
We'll see why MCP offers the only sane path forward for safe agentic AI, and how it enables enterprise governance that unlocks mass corporate adoption. We'll also discuss gaps that still need addressing. You'll leave knowing exactly why "just use CLIs" is dangerous advice—and what to do instead.
Sam is a Senior Software Engineer at GitHub, where he leads development of the GitHub MCP server. He works on AI developer tools and helps shape agentic workflows at GitHub. In a past life he was also a professional drummer.
This session will describe the work of the AI Threat Modeling working group within the OpenID Foundation. Security considerations in OAuth were a concern before MCP, and MCP's use of OAuth raises additional concerns including malicious elicitation and code execution requests. I will describe MCP attacks which enable attackers to exfiltrate sensitive data, compromise password-protected accounts, and gain remote control of local machines.
Chair of AI Threat Modeling Working Group, OpenID Foundation
By day, Sarah is Director of Product Management for Semperis, a Series C startup. She also chairs the AI threat modeling group in the OpenID Foundation. Prior to that she spent five years at AWS where she led the open-sourcing of Cedar. She co-founded IDPro and co-authored NIST SP...
Delivering unstructured file content over MCP introduces various challenges in performance, efficiency, and security. We will explore the questions that arise when building an MCP server for content management and some of the approaches that can be used to tackle them. As enterprise environments require a more conservative security posture, we’ll also break down strategies for mitigating data exfiltration risks and prompt injection attacks through granular, configurable guardrails.
- Why large content operations can fail: latency, data corruption
- Techniques for managing context efficiently and minimizing LLM token usage
- The benefits of programmatic tool calling for MCP tool composability
- Tradeoffs between MCP and CLI for content operations
- Handling safety risks when untrusted content becomes a data exfiltration vector
- Balancing functionality and security when designing tool guardrails

By starting from first principles and reviewing specific examples, attendees will leave with techniques for building MCP servers that process unstructured content efficiently and securely in enterprise environments.
Fernando Cerenza leads Box’s partner integration ecosystem, where he oversees a vast network of over 1,500 application integrations. He is currently spearheading Box’s AI-focused initiatives, driving development on MCP and A2A to enable advanced agentic AI outcomes and seamless...
Kailas Krivanka is a software engineer with expertise in API design, software architecture, and distributed systems. He has worked at Box for 4 years, building scalable systems and solving complex technical challenges including launching the Box MCP server. With experience across...
Agentic systems adopting MCP face a scalability hurdle: managing interactions with numerous servers exposing dozens or hundreds of tools. Injecting all tools into the model context, or "context bloat," increases latency, inflates context window usage, drives up costs, and degrades reasoning quality.
This session introduces the MCP Gateway pattern, an architectural solution to context bloat. This pattern uses an MCP-aware routing layer to dynamically select and inject only the tools semantically relevant to a user request.
We will detail the design and implementation of semantic tool routing utilizing intent classification, embedding-based search, and lightweight prompt analysis. The talk will cover how this routing layer interacts with multiple MCP servers, maintains protocol correctness, and enables just-in-time tool discovery without overwhelming the model.
Attendees will receive a practical blueprint for building scalable, cost-efficient, and modular agentic systems based on MCP. The session emphasizes reusable patterns and reference architectures applicable across the broader MCP ecosystem, independent of any single vendor or runtime.
Hugo Guerrero is a tech leader, speaker, and architect obsessed with AI, APIs, and the systems that connect them. From scaling developer ecosystems to mastering event-driven architecture, he focuses on making agentic connectivity a practical reality for modern enterprises. Passionate...
At WestJet, our flight schedule is modeled in a Neo4j graph database - airports, routes, aircraft, seasonal schedules. The data is rich, but accessing it required Cypher expertise most stakeholders don't have.
I built an MCP server to change that. By creating a proxy layer connecting Claude to our Neo4j database, I enabled non-technical colleagues to query complex flight relationships using natural language. No Cypher. No waiting for developers. Just questions and answers.
This talk covers the journey from idea to working pilot: why I chose MCP, how I architected a proxy server wrapping the Neo4j MCP server, and what I learned deploying it internally. I'll give a live demo showing how analysts can explore our flight network conversationally.
This isn't a top-down initiative. It's about individual ownership - recognizing potential in data your team already maintains and using MCP to unlock value for people who couldn't access it before. Whether you're exploring MCP for enterprise data or graph databases, this talk offers a practical, beginner-friendly blueprint.
Anton Lysov is a Software Developer at WestJet, working on backend systems that power westjet.com, mobile apps, and services used by teams across the organization. Before WestJet, he was one of the first hires at Rafflebox, helping build a platform that raised over $500M CAD for nonprofits...
With MCP Apps, AI interactions are no longer limited to text. MCP Apps unlock the full power of the web within AI chat, allowing us to build AI-enriched UIs that persist, react and collaborate in real-time.
Through a series of demos and code deep-dives, I’ll showcase foundational patterns that we've found to be effective as MCP Apps gain ubiquity.
Durability: Demo a “text snippet saver” that persists across conversations, threads, and even different AI clients, enabling shared memory that follows you everywhere.
Async tasks: Start an async audio transcription job, monitor it with a progress bar, and receive a completion notification in chat, while other work continues.
Realtime sync: See the job we just ran come alive as we play the original audio file with the text transcript rendering in perfect sync.
Multiplayer: Join me in a live collaborative drawing demo accessible through a public MCP server. Draw your best race car in real-time while we watch everyone’s creations come to life. The best drawing wins a prize!
The purpose of these demos is to spark imagination and show a glimpse of the future of intelligent UIs that go beyond the capabilities of the modern web.
Now live on GitHub, gcloud-mcp is the open-source reference implementation bringing agentic power to Google Cloud via the Model Context Protocol. As cloud platforms grow more complex, traditional CLIs struggle to support exploratory, goal-driven interactions. This session shares architectural lessons from building the bridge between AI assistants and enterprise cloud services to enable agent-driven reasoning.
Using the Storage MCP server as a deep dive, we demonstrate how AI assistants interact with Google Cloud Storage via MCP. We’ll show how raw GCS APIs were transformed into high-level Storage Intelligence tools that support meaningful workflows rather than simple command execution.
We focus on the design of the /storage-mcp package, including how we summarize GCS metadata into concise, accurate responses that agents can reason over without hitting context limits. Finally, we discuss how metrics like cost, latency, and task accuracy guided our iteration, helping refine prompt design and tool granularity. Attendees will leave with practical, enterprise-ready patterns for building local MCP servers that enable efficient interaction with complex cloud infrastructure.
As AI agents become more autonomous through the Model Context Protocol (MCP), one question becomes unavoidable: why, when, and how should humans be asked to intervene to provide feedback or approval?
In this talk, we explore MCP elicitation as a core design pattern for agentic systems, not just as a UX or AX (Agent Experience) feature, but as a security, authorization, and trust mechanism.
We will:
- Trace how human interaction models evolved across web, APIs, and OAuth, and why MCP requires a new balance
- Break down elicitation patterns in agent workflows
- Show how elicitation integrates with fine-grained authorization, consent, and delegation
- Explore step-up authentication and human-in-the-loop approvals for accountability
- Discuss how proper elicitation improves trust, explainability, and compliance, without harming DX, UX, or AX
The goal is simple but critical: delivering agentic AI that users can trust, by design, not by trade-off.