WorkOS MCP Night 2.0 Recap
On August 7, 2025, MCP Night 2.0 brought together 700 engineers, founders, and researchers at the Regency Ballroom in San Francisco for an evening of demos, discussions, and networking around the Model Context Protocol.
What began three months earlier as our first MCP Night at the Exploratorium has evolved into something much larger.
MCP Night 2.0 showcased how quickly the MCP ecosystem is maturing, with more sophisticated implementations, broader adoption, and deeper integrations across the AI infrastructure landscape.
Over 700 hackers, founders, researchers and San Fransciso community members, with lines that went around the block.
The Regency Ballroom provided the perfect venue for the developers, product managers, and researchers who are pushing the boundaries of what's possible when you connect large language models to real-world systems.
MCP Night 2.0 Keynote
I talked about how:
- AI apps grow faster. We're seeing more companies reach higher ARR faster than ever before
- MCP is enabling new experiences, but the Enterprise still requires Identity, Authentication, SSO, Audit logs and more
- WorkOS is seeing a lot of MCP adoption - by our count over 5,400 new MCP servers in the last few months - but also MCP clients (Claude, Cursor, VSCode, Goose and many more)
- MCP as a spec is evolving rapidly: elicitation and resource authorization to name a few, but there remain significant challenges around security
Five key themes from the evening
Several clear patterns emerged from the presentations and conversations throughout MCP Night 2.0, reflecting where the ecosystem is heading and what challenges remain:
1. Security and observability remain enterprise adoption blockers - Multiple speakers emphasized that while MCP shows tremendous promise, organizations need robust security controls and visibility into AI agent actions before widespread enterprise deployment.
2. MCP servers should map to human behavior, not just API endpoints - The most successful implementations don't simply wrap existing APIs, but thoughtfully design interfaces that reflect how people actually work and think about their tasks.
3. Context window limitations drive constant developer workarounds - Teams are getting creative with data summarization, intelligent filtering, and progressive disclosure to work within current model constraints.
4. Integrations are the next big AI product unlock - Rather than focusing solely on newer, more powerful models, the real competitive advantage comes from connecting AI systems to existing workflows and data sources.
5. Developer experience matters more than ever - Tools like Cursor continue to win developer mindshare by focusing relentlessly on seamless, intuitive interfaces that enhance rather than disrupt existing workflows.
MCP Night 2.0 Speakers
Michael Grinich
Theodora Chu
Dmitry Pimenov
Eric Zakariasson
Valentina Bearzotti
Software Developer at Basement (xMCP team member)
Liad Yosef
Ido Salomon
Matthew McClure
Richard Moot
Tech Lead, Developer Relations at Block
Harald Kirschner
Principal Product Manager at Microsoft (GitHub/VS Code team)
Marissa Felix
Kenneth Sinder
MCP Night 2.0 Panel Discussion
The highlight of the evening was a panel discussion between Anthropic and OpenAI representatives, focusing on enterprise readiness and the future of MCP adoption.
The conversation highlighted both companies' commitment to making MCP enterprise-ready while acknowledging the security and operational challenges that remain.
MCP (Music, cocktails and partying)
Once the talks, demos and panel discussion was complete, we headed downstairs for a massive afterparty.
Goodies included MCP Pins, stickers, Polaroids, and more...
There was also an impromptu Chess tournament that broke out!
The MCP ecosystem and community continue to expand
Three months after our first event, the Model Context Protocol has gained significant momentum across the industry. MCP remains the standard way to connect large language models to tools, APIs, data sources, and systems in a secure, standardized manner.
The protocol enables models to move beyond text generation into action execution, including creating tickets, retrieving data, calling APIs, managing files, and automating complex workflows.
What we're seeing now is the maturation of these capabilities into production-ready systems that organizations are deploying at scale.
WorkOS AuthKit continues to be the security layer that makes MCP deployments enterprise-ready, providing the granular access controls and audit capabilities that organizations need when connecting AI systems to sensitive data and critical operations.
Enterprise Security: The Central Challenge
From the panel discussion between Anthropic and OpenAI representatives to countless conversations at the afterparty, one question dominated MCP Night 2.0: How do we make MCP ready for the enterprise?
While it might seem obvious that improved security and observability are the answer, the reality is far more complex than simply attaching OAuth and logging to a public MCP server. The integration of Large Language Models with MCP servers, whether used directly by humans or through AI agents, introduces a sophisticated array of attack vectors that traditional enterprise security frameworks weren't designed to handle.
The expanding attack surface
Enterprise security teams are grappling with entirely new categories of threats that emerge when AI systems gain access to organizational tools and data:
Data Exfiltration via Prompt Injection - Malicious prompts can manipulate AI agents into accessing and exposing sensitive information through seemingly legitimate MCP interactions, bypassing traditional data loss prevention systems.
Malicious MCP and Tool Use - AI agents might be tricked into executing harmful actions through compromised MCP servers or by misinterpreting instructions in ways that cause unintended damage to systems or workflows.
Poor Server Configuration and Implementation - Unlike traditional APIs with well-established security patterns, MCP server implementations often lack standardized security configurations, leaving organizations vulnerable to basic misconfigurations.
Sandbox Escapes - AI agents operating within supposedly contained environments might find unexpected pathways to access restricted resources through MCP connections.
Credential Theft and Reuse - The dynamic nature of MCP interactions creates new opportunities for credential compromise, particularly when AI agents manage authentication across multiple systems.
Supply Chain Compromises - The ecosystem of third-party MCP servers introduces supply chain risks similar to those seen with npm packages or Docker images, but with the added complexity of AI-driven execution.
Protocol-Level Issues and Attacks - As a relatively new protocol, MCP itself may contain undiscovered vulnerabilities that could be exploited at scale across enterprise deployments.
Beyond traditional security models
What became clear from the evening's discussions is that enterprise MCP security requires fundamentally rethinking how organizations approach access control, monitoring, and risk management. Traditional perimeter-based security models break down when AI agents are dynamically interacting with dozens of systems based on natural language instructions.
The conversations revealed that leading organizations are beginning to develop new security frameworks specifically designed for AI-driven tool use, incorporating concepts like:
- Intent-based access controls that understand the context and purpose of AI actions
- Real-time behavioral analysis to detect when AI agents are behaving unexpectedly
- Granular audit trails that capture not just what happened, but why the AI agent made specific decisions
- Dynamic risk scoring for MCP interactions based on data sensitivity and potential impact
This shift in thinking about enterprise security was perhaps the most significant theme to emerge from MCP Night 2.0, suggesting that the next wave of MCP adoption will be defined as much by advances in AI security as by improvements in the protocol itself.