MCP Weekly: Copilot Goes Agentic, Security Reality Sets In, and MCP Reaches the UI Layer
December 19, 2025

Agentic copilots, real security tradeoffs, and MCP in the UI

Welcome to the latest installment of the MCP Weekly digest, covering major developments related to the Model Context Protocol (MCP) from December 11th through December 18th, 2025. This week MCP became a globally distributed, enterprise-facing execution layer, while also exposing the security realities that come with that scale.

TL;DR

This week, Microsoft announced public preview support for MCP-powered declarative agents inside Microsoft 365 Copilot, effectively turning MCP into a universal integration layer for enterprise SaaS and line-of-business systems distributed at massive scale.

At the same time, the industry was forced to confront the security consequences of that success. New research revealed over 1,000 publicly exposed MCP servers with no authorization, confirming that agentic infrastructure now represents a real and active attack surface. In response, vendors like Docker and Mirantis moved quickly to operationalize “secure-by-default” MCP deployments, while tooling ecosystems doubled down on authentication, isolation, and hardened supply chains.

Finally, the agent stack expanded upward. Google introduced A2UI, a declarative protocol that lets agents generate native user interfaces safely, signaling that MCP is no longer just about tools and data; it is becoming part of a broader, layered agent runtime spanning execution, interaction, and presentation.

Major Updates of the Week

MCP Becomes a First-Class Enterprise Distribution Channel

Microsoft’s announcement, “Build declarative agents for Microsoft 365 Copilot with MCP,” makes MCP the default integration contract between Copilot and external systems.

Developers can now connect SaaS platforms, internal business systems, and workflows to Copilot by exposing an MCP server URL. More importantly, MCP-based agents can now be distributed through the Microsoft Copilot store or deployed internally by IT administrators to specific organizational units.

From a platform perspective, Microsoft has abstracted away nearly all of the complexity that previously slowed agent adoption:

  • MCP schemas are ingested automatically
  • Tool definitions are generated for agents
  • Authentication is handled via SSO and OAuth 2.0
  • Granular subsets of tools can be selectively exposed

Early partner adoption by monday.com, Canva, and Sitecore demonstrates that this isn’t just theoretical: these agents execute multi-step workflows through natural language alone.

The Agent Security Reality Check Arrives

As MCP adoption accelerates, the security implications are becoming impossible to ignore.

Bitsight Research published a sobering analysis showing that approximately 1,000 MCP servers are currently exposed to the public internet with no authorization enabled. These servers allow unauthenticated clients to execute tools and access connected systems, effectively acting as open proxies into internal infrastructure.

While the MCP specification defines authorization as optional to support rapid local development, many teams have carried those defaults directly into production. As a result, researchers observed exposed tools capable of:

  • Managing Kubernetes clusters
  • Accessing CRM systems
  • Sending bulk communications
  • Executing arbitrary shell commands

Even more concerning, Bitsight identified over 1,100 MCP honeypots, indicating that both security researchers and threat actors are now actively scanning for vulnerable agent infrastructure.

Remote MCP servers without OAuth-grade protection are now clear production liabilities.
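To make the “optional authorization” default concrete, here is an added example (not code from Bitsight, the MCP project, or this article): a minimal handler for one Streamable HTTP POST that can run either as an exposed server, answering `tools/list` for anyone, or as a hardened one that rejects requests lacking a valid bearer token with a 401 and a `WWW-Authenticate` header pointing at the protected-resource metadata URL, as the MCP authorization specification requires. The token, metadata URL, and tool catalogue are constructed placeholders; `classify_exposure` is a defender-side helper for auditing your own endpoint, not part of any spec.

```python
import hmac
import json

# Constructed placeholders for this example; not values from the article.
EXPECTED_TOKEN = "example-token-not-a-real-secret"
RESOURCE_METADATA_URL = "https://mcp.example.invalid/.well-known/oauth-protected-resource"
TOOLS = [{"name": "list_pods", "description": "List pods in a namespace"}]


def _jsonrpc(req_id, result=None, error=None):
    msg = {"jsonrpc": "2.0", "id": req_id}
    msg["error" if error else "result"] = error or result
    return json.dumps(msg)


def handle_mcp_request(headers: dict, body: str, require_auth: bool = True):
    """Return (status, response_headers, response_body) for one MCP HTTP POST.

    require_auth=False reproduces the exposed deployments described above: any
    client can list and call tools. require_auth=True enforces a bearer token
    and answers unauthenticated requests with 401 + WWW-Authenticate so that
    compliant clients can discover the authorization server.
    """
    if require_auth:
        scheme, _, token = headers.get("authorization", "").partition(" ")
        # Constant-time comparison avoids leaking the token through timing.
        if scheme.lower() != "bearer" or not hmac.compare_digest(token, EXPECTED_TOKEN):
            challenge = f'Bearer resource_metadata="{RESOURCE_METADATA_URL}"'
            return 401, {"WWW-Authenticate": challenge}, ""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return 400, {}, _jsonrpc(None, error={"code": -32700, "message": "Parse error"})
    if req.get("method") == "tools/list":
        return 200, {"Content-Type": "application/json"}, _jsonrpc(req.get("id"), {"tools": TOOLS})
    return 200, {"Content-Type": "application/json"}, _jsonrpc(
        req.get("id"), error={"code": -32601, "message": "Method not found"})


def classify_exposure(status: int, body: str) -> str:
    """Audit helper: label the result of an unauthenticated tools/list probe of your own server."""
    if status == 401:
        return "protected"
    if status == 200:
        try:
            if "tools" in json.loads(body).get("result", {}):
                return "exposed"  # anonymous clients can enumerate tools
        except json.JSONDecodeError:
            pass
    return "unknown"
```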

Vendors Respond: Hardening MCP for Production

In response to these emerging risks, vendors are moving aggressively to professionalize MCP operations.

Docker Democratizes Secure-by-Default MCP

Docker announced that its Docker Hardened Images (DHI) are now free and open source, extending hardened, minimal, supply-chain-verified builds directly to the MCP ecosystem.

By releasing hardened MCP servers for foundational systems like MongoDB, Grafana, and GitHub, Docker is eliminating a long-standing tradeoff between speed and security. These images ship with:

  • Distroless runtimes to reduce attack surface
  • Full SBOMs for supply chain transparency
  • SLSA Build Level 3 provenance for verifiable integrity

Mirantis Pushes MCP into Operational Maturity

Mirantis launched MCP AdaptiveOps Services aimed squarely at enterprises struggling to move from prototypes to governed platforms.

Rather than focusing solely on tooling, Mirantis framed MCP as an operational discipline. Its services cover readiness assessments, platform design, compliance modeling, and reusable MCP server factories, with explicit alignment to the Agentic AI Foundation’s open governance model.

As noted in previous MCP Weekly digests, MCP security is no longer an afterthought or add-on; it is a foundational mandate.

MCP Reaches the Interface Layer

One of the more forward-looking developments this week came from Google, which introduced A2UI, an open, declarative protocol for agent-generated user interfaces.

While MCP standardizes how agents access tools and data, A2UI addresses the “last mile”: how agents present complex, interactive outputs safely. Instead of emitting raw HTML or JavaScript, agents produce structured JSON UI descriptions that render natively inside host applications.

This approach allows agents to generate rich interfaces such as charts, forms, maps, and dashboards. Early adoption inside Gemini Enterprise and Opal suggests that agent-driven workflows are moving beyond text-first interaction models.

My Thoughts: MCP Enters Its Operational Era

This week, agent-based systems are reaching everyday enterprise users, not just developers, and MCP is becoming part of real production workflows across organizations. At the same time, recent security research highlights the risks that can emerge when adoption accelerates. Exposed MCP servers represent a tangible operational concern. Encouragingly, the ecosystem is responding with improved defaults, stronger security measures, and clearer operational practices. Going forward, success with MCP will depend less on adding new features and more on deploying it safely and reliably.

Om Shree

Technical Evangelist

About Om Shree

Om Shree is a researcher, technical writer, and AI evangelist who focuses on making complex AI and agent workflows easier to understand. Om's passion is breaking down emerging technologies into clear, practical insights. He's excited to provide useful in-depth research that supports product planning and helps developers navigate new tools and systems with ease.
