Matthew Khouzam writes:

'Ericsson has joined the Agentic AI Foundation (AAIF). For a company that has been connecting the world for 150 years, this is a natural next step. The infrastructure that carries 40% of the world's mobile traffic increasingly runs on software, and that software needs intelligent tooling. AI agents that can plan, decide, and act using tools are not a novelty for us. They are an operational necessity.

I had the privilege of representing Ericsson at the MCP Dev Summit North America in New York City on April 2 and 3, 2026. This is the story of what I saw, what I learned, and why it matters.

What is the AAIF?

The Agentic AI Foundation is the industry body driving the standards and ecosystem for AI agents. It rests on three pillars:

MCP (Model Context Protocol) is the universal adapter between AI and tools. Think of it as USB-C for AI: one connector, every device. Write a tool once, use it from any MCP-compatible agent.

Agents.md is a standard format for defining agent behavior. Check it into your repo, and the whole team shares the same agent, portable across CLIs and platforms.

Goose is Block's open source, MCP native AI agent. Everything is an extension. It proves that the model works from end to end.

Why Ericsson Joined

MCP adoption is explosive. Over 73 million weekly SDK downloads across TypeScript and Python. Every major LLM provider supports it. Every major IDE supports it. Every major cloud provider supports it. The protocol is becoming a standard with or without us.

If we are not at the table, we are on the menu.

Ericsson brings something most AAIF members do not: decades of operating mission critical infrastructure on a global scale. We know what enterprise security looks like. We know what compliance at telecom scale demands. And we believe open source is not just a development model but a security model. Auditable code means no hidden backdoors.

Getting to MCP Dev Con NYC

The MCP Dev Summit North America was a two-day event at the Marriott Marquis in New York City. Walking in, the energy was palpable. Startups, big tech companies, independent researchers, and one telecom company all in the same room, all building on the same protocol.

The event was presented by the Agentic AI Foundation and hosted by the Linux Foundation. The hallways buzzed with conversations about security, identity, and the future of how AI agents interact with the world.

The Keynote from Anthropic

The opening keynote from Anthropic set the tone for the entire summit. Two major “announcements” stood out (they were already out, but I learned of them there):

Progressive Discovery allows MCP clients to load tool schemas on demand rather than all at once. This directly addresses the context window bloat problem. Instead of shipping all tool definitions upfront and consuming thousands of tokens before the user says anything, the AI only pays for what it uses.

MCP Apps enable tools to return rich content inline: images, charts, interactive elements. No more text only output. An anomaly detection tool can now return an annotated chart directly in the conversation.

These two features address many of the concerns the community had been raising for months. They show that Anthropic is listening and that the protocol is evolving in the right direction.

The Talks

Building MARVIN: What Teaching a Non-Technical Marketer to Use MCP Taught Me About AI Adoption

Sterling Chin, Postman

Sterling shared the story of putting MCP tools in the hands of someone outside engineering. What happens when a non-technical marketer tries to use an AI agent with real tools? The lessons about usability, onboarding, and the gap between protocol and product resonated with everyone in the room. MCP is powerful, but power means nothing if people cannot use it.

This is a strong reminder for me that we develop for users. We need to keep them in mind. I organized the talks in a flow that makes sense from a narrative perspective. Feel free to watch them in that order.

Shadow MCP: Finding the MCPs Nobody Approved

Alexander Frazer & Aidan Sochowski, Runlayer

This talk hit close to home for anyone in enterprise security. Shadow MCP is the new shadow IT. Developers install MCP servers in their IDEs and security teams have zero visibility into what tools their agents can access. Frazer and Sochowski showed how to detect and govern these rogue deployments. For Ericsson, where network security is non-negotiable, this talk validated exactly why we need to be part of this conversation.

Any large organization needs to address this problem. Also, Alex has mastered the art of memes in slides.

Golem To Murderbot: Challenges with Agentic Security Delegation Via MCP

Michael Schwartz, Gluu

Schwartz tackled the identity and authorization problem head on. When you have a user talking to an app talking to an agent talking to an MCP server, traditional OAuth breaks down. The four-legged identity challenge is the unsolved problem for enterprise MCP adoption. Gluu's perspective on what alternatives might look like gave the audience a lot to think about.

Cedar/Cedarling are projects to check out.

Enterprise Ready MCP: Security Patterns and the "4 Legged" Identity Challenge

Paulina Xu, Agentic Fabriq

Complementing Schwartz's theoretical framing, Xu presented practical security patterns for enterprise MCP deployments. How do you actually deploy MCP at scale while maintaining security, compliance, and auditability? This is directly relevant to what Ericsson needs to solve. The patterns she described map closely to the gaps we identified in our own state of the art analysis.

This talk needs more eyes. The solution may not be ideal yet, but the gap is real. Do you really want to have your credentials used by an agent on your behalf?

Who's Driving? Delegation and the Confused Deputy Problem for AI Agents

Vitor Balocco & Alvaro Inckot, Runlayer

Runlayer's sponsored session addressed the confused deputy problem: when an agent acts on behalf of a user, who is responsible? Their approach uses containerized MCP servers distributed as OCI images, providing verified distribution, isolation, and reproducibility. This aligns perfectly with Ericsson's security requirements around sandboxing and supply chain integrity.

Also, Alvaro has a great sunburst Ibanez guitar!

MCPwned: Hacking MCP Servers With One Skeleton Key Vulnerability

Jonathan Leitschuh, Independent

This was the most entertaining talk of the summit. Leitschuh is a gifted presenter who kept the entire room on the edge of their seats while demonstrating a skeleton key vulnerability that compromises MCP servers. Live hacking, real exploits, and real consequences. It made security tangible in a way that slides full of bullet points never could. A wake-up call for anyone deploying MCP without hardening their servers. Also, he dressed like a pirate, yarr.

The Hallway Track

The best conversations at any conference happen between sessions, and MCP Dev Con was no exception.

One unexpected highlight: running into colleagues from Ericsson Ireland. In a room full of startups and cloud companies, finding colleagues from across the Atlantic reminded me that Ericsson's reach is genuinely global.

For outsiders, the three fingers gesture is us trying to make the Ericsson company logo.

Ericsson's Angle at the Table

We came to MCP Dev Con not to lecture but to collaborate. Ericsson brings an enterprise security perspective shaped by 150 years of operating critical infrastructure. We have seen what happens when standards are built without input from the people who operate at scale.

Our role in the AAIF is to be the adults in the room without being gatekeepers. To build bridges, not walls. Standards need people who have operated at scale, and that is us.

Security Concerns We Are Watching

The talks at MCP Dev Con confirmed every gap we identified in our February 2026 state of the art analysis:

Tool poisoning: hidden instructions in tool metadata that the AI follows, but users never see.

Rug pulls: trusted servers that turn malicious after deployment.

Namespace typosquatting: malicious tools that mimic legitimate ones with similar names.

Enterprise gaps: no built-in authorization framework, direct system access without sandboxing, insufficient audit trails, and command injection risks.

Defenses must be lifecycle aware.

At creation: automated metadata verification and input sanitization.

At deployment: OCI containers and Sigstore attestations.

At operation: runtime sandboxing and real time monitoring.

At maintenance: automated updates with rollback and configuration drift detection.

What Comes Next

Ericsson's involvement in the AAIF is not a one-time appearance. We are here to shape the security standards that will govern how agents interact with enterprise infrastructure. The protocol will evolve. The question is whether it evolves to meet the needs of organizations that operate on a telecom scale.

If you are building with MCP, I encourage you to get involved. Try the protocol. Build a server. Join the ecosystem. The community is welcoming and the problems are real.

Closing Thoughts

Walking out of the Marriott Marquis after two days of talks, demos, and hallway conversations, I felt something I have not felt at a conference in a long time: the energy of a community that knows it is building something that matters.

I have the privilege of being paid by Ericsson to make the world a better place through open source, and for that I am grateful. MCP Dev Con reminded me of why this work matters. The future of AI is not just about models. It is about how those models connect to the real world. And that connection needs to be open, secure, and built by the people who will operate it at scale.

The question is not whether MCP becomes the standard. It is whether the standard meets our needs. That is why we showed up.

My name is Matthew Khouzam, and I have the privilege of being paid by Ericsson to make the world a better place through Open Source, and for that I am and always shall be grateful.'
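
The rug-pull and typosquatting concerns and the "configuration drift detection" defense listed in the post can be checked by pinning a hash of each reviewed tool definition. This is an added example, not part of the original post or any Ericsson or AAIF code; it assumes tool definitions are dicts with the `name`, `description` and `inputSchema` fields that an MCP `tools/list` response carries, and the tool names, sample data and 0.85 similarity threshold are constructed.

```python
import hashlib
import json
from difflib import SequenceMatcher

FIELDS = ("name", "description", "inputSchema")  # what the agent is shown

def fingerprint(tool):
    """SHA-256 over a canonical JSON form of the agent-visible fields."""
    canon = json.dumps({k: tool.get(k) for k in FIELDS},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def pin(tools):
    """Record the reviewed state: tool name -> fingerprint."""
    return {t["name"]: fingerprint(t) for t in tools}

def audit(pinned, observed, threshold=0.85):
    """Compare a server's current tool list with the pinned baseline."""
    findings = []
    for tool in observed:
        name = tool["name"]
        if name in pinned:
            if fingerprint(tool) != pinned[name]:
                findings.append(("changed", name, ""))  # metadata drift
            continue
        # Unreviewed name: is it suspiciously close to an approved one?
        near = next((p for p in sorted(pinned)
                     if SequenceMatcher(None, name, p).ratio() >= threshold), "")
        findings.append(("lookalike" if near else "new", name, near))
    seen = {t["name"] for t in observed}
    findings += [("removed", n, "") for n in sorted(set(pinned) - seen)]
    return findings

# Constructed sample data (assumption: not taken from any real server).
SCHEMA = {"type": "object", "properties": {"path": {"type": "string"}}}
APPROVED = [
    {"name": "read_file", "description": "Read a file.", "inputSchema": SCHEMA},
    {"name": "send_email", "description": "Send an email.", "inputSchema": SCHEMA},
]
OBSERVED = [
    {"name": "read_file", "description": "Read a file. [text added after review]",
     "inputSchema": SCHEMA},
    {"name": "send_emai1", "description": "Send an email.", "inputSchema": SCHEMA},
    {"name": "get_weather", "description": "Get a forecast.", "inputSchema": SCHEMA},
]

if __name__ == "__main__":
    for finding in audit(pin(APPROVED), OBSERVED):
        print(finding)
```

A `changed` finding should block the tool until it is re-reviewed, because the hash covers the description the model reads and the user usually never sees.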