Photo by Fabio Sasso on Unsplash
- As of June 18, 2026, the Enterprise-Managed Authorization (EMA) extension for MCP reached stable status, enabling zero-touch OAuth server setup through identity providers like Okta.
- MCP SDK downloads hit 97 million monthly as of March 2026—up from roughly 2 million at launch, a 4,750% growth rate in 16 months.
- 41% of surveyed software organizations now run MCP servers in some form of production, according to Stacklok's 2026 survey, but most lack centralized identity governance.
- EMA's biggest production risk isn't the setup—it's token scope drift and audit-trail fragmentation when agents chain tool calls across multiple MCP servers.
The Identity Problem No One Solved Until Now
Picture a mid-sized financial services firm in early 2026. Their engineering team spent three months wiring up MCP servers for Jira, Confluence, and a custom data warehouse. The agents work. The demos are impressive. Then compliance asks a simple question: "Which agent accessed which system, with what permissions, at what time?" Silence—not because the logs don't exist, but because every server has its own auth scheme, hardcoded API keys, and no unified audit trail. That's the production gap EMA was built to close.
According to Google News, reporting on the official MCP blog's June 18, 2026 announcement, the Enterprise-Managed Authorization extension reached stable status today—the first major governance addition to the protocol since Anthropic donated MCP to the Agentic AI Foundation under the Linux Foundation in December 2025. That Linux Foundation donation brought backing from AWS, Google, Microsoft, Salesforce, and Snowflake, signaling that MCP had crossed from Anthropic experiment to industry infrastructure. EMA is the first deliverable that makes that infrastructure enterprise-grade.
The Agentic Pattern: EMA as Centralized Identity Governance
The core agentic pattern here is delegated authorization—an agent acting on behalf of a human user, inheriting that user's permissions, scoped to a specific task, without the agent ever holding long-lived credentials. Before EMA, most MCP server deployments solved this with hardcoded API keys or per-server OAuth apps that each IT team managed independently. The Stack Overflow Blog identified this as a critical specification gap: the MCP specification deliberately avoided prescribing downstream authentication, leaving every implementation to invent its own solution.
EMA closes that gap by treating identity as a centralized governance plane rather than a per-server configuration problem. Okta became the first identity provider to support EMA through its Cross App Access protocol. As Okta's Aaron Parecki explained the design intent: "By embedding Cross App Access into MCP as the EMA extension, we turn identity into a centralized governance plane." The practical result is zero-touch OAuth server setup—IT provisions access once in the IdP, and every EMA-compliant MCP server inherits those policies automatically, without touching server-side code.
As of June 18, 2026, MCP servers from Asana, Atlassian, Canva, Figma, Granola, Linear, and Supabase have confirmed EMA support, with Slack actively adding it. That's not a niche adoption list—those are the collaboration and development tools enterprise AI agents most commonly need to touch.
The growth context makes the timing understandable. According to the official MCP blog and corroborated by GitHub data current as of May 2026, the modelcontextprotocol/servers repository accumulated 86,148 stars and 10,799 forks, with 15,926 repositories tagged with the mcp-server topic. Monthly SDK downloads reached 97 million as of March 2026—up from approximately 2 million at launch. When a protocol grows at 4,750% in 16 months, security governance is always the lagging indicator.
Chart: MCP SDK monthly downloads grew from approximately 2 million at the November 2024 launch to 97 million by March 2026, a 4,750% increase in 16 months. Source: official MCP blog data current as of March 2026.
That trajectory also explains why Gartner, as of mid-2026, projects that 40% of enterprise applications will include task-specific AI agents by end of 2026—and that 75% of API gateway vendors will have MCP features by the same date. When a protocol is embedded in that percentage of enterprise tooling, "everyone manages their own auth" stops being an engineering inconvenience and becomes a compliance liability.
Photo by Bernd 📷 Dittrich on Unsplash
What EMA Actually Looks Like in Architecture
Concretely, EMA works like this: an administrator registers MCP servers inside their identity provider—Okta today, with more IdPs presumably following. Each server receives a client credential scoped to specific capabilities. When an AI agent requests a tool call, the MCP server validates the incoming token against the IdP, checks the scope, and either allows or denies the operation. The agent never holds raw API keys. The IdP maintains the audit trail across every interaction.
This is a meaningful departure from the previous status quo. The Cerbos security analysis framed the pre-EMA problem precisely: "MCP authorization means controlling which AI agents—or users behind them—can invoke specific tools," while warning that "hardcoding permissions creates brittle code requiring redeployment for policy changes." EMA moves policy out of code and into the IdP, where access reviews, role changes, and revocations happen in real time without touching server source code.
For teams building on tools like Asana or Linear—both confirmed EMA adopters as of June 18, 2026—the practical workflow is live today. For teams running custom internal MCP servers, EMA is available as an extension implementable against any OAuth 2.0-compliant identity provider, not just Okta.
The OWASP 'MCP Top 10' project, launched in response to documented vulnerabilities in Asana Work Graph (data exposure), Atlassian MCP (forged support tickets), and Supabase implementations, adds useful framing here. EMA addresses the identity layer of those vulnerabilities. It does not address prompt injection or tool poisoning, which are separate attack surfaces OWASP documented. Academic researchers in arXiv paper 2504.08623v2 were explicit: "Simply adopting standard API security practices is insufficient" for MCP security, specifically calling for defense-in-depth and Zero Trust architecture. EMA is the identity piece of that Zero Trust stack—the most critical piece, but still one layer among several required.
Where This Breaks in Production
Here's where I'd push back on the "zero-touch" framing in the official announcement: the setup is zero-touch once the IdP is configured, but that configuration step is non-trivial for organizations with complex role hierarchies, contractors, or multi-tenant environments. The centralized governance plane only works as well as the RBAC (role-based access control) model beneath it in the IdP.
The deeper production risk is token scope drift. An AI agent chaining tool calls across three or four EMA-compliant servers—reading from Jira, writing to Confluence, querying a Supabase database, posting to Slack—accumulates permissions across each hop. If any of those servers issue tokens with broader scopes than strictly necessary, the agent's effective permission set expands in ways that may not surface in the IdP audit log without careful per-server configuration. This is the context window blowup equivalent for auth: the agent's permission surface grows with each tool call, and the audit trail fragments across multiple server logs.
For fintech environments navigating SOC 2, PCI-DSS, or banking compliance, that fragmentation is the audit finding waiting to happen. Teams should treat multi-server EMA deployments as requiring explicit scope enumeration at each hop—not relying on the protocol to enforce least-privilege automatically end-to-end.
The Stacklok 2026 survey finding that 41% of software organizations have MCP servers in some form of production (29% limited, 12% broad) suggests most teams are still in early deployment phases. That's actually reasonable for a 16-month-old protocol—it means the majority of organizations have time to architect EMA correctly before scaling. The teams already in broad production without centralized auth controls face the most immediate compliance exposure, particularly in regulated industries.
This trust gap echoes a broader pattern AI Tools flagged recently: AI adoption is consistently outpacing the governance infrastructure organizations need to trust it at scale. EMA is the first structural answer to that gap specifically within the MCP ecosystem.
Which Teams Should Move First
If your organization already uses Okta as its primary IdP and operates in finance, healthcare, or legal, EMA adoption is available today with minimal additional infrastructure. As of June 18, 2026, Okta's Cross App Access is the only confirmed EMA-compatible IdP implementation. Map your current MCP server inventory against the confirmed EMA-compatible list (Asana, Atlassian, Canva, Figma, Granola, Linear, Supabase) and prioritize migrating those servers first. The centralized audit trail benefit is immediate and directly maps to compliance requirements—document the migration as a SOC 2 control update.
For internally built MCP servers, begin implementing EMA as an extension now, before additional IdPs confirm support. The EMA specification is stable as of today, so building against it avoids rework when the second and third IdPs come online. Pay particular attention to scope definition: enumerate the minimum permissions each tool requires and enforce those as maximum scopes at the server level independently of the IdP. Defense-in-depth—as both the arXiv researchers and OWASP's MCP Top 10 framework recommend—means both layers independently enforce least-privilege, not just one.
If your organization is among the 12% with MCP in broad production, treat the EMA stable release as an audit trigger. Review every MCP server in inventory for authentication mechanism, scope breadth, and audit trail coverage. Any server using long-lived API keys or hardcoded credentials is a priority replacement candidate. Cross-reference the OWASP MCP Top 10 vulnerability taxonomy against your deployment before your next compliance review cycle—EMA mitigates the authorization-layer vulnerabilities, but prompt injection and tool poisoning require separate mitigations that no IdP integration will solve.
Frequently Asked Questions
What is the Model Context Protocol and how does it work?
The Model Context Protocol (MCP) is an open standard originally developed by Anthropic in November 2024 and donated to the Linux Foundation's Agentic AI Foundation in December 2025. It defines a standardized interface for AI agents to connect to external systems—databases, APIs, productivity tools, and enterprise software. Think of it as a universal connector: any AI agent can call any MCP server's exposed tools (read a Jira ticket, write to a Supabase database, query a data warehouse) without custom integration code per system. As of May 24, 2026, over 9,400 public MCP servers have been documented, with private enterprise deployments conservatively estimated at three to four times that number, totaling somewhere between 28,000 and 38,000 servers in the wild.
Is Model Context Protocol secure for enterprise use?
As of June 18, 2026, MCP with Enterprise-Managed Authorization is significantly more enterprise-ready than it was at launch—but it is not inherently secure by default. EMA addresses identity governance through centralized IdP integration. However, academic researchers in arXiv paper 2504.08623v2 emphasize that standard API security practices are insufficient for MCP security, specifically calling for defense-in-depth and Zero Trust architecture. The OWASP MCP Top 10 project additionally documents vulnerabilities—including data exposure in Asana Work Graph and forged ticket attacks in Atlassian MCP—that exist independent of the authorization layer. Enterprises should treat MCP security as a multi-layer problem: EMA for identity governance, plus separate mitigations for prompt injection, tool poisoning, and cross-server scope drift.
Who owns the Model Context Protocol?
Anthropic created MCP and launched it in November 2024. In December 2025, Anthropic donated the protocol to the Agentic AI Foundation, a project under the Linux Foundation, making it vendor-neutral. The foundation's backing includes AWS, Google, Microsoft, Salesforce, and Snowflake. This governance structure—similar to how Linux or Kubernetes are managed—is a primary reason OpenAI ChatGPT, Google Gemini, and Microsoft Copilot Studio all added MCP support within months of the original launch. No single company controls the roadmap.
What is Enterprise-Managed Authorization in MCP?
Enterprise-Managed Authorization (EMA) is an extension to the MCP specification that reached stable status on June 18, 2026. It enables zero-touch OAuth server setup through enterprise identity providers (IdPs), allowing IT administrators to centrally provision, scope, and audit AI agent access across MCP servers through their existing identity infrastructure—currently Okta via its Cross App Access protocol—rather than configuring authentication individually at each server. The practical effect is that policy changes (revoking access, adjusting scopes, onboarding new roles) happen in the IdP in real time, without modifying or redeploying MCP server code. EMA-compliant servers confirmed as of the stable release date include Asana, Atlassian, Canva, Figma, Granola, Linear, and Supabase.
How does MCP authorization differ from authentication in this context?
Authentication answers "who are you?"—verifying the identity of the agent or user making a request. Authorization answers "what are you allowed to do?"—controlling which tools, data sources, and operations that verified identity can actually invoke. In MCP's pre-EMA architecture, servers typically handled authentication (via API keys) but delegated authorization logic to individual server implementations, producing inconsistent and often hardcoded enforcement. EMA standardizes the authorization layer: once authenticated through the IdP, the agent receives a token scoped to specific tools and operations, and the MCP server enforces those scopes without custom code. As the Cerbos security analysis notes, this distinction—controlling which AI agents can invoke specific tools—is the critical governance capability that regulated enterprises require before deploying agents into production workflows.
Disclaimer: This article is editorial commentary for informational and educational purposes only and does not constitute financial, legal, or security advice. All statistics and claims reflect publicly available reporting and analysis. Research based on publicly available sources current as of June 18, 2026.