The MCP Trojan Horse
How Frontier Models Are Running the Google and Facebook Playbook on Enterprise Data
written from the MCP Dev Summit, New York City, April 2026
The Model Context Protocol is the most consequential data acquisition layer in the history of artificial intelligence — and most of the enterprises adopting it don’t realize that’s what it is.
That is the argument of this article. It requires some unpacking. And it deserves to be made carefully, because MCP also has genuine technical merit in specific contexts, and the engineers building on it are largely acting in good faith. But the structural dynamics of what MCP enables — who benefits, what data flows where, how policies evolve after infrastructure is entrenched — follow a pattern the technology industry has run before. With Gmail. With Facebook. With every platform that offered genuine utility while quietly accumulating something more valuable than the product itself.
I spent today at the MCP Dev Summit in New York City. The room was full of smart people. The talks were technically competent. There were sessions on authorization frameworks, OAuth flows, gateway registries, and compliance patterns. What was absent, in any session I attended, was a serious examination of the deeper question: what is this infrastructure actually collecting, who benefits from that collection over time, and what happens when today’s policy commitments become tomorrow’s competitive liabilities?
I’ve been building software for over 20 years. I’ve watched these patterns play out before. I’m watching one play out again. And this time, the stakes may be higher than anything that came before — because what is being accumulated is not social behavior or search intent. It is the cognitive architecture of human expertise itself.
Part One: The Gift
Let me start with what MCP actually is, stripped of its marketing.
MCP is a calling convention — a standardized way for AI clients like Claude Code, Cursor, and Windsurf to discover and invoke tools that live on servers. An MCP server exposes functions with descriptions. An MCP client reads those descriptions and calls the functions when the AI decides it needs them.
That’s it. The technical community has been comparing it to USB-C — one standard port, many peripherals. The analogy is apt, though not in the way the promoters intend.
USB-C moves data between devices. MCP moves enterprise data to frontier model providers.
The official story, told at this conference and in Anthropic’s launch announcement, is that MCP solves an integration problem. Before MCP, connecting an AI to your internal tools required custom code for every combination. MCP gives you a standard so you build once and reach every AI client.
This is true. And it is also, I will argue, the least important thing about MCP.
Part Two: The Well Running Dry
To understand why MCP matters strategically, you need to understand the most quietly discussed crisis in artificial intelligence: the training data problem.
Epoch AI, one of the most rigorous research organizations tracking AI development, has documented this in unsettling detail. Their research suggests that the stock of high-quality human-written text suitable for training frontier models will be effectively exhausted by 2026-2028. The open web — Wikipedia, Reddit, GitHub, StackOverflow, PubMed, arXiv, Common Crawl — has been fully mined. Everything legally defensible and high-quality has already been scraped by every major lab.
Dario Amodei, CEO of Anthropic, estimated in 2023 a ten percent chance that AI system scaling could stagnate due to insufficient data. Current models cost roughly $100 million to train. Models in development cost around $1 billion. Models projected for 2025-2027 could reach $10 to $100 billion. Those costs are rising not because compute is getting more expensive, but because models need increasingly more data to achieve incremental improvements, while that data is becoming scarcer.
The industry has responded with three strategies:
First, synthetic data. Generate training data using AI itself. The problem is documented in a 2024 Nature paper: models trained recursively on AI-generated content experience “model collapse.” The outputs become increasingly homogenized and disconnected from reality. The models start dreaming rather than learning.
Second, licensing deals. OpenAI signed a deal worth over $250 million with News Corp for five years of access to their content. Reddit negotiated with Google and OpenAI for $203 million annually. The industry is paying unprecedented sums to get access to human-written text. But even this strategy has limits — the available text is finite, and the good stuff is already claimed.
Third, something else entirely.
A VC publication called SignalFire put it clearly in late 2025: “The new training frontier is not about ‘what’s true’ but ‘what works.’ To achieve functional reasoning, AI models must be trained on structured datasets that accurately reflect how experts perform tasks in real-world settings — writing code, arguing cases, diagnosing patients, negotiating contracts, managing projects. This type of workflow data is largely absent from the open web.”
That is the missing dataset. Not more text. Not more synthetic content. But the cognitive workflows of human experts doing real work.
And that dataset cannot be scraped from the internet. It doesn’t exist there. It has never been shared publicly. It lives entirely inside enterprises — in the queries engineers send to their databases, the questions lawyers ask their document systems, the diagnostic reasoning of clinicians navigating patient records, the strategic decisions executives test against their financial models.
Until now, this data has been inaccessible. There was no mechanism to reach it at scale. No enterprise would share it directly. No data licensing deal would capture it. It requires watching humans actually work.
MCP is that mechanism.
Part Three: The Script We’ve Seen Before
Before I explain how, let me tell you a story you already know.
Gmail, 2004.
Google launched Gmail with a revolutionary offer: one gigabyte of free storage at a time when competitors offered two megabytes. The catch, revealed in the fine print, was that Google would scan email content to serve contextually relevant advertisements.
The public reaction was immediate outrage. Privacy advocates raised alarms. A group of California state senators introduced legislation. Users worried about their communications being read by a corporation.
And then everyone used Gmail anyway.
By 2013, Gmail had become the world’s largest email service. And Google was doing something more sophisticated than scanning for ads — it was using the behavioral patterns of hundreds of millions of users to understand human communication at a depth no one had previously achieved. It wasn’t just the content of the emails. It was who people emailed, how often, what triggered responses, how relationships evolved over time, what language patterns indicated intent.
Gmail didn’t just give Google a product. It gave Google a map of human social cognition.
Facebook, 2006.
Facebook launched its News Feed feature to immediate user revolt. “Stalker Feed,” users called it. A group called “Students Against Facebook News Feed” gathered 750,000 members in 24 hours — ironic given that they organized the protest on Facebook itself.
Mark Zuckerberg apologized. Facebook added privacy controls. Users kept using it.
What the outrage missed was that the News Feed wasn’t the product. The behavioral data it generated was. Facebook was learning how social attention works — what content people engage with, what they ignore, what triggers sharing, what triggers outrage. By 2018, Cambridge Analytica had used this data to construct psychographic profiles of 87 million users for political targeting. By 2021, the Facebook Papers revealed that internal researchers knew the platform was causing harm and the company chose growth anyway.
The infrastructure had been built. The data had been accumulated. The policy came later.
What these stories share:
In both cases, the technology offered genuine value — free email storage, an easier way to see what friends were doing. In both cases, users accepted because the trade felt reasonable in the moment. In both cases, the data being accumulated was richer and more consequential than users understood. In both cases, the full implications became clear only after the infrastructure was entrenched and the switching costs made departure painful.
This is the playbook. And it is being run again.
Part Four: What MCP Is Really Collecting
When an enterprise connects its internal systems to Claude via MCP, here is what flows through that connection:
The obvious part: data. Query results, document contents, database records returned in response to AI requests.
But the less obvious part is what makes this strategically unprecedented: cognitive workflows.
When an enterprise engineer asks Claude to debug a distributed system failure, and Claude reaches into the company’s logging infrastructure, query database, and monitoring tools via MCP, the model doesn’t just see the data it retrieves. It observes:
How an expert frames a complex problem
What context they consider relevant
What tools they reach for in what order
How they interpret ambiguous results
How they course-correct when initial hypotheses fail
The full reasoning loop of professional expertise applied to a real problem
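To make the calling convention and the flow described above concrete, here is an added example (not from the original article or from any MCP SDK) that audits a log of MCP JSON-RPC messages and reports which tools were called, in what order, and how many bytes of tool output entered the model's context. The function name `audit_mcp_session`, the tool names, and the sample transcript are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample traffic (not captured from a real deployment): JSON-RPC 2.0
# messages in the shape MCP uses for tool discovery (tools/list) and
# invocation (tools/call). Tool names and payloads are hypothetical.
SAMPLE_TRANSCRIPT = [
    '{"jsonrpc":"2.0","id":1,"method":"tools/list"}',
    '{"jsonrpc":"2.0","id":1,"result":{"tools":['
    '{"name":"search_logs","description":"Search application logs","inputSchema":{"type":"object"}},'
    '{"name":"run_sql","description":"Run a read-only SQL query","inputSchema":{"type":"object"}}]}}',
    '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"search_logs",'
    '"arguments":{"service":"checkout","query":"timeout"}}}',
    '{"jsonrpc":"2.0","id":2,"result":{"content":[{"type":"text",'
    '"text":"12:01 checkout timeout upstream=payments"}],"isError":false}}',
    '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"run_sql",'
    '"arguments":{"sql":"SELECT count(*) FROM orders"}}}',
    '{"jsonrpc":"2.0","id":3,"result":{"content":[{"type":"text","text":"count=41"}],"isError":false}}',
    '{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"search_logs",'
    '"arguments":{"service":"payments","query":"pool exhausted"}}}',
    '{"jsonrpc":"2.0","id":4,"error":{"code":-32603,"message":"backend unavailable"}}',
]


def audit_mcp_session(lines):
    """Summarise what one MCP session exposed to the model.

    Returns the tools the server advertised, the ordered sequence of tool
    calls (the workflow), and the volume of tool output that was returned
    to the client and therefore placed in the model's context.
    """
    advertised = []                    # tool names offered via tools/list
    pending = {}                       # request id -> (method, params)
    workflow = []                      # ordered record of completed tool calls
    bytes_by_tool = defaultdict(int)   # text bytes returned per tool

    for raw in lines:
        msg = json.loads(raw)

        if "method" in msg:
            # Requests carry an id; notifications do not and get no reply.
            if "id" in msg:
                pending[msg["id"]] = (msg["method"], msg.get("params") or {})
            continue

        # Anything else is a response: pair it with its request by id.
        method, params = pending.pop(msg.get("id"), (None, {}))

        if method == "tools/list" and "result" in msg:
            advertised = [t["name"] for t in msg["result"].get("tools", [])]

        elif method == "tools/call":
            name = params.get("name", "<unknown>")
            result = msg.get("result") or {}
            content = result.get("content", [])
            # Only text items are measured; other content types are counted.
            size = sum(len(c.get("text", "").encode("utf-8"))
                       for c in content if c.get("type") == "text")
            non_text = sum(1 for c in content if c.get("type") != "text")
            # A call fails either at the protocol level (JSON-RPC error)
            # or at the tool level (isError set in the result).
            failed = "error" in msg or bool(result.get("isError"))
            workflow.append({
                "step": len(workflow) + 1,
                "tool": name,
                "argument_keys": sorted((params.get("arguments") or {}).keys()),
                "result_bytes": size,
                "non_text_items": non_text,
                "failed": failed,
            })
            bytes_by_tool[name] += size

    called = {step["tool"] for step in workflow}
    return {
        "advertised": advertised,
        "workflow": workflow,
        "bytes_by_tool": dict(bytes_by_tool),
        "total_result_bytes": sum(bytes_by_tool.values()),
        "advertised_but_unused": [t for t in advertised if t not in called],
    }


if __name__ == "__main__":
    report = audit_mcp_session(SAMPLE_TRANSCRIPT)
    for step in report["workflow"]:
        print(step)
    print("total bytes returned to the model:", report["total_result_bytes"])
```

The ordered `workflow` list is the part the surrounding text is concerned with: it records not only the data returned but the sequence of tools reached for, including the failed attempt.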
This is qualitatively different from anything frontier models have been trained on before. The web contains the outputs of human thinking — finished articles, documented code, published papers. MCP gives frontier models access to the process of human thinking — the iterative, messy, expert cognition of people actually doing hard work.
IBM Research made this explicit in a 2025 paper on agentic workflows: “Agentic workflows are meaningful not only for task execution but also for training the next generation of LLMs. In traditional, nonagentic workflows, using the output of one LLM to train another has not been found to lead to effective results. However, using an agentic workflow that produces high-quality data leads to useful training.”
IBM is saying, in technical language, what I’m saying in plain language: watching experts work via agentic systems produces the training data that static text cannot. MCP creates exactly the conditions for this observation at enterprise scale.
The domains this unlocks:
Legal: How lawyers actually research and reason through novel cases — the queries, the documents consulted, the arguments tested and discarded
Medicine: How clinicians work through differential diagnosis — the sequence of information gathering, the weight given to different signals, the judgment calls under uncertainty
Finance: How analysts build and stress-test models — the assumptions challenged, the scenarios explored, the risks weighted
Engineering: How experts debug complex systems — the mental models applied, the hypotheses formed, the evidence evaluated
Strategy: How executives test decisions against data — the questions asked, the context assembled, the conclusions drawn
None of this data exists in the public domain. None of it could be licensed. It has never been observable at scale. MCP makes it observable for the first time in history.
Part Five: The Mechanism and the Policy
At this point, a reasonable person raises the obvious objection: Anthropic has stated explicitly that they don’t train on enterprise data accessed through MCP.
Anthropic’s privacy documentation states: “Feedback data does not include raw content from connectors including remote and local MCP servers.”
This is true. And it is important to separate two distinct questions that often get tangled in this discussion.
The first question is about mechanism. What does MCP structurally enable? The answer is clear and documented: MCP creates a standardized, frictionless pathway for enterprise cognitive workflow data to flow through frontier model infrastructure. This is what the protocol does. It is the mechanism. It is not disputed.
The second question is about intent and use. Is that data being used for training? Is there a deliberate strategy to capture it? These are separate questions, with answers that are less certain, and which are appropriately answered with more care.
On the mechanism, there is no ambiguity. Enterprise data flows through Anthropic’s infrastructure when MCP is in use. The behavioral patterns of how experts interact with enterprise systems are observable to the model during inference. The mechanism exists regardless of what policy currently governs its use.
On intent and current use: Anthropic states they do not train on this data. I have no evidence to contradict that specific claim. What I do have is a detailed understanding of how policy evolves in platform businesses over time — and that understanding is where the concern lives, not in any accusation about current practice.
September 2025: Anthropic updated its privacy policy to allow individual consumer users’ conversations to be used for model training — by default, with an opt-out mechanism. The change was framed as voluntary contribution. Users who didn’t actively opt out would have their data used. Bitdefender’s analysis noted: “The design of the new policy — presenting users with a prominent ‘Accept’ button and a smaller, pre-selected toggle for data sharing — raises questions about whether users are giving true, informed consent.”
This is not evidence of bad faith. It is evidence of how policies evolve. Consumer data first. The mechanism already built. The enterprise question deferred.
The derived data loophole.
Here is what most people discussing MCP privacy miss entirely: the policy covers raw data. It says almost nothing about what can be derived from that data.
When Claude processes a query against your proprietary financial model, the raw query and data may be protected. But consider what else exists after that interaction:
Statistical patterns across millions of similar enterprise queries
Aggregate signals about how domain experts frame problems
RLHF signals derived from which model responses experts find useful
Synthetic training data generated to mirror enterprise interaction styles
None of these derived artifacts are “your data” in any legal sense. The derived signal is legally and technically distinct from the source data. GDPR protects personal data. It has limited reach over aggregate behavioral patterns derived from enterprise system queries. Enterprise process data has even less protection — it is not personal data at all.
The mechanism is: protect raw data from explicit reuse. The behavioral and cognitive patterns it reveals are a separate matter, governed by different — and much narrower — frameworks.
The long-term storage reality.
Every interaction with Claude through MCP is logged somewhere. This is not speculation — it is basic engineering economics. The cost of storage is negligible. The future value of interaction logs, if policies evolve, is potentially enormous. Data captured today under favorable terms is available the moment those terms change. Enterprises have no mechanism to retroactively delete data that flowed through MCP connections before any such policy shift.
The storage decision and the training decision are made at different times, by the same organization facing different competitive pressures. The infrastructure is built first. The policy question is answered later, after the switching costs make departure painful.
This is the mechanism. It does not require intent to be consequential.
This is not conspiracy. This is how platform businesses work. You accumulate data under favorable terms. You shift terms when the network effect has made departure painful.
Part Six: What This Data Teaches Models
To understand why this matters for the future of AI, you need to understand what frontier models currently can and cannot do.
Current models are extraordinary at language. They reason well about problems they’ve seen patterns of in training. They write, summarize, translate, and explain with superhuman fluency.
What they lack is grounded domain expertise — not knowledge about a domain, but the embodied judgment of an expert operating within it. The difference between knowing facts about medicine and thinking like a clinician. Between understanding code syntax and debugging like a senior engineer. Between analyzing market data and reasoning like a portfolio manager.
This gap is often called the “jagged frontier” — AI is superhuman in some dimensions and surprisingly weak in others, in ways that don’t map to how humans think about intelligence. The jaggedness correlates with what was in the training data: tasks that appeared extensively in public text are performed well; tasks that experts do privately and rarely document are performed poorly.
Enterprise MCP data closes this gap by providing, for the first time at scale, the private cognitive workflows of domain experts. Here is what frontier models will learn:
Instrumental cognition. Not just what experts know, but how they use knowledge as a tool to accomplish goals under uncertainty. The iterative reasoning loops that books and papers never capture.
Domain-specific judgment. The heuristics, the intuitions, the pattern recognition that experts develop over years of practice — compressed into billions of interactions observable through MCP connections.
Error recovery. How experts recognize when their initial approach is wrong and how they adjust. This is perhaps the most valuable signal of all: watching expertise navigate failure.
Multi-system coordination. How complex knowledge work actually flows across tools, data sources, and decision points. MCP-connected agents provide an unprecedented view of this.
Contextual appropriateness. What information matters in which situations. The signal filtering that distinguishes expert from novice isn’t about knowing more — it’s about knowing what’s relevant. MCP captures this judgment at scale.
The frontier model that is trained on years of enterprise cognitive workflow data will be qualitatively different from today’s models. Not just better at answering questions — better at working. The distinction is as significant as the difference between a person who has read extensively about surgery and a surgeon.
Part Seven: The Browser Data Dimension
The MCP Dev Summit featured talks on browser integration — MCP servers that give AI clients access to live web browsing on behalf of users.
This adds a dimension to the data question that deserves separate treatment.
Search engines have user behavioral data. Google built a trillion dollar business on understanding what people search for and what they click. But search behavior is intentional and structured — you type a query, you click a result.
Browser MCP integration captures something richer: the full cognitive workflow of information-seeking behavior. When a user asks Claude to research a complex topic and Claude navigates the web on their behalf via browser MCP, the model observes:
How experts navigate information landscapes
What sources they trust and why
How they triangulate across multiple sources
Where they pause, re-read, or backtrack
How they synthesize contradictory information
The full epistemic process of how humans learn and verify
This is behavioral data at a depth and richness that no previous data collection mechanism has achieved. It’s not what people searched — it’s how people think about information. The difference is enormous for training models to reason rather than merely retrieve.
Part Eight: The Governance Gap
At this point, you might reasonably ask: isn’t there regulatory protection here?
The honest answer is: not much, and not where it matters.
GDPR protects personal data — information that identifies individuals. MCP flows enterprise data about business processes, not personal data about individuals. GDPR’s framework doesn’t map cleanly onto enterprise workflow data.
CCPA protects California consumer data. Enterprise business process data isn’t consumer data.
The EU AI Act imposes requirements on high-risk AI systems and frontier models, including transparency obligations. But it doesn’t regulate what data flows through AI inference APIs or how derived patterns from that inference can be used for model improvement.
The regulatory gap isn’t accidental. Privacy law was built around a specific threat model: corporations collecting personal information about individuals without consent. It was built for Facebook’s ad targeting. It was built for Google’s search history tracking.
It was not built for a scenario where:
The data being captured is enterprise business process data, not personal data
The collection mechanism is an AI productivity tool, not a tracking pixel
The value being extracted is cognitive patterns, not demographic profiles
The entity extracting value is the AI model itself through inference, not a separate analytics system
MCP sits precisely in this regulatory gap. And the W3C — the standards body that governs web technologies with a public interest mandate — was not involved in MCP’s design or governance. The choice to route through the Linux Foundation rather than W3C is significant: the Linux Foundation governs code. W3C governs the web’s relationship with people. The distinction is the difference between technical governance and ethical governance.
W3C’s process would have required privacy impact assessments. Public comment periods. Civil society participation. The questions that would have been asked — what data is retained, how long, what counts as training versus inference improvement, what are enterprise rights to retroactive deletion — have no good answers that also serve the business model.
Part Nine: The Inevitable Adoption
Here is the most sobering part of this analysis: none of it will stop MCP adoption.
I know this because of Gmail.
Enterprise IT teams knew Google was reading their email. They understood the tradeoff. They adopted Gmail anyway because the productivity gains were immediate and measurable, while the data implications were abstract and future-tense. Nobody got fired for using Gmail.
The same logic applies to MCP. Claude is genuinely useful. The productivity gains from MCP-connected AI are measurable — Block reports 50-75% time savings on engineering tasks. Bloomberg adopted it company-wide. Amazon has MCP support in most internal tools.
These are real numbers. The data risk is real too, but it operates on a different time horizon. Productivity gains show up in the next sprint. Data policy changes show up years later, after the infrastructure is entrenched and the switching costs make exit painful.
This is the fundamental asymmetry that makes the pattern so durable:
Benefit: Immediate, measurable, attributable to the tool
Risk: Delayed, abstract, not attributable to any single decision
By the time the risk materializes — when Anthropic updates its enterprise terms to allow training on interaction data, or when the derived data question reaches regulatory attention — thousands of enterprises will have years of MCP integration embedded in their workflows. The switching cost will be enormous. The data will already be captured.
Part Ten: The Final Training Run
Let me be direct about what I believe is happening, with the caveat that the deliberate strategy framing is my interpretation, not proven fact.
Frontier models face a genuine crisis: the public internet data that powered the first wave of AI development is exhausted. Synthetic data has quality ceilings. The missing dataset — expert cognitive workflows in real enterprise contexts — has never been accessible.
MCP is the mechanism that makes it accessible. Whether by design or by emergent opportunity, it creates the data flow that fills the gap. Enterprises connect their internal systems. AI clients observe how experts work. The cognitive patterns of human professional expertise, across every domain simultaneously, flow for the first time into a form that can inform model training.
The current policy protects against direct training on raw enterprise data. It says nothing about:
Derived behavioral signals from inference
Aggregate patterns across millions of enterprise interactions
RLHF signals from interaction quality
Synthetic data generated to mirror enterprise interaction styles
What happens when policy changes after switching costs establish lock-in
SignalFire’s analysis from late 2025 put it plainly: “The next phase of model training is shifting from scraping to partnerships that look more like data licensing and infrastructure deals — not traditional API integrations.”
MCP is the infrastructure deal. Enterprises are the partners who don’t know they’re partners.
The frontier model trained on years of enterprise MCP interaction data will have something no model has had before: a map of how human expertise actually works. Not described expertise — observed expertise. Not documented workflows — live cognitive processes.
That model won’t just answer questions better. It will work better. It will reason like a domain expert because it has observed domain experts reason, at a scale and depth that no deliberate training data collection effort could achieve.
MCP is not a protocol. It is not an integration standard. It is not an agentic architecture.
It is the final training run.
Part Eleven: Where MCP Actually Belongs
Before I’m accused of being reflexively anti-MCP, let me be precise about where it genuinely earns its place.
MCP solves one real problem well: distribution to AI-native clients you don’t control.
If you’re building developer tools — a database, a CI/CD platform, a code intelligence system — and your users are already living inside Claude Code, Cursor, or Windsurf, then MCP is the right answer. You build your server once and it works across every MCP-compatible client without custom integration. That’s genuine value. That’s a real distribution problem solved elegantly.
For internal tooling inside your own controlled environment, where you own both the client and the server? You don’t need MCP. Call your API directly. It’s faster, cheaper in tokens, more reliable, and gives you complete control over what data flows where.
For exposing sensitive enterprise systems to frontier model APIs? That’s where this article lives.
The distinction matters because MCP’s legitimate use cases are real and meaningful. GitHub, Linear, Stripe, Vercel — developer tool companies whose users are literally inside AI IDEs — have good reasons to build MCP servers. The protocol serves them well.
The concern isn’t MCP as a technical standard. The concern is the normalization of connecting sensitive enterprise data to frontier model infrastructure without full appreciation of what that data relationship means over time.
MCP is a tool. Like most tools, it is neither inherently good nor bad. A hammer is appropriate for nails and dangerous near windows. The question isn’t whether to ever use MCP — it’s whether enterprises understand clearly which side of that line their specific integrations fall on.
Many don’t. And the conference I attended today wasn’t helping them figure it out.
What Enterprises Need to Reckon With
The five questions at the end of most responsible technology analyses are not enough here. The situation calls for a clearer reckoning.
First: The policy protection is narrower than legal and compliance teams assume. “We don’t train on your data” covers raw data explicitly used for model training. It does not, in any current policy language I have reviewed, cover derived behavioral signals from inference, RLHF signals from interaction quality, aggregate patterns across enterprise user populations, or synthetic data generated to mirror enterprise interaction styles. Enterprises should require explicit contractual clarity on derived data before connecting sensitive systems — and they should understand that current policy language does not provide it.
Second: The storage and training decisions are separated by design and by time. Data captured today under favorable terms is available when terms change. The September 2025 consumer policy shift — the move from opt-in to opt-out for individual users — establishes the incremental pattern. Enterprises should assume that any data flowing through frontier model infrastructure is retained, and that the question of whether it is ever used for training is governed by terms of service that can and do evolve.
Third: The derived data loophole is the real exposure. If your legal team is evaluating MCP integrations based on whether your raw data is used for training, they are evaluating the wrong thing. The cognitive patterns revealed by how your experts interact with enterprise systems through AI are the valuable signal. That signal is not “your data” under most privacy frameworks. It flows through inference and manifests in model improvement in ways that current legal frameworks were not designed to capture.
Fourth: The competitive implication deserves board-level attention. If the cognitive workflows of your domain experts — how your engineers debug, how your lawyers research, how your analysts model — become embedded in a general frontier model available to your competitors, what have you lost? This is not a hypothetical future risk. It is the logical endpoint of the mechanism that MCP enables at scale, regardless of current policy.
Conclusion: A Verdict
The pattern this article documents does not require bad actors to be consequential. Google’s email scanning and Facebook’s behavioral harvesting were not secret — they were disclosed in terms of service that users accepted without reading. The technology industry’s most significant data accumulations have generally been legal, often technically disclosed, and profoundly underappreciated by the people whose data was being accumulated.
MCP is a well-designed protocol that solves a real integration problem. The engineers building on it are largely working in good faith. The productivity gains are genuine. For developer tool companies distributing to AI-native IDE users, it is often exactly the right technical choice.
But the structural dynamics — a mechanism that makes enterprise cognitive workflow data flow through frontier model infrastructure, at a moment when that data is the missing training set for the next generation of AI, governed by policy that covers raw data but not derived signal, built on infrastructure that accumulates data before the question of its use is answered — these dynamics are not incidental. They are consequential regardless of any individual actor’s intentions.
The historians of this technology moment may well identify MCP as the mechanism that resolved the frontier model training data crisis — not through announced strategy, not through disclosed data licensing agreements, but through the deployment of a productivity tool that made enterprises enthusiastic participants in an infrastructure whose full implications they had not examined.
The Greeks built their horse with genuine craftsmanship. Troy’s mistake was not admiring the engineering. Troy’s mistake was bringing it inside the walls without understanding what the gift contained.
Enterprises are currently debating whether to bring the horse inside. The debate should be better informed than it currently is.
The author attended the MCP Dev Summit in New York City, April 2026. This article represents his analytical interpretation of publicly available information and research conducted during and after the event. The author holds no position in any AI company and has no financial interest in any outcome described. Claims about intent are explicitly distinguished from claims about mechanism throughout. The mechanism claims are documented. The intent claims are interpretive.
Sources and further reading:
Epoch AI: “Will we run out of data? Limits of LLM scaling based on human-generated data” — https://epoch.ai
SignalFire: “Why expert data is becoming the new fuel for AI models” — https://www.signalfire.com/blog/expert-data-is-new-fuel-for-ai-models
IBM Research: “Agentic workflows are meaningful not only for task execution but also for training the next generation of LLMs” — https://www.ibm.com/think/topics/agentic-workflows
TechTarget: “Anthropic’s new standard raises AI privacy, other concerns” — https://www.techtarget.com/searchenterpriseai/news/366616516/Anthropics-new-standard-raises-AI-privacy-other-concerns
Forgepoint Capital: “MCP: USB for AI or Trojan Horse for Security?” — https://forgepointcap.com/perspectives/margin-of-safety-9-mcp-usb-for-ai-or-trojan-horse-for-security/
Medium: “The MCP Privacy Gap: How Model Context Protocol Creates Hidden Data Threats” — https://medium.com/ai-insights-cobet/the-mcp-privacy-gap-how-model-context-protocol-creates-hidden-data-threats-aa802e1b3cf8
Bitdefender: “Anthropic Shifts Privacy Stance, Lets Users Share Data for AI Training” — https://www.bitdefender.com/en-us/blog/hotforsecurity/anthropic-shifts-privacy-stance-lets-users-share-data-for-ai-training
Nature (2024): “AI models collapse when trained on recursively generated data” — https://www.nature.com/articles/s41586-024-07566-y
CIO Magazine: “Why Model Context Protocol is suddenly on every executive agenda” — https://www.cio.com/article/4136548
O’Reilly Radar: “The Missing Layer in Agentic AI” — https://www.oreilly.com/radar/the-missing-layer-in-agentic-ai/
Salesforce Architects: “The Agentic Enterprise — IT Architecture for the AI-Powered Future” — https://architect.salesforce.com/fundamentals/agentic-enterprise-it-architecture
Medium: “MCP Hijacking: The Trojan Horse in Your AI Service Manifest” — https://medium.com/@instatunnel/mcp-hijacking-the-trojan-horse-in-your-ai-service-manifest

