The architectural argument here is spot on. MCP was designed for local tool-calling, not for a world where agents discover and connect to remote servers autonomously.

The missing layer is verified discovery -- how does an agent know which MCP servers to trust before it ever calls a tool? Right now that trust chain is implicit (human picked the server) but agentic workflows break that assumption entirely.

KubeCon has an Agentics Day on Sunday tackling exactly this gap.