Control Plane Defines MCP Value
Wade Foster, co-founder & CEO of Zapier, on AI agent orchestration
Security is the wedge that turns MCP from an open protocol into an enterprise product category. MCP gives agents a standard way to call tools, but it does not decide which agent can touch which customer’s Salesforce, which fields it can read, or whether it can write back into production systems. Zapier is using its old core strength, permissioned workflow automation across thousands of apps, to solve that control layer instead of just exposing raw tools.
-
The practical problem is tenancy and authorization. Once an agent can talk to many systems, the risk is not just bad answers, it is the wrong agent pulling the wrong company’s data or taking actions in the wrong account. Ampersand frames this as a missing layer above MCP, alongside consent, governance, retries, and schema mapping.
-
Zapier’s advantage is packaging. Instead of asking a company to wire dozens of separate MCP servers and then build its own policy layer, Zapier exposes thousands of app actions under one roof and lets admins turn specific apps, actions, and endpoints on or off. That is much closer to how enterprises already buy automation software.
-
This also explains why MCP is more complement than threat to Zapier. Protocols standardize connectivity, but they usually make orchestration vendors more valuable because someone still has to handle long tail integrations, human approvals, and reliable step by step execution. Zapier already built that business in the API era and is extending it into the agent era.
The next phase is a stack split. MCP will remain the common language for tool calling, while value concentrates in the control plane that decides identity, permissions, observability, and safe execution. That favors platforms like Zapier that already sit between many apps and already know how to make fine grained access rules usable for non developers and enterprise admins.