The Record Nobody Specified

Something concrete changes in the next version of the protocol most AI agents talk through, and few people building on it have read the change.

The Model Context Protocol — MCP, the interface a growing share of agents use to reach tools and data — has a specification release landing July 28. One change is already finalized: SEP-2577. It deprecates three of the protocol’s older features — roots, sampling, and logging.

Deprecates, not removes. Nothing breaks that day. The features keep working; the spec marks them with a note that says stop building on these, they’re on their way out. A signal, not a demolition.

I’ve spent the last few months building agent systems against this protocol, so I read SEP-2577 when it landed. If you’re building on MCP and you haven’t, read it — but not for the reason you’d expect, because the change itself is the right call.

The SEP calls sampling — letting a server ask the client’s model to generate text — the most security-sensitive of the three: a path for prompt injection and data exfiltration. Deprecating it makes MCP safer, not weaker. Logging was an application-protocol channel doing a job that stderr and standard observability tooling already do better. Trimming both is disciplined protocol hygiene: fewer features, smaller attack surface, less to get wrong.

So this isn’t a complaint about the pruning. The pruning is fine.

It’s what the pruning throws into relief.

MCP specifies who an agent is authorized to be and what tools it’s allowed to reach. Read the spec and you’ll find careful work on identity and capability. What you won’t find is any record of what the agent actually did, under what authority, at the moment it ran. The protocol governs the doorway. It keeps no account of what walked through.

That gap predates this release. SEP-2577 just makes it easier to see. A release disciplined enough to delete features that aren’t earning their keep does not add the one that would answer the first question an operator asks after something goes wrong: what did it do, and was it allowed?

The evidence layer isn’t in the protocol, so it falls to each deployment to solve on its own — and the results vary enormously. Some teams build a real one. But with nothing in the spec to build toward, the default is whatever a given deployment improvises: a log line here, a database row there, a screenshot someone saved because they had a bad feeling. When an agent does something it shouldn’t have, that’s the trail you’re left reconstructing the event from — and it’s often thinner than the moment demands.

Agents are taking on more consequential work every month. The record of what they did, under whose authority, is still nobody’s job to keep.

If it’s become yours — if you’re the one who has to answer “what did it do, and was it allowed” — I want to hear how you’re handling it. Reach me at [email protected]; I’m comparing notes across deployments, because nothing in the spec hands it to you today.