The MCP ecosystem is fragmenting faster than most platform teams can track.
The MCP ecosystem is fragmenting faster than most platform teams can track. This week's data reveals a critical shift: developers are standardizing on a small set of high-utility servers—GitHub, OpenAI, Figma, Anthropic Claude—but they're running them across four different AI coding environments (Claude Code, Cursor, Windsurf, GitHub Copilot). That means your allowlist policy isn't just about which servers you approve; it's about ensuring they work identically wherever your team uses them. One new server this week underscores exactly that challenge.
We added one new risk-classified server to the catalog:
threadctx-mcp — A shared memory server for AI coding agents. The governance signal here is straightforward: threadctx-mcp runs identically in Claude Code and Cursor without config drift. If your team uses both IDEs (and most do), this is a candidate for your core allowlist. No authentication, no external data connectors, minimal supply-chain risk. The decision tree: Does your team need persistent conversation state across coding sessions? If yes, test in a pilot group before rolling out. If no, block it to reduce agent complexity.
The catalog now holds 74 risk-classified servers—all free tier, zero paid MCP dependencies emerging this week. That's a quiet win for cost transparency, but the real governance challenge isn't cost; it's velocity. Your developers see these servers in the marketplace and ask to use them. Your allowlist either keeps pace or becomes a friction point that drives shadow MCP adoption.
Five servers dominated developer attention this week:
All five are high-signal, high-touch. None should be allowlisted without a risk review specific to your org's auth model, data classification, and audit posture.
Here's the hard truth: most platform teams have an allowlist for one AI coding environment and assume it applies everywhere. It doesn't. Cursor reads from one config file. Claude Code reads from another. GitHub Copilot doesn't read allowlists at all—it respects org-level policy, but that's coarse-grained. Windsurf has its own model. Result: developers end up running different MCP stacks on different machines, and your central audit log has blind spots.
Start here: inventory which MCP servers are actually running across your four main IDEs this week. Don't assume you know. Use machine-level telemetry if you have it, or run a voluntary audit sweep. Then pick your five highest-leverage servers (GitHub, Anthropic Claude, OpenAI is a safe trio) and enforce the same risk classification across all four IDEs. Document the exceptions. Use TokenShield to build a live spend ledger by IDE and server, so when someone asks "why is our Claude spend up 40%?" you can trace it to a specific server and a specific cohort of developers.
The teams winning at this aren't trying to block everything; they're winning by knowing what's running and keeping the allowlist synchronized. That's governance at scale.
Govern MCP usage across your team with CuratedMCP — or scan your own stack free at https://www.curatedmcp.com/auditor.
Explore the full MCP catalog
Discover, compare, and install verified MCP servers