Every Vendor Will Ship Their MCP
The connector race is over. Salesforce shipped one. Databricks shipped a gateway and called it the control plane. The control-plane race has begun — and every vendor is running it inside their own walls.
Salesforce moved Hosted MCP Servers to general availability in April. Databricks rebranded AI Gateway to Unity AI Gateway in the same month and described it, in their own words, as "the enterprise control plane that governs access and monitors activity across MCP servers and LLM endpoints." Salesforce now ships at least four distinct MCP servers — Hosted, Data 360, DX, and a Marketing Cloud variant. ServiceNow, Workday, and SAP will follow this year. The connector race that the industry has been racing toward is no longer the interesting question. That race is decided. What replaces it is the more consequential race nobody is naming clearly: every vendor is now claiming to be the control plane, inside their own walls.
This is the right move for each vendor in isolation and the wrong outcome for the enterprises that buy them.
The historical frame
This pattern is older than agentic AI. Every wave of enterprise infrastructure has produced a vendor-walled governance answer, and every wave has been followed by a cross-vendor layer that the original vendors did not build. CRMs governed CRM access. ERPs governed ERP access. Identity providers governed identity for the application they shipped with. Each was sufficient for its own surface and structurally incapable of governing across surfaces. The cross-vendor layer always emerged as a separate category, with a different buyer and a different architecture.
Single sign-on is the cleanest example. Each application of the 2000s shipped its own auth. Each was correct that it knew its users best. None of them solved the problem an enterprise actually had, which was that one human needed to access fifty applications and the access decisions needed to be coherent across them. Okta, Ping, and the IdP category exist because the application vendors could not build that layer — not because they were incompetent, but because they were the wrong layer to build it.
The same pattern is repeating now, at agentic speed. Each vendor's MCP server is correct about its own data and structurally incapable of governing across the data of others. The cross-vendor layer will emerge as a separate category. The only open questions are who builds it and how fast.
What changed in the last six months
Three things shifted, and together they make the in-the-walls strategy a dead end faster than vendors expect.
The first is composition. A single agentic transaction now routinely touches Salesforce, Snowflake, Workday, and an internal data lake before it completes. Each of those vendors has its own MCP, its own permission model, its own audit log. The enterprise has the action. None of the vendors has the action. The composition is where the governance question actually lives and no vendor in the chain can answer it alone.
The second is the vendor-control-plane claim itself. Databricks did not say "we govern Databricks." They said they govern the control plane. Salesforce did not say "we secure Salesforce." They said the MCP transactions run with platform-grade authorization, OAuth, FLS, sharing rules — the implicit claim being that this constitutes governance. Each claim is true for its surface and false for the enterprise that operates across surfaces. The semantic land grab is happening in real time and it has to be challenged in language, not just in architecture.
The third is the buyer awakening. CISOs and CDOs reading the Salesforce GA notes asked the obvious question — what happens when the agent acts across our Salesforce, our Databricks, and our ServiceNow in a single workflow? The vendors' answer is, in effect, each surface is governed inside its own walls. That answer satisfies nobody who actually owns the audit trail. The third-party DLP gateways already springing up around the Salesforce MCP — Strac and others — are the early signal that the market knows the gap exists. Point solutions for point problems. The real layer is still unbuilt.
Every vendor will ship their MCP. The question is who governs across them.
The principle: cross-vendor authority
The control plane the agentic era requires is not vendor-bound. It is the layer above the vendor MCPs, adjudicating across them, owned by the enterprise rather than by any single platform. Call it cross-vendor authority. It has three properties that distinguish it from the vendor-walled gateways shipping today.
First, it is buyer-aligned, not vendor-aligned. The CISO, the CDO, and the General Counsel sign off on it. The procurement contract sits in the enterprise's name, not inside one platform's seat license. The governance accountability lives with the enterprise because the regulatory accountability already lives with the enterprise.
Second, it is composition-aware. It treats the multi-vendor transaction as the unit of governance, not the per-vendor API call. A Salesforce-then-Databricks-then-ServiceNow workflow is one transaction with one composite confidence score, not three independent decisions made by three platforms that never talk.
Third, it is policy-portable. The same threshold the enterprise sets — for example, that PII writes by non-human principals require human-in-loop above confidence 0.8 — applies whether the underlying surface is Salesforce or Snowflake or a system that did not exist yesterday. The policy belongs to the enterprise. The vendor is the substrate.
What this means for buyers
The vendor MCPs are not threats. They are infrastructure. The buyer mistake is treating any of them as the governance answer when they are at best the governance witness. Salesforce Hosted MCP is excellent at being Salesforce's surface. Unity AI Gateway is excellent at governing Databricks-resident traffic. Neither was built to govern across the enterprise, and neither should be expected to. Pretending otherwise produces a portfolio of vendor-walled control planes that do not compose and a CISO with no defensible audit trail.
The procurement question shifts accordingly. The old question was "does this vendor have an MCP." The answer is now yes — for all of them, this year. The new question is "who owns the layer above the MCPs, and is the policy I set there enforceable against any vendor I add tomorrow." That layer is a separate product with a separate buyer.
The closing observation
Salesforce shipped. Databricks shipped. Every vendor that matters will ship within twelve months. None of these shipments solves the problem any enterprise running more than one of them actually has. The race the vendors are running is the wrong race for the buyers who pay them. The right race — for cross-vendor authority owned by the enterprise — is not yet visible in the analyst reports, and that is precisely why it is the race worth watching.
Every vendor will ship their MCP. The question is who governs across them.