Author: Ian Livingstone
November 20, 2025

Making MCP Production-Ready: Keycard acquires Runebook


Today, we’re excited to announce our acquisition of Runebook. Their team joins Keycard to accelerate our ecosystem of integrations and drop-in SDKs for building production-ready, trusted agents and tools powered by the Model Context Protocol (MCP). We’re thrilled to add Peter Cho and Matte Noble’s deep experience building beloved developer ecosystems at Heroku, Mezmo, and Sentry.


Agents are driving a massive change in the way we interact with software, by moving us from a world of static, human-driven, point and click interactions to one where agents make decisions autonomously and do work on our behalf. However, the capabilities of these agents are limited by the systems they can access and our willingness to trust them to take on work.


Until MCP launched in 2024, there was no standard way for an AI agent to discover tools, much less to use them. Since launch, it has stormed its way into the mindshare of every developer and company adopting copilots, assistants, and autonomous agents, becoming the de facto way for connecting agents with databases, internal services, SaaS APIs, and anything else they need to do their job.


The potential value unlock is so massive that the ecosystem around MCP has exploded. There are now tens of thousands of MCP servers, spanning everything from Postgres to Stripe, Slack, and internal knowledge bases with hundreds of MCP clients, including first-class implementations from AI leaders like Anthropic, OpenAI, Google DeepMind, and Microsoft.


But they’re not the only ones rushing to take advantage of MCP and realize the power of providing copilots and agents access to tools. Companies of all sizes are building MCP servers for their products and internal services so they can empower their customers and employees to adopt agent-native workflows.


While MCP had humble beginnings as a way for Claude to begin solving computer-use tasks, it’s beginning to unlock the future of contextual, agent-native applications through features like elicitation, introspection, and dynamic tool management. It’s creating a new, agent-native web the same way the browser, HTML, CSS, and JavaScript created the human one we know today.


A web where an agent can discover other agents and tools, owned by no one but accessible to everyone, all powered by a protocol designed to deeply integrate into the agentic loop, minimizing time to insight and maximizing accuracy.


The Production-Readiness and Trust Gap

While MCP has incredible promise and significant early adoption, it’s still incredibly difficult to build MCP-powered agents and tools that can be trusted in production.


Most MCP deployments today still assume:


  • The agent can reuse a human’s credentials or some shared secret.
  • The server is implemented correctly and won’t expose more than it should.
  • The organization will “figure out” audit, revocation, and policy later.
  • All actors involved in any agent interaction are good, well-intentioned, and trustworthy.

That’s a long list of assumptions for something that can delete databases, move money, change production config, or read sensitive data. We’re already starting to see company-damaging incidents in the wild and important research showing the growing trust problems that agents and MCP represent as a whole.


While many of these stem from the proliferation of early local MCP servers, there is a growing set of exploits from improperly protected remote MCP servers, such as the Asana incident from June 2025.


Many of these security challenges are a variation of known problems from the last generation of software that only become must-solve with the rise of non-deterministic, autonomous agents.


  • Supply Chain Security: Can you trust the MCP server? Who wrote it? Is it malicious or does it contain vulnerabilities? Does it have features that violate your security model?
  • Identity, Access, and Auditing: How do you control what an agent can do on your behalf? How do you ensure an agent can only access and perform actions that are aligned with the intent of the user and builder? How do you know what actions an agent performed, and why?
  • Data Poisoning & Exfiltration: Did a malicious actor modify the prompt? Can the agent access sensitive data and accidentally expose it? Could the results of a tool call poison the agent's context window?

So, companies are understandably cautious: pilots stay in sandboxes, agents are heavily restricted, and the productivity upside of agents remains theoretical instead of being realized in production. The promise is there, but the trust layer simply isn’t: it’s inadequate, painfully hard to build, or missing entirely.


These problems need to be solved urgently. MCP is being adopted faster than organizations can secure it, and we’re already seeing the agent-era version of shadow IT: internal MCP servers tied to critical systems, publicly exposed with no authentication.


Identity as the Foundational Pillar

At the root of the production-readiness gap lies the fundamental challenge: how we authenticate, authorize and audit interactions between users, agents, and tools.


  • Supply-chain attacks come down to knowing who authored or operates an MCP server, verifying you’re talking to the server you think you are, determining whether it’s malicious or overly permissive, and controlling what capabilities it exposes.
  • Identity, access, and audit gaps stem from identifying every party involved in an agentic workflow and giving each of them fine-grained control over what an agent can do on their behalf, against their resources, and under what conditions — with no blind spots.
  • Data poisoning and exfiltration attacks are a combination of input and output sanitization, preventing application-layer man-in-the-middle attacks by maintaining prompt and tool integrity, managing the tool-call and data-flow dependency graph and ensuring tool access is bound to the session and context window associated with the task at hand.

Our traditional identity and access systems were not designed for this new world of agents and the evolution of software from systems of record and commerce to systems of reasoning and action. They weren’t designed for multi-identity delegation chains or for agents that operate across company, network, and application boundaries.


Agents put the final nail in the firewall’s coffin. They require application-layer identity controls built for ephemeral, dynamic, high-throughput, low-latency workflows.


The Federated, Trust Fabric for the Agent-Native Era

Our mission is to empower developers to build trusted agents and tools—and to give security teams a fast, secure, and intuitive default that prevents uncontrolled agent sprawl while providing the governance and response capabilities this new era demands.


Our core technology gives agents their own identity and access model, solving a foundational pillar of agent security:


  • First-class identities for agents, tools, and applications. No more borrowed human credentials. We support federation with your existing OIDC and workload identity providers, along with best-in-class OAuth 2.1 and Client ID Metadata support.
  • Ephemeral, identity-bound tokens that encode the full delegation chain and task-scoped resource targeting, instead of long-lived secrets or static API keys.
  • Policy enforced at the edge, next to the tools and data they protect. No payloads ever pass through the Keycard network.
  • Expressive authorization, allowing complex relationships and conditional access in code or clicks.
  • Full audit lineage for every action: who delegated what, to which agent, using which tool, for which task, and under which policy.
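To make the token and audit model in the list above concrete, here is an added example that is not Keycard's code or SDK: a minimal model of an ephemeral token bound to one delegation chain (user, then agent, then tool) and one task, an authorization check at the tool boundary that combines the token's scope with an edge policy, and an audit record written for every decision, allow or deny. The HMAC signing scheme, the `POLICY` table, the principal names, and every function name are assumptions made for illustration.

```python
"""Added example: ephemeral, identity-bound delegation tokens with
task-scoped resource targeting, an edge policy check, and audit lineage.
Not Keycard's code; all names, the signing scheme and the policy are assumed."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed demo key. A real deployment would sign with a KMS-held or
# asymmetric key so that verifiers never hold the minting secret.
SIGNING_KEY = b"constructed-demo-signing-key"

# Assumed edge policy: what each tool identity may do, and on which resources.
POLICY = {
    "tool:orders-db": {"resource_prefix": "db://orders/", "actions": {"read"}},
    "tool:payments": {"resource_prefix": "pay://", "actions": {"read", "refund"}},
}

AUDIT_LOG: list[AuditRecord] = []


@dataclass
class AuditRecord:
    ts: float
    decision: str        # "allow" or "deny"
    reason: str
    chain: list          # full delegation lineage: user -> agent(s) -> tool
    task: str | None
    tool: str
    action: str
    resource: str


def _sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def mint_token(chain, task, resource, actions, ttl_s=300, now=None) -> str:
    """Mint a short-lived token bound to one delegation chain and one task.

    chain: ordered principals, e.g. ["user:alice", "agent:planner", "tool:orders-db"].
    The last element is the only tool the token may be presented to.
    """
    now = time.time() if now is None else now
    claims = {"chain": list(chain), "task": task, "resource": resource,
              "actions": sorted(actions), "iat": now, "exp": now + ttl_s}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body)}"


def parse_token(token: str):
    """Return the claims if the signature verifies, else None."""
    body, _, sig = token.rpartition(".")
    if not body or not hmac.compare_digest(sig, _sign(body)):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def _decide(claims, tool, action, resource, now):
    if claims is None:
        return "deny", "invalid signature or malformed token"
    if now >= claims["exp"]:
        return "deny", "token expired"
    if not claims["chain"] or claims["chain"][-1] != tool:
        return "deny", "token not bound to this tool"
    if action not in claims["actions"] or resource != claims["resource"]:
        return "deny", "request outside task scope"
    rule = POLICY.get(tool)
    if (rule is None or action not in rule["actions"]
            or not resource.startswith(rule["resource_prefix"])):
        return "deny", "denied by edge policy"
    return "allow", "ok"


def authorize(token, tool, action, resource, now=None) -> bool:
    """Check one tool call at the edge; append an audit record either way."""
    now = time.time() if now is None else now
    claims = parse_token(token)
    decision, reason = _decide(claims, tool, action, resource, now)
    AUDIT_LOG.append(AuditRecord(
        ts=now, decision=decision, reason=reason,
        chain=claims["chain"] if claims else [],
        task=claims["task"] if claims else None,
        tool=tool, action=action, resource=resource))
    return decision == "allow"


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = mint_token(["user:alice", "agent:planner", "tool:orders-db"],
                     "task-42", "db://orders/2025-11", ["read"], now=t0)
    print(authorize(tok, "tool:orders-db", "read", "db://orders/2025-11", now=t0 + 10))
    print(authorize(tok, "tool:orders-db", "delete", "db://orders/2025-11", now=t0 + 10))
    for rec in AUDIT_LOG:
        print(rec)
```

Two checks are deliberately separate: the token's own scope (which tool, which task, which resource, which actions, until when) and the edge policy that applies regardless of what a token claims. A request has to pass both, and the audit record carries the whole delegation chain and task id so the "who delegated what, to which agent, for which task" question can be answered from the log alone.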

With this core technology, we’re unlocking our customers' ability to adopt MCP without sacrificing trust:


  • Drop-in SDKs for building agents and tools powered by MCP
    You build the server or agent logic; we handle identity, permission checks, and audit trails. Teams are getting from their first MCP experiment to a full production application in hours. Use our detailed telemetry to discover bugs and understand policy decisions without needing to become an identity expert.
  • Safe adoption of third-party agents and tools
    Adopt any agent and provide it with tools from the growing universe of trusted MCP clients and servers without accepting their security model as-is. Keycard acts as the trust layer, enforcing policy, and recording all interactions independent of whether you built them or bought them.
  • Empower adoption across your organization
    Empower everyone in your organization to discover trusted MCP servers, install them, and govern which servers they’re able to use with a personalized MCP Registry for every user and agent, all driven by policy. Gain insight into which clients and servers are being used by whom with our detailed analytics and roll-up dashboards.
  • Detect malicious activity and revoke access in a single click
    Use our continuous audit log and telemetry export system to drive audit logs into your SIEM, generate insights, and build automated remediation workflows that can immediately revoke an agent’s access with a click of a button or a single API call.

The outcome is simple: teams can move from static, human-driven workflows to agent-driven, human-controlled ones, without blowing up their risk profile.


Bringing Runebook into the Fold

When we met the Runebook team, it was clear they deeply understood what it takes to make MCP accessible, easy to adopt, and production-ready. Their work on Tome - making it simple to plug in MCP servers without wrestling with config files, runtimes, or complex identity wiring - aligned directly with our mission.


Combined with their experience building first-class developer ecosystems at companies like Heroku, Mezmo, and Sentry, we knew they were the perfect team to bring into the fold to help us realize our vision of empowering the adoption and creation of truly autonomous and trusted agentic applications.


With them joining the team, they’ll help us:


  • Expand the breadth and depth of our drop-in SDKs for building trusted agents and tools.
  • Grow the ecosystem of tools and resources that can be governed and managed through Keycard.
  • Simplify adoption workflows, bringing their perspective at the intersection of models, tools, and agents to improve how Keycard integrates with the platforms developers already love.

What Comes Next

MCP is quickly becoming the backbone of agent-native applications, but it doesn’t solve for trust. Keycard gives agents, tools, and users a real identity and access layer, and Runebook expands our ability to meet developers where they’re at by giving them the tools they need to build best-in-class agents and tools without gambling on security.


Together, we’re making it possible for companies to embark on their agent-native transition. Our goal is simple when it comes to MCP: any server or client in your environment can be adopted, governed, and audited without compromises, with a developer-first experience that’s secure by default.


If you’re serious about putting MCP-powered agents into production, reach out to us at hello@keycard.ai or sign up for early access.


© 2025 Keycard Labs, Inc. All rights reserved.