Systems | Development | Analytics | API | Testing

The Model Context Protocol (MCP) is quickly becoming the standard for how large language models connect to enterprise data. As adoption accelerates, engineering teams face a foundational decision: build a custom MCP server from scratch, or adopt an AI data gateway that ships with MCP support, security, and governance out of the box. Both paths have real tradeoffs. This post breaks them down so you can make the right call for your stack, your team, and your risk profile.

Audit logs are essential for making AI systems accountable, reliable, and compliant with regulations. They act as a record-keeping system, documenting every critical interaction within an AI system, such as user prompts, model decisions, and policy enforcement. Here's why they are crucial: Audit logs are not just a legal requirement - they are a key part of managing AI systems effectively and minimizing risks.

APIs are transforming how AI interacts with enterprise data. Instead of directly connecting AI to databases like MySQL, PostgreSQL, or MongoDB - which can lead to security risks, schema complexities, and high maintenance - APIs act as a secure middle layer. This approach simplifies data access, reduces risks, and ensures seamless integration with multiple databases.

On March 31, Axios—the most widely used HTTP client in the JavaScript ecosystem, with approximately 100 million weekly npm downloads and a presence in roughly 80% of cloud environments—was compromised via a hijacked maintainer account. Two malicious versions (1.14.1 and 0.30.4) delivered a cross-platform remote access trojan (RAT) that harvested credentials, SSH keys, cloud tokens, and API secrets from every machine where they were installed.

On March 31, an attacker hijacked the npm account of Axios’s primary maintainer and published two malicious versions of the most popular HTTP client library in the JavaScript ecosystem. The backdoored packages—axios@1.14.1 and axios@0.30.4—injected a trojanized dependency that delivered cross-platform remote access trojans to macOS, Windows, and Linux machines within seconds of installation.

Between March 19 and March 31, five major open-source projects were compromised in rapid succession: Aqua Security’s Trivy vulnerability scanner, Checkmarx’s AST GitHub Actions, the LiteLLM AI proxy on PyPI, the Telnyx communications library, and Axios—the most downloaded HTTP client in the npm registry. Collectively, these projects serve hundreds of millions of installations across virtually every enterprise software environment on earth.

Observability is the key to understanding and improving MCP servers. These servers connect AI agents to tools, but without visibility, issues like slow responses, errors, or security risks can go undetected. Observability helps track how agents interact with tools, pinpoint failures, and optimize performance.

Before rolling out policy-driven APIs, it's crucial to have a governance framework in place. This framework should clearly outline who makes decisions, how approvals work, and how exceptions are handled. Interestingly, while 71% of organizations claim to have data governance programs, only 25% actually put them into practice. Even fewer - just 28% - have enterprise-wide oversight for AI governance roles and responsibilities.

DreamFactory 7.4.5 ships the aggregate_data MCP tool — a purpose-built tool that lets AI agents compute SUM, COUNT, AVG , MIN, and MAX directly on the database server in a single call. This release also adds Cursor IDE OAuth compatibility, a desktop OAuth success page for smoother onboarding, server-side aggregate expression support across all SQL connectors, and critical MCP daemon stability improvements including request timeout guards and global error handlers.

Both methods have their place, but identity passthrough is the go-to for modern, secure, and compliant data access.