Anthropic shipped Constitutional MCP on March 25. Most coverage called it a security patch. It's not.
Safety moved from the application layer into the protocol and runtime itself. Cryptographic message signing. Explicit trust manifests. Zero-trust tool execution at the agent level, not the app level.
That's progress. But there are two second-order effects that most coverage misses.
Ecosystem fracture is coming
Strict manifests increase developer friction. That's a mechanical effect, not a complaint. When friction goes up, adoption splits.
The pattern has played out before: HTTPS (~2015 at scale), iOS code signing, OAuth 2.0. Each time a more secure-but-harder path arrived, it coexisted with the old path for years. The fast path stayed alive in the long tail. The secure path got adopted by enterprise.
With Constitutional MCP, "classic" (unsigned) implementations don't disappear. They become the wild-west long tail — still running, still used by the majority of hobby and small-team deployments, still exploitable. The constitutional tier becomes the enterprise standard. The two worlds stop interoperating cleanly.
Anthropic's spec is still young. The tooling around manifest generation is rough as of late March 2026. If first-class developer ergonomics don't ship in the next 60 days, the bifurcation calcifies.
The disintermediation nobody's announcing
Third-party "agent firewall" services were a growing category. The pitch: sit between your orchestration layer and your tool calls, flag anomalous behavior, enforce access control. Reasonable value proposition when the underlying protocol was trust-naïve.
When trust is baked cryptographically into the protocol, that value proposition collapses. Not gradually — immediately, for any team running a fully constitutional stack.
Three of the four vendors I track in this category listed "protocol-agnostic" as a selling point in their March 2026 positioning. That's now a liability, not a feature.
My prior was wrong by 12 months
I expected security to stay at the application layer for 18+ more months. The MCP vulnerability crisis accelerated the timeline.
The bear case worth steelmanning: if Constitutional MCP becomes the de facto enterprise standard, it centralizes execution trust around one vendor. The intelligence is open — Qwen-3 Max matches Opus 4.6, Llama 4 is competitive. The execution gatekeeping may not be.
That's worth watching.