Skip to content

MONGODB 2026-05-11

Read original ↗

MongoDB — Fighting Tool Sprawl: The Case for AI Tool Registries

Summary

A 2026-05-11 MongoDB Engineering / Technical blog opinion piece arguing that every enterprise running AI agents at any non-trivial scale needs its own internal tool registry — and that the absence of one is the structural cause of three compounding costs: duplicated engineering effort across teams, security exposure from ungoverned tool surfaces, and operational opacity when something breaks. The post explicitly rules out a public package-manager-style registry (npm / PyPI / Maven analog) for AI tools as "premature standardization in a fast-moving, nascent space" and instead frames the registry as organisation-internal infrastructure scoped to one company's regulatory environment, security posture, and operational conventions. The argument's structure: a tool-sprawl failure mode that the software industry already solved once (with package managers for shared code) reappears in the agent era at the application layer; the registry is not itself a governance layer but is the structural precondition that makes governance possible — "a registry does not make tools inherently secure; rather, it makes security work possible by ensuring tools exist not as transitory, ad hoc shims, but rather as inventoried artifacts that audits and policy can attach to." The post catalogs two pillars of value (reducing coordination cost; enabling risk management) and enumerates four registry functions: (1) discovery with hierarchical grouping by functional domain so humans and agents can find existing tools before writing new ones; (2) versioning so when agent behavior changes, "why did it change?" (model? tool prompt update? underlying API change?) is a diff comparison rather than a manual investigation; (3) certification metadata — security-approval, API-contract validation, PII-handling-check status surfaced as metadata at adoption time, with the actual review work performed externally by the security organisation through its existing tooling; (4) access control delegated to a separate policy layer that reads from the registry, enforcing authorization scoped to agent identity, team, environment, and action type. Two industry-data signals frame the urgency: McKinsey reports that in most large organisations agent tools are "built by individual teams in an ad hoc fashion: undocumented, ungoverned, and invisible to the rest of the organization;" Gravitee's State of AI Agent Security 2026 survey found only 14.4% of teams with agents past planning have full security approval, 88% of organisations had an agent-related security incident this year, and only 22% treat agents as independent identities. The post explicitly cites Kong's enterprise MCP Registry launch (February 2026) as a market signal that the same pattern is being externalised by infrastructure vendors. The architectural framing is Internal Developer Portal (IDP) one layer up: "Think of it as an Internal Developer Portal (IDP) built for the agent era, solving the same coordination problem that IDPs solved for service teams, but one layer up." — explicitly positioning the AI tool registry as a structural sibling of Backstage-style service catalogs. The post's ending claim is direct: "coordination problems do not resolve themselves at the application layer. They compound there." This is not an architecture-of-MongoDB's-own-tool-registry post — MongoDB does not disclose any internal tool-registry implementation or product offering; the article is a position-piece in MongoDB's Designing an Agentic Platform series advocating tool registries as one component of a broader agentic-platform infrastructure stack alongside memory, orchestration, state, and observability.

Key takeaways

  1. Tool sprawl is the predictable application-layer outcome of treating an infrastructure problem as a discipline problem. "Fragmented tool development is not a consequence of poor engineering practice. Rather, it is the predictable outcome of asking teams to solve an infrastructure problem at the application layer." The historical analog: pre-package-manager era, every team rebuilt utility libraries from scratch; the centralised-registry pattern (npm, PyPI, Maven) didn't work because individual teams got more disciplined — it worked because the problem moved from application-layer-decision to infrastructure-layer-default. Same pattern now applies to AI agent tools at the enterprise scale. Canonical wiki instance of concepts/tool-sprawl — the named structural failure mode that motivates the patterns/enterprise-ai-tool-registry pattern (Source).

  2. Centralization is a precondition for security, not a security solution. "A registry does not make tools inherently secure; rather, it makes security work possible by ensuring tools exist not as transitory, ad hoc shims, but rather as inventoried artifacts that audits and policy can attach to." The post is careful not to overclaim: public package managers still suffer from typosquatting, malicious packages, and dependency confusion — "centralization alone is not a security solution". But: "decentralization forfeits the means to coordinate it." Security teams cannot review what they cannot discover; without a registry, discovery is "manual, incomplete, and stale". The registry's contribution is making security-team work tractable, not making tools intrinsically secure. Canonical wiki instance of concepts/registry-as-governance-precondition — the architectural argument that an inventory primitive is upstream of any policy-layer enforcement (Source).

  3. The default posture of allow-by-default scales the attack surface with adoption. "AgilityFeat's analysis of enterprise AI guardrails identifies the structural risk this creates, since an architecture not built on deny-by-default increases risk and creates upkeep costs. Allow-by-default, replicated across dozens of independent agent deployments, produces an attack surface that scales with adoption." The structural property: in an allow-by-default world, every new agent deployment adds to the surface that security must monitor — the cost of new agents is super-linear because each one's policy is independent. Inverting this requires a coordination point"a shared, organization-wide context" — i.e. the registry. "A guardrail that references a tool the security team has never heard of cannot be written in the first place." Canonical wiki instance of concepts/deny-by-default-tool-policy (Source).

  4. The registry is the inventory; the policy layer is separate. "The registry itself isn't a governance layer, but it is what makes governance possible." The post explicitly separates two concerns: registry = inventory + metadata vs policy = enforcement against that inventory. Frontegg's framework for AI agent governance — referenced as "agent actions mapped to explicit, granular guardrails that define the operational boundaries" — is the policy layer. "These guardrails live outside the registry, but they depend on it." This separation matters: it lets the registry be a relatively simple write-mostly-once, read-heavy inventory while the policy layer can be re-implemented or swapped (Frontegg, Open Policy Agent, custom) without touching the registry. Certification metadata is the bridge: the registry surfaces "security approval, API contract validation, PII handling checks" as metadata at adoption-decision time, but "the actual review work happens through the security organization's existing tooling. The registry's contribution is making the result of that review visible at the moment a team is deciding whether to adopt a tool, ensuring the review actually informs the decision it was meant to inform." Canonical wiki instance of concepts/certification-as-metadata-not-enforcement (Source).

  5. The registry has four functions; only two are core. "A mature enterprise tool registry has two core functions, discovery and versioning, and serves as the foundation for two others: certification metadata and access control." The hierarchy is load-bearing: discovery + versioning are properties the registry must implement directly because they describe what's in the inventory; certification metadata is data the registry holds but doesn't compute (security organisation does the review and writes the verdict back); access control is enforcement the registry doesn't perform (a separate policy layer reads from the registry to know what tools exist and who owns them). The result: a clean four-function shape with a clean separation between "what we know" (registry-owned) and "what's allowed" (policy-layer-owned). Canonical wiki instance of the four-function shape captured by patterns/enterprise-ai-tool-registry (Source).

  6. Discovery requires hierarchical grouping by functional domain — flat lists don't work. "A well-designed catalog goes further than a flat list: tools should be grouped hierarchically by functional domain so that both humans and agents can find relevant capabilities quickly." Two consequences: (a) the hierarchy is functional-domain-driven, not team-driven — i.e. "customer-data-access tools" not "the team-X registry". (b) The hierarchy must serve both humans and agents as discovery clients; the same data model has to render in a UI for marketers / engineers / security reviewers and via an API for AI agents to query at decision time. This is the same dual-surface property that Pinterest's MCP registry surfaces (web UI for humans, API for AI clients) — a structural sibling of the AI-tool-registry pattern at the MCP-server granularity (Source).

  7. Versioning closes a gap that neither discovery nor access control addresses: change attribution. "When agent behavior changes, why did it change? A tool registry that tracks versions gives enterprises the visibility to answer that question. Was it the model? A tool prompt update? An underlying API change? Without proper versioning, finding the answer goes from a simple diff comparison to a time-consuming, manual investigation." The structural insight: agent behavior is a composite of model + tools + prompt, and any of the three can change. Without per-tool version history, debugging a behavior regression requires reconstructing the full input-state of every tool the agent used at the time of the regression — manually. With versioning, it's a diff. This makes the registry a forensics substrate in addition to a discovery + governance substrate (Source).

  8. The MCP registry is a structural sibling, not the same thing. Although the MongoDB post is about AI tool registries generically, it explicitly references Kong's enterprise MCP Registry launch (February 2026) as evidence the pattern is being market-validated. MCP standardises a particular tool-call protocol (LLM ↔ MCP server); an MCP registry catalogs the MCP-compliant servers an organisation has approved (canonicalised at Pinterest in concepts/mcp-registry). An AI tool registry in this post's framing is the broader category — it would catalog any tool an agent can call, MCP-compliant or not (REST APIs, internal RPC services, code-execution sandboxes, data accessors). The two patterns share the four-function shape but differ in protocol scope (Source).

  9. The Internal Developer Portal (IDP) parallel is structural, not metaphorical. "Think of it as an Internal Developer Portal (IDP) built for the agent era, solving the same coordination problem that IDPs solved for service teams, but one layer up." The IDP era's lesson — that organisations with N services need a service catalog (ownership, version, dependencies, runbooks, on-call) regardless of how disciplined teams are — is presented as direct precedent for the AI-tool-registry pattern. The "one layer up" phrase is precise: IDPs catalog services that humans operate; AI tool registries catalog tools that agents call. Backstage is the canonical IDP wiki instance; the post implicitly positions the agent-era equivalent as a Backstage-like substrate one abstraction level higher. Canonical wiki instance of patterns/idp-extended-to-ai-agent-tools (Source).

  10. The cost of inaction compounds; this is the post's closing claim. "For platform engineering teams, the trajectory is clear. Agent adoption is increasing, tool duplication is increasing with it, and the shims that worked at small scale will not hold as the number of agents and tools grows. The security exposure documented in the Gravitee survey will widen, not narrow, without structural intervention." And: "Those that defer will rediscover, the hard way, what platform teams learned a decade ago: coordination problems do not resolve themselves at the application layer. They compound there." The argument is path-dependence: the cost of building a registry now is bounded by the current tool count; the cost of building one later grows with adoption because every team has implemented its own ad-hoc shim that needs to be migrated. This is the same argument that motivated centralised package managers in the language-runtime era — and the same payoff structure (Source).

Architectural numbers + operational notes (from source)

  • Industry data points cited:
  • McKinsey (cited via QuantumBlack analysis): in most large organisations, AI-agent tools are "built by individual teams in an ad hoc fashion: undocumented, ungoverned, and invisible to the rest of the organization."
  • Gravitee State of AI Agent Security 2026 survey: 14.4% of teams with agents past planning have full security approval; 88% of organisations had an agent-related security incident this year; 22% treat agents as independent identities (i.e. 78% still share API keys across agents — "endemic" shared-API-key posture).
  • Market signal: Kong launched an enterprise MCP Registry in February 2026, "explicitly call[ing] out the problems of manual MCP configuration, hardcoded and managed tool isolation across teams, fragmented integrations, and limited organization visibility."
  • Four registry functions (verbatim list): discovery (with hierarchical grouping by functional domain) + versioning (with version history + ownership metadata + usage metrics) + certification metadata (surfaced, not enforced) + access control (delegated to a separate policy layer).
  • Two pillars of value: reducing coordination cost (preventing duplication via discovery + reuse) + enabling risk management (security teams can review what they can discover; policy layer can enforce against the inventory).
  • Anti-prescription: the post explicitly does not advocate a public package-manager-style AI-tool registry — "this is not an argument for a public package manager, something like npm, PyPI, or Maven … Trying to expand the scope beyond the confines of individual organizations would be premature standardization in a fast-moving, nascent space."
  • No MongoDB-internal product or implementation is disclosed in this post. MongoDB references the Designing an Agentic Platform series for architectural treatment of memory + orchestration + state + observability as the components a tool registry sits alongside.

Systems extracted

Extended (cross-link added):

  • systems/model-context-protocol — adds MongoDB's positioning of tool registries as a broader category that subsumes the MCP registry pattern, plus the citation of Kong's February 2026 MCP Registry launch as market validation. The MCP registry shape (catalog of approved MCP servers) is canonicalised at Pinterest; the AI tool registry shape extends the same four-function pattern to tools regardless of protocol.
  • systems/backstage — adds the explicit IDP-extended-to-agent-tools framing: the AI tool registry is Backstage "one layer up" — services-cataloged-for-humans → tools-cataloged-for-agents. Reinforces Backstage as the canonical wiki instance of the IDP pattern that the AI-tool-registry pattern structurally extends.

Concepts extracted

New wiki pages:

  • concepts/tool-sprawl — the named application-layer failure mode of unmanaged AI agent tooling: tools built ad-hoc by individual teams, undocumented, ungoverned, invisible cross-team. The structural precursor to the patterns/enterprise-ai-tool-registry pattern. Distinct from concepts/coding-agent-sprawl (which is about the clients — Cursor / Claude Code / Codex CLI) by being about the tools the agents call.
  • concepts/deny-by-default-tool-policy — the architectural posture that an agent's tools should be denied by default, allowed by exception — vs the empirically common allow-by-default posture in early agent deployments. The post's argument: allow-by-default scales the attack surface with adoption; deny-by-default requires a coordination point (the registry) but bounds the surface.
  • concepts/registry-as-governance-precondition — the architectural argument that an inventory primitive is upstream of any policy-layer enforcement: a guardrail can only reference tools the security team knows about; a policy can only enforce against an enumerated set. The registry doesn't do governance, but governance requires the registry.
  • concepts/certification-as-metadata-not-enforcement — the design property that certification status (security-approval, contract-validation, PII-handling-check) is surfaced as metadata at adoption-decision time rather than enforced as a registry-side gate. The actual review work happens externally; the registry's contribution is visibility at the right moment.

Extended (cross-link added):

  • concepts/mcp-registry — adds the framing that the MCP registry is a protocol-scoped instance of the broader AI-tool-registry pattern argued for in this post. Both share the four-function shape (discovery + versioning + certification metadata + access control); the AI tool registry generalises beyond MCP-compliant servers to any tool an agent can call.
  • concepts/coding-agent-sprawl — adds the client-vs-tool distinction: coding-agent sprawl is about parallel agent clients (Cursor, Claude Code, Codex); tool sprawl is about the tools those clients call. Both motivate centralised governance, but at different layers.
  • concepts/centralized-ai-governance — adds tool-registry as the inventory substrate that the centralised-AI-governance pillars (security/audit, cost, observability) operate against. Reinforces the inventory-vs-policy split.

Patterns extracted

New wiki pages:

  • patterns/enterprise-ai-tool-registry — the canonical pattern: an organisation-internal catalog of AI agent tools with four functions (discovery + versioning + certification metadata + access control), structurally separated from the policy-enforcement layer that reads from it. The pattern's contribution is making security-team work tractable + making policy-layer enforcement possible by providing the inventory.
  • patterns/idp-extended-to-ai-agent-tools — the framing pattern: take the Internal Developer Portal shape that catalogs human-operated services and extend it "one layer up" to catalog the tools agents call. The pattern is structural — same four functions (discovery + version metadata + ownership + dependency tracking) — but the consumers are agents (via API) and humans (via UI), and the cataloged entities are tools rather than services.

Caveats / gaps

  • Position-piece, not architecture-of-an-implementation post. MongoDB does not disclose any internal AI-tool-registry implementation, design, or product offering. The post is "the case for" — it argues the pattern should exist; it does not document one in production. Concrete in-production instances are referenced externally (Kong's MCP Registry, Pinterest's internal MCP registry via concepts/mcp-registry, Frontegg's policy-layer framework).
  • Industry-data citations are second-hand. The 14.4% / 88% / 22% numbers are from Gravitee's State of AI Agent Security 2026 survey; the McKinsey ad-hoc-tooling characterisation is via QuantumBlack analysis. The post does not provide MongoDB-internal data on tool sprawl or registry adoption.
  • The "two pillars" + "four functions" framing is the post's contribution. This is a coherent architectural framing that subsequent posts in the Designing an Agentic Platform series can build on, but it is presented as MongoDB's analytical framing of the problem, not as a derived-from-empirical-study taxonomy.
  • Anti-product-launch. The post is not announcing a MongoDB tool registry product. The Next Steps section points to the Designing an Agentic Platform series for architectural treatment of memory + orchestration + state + observability as adjacent components — implying tool registries are one of many components, none of which are positioned as MongoDB-product-specific in this post.
  • Allow-by-default vs deny-by-default treatment is brief. The post cites AgilityFeat's analysis but doesn't explore the deny-by-default architecture in depth (e.g. how to handle the bootstrapping problem of "the first time an agent needs a new tool"); this is captured in concepts/deny-by-default-tool-policy as a known open question.
  • The IDP-one-layer-up phrase is positional shorthand. The structural sibling-ship between an AI tool registry and an IDP is real (same four functions, same dual-consumer-surface property), but the phrase elides the fact that AI tool registries face new problems IDPs didn't (per-agent-identity authorization at machine speed, agent-readable schema discovery, runtime certification-status checks during a tool call) — captured in patterns/idp-extended-to-ai-agent-tools as an explicit list of differences.

Source

Last updated · 542 distilled / 1,571 read