A year after their initial security analysis, the authors revisit Model Context Protocol (MCP) implementations, noting its rapid evolution from experimentation to production use. MCP now enables models to act as software, introducing a critical trust boundary around tool interactions. Key changes in the latest release candidate include enhanced request inspection, tighter identity checks, and sandboxed interactive UI capabilities. However, the protocol itself does not enforce security, leaving implementation to users.The primary risks have shifted, with prompt injection and tool poisoning remaining significant threats. In this scenario, malicious instructions embedded in tool descriptions or outputs can hijack agent actions, leading to data exfiltration or unauthorized operations. Authorization and the confused deputy problem have seen significant rework, now aligning with OAuth 2.1 standards and audience-bound tokens to prevent servers from exploiting user privileges. Over-broad access and credential aggregation remain concerns, where a single compromised server with excessive permissions can lead to widespread breaches.Supply chain risks and "rug pulls" are increasingly prevalent, as compromised dependencies or unexpected server changes can introduce vulnerabilities. Unregistered "shadow MCP" implementations also pose a governance challenge, as unseen servers cannot be secured or patched. Command injection and sandbox escape are still a concern for locally run servers that process unsanitized input, potentially allowing arbitrary code execution. Enterprises must adopt deliberate adoption strategies, focusing on server inventory, identity and policy enforcement, and continuous monitoring.Validating current documentation and SDKs, and contributing practical hardening examples, are crucial steps for organizations. The authors encourage community contribution to MCP's security features and RFCs. Future discussions will delve into practical implementation guides for these security controls.