
MCP (Model Context Protocol) for MENA enterprise AI — what to build with it in 2026

What MCP actually is — in one paragraph

The Model Context Protocol is a JSON-RPC 2.0 protocol [2] that lets a model (the client) call tools, read resources, and use prompts exposed by an MCP server [5]. The server can run locally over stdio or remotely over Streamable HTTP (which can use SSE as one of two response modes) [6]. Anthropic published the spec and reference SDKs in November 2024 [1], and the open ecosystem has since produced servers for filesystems, GitHub, Slack, Postgres, and hundreds of community servers [7]. The shift it represents is structural — before MCP, every model integration was a bespoke function-calling schema written for one model, one tool, one vendor. After MCP, the same server is consumable by Claude, by an agent framework, by Cursor, by an internal enterprise client, without rewriting the integration. See /glossary/mcp-model-context-protocol for the strict definition and /glossary/function-calling and /glossary/tool-use for the prior art it generalizes.

Why this matters specifically in MENA

A Saudi or Emirati bank cannot rely on the same density of mature integration providers a US peer can. The local data systems — Mada [8], SARIE [9], SADAD [10], Etimad [11], Absher [12], Nafath [13], Tabadul, and the ZATCA e-invoicing endpoint — were never wrapped in OpenAI function-calling schemas. MCP changes the economics. An in-house team at a SAMA-regulated bank [3] can build an MCP server that exposes the bank’s own AML case management, OFAC SDN list lookup, and KYC document store, and then any model — Claude, an in-Kingdom ALLaM deployment [14], a deployment of a Karnak fine-tune [15] — can use that server. The protocol is the same regardless of which model the bank’s posture allows it to deploy this quarter. That portability across models is the structural unlock for sovereign-AI buyers who cannot commit to any one model vendor for more than a procurement cycle.

Four MENA workloads where MCP earns its keep

I’ll name the four where the math actually works in 2026 — the workloads where a well-designed MCP server collapses bespoke integration work into a single server contract.

1. Banking AML and sanctions screening

A SAMA-regulated bank [3] running an AML team has roughly six data systems an analyst touches per case: the OFAC SDN list, the EU consolidated sanctions list, the UN consolidated list, the bank’s internal case management, the ZATCA e-invoicing endpoint to verify counterparty VAT numbers, and the KYC document store. An MCP server exposing these as tools — screen_sanctions(name, dob), lookup_zatca_invoice(invoice_number), fetch_case(case_id), attach_evidence(case_id, doc) — gives the AML co-pilot one server contract instead of six bespoke integrations. The server is owned by the bank’s AML engineering team. The model that calls it can be swapped (Claude this quarter, an in-Kingdom deployment of a Karnak fine-tune [15] next quarter) without touching the server. See /personas/ksa-bank-aml-ops-lead for the persona running this workload.

2. Hospital imaging and clinical decision support

A KSA quaternary hospital using AI on radiology workflows needs the model to do three things in the same session — query the PACS for the prior study, look up the FHIR resource for the patient’s medication history, and reach the ICD-10-AM coding API to suggest a diagnosis code on the report. Before MCP, this was three separate integrations with three different auth flows. With MCP, it is one server exposing pacs_query, fhir_resource_get, icd10am_lookup, and formulary_search — and the model invokes them as tool calls in a single agentic trajectory. The server owns the auth and the audit trail; the model owns the reasoning. See /personas/ksa-quaternary-hospital-imaging-ai-lead.

3. Government services and procurement

A ministry building an internal assistant for procurement officers needs Etimad tender lookup [11], Nafath identity verification [13], Absher service status [12], and ZATCA tax filing read-access. Each of these has a Saudi-specific API. An MCP server exposed inside the ministry’s sovereign environment — running on STC Cloud or a government data center, not on AWS — lets any model the ministry licenses (today or two years from today) use these systems through one contract. The structural point: sovereign-AI buyers cannot commit to a single model vendor, but they can commit to a protocol. MCP gives them a protocol they can stand behind.

4. Sovereign FM lab tooling

This is the use case closest to Annota8’s daily reality. A sovereign foundation-model lab — the team training ALLaM [14], the team training Karnak [15], the team behind Fanar [16] — has a stack of internal tools the training engineer touches every hour: inference endpoints for the current checkpoint, a dialect-stratified eval set retrieval system, a golden-batch lookup, an annotation-task launcher, a metric dashboard. An internal MCP server exposing those tools means the training engineer’s agentic loop (“rerun the Hejazi eval on checkpoint 2400, then queue 500 new fix-it tasks for any sample with a score below 0.7”) can be expressed as natural language to a model that talks to the MCP server. See /solutions/foundation-models, /resources/foundation-models/allam, /resources/foundation-models/karnak, and /personas/mena-fm-lab-training-data-lead.

Integration patterns that survive procurement

Three patterns are worth knowing — and one anti-pattern.

Pattern A — Claude Desktop plus custom MCP servers. Useful for executive prototyping. An analyst at a Saudi bank installs Claude Desktop, drops in an MCP server config pointing at an internal sanctions-screening tool over a VPN, and starts running ad-hoc AML queries. This is the lowest-friction way to demonstrate value to a procurement committee. It is not a production architecture — it is a forcing function for the conversation.

Pattern B — Agents as MCP clients. A production deployment looks different. The model runs inside an agent framework (LangGraph, an internal orchestrator, or a custom loop). The agent is the MCP client. The server runs in the customer’s sovereign environment exposing the bank or ministry tools. This is the pattern that ends up signed in a real contract because the customer’s CISO can audit the server logs, the auth flow, and the rate limits — three things Claude Desktop hides. See /platform/ai-assistant for how an enterprise-grade assistant layer wraps this.

Pattern C — Multi-MCP orchestration. A single agent talks to several MCP servers in one trajectory — an internal banking server, a public OFAC server, an internal HR server. The orchestration is at the agent level, not the protocol. This is the multi-agent system pattern adapted to MCP, and it works well for cross-functional workflows where no single team owns all the data.

Anti-pattern — wrapping the LLM as an MCP server. Some vendors are exposing their hosted LLM as an “MCP-compatible service.” This is a misuse of the protocol — MCP is for tools and data, not for the model itself. If a vendor pitches this in a procurement, ask exactly which tools their server exposes; the answer will usually be “none, just the model.”

What MCP does not solve

This is the part the protocol’s own documentation does not emphasize and that MENA enterprise buyers should hear from an operator.

Data residency. MCP is a protocol, not an architecture. A US-vendor SaaS MCP server hosted in the US is still subject to the US CLOUD Act [17] regardless of whether your model client is in Riyadh. The server’s deployment environment is what determines residency — see our piece on this at /blog/in-kingdom-vs-sovereign-data-residency-myths. For Gulf government and regulated-industry workloads, the MCP server must run inside the sovereign environment.

Arabic language quality. MCP exposes tools to a model. It does not improve the model’s Arabic. If your base model is weak on Hejazi dialect or on classical Arabic legal phrasing, an MCP server full of beautifully designed tools will not fix that — you still need a fine-tuned model. See /blog/rag-vs-fine-tuning-arabic-when-each-wins for the prior decision.

Governance. MCP gives you a clean tool-call protocol. It does not give you IAM, audit logs at the depth a SAMA examiner wants, RBAC on individual tools, or rate limiting. Those have to be built into the server. A production MCP server inside a regulated bank in 2026 looks like a service: it has its own IAM layer, its own audit pipeline (every tool call logged with caller identity, model identity, tool name, arguments, response, latency), its own RBAC table mapping which model identities can call which tools, and its own rate limits per identity. The protocol does not give you any of this. The team building the server gives you all of this.
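
The controls listed above, sketched as an added example (not code from this post or from any MCP SDK): a gate in front of JSON-RPC tools/call requests that applies a deny-by-default RBAC table and a per-caller rate limit, and writes an audit record for every call, allowed or denied. The identities, table contents, limits, stub tools and the error codes -32010 and -32011 are assumptions; caller and model are assumed to arrive already authenticated by the IAM layer.

```python
import json
import time

# Constructed RBAC table: model identity -> tools it may call (tool names from the post).
RBAC = {"aml-copilot": {"screen_sanctions", "fetch_case"}, "triage-bot": {"fetch_case"}}
RATE_LIMIT, WINDOW_S = 2, 60.0   # assumed limit: 2 allowed calls per caller per minute
AUDIT_LOG = []                   # stand-in for the audit pipeline
CALLS = {}                       # caller identity -> timestamps of allowed calls

# Hypothetical stubs standing in for the bank's real back ends.
TOOLS = {
    "screen_sanctions": lambda a: f"no match for {a.get('name')}",
    "fetch_case": lambda a: f"case {a.get('case_id')}: open",
}

def rpc_error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}

def handle_tool_call(raw, caller, model, now=None):
    """Authorize, rate-limit, execute and audit one JSON-RPC tools/call request."""
    now = time.monotonic() if now is None else now
    start = time.perf_counter()
    req = json.loads(raw)
    rid, params = req.get("id"), req.get("params") or {}
    tool, args = params.get("name"), params.get("arguments") or {}
    recent = [t for t in CALLS.get(caller, []) if now - t < WINDOW_S]
    known = isinstance(tool, str) and tool in TOOLS
    if req.get("method") != "tools/call":
        resp = rpc_error(rid, -32601, "method not found")
    elif not known or tool not in RBAC.get(model, set()):
        # Deny by default: unknown tools and unlisted model identities get no access.
        resp = rpc_error(rid, -32010, "tool not permitted for this model identity")
    elif len(recent) >= RATE_LIMIT:
        resp = rpc_error(rid, -32011, "rate limit exceeded")
    else:
        recent.append(now)
        text = TOOLS[tool](args)
        resp = {"jsonrpc": "2.0", "id": rid,
                "result": {"content": [{"type": "text", "text": text}], "isError": False}}
    CALLS[caller] = recent
    # Log every call, allowed or denied, with the fields the post lists.
    AUDIT_LOG.append({
        "caller": caller, "model": model, "tool": tool, "arguments": args,
        "response": resp.get("result") or resp["error"],
        "latency_ms": (time.perf_counter() - start) * 1000,
    })
    return resp
```

Denied and throttled calls are recorded in the same log as successful ones, which is what lets an examiner reconstruct what a model identity attempted and not only what it was allowed to do.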

Why annotation work matters here

This part is the conflict of interest disclosure. Annota8 does not sell MCP servers. We sell annotation data for the foundation models that use them. But MCP server quality is bottlenecked on three things annotators produce well — clear API schemas, well-written tool descriptions, and grounded examples of correct tool use. When a model decides whether to call screen_sanctions(name=X) or lookup_zatca_invoice(invoice=X) on an ambiguous user request, it is reading the tool description and matching against patterns it learned during fine-tuning. If the fine-tuning data was sparse on tool-use trajectories — and most Arabic fine-tunes are — the model will pick wrong. Our work on agent trajectories, agent eval, and LLM agent training data feeds directly into making MCP-equipped agents reliable in Arabic environments. See also our position on retrieval-augmented generation — RAG and MCP are complementary, not competitors.

What to do this quarter

If you are a CTO at a MENA bank, hospital, ministry, or FM lab and you have read this far: the action is not to “adopt MCP.” It is to run a two-week prototype. Pick one workload (one of the four above). Build an MCP server exposing three tools. Run it against Claude Desktop on a VPN inside your environment. Show the result to your procurement and compliance teams. If the result is interesting, ask the harder questions — how does this server move into production, who owns the IAM layer above it, how does it survive a model vendor change. Those questions take six months to answer well. They are worth answering. MCP is not a feature; it is the way enterprise AI is going to ship in the GCC for the rest of the decade.


References


  1. Anthropic, “Introducing the Model Context Protocol” (Nov 25, 2024). https://www.anthropic.com/news/model-context-protocol — and Wikipedia, “Model Context Protocol.” https://en.wikipedia.org/wiki/Model_Context_Protocol

  2. Model Context Protocol specification, “Transports” (2025-06-18). “MCP uses JSON-RPC to encode messages. JSON-RPC messages MUST be UTF-8 encoded.” https://modelcontextprotocol.io/specification/2025-06-18/basic/transports

  3. Saudi Central Bank (SAMA) — banking regulator of the Kingdom of Saudi Arabia. https://en.wikipedia.org/wiki/Saudi_Central_Bank

  4. Saudi Data and AI Authority (SDAIA) — national AI / data authority, including data classification frameworks. https://sdaia.gov.sa

  5. Model Context Protocol specification, “Prompts” (2025-06-18). Server primitives: tools (model-controlled), resources (application-controlled, URI-identified), prompts (user-controlled templates). https://modelcontextprotocol.io/specification/2025-06-18/server/prompts

  6. Model Context Protocol specification, “Transports” (2025-06-18). Standard transports are stdio and Streamable HTTP (which uses HTTP POST/GET and optionally SSE). https://modelcontextprotocol.io/specification/2025-06-18/basic/transports

  7. Model Context Protocol — community servers repository. https://github.com/modelcontextprotocol/servers

  8. Saudi Payments Network (Mada) — SAMA-supervised national payment network. https://en.wikipedia.org/wiki/Saudi_Payments_Network

  9. SARIE — SAMA-owned instant payments system. https://sarie.sa/en

  10. SADAD — centralized bill payment system, launched 2004. https://clearingpost.com/insights/saudi-arabia-payment-infrastructure-guide-sarie-mada-sadad/

  11. Etimad — Ministry of Finance financial services / procurement / e-invoice platform. https://portal.etimad.sa

  12. Absher — citizen services for IDs, residency, and licenses. https://my.gov.sa/en/content/165

  13. Nafath — national digital identity / SSO. https://www.iam.gov.sa/authservice/userauthservice

  14. ALLaM — Saudi Arabic foundation model developed by NCAI at SDAIA from 2023; HUMAIN (formed May 2025) now owns the roadmap. https://huggingface.co/humain-ai/ALLaM-7B-Instruct-preview — and Middle East AI News, “HUMAIN Chat live: ALLaM 34B LLM.” https://www.middleeastainews.com/p/humain-chat-live-allam-34b-llm

  15. Karnak — Egyptian sovereign Arabic foundation model launched at Ai Everything MEA 2026 (Feb 11, 2026), built on Qwen3-30B-A3B with Arabic tokenizer extensions, developed by the Applied Innovation Center (AIC). https://itida.gov.eg/English/PressReleases/Pages/egypt-national-ai-karnak-llm-launch-Ai-Everything-MEA-2026.aspx — and https://huggingface.co/Applied-Innovation-Center/Karnak

  16. Fanar — Qatar Arabic foundation model developed by QCRI at Hamad Bin Khalifa University (Qatar Foundation). https://huggingface.co/QCRI/Fanar-1-9B, https://huggingface.co/QCRI/Fanar-2-27B-Instruct, https://arxiv.org/abs/2501.13944

  17. US Department of Justice, “Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act” — DOJ CLOUD Act primer. https://www.justice.gov/criminal/criminal-oia/page/file/1153466/download