mpl vs MCP: A Compliance and Audit Layer on Top of the Agent Protocol
MCP defines how agents talk. mpl defines what correct looks like. Why production agentic systems need both — and how to compose them.
The protocol-stack question
MCP (Model Context Protocol) and A2A (Agent-to-Agent) are the two de-facto protocols for agent-to-tool and agent-to-agent communication. They are well-designed, widely adopted, and answer the right question: how do agents exchange messages?
They do not answer the question production teams actually need answered: did the agent’s message meet the contract, and can you prove it? This is the gap mpl fills.
The 60-second version: MCP is a transport. mpl is a contract layer. They stack. mpl sits between your agent and your MCP server, observing, validating, and recording every message.
What MCP is
MCP is a JSON-RPC-based protocol that lets an LLM agent call tools exposed by an MCP server. The server advertises a list of tools (with names, descriptions, and JSON-Schema input/output types); the agent invokes them; results come back. It is the USB-C of agent ↔ tool integration:
{
"jsonrpc": "2.0",
"method": "tools/call",
"params": {
"name": "calendar.create",
"arguments": {
"title": "Quarterly Review",
"start": "2026-03-15T14:00:00Z",
"end": "2026-03-15T15:00:00Z"
}
},
"id": "req-1"
}
MCP is a transport. It moves messages. It does not check whether the messages are correct, it does not record who sent them, and it does not give you a quality score on the agent’s output.
What mpl is
mpl is a protocol layer that sits between your agents and the underlying MCP / A2A transport. It defines the contracts for every message type, measures the quality of every interaction, enforces your policies, and records tamper-evident audit trails:
┌─────────────────────────────┐
│ Your Agent Logic │
├─────────────────────────────┤
│ mpl (this layer) │
│ Contracts · Quality · │
│ Policies · Proofs │
├─────────────────────────────┤
│ MCP (client-server) or │
│ A2A (peer-to-peer) │
└─────────────────────────────┘
mpl ships with:
- A contract registry — versioned JSON-Schema contracts
for every message type (
org.calendar.Event.v1,org.finance.Order.v1, etc.). 25+ contracts ship out of the box; you can add your own. - Quality measurement — six metrics
(schema_fidelity, instruction_compliance, groundedness,
determinism, ontology_adherence, tool_outcome) you mix
into profiles (
qom-basic,qom-strict-argcheck, custom). - A policy engine — declarative YAML rules that enforce organisational constraints (require provenance, block certain stypes, require a quality profile, etc.).
- Cryptographic audit — every message gets a BLAKE3 hash, provenance metadata, and a quality report. These map directly to SOX, GDPR, HIPAA, and the EU AI Act.
The five dimensions
| Dimension | MCP | mpl |
|---|---|---|
| Layer | Transport (JSON-RPC) | Contract / quality / audit layer |
| Solves | How agents talk | What correct looks like |
| Adoption | Anthropic, OpenAI, Google, Microsoft (de-facto) | Early but growing |
| Schema validation | JSON-Schema on the tool input/output | JSON-Schema on every message type, with versioning |
| Quality measurement | None | Six metrics, profile-driven |
| Policy enforcement | None | Declarative policy engine |
| Audit trail | None | Tamper-evident (BLAKE3 hash chain) |
| Compliance mapping | None | SOX, GDPR, HIPAA, EU AI Act |
| Mode: observe | n/a | Drop-in proxy, transparent mode (no enforcement) |
| Mode: enforce | n/a | Strict mode (rejects bad messages before they reach the server) |
| Multi-protocol | n/a | Wraps MCP and A2A, with a unified audit trail |
| Performance overhead | n/a | ~3-8ms per message (proxy mode) |
| Language SDKs | n/a | Python, TypeScript, Rust |
When to use which
Use MCP (without mpl) when:
- You are prototyping, and the cost of a bad message is low.
- The agent’s actions are reversible (e.g. read-only queries on your own data).
- The blast radius of a mistake is small (a typo, a wrong search query, a minor scheduling error).
- You are not in a regulated industry.
Use mpl on top of MCP when:
- The agent takes actions that are not easily reversible (sending messages, making purchases, modifying settings).
- You are in a regulated industry (finance, healthcare, government) and need to answer “what did the agent know when it did X” months later.
- You need to enforce a contract (e.g. every calendar event must have a title, a start, and an end) and reject malformed requests before they hit your server.
- You need quality measurement (e.g. is the agent’s output grounded in the data it claims to cite?).
- You are running multiple agents and need a unified audit trail across all of them.
A 5-minute setup
mpl runs as a sidecar proxy in front of your existing MCP server. The agent’s code doesn’t change:
# 1. install
cargo install mplx
# or
pip install mpl-sdk
# 2. start your existing MCP server
my-mcp-server --port 8080
# 3. start mpl-proxy in transparent (observe) mode
mpl proxy http://localhost:8080 --port 9080
# → open http://localhost:9080 for the dashboard
# 4. point your agent at mpl-proxy instead of the server
# (config change, no code change)
# 5. once you've observed the traffic, lock in the schemas
mpl schemas generate # learn contracts from live traffic
mpl schemas approve --all # lock them in
mpl proxy http://localhost:8080 --mode production
# → now bad messages get blocked before they reach the server
Compliance mapping
mpl’s audit trail maps to the specific articles of the major regulations:
| Regulation | What mpl provides |
|---|---|
| SOX (Sarbanes-Oxley) | Tamper-evident records (BLAKE3 hash chain) for every financial action the agent takes |
| GDPR | Right-to-erasure for personal data in agent memory; data-handling proof via the policy engine |
| HIPAA | Quality thresholds on clinical outputs (instruction_compliance ≥ 0.95); provenance for every PHI access |
| EU AI Act | Quality scores + full provenance chain for every high-risk AI action; transparency log for end-users |
This is the gap MCP does not address. If you are deploying agents in a regulated environment, you need both.
What to read next
- Formalising Prompts as First-Class Research Objects — the prompt-side of the same architecture
- Ephemeral Credentials and Zero-Trust AI — the perishable companion
- mpl documentation
- mpl repository
- MCP specification