How are AI agents actually being used? This New AISI MCP paper has some answers!
Inside the MCP data exhaust that shows agents turning into operators
Agents are rapidly moving from passive copilots to active operators, concentrated in software and finance, increasingly acting in unconstrained environments, and increasingly built by other agents. If you’re thinking about governance, infra, or product, the unit of analysis now isn’t just “the model” it’s the tool layer and the action space it exposes.
Agents are moving from benchmarks to tools. and If you want to understand where AI agents are really going, yo need to stop looking at model benchmarks and start observing the tools. This new paper from Merlin Stein at the UK AI Security Institute does exactly that, by tracking 177,436 Model Context Protocol (MCP) tools between late 2024 and early 2026 to map the “action space” of agents –
the concrete things they can do in the world.
Measuring the agent “action space”
Instead of asking “how capable is the model?”, the paper asks a different question: what tools are agents wired into,
in which domains,
with what stakes,
in which geographies, and
who is building those tools?
Tools are grouped along five dimensions: direct impact (perception, reasoning, action), environmental generality (constrained APIs vs unconstrained browser/desktop), task domain and stakes (via O*NET), geography of usage, and AI co‑authorship. That shift in perspective – from model internals to tool affordances – turns a fuzzy “agents are coming” narrative into something you can actually measure.
Today’s agents are mostly software workers
from the real‑world deployment agents are first being pointed at codebases, terminals, CI pipelines and devtools, not at the whole macroeconomy at once. 67% of tools and about 90% of MCP server downloads are aimed at software development and related IT tasks, with finance and business management a smaller but visible cluster.
Usage is shifting from ‘seeing’ to ‘doing’
But the more interesting trend is not a tually the domain but the shift in direct impact. Over the 16‑month window, the share of downloads going to “action” tools – things that can edit files, send emails, execute code or move money has risen from 27% to 65%.
Perception and reasoning tools still matter, but usage has drifted significantly towards agents that can press buttons, not just read and summarize. this growth is mostly dominated by general‑purpose tools for browser automation and computer control, which means agents are increasingly acting in unconstrained environments rather than narrow, well‑scoped APIs.
Medium‑stakes by default, with finance as an outlier
Most action tools support medium‑stakes occupations such as system administration and software engineering. You don’t yet see a flood of tools directly authorizing prescriptions or running critical infrastructure end‑to‑end.
But finance is a clear outlier, high‑stakes financial occupations have disproportionately more action tools than you’d expect from the overall pattern, and there’s rapid growth in MCP servers that can execute payments or crypto transactions. That’s exactly the region that worries central banks for example, correlated autonomous behaviour around payments and trading, at machine speed.
The action space
Roughly half of observed downloads of action‑capable MCP servers come from the United States, around 20% from Western Europe, and about 5% from China and 5% from Singapore, with everyone else in the single digits.
The authors are quite careful that PyPI/NPM are Western‑centric, so this undercounts non‑Western ecosystems, but as a first‑pass signal it still tells you where general‑purpose, action‑heavy agents are being experimented with.
Agents are now helping to build the tool layer
The most recursive datapoint is who is building the ecosystem.
This paper finds evidence of AI co‑authorship in 28% of MCP servers (36% of tools), and, more strikingly, in 62% of new servers created in February 2026.
Claude Code dominates those AI‑assisted repos at around 69% of AI‑coauthored servers, with Cursor, Copilot and Codex making up most of the rest.
so agents are already helping to write the glue code and connectors that define other agents’ action spaces and Tool creation is starting to decouple from human developer bandwidth.
However there are few but big caveats.
MCP registries capture only public tools; and The risk surface is shifting into unconstrained environments
Even with those caveats, the directional story is clear.
The action space of AI agents is expanding fast and usage is shifting from passive perception to active modification.
general‑purpose tools in unconstrained environments are winning. the first high‑stakes frontier is finance; and a growing fraction of the tool layer is being written with AI assistance.
If you care about governance, risk or infra, that’s a strong signal that the right unit of analysis is the tool layer – not just the models and not just the chat interfaces, but the concrete affordances agents get over the real (and financial) world.