MCP Apps extends the frontier — KYA is the identity spine beneath it
· by Risto Anton Paarni
From the AAIF launch post
“MCP Apps launched as the first official Model Context Protocol extension that brings interactive UI capabilities to MCP clients — developed through a partnership between OpenAI and Anthropic, building on OpenAI’s Apps SDK and the community-driven MCP-UI project. ChatGPT, Claude, goose and Visual Studio Code all ship support.”
Source: Agentic AI Foundation (AAIF), Linux Foundation —
aaif.io/blog/mcp-apps-extending-the-frontier/
Every time OpenAI and Anthropic ship another open standard under the Linux Foundation’s neutral AAIF governance, our KYA thesis gets sharper, not weaker. Interactive UIs that can take actions from inside ChatGPT, Claude Desktop, goose and VS Code do not need less identity than invisible tool calls — they need more. Here is what we are doing about it, and what we have already shipped.
What MCP Apps actually is
Built on OpenAI’s Apps SDK and the community-driven MCP-UI project, unified under AAIF. It lets an MCP server return rich, interactive UI — dashboards, forms, multi-step workflows, visualisations — that render directly inside the conversation. Write the tool once; it shows up natively in ChatGPT, Claude Desktop, goose and VS Code without per-client code. For the first time, agent-facing UI has a cross-vendor shared standard.
What that unlocks for DWS
We already expose DWS as MCP. The
/mcp endpoint lists
our agents via
tools/list; our Aiven
databases have an Aiven MCP server on them (SQL, pgvector, Kafka) with RBAC-enforced
scopes; the GitHub MCP server gives us 48 tools into the repo. Today those are invisible
tool calls. With MCP Apps they become surfaces:
Surface 1 · Compliance
CSRD gap dashboard, rendered inside the chat
/compliance-check
runs the scoring engine, fills 82 ESRS disclosures, then returns a live gap matrix
— sortable, filterable — right above the prompt. The CFO clicks an ESRS
code, the form opens, they approve or reject inline. The agent writes the result to
Aiven, signs the audit entry, and moves on.
Surface 2 · Carbon
3D LCA breakdown from
/carbon-analysis
Material Oracle returns EN 15978 lifecycle stages (A1–D) as an interactive widget. Hover a stage, see the kgCO2e per unit, click the factor, drill to the EU ETS benchmark citation. Same data we already compute; new surface that survives copy-paste into a board deck.
Surface 3 · Site safety
Live SiteSense score card
EN 13001 crane warnings, wind-speed thresholds, worker count — rendered as a 0–100 score panel that auto-refreshes. Site manager says “lift clear for today?” in Claude Desktop, gets a yes/no plus signed rationale they can forward to the union rep.
The question the UI does not answer: who is doing this?
MCP Apps adds affordance. It does not add identity. A signed form fired from ChatGPT is an authenticated human action from the model vendor’s perspective. It is an unattributed agent action from the enterprise auditor’s perspective — unless something binds the action to a verified human who is accountable under EU AI Act Article 26 (deployer obligations for high-risk AI systems). That something is KYA.
What KYA adds that the open standard does not
- Identity Attribution (Pillar 1) — every MCP Apps action carries a cryptographic KYA token back to a KYB/KYC-verified human. The model vendor sees a user; the auditor sees a named accountable party.
- Capability Gating (Pillar 2) — which MCP Apps surfaces a given agent can render is a policy decision, not a client-side toggle. Low-trust agents don’t get to draw the approval button.
- Forensic Observability (Pillar 3) — Firehorse trace IDs thread through the tool call, the rendered UI, the user’s click and the downstream write. One query reconstructs the full chain six months later.
- TC-4 Leash Snap — one revoke terminates the agent chain across every client (ChatGPT, Claude, goose, VS Code) simultaneously. The open standard cannot do this; the identity spine can.
The stack, one more time
- MCP Apps (AAIF, cross-vendor) — the agent’s hands: interactive UI that works across ChatGPT, Claude, goose, VS Code.
-
MCP tools (Aiven MCP, DWS IQ
/mcp, GitHub MCP) — the agent’s reach: data, services, code. - Microsoft Foundry Connect — the agent’s computer: sandbox, durable state, harness freedom.
- Aiven (Helsinki) + Scaleway (Paris) — the agent’s jurisdiction: EU-sovereign data and compute.
- KYA Standard v1.5 — the agent’s identity spine: the accountable human on the leash.
AAIF standardises the fabric. Microsoft provides the sandbox. Aiven and Scaleway hold the sovereign ground. KYA makes the whole thing enterprise-legal for EU-regulated industries. Five pieces, all solid, all composable. The only one of them DWS owns is the identity spine — which is exactly the piece the rest of the industry keeps forgetting to build.
Read next
- Our layers are solid — Aiven, Scaleway, KYA meet Nadella’s Foundry (sister post)
- KYA Standard v1.5 — what changed since the v1 field note
- KYA Standard v1 — the original field note
-
AAIF launch post:
aaif.io/blog/mcp-apps-extending-the-frontier/ -
Aiven MCP server:
aiven.io/mcp
Risto Anton Paarni
CEO, Lifetime Oy · Editor in Chief, Lifetime Scope Journal