
Arcade's bet: the agentic web needs an actions runtime, not just MCP servers

Agentic Web News June 3, 2026

Arcade promotes itself as an "MCP runtime" — basically, middleware that governs how agents execute actions across tools and services. Although the company actually prefers the term "actions runtime," it believes that MCP is becoming the default way for agents to use SaaS apps and, increasingly, website capabilities.

To find out why agents need middleware, I spoke with Arcade CEO Alex Salazar.

Salazar first pointed out that the agentic web is not just about data retrieval. Until very recently, he says, many people thought of agents as "glorified chatbots."

"My definition of an agent is that it can take actions. It can mutate data. It can issue a transaction of some type. It’s not just data retrieval."

What is an actions runtime?

With that definition in mind, what Arcade offers is a way to manage the actions that an agent takes.

"We call it an MCP runtime, for SEO, but we really refer to it internally and to our customers as an actions runtime," he explained. "An actions runtime or an MCP runtime is really the layer that is taking care of all of the execution of the agent’s requests. The left-hand side is the brains of an agent; the right-hand side is the hands of the agent."

Here he was referring to a slide from an Arcade deck that showed "AI systems" on the left side (ChatGPT, Claude, et al) and tools (like Slack, Jira, et al) on the right side. The AI systems and tools are connected via MCP — the Model Context Protocol — and Arcade sits in the middle, managing authorization and other governance rules.

Arcade: The Actions Runtime; image via the company.

The graphic above clearly shows how Arcade is middleware, which of course makes it an ideal business offering for enterprise IT departments. Prior to founding Arcade, Salazar was an executive at Okta — one of the leading identity and access management companies. So Arcade is bringing a similar product pitch to the AI era: that agents need an authorization and access management layer too.

"If you were to take MuleSoft and Okta and have them make an agent baby, that’s what this layer is, that's Arcade," he chuckled.

Websites as capabilities

I've been writing a lot about how websites are becoming tools for agents — that you can now define a set of capabilities in your website that agents can use and interact with. I asked Salazar whether Arcade can be useful in that paradigm. I was thinking here of, for example, a retail website that offers various tools that agents can use to help people compare or buy their products.

He replied that their original idea — before MCP even existed — was to create a "site reliability agent," which would offer "a properly governed delegated user authorization flow."

But Arcade soon realized that just building an agent wasn't enough, because ChatGPT, Claude and other AI chatbots had quickly become the primary way consumers used AI. Then MCP arrived in late 2024, bringing a standard way for AI applications to connect to external tools. Once MCP became established, Arcade decided that being middleware for MCP servers and tools was the way to go.

"MCP is quickly turning into the HTTP of agents," Salazar said. "And so I think the agentic web and agentic tool calling, from my perch, are becoming the same thing very, very quickly."

This is the key connection, I think, to the “websites as capabilities” idea. Arcade is betting that it’s not enough for a website to expose product data, checkout flows, support actions or other business logic to agents. Those capabilities also need to be callable in a way that respects user permissions, site policies and enterprise governance.

Enterprises want to control the runtime

In the 1990s and into the 2000s, it was common for enterprise companies to put controls around the primary user-facing runtime of the web — that is, the browser. This led to corporate networks, proxies, firewalls, directory services, single sign-on, browser policies, and intranet portals.

These days, there are enterprise browser management tools for organizations. Google has Chrome Enterprise Core, which offers "centralised control from the cloud," while Microsoft has an "Edge for Business" version of its Edge browser, featuring "browser policies, AI controls, and more."

What Arcade is offering is similar in concept, with the proviso that its runtime is for agents — not people. Either way, it's about organizations putting policy controls around an internet application runtime.

"Organizations just want one standardized way of doing something that’s governed and controlled, and reliable, and is going to work," Salazar said.

MCP server quality varies

One other point Salazar made about enterprise control in the AI era: not all MCP servers are the same. He referenced Arcade's ToolBench page, which rates tens of thousands of MCP servers and tools. ToolBench currently reports 219,332 indexed tools, with only 0.5% earning an A or above. The majority are rated F.

Arcade's ToolBench showing MCP tools by quality grade.

"If enterprise is managing governance MCP server by MCP server, agent by agent, they’re going to fail," Salazar claimed.

Agents are software, not new users

There's been discussion in the industry about whether an AI agent is a new class of actor that needs its own independent identity, almost like a peer to a human user. But Salazar gives this idea short shrift. He argues that agents should be treated as equivalent to software applications.

"Agents are software," he insisted. "And the difference between an application and an agent today, in 2026, is nil. Every application I've seen, that's been started in the last six months, is agentic. And every agentic system I've seen in the last six months is an application. And so if we treat them like application workloads, which is what I think they are, then suddenly everything magically works."

This is also a good argument for why users and companies should be cautious about giving local agents broad access to a computer or account credentials.

"You put an agent on your laptop, an agent of one, and you give it your credentials — that’s pretty dangerous, because you can delete files, you can delete emails, you can delete all kinds of stuff."

MCP-first websites

A trend that Salazar sees playing out is websites and applications becoming "MCP-first," which is something I've also been exploring.

"If I were building a website tomorrow, or building a SaaS app tomorrow, I would probably build it MCP-first, because that’s how agents increasingly want to consume this," he said.

For Arcade, that makes MCP a likely foundation for how agents will interact with the web going forward — provided there is a governed runtime layer around it.
