MCP Governance Overview

Overview

The Model Context Protocol (MCP) is an open standard that enables AI assistants to interact with external tools, data sources, and services through a unified interface. Ascend provides enterprise-grade governance for MCP servers, ensuring that all AI tool calls are evaluated, logged, and controlled according to your organization's security policies.

MCP governance extends the same policy engine, risk scoring, and audit capabilities used for agent actions to cover tool calls made through MCP servers. This provides unified visibility and control across all AI operations in your organization.

Key Capabilities

  • Server Registration: Register and manage MCP servers with governance enabled
  • Tool-Level Governance: Apply policies at the individual tool level
  • Namespace Security: Categorize tools by namespace for risk assessment
  • Real-Time Evaluation: Sub-200ms policy evaluation for tool calls
  • Risk Scoring: Comprehensive risk assessment using verb, resource, and context analysis
  • Approval Workflows: Route high-risk tool calls through approval workflows
  • Audit Trail: Complete audit logging of all MCP operations
  • Health Monitoring: Track MCP server health and availability

How It Works

MCP Integration Architecture

┌─────────────────────────────────────────────────────────────────────────────┐
│ MCP GOVERNANCE ARCHITECTURE │
└─────────────────────────────────────────────────────────────────────────────┘

┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│  AI Assistant   │     │   Ascend SDK    │     │   MCP Server    │
│  (Claude, etc)  │────>│   Governance    │────>│    (Tools)      │
└─────────────────┘     │   Middleware    │     └─────────────────┘
                        └────────┬────────┘
                                 │
                                 v
                        ┌─────────────────┐
                        │  Ascend Policy  │
                        │     Engine      │
                        │  - Risk Scoring │
                        │  - Policy Match │
                        │  - Audit Log    │
                        └────────┬────────┘
                                 │
                    ┌────────────┼────────────┐
                    v            v            v
               ┌──────────┐ ┌──────────┐ ┌──────────┐
               │  ALLOW   │ │ EVALUATE │ │   DENY   │
               │ Execute  │ │ Approval │ │  Block   │
               └──────────┘ └──────────┘ └──────────┘

MCP Action Evaluation Flow

Tool Call Request
         │
         v
┌─────────────────┐
│  1. Server      │──── NOT FOUND ────> Reject (Unknown Server)
│     Lookup      │
└────────┬────────┘
         │ FOUND
         v
┌─────────────────┐
│  2. Governance  │──── DISABLED ────> Pass-through (No Governance)
│     Enabled?    │
└────────┬────────┘
         │ ENABLED
         v
┌─────────────────┐
│  3. Tool        │──── BLOCKED ────> Reject (Tool Blocked)
│     Allowed?    │
└────────┬────────┘
         │ ALLOWED
         v
┌─────────────────┐
│  4. Risk Score  │
│     Calculation │
│     - Server    │
│     - Namespace │
│     - Verb      │
│     - Resource  │
│     - User      │
│     - Context   │
└────────┬────────┘
         │
         v
┌─────────────────┐
│  5. Policy      │
│     Evaluation  │────────────────> Decision (ALLOW/DENY/EVALUATE)
└────────┬────────┘
         │
         v
┌─────────────────┐
│  6. Audit       │
│     Logging     │────────────────> Immutable Audit Trail
└─────────────────┘

MCP Protocol Components

Component | Description                          | Governance Scope
----------|--------------------------------------|-----------------------------------
Tools     | Functions the MCP server exposes     | Per-tool risk scoring and policies
Resources | Data sources the server can access   | Resource-level access control
Prompts   | Pre-defined prompt templates         | Prompt injection detection
Sessions  | Client-server communication sessions | Session tracking and limits

Namespace Risk Categories

MCP tools are categorized by namespace for risk assessment:

Namespace  | Base Risk Score | Description
-----------|-----------------|---------------------------
admin      | 50              | Administrative operations
exec       | 45              | Code execution capabilities
system     | 40              | System-level operations
database   | 35              | Database operations
filesystem | 30              | File system access
network    | 25              | Network operations
data       | 25              | Data processing
api        | 20              | API integrations
tools      | 15              | General tools
default    | 10              | Uncategorized tools

Verb Risk Categories

Tool operations are assessed by verb type:

Verb Category | Risk Score | Examples
--------------|------------|---------------------------------------------------------------------------
Critical      | 40         | delete, remove, destroy, drop, truncate, kill, exec, execute, run, eval, sudo
High          | 25         | write, create, modify, update, insert, alter, grant, revoke, chmod, chown
Medium        | 15         | copy, move, rename, link, mount, unmount
Low           | 5          | read, list, describe, get, query, scan

Configuration

MCP Server Configuration Options

Option              | Type    | Default  | Description
--------------------|---------|----------|-----------------------------------
server_name         | string  | required | Unique server identifier
display_name        | string  | required | Human-readable name
description         | string  | null     | Server description
server_url          | string  | null     | Server endpoint URL
transport_type      | string  | "stdio"  | Transport: stdio, http, websocket
connection_config   | object  |          | Transport-specific configuration
governance_enabled  | boolean | true     | Enable/disable governance
auto_approve_tools  | array   | []       | Tools auto-approved (no review)
blocked_tools       | array   | []       | Tools always blocked
tool_risk_overrides | object  |          | Per-tool risk score overrides

Trust Levels

MCP servers can be assigned trust levels that affect base risk scoring:

Trust Level | Base Risk Modifier | Description
------------|--------------------|---------------------------------------
sandbox     | +0                 | Fully sandboxed, isolated environment
restricted  | +20                | Limited access, requires approval
trusted     | +10                | Verified and approved server
unknown     | +30                | Default for unregistered servers

Risk Score Calculation

The MCP risk score is calculated as follows:

Final Score = min(100, (Base_Scores + Amplification) × Resource_Multiplier)

Where:
- Base_Scores = Server_Risk + Namespace_Risk + Verb_Risk + Resource_Risk + User_Risk + Environment_Risk
- Amplification = Additional risk for dangerous combinations
- Resource_Multiplier = 0.8x to 1.2x based on target resource type

Risk Level Thresholds:

Score Range | Risk Level | Action
------------|------------|-----------------------------
80-100      | CRITICAL   | Deny or Executive Approval
60-79       | HIGH       | Require Approval (L3+)
30-59       | MEDIUM     | Require Approval (L1-L2)
0-29        | LOW        | Auto-approve
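The following Python is an added example, not Ascend's SDK or engine code. It walks steps 1 to 5 of the evaluation flow above and applies the risk formula using the namespace, verb, trust-level and threshold tables from this page, and it fails closed (DENY) when scoring raises an error, as the Security Recommendations below advise. Everything not on the page is an assumption: that a server's trust level is stored as a registry attribute, that the leading token of a tool name is its verb, that a per-tool override replaces the computed score, and that Resource, User and Environment risk, amplification and the resource multiplier are supplied by the caller, since the page gives no values for them. The registry entries are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

# Score tables copied from the namespace, verb and trust-level tables on this page.
NAMESPACE_RISK = {"admin": 50, "exec": 45, "system": 40, "database": 35, "filesystem": 30,
                  "network": 25, "data": 25, "api": 20, "tools": 15, "default": 10}
VERB_RISK = {
    40: {"delete", "remove", "destroy", "drop", "truncate", "kill", "exec", "execute", "run", "eval", "sudo"},
    25: {"write", "create", "modify", "update", "insert", "alter", "grant", "revoke", "chmod", "chown"},
    15: {"copy", "move", "rename", "link", "mount", "unmount"},
    5: {"read", "list", "describe", "get", "query", "scan"},
}
TRUST_MODIFIER = {"sandbox": 0, "restricted": 20, "trusted": 10, "unknown": 30}
THRESHOLDS = [(80, "CRITICAL"), (60, "HIGH"), (30, "MEDIUM"), (0, "LOW")]  # Risk Level Thresholds table
REGISTRY: dict = {}  # server_name -> McpServer; constructed in-memory stand-in for the registry


@dataclass
class McpServer:
    """Registered server; field names follow the configuration table on this page."""
    server_name: str
    trust_level: str = "unknown"            # assumption: trust level is a registry attribute
    governance_enabled: bool = True
    auto_approve_tools: list = field(default_factory=list)
    blocked_tools: list = field(default_factory=list)
    tool_risk_overrides: dict = field(default_factory=dict)


@dataclass
class Decision:
    decision: str                           # ALLOW, DENY or EVALUATE
    reason: str
    risk_score: Optional[int] = None
    risk_level: Optional[str] = None
    approval_level: Optional[str] = None


def verb_risk(tool_name: str) -> int:
    # Assumption: the leading token of the tool name is its verb ("delete_file" -> "delete").
    head = tool_name.lower().split("_")[0]
    for score, verbs in VERB_RISK.items():
        if head in verbs:
            return score
    return 0  # assumption: a verb outside the page's categories contributes nothing


def risk_score(server: McpServer, namespace: str, tool: str, resource_risk: int = 0,
               user_risk: int = 0, env_risk: int = 0, amplification: int = 0,
               resource_multiplier: float = 1.0) -> int:
    """Final Score = min(100, (Base_Scores + Amplification) x Resource_Multiplier)."""
    override = server.tool_risk_overrides.get(tool)
    if override is not None:
        return override  # assumption: a per-tool override replaces the computed score
    base = (TRUST_MODIFIER[server.trust_level]          # Server_Risk; KeyError on an unknown level
            + NAMESPACE_RISK.get(namespace, NAMESPACE_RISK["default"])
            + verb_risk(tool) + resource_risk + user_risk + env_risk)
    multiplier = min(1.2, max(0.8, resource_multiplier))  # clamp to the page's 0.8x-1.2x range
    return min(100, round((base + amplification) * multiplier))


def risk_level(score: int) -> str:
    return next(level for floor, level in THRESHOLDS if score >= floor)


def evaluate(server_name: str, namespace: str, tool: str, **risk_inputs) -> Decision:
    """Steps 1-5 of the evaluation flow; any scoring error fails closed with DENY."""
    server = REGISTRY.get(server_name)
    if server is None:                                  # 1. server lookup
        return Decision("DENY", "unknown server")
    if not server.governance_enabled:                   # 2. governance enabled?
        return Decision("ALLOW", "pass-through, governance disabled")
    if tool in server.blocked_tools:                    # 3. tool allowed?
        return Decision("DENY", "tool blocked")
    if tool in server.auto_approve_tools:
        return Decision("ALLOW", "auto-approved tool")
    try:                                                # 4. risk score calculation
        score = risk_score(server, namespace, tool, **risk_inputs)
    except (KeyError, TypeError, ValueError) as exc:
        return Decision("DENY", f"evaluation error: {exc!r}")  # fail closed
    level = risk_level(score)                           # 5. thresholds -> decision
    if level == "LOW":
        return Decision("ALLOW", "auto-approve", score, level)
    if level == "CRITICAL":
        return Decision("DENY", "critical risk", score, level, "Executive")
    return Decision("EVALUATE", "approval required", score, level,
                    "L3+" if level == "HIGH" else "L1-L2")


# Constructed registry entries mirroring the page's registration examples.
REGISTRY["filesystem-tools"] = McpServer(
    "filesystem-tools", trust_level="trusted",
    auto_approve_tools=["read_file", "list_directory"],
    blocked_tools=["delete_file", "execute_command"],
    tool_risk_overrides={"write_file": 65})
REGISTRY["scratch-exec"] = McpServer("scratch-exec", trust_level="unknown")
REGISTRY["broken-server"] = McpServer("broken-server", trust_level="bogus")  # misconfigured on purpose

if __name__ == "__main__":
    for tool in ("read_file", "write_file", "delete_file", "get_file_info"):
        print(tool, evaluate("filesystem-tools", "filesystem", tool))
```

Note how the unknown-server and misconfigured-server cases both end in DENY: the first because step 1 rejects it, the second because the scoring error is caught and converted to a denial rather than allowed to bubble up as an exception that a caller might ignore. Also note that `run_script` on an `unknown` server reaches 115 before the cap, so the min(100, ...) clamp is what keeps the score inside the CRITICAL band.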

Usage Examples

Register an MCP Server (Python SDK)

from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Register an MCP server for governance
server = client.mcp_servers.register(
    server_name="filesystem-tools",
    display_name="File System Tools Server",
    description="MCP server providing file system operations",
    server_url="stdio:///path/to/server",
    transport_type="stdio",

    # Governance configuration
    governance_enabled=True,

    # Auto-approve low-risk tools
    auto_approve_tools=[
        "read_file",
        "list_directory",
        "get_file_info"
    ],

    # Block high-risk tools
    blocked_tools=[
        "delete_file",
        "delete_directory",
        "execute_command",
        "run_script"
    ],

    # Override risk scores for specific tools
    tool_risk_overrides={
        "write_file": 65,        # Higher than default
        "create_directory": 45,  # Moderate risk
        "move_file": 55,         # Moderate risk
        "copy_file": 35          # Lower risk
    }
)

print(f"MCP Server registered: {server.server_name}")
print(f"Governance enabled: {server.governance_enabled}")

Register MCP Server (cURL)

curl -X POST https://api.ascend.security/api/registry/mcp-servers \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "server_name": "database-tools",
    "display_name": "Database Query Tools",
    "description": "MCP server for database queries and operations",
    "transport_type": "http",
    "server_url": "http://localhost:8080/mcp",
    "governance_enabled": true,
    "auto_approve_tools": ["select_query", "describe_table", "list_tables"],
    "blocked_tools": ["drop_table", "truncate_table", "delete_database"],
    "tool_risk_overrides": {
      "insert_row": 50,
      "update_row": 55,
      "delete_row": 70
    }
  }'

Evaluate an MCP Tool Call

from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Evaluate a tool call before execution
result = client.mcp.evaluate_action(
    server_id="filesystem-tools",
    namespace="filesystem",
    verb="write_file",
    resource="/var/data/reports/output.csv",
    parameters={
        "content": "report data...",
        "mode": "overwrite"
    },
    session_context={
        "session_id": "session-123",
        "client_id": "claude-desktop",
        "source_ip": "192.168.1.100"
    }
)

print(f"Decision: {result.decision}")              # ALLOW, DENY, or EVALUATE
print(f"Risk Score: {result.risk_score}")          # 0-100
print(f"Risk Level: {result.risk_level}")          # LOW, MEDIUM, HIGH, CRITICAL
print(f"Requires Approval: {result.requires_approval}")

if result.requires_approval:
    print(f"Approval Level: {result.approval_level}")
    print(f"Estimated Review Time: {result.estimated_review_time_minutes} min")

Configure Tool-Level Policies

# Add a policy for specific tool behavior
curl -X POST https://api.ascend.security/api/mcp/policies \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "policy_name": "database-write-approval",
    "description": "Require approval for database write operations",
    "is_active": true,
    "priority": 100,
    "server_patterns": ["database-*"],
    "namespace_patterns": ["database"],
    "verb_patterns": ["insert", "update", "delete"],
    "resource_patterns": ["production*"],
    "risk_threshold": 50,
    "action": "REQUIRE_APPROVAL"
  }'
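To make the pattern fields concrete, here is an added Python example (not Ascend's policy engine) that evaluates a tool call against a list of policies shaped like the request body above. Its matching rules are assumptions, since the page does not define them: patterns are shell-style globs, an empty pattern list means no constraint, a bare word such as `insert` also matches a verb that begins with it (so it covers `insert_row`), policies are tried in ascending `priority` with the first match winning, and a pattern hit below `risk_threshold` does not fire. The policy list is constructed; the second entry copies the page's `database-write-approval` policy.

```python
from fnmatch import fnmatch
from typing import Optional, Tuple

# Constructed policies in the shape of the page's POST /api/mcp/policies body.
POLICIES = [
    {"policy_name": "deny-production-drops", "is_active": True, "priority": 10,
     "server_patterns": ["*"], "namespace_patterns": ["database"],
     "verb_patterns": ["drop", "truncate"], "resource_patterns": ["production*"],
     "risk_threshold": 0, "action": "DENY"},
    {"policy_name": "database-write-approval", "is_active": True, "priority": 100,
     "server_patterns": ["database-*"], "namespace_patterns": ["database"],
     "verb_patterns": ["insert", "update", "delete"], "resource_patterns": ["production*"],
     "risk_threshold": 50, "action": "REQUIRE_APPROVAL"},
    {"policy_name": "retired-rule", "is_active": False, "priority": 1,   # inactive: must be skipped
     "server_patterns": ["*"], "namespace_patterns": ["*"], "verb_patterns": ["*"],
     "resource_patterns": ["*"], "risk_threshold": 0, "action": "DENY"},
]


def matches(patterns: list, value: str) -> bool:
    """Assumptions: shell-style globs; an empty list is no constraint; a bare word
    also matches a verb that begins with it ("insert" matches "insert_row")."""
    if not patterns:
        return True
    return any(fnmatch(value, p) or value.startswith(p) for p in patterns)


def match_policy(server_id: str, namespace: str, verb: str, resource: str,
                 risk_score: int, policies=POLICIES) -> Tuple[str, Optional[str]]:
    """Return (action, policy_name) for the first active policy whose four pattern
    lists all match and whose risk_threshold is met; evaluation order is ascending
    priority (assumption: lower number is evaluated first)."""
    for pol in sorted(policies, key=lambda p: p["priority"]):
        if not pol["is_active"]:
            continue
        if not (matches(pol["server_patterns"], server_id)
                and matches(pol["namespace_patterns"], namespace)
                and matches(pol["verb_patterns"], verb)
                and matches(pol["resource_patterns"], resource)):
            continue
        if risk_score < pol["risk_threshold"]:
            continue  # patterns hit, but the call scored below this policy's threshold
        return pol["action"], pol["policy_name"]
    return "NO_MATCH", None  # caller falls back to the risk-level threshold action


if __name__ == "__main__":
    print(match_policy("database-tools", "database", "insert_row", "production-orders", 55))
    print(match_policy("database-tools", "database", "drop_table", "production-orders", 90))
    print(match_policy("database-tools", "database", "insert_row", "staging-orders", 70))
```

Two things worth checking against your own policies with this kind of harness: that a low-priority DENY rule is not shadowed by a broader REQUIRE_APPROVAL rule that happens to sort first, and that resource patterns such as `production*` actually match the resource strings your servers report (a leading path separator or a different naming scheme silently turns the rule into a no-op).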

Get MCP Server Details

curl -X GET https://api.ascend.security/api/registry/mcp-servers/filesystem-tools \
  -H "Authorization: Bearer YOUR_API_KEY"

# Response:
# {
#   "success": true,
#   "server": {
#     "id": 15,
#     "server_name": "filesystem-tools",
#     "display_name": "File System Tools Server",
#     "transport_type": "stdio",
#     "governance_enabled": true,
#     "is_active": true,
#     "health_status": "online",
#     "discovered_tools": [
#       {"name": "read_file", "description": "Read file contents"},
#       {"name": "write_file", "description": "Write to a file"},
#       {"name": "list_directory", "description": "List directory contents"}
#     ],
#     "auto_approve_tools": ["read_file", "list_directory"],
#     "blocked_tools": ["delete_file", "execute_command"],
#     "tool_risk_overrides": {"write_file": 65}
#   }
# }

Get MCP Analytics

curl -X GET "https://api.ascend.security/api/mcp/analytics?hours=24" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Response:
# {
#   "time_range_hours": 24,
#   "total_actions": 1523,
#   "status_distribution": [
#     {"status": "AUTO_APPROVED", "count": 1245},
#     {"status": "APPROVED", "count": 198},
#     {"status": "DENIED", "count": 45},
#     {"status": "PENDING_APPROVAL", "count": 35}
#   ],
#   "risk_distribution": [
#     {"risk_level": "LOW", "count": 1100},
#     {"risk_level": "MEDIUM", "count": 350},
#     {"risk_level": "HIGH", "count": 65},
#     {"risk_level": "CRITICAL", "count": 8}
#   ],
#   "top_servers": [
#     {"server_id": "filesystem-tools", "total_actions": 750, "avg_risk_score": 28.5},
#     {"server_id": "database-tools", "total_actions": 523, "avg_risk_score": 42.1}
#   ]
# }

Best Practices

Server Registration

  1. Unique Names: Use descriptive, unique server names that indicate purpose
  2. Enable Governance: Always enable governance for production MCP servers
  3. Document Tools: Ensure tool descriptions are clear for policy creation
  4. Regular Discovery: Re-run tool discovery when servers are updated

Tool Classification

  1. Block Dangerous Tools: Always block execute, delete, and admin tools by default
  2. Auto-Approve Read-Only: Safe to auto-approve read-only operations
  3. Risk Override: Set explicit risk scores for tools that need custom handling
  4. Review Periodically: Audit tool classifications quarterly
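The periodic review in items 1 and 4 can be scripted against the server record returned by the Get MCP Server Details call above. The Python below is an added example (not Ascend's code) that compares `discovered_tools` with the three classification lists and reports discovered tools that have no classification, tools whose verb is in the page's Critical category but are not blocked, critical tools that were auto-approved, and classified names the server no longer exposes. The server record is constructed, with two tools added beyond the page's response to exercise the checks; treating a tool name's leading token as its verb is an assumption.

```python
# Verbs in the page's Critical category; the Tool Classification guidance says to block these by default.
CRITICAL_VERBS = {"delete", "remove", "destroy", "drop", "truncate", "kill",
                  "exec", "execute", "run", "eval", "sudo"}

# Constructed record in the shape of GET /api/registry/mcp-servers/{server_name} -> "server".
SERVER = {
    "server_name": "filesystem-tools",
    "discovered_tools": [
        {"name": "read_file", "description": "Read file contents"},
        {"name": "write_file", "description": "Write to a file"},
        {"name": "list_directory", "description": "List directory contents"},
        {"name": "run_script", "description": "Run a shell script"},   # constructed: newly discovered
        {"name": "delete_file", "description": "Delete a file"},       # constructed: already blocked
    ],
    "auto_approve_tools": ["read_file", "list_directory"],
    "blocked_tools": ["delete_file", "execute_command"],
    "tool_risk_overrides": {"write_file": 65},
}


def is_critical(tool_name: str) -> bool:
    # Assumption: the leading token of the tool name is its verb ("run_script" -> "run").
    return tool_name.lower().split("_")[0] in CRITICAL_VERBS


def audit_tool_classification(server: dict) -> dict:
    """Report classification gaps for one server record."""
    discovered = {t["name"] for t in server["discovered_tools"]}
    auto = set(server["auto_approve_tools"])
    blocked = set(server["blocked_tools"])
    classified = auto | blocked | set(server["tool_risk_overrides"])
    return {
        # exposed by the server but present in none of the three lists
        "unclassified": sorted(discovered - classified),
        # critical verb, yet not on the block list (auto-approved, overridden or unclassified)
        "critical_not_blocked": sorted(t for t in discovered if is_critical(t) and t not in blocked),
        # worst case: a critical tool that skips review entirely
        "critical_auto_approved": sorted(t for t in auto if is_critical(t)),
        # classified names the server no longer exposes; a rename can silently dodge the block list
        "stale": sorted(classified - discovered),
    }


if __name__ == "__main__":
    for finding, tools in audit_tool_classification(SERVER).items():
        print(f"{finding}: {tools}")
```

The `stale` finding is the one most easily overlooked: block lists are keyed on tool names, so a server update that renames `execute_command` to `run_script` leaves the old entry in place and the new tool unclassified, which is exactly why the Server Registration guidance asks for re-discovery after every update.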

Policy Configuration

  1. Namespace-Based Policies: Create policies based on namespace for broad coverage
  2. Environment Awareness: Apply stricter policies for production resources
  3. Verb Patterns: Use verb patterns to catch write/delete operations
  4. Resource Patterns: Use wildcards for resource pattern matching

Monitoring

  1. Health Checks: Enable health monitoring for all production MCP servers
  2. Alert on Failures: Set up alerts for MCP server health degradation
  3. Analytics Review: Review MCP analytics weekly for unusual patterns
  4. Audit Log Review: Regularly review MCP audit logs for compliance

Security Recommendations

  1. Fail Closed: Configure governance to deny on evaluation errors
  2. Principle of Least Privilege: Only expose necessary tools
  3. Network Isolation: Run MCP servers in isolated network segments
  4. Credential Management: Never expose credentials through MCP tools
  5. Input Validation: Ensure MCP servers validate all inputs

Compliance

MCP governance supports compliance with:

  • SOC 2 CC6.1: Logical access controls for AI tools
  • SOC 2 CC6.2: Access authorization for tool operations
  • SOC 2 CC7.1: Security incident management for tool abuse
  • PCI-DSS 7.1: Restrict tool access by business need
  • NIST 800-53 AC-3: Access enforcement for tool operations
  • NIST 800-53 SI-4: Information system monitoring
  • HIPAA 164.312: Access controls for healthcare data tools