MCP Tool Governance
Overview
MCP Tool Governance provides fine-grained control over individual tools exposed by MCP servers. This enables organizations to apply specific policies, risk scores, and approval requirements at the tool level, ensuring that each AI tool operation is evaluated according to its actual risk profile.
Key Capabilities
- Tool-Level Policies: Apply policies to specific tools or tool patterns
- Risk Score Overrides: Customize risk scores for individual tools
- Auto-Approval Lists: Define tools that can execute without review
- Block Lists: Permanently block dangerous tools
- Namespace Policies: Apply policies across tool namespaces
- Dynamic Risk Assessment: Real-time risk calculation based on parameters
- Audit Trail: Complete logging of all tool executions
How It Works
Tool Evaluation Pipeline
┌─────────────────────────────────────────────────────────────────────────────┐
│ TOOL GOVERNANCE EVALUATION │
└─────────────────────────────────────────────────────────────────────────────┘
Tool Call Request
│
v
┌─────────────────┐
│ Block List │──── MATCH ────> DENY (Tool Blocked)
│ Check │
└────────┬────────┘
│ NO MATCH
v
┌─────────────────┐
│ Auto-Approve │──── MATCH ────> ALLOW (Skip Risk Check)
│ List Check │
└────────┬────────┘
│ NO MATCH
v
┌─────────────────┐
│ Risk Score │
│ Calculation │
│ ┌─────────────┐│
│ │ Base Score ││
│ │ + Override ││
│ │ + Context ││
│ │ + Resource ││
│ └─────────────┘│
└────────┬────────┘
│
v
┌─────────────────┐
│ Policy │
│ Matching │
│ ┌─────────────┐│
│ │ Tool Match ││
│ │ Namespace ││
│ │ Conditions ││
│ └─────────────┘│
└────────┬────────┘
│
v
┌─────────────────┐
│ Decision │──── ALLOW / DENY / EVALUATE
│ + Audit Log │
└─────────────────┘
Risk Score Components
Tool Risk Score = Base_Risk + Override + Context_Factors
Where:
┌─────────────────────────────────────────────────────────────────┐
│ Base_Risk = Namespace_Risk + Verb_Risk + Resource_Risk │
│ │
│ Namespace_Risk: │
│ admin: 50, exec: 45, system: 40, database: 35 │
│ filesystem: 30, network: 25, api: 20, tools: 15 │
│ │
│ Verb_Risk: │
│ delete/destroy: 40, execute: 30, write/modify: 25 │
│ read/query: 5, list/describe: 5 │
│ │
│ Override = tool_risk_overrides[tool_name] or 0 │
│ │
│ Context_Factors: │
│ production_resource: +20, sensitive_data: +25 │
│ admin_user: +10, after_hours: +15, external_ip: +20 │
└─────────────────────────────────────────────────────────────────┘
Two points to confirm against your deployment before relying on these numbers. Resource_Risk is named in the formula but no table for it is given here; the production_resource and sensitive_data context factors are the only resource-related weights shown. The formula adds the override to the base score, yet the override values in the examples on this page (for instance execute_script: 85) already sit near the top of the 0-100 scale, so check whether an override adds to or replaces the base score and how a sum above 100 is handled, since that determines which risk_threshold values a tool can cross.
Policy Matching Logic
Policies are matched in priority order (lowest priority number = highest priority):
For each active policy (sorted by priority ASC):
1. Check server_patterns (if any)
2. Check namespace_patterns (if any)
3. Check verb_patterns (if any)
4. Check resource_patterns (if any)
5. Check risk_threshold (if any)
6. If ALL checks pass → Apply policy action
7. Stop at first matching policy
An empty pattern list imposes no constraint, so a policy that sets only a risk_threshold (such as the executive-approval example below) matches every tool call scoring above that threshold. Because evaluation stops at the first match, such a policy at priority 10 takes precedence over a DENY policy at priority 25 whenever the score clears its threshold; give unconditional DENY rules the lowest priority numbers if they must win. The block list and auto-approve list are checked before any policy (see the pipeline above), so no policy can override either list.
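The following is an added, illustrative re-implementation of the pipeline described in the two sections above (block list, auto-approve list, risk score, first-match policy); it is not the Ascend product's code. The risk tables and the sample governance config and policies are copied from this page; the use of '*' glob matching, the 0-100 clamp, the rule that a tool's verb is the first token of its snake_case name, the default-deny fallback, the catch-all "database-default-allow" policy, and the constructed tool, server and resource names ("delete_record", "prod-fs", "/srv/production/app.conf") are assumptions made for the example.

```python
"""Added illustration of the evaluation pipeline described on this page.
Not the Ascend product's code: risk tables come from the page; the 0-100 clamp,
the verb-from-tool-name rule and the default action are assumptions."""
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

NAMESPACE_RISK = {"admin": 50, "exec": 45, "system": 40, "database": 35,
                  "filesystem": 30, "network": 25, "api": 20, "tools": 15}
VERB_RISK = {"delete": 40, "destroy": 40, "execute": 30, "write": 25,
             "modify": 25, "read": 5, "query": 5, "list": 5, "describe": 5}
CONTEXT_RISK = {"production_resource": 20, "sensitive_data": 25,
                "admin_user": 10, "after_hours": 15, "external_ip": 20}


@dataclass
class Policy:
    policy_name: str
    action: str                       # ALLOW | DENY | REQUIRE_APPROVAL | ESCALATE
    priority: int = 100               # lower number = evaluated first
    is_active: bool = True
    server_patterns: list = field(default_factory=list)
    namespace_patterns: list = field(default_factory=list)
    verb_patterns: list = field(default_factory=list)
    resource_patterns: list = field(default_factory=list)
    risk_threshold: Optional[int] = None


@dataclass
class ServerGovernance:
    auto_approve_tools: set = field(default_factory=set)
    blocked_tools: set = field(default_factory=set)
    tool_risk_overrides: dict = field(default_factory=dict)


def _matches(patterns, value):
    # An empty pattern list imposes no constraint; '*' glob semantics assumed.
    return not patterns or any(fnmatch.fnmatchcase(value, p) for p in patterns)


def verb_of(tool_name):
    # Assumption: the verb is the leading token of a snake_case tool name.
    return tool_name.split("_", 1)[0]


def risk_score(tool, namespace, gov, context):
    base = NAMESPACE_RISK.get(namespace, 0) + VERB_RISK.get(verb_of(tool), 0)
    override = gov.tool_risk_overrides.get(tool, 0)   # additive, as the page's formula states
    ctx = sum(CONTEXT_RISK[f] for f in context if f in CONTEXT_RISK)
    return max(0, min(100, base + override + ctx))    # assumption: clamp to the 0-100 scale


def evaluate(server, tool, namespace, resource, gov, policies,
             context=frozenset(), default_action="DENY"):
    """Block list -> auto-approve list -> risk score -> first-match policy."""
    if tool in gov.blocked_tools:
        return {"decision": "DENY", "reason": "blocked_tool", "risk_score": None}
    if tool in gov.auto_approve_tools:   # skips scoring AND policy matching
        return {"decision": "ALLOW", "reason": "auto_approved", "risk_score": None}
    score = risk_score(tool, namespace, gov, context)
    for p in sorted(policies, key=lambda p: p.priority):
        if not p.is_active:
            continue
        if not (_matches(p.server_patterns, server) and _matches(p.namespace_patterns, namespace)
                and _matches(p.verb_patterns, verb_of(tool)) and _matches(p.resource_patterns, resource)):
            continue
        if p.risk_threshold is not None and score <= p.risk_threshold:
            continue                     # schema: "policy applies above this"
        return {"decision": p.action, "reason": p.policy_name, "risk_score": score}
    # Nothing matched: default-deny, following the page's "Default Deny for New Tools" advice.
    return {"decision": default_action, "reason": "no_policy_match", "risk_score": score}


# Constructed sample data: the page's database-tools governance, its three policies,
# the page's write_file override, and an assumed catch-all ALLOW at priority 100.
DB_TOOLS = ServerGovernance(
    auto_approve_tools={"select_query", "describe_table", "list_tables", "count_rows"},
    blocked_tools={"drop_table", "drop_database", "truncate_table", "execute_raw_sql"},
    tool_risk_overrides={"insert_row": 55, "update_row": 60, "delete_row": 70,
                         "create_table": 50, "alter_table": 65, "create_index": 45})
FILE_TOOLS = ServerGovernance(tool_risk_overrides={"write_file": 65, "move_file": 55})
POLICIES = [
    Policy("executive-approval-required", "ESCALATE", priority=10, risk_threshold=85),
    Policy("production-file-protection", "DENY", priority=25, namespace_patterns=["filesystem"],
           verb_patterns=["write", "delete", "modify", "move"],
           resource_patterns=["*/production/*", "*/prod/*", "/var/www/*"]),
    Policy("database-write-approval", "REQUIRE_APPROVAL", priority=50,
           namespace_patterns=["database"], verb_patterns=["insert", "update", "delete", "alter"],
           risk_threshold=40),
    Policy("database-default-allow", "ALLOW", priority=100, namespace_patterns=["database"]),
]

if __name__ == "__main__":
    for tool in ["drop_table", "describe_table", "create_index", "delete_record", "insert_row"]:
        print(tool, evaluate("database-tools", tool, "database", "customers", DB_TOOLS, POLICIES))
    # Same write with and without the write_file override: the override pushes the score past
    # 85, so the priority-10 ESCALATE policy matches before the priority-25 DENY is reached.
    for gov in (ServerGovernance(), FILE_TOOLS):
        print("write_file", evaluate("prod-fs", "write_file", "filesystem",
                                     "/srv/production/app.conf", gov, POLICIES))
```

The last two calls are the case worth studying: a write to a production path is denied when the tool has no override, but once the page's write_file override of 65 is applied the score saturates at 100 and the threshold-only ESCALATE policy at priority 10 wins over the DENY at priority 25. If the DENY must always apply, it needs the lower priority number.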
Configuration
Tool Risk Overrides
Set custom risk scores for specific tools:
{
"tool_risk_overrides": {
"write_file": 65,
"create_directory": 45,
"move_file": 55,
"copy_file": 35,
"execute_script": 85,
"send_email": 50
}
}
Auto-Approve List
Tools that skip the pipeline entirely. An auto-approved tool is allowed before the risk score is computed and before any policy is matched, so a DENY policy on a resource pattern (for example *.credentials.*) does not fire for it; a tool such as read_file still returns whatever it is pointed at. Keep this list to read-only, low-sensitivity tools and do not rely on resource-pattern policies to restrict them:
{
"auto_approve_tools": [
"read_file",
"list_directory",
"get_file_info",
"describe_table",
"count_rows",
"check_status"
]
}
Block List
Tools that are always denied. The block list is the first check in the pipeline, so it wins over the auto-approve list and over any ALLOW policy:
{
"blocked_tools": [
"delete_file",
"delete_directory",
"truncate_table",
"drop_database",
"execute_command",
"run_shell",
"modify_permissions",
"grant_access"
]
}
MCP Policy Schema
{
"policy_name": "string (required)",
"description": "string (optional)",
"is_active": "boolean (default: true)",
"priority": "integer (default: 100, lower = higher priority)",
"server_patterns": ["array of server name patterns"],
"namespace_patterns": ["array of namespace patterns"],
"verb_patterns": ["array of verb patterns"],
"resource_patterns": ["array of resource patterns"],
"risk_threshold": "integer (0-100, policy applies above this)",
"action": "ALLOW | DENY | REQUIRE_APPROVAL | ESCALATE",
"action_params": {
"approval_level": "integer (1-5)",
"escalate_to": "string (team or user)",
"timeout_seconds": "integer",
"notification_channels": ["array of channels"]
}
}
Usage Examples
Create Tool Policy (Python SDK)
from ascend import AscendClient
client = AscendClient(api_key="your-api-key")
# Create a policy for database write operations
policy = client.mcp.policies.create(
policy_name="database-write-approval",
description="Require approval for any database write operation",
is_active=True,
priority=50, # Higher priority (lower number)
# Match criteria
namespace_patterns=["database"],
verb_patterns=["insert", "update", "delete", "alter"],
# Risk threshold: the policy applies only when the computed risk score is above this value
risk_threshold=40,
# Action
action="REQUIRE_APPROVAL",
action_params={
"approval_level": 2,
"timeout_seconds": 3600,
"notification_channels": ["slack", "email"]
}
)
print(f"Policy created: {policy.policy_name}")
Create Policy (cURL)
# Policy for production file writes
curl -X POST https://api.ascend.security/api/mcp/policies \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"policy_name": "production-file-protection",
"description": "Block file modifications in production directories",
"is_active": true,
"priority": 25,
"namespace_patterns": ["filesystem"],
"verb_patterns": ["write", "delete", "modify", "move"],
"resource_patterns": ["*/production/*", "*/prod/*", "/var/www/*"],
"action": "DENY"
}'
Create Escalation Policy
# Policy for high-risk operations that need executive approval
curl -X POST https://api.ascend.security/api/mcp/policies \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"policy_name": "executive-approval-required",
"description": "Critical operations require executive approval",
"is_active": true,
"priority": 10,
"risk_threshold": 85,
"action": "ESCALATE",
"action_params": {
"approval_level": 4,
"escalate_to": "security-executives",
"timeout_seconds": 86400,
"notification_channels": ["pagerduty", "email", "slack"]
}
}'
Configure Server Tool Governance
from ascend import AscendClient
client = AscendClient(api_key="your-api-key")
# Update server with comprehensive tool governance
server = client.mcp_servers.update(
server_name="database-tools",
# Low-risk tools - auto-approve
auto_approve_tools=[
"select_query",
"describe_table",
"list_tables",
"count_rows",
"check_connection"
],
# High-risk tools - always block
blocked_tools=[
"drop_table",
"drop_database",
"truncate_table",
"execute_raw_sql",
"grant_permission",
"revoke_permission"
],
# Custom risk scores for medium-risk tools
tool_risk_overrides={
"insert_row": 55,
"update_row": 60,
"delete_row": 70,
"create_table": 50,
"alter_table": 65,
"create_index": 45
}
)
Evaluate Tool Call
from ascend import AscendClient
client = AscendClient(api_key="your-api-key")
# Evaluate a specific tool call
result = client.mcp.evaluate_action(
server_id="database-tools",
namespace="database",
verb="update_row",
resource="production.customers",
parameters={
"table": "customers",
"set": {"status": "inactive"},
"where": {"customer_id": 12345}
},
session_context={
"session_id": "sess-abc123",
"client_id": "claude-desktop",
"source_ip": "192.168.1.100"
}
)
print(f"Decision: {result.decision}")
print(f"Risk Score: {result.risk_score}")
print(f"Risk Level: {result.risk_level}")
print(f"Matched Policies: {result.matched_policies}")
if result.decision == "EVALUATE":
print(f"Requires approval level: {result.approval_level}")
print(f"Estimated wait: {result.estimated_review_time_minutes} minutes")
List MCP Policies
curl -X GET https://api.ascend.security/api/mcp/policies \
-H "Authorization: Bearer YOUR_API_KEY"
# Response:
# {
# "success": true,
# "policies": [
# {
# "id": 1,
# "policy_name": "executive-approval-required",
# "priority": 10,
# "is_active": true,
# "risk_threshold": 85,
# "action": "ESCALATE"
# },
# {
# "id": 2,
# "policy_name": "production-file-protection",
# "priority": 25,
# "is_active": true,
# "namespace_patterns": ["filesystem"],
# "action": "DENY"
# }
# ]
# }
Update Policy
curl -X PUT https://api.ascend.security/api/mcp/policies/1 \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"risk_threshold": 80,
"action_params": {
"approval_level": 5,
"timeout_seconds": 43200
}
}'
Delete Policy
curl -X DELETE https://api.ascend.security/api/mcp/policies/2 \
-H "Authorization: Bearer YOUR_API_KEY"
Best Practices
Policy Priority Guidelines
| Priority Range | Use Case | Examples |
|---|---|---|
| 1-25 | Critical security rules | Production protection, admin blocks |
| 26-50 | Compliance requirements | Audit logging, data classification |
| 51-75 | Business rules | Department-specific policies |
| 76-100 | Default behaviors | Standard approval workflows |
Tool Classification Guidelines
Auto-Approve (Low Risk):
- Read-only operations
- Information queries
- Status checks
- List/describe operations
Require Review (Medium Risk):
- Write operations to non-production
- Create operations
- Non-destructive modifications
Always Block (High Risk):
- Delete/drop/truncate operations
- Code execution
- Permission modifications
- Raw SQL/command execution
Pattern Matching Best Practices
Server Patterns:
{
"server_patterns": [
"production-*", // All production servers
"*-database-*", // All database servers
"specific-server" // Exact match
]
}
Namespace Patterns:
{
"namespace_patterns": [
"database", // Exact match
"file*", // Starts with "file"
"*admin*" // Contains "admin"
]
}
Resource Patterns:
{
"resource_patterns": [
"*/production/*", // Production paths
"*.credentials.*", // Credential tables
"/etc/*", // System configuration
"s3://sensitive-bucket/*" // Sensitive storage
]
}
Risk Override Strategy
┌─────────────────────────────────────────────────────────────────┐
│ RISK OVERRIDE RECOMMENDATIONS │
└─────────────────────────────────────────────────────────────────┘
Tool Type │ Base Score │ Recommended Override
───────────────────┼────────────┼─────────────────────
Read operations │ 5-15 │ No override needed
List operations │ 5-15 │ No override needed
Create operations │ 25-35 │ 40-50 if creates resources
Update operations │ 25-35 │ 50-60 if modifies state
Delete operations │ 40-50 │ 70-80 (always higher)
Execute operations │ 40-50 │ 75-90 (code execution risk)
Admin operations │ 50-60 │ 80-95 (privilege escalation)
Security Recommendations
- Default Deny for New Tools: Block unrecognized tools until reviewed
- Regular Policy Review: Audit policies quarterly
- Test Before Production: Test policies in staging first
- Monitor Policy Matches: Track which policies trigger most often
- Alert on Policy Bypasses: Alert on changes to the auto-approve and block lists, and review the tool calls allowed through the auto-approve list, since those skip risk scoring and policy matching
Common Policy Patterns
Pattern 1: Environment Protection
{
"policy_name": "protect-production",
"resource_patterns": ["*prod*", "*production*"],
"verb_patterns": ["write", "delete", "modify"],
"action": "REQUIRE_APPROVAL",
"action_params": {"approval_level": 3}
}
"*prod*" already matches everything "*production*" matches, and it also matches unrelated names such as a product catalog table. Anchor patterns to the naming convention actually in use (for example "production.*" or "*/production/*") and check what they match before activating the policy.
Pattern 2: PII Data Protection
{
"policy_name": "pii-data-protection",
"resource_patterns": ["*customer*", "*user*", "*personal*"],
"namespace_patterns": ["database"],
"action": "REQUIRE_APPROVAL",
"action_params": {"approval_level": 2}
}
Substring patterns such as "*user*" catch any resource with that word in its name (a user-agent statistics table, for example) and miss PII stored under other names. Treat this pattern as a starting point and back it with an explicit list of the resources your data classification marks as PII.
Pattern 3: After-Hours Blocking
{
"policy_name": "after-hours-block",
"conditions": {
"time_range": {
"outside_hours": true,
"start": "09:00",
"end": "17:00"
}
},
"action": "DENY"
}
The conditions block is not part of the MCP Policy Schema shown above; confirm that your deployment accepts it before relying on this pattern. A time range also needs an explicit time zone, or an agent operating from another region is evaluated against the wrong working day. Where conditions are not available, the after_hours context factor (+15) raises the risk score outside business hours and can be combined with a risk_threshold to reach a similar effect.
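Before activating a policy such as Pattern 1 or Pattern 2, run its pattern list over the resources the server actually exposes and look at what it catches. The helper below is an added example (not from the page or the Ascend product) that does this audit against a constructed table inventory; the inventory, the "intended" sets and the use of '*' glob matching are assumptions made for the example.

```python
"""Added pattern audit helper (not from the page). It runs a policy's pattern list over a
constructed resource inventory so over-broad globs are found before the policy goes live."""
import fnmatch


def audit_patterns(patterns, inventory):
    """Map each pattern to the sorted inventory entries it matches ('*' glob semantics assumed)."""
    return {p: sorted(r for r in inventory if fnmatch.fnmatchcase(r, p)) for p in patterns}


def _caught(patterns, inventory):
    return {r for hits in audit_patterns(patterns, inventory).values() for r in hits}


def unexpected_matches(patterns, inventory, intended):
    """Inventory entries some pattern catches that are not in the intended set (false positives)."""
    return sorted(_caught(patterns, inventory) - set(intended))


def unmatched_intended(patterns, inventory, intended):
    """Intended entries no pattern catches (false negatives)."""
    return sorted(set(intended) - _caught(patterns, inventory))


# Constructed inventory of database resources as a server might expose them.
INVENTORY = ["production.customers", "production.orders", "production.users",
             "staging.customers", "analytics.product_catalog", "dev.user_agent_stats",
             "reporting.daily_summary"]
PROD_TABLES = {"production.customers", "production.orders", "production.users"}
PII_TABLES = {"production.customers", "staging.customers", "production.users"}

if __name__ == "__main__":
    # Pattern 1: "*prod*" also catches the analytics product catalog.
    print(unexpected_matches(["*prod*", "*production*"], INVENTORY, PROD_TABLES))
    # Pattern 2: "*user*" also catches a user-agent statistics table.
    print(unexpected_matches(["*customer*", "*user*", "*personal*"], INVENTORY, PII_TABLES))
    # A pattern scoped to the naming convention has neither false positives nor false negatives.
    print(unexpected_matches(["production.*"], INVENTORY, PROD_TABLES),
          unmatched_intended(["production.*"], INVENTORY, PROD_TABLES))
```

Feed the same audit with the real tool and resource inventory from your MCP server registration, and keep the "intended" set under review control; a pattern change that produces new unexpected matches is a signal to tighten the glob rather than to widen the approval workflow.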
Related
- MCP Governance Overview - MCP concepts
- MCP Server Registration - Server setup
- Policy Management - General policies
- Risk Scoring - Risk calculations
- Approval Workflows - Approval configuration
Compliance
MCP tool governance supports compliance with:
- SOC 2 CC6.1/CC6.2: Logical access controls
- SOC 2 CC7.1: Security incident management
- PCI-DSS 7.1/7.2: Access control systems
- NIST 800-53 AC-3: Access enforcement
- NIST 800-53 AC-6: Least privilege
- HIPAA 164.312: Access controls for PHI
- GDPR Article 25: Data protection by design