MCP Governance Overview
| Field | Value |
|---|---|
| Document ID | ASCEND-MCP-001 |
| Version | 2026.04 |
| Last Updated | April 2026 |
| Author | Ascend Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |
Reading Time: 8 minutes | Skill Level: Advanced
Overview
ASCEND provides comprehensive governance for Model Context Protocol (MCP) servers, extending the same enterprise-grade security controls used for AI agents to MCP tool use. Every MCP server action is evaluated, approved, and audited using unified governance policies.
MCP governance uses a default-deny policy model. Any MCP tool invocation that does not match an explicit allow policy is blocked. Register all MCP servers and configure policies before enabling governance.
What is MCP?
Model Context Protocol (MCP) is a standard for AI models to interact with external tools and data sources. MCP servers provide capabilities like:
- File System Access - Read/write files
- Database Queries - Execute SQL queries
- API Calls - Interact with external services
- Code Execution - Run code in sandboxes
Why MCP Governance?
Without governance, MCP servers present significant security risks:
| Risk | Without Governance | With ASCEND |
|---|---|---|
| Unauthorized file access | Unrestricted | Risk-assessed + approved |
| Database manipulation | Open access | Policy-controlled |
| Sensitive data exposure | No protection | PII detection + masking |
| Compliance violations | Unknown | Audit trail + evidence |
MCP Governance Architecture
+---------------------------------------------------------------------------------+
| MCP GOVERNANCE SYSTEM |
+---------------------------------------------------------------------------------+
| |
| MCP CLIENT (Claude, etc.) |
| +-------------------------------------------------------------------------+ |
| | | |
| | Tool Request: filesystem.read_file("/etc/passwd") | |
| | | |
| +-------------------------------------------------------------------------+ |
| | |
| v |
| +-------------------------------------------------------------------------+ |
| | ASCEND MCP GATEWAY | |
| | | |
| | 1. Intercept MCP request | |
| | 2. Evaluate against policies | |
| | 3. Calculate risk score | |
| | 4. Route to approval workflow (if needed) | |
| | 5. Execute or deny | |
| | 6. Log to audit trail | |
| | | |
| +-------------------------------------------------------------------------+ |
| | |
| +-------------------+-------------------+ |
| | | |
| v v |
| +------------------+ +------------------+ |
| | AUTO-APPROVED | | PENDING APPROVAL | |
| | Risk < threshold | | Risk >= threshold| |
| | -> Execute | | -> Human review | |
| +------------------+ +------------------+ |
| | | |
| +-------------------+-------------------+ |
| | |
| v |
| +-------------------------------------------------------------------------+ |
| | MCP SERVER | |
| | - Filesystem - Database - API - Code Execution | |
| +-------------------------------------------------------------------------+ |
| |
+---------------------------------------------------------------------------------+
Unified Governance
ASCEND provides a unified governance model for both AI agents and MCP servers:
| Feature | AI Agents | MCP Servers |
|---|---|---|
| Risk Assessment | 0-100 score | 0-100 score |
| Policy Engine | Smart Rules | Smart Rules |
| Approval Workflow | Multi-level | Multi-level |
| Audit Trail | Immutable | Immutable |
| Kill Switch | Supported | Supported |
Unified Authorization Center
The unified view of agent + MCP actions is served from the orchestration topology + unified governance endpoints. In the admin UI, use the Activity tab. In the SDK, use AscendClient.evaluate_mcp_action (SDK 2.2.0+); the backend writes both agent and MCP actions through the same EnterpriseRiskPipeline, so they land in the same audit surface.
MCP Action Evaluation
Endpoint
MCP tool calls are governed by the dedicated MCP pipeline endpoint introduced in FEAT-008:
POST /api/v1/mcp/actions/submit
This endpoint runs the same 11-stage EnterpriseRiskPipeline as agent actions, with MCP-specific branches in CVSS / MITRE / NIST scoring and the mcp_tool_risk_defaults safety floor.
Evaluate MCP Action (cURL)
curl -X POST "https://pilot.owkai.app/api/v1/mcp/actions/submit" \
-H "Authorization: Bearer <api_key_or_jwt>" \
-H "Content-Type: application/json" \
-d '{
"mcp_server": "filesystem-server",
"namespace": "filesystem",
"verb": "read_file",
"resource": "/data/reports/financial.csv",
"action_type": "filesystem.read_file",
"parameters": {
"encoding": "utf-8"
},
"context": {
"session_id": "session_abc123",
"client_id": "claude-desktop"
},
"environment": "production"
}'
Evaluate MCP Action (Python SDK 2.3.0)
from ascend import AscendClient
client = AscendClient(api_key="owkai_...")
decision = client.evaluate_mcp_action(
mcp_server="filesystem-server",
namespace="filesystem",
verb="read_file",
resource="/data/reports/financial.csv",
action_type="filesystem.read_file", # optional — defaults to "<namespace>.<verb>"
parameters={"encoding": "utf-8"},
context={"session_id": "session_abc123"},
environment="production",
)
if decision.decision.value == "allowed":
# Proceed with tool execution
...
elif decision.decision.value == "pending":
# Human approval required; poll or wait
...
else:
raise PermissionError(decision.reason)
Response:
{
"success": true,
"action_id": 12345,
"request_id": "mcp-1711234567890",
"mcp_server": "filesystem-server",
"namespace": "filesystem",
"verb": "read_file",
"resource": "/data/reports/financial.csv",
"status": "PENDING",
"risk_score": 72,
"risk_level": "HIGH",
"requires_approval": true,
"compliance": {
"cvss_score": 6.8,
"cvss_severity": "MEDIUM",
"mitre_tactic": "TA0009",
"mitre_technique": "T1005",
"nist_control": "AC-6"
},
"automation": {
"playbook_matched": false,
"playbook_name": null,
"workflow_triggered": true,
"alert_created": false
},
"meta": {
"pipeline_version": "1.0.0",
"stages_completed": 11,
"processing_time_ms": 42.3,
"errors": []
}
}
Fail-Secure Responses
The endpoint fails secure on several conditions before running the pipeline:
| Condition | Response | Notes |
|---|---|---|
| MCP server not registered for this tenant | 404 Not Found | Prevents cross-tenant enumeration |
MCPServerConfig.governance_enabled == False | 403 Forbidden | Tenant explicitly ungoverned |
MCPServerConfig.is_active == False (kill-switch) | 200 OK with status: "denied" + reason: "mcp_server_blocked_by_kill_switch" | Logged to immutable audit as MCP_ACTION_DENIED_KILL_SWITCH |
Tool in blocked_tools list | 200 OK with status: "denied" + reason: "tool_in_blocked_list" | Catalog-independent tool blocklist |
Decision Values
The response shape matches the agent-action pipeline. In the SDK, evaluate_mcp_action() normalizes to the AuthorizationDecision enum:
| Decision | Meaning | Action |
|---|---|---|
ALLOWED | Approved by pipeline | Execute immediately |
DENIED | Blocked by policy, kill-switch, or blocked-tool list | Raise authorization error |
PENDING | Requires human approval | Wait or queue |
Risk Assessment
Risk Factors
# MCP-specific risk factors
MCP_RISK_FACTORS = {
"sensitive_path": {
"patterns": ["/etc/", "/var/secrets/", "*.pem", "*.key"],
"weight": 30
},
"write_operation": {
"verbs": ["write_file", "delete_file", "create_directory"],
"weight": 25
},
"database_mutation": {
"verbs": ["execute_query", "insert", "update", "delete"],
"weight": 35
},
"external_api": {
"namespaces": ["http", "api", "webhook"],
"weight": 20
},
"pii_detected": {
"data_types": ["ssn", "credit_card", "health_data"],
"weight": 40
}
}
Risk Score Calculation
Risk Score = Base Score + Sum(Applicable Risk Factors)
Example:
- Base Score: 20
- sensitive_path (/etc/): +30
- read_operation: +0
- Total: 50 (MEDIUM risk)
MCP Server Registration
MCP servers are registered through the agent registry (/api/registry/mcp-servers) with the same admin-level controls used for agents. Admin role is required (JWT or admin API key).
Register Server
curl -X POST "https://pilot.owkai.app/api/registry/mcp-servers" \
-H "Authorization: Bearer <admin_jwt_or_api_key>" \
-H "Content-Type: application/json" \
-d '{
"server_name": "filesystem-server",
"display_name": "Filesystem Access Server",
"endpoint_url": "stdio://filesystem-server",
"governance_enabled": true,
"blocked_tools": [],
"allowed_namespaces": ["filesystem"]
}'
List Servers
curl "https://pilot.owkai.app/api/registry/mcp-servers" \
-H "Authorization: Bearer <admin_jwt_or_api_key>"
Update / Delete / Activate / Deactivate
| Action | Endpoint |
|---|---|
| Get details | GET /api/registry/mcp-servers/{server_name} |
| Update | PUT /api/registry/mcp-servers/{server_name} |
| Delete | DELETE /api/registry/mcp-servers/{server_name} |
| Activate | POST /api/registry/mcp-servers/{server_name}/activate |
| Deactivate (soft kill-switch) | POST /api/registry/mcp-servers/{server_name}/deactivate |
Deactivation flips MCPServerConfig.is_active = False, which causes subsequent POST /api/v1/mcp/actions/submit calls targeting that server to return a denied decision with reason = "mcp_server_blocked_by_kill_switch" — no pipeline work is performed.
Approval Workflow
MCP actions flow through the same approval workflow as agent actions. After an MCP action is evaluated with requires_approval: true, it can be approved or denied via the unified action-approval endpoints:
| Action | Endpoint |
|---|---|
| Approve an action | POST /api/v1/actions/{action_id}/approve |
| Reject an action | POST /api/v1/actions/{action_id}/reject |
See API — Actions for full request/response shape. This unification means one approval UI and one audit path for both agent and MCP actions.
Analytics
Analytics for MCP governance are served from the platform analytics endpoints (analytics_routes), not a dedicated MCP endpoint. Filter by action_source=mcp or use the Activity tab in the admin UI for an MCP-specific view. Real-time dashboards use the existing platform WebSocket channels; there is no dedicated MCP WebSocket in the current release.
Best Practices
1. Defense in Depth
# Layer multiple controls
{
"trust_level": "restricted",
"require_approval_by_default": True,
"path_allowlist": ["/data/public/", "/tmp/"],
"path_denylist": ["/etc/", "/var/secrets/"]
}
2. Least Privilege
# Grant minimum necessary capabilities
{
"capabilities": {
"verbs": ["read_file"], # No write access
"path_patterns": ["/data/reports/*"] # Specific paths only
}
}
3. Monitor and Alert
# Set up anomaly detection
{
"alerts": {
"high_risk_spike": True,
"new_path_access": True,
"unusual_hours": True
}
}
Next Steps
- MCP Policies - Configure governance policies
- Server Registration - Register MCP servers
- Unified Governance - Agents + MCP
Document Version: 2026.04 | Last Updated: April 2026