Skip to main content

AI Workload Guardrails

Humans, services, and AI agents should share one policy engine — not a separate "AI governance" stack.

Principles

  • Treat agent tool calls like API requests — explicit action + resource
  • Scope MCP connections per tenant (Connect MCP)
  • Log every agent-originated decision for audit
  • Require human approval paths for destructive operations (MCP destructiveHint tools or policy-driven escalate)

Two MCP surfaces

ProductWhat it governs
Connect EnforceAuth MCPIDE agents operating your EnforceAuth tenant (deploy, policies, decisions)
MCP Authorization GatewayAgents calling your enterprise MCP tools — filesystem, APIs, databases

Use Connect MCP for platform administration from Cursor or Claude Desktop. Use the MCP Authorization Gateway when agents need governed access to internal tools — OPA evaluates each call; EnforceAuth ships the bundle and ingests decision logs. Our reference baseline is PortcullisMCP from PAC.Labs.

Enterprise tools ◄── Gateway Keep (PEP) ◄── Agent

▼ OPA ← EnforceAuth bundle

For Kubernetes deployment of Keep + OPA and fleet tracking in PDP Monitoring, see Kubernetes Control Center.

Next