MCP Governance
Overview
Model Context Protocol (MCP) allows AI agents to access external tools and data sources—databases, APIs, file systems, etc. TruthVouch MCP Governance automatically controls which tools agents can access, logs all tool usage, and prevents abuse like unauthorized data access or destructive operations.
What is MCP?
MCP is a standard protocol for AI systems to call external tools:
```
User Request
  ↓
AI Agent (e.g., Claude)
  ↓
"I need to check the database for that information"
  ↓
MCP Tool Call: query_database(query="SELECT * FROM users WHERE id=123")
  ↓
[TruthVouch MCP Governance checks: Is this allowed?]
  ↓
If allowed: Execute tool → Database
If blocked: Return error to agent
  ↓
Agent continues with response
```

Common MCP tools:
- Database queries (SELECT, INSERT, UPDATE, DELETE)
- API calls (external services, webhooks)
- File operations (read, write, delete)
- System commands (shell execution)
MCP Governance Controls
Tool Approval
Decide which tools agents can access:
Allowlist (recommended):
```yaml
mcp:
  approval_mode: "allowlist"
  allowed_tools:
    - "query_user_database"
    - "send_email"
    - "log_action"
  # All other tools are blocked
```

Blocklist:

```yaml
mcp:
  approval_mode: "blocklist"
  blocked_tools:
    - "delete_database"
    - "read_sensitive_files"
    - "execute_shell"
  # All other tools are allowed
```

Per-Agent Rules
Different rules for different agents:
```yaml
mcp:
  agents:
    - name: "customer_support_agent"
      allowed_tools:
        - "lookup_customer"
        - "query_order_history"
        - "send_email_to_customer"
      blocked_tools:
        - "create_refund"
        - "delete_customer"

    - name: "finance_agent"
      allowed_tools:
        - "query_transactions"
        - "generate_report"
        - "export_data"
      blocked_tools:
        - "modify_ledger"
        - "delete_transaction"

    - name: "admin_agent"
      allowed_tools: ["all"]   # Admin can use any tool
```

Rate Limiting
Prevent tool abuse:
```yaml
mcp:
  rate_limits:
    - tool: "query_database"
      calls_per_minute: 10
      calls_per_day: 1000

    - tool: "send_email"
      calls_per_minute: 5
      calls_per_day: 100

    - tool: "export_data"
      calls_per_minute: 1
      calls_per_day: 10
```

Argument Validation
Prevent dangerous arguments:
```yaml
mcp:
  tools:
    - name: "delete_record"
      approval_mode: "manual"   # Always ask for approval
      denied_arguments:
        - "WHERE true"          # Delete everything
        - "CASCADE"             # Cascade delete

    - name: "query_database"
      allowed_arguments:
        - "SELECT"
      denied_patterns:
        - "DROP"
        - "DELETE"
        - "TRUNCATE"
```

Configuration
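The controls in this section (tool approval, per-agent rules, rate limits, argument validation) all reduce to one decision per tool call. The Python gate below is an added illustration of how such a decision can be composed; it is not TruthVouch's implementation, and the `POLICY` dict, the `Gate` class and its method names are assumptions chosen to mirror the YAML above. It defaults to deny for unknown agents, applies a sliding-window per-minute and per-day limit per agent and tool, matches denied argument patterns as whole words and case-insensitively, and returns a `manual` verdict for tools flagged for approval. Pattern checks on free-text arguments are defence in depth only: a plain substring match on `DROP` would also block a query against a table named `drop_shipments`, and no pattern list replaces giving the tool a read-only database credential.

```python
import re
import time
from collections import defaultdict, deque

# Constructed policy for this example, shaped like the YAML fragments above.
POLICY = {
    "approval_mode": "allowlist",
    "agents": {
        "customer_support_agent": {
            "allowed_tools": ["lookup_customer", "query_database", "send_email"],
            "blocked_tools": ["delete_record"],
        },
        "admin_agent": {"allowed_tools": ["all"]},
    },
    "tools": {
        "query_database": {
            "calls_per_minute": 10,
            "calls_per_day": 1000,
            "denied_patterns": ["DROP", "DELETE", "TRUNCATE"],
        },
        "delete_record": {"approval_mode": "manual"},
    },
}


class Gate:
    """Evaluates one MCP tool call against the policy (hypothetical class name)."""

    def __init__(self, policy):
        self.policy = policy
        self.calls = defaultdict(deque)   # (agent, tool) -> timestamps of allowed calls

    def _tool_permitted(self, agent, tool):
        rules = self.policy["agents"].get(agent)
        if rules is None:
            return False                  # unknown agent: default deny
        if tool in rules.get("blocked_tools", []):
            return False                  # explicit block wins over everything
        allowed = rules.get("allowed_tools", [])
        if "all" in allowed:
            return True
        if self.policy["approval_mode"] == "allowlist":
            return tool in allowed
        return True                       # blocklist mode: anything not blocked

    def _rate_limited(self, agent, tool, now):
        limits = self.policy["tools"].get(tool, {})
        window = self.calls[(agent, tool)]
        while window and now - window[0] >= 86400:   # drop calls older than a day
            window.popleft()
        per_day = limits.get("calls_per_day")
        per_minute = limits.get("calls_per_minute")
        if per_day is not None and len(window) >= per_day:
            return True
        if per_minute is not None:
            recent = sum(1 for t in window if now - t < 60)
            if recent >= per_minute:
                return True
        return False

    def _argument_violation(self, tool, arguments):
        patterns = self.policy["tools"].get(tool, {}).get("denied_patterns", [])
        text = " ".join(str(v) for v in arguments.values())
        for p in patterns:
            # Whole-word, case-insensitive: "drop table" is caught, "drop_shipments" is not.
            if re.search(r"\b" + re.escape(p) + r"\b", text, re.IGNORECASE):
                return p
        return None

    def evaluate(self, agent, tool, arguments, now=None):
        """Return (decision, reason); decision is 'allowed', 'denied' or 'manual'."""
        now = time.time() if now is None else now
        if not self._tool_permitted(agent, tool):
            return "denied", f"{tool} is not permitted for {agent}"
        hit = self._argument_violation(tool, arguments)
        if hit:
            return "denied", f"argument matches denied pattern {hit!r}"
        if self._rate_limited(agent, tool, now):
            return "denied", f"rate limit exceeded for {tool}"
        if self.policy["tools"].get(tool, {}).get("approval_mode") == "manual":
            return "manual", f"{tool} requires human approval"
        self.calls[(agent, tool)].append(now)   # only allowed calls count toward the limit
        return "allowed", "policy checks passed"
```

The check order matters: permission and argument checks run before the rate limiter, so a denied call never consumes quota, and a call that needs manual approval is not counted until it is actually executed.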
Via UI
- Go to Governance → MCP Governance
- Tool Approval: Select allowlist or blocklist mode
- Tool Access: Check/uncheck which tools are allowed per agent
- Rate Limits: Set call limits per minute/day
- Arguments: Define dangerous patterns to block
- Click Save & Deploy
Via YAML
```yaml
governance:
  mcp:
    enabled: true
    approval_mode: "allowlist"

    agents:
      - name: "support_bot"
        enabled: true
        allowed_tools:
          - "lookup_customer"
          - "query_order"
          - "send_email"

    tools:
      - name: "lookup_customer"
        enabled: true
        rate_limit:
          per_minute: 20
          per_day: 5000

      - name: "send_email"
        enabled: true
        rate_limit:
          per_minute: 5
          per_day: 100
        argument_validation:
          - deny_if_contains: "phishing"
          - deny_if_matches: "spam.*list"

      - name: "delete_customer"
        enabled: false            # Completely disabled

      - name: "modify_ledger"
        approval_mode: "manual"   # Always requires approval
```

Audit & Logging
Every tool call is logged:
```json
{
  "timestamp": "2025-03-15T10:23:45Z",
  "agent": "customer_support_agent",
  "tool": "lookup_customer",
  "arguments": {
    "customer_id": "cust_123"
  },
  "result": {
    "status": "allowed",
    "execution_time_ms": 145
  },
  "audit_entry": {
    "hash": "sha256:abc123...",
    "chain_verified": true
  }
}
```

View logs at Governance → Audit → MCP Tool Calls.
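The `hash` and `chain_verified` fields describe a hash-chained log: each record commits to the hash of the record before it, so editing or deleting any entry invalidates every entry after it. The Python below is an added illustration of that scheme and not TruthVouch's code; the `prev_hash` field, the `GENESIS` constant and the two sample records are constructed for this example.

```python
import copy
import hashlib
import json

# Hash of "nothing" that the first record links to (constructed for this example).
GENESIS = "sha256:" + "0" * 64


def _canonical(entry):
    # Stable serialization so the hash does not depend on dict key order.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log, entry):
    """Append a tool-call record, linking it to the previous record's hash."""
    prev_hash = log[-1]["audit_entry"]["hash"] if log else GENESIS
    body = dict(entry)                      # timestamp, agent, tool, arguments, result
    body["prev_hash"] = prev_hash           # the link is part of what gets hashed
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    body["audit_entry"] = {"hash": "sha256:" + digest}
    log.append(body)
    return body


def verify_chain(log):
    """Recompute every hash; return (ok, index of the first bad record or None)."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec.get("prev_hash") != prev_hash:
            return False, i                 # a record was removed or reordered before i
        body = {k: v for k, v in rec.items() if k != "audit_entry"}
        expected = "sha256:" + hashlib.sha256(_canonical(body)).hexdigest()
        if rec["audit_entry"]["hash"] != expected:
            return False, i                 # record i itself was modified
        prev_hash = expected
    return True, None


def build_sample_log():
    # Constructed sample records with the same fields as the log entry above.
    log = []
    append_entry(log, {"timestamp": "2025-03-15T10:23:45Z", "agent": "customer_support_agent",
                       "tool": "lookup_customer", "arguments": {"customer_id": "cust_123"},
                       "result": {"status": "allowed", "execution_time_ms": 145}})
    append_entry(log, {"timestamp": "2025-03-15T10:24:02Z", "agent": "customer_support_agent",
                       "tool": "delete_customer", "arguments": {"customer_id": "cust_123"},
                       "result": {"status": "denied", "reason": "tool not in allowed list"}})
    return log


def tamper(log):
    # Simulate someone rewriting a denied call so it looks allowed.
    forged = copy.deepcopy(log)
    forged[1]["result"]["status"] = "allowed"
    return forged
```

A chain like this only detects tampering if the latest hash is anchored somewhere the attacker cannot rewrite (exported periodically, signed, or written to append-only storage); an attacker with full write access to the log can otherwise recompute the whole chain after editing it.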
Real-World Examples
Example 1: Customer Support Agent
```yaml
agents:
  - name: "customer_support"
    allowed_tools:
      - tool: "lookup_customer"
        max_calls_per_day: 10000
      - tool: "view_order_history"
        max_calls_per_day: 10000
      - tool: "send_support_email"
        rate_limit:
          per_minute: 5
          per_day: 100

    blocked_tools:
      - "refund_order"          # Requires manual approval
      - "delete_customer"
      - "modify_price"
      - "access_payment_info"
```

Allowed Agent Actions:
- Look up customer info
- View past orders
- Send support emails
Blocked Actions:
- Issue refunds (security gate)
- Delete customer records
- Change prices
- Access payment details (PCI compliance)
Example 2: Finance & Reporting Agent
```yaml
agents:
  - name: "finance_agent"
    allowed_tools:
      - "query_transactions"
      - "generate_report"
      - "export_csv"

    manual_approval_tools:
      - "export_sensitive_data"
      - "modify_budget"

    rate_limits:
      query_transactions: 100/min
      export_csv: 1/min               # Max 1 export per minute
      export_sensitive_data: 0/min    # Always manual
```

Example 3: Admin Agent with Safeguards
```yaml
agents:
  - name: "admin_agent"
    allowed_tools: ["all"]

    dangerous_tool_safeguards:
      - tool: "delete_database"
        require_approval: true
        require_mfa: true
        log_to_slack: "#security-alerts"

      - tool: "modify_user_role"
        require_approval: true
        deny_if: "role contains admin AND requester_role not admin"

      - tool: "access_audit_logs"
        require_approval: true
        require_justification: true
```

Approval Workflow
Manual Approval
For sensitive tools, require human approval:
- Agent requests to use tool
- Approval request sent to designated reviewer
- Reviewer sees: agent, tool, arguments, timestamp
- Reviewer approves or denies with reason
- If approved, tool executes; if denied, agent gets error
- Action logged in audit trail
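The six steps above, as an added Python sketch of the approval state machine. This is not TruthVouch's implementation; the `ApprovalQueue` class, the `APPROVERS` set and the 30-minute timeout are assumptions mirroring the `approval_required_from` and `approval_timeout_minutes` settings shown in the Setup fragment of this section, and the audit sink is a plain list. The points it makes concrete: only a reviewer named in the approver set can decide, a request nobody reviews within the timeout fails closed, an approval is single-use, and every transition (including refused executions) is logged.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical settings mirroring approval_required_from / approval_timeout_minutes.
APPROVERS = {"security_lead", "cto"}
APPROVAL_TIMEOUT_SECONDS = 30 * 60


@dataclass
class ApprovalRequest:
    agent: str
    tool: str
    arguments: dict
    requested_at: float
    request_id: str = field(default_factory=lambda: secrets.token_hex(8))
    status: str = "pending"            # pending | approved | denied | expired | executed
    reviewer: Optional[str] = None
    reason: Optional[str] = None


class ApprovalQueue:
    """Holds pending tool calls until a human decides (hypothetical class name)."""

    def __init__(self, approvers, timeout_seconds, audit):
        self.approvers = set(approvers)
        self.timeout = timeout_seconds
        self.audit = audit                 # constructed sink: a list of event dicts
        self.requests = {}

    def request(self, agent, tool, arguments, now):
        """Step 1-2: the agent asks; the request is recorded for the reviewer."""
        req = ApprovalRequest(agent, tool, arguments, now)
        self.requests[req.request_id] = req
        self.audit.append({"event": "approval_requested", "id": req.request_id,
                           "agent": agent, "tool": tool, "arguments": arguments})
        return req

    def _expire_if_needed(self, req, now):
        # Fail closed: an unreviewed request past the timeout can never be approved.
        if req.status == "pending" and now - req.requested_at > self.timeout:
            req.status = "expired"
            self.audit.append({"event": "approval_expired", "id": req.request_id})

    def review(self, request_id, reviewer, approve, reason, now):
        """Step 3-4: an authorised reviewer approves or denies with a reason."""
        if reviewer not in self.approvers:
            raise PermissionError(f"{reviewer} is not an authorised approver")
        req = self.requests[request_id]
        self._expire_if_needed(req, now)
        if req.status != "pending":
            raise ValueError(f"request is {req.status}, not pending")
        req.status = "approved" if approve else "denied"
        req.reviewer, req.reason = reviewer, reason
        self.audit.append({"event": f"approval_{req.status}", "id": request_id,
                           "reviewer": reviewer, "reason": reason})
        return req.status

    def execute(self, request_id, now, run_tool):
        """Step 5-6: run the tool only for a still-valid approval; otherwise the agent gets an error."""
        req = self.requests[request_id]
        self._expire_if_needed(req, now)
        if req.status != "approved":
            self.audit.append({"event": "execution_refused", "id": request_id, "state": req.status})
            return {"status": "error", "reason": f"approval state is {req.status}"}
        req.status = "executed"            # single-use: a second execute() is refused
        result = run_tool(req.tool, req.arguments)
        self.audit.append({"event": "tool_executed", "id": request_id, "tool": req.tool})
        return {"status": "ok", "result": result}
```

Because `execute` re-checks the stored request rather than trusting anything the agent sends back, an agent cannot replay an old approval or claim one it never received; the reviewer sees the exact `arguments` that were recorded, and those are what run.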
Setup:
```yaml
mcp:
  tools:
    - name: "delete_database"
      approval_mode: "manual"
      approval_required_from: ["security_lead", "cto"]
      approval_timeout_minutes: 30
```

Monitoring & Alerts
Alert on Suspicious Activity
```yaml
alerts:
  - name: "excessive_tool_calls"
    condition: "tool_calls > rate_limit"
    action: "block_and_alert"

  - name: "denied_argument_detected"
    condition: "argument matches dangerous_pattern"
    action: "block_and_log"

  - name: "unauthorized_tool_access"
    condition: "tool not in allowed_list AND agent == specific_agent"
    action: "block_and_alert_slack"

  - name: "manual_approval_required"
    condition: "tool == delete_database"
    action: "send_approval_request"
```

Monitoring Dashboard
Go to Governance → Reports → MCP Usage:
- Tool calls by agent: Who’s using what
- Rate limit violations: Which agents hitting limits
- Denied requests: Blocked tool access attempts
- Manual approvals: Pending and completed
- Trends: Usage patterns over time
Best Practices
1. Start with Allowlist
- More secure (default-deny)
- Explicitly enable what you trust
- Easier to audit
2. Principle of Least Privilege
- Give agents minimum tools needed
- Support agent doesn’t need delete access
- Finance agent doesn’t need code execution
3. Rate Limiting
- Prevent accidental abuse (loops, bugs)
- Prevent intentional abuse (extraction attacks)
- Set realistic limits based on actual usage
4. Dangerous Tool Approval
- Require manual approval for risky operations
- Use MFA for sensitive actions
- Log and alert on every usage
5. Regular Audits
- Review MCP usage weekly
- Check for unusual patterns
- Revoke access when roles change
Common Tool Scenarios
| Tool | Risk Level | Approval | Rate Limit |
|---|---|---|---|
| lookup_customer | Low | None | High (10K/day) |
| send_email | Medium | Auto | Medium (100/day) |
| refund_order | High | Manual | Low (10/day) |
| delete_customer | Critical | Manual + MFA | None (disabled) |
| execute_command | Critical | Manual + approval | None (disabled) |
| export_pii | High | Manual | Low (1/min) |
Troubleshooting
"Tool Call Denied"
- Check if tool is in allowed list
- Verify rate limits haven’t been exceeded
- Check dangerous argument patterns
"Manual Approval Not Sending"
- Verify approver email is correct
- Check Slack webhook if using Slack notifications
- Review approval timeout setting
"High False Positive Block Rate"
- Adjust dangerous argument patterns
- Lower strictness of validation
- Add safe arguments to allowlist