MCP servers are the new privileged-dependency class. Your AI agents trust them with production credentials. Safeguard provides the governance layer: verified registry, capability-manifest review, scoped per-server credentials, and full audit logs of every tool invocation.
Open protocol, explosive ecosystem growth, no governance layer between "someone published it" and "it has your production credentials".
A traditional package dependency is code. An MCP server exposes tools — with capabilities to send email, read files, query databases. The security question is not "what does the code do?" but "what permissions does it hand the AI?"
An MCP server wrapping your Salesforce API has your Salesforce credentials by design. A malicious server does not need to escape; it was granted the keys at install time.
Because tool calls are triggered by LLM output, prompt injection anywhere upstream can trigger tool calls the operator never intended. Every context-window input is effectively a candidate instruction.
Engineers install servers for experiments and never uninstall them. Over months you accumulate ad-hoc tools with stale credentials. None of it is on your asset inventory.
Tiered trust model — Tier 1 for official, signed, widely-used servers; Tier 2 for reviewed community servers; Tier 3 blocked in production. Capability manifests reviewed before an MCP server is allowed in the org registry.
Purpose-built service identities per MCP server deployment. Credentials scoped to exactly the APIs the server declares it needs. No more generic 'MCP runner' role with broad cloud permissions.
Every MCP tool call logged with full context: server, tool, arguments, LLM session, user. Drift from declared capability triggers alerts. Anomalous patterns (off-hours, unusual args) surface for review.
A developer requests an MCP server be added. Safeguard automatically fetches the manifest, verifies the signature, pulls down the source for review, and surfaces any dependency, capability, or credential-scope concerns to the security reviewer. On approval, the server is added to the org registry with scoped credentials provisioned and logging enabled. Invocations flow to your SIEM. Capability drift triggers a review ticket. Stale servers expire unless re-affirmed.
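The drift and expiry checks described above, as an added example that is not Safeguard's own code. It assumes a registry manifest with `tools` and `last_affirmed` fields and one JSON object per audit-log line; both the schema and the log lines are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed registry entry for one MCP server. The field names are an
# assumption for this example, not a real Safeguard manifest schema.
MANIFEST = {
    "server": "salesforce-mcp",
    "tools": {
        "query_accounts": {"scopes": ["salesforce:read"]},
        "update_account": {"scopes": ["salesforce:write"]},
    },
    "last_affirmed": "2024-01-15T00:00:00+00:00",
}

# Constructed audit log: one JSON object per invocation, carrying server,
# tool, arguments, session and user as the text requires.
AUDIT_LOG = """\
{"ts":"2024-03-01T10:02:11+00:00","server":"salesforce-mcp","tool":"query_accounts","user":"alice","session":"s1","args":{"q":"SELECT Id FROM Account"}}
{"ts":"2024-03-01T10:03:40+00:00","server":"salesforce-mcp","tool":"send_email","user":"alice","session":"s1","args":{"to":"x@example.com"}}
{"ts":"2024-03-02T02:14:05+00:00","server":"salesforce-mcp","tool":"update_account","user":"bob","session":"s2","args":{"id":"001"}}
"""


def is_off_hours(ts, start_hour=7, end_hour=20):
    """True when the timestamp falls outside the (assumed) business window."""
    hour = datetime.fromisoformat(ts).hour
    return not (start_hour <= hour < end_hour)


def find_drift(manifest, log_text):
    """Return findings for calls that drift from the declared capability
    (tool not in the manifest) or look anomalous (off-hours invocation)."""
    declared = set(manifest["tools"])
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["server"] != manifest["server"]:
            continue
        base = {"tool": ev["tool"], "user": ev["user"],
                "session": ev["session"], "ts": ev["ts"]}
        if ev["tool"] not in declared:
            # Capability drift: the server exposed a tool it never declared.
            findings.append({"kind": "undeclared_tool", **base})
        elif is_off_hours(ev["ts"]):
            findings.append({"kind": "off_hours", **base})
    return findings


def is_stale(manifest, now, max_age_days=90):
    """A server expires unless re-affirmed within max_age_days (assumed window)."""
    affirmed = datetime.fromisoformat(manifest["last_affirmed"])
    return now - affirmed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for f in find_drift(MANIFEST, AUDIT_LOG):
        print(f)
    print("stale:", is_stale(MANIFEST, datetime.now(timezone.utc)))
```

Each finding carries the session and user so the review ticket can be attached to an attributable invocation rather than to the server as a whole.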
Coding agents and MCP servers in production raise risks that SCA (software composition analysis) was never designed to catch.
An agent has commit rights to a SOC 2 in-scope service. Block writes to production manifests, redact customer IDs in tool output, log every action with the user's identity attached.
Engineering uses Claude Code, Cursor, Cline, and a couple of in-house agents. One allowlist, one capability catalogue, one audit trail — regardless of which agent made the call.
Adversarial text in a connected vector store tries to trick the agent into leaking credentials. Lion runs inline on every tool response and quarantines the suspicious flow.
Agent activity must be auditable end-to-end with cryptographic provenance. Every tool call, every redaction, every policy decision — signed and chained.
The agent hits the Safeguard MCP proxy. Connection metadata — agent vendor, version, environment — is captured before any tool call.
The agent presents a scoped service identity bound to a human user. No shared bot accounts; every invocation is attributable.
Per-tool capability scope resolved from policy. The agent only sees the tools its role is allowed to invoke.
Arguments scanned for sensitive selectors (production hosts, customer IDs, secrets). Outbound payload checked against the policy bundle.
Lion runs inline on the response — PII redaction, secret detection, prompt-injection signatures. The agent never sees the raw sensitive bytes.
Allow, deny, or transform — the decision is written to the signed audit log with a hash chain back to the previous entry.
Clean responses reach the agent; flagged responses return a structured policy error the agent can reason about.
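The proxy pipeline described in the steps above, as an added example that is not Safeguard's or Lion's code: per-role tool scope, argument scanning against deny patterns, inline redaction of the response, a structured policy error on denial, and an audit log in which every decision is HMAC-signed over the previous entry's MAC. The policy bundle, regexes, audit key, tool names and the `fake_upstream` function are all constructed assumptions for this example.

```python
import hashlib
import hmac
import json
import re

# Constructed policy bundle; the schema is an assumption for this example.
POLICY = {
    "roles": {
        "developer": {"tools": ["repo.read_file", "repo.search"]},
        "release-manager": {"tools": ["repo.read_file", "repo.search", "deploy.apply_manifest"]},
    },
    # Arguments matching these are denied outright (production selectors).
    "deny_arg_patterns": {
        "production_host": r"\b[\w-]+\.prod\.example\.internal\b",
    },
    # Response bytes matching these are rewritten before the agent sees them.
    "redact_patterns": {
        "customer_id": r"\bcust_[0-9]{8}\b",
        "aws_access_key": r"\bAKIA[0-9A-Z]{16}\b",
    },
}

# Signing key for audit entries. Constructed for the example; a real
# deployment would hold this in a KMS/HSM, not in source.
AUDIT_KEY = b"example-only-audit-key"


class AuditLog:
    """Append-only log; each entry's MAC covers its record plus the previous MAC."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        mac = hmac.new(AUDIT_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
        self.entries.append({"prev": prev, "record": record, "mac": mac})
        return mac

    def verify(self):
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["record"], sort_keys=True)
            expect = hmac.new(AUDIT_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()
            if e["prev"] != prev or not hmac.compare_digest(expect, e["mac"]):
                return False
            prev = e["mac"]
        return True


class PolicyError(Exception):
    """Structured error returned to the agent in place of the raw response."""

    def __init__(self, code, detail):
        super().__init__(code)
        self.code, self.detail = code, detail

    def to_dict(self):
        return {"error": "policy_violation", "code": self.code, "detail": self.detail}


def visible_tools(role):
    """Per-tool capability scope resolved from policy for one role."""
    return list(POLICY["roles"].get(role, {}).get("tools", []))


def redact(text):
    """Rewrite sensitive matches in a tool response; returns (clean_text, hit_counts)."""
    hits = {}
    for name, pat in POLICY["redact_patterns"].items():
        text, n = re.subn(pat, f"[REDACTED:{name}]", text)
        if n:
            hits[name] = n
    return text, hits


def proxy_call(audit, identity, tool, args, upstream):
    """identity: {'user','role','agent'} bound to a human; upstream performs the real call."""
    ctx = {"user": identity["user"], "role": identity["role"],
           "agent": identity["agent"], "tool": tool, "args": args}
    if tool not in visible_tools(identity["role"]):
        audit.append({**ctx, "decision": "deny", "reason": "tool_not_in_scope"})
        raise PolicyError("tool_not_in_scope", f"{tool} is outside the scope of role {identity['role']}")
    blob = json.dumps(args)
    for name, pat in POLICY["deny_arg_patterns"].items():
        if re.search(pat, blob):
            audit.append({**ctx, "decision": "deny", "reason": f"arg_matches:{name}"})
            raise PolicyError("sensitive_argument", f"argument matches {name}")
    cleaned, hits = redact(upstream(tool, args))
    decision = "transform" if hits else "allow"
    audit.append({**ctx, "decision": decision, "redactions": hits})
    return cleaned


def fake_upstream(tool, args):
    """Constructed stand-in for the real MCP server's tool response."""
    return "owner cust_12345678; deploy key AKIAIOSFODNN7EXAMPLE"
```

The chain uses a keyed MAC rather than a bare hash so that an attacker with write access to the log store but not the key cannot rewrite history and recompute the chain; `verify()` is what an auditor runs before trusting the timeline.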
Sensitive tool calls surface a one-click approval prompt inside the IDE. The developer sees the agent's intent, the argument, and the policy verdict before they say yes.
Per-agent token usage report attached to the PR. CI checks the quota and flags when an agent is operating above its baseline.
Agent activity timeline across the org, policy-violation rate by tool, and a redacted-output counter that proves Lion is doing the inline work.
Put the registry, review process, and audit trail in place before MCP scales across engineering and business teams.