DEV Community

Ricardo Rodrigues
Ricardo Rodrigues

Posted on

The Governance Layer AI Agents Are Missing

#ai #claude #mcp #cursor

Enterprises learned to govern data. Tool governance is the parallel layer almost no one has built yet.

Over the last decade, enterprises built a real discipline around data. Not just storing it — governing it. Cataloging what exists, defining who owns it, controlling who can access it, and proving where it came from and where it went. The question "who is using this data, how, and was it allowed?" went from unanswerable to routine.

The Model Context Protocol just recreated that question one layer up. And almost no one has the answer yet.

From assistants to agents

MCP did something quietly significant: it turned AI clients into agents. Through it, tools like Claude, Cursor, and Windsurf can reach real systems — query databases, read repositories, call internal APIs, trigger deployment workflows. The protocol itself is clean and well-designed. The governance around it is where every enterprise will eventually get stuck.

MCP works beautifully for an individual developer. It becomes a problem the moment a team adopts it.

What it looks like inside most teams

Right now, MCP adoption inside organizations tends to look like this:

  • Zero governance. Developers install servers ad hoc. Security has no approved list, no process, and no visibility into which tools are connected to AI clients.
  • Shared access. Teams pass around the same tokens and config files. Everyone effectively gets the same access, regardless of role.
  • Local chaos. Many MCP servers run as local stdio processes on laptops. They can't be centrally monitored, shared, revoked, or audited.
  • No forensics. When an agent queries a production database or triggers a workflow, no one can reconstruct who initiated it, when, and whether it was permitted. The buyer pain here is not discovery. There are plenty of directories to find MCP servers. The pain is safe operationalization — adopting MCP without creating shadow AI tooling, uncontrolled credentials, and untraceable agent activity.

The parallel layer

This is the part worth sitting with, especially if you work in data or AI governance.

Data governance answers questions about the asset: what is this dataset, who owns it, what is its sensitivity, who is allowed to use it, where did it come from.

Tool governance has to answer questions about the action: which tool did the agent invoke, who was the agent acting for, was that invocation allowed, and what happened.

These are not competing categories. They're parallel layers in the same enterprise stack, bought by the same people — platform engineering, security, and the emerging AI enablement function. And critically, each has a blind spot the other fills.

When a developer uses an AI client and an MCP server to query a governed table, the data platform sees the table but not the agent's tool call. A tool-governance layer sees the tool call but not the data's classification. Connected, the two produce something neither has alone: end-to-end lineage from a business data asset all the way to the AI agent invocation that touched it.

Put simply: data governance explains the asset. Tool governance explains the agent action.

What the tool-governance layer actually needs

If you accept the framing, the requirements fall out naturally. They mirror what an identity provider brought to applications, applied to AI tool calls:

  • A single governed endpoint per team, so AI clients connect to one controlled surface instead of dozens of ungoverned servers.
  • Per-member identity — individual credentials, so every tool call can be attributed to a person and revoked independently.
  • Tool-level allowlists — least-privilege control over exactly which tools each member can call.
  • A protocol-level audit trail — an immutable operational record of every invocation: who, what, when, and the outcome.
  • Hosted, governable infrastructure — a way to take local stdio servers and run them as monitored, controlled services instead of processes on a laptop. None of this is exotic. It's the same governance discipline enterprises already apply elsewhere. It just hasn't been applied to AI tool usage yet, because the usage itself is only a year or two old.

Why now

The reason this matters now and not later is timing. MCP adoption is moving faster than internal security processes. By the time most organizations notice the gap, they'll already have unmanaged AI tool access spread across teams. Governance is far cheaper to introduce before broad rollout than to retrofit after.

This is the layer we're building at mcpnest.io — a governed MCP gateway, per-member access control, hosted infrastructure, and a protocol audit log for AI tool usage. If you want the full thesis, the architecture, and how it complements existing data and AI governance platforms, I put together an enterprise overview:

Read the mcpnest.io enterprise overview (PDF)

If you lead platform, security, or data governance and you're thinking about how AI tool adoption gets controlled in your organization, I'd value your perspective on where this framing holds and where it breaks.

Top comments (0)