Managed registry
Every MCP server is registered and discovered through Cortex. New servers land in status='pending' and cannot be invoked until an admin approves them.
The Model Context Protocol opens your tools to autonomous agents. Cortex puts a managed registry, per-tenant allowlists, DLP on input and output, rate limits, risk scoring, a kill switch, and a full transaction log in front of every call — so MCP is safe to run in regulated work.
Aligned with EU AI Act · NIST AI RMF · ISO 42001
MCP lets any agent discover and call your servers' tools — read records, move money, send messages. Out of the box there is no approval step, no allowlist, no data-loss check, no rate limit, and no record of what was called. Cortex makes the gateway the only way in: a server can't be invoked until it's approved, every call is scanned both ways, and one click blocks it instantly.
Each control is enforced at invoke time, fail-closed. A request that fails any check is denied and the attempt is still recorded.
Every MCP server is registered and discovered through Cortex. New servers land in status='pending' and cannot be invoked until an admin approves them.
Per-server tool allowlists scope exactly which discovered tools an agent may call — and per-tenant scoping keeps one tenant's servers invisible to another.
Inbound text is scanned for prompt-injection and PII before the call; outbound results are PII-redacted before they reach the agent.
Every governed invocation — allowed or blocked — is recorded with redacted I/O, the deny reason, and latency, ready for an auditor.
An MCP server earns the right to be called. The gateway then checks it on every single request.
A server is added to the managed registry as status='pending'. Until it's approved, every invoke is refused with 403 — no tool runs by default.
An admin approves the server, sets its risk tier (low / medium / high), and defines the tool allowlist. An empty allowlist means all discovered tools; an explicit list locks it down.
gateInvoke checks approved + enabled + tool-allowlisted, then runs DLP on the input (high-injection text is blocked), executes the JSON-RPC tools/call, and redacts PII from the output.
The call lands in the transaction log with redacted I/O and latency. One block flips the kill switch — every subsequent invoke returns 403 until you re-approve.
These are the actual enforcement results — the gateway denies first and asks questions never. Each denial is recorded, so 'it was blocked' is something you can hand an auditor, not just assert.
The gateway doesn't just allow or deny — it inspects, scores, throttles, and records, on input and output alike.
block is an instant, server-wide kill switch — the moment you flip it, every governed invoke refuses, no matter which agent or workflow asks. approve re-enables it. Allowlists are scoped to the agent identity that's calling, so the gateway always knows who's reaching for which tool.
MCP calls flow through the same identity, action, audit, and observability fabric as everything else in Cortex.
Per-agent allowlists are scoped to the identity calling — owner, risk tier, allowed actions, expiry.
Tool calls become governed actions with risk tiers and dry-run → approve → execute lifecycle.
Every gated invocation is hash-chained into a tamper-evident, verifiable audit trail.
See MCP servers, pending, and blocked counts live — and disable tools from one screen.
Author allow / deny / require-approval rules that govern when tools may be invoked.
Every tool call shows up in run traces, quality scoring, and the event stream.
Fail-closed approval, DLP on both directions, per-tenant isolation, a kill switch, and a complete call ledger — mapped to the frameworks your auditors already use.
Put a managed gateway in front of every MCP server: approved before invoke, scanned both ways, logged, and one click from a full stop.