Department agents connect to a central Gatekeeper hub. Microsoft Entra / Azure AD issues identity JWTs per agent and per user.
Internal MCP servers (Jira, Slack, databases, custom tools) register behind the hub. Agents see tools, never credentials.
Every tool result carries a provenance taint marking its source trust level. Taints propagate through session context.
A write whose parameters derive from a low trust read escalates to human approval in Slack, showing the exact parameters.
Approvals bind to subject, issuer, tenant, and payload hash. They cannot be replayed across users or tenants.
The append only audit log streams to Splunk or Sentinel. Retention defaults to 13 months with export to your S3.
One hub fronts every internal MCP server. Onboarding a new tool is a registration, not a credential handout.
Annotates every tool result with source and trust level, the structural defense against the Confused Deputy.
Escalated calls arrive as real time notifications with exact parameters. Approve or deny in place.
Configurable export to Splunk and Sentinel in common formats, plus anomaly alerts on decision rates.
Agent and user identity from your existing directory. No new credential store to govern.
Provenance tainting is the structural defense against the Confused Deputy: a write built from a low trust read escalates to a human.
There is no LLM in the decision path. Decisions are reproducible from the log, with no drift and no prompt injection surface.
The audit log is append only and hash chained. Tampering with any entry breaks the chain detectably.
New services start with conservative defaults (read then write escalates) that you refine as trust topology becomes clear.
Walk through the trust model, policy design, and rollout with our security and solutions team.