Reference architectures/On prem

Enterprise MCP hub with approvals and SIEM

A central hub for internal MCP servers with provenance tainting, Slack approvals, and streaming export to Splunk or Sentinel.

Microsoft Entra / Azure ADMCP serversProvenance taintsSlack approvalsSplunkSentinel
Claude
Any LLM
Dept agents
Identity · Microsoft Entra / Azure AD
Per user · per agent
Your network
GatekeeperDeny by default
Provenance taintingTRACKED
Approval escrow · SlackLIVE
Append only audit logCHAINED
SIEM exportSTREAMING
Jira MCPSlack MCPInternal MCPDatabasesRegistered behind the hub
Deny by defaulteDiscovery readySplunk · Sentinel

Dataflow

01

Department agents connect to a central Gatekeeper hub. Microsoft Entra / Azure AD issues identity JWTs per agent and per user.

02

Internal MCP servers (Jira, Slack, databases, custom tools) register behind the hub. Agents see tools, never credentials.

03

Every tool result carries a provenance taint marking its source trust level. Taints propagate through session context.

04

A write whose parameters derive from a low trust read escalates to human approval in Slack, showing the exact parameters.

05

Approvals bind to subject, issuer, tenant, and payload hash. They cannot be replayed across users or tenants.

06

The append only audit log streams to Splunk or Sentinel. Retention defaults to 13 months with export to your S3.

Components

MCP server registry

One hub fronts every internal MCP server. Onboarding a new tool is a registration, not a credential handout.

Provenance engine

Annotates every tool result with source and trust level, the structural defense against the Confused Deputy.

Slack approval channel

Escalated calls arrive as real time notifications with exact parameters. Approve or deny in place.

SIEM streamers

Configurable export to Splunk and Sentinel in common formats, plus anomaly alerts on decision rates.

Microsoft Entra / Azure AD (OIDC)

Agent and user identity from your existing directory. No new credential store to govern.

Security considerations

Provenance tainting is the structural defense against the Confused Deputy: a write built from a low trust read escalates to a human.

There is no LLM in the decision path. Decisions are reproducible from the log, with no drift and no prompt injection surface.

The audit log is append only and hash chained. Tampering with any entry breaks the chain detectably.

New services start with conservative defaults (read then write escalates) that you refine as trust topology becomes clear.

Deploy this architecture

Walk through the trust model, policy design, and rollout with our security and solutions team.

Learn moreAll architectures