LLM governance / policy control planeAgent Governance

MCP Policy Gateway guard (tool governance)

Minimal MCP governance guard for tool allowlists, audit trails, and policy tagging with policy_user and policy_project_id.

MCP is an open standard for connecting assistants to external tools. The Policy Gateway guard adds tool governance on top.

This minimal guard enforces tool allowlists, logs every invocation with reason codes, and reuses policy_user and policy_project_id tags.

Updated Jan 16, 2026Agent governance

Quick start

Example request
const toolPolicy = {
  policy_id: "mcp-guard-v1",
  policy_version: "2026-01-16",
  allowlist: ["crm.read", "tickets.update", "billing.lookup"],
  reason_codes: { allow: "ALLOW", block: "TOOL_NOT_ALLOWED" },
};

export function guardToolCall({ toolName, policyUser, policyProjectId }) {
  const allowed = toolPolicy.allowlist.includes(toolName);
  const decision = allowed ? "allow" : "block";
  const reasonCode = allowed ? toolPolicy.reason_codes.allow : toolPolicy.reason_codes.block;

  logToolAudit({
    tool_name: toolName,
    decision,
    reason_code: reasonCode,
    policy_id: toolPolicy.policy_id,
    policy_version: toolPolicy.policy_version,
    policy_user: policyUser,
    policy_project_id: policyProjectId,
  });

  if (!allowed) throw new Error("Tool call blocked by policy.");
}

Service notes

  • Pricing model: Usage-based pricing (~$5 per 1M tokens) billed on total tokens (input + output). See the API pricing page for current plans.
  • Data retention: No prompt/output retention by default. Operational telemetry (token counts, timestamps, error codes) is retained for billing and reliability.
  • Compatibility: OpenAI-style /v1/chat/completions request and response format with a base URL switch.
  • Latency: Depends on model size, prompt length, and load. Streaming reduces time-to-first-token.
  • Throughput: Team plans include priority throughput. Actual throughput varies with demand.
  • Rate limits: Limits vary by plan and load. Handle 429s with backoff and respect any Retry-After header.

Enforce tool-call allowlists

#

Apply a guard at the MCP server boundary before tool calls are executed.

  • Keep a strict allowlist of tool names your security team approves.
  • Block unknown tools and return a policy reason code to the agent.
  • Version your tool policy so audits can reference the exact rule set.

Log every tool invocation

#

Emit a structured audit event for each tool call with decision metadata.

  • Include policy_user and policy_project_id to align with Policy Gateway tagging.
  • Use consistent reason codes so security teams can query decisions.
  • Send these events to the same audit export destination as Policy Gateway logs.
Log every tool invocation
{
  "event_type": "tool_invocation",
  "tool_name": "crm.read",
  "decision": "allow",
  "reason_code": "ALLOW",
  "policy_id": "mcp-guard-v1",
  "policy_version": "2026-01-16",
  "policy_user": "user-12345",
  "policy_project_id": "support-bot",
  "created_at": "2026-01-16T19:11:22Z"
}

Route tool audits to export destinations

#

Land MCP tool logs in the same SIEM or log platform as LLM audit logs.

  • Splunk HEC, Datadog Logs, Elastic, Amazon S3, Azure Monitor / Log Analytics.
  • Reuse the same indices or datasets for unified governance reporting.
  • Maintain a single audit trail across LLM responses and tool calls.

Common errors & fixes

  • 401 Unauthorized: Check that your API key is set and sent as a Bearer token.
  • 404 Not Found: Make sure the base URL ends with /v1 and you call /chat/completions.
  • 400 Bad Request: Verify the model id and that messages are an array of { role, content } objects.
  • 429 Rate limit: Back off and retry. Use the Retry-After header for pacing.

Related links