The Model Context Protocol is everywhere. Anthropic published the spec in late 2024. By the time you're reading this, every major SaaS vendor has an MCP server, every IDE has an MCP client, and your engineers have already wired half a dozen of them into Claude Code and Cursor without telling you. Three thousand MCP servers exist in the wild. Eighteen thousand if you count the ones that haven't shipped a release in eighteen months. The protocol works. Adoption is real.
So is the gap.
MCP is a protocol. It defines how an AI client and a tool server talk to each other. It does not define who is allowed to call which tool, when, with what parameters, on whose behalf, under what policy, and with what audit trail. The protocol is silent on identity. Silent on policy. Silent on lifecycle. Silent on audit. Those things still have to come from somewhere. The question is where.
The first answer the market gave was the gateway. Sit a proxy in front of the MCP servers, terminate the tool calls there, enforce some policy at the proxy, log the request and response, and call it governance. This works in the same way a firewall is "network security." It stops the tool call. It doesn't know who made the call, what they're entitled to elsewhere, or how the request fits the rest of your identity surface. If the call is to grant a Salesforce role, the gateway doesn't know whether your approval workflow already ran. If the call is to read a Snowflake table, the gateway doesn't know whether the user is in a department allowed to see that data. If the call is from an agent running in a CI/CD pipeline, the gateway doesn't know whether the credential the agent is using has been rotated, revoked, or is about to expire.
A gateway is a necessary enforcement point. It isn't governance.
Governance is what happens behind the gateway. It's the unified identity graph that knows every human, every machine, and every agent in your enterprise. It's the access review that checks an enterprise agent's entitlements on the same schedule as a human employee's. It's the policy engine that evaluates a tool call against the role the requester actually holds, the department they sit in, the time of day, the risk score, and the audit obligation. And, better still, it's the credential model that removes stored long-lived secrets entirely. With Workload Federation, a workflow run presents your CI/CD platform's short-lived OIDC token and exchanges it for a scoped C1 access token, per run: the trust's CEL conditions are evaluated against the token's claims before anything is issued, and the resulting permissions are the intersection of the Service Principal's roles and the trust's scope, so a trust can narrow what a run may do but never widen it. That is the same pattern your engineers already use with aws-actions/configure-aws-credentials@v4 in GitHub Actions, now applied to AI agents.
None of that is in MCP. None of that is in a gateway. All of it has to come from your identity infrastructure.
That's the missing layer. And it's the layer C1 already runs at Ramp, Instacart, DigitalOcean, Brex, Klaviyo, Qualtrics, Zscaler — the platform that already governs human access, now extended to AI agents. An identity-aware MCP gateway is one capability among many. Hosted MCPs in our cloud. Custom MCPs in your cloud. On-prem MCPs reached through a single outbound tunnel — your data stays on your network.
The fastest path to AI doesn't have to be a separate parallel control plane. It can be the identity infrastructure you already trust, extended to a new class of actor. That's where governance comes from.
That's why we built AI Access Management. See how the pieces fit together.