AI Access Management vs Standalone MCP Gateways
Gateways stop calls. C1 governs identity.
How C1 compares
| | C1 | Standalone MCP gateway |
|---|---|---|
| Architecture | Identity-aware MCP gateway driven by a unified identity graph. | Standalone gateway, parallel control plane. |
| Self-service request flow | Users request access in Slack, Cursor, CLI, or web. Policy-based auto-approval. Approvals land in Slack or Teams. | No self-service surface. Provisioning is an admin task. |
| Catalog | Tiered. SLA-backed core integrations. Formally modeled coverage for every other SaaS. Plus any MCP your team brings. | Flat count, typically aggregated from public OpenAPI specs and GitHub repos. |
| Integration quality | Formal domain model per integration. Tools risk-classified. 37+ structural and semantic checks per release. | Varies. Typically not validated against the upstream vendor API. |
| When an integration breaks | C1 ships a fix. SLA applies for the supported tier. | Customer waits on community or files an issue. |
| MCP server types supported | Catalog integrations plus native MCPs — vendor-published, community, or built in-house. Hosted endpoint, customer cloud, or on-prem via tunnel. | Native MCP only. No first-party catalog. |
| CodeMode bindings | Every tool exposed as a CodeMode TypeScript binding from the same formal model. Agents chain calls in one program; policy enforced per call; one audit envelope per execution. | Raw tools/call only. Each call round-trips the agent's conversation context. |
| Auth modes per integration | Shared or personal credentials. OAuth, API key, or the target app's existing IdP flow (works with SAML via the IdP redirect). Credentials vault in C1, never on user devices. | Varies. Often OAuth-only and tied to a gateway-specific session model. |
| Identity and access mutations | When a tool would grant permissions, rotate credentials, or modify roles, the request routes through C1's governance engine. Approval workflows apply. | Direct tool calls. Bypasses identity workflows. |
| Agent identity | First-class C1 Service Principals — owner, role assignments, access reviews. Workload Federation for CI/CD-driven agents (GitHub Actions, GitLab, HCP Terraform, AWS IAM) with no stored secret. Permissions are SPN role ∩ trust scope. | Service-account-style. OBO token exchange at best. Typically no federation surface. |
| Audit envelope | Every tool call logged with user, agent, harness, tool, parameters, policy, outcome. Audit trails fit for SOC 2, GDPR, HIPAA, and your EU AI Act governance program. | Gateway-level logging. Identity context typically thin or absent. |
| Deployment | SaaS. No VPC, no control plane to maintain, no upgrade windows. | Often requires VPC deployment and customer-managed control plane. |
| On-prem reach | Single outbound tunnel. Your data stays on your network. | Varies. Usually inbound or VPC-resident. |
| Pricing | Consumption-based. Scales to zero when idle. | Typically new contract, custom enterprise pricing. Plus the cloud infrastructure you deploy and run. |