I'm the CTO of a mid-sized organization with about 70 employees, and we've been adopting various Cursor and Claude technologies. Recently, we've noticed a significant number of Managed Cloud Providers (MCPs) emerging organically within our environment. We have a mixture of verified, open-source, and untrusted GitHub repositories that employees can access, including critical infrastructure credentials, API tokens, and customer .env files.
From an enterprise IT perspective, I'm trying to figure out how to handle this MCP sprawl without disrupting the workflows of our developers and admins. Even if we establish observability, we'll face challenges in blocking everything locally since some MCPs genuinely require execution for ongoing operations. Full proxying breaks automation as well. I'm curious about how other IT teams are ensuring visibility and control in scenarios like this.
3 Answers
One way to tackle this issue is to position Risk & Compliance as the "bad guys" in your organization. Start enforcing security standards in the name of compliance — a common excuse like, "We can't change or disrupt their current systems" just isn't valid anymore. It may sound harsh, but setting clear boundaries is essential.
Local MCPs can definitely be a headache, and it often depends on what they are doing. In our case, we built a proxy for cloud runtimes to centralize everything. MCPs that are streamable can pass through easily, while stdio ones are run statelessly. If I were starting now, I’d consider exploring options like MintMCP; it looks promising compared to what we created before they launched.
I sent you a message! I’d really like to learn more about your approach and how it’s working for you.
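Before you can proxy or block anything, you need the inventory the answer above takes for granted: which MCP servers are declared, whether they are local stdio processes or remote streamable endpoints, and whether their config hands them credentials. The script below is an added example, not code from the original thread or from MintMCP; it assumes the `mcpServers` JSON shape used by Cursor (`.cursor/mcp.json`) and Claude Desktop (`claude_desktop_config.json`), and the sample config, allowlist and file path are constructed for illustration.

```python
"""Inventory Cursor/Claude-style MCP server configs and flag risky entries.

Assumption: servers are declared under a top-level "mcpServers" object, with
local servers carrying "command"/"args"/"env" and remote ones carrying "url".
"""
import json
import re
from dataclasses import dataclass, field
from pathlib import Path

# Assumed allowlist of servers that went through a review (constructed names).
APPROVED_SERVERS = {"github-verified", "internal-docs"}

# Env keys that usually carry credentials; a match means the config itself
# is distributing a secret to whatever process the server launches.
SECRET_KEY_RE = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE)", re.I)


@dataclass
class Finding:
    name: str
    transport: str                      # "stdio" (local process) or "http" (remote)
    approved: bool
    secret_env_keys: list = field(default_factory=list)
    risk: str = "low"                   # "low", "medium" or "high"


def classify_transport(server: dict) -> str:
    # Remote/streamable servers are declared with a URL; local ones spawn a command.
    return "http" if "url" in server else "stdio"


def rate_risk(approved: bool, transport: str, secret_keys: list) -> str:
    if approved:
        return "low"
    # An unreviewed local process runs with the developer's full privileges,
    # and any unreviewed server that is fed credentials can exfiltrate them.
    if transport == "stdio" or secret_keys:
        return "high"
    return "medium"


def inventory(config: dict) -> list:
    """Turn one parsed config into a list of Findings, one per declared server."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        transport = classify_transport(server)
        secret_keys = [k for k in server.get("env", {}) if SECRET_KEY_RE.search(k)]
        approved = name in APPROVED_SERVERS
        findings.append(Finding(name, transport, approved, secret_keys,
                                rate_risk(approved, transport, secret_keys)))
    return findings


def inventory_file(path: Path) -> list:
    """Parse a config file on disk; a missing or malformed file yields no findings."""
    try:
        return inventory(json.loads(path.read_text()))
    except (OSError, json.JSONDecodeError):
        return []


# Constructed sample config mimicking a developer's workstation.
SAMPLE_CONFIG = {
    "mcpServers": {
        "github-verified": {"command": "npx", "args": ["-y", "@example/github-mcp"],
                            "env": {"GITHUB_TOKEN": "ghp_placeholder"}},
        "random-stdio-tool": {"command": "python", "args": ["tool.py"],
                              "env": {"GITHUB_TOKEN": "ghp_placeholder"}},
        "remote-saas": {"url": "https://mcp.example.invalid/stream"},
    }
}


def summarize(findings: list) -> dict:
    """Count findings per risk level for a fleet-wide dashboard."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for f in findings:
        counts[f.risk] += 1
    return counts


if __name__ == "__main__":
    for f in inventory(SAMPLE_CONFIG):
        print(f"{f.risk:6} {f.transport:5} approved={f.approved!s:5} {f.name} "
              f"secrets={f.secret_env_keys}")
    print(summarize(inventory(SAMPLE_CONFIG)))
```

Run this across every developer's config files (an endpoint agent or a periodic MDM script can collect them) and you get the baseline the proxy needs: which stdio servers must be wrapped or run statelessly, which http endpoints can pass through, and which configs are quietly shipping tokens to unreviewed code.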
Integrating approval processes directly into workflows is crucial for keeping random shadow IT at bay. This way, you maintain visibility while allowing legitimate use of MCPs without hindering team productivity.
Has this method worked specifically for MCPs in practice? I'd love to hear more about the implementation details.

That's great advice! But how would we actually implement that? What specific standards should we focus on for MCPs? I'm open to brainstorming ideas.