C1 Deploy: Introducing C1 Bridge C1 Deploy launched C1 Bridge, a new component that extends AI Access Management to MCP servers running inside private networks without requiring inbound firewall rules or internet exposure. The solution allows organizations to govern internal AI servers—often handling sensitive data in finance, healthcare, and critical infrastructure—through a single outbound connection, eliminating the need for VPNs or reverse proxies while maintaining security and compliance. C1 Bridge extends AI Access Management to the MCP servers that run inside private networks, with no inbound firewall rules and nothing exposed to the internet. AI Access Management governs how AI clients reach MCP servers: every tool call is authenticated, checked against policy, and logged with the identity behind it. C1 Bridge brings that same governance to the MCP servers a company hosts itself, inside its own network, where nothing is exposed to the internet. These are often the servers that matter most: close to sensitive data, custom to a team, or required by regulation to stay inside the network, as in financial services, healthcare, and critical infrastructure. With Bridge they come under the same control plane as the thousands of MCP servers C1 already hosts. Why these servers are hard to govern why-these-servers-are-hard-to-govern Internal MCP servers arrive two ways. Some are built in house to wrap sensitive data or a team's own tools. Others ship with software a company runs on its own infrastructure, from a self-managed ERP to an on-prem code platform that exposes its own MCP server. Either way the server sits on a network with no inbound route, which is what keeps it off the internet and, at the same time, what makes it hard to govern. A cloud proxy cannot reach what it cannot address. Until now the choices were poor. Exposing the server so a cloud service can reach it is a non-starter for anyone responsible for the environment. Building a VPN or reverse proxy adds infrastructure to own and still moves packets without governing who sits on the other end. Doing nothing leaves an AI server that agents can already reach and no one is watching, which is how shadow MCP turns into a finding in the next audit. Each path forces the same choice between reaching a server and keeping it contained. That choice is a false one. Reach without exposure reach-without-exposure C1 Bridge runs as a container or a binary on the network beside those servers and opens a single outbound connection to C1. Nothing inbound is required: no firewall rule to add, no public hostname to publish, and no change to the network's posture. Once the connection is live, the private server appears in C1 like any other. An administrator registers it, C1 discovers and classifies its tools, and AI clients reach it through the same governed entry point they already use. The server never moves. It stays behind the firewall and comes under governance where it sits. A single Bridge fronts many services at once, so a platform team deploys it once and brings new servers under governance as they come online, without standing up new infrastructure each time. "Isn't this just a tunnel?" isnt-this-just-a-tunnel Outbound tunnels are not new. Cloudflare offers one for free, the model labs ship their own, and they are good at exactly one thing: moving bytes. A tunnel authenticates a connection, not a person. It cannot say who made a call or whether policy allowed it, and it produces no audit trail. That distinction is the product. C1 is the governance plane that sits above any tunnel and works for any AI client. Reach is plumbing; governance is the point. And because the Bridge is part of AI Access Management, nothing separate is metered or sold. Private servers come under the same governance as everything else. How we designed it how-we-designed-it We built the Bridge around a single constraint: bringing a server under governance should never require opening it up. Several decisions follow from that. The connection is always initiated from inside the network, over one outbound port. With no inbound listener, the most common way these deployments fail, an exposed port that gets scanned or misconfigured, does not exist here. The Bridge itself does as little as possible. It carries traffic between C1 and the local servers and makes no access decisions of its own; policy and identity live upstream, not on the agent. It authenticates with one narrowly scoped workload credential that can be rotated or revoked in a single action, which keeps its blast radius small by design. Governance stays where it belongs. Identity, policy, approvals, and audit run in AI Access Management's identity-aware proxy. The Bridge provides reach and AIAM provides governance, and keeping the two separate is what lets the deployed component stay small enough to reason about and trust. It also fits how infrastructure teams already work. The Bridge ships as a single container or binary, runs on Kubernetes, Docker, or bare metal, needs only outbound 443, and validates its configuration before it starts. A platform engineer can have it running in an afternoon without filing a networking exception. Governed like everything else governed-like-everything-else Once connected, a private server inherits the controls AIAM already applies to hosted ones. Access is tied to a person. With per-user identity enabled, the identity and policy of the human behind a request are enforced at the proxy, rather than a shared key that hides everyone behind a single credential. Each request to an internal tool is logged against the specific person who made it, with the same audit context AIAM records for any other application it governs. And the program a company already runs, the access requests, approvals, and periodic certifications that span thousands of applications, now includes its private MCP servers, under one control plane regardless of who hosts the server. For environments where regulation forbids inbound exposure of a protected zone, such as PCI-DSS or NERC CIP, an outbound-only design is more than a convenience. It is often the only way to connect these servers at all without breaking the control. Every architecture, now complete every-architecture-now-complete AI Access Management set out to be one control plane for agent access across every system and every architecture. The Bridge closes the hardest case in that promise: the servers organizations keep off the internet on purpose. The governed path now reaches all the way into the private network, and the servers that used to sit beyond it are governed like the rest. Want to bring your private MCP servers under governance? Book a demo /lp/request-demo/ and we'll walk you through C1 Bridge and AI Access Management /products/ai-access-management in action.