Model Context Protocol (MCP) servers have transformed AI from passive chatbots into action-capable agents. Claude can now execute tools, read files, query databases, and interact with your infrastructure. For developers, it's revolutionary. For security teams, it's a nightmare.
The problem? MCP servers everywhere like on laptops, in IDEs, in browser tabs and most organizations have no visibility into what they are or what they're doing. You've got an enterprise AI gateway controlling centralized traffic, but the moment an employee opens Claude Desktop, all governance evaporates.
Bifrost solves this with a two-layer approach: the Bifrost Gateway centralizes governance policies in your infrastructure, and Bifrost Edge enforces those same policies on every employee's machine. Together, they turn shadow MCP into governed MCP.
This is the article of how.
Let's be clear about what MCP enables. A single MCP server can:
This is intentional design. MCP servers are meant to be powerful. The protocol assumes a trusted environment.
But in enterprise? There is no single trusted environment anymore.
You might think: "We'll just block MCP access at the network layer."
But MCP can operate over stdio (local pipes), WebSockets, HTTP, and custom transports. Blocking one doesn't block the others. And even if you could block everything, you'd cripple the developers who should be using MCP as part of their workflow.
You might try: "We'll mandate that all MCP servers are pre-approved and centrally configured."
This works until your first developer says, "I need a custom tool for my use case." Suddenly you're the bottleneck. Teams build workarounds. Governance fails.
The real solution requires visibility at the endpoint + enforcement at the gateway, working together.
Bifrost's answer is a two-layer system:
The Bifrost Gateway sits in your infrastructure and provides centralized control over AI traffic:
This is where enterprise governance lives. The Gateway is your source of truth.
{
"virtual_key": "vk-eng-team",
"allowed_tools": [
"github"
],
"blocked_tools": [
"file_system",
"subprocess"
],
"budget": {
"monthly_spend": 5000,
"alert_threshold": 4500
}
}
But here's the catch: the Gateway only controls traffic that actually goes through it.
This is where Bifrost Edge changes the game.
Bifrost Edge is a lightweight agent that runs on each employee's machine (macOS, Windows, Linux) and does one thing: routes all AI traffic through your Bifrost Gateway automatically.
No configuration. No base URLs to change. No SDK modifications. Edge intercepts all AI requests at the machine level and runs them through the governance policies you've already defined in the Gateway.
Now here's what changes:
Before Bifrost Edge: Your engineer runs Claude Desktop β Direct connection to OpenAI β Unaudited, uncontrolled, outside your governance
After Bifrost Edge: Your engineer runs Claude Desktop β Routed through Edge β Routed through Gateway β Governed, audited, controlled
The governance you've already configured at the Gateway level now applies to every AI request, everywhere.
For the first time, you can see every MCP server configured across your organization:
The Bifrost admin console shows:
MCP Servers Across Your Fleet
ββββββββββββββββββββββββββββββ
Developer Machines: 47
β github-integration (27 devices)
β custom-web-scraper (3 devices) β NOT APPROVED
β file-system-access (8 devices) β BLOCKED
Research Machines: 12
β arxiv-search (11 devices)
β paper-summarizer (9 devices)
β experimental-tool (1 device) β PENDING APPROVAL
You now have visibility into shadow MCP. And visibility is the first step to control.
But Bifrost Edge goes further. You can approve or deny MCP servers at the device level:
Virtual Key: vk-engineers
Allowed MCP Servers:
- github
- internal-apis
Denied MCP Servers:
- file-system
- subprocess
- custom-scrapers
When an engineer tries to connect an unapproved MCP server through Claude Desktop, Edge intercepts it:
This happens transparently, on the device, without breaking the user's workflow.
The real power emerges when you combine MCP governance with Bifrost's guardrails:
Imagine an approved MCP server that reads files. Your guardrails are set to block PII exposure. A developer accidentally tries to send a file containing customer data through an AI request:
Request: "Analyze this file: customer_data.csv"
Edge Route:
MCP server allowed? β Yes
Block: β Request denied
Notification: β Sent to security team + user
The developer sees: "This file contains sensitive data that can't be analyzed. Contact security if you need access."
You see: Full audit trail, who tried to do what, when, and why.
Your engineering organization uses:
Configuration in the Gateway (one time):
{
"virtual_key": "vk-engineering",
"allowed_mcp_servers": [
"github"
],
"blocked_mcp_servers": [
"file_system",
"subprocess",
"arbitrary_http"
],
"budget": {
"monthly": "$10,000",
"alerts": ["$9,000", "$9,500"]
}
}
Deploy Edge to all 150 engineers.
Result: Every engineer can use Claude and approved tools, with no per-machine setup, and no governance overhead.
When an engineer tries to use an unapproved server (because they found it online), Edge blocks it and Surface it in the admin dashboard. Your security team sees the attempt, reviews the tool, and either approves it or documents why it's blocked.
Here's how this typically rolls out:
This is a one-time investment. The policies you define here apply to all endpoints.
Edge rolls out silently. Employees see a one-time browser sign-in prompt. Then it works.
The process is iterative because you're learning what tools your teams actually need.
From a CISO's perspective:
| Concern | Before Bifrost | With Bifrost |
|---|---|---|
| Shadow MCP Visibility | ||
| None | Complete | |
| MCP Approval Workflow | ||
| Manual, slow | Automated, instant | |
| Enforcement | ||
| Network-only | Every machine | |
| Audit Trail | ||
| Partial | Complete | |
| Compliance Reporting | ||
| Time-consuming | Automated | |
| Onboarding Speed | ||
| Slow (per-app config) | Fast (sign-in only) | |
| Offboarding | ||
| Manual | Automatic |
Bifrost Edge is in alpha. If you're managing AI at enterprise scale and drowning in shadow MCP:
The story of AI governance isn't about choosing between security and productivity. It's about choosing infrastructure that enables both.
AI is becoming critical to how work gets done. MCP servers are how AI becomes actionable. Enterprise teams need to govern both.
For too long, we've accepted a false choice: either employees use cutting-edge AI tools, or organizations maintain strict controls (which developers circumvent).
Bifrost offers a third path: governance that enables rather than restricts. Policies defined once, enforced everywhere, visible to everyone, invisible to users.
This is what enterprise AI infrastructure should look like.
npx -y @maximhq/bifrost-cli