
MCP Integration

Model Context Protocol (MCP) is an open standard that lets AI assistants like Claude, ChatGPT, and others use external tools. Instead of copying data into chat windows or switching between dashboards, you ask your AI assistant directly: "show me agent health" or "halt that misbehaving agent." The assistant calls AgentLattice tools behind the scenes and returns structured results.

AgentLattice ships a built-in MCP server. This means your AI assistant becomes a governance operator -- it can query audit trails, check agent status, manage team members, triage anomalies, and take enforcement actions, all through natural language.

Why MCP?

The governance dashboard is designed for humans browsing at their own pace. MCP is designed for AI-assisted operations where you want to:

  • Ask questions in natural language. "Which agents triggered anomalies in the last 12 hours?" is faster than navigating filters.
  • Chain reasoning across tools. Your assistant can call get_agent_health, spot a problem, then call list_anomaly_events for that specific agent, and suggest an enforcement action -- all in one conversation turn.
  • Operate from wherever you already work. If your team lives in Claude Desktop or another MCP-compatible client, governance is one tool call away instead of a tab switch.
  • Automate incident response. A human reviews the AI's summary and confirms enforcement actions. The AI handles the data gathering; the human makes the call.

Available MCP Tools

AgentLattice exposes the following categories of tools through its MCP server:

Identity & Access Management

Tool                     Description
list_principals          List all human members, AI agents, and pending invitations in your workspace
invite_member            Invite a new team member by email (member or viewer roles only)
update_member_role       Change a member's role (member or viewer -- admin promotion requires the dashboard for human approval)
remove_member            Remove a member from the workspace
request_member_access    Request access for someone, creating a pending invitation that requires admin approval

Note the deliberate safety constraint: admin-level role changes cannot be performed through MCP. Privilege escalation requires human confirmation through the dashboard UI.

Security & Behavioral Monitoring

Tool                     Description
get_agent_health         Get circuit breaker state, calibration progress, and 24-hour anomaly summary for all agents
list_anomaly_events      List behavioral anomaly events, filterable by agent and time window. Returns anomaly type, threat taxonomy technique, score, and acknowledgement status
list_incidents           List security incidents, filterable by status (open, investigating, contained, closed)
acknowledge_anomaly      Acknowledge an anomaly as false positive, confirmed, or under investigation, with optional reasoning
trigger_enforcement      Halt or kill a misbehaving agent. Writes a tamper-evident enforcement event and updates the circuit breaker state
resume_agent             Resume a halted agent after investigation. Rolls back the latest enforcement event and restores monitoring

Policy Management

Tool                     Description
list_policies            List all policies in the workspace, with their action types, conditions, and status
get_policy               Get a single policy by ID, including its full condition set and metadata
create_policy            Create a new policy with action type matching, conditions, and approval requirements
update_policy            Update an existing policy's conditions, description, or active status
delete_policy            Delete a policy by ID. Existing audit events referencing this policy are preserved

Approval Management

Tool                     Description
list_pending_approvals   List actions waiting for operator approval, with the requesting agent and matched policy
approve_action           Approve a pending action. The agent is notified and can proceed with execution
deny_action              Deny a pending action with an optional reason. The agent receives the denial and reason

Delegation Management

Tool                     Description
list_delegations         List active delegations in the workspace, showing parent-child agent relationships and expiry times
grant_delegation         Create a delegation from one agent to another with a time boundary and optional scope restrictions
revoke_delegation        Revoke an active delegation immediately. The child agent loses delegated permissions on the next action

Webhook Management

Tool                     Description
register_webhook         Register a new webhook subscription with a destination URL and event type filter. Returns the signing secret (shown once)
list_webhooks            List all webhook subscriptions with their event filters, active status, and failure counts
delete_webhook           Delete a webhook subscription. Pending deliveries for this subscription are abandoned

Every MCP action is recorded in the audit trail, tagged with the MCP key that performed it. There is no "shadow admin" problem -- MCP operations are as visible as any other action in the system.

Setup

Generate an MCP API Key

  1. Go to Settings > Security in the AgentLattice dashboard.
  2. Click Generate MCP Key. You will see the key exactly once -- copy it immediately.
  3. The key is prefixed with al_mcp_ for easy identification. Only the hash is stored server-side.

MCP key generation requires admin privileges and is itself recorded as an audit event.

Add to Claude Desktop

Open your Claude Desktop configuration file and add the AgentLattice MCP server:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "agentlattice": {
      "url": "https://www.agentlattice.io/api/mcp",
      "headers": {
        "Authorization": "Bearer al_mcp_your_key_here"
      }
    }
  }
}

Restart Claude Desktop. You should see "agentlattice" listed in your available tools.

Other MCP Clients

AgentLattice implements the standard MCP JSON-RPC protocol over HTTP. Any MCP-compatible client that supports HTTP transport and Bearer token authentication can connect using the same endpoint and key format.

Example Workflows

Morning Security Check

You: "Show me agent health across the org."

Claude calls get_agent_health and returns a table: three agents green (monitoring), one yellow (calibrating), one red (halted after last night's anomaly spike).

You: "What happened with the halted agent?"

Claude calls list_anomaly_events filtered to that agent and summarizes: bulk data access pattern detected at 2:47 AM, anomaly score 87, auto-halted by circuit breaker policy.

You: "That was a scheduled batch job. Mark it as a false positive and resume the agent."

Claude calls acknowledge_anomaly with disposition false_positive, then resume_agent with your justification. Both actions are recorded in the audit chain.

Team Access Review

You: "List everyone with access to this workspace."

Claude calls list_principals and returns members (with roles), active agents, and any pending invitations.

You: "Remove the contractor who left last week."

Claude calls remove_member. If the member has pending approval requests, it asks for confirmation before proceeding.

Incident Triage

You: "Show me open incidents."

Claude calls list_incidents with status OPEN and returns a summary including severity, affected agents, and threat taxonomy techniques observed.

You: "The high-severity one on agent deploy-bot -- kill it and note that we're investigating a potential prompt injection."

Claude calls trigger_enforcement with action KILL and your reasoning. The enforcement event is hash-chained for tamper evidence.
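The enforcement event above is described as hash-chained for tamper evidence. The following is an added illustration of that technique and is not AgentLattice's own code: each audit record is tagged with the MCP key ID that performed it and commits to the previous record's hash, so verification pinpoints the first altered or deleted record. The key ID mck_demo and the record layout are constructed for the example.

```python
import hashlib
import json
from typing import Optional

# Illustrative hash-chained audit trail, not AgentLattice's own code. Each
# record commits to the previous hash, so editing or deleting any earlier
# record invalidates every hash after it.
GENESIS = "0" * 64

def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append_event(chain: list, key_id: str, tool: str, args: dict, reason: str = "") -> dict:
    """Record one MCP tool invocation, tagged with the key ID that performed it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {
        "seq": len(chain),
        "key_id": key_id,      # MCP key ID (constructed value in the demo)
        "tool": tool,
        "args": args,
        "reason": reason,
        "prev_hash": prev_hash,
    }
    body["hash"] = _digest(body)
    chain.append(body)
    return body

def verify_chain(chain: list) -> Optional[int]:
    """Return the index of the first broken record, or None if the chain is intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        unhashed = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev_hash"] != prev_hash or _digest(unhashed) != rec["hash"]:
            return i
        prev_hash = rec["hash"]
    return None

def demo() -> tuple:
    """Append the incident-triage actions, then tamper with one and re-verify."""
    chain: list = []
    append_event(chain, "mck_demo", "list_incidents", {"status": "OPEN"})
    append_event(chain, "mck_demo", "trigger_enforcement",
                 {"agent": "deploy-bot", "action": "KILL"}, "investigating potential prompt injection")
    intact = verify_chain(chain)
    chain[1]["args"]["action"] = "HALT"  # silently downgrade the recorded action
    return intact, verify_chain(chain)
```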

Security Model

MCP access is governed by the same principles as the rest of AgentLattice:

  • Authentication: Every request requires a valid, non-revoked MCP key. Keys are SHA-256 hashed at rest -- AgentLattice never stores the raw key after initial generation.
  • Workspace scoping: An MCP key can only access data and agents within its workspace. Cross-workspace access is architecturally impossible.
  • Privilege boundaries: Admin-level operations (promoting users to admin, revoking other MCP keys) are deliberately excluded from MCP tools. These require human interaction through the dashboard.
  • Audit trail: Every MCP tool invocation is logged with the key ID, making it trivial to trace who (or what) performed any action.
  • Key revocation: Admins can revoke MCP keys instantly from the dashboard. Revocation is immediate -- the next tool call with that key will fail.

Revoking an MCP Key

If a key is compromised or no longer needed:

  1. Go to Settings > Security in the dashboard.
  2. Find the key by its label and click Revoke.
  3. Revocation is instant and irreversible. Any client using that key will receive an authentication error on the next request.

Key revocation is recorded as an audit event.
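As an added illustration of the key handling described under Security Model and Revoking an MCP Key (not AgentLattice's own code), the store below mints an al_mcp_-prefixed key, returns the raw value once, keeps only its SHA-256 hash, resolves a Bearer header to the key's workspace for scoping, and makes a revoked key fail on the very next request. The key ID format mck_... and the workspace names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Illustrative MCP key store, not AgentLattice's own code. It models the
# properties described above: al_mcp_ prefix, SHA-256 hash stored instead of
# the key, raw key shown once, and revocation that fails the next request.
PREFIX = "al_mcp_"

def _hash_key(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()

class McpKeyStore:
    def __init__(self) -> None:
        self._keys: dict = {}  # key_id -> {"hash", "workspace", "label", "revoked"}

    def generate(self, workspace: str, label: str) -> tuple:
        """Mint a key. The raw key is returned once and never stored."""
        raw_key = PREFIX + secrets.token_urlsafe(32)
        key_id = "mck_" + secrets.token_hex(4)  # hypothetical key ID format
        self._keys[key_id] = {"hash": _hash_key(raw_key), "workspace": workspace,
                              "label": label, "revoked": False}
        return key_id, raw_key

    def revoke(self, key_id: str) -> None:
        self._keys[key_id]["revoked"] = True  # irreversible: there is no un-revoke

    def authenticate(self, authorization_header: str) -> Optional[dict]:
        """Resolve a Bearer header to its key ID and workspace, or None."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token.startswith(PREFIX):
            return None
        candidate = _hash_key(token)
        for key_id, rec in self._keys.items():
            # constant-time compare so a near-miss hash does not leak via timing
            if hmac.compare_digest(candidate, rec["hash"]) and not rec["revoked"]:
                return {"key_id": key_id, "workspace": rec["workspace"]}
        return None

def demo() -> tuple:
    """Generate, authenticate, revoke, then show the same key is rejected."""
    store = McpKeyStore()
    key_id, raw_key = store.generate("ws_demo", "claude-desktop")
    before = store.authenticate("Bearer " + raw_key)
    wrong = store.authenticate("Bearer " + PREFIX + "not-the-real-key")
    store.revoke(key_id)
    after = store.authenticate("Bearer " + raw_key)
    return (before["workspace"] if before else None), wrong, after
```

Every tool call would be audited against the returned key_id, and all queries scoped to the returned workspace, which is what makes cross-workspace access structurally unavailable to a key.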