Solutions
Enterprise governance for autonomous systems.
Give security and compliance teams visibility, controls, and a provable audit trail.
Governance
Every autonomous action governed and recorded.
Policy decisions recorded with reason and snapshot hash.
Policy bundles with versioning
Simulate and explain decisions
Approval inbox with bulk actions
Audit exports for compliance
Policy Lifecycle
Draft, simulate, publish, rollback.
Give security teams a predictable workflow for policy changes.
Draft bundles
Create overlays without impacting production.
Simulate decisions
Run explain/simulate against payloads.
Publish snapshots
Promote approved bundles to prod.
Review approvals
Route risky actions through the approval inbox.
Rollback fast
Revert to last-known-good snapshots.
bundle.yaml
bundle: secops/production
rules:
  - match:
      tenant_id: "acme"
      risk_tags: ["prod", "write"]
    decision: REQUIRE_APPROVAL

decision-log.json
decision: REQUIRE_APPROVAL
reason: "prod/write requires approval"
constraints:
  max_lines_changed: 300
snapshot: "policy@9f3c7"
Audit Ready: Every approval is tied to a policy snapshot and job hash for provable compliance.
Govern MCP tool calls.
Apply the same policy and approval controls to MCP tools without slowing teams down.
Problems
- Agents call tools with no visibility into inputs/outputs
- No approval gate before sensitive MCP operations
- Hard to audit which tools ran and why
Cordum Controls
- Label MCP servers and tools for allow/deny decisions
- Require approvals for high-risk tool calls
- Record every MCP invocation with input/output metadata
- Constrain scope, rate, and data impact
mcp-policy.yaml
rules:
  - match:
      protocol: mcp
      server: "filesystem"
      capability: "write"
    decision: REQUIRE_APPROVAL
  - match:
      protocol: mcp
      server: "database"
    decision: ALLOW_WITH_CONSTRAINTS
    constraints:
      max_rows_affected: 100
      deny_tables: ["users", "credentials"]

Label MCP servers with capabilities and enforce approvals before tools modify prod data.
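A minimal evaluator for rules of the shape shown in mcp-policy.yaml, added here as an illustration and not Cordum's own engine: it matches an MCP tool call against the rules, applies the ALLOW_WITH_CONSTRAINTS limits, and emits a decision record carrying a reason and a policy snapshot hash like the decision log above. The matching semantics (first rule wins, default deny, list-valued fields must all be present) and the `table` and `rows_affected` call fields are assumptions.

```python
"""Minimal policy evaluator for rules shaped like mcp-policy.yaml above.
Hypothetical illustration, not Cordum's engine. Assumed semantics: a rule
matches when every `match` key equals the call's field (a list-valued key
must be a subset of the call's list); first match wins; no match means DENY.
"""
import hashlib
import json

# Rules transcribed from the page's mcp-policy.yaml, as Python dicts.
RULES = [
    {"match": {"protocol": "mcp", "server": "filesystem", "capability": "write"},
     "decision": "REQUIRE_APPROVAL"},
    {"match": {"protocol": "mcp", "server": "database"},
     "decision": "ALLOW_WITH_CONSTRAINTS",
     "constraints": {"max_rows_affected": 100, "deny_tables": ["users", "credentials"]}},
]

def snapshot_hash(rules):
    """Content hash of the canonical rule set, so every decision cites the exact policy version."""
    canon = json.dumps(rules, sort_keys=True, separators=(",", ":")).encode()
    return "policy@" + hashlib.sha256(canon).hexdigest()[:5]

def _matches(match, call):
    for key, want in match.items():
        have = call.get(key)
        if isinstance(want, list):
            if not isinstance(have, list) or not set(want) <= set(have):
                return False
        elif have != want:
            return False
    return True

def evaluate(call, rules=RULES):
    """Return one decision-log record: decision, reason, constraints, snapshot, job hash."""
    for rule in rules:
        if _matches(rule["match"], call):
            decision, constraints = rule["decision"], rule.get("constraints", {})
            reason = f"matched {rule['match']}"
            # Constraint breaches escalate instead of being silently allowed (assumed behaviour).
            if decision == "ALLOW_WITH_CONSTRAINTS":
                if call.get("table") in constraints.get("deny_tables", []):
                    decision, reason = "DENY", f"table {call['table']!r} is in deny_tables"
                elif call.get("rows_affected", 0) > constraints.get("max_rows_affected", float("inf")):
                    decision, reason = "REQUIRE_APPROVAL", "rows_affected exceeds max_rows_affected"
            break
    else:
        decision, constraints, reason = "DENY", {}, "no rule matched (default deny)"
    job_hash = hashlib.sha256(json.dumps(call, sort_keys=True).encode()).hexdigest()[:12]
    return {"decision": decision, "reason": reason, "constraints": constraints,
            "snapshot": snapshot_hash(rules), "job_hash": job_hash}
```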