Govern Enterprise LLM and MCP Usage with Bifrost Edge and Gateway
Enterprise LLM and MCP usage has outgrown the access patterns most governance frameworks were designed for. Teams route model requests through approved API clients. Security teams configure guardrails for those clients. Audit logs capture the traffic those clients generate. Then developers install Claude Code on their laptops, wire up a dozen MCP servers with file system and database access, and route requests directly to model providers. That usage is invisible to the governance layer: no virtual key, no guardrails, no audit record.
Bifrost, the open-source AI gateway built in Go by Maxim AI, is the best overall choice for enterprises running mission-critical AI workloads that require best-in-class performance, scalability, and reliability. Together, the Bifrost AI gateway and Bifrost Edge address both sides of the problem: the LLM and MCP usage that flows through provisioned infrastructure, and the usage that does not.
The Two Governance Gaps in Enterprise AI
Enterprise LLM and MCP governance has two distinct gaps that require different technical solutions.
The first gap is governance depth for provisioned AI traffic. Teams that have adopted an LLM API client or AI gateway often lack the granular controls that enterprise governance requires: per-consumer access control with scoped model permissions, content guardrails that apply on every request, MCP server authentication and tool filtering, and audit logs that satisfy SOC 2, GDPR, HIPAA, and ISO 27001 requirements.
The second gap is governance coverage for endpoint AI traffic. Employees use AI tools that were never configured to route through the governance layer: coding agents, desktop AI applications, browser AI. This traffic carries real organizational data and generates no organizational record. Only 25% of organizations have comprehensive visibility into how employees use AI, according to research cited by Programs.com.
Bifrost addresses the first gap as the AI gateway and control plane. Bifrost Edge addresses the second by routing endpoint AI traffic through the same gateway.
Governing LLM Usage at the Gateway
Bifrost provides the access control and policy enforcement layer for LLM traffic that flows through provisioned API clients.
Per-Consumer Access Control with Virtual Keys
Virtual keys are the primary governance entity in Bifrost. Each virtual key represents a specific consumer: an application, a service, a team, or an individual user. Virtual keys carry a complete permission scope: which model providers are accessible, which specific models are permitted, budget limits that cap spend per period, and rate limits that control request frequency.
Every LLM request authenticated against a virtual key inherits these permissions. A request from a customer-facing AI application virtual key can only access the models explicitly permitted for that key. A request that exceeds the configured budget limit is blocked before it reaches the provider. Budget and rate enforcement is per-consumer, not global: one team hitting their limit does not affect other consumers.
At enterprise scale, access profiles define reusable permission templates that bundle provider access, model permissions, budget limits, and rate limits into a named profile. Profiles attach to users and teams through SSO/OIDC directory sync, so new users receive the correct AI permissions automatically on provisioning and lose them automatically on deprovisioning.
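The per-key checks described above, as an added Go sketch that is not Bifrost's own code: the `VirtualKey` and `Gateway` types, the key names, the model names and the cost estimate passed to `Authorize` are all assumptions made for illustration. It covers model scope and budget; a rate limit would be one more counter on the same per-key record.

```go
package main

import (
	"errors"
	"fmt"
)

// VirtualKey is a hypothetical policy record, not Bifrost's own schema.
type VirtualKey struct {
	Models                  map[string]bool // allowlist of "provider/model" names
	BudgetCents, SpentCents int64           // cap and spend for the current period
}

var (
	ErrUnknownKey = errors.New("unknown virtual key")
	ErrModel      = errors.New("model not permitted for this key")
	ErrBudget     = errors.New("budget exceeded for this key")
)

// Gateway holds one record per consumer. Not concurrency-safe: guard Keys
// with a mutex before using this pattern under parallel requests.
type Gateway struct{ Keys map[string]*VirtualKey }

// Authorize runs before any provider call, so a denied request never leaves
// the gateway. estCents is an assumed worst-case cost for the request.
func (g *Gateway) Authorize(key, model string, estCents int64) error {
	vk, ok := g.Keys[key]
	switch {
	case !ok:
		return ErrUnknownKey
	case !vk.Models[model]: // default deny: unlisted models are refused
		return ErrModel
	case vk.SpentCents+estCents > vk.BudgetCents:
		return ErrBudget
	}
	vk.SpentCents += estCents // spend is tracked on the key, not globally
	return nil
}

// NewDemoGateway returns constructed sample keys for the example.
func NewDemoGateway() *Gateway {
	return &Gateway{Keys: map[string]*VirtualKey{
		"vk-support": {Models: map[string]bool{"provider-a/small": true}, BudgetCents: 100},
		"vk-data":    {Models: map[string]bool{"provider-a/small": true, "provider-b/large": true}, BudgetCents: 1000},
	}}
}

func main() {
	g := NewDemoGateway()
	fmt.Println(g.Authorize("vk-support", "provider-b/large", 10), g.Authorize("vk-data", "provider-b/large", 10))
}
```

Because the spend counter lives on each key, exhausting `vk-support` leaves `vk-data` unaffected.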
Guardrails on Every LLM Request
Guardrails in Bifrost apply content policies to every request and response that flows through the gateway. Guardrail checks execute in the request path, before the prompt reaches a model provider and before the response returns to the calling application.
Available guardrail integrations cover the full spectrum of enterprise content safety requirements:
- Secrets detection: Gitleaks-backed pattern matching for API keys, credentials, and tokens. Prompts containing credentials are blocked before they reach an external model.
- Custom regex: organization-specific PII detection, internal identifier patterns, and project-sensitive content. The PII detection template covers common personally identifiable information patterns.
- External guardrail providers: AWS Bedrock Guardrails, Azure Content Safety, Google Model Armor, CrowdStrike AIDR, GraySwan Cygnal, and Patronus AI.
Guardrail profiles are configured once and attached to virtual keys. A virtual key used by a healthcare application inherits the guardrail profile configured for PHI protection. A virtual key used by a developer tooling application inherits the profile appropriate for that context. Guardrails do not require application-level implementation.
Audit Logging for LLM Traffic
Audit logs in Bifrost Enterprise create an immutable per-request record for all LLM traffic through the gateway. Each audit entry captures the virtual key identity, the model and provider, the token counts, the guardrail outcomes, and the timestamp.
These records support the audit requirements of SOC 2, GDPR, HIPAA, and ISO 27001. They can be exported to data lakes, SIEMs, and analytics platforms through log exports, and directly to Datadog through the Datadog connector for LLM observability and APM integration.
Role-based access control governs which users can review audit logs, modify virtual keys, adjust budgets, and change guardrail profiles. The governance layer itself is governed.
Governing MCP Usage at the Gateway
The MCP gateway capability in Bifrost addresses the governance problem created by AI agents that connect to external tools and data sources. Without a governance layer, individual agents configure their own MCP server connections, with their own credentials, with no organizational visibility or control over which tools they access or what data they expose.
Centralized MCP Authentication
Bifrost as an MCP gateway centralizes authentication for all MCP server connections. Rather than each agent managing credentials for each MCP server directly, agents connect to Bifrost, which holds and manages the authentication to each downstream MCP server. Supported authentication methods include OAuth 2.0 with automatic token refresh and PKCE, header-based authentication, and per-user authentication flows.
MCP with federated auth extends this to existing enterprise APIs: organizations register their authenticated internal APIs as MCP tools in Bifrost without writing custom MCP server code. The internal API's existing authentication is used; Bifrost provides the MCP interface and enforces the governance controls.
Tool Filtering and MCP Tool Groups
Tool filtering in Bifrost controls which MCP tools each virtual key can access. A virtual key assigned to a customer support agent might have access only to a specific set of approved read-only tools. A virtual key assigned to a developer's coding agent might have access to a broader set including code execution and repository tools. Tool access is enforced at the gateway, not at the application level.
MCP tool groups in Bifrost Enterprise define named collections of MCP tools that can be attached to virtual keys, teams, customers, users, providers, or API keys. Tool groups implement least-privilege access at the tool level: an AI agent is exposed only to the tools that its assigned group permits. Groups are managed centrally and take effect immediately across all virtual keys that reference them.
MCP Audit Logging
Every tool call routed through Bifrost as an MCP gateway is recorded in the audit log. The audit trail captures the tool name, the arguments, the response, the virtual key identity, and the timestamp. When an AI agent executes a file operation, queries a database, or calls an internal API through an MCP tool, that action is attributable to a specific consumer identity with a complete execution record.
This audit capability addresses the most significant compliance gap in most enterprise MCP deployments: AI agent actions through MCP tools have typically carried no organizational record and no attribution.
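Tool-group filtering and per-call audit records as described in this section, in an added Go sketch that is not Bifrost's implementation: the `MCPGateway` and `AuditEntry` types, the group, key and tool names, and the choice to record denied calls as well as allowed ones are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical types for illustration; AuditEntry holds the fields the text lists.
type AuditEntry struct {
	Time                      time.Time
	Key, Tool, Args, Response string
	Allowed                   bool
}

type MCPGateway struct {
	Groups    map[string]map[string]bool     // tool group -> permitted tools
	KeyGroups map[string][]string            // virtual key -> attached groups
	Backend   func(tool, args string) string // downstream MCP server call
	Audit     []AuditEntry
}

// Allowed resolves groups at call time, so a group edit applies to every key
// that references it on the next request. Unlisted tools are denied.
func (g *MCPGateway) Allowed(key, tool string) bool {
	for _, grp := range g.KeyGroups[key] {
		if g.Groups[grp][tool] {
			return true
		}
	}
	return false
}

// Call enforces the filter in the gateway and audits allowed and denied calls
// alike; a denied call never reaches the backend.
func (g *MCPGateway) Call(key, tool, args string) (string, bool) {
	ok, resp := g.Allowed(key, tool), ""
	if ok {
		resp = g.Backend(tool, args)
	}
	g.Audit = append(g.Audit, AuditEntry{time.Now().UTC(), key, tool, args, resp, ok})
	return resp, ok
}

func NewDemoMCPGateway() *MCPGateway { // constructed sample groups, keys and stub backend
	return &MCPGateway{
		Groups:    map[string]map[string]bool{"support-readonly": {"tickets.read": true}, "dev-tools": {"code.exec": true}},
		KeyGroups: map[string][]string{"vk-support": {"support-readonly"}, "vk-dev": {"dev-tools"}},
		Backend:   func(tool, args string) string { return "ok:" + tool },
	}
}

func main() { fmt.Println(NewDemoMCPGateway().Call("vk-support", "code.exec", "{}")) }
```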
Governing Endpoint LLM and MCP Usage with Bifrost Edge
The governance capabilities at the gateway cover traffic that flows through provisioned API clients. They do not cover the LLM and MCP traffic that employees generate from their own machines through desktop applications, browser AI, and coding agents.
Bifrost Edge is the endpoint layer that closes this gap. Deployed fleet-wide through MDM platforms including Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud, Edge routes all AI traffic from every application on each machine through the organization's Bifrost gateway. The virtual keys, guardrails, and audit logs configured at the gateway apply to all routed endpoint traffic automatically.
Fleet-Wide LLM Application Governance
App governance gives administrators control over which AI applications are permitted across the fleet. Bifrost Edge inventories AI applications running on each managed device and surfaces them in the Approvals dashboard. Administrators approve or deny each application, and the decision is enforced at the device level. Currently governed applications include Claude Desktop, ChatGPT desktop, Cursor, Codex desktop, Claude Code, Codex CLI, OpenCode, ChatGPT web, and Claude web, with coverage expanding continuously.
Fleet-Wide MCP Server Governance
MCP governance at the endpoint inventories the MCP servers configured inside each supported AI application across every managed device. This fleet-wide catalog, covering which MCP servers exist, in which applications, and across how many machines, gives security teams the visibility they need to make governance decisions about tool access that was previously invisible to them. Administrators approve or deny each discovered MCP server, and denials are enforced on the device.
Guardrails and Audit Logs at the Endpoint
Because Bifrost Edge routes endpoint AI traffic through Bifrost, the guardrails configured at the gateway apply to desktop app requests, browser AI requests, and coding agent requests automatically. The audit log includes all endpoint AI traffic alongside gateway API client traffic, providing a unified compliance record across all governed AI usage.
Putting It Together: A Unified LLM and MCP Governance Architecture
A complete governance architecture using Bifrost and Bifrost Edge has three layers:
- Gateway layer: Bifrost as the AI gateway and control plane. Virtual keys provide per-consumer identity for provisioned API clients. Guardrails inspect every LLM request and response. Audit logs record all governed traffic. RBAC and SSO govern administrative access.
- MCP gateway layer: Bifrost as the MCP server that AI agents connect to. Centralized authentication for downstream MCP servers. Tool filtering and MCP tool groups enforce least-privilege tool access. All MCP tool calls are audit-logged.
- Endpoint layer: Bifrost Edge on every machine. All LLM and MCP traffic from desktop apps, browser AI, and coding agents routes through Bifrost. Fleet-wide AI app and MCP server inventory. Endpoint enforcement of app and MCP server approval decisions.
The full scope of governance capabilities across these three layers is documented on the Bifrost governance resource page and the Bifrost Enterprise page for organizations in regulated industries.
To see how this architecture applies to your organization's LLM and MCP governance requirements, book a demo with the Bifrost team.