Admin-approved catalog
Enable managed connectors or a public HTTPS MCP server, then snapshot every security-relevant detail.
One governed endpoint
Enable managed connectors or a public HTTPS MCP server, then snapshot every security-relevant detail.
Choose one owned or assigned identity per connector, narrow tools, and reuse the choice as a profile.
Default deny, deny precedence, immediate tightening, step-up approval, and no silent grant expansion.