April 2026
Enterprise MCP: governance, billing, and access control
Handing agents the keys to a media generation budget is a real spend decision, not a feature toggle. Here is what enterprise teams put in place before they do it.
The $4,000 surprise invoice
A growth team at a mid-size SaaS company wired an internal Slack bot to an MCP media server in late January. It worked beautifully. By the end of February, finance flagged a $4,000 line item nobody recognized. The agent had been retrying failed video generations on a loop, each one cheap on its own, none of them visible to anyone who could have stopped it. There was no audit trail tied to a user, no spend ceiling, and no alert. The team learned about it from accounting.
This is the failure mode enterprise governance is built to prevent. Not malicious actors, not exotic attacks, just an agent doing exactly what it was told without anyone watching the meter. The fix is not a policy document. It is four concrete controls: who can call what, how much can be spent, what gets stored where for how long, and who answers when something goes wrong.
Workspace per product team, not per company
AgentFramer organizes everything inside a workspace. A workspace owns a credit balance, a member list, an MCP URL, a storage scope, and a region pin. The single most common mistake we see is enterprises modeling AgentFramer like Slack: one workspace for the whole company, everyone added in. That puts the marketing team's experiments and the engineering team's production traffic on the same balance and the same MCP URL.
The pattern that works is one workspace per product team. The growth team has its own workspace, its own balance, its own MCP URL. The content ops team has another. A leaked URL has a blast radius limited to one team's cap. A runaway agent stops at one team's hard cap, not at the company aggregate. The quick-start guide walks through the first workspace; create the rest from the dashboard as teams onboard.
Three roles plus a service identity
Each workspace ships with three roles:
- Admin: invites and removes members, manages billing, rotates the MCP URL, configures budget caps and webhooks.
- Developer: configures agents, generates API keys, reads billing and usage, but cannot change billing or rotate URLs.
- Viewer: read-only access to generations, audit log, and usage dashboards. Finance and compliance reviewers belong here.
An agent connecting via MCP uses a service identity, distinct from any human user. Treat it like an AWS IAM service role: rotate its token on a fixed cadence (90 days is a common choice for service credentials), scope it to one workspace, and never use a human's token in production, since a borrowed human token attributes every agent call to a person who never made it. The sample policy below is what we recommend dropping into your IAM reference docs:
{
"identity": "agent.growth-bot",
"workspace_id": "ws_4kP9x2",
"role": "developer",
"permissions": [
"generate_image",
"generate_video",
"get_credits",
"list_recent_generations"
],
"denied": [
"invite_team_member",
"top_up_balance",
"delete_workspace"
],
"token_rotation_days": 90,
"ip_allowlist": ["10.0.0.0/8"],
"created_by": "user_admin_192",
"created_at": "2026-04-12T09:14:00Z"
}
Budget caps: hard cap, soft alert
Spend protection has two layers. The hard cap is the credit balance itself: when it hits zero, every generation returns an error and nothing further is charged. There is no overage. The soft alert fires at a configurable threshold (default 75% of the workspace's typical monthly spend) and emails admins, optionally posting to a Slack webhook.
On top of that, agents can self-throttle. The get_credits tool is callable from the same MCP server the agent is already connected to. The pattern we recommend in our tool call patterns guide is a pre-flight check on any run that could exceed five dollars in a single tool call: video generation, batch image runs, anything the agent itself estimates as expensive. If the balance is below a configured floor, the agent stops, posts to its handler, and waits for a top-up rather than chewing through the remainder.
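The pre-flight pattern and the retry loop from the opening story, side by side, as an added example (not AgentFramer or MCP SDK code). The tool names get_credits and generate_video are the page's; FakeMcpServer, the $12 cost, the $20 floor and the five-attempt ceiling are assumptions constructed so it runs offline. The point it makes that the paragraph alone does not: re-checking the balance before every retry is what turns a loop that drains to the hard cap into one that stops at the floor.

```python
"""Agent-side spend guard: pre-flight get_credits plus a bounded retry loop.

Added example; not AgentFramer or MCP SDK code. The tool names get_credits and
generate_video come from the page. FakeMcpServer, the cost figures, the floor
and the retry ceiling are assumptions constructed so the example runs offline.
"""
from dataclasses import dataclass, field

PREFLIGHT_THRESHOLD_USD = 5.00  # page: pre-flight any call estimated above $5


class GenerationFailed(RuntimeError):
    """The provider charged the call but produced no usable output."""


class InsufficientCredits(RuntimeError):
    """The workspace hard cap: balance is too low to start the call."""


class BudgetStop(Exception):
    """The agent stopped itself; a human must top up or investigate."""


@dataclass
class FakeMcpServer:
    """Stand-in for the workspace MCP server (constructed for this example).

    A failed generation is still charged, which is what made the retry loop in
    the story expensive: nothing succeeded, but every attempt debited credits.
    """
    balance_usd: float
    fail_first_n: int = 0  # number of leading calls that fail before one succeeds
    calls: list = field(default_factory=list)

    def get_credits(self) -> dict:
        return {"balance_usd": round(self.balance_usd, 2)}

    def generate_video(self, prompt: str, cost_usd: float) -> dict:
        if self.balance_usd < cost_usd:
            raise InsufficientCredits("workspace balance exhausted")
        self.calls.append(prompt)
        self.balance_usd -= cost_usd
        if len(self.calls) <= self.fail_first_n:
            raise GenerationFailed("provider returned no output")
        return {"url": f"https://cdn.example.invalid/g_{len(self.calls)}.mp4"}


def naive_retry_loop(server, prompt, cost_usd):
    """The failure mode from the story: retry until it works, never look at the meter."""
    while True:
        try:
            return server.generate_video(prompt, cost_usd)
        except GenerationFailed:
            continue  # only the hard cap (InsufficientCredits) ever ends this loop


def preflight_ok(server, estimated_cost_usd, floor_usd):
    """Spend only if the balance after this call would stay at or above the floor."""
    balance = server.get_credits()["balance_usd"]
    return balance - estimated_cost_usd >= floor_usd


def guarded_generate(server, prompt, estimated_cost_usd, floor_usd, max_attempts=5):
    """One generation with the floor re-checked before every attempt and a retry ceiling."""
    for attempt in range(1, max_attempts + 1):
        if estimated_cost_usd > PREFLIGHT_THRESHOLD_USD and not preflight_ok(
            server, estimated_cost_usd, floor_usd
        ):
            raise BudgetStop(
                f"attempt {attempt}: balance would fall below ${floor_usd:.2f}; waiting for top-up"
            )
        try:
            return server.generate_video(prompt, estimated_cost_usd)
        except GenerationFailed as exc:
            if attempt == max_attempts:
                raise BudgetStop(f"gave up after {attempt} attempts: {exc}") from exc
    raise AssertionError("unreachable")


def demo():
    """Same broken provider, same $50 balance; compare what each loop spends."""
    broken = 10**6  # the provider fails every call for the duration of the incident
    naive = FakeMcpServer(balance_usd=50.0, fail_first_n=broken)
    try:
        naive_retry_loop(naive, "launch teaser", cost_usd=12.0)
    except InsufficientCredits:
        pass
    guarded = FakeMcpServer(balance_usd=50.0, fail_first_n=broken)
    try:
        guarded_generate(guarded, "launch teaser", estimated_cost_usd=12.0, floor_usd=20.0)
    except BudgetStop:
        pass
    return {
        "naive": {"calls": len(naive.calls), "balance": naive.balance_usd},
        "guarded": {"calls": len(guarded.calls), "balance": guarded.balance_usd},
    }


if __name__ == "__main__":
    print(demo())
```

The naive loop runs until the hard cap refuses the fifth call, having spent $48 of $50 on nothing. The guarded loop makes two attempts, sees that a third would breach the floor, and raises BudgetStop with $26 still on the balance; the handler then decides whether to top up, which is the human checkpoint the story lacked.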
Hard cap is the seatbelt. Soft alert is the dashboard light. Pre-flight get_credits is the driver checking the gauge before merging onto the highway. All three together are how a $4,000 surprise becomes a $40 stop.
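The service-identity policy in the previous section says what agent.growth-bot may do; the page does not show the check that enforces it. The following is an added example, not AgentFramer code, of how a gateway in front of the MCP server would evaluate one tool call against that policy. The field names are the page's; the evaluation order (explicit deny wins over permissions, then the IP allowlist, then token age against token_rotation_days) and the token_issued_at input are assumptions.

```python
"""Gateway-side evaluation of the service-identity policy shown on the page.

Added example, not AgentFramer code. Field names match the page's policy JSON;
the check order and the token_issued_at input are assumptions about how a
gateway in front of the MCP server would apply the policy.
"""
import ipaddress
from datetime import datetime, timedelta

# Policy document from the page, unchanged.
POLICY = {
    "identity": "agent.growth-bot",
    "workspace_id": "ws_4kP9x2",
    "role": "developer",
    "permissions": ["generate_image", "generate_video", "get_credits", "list_recent_generations"],
    "denied": ["invite_team_member", "top_up_balance", "delete_workspace"],
    "token_rotation_days": 90,
    "ip_allowlist": ["10.0.0.0/8"],
    "created_by": "user_admin_192",
    "created_at": "2026-04-12T09:14:00Z",
}


def parse_ts(value: str) -> datetime:
    """RFC 3339 'Z' timestamps, the form used in all of the page's JSON samples."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def authorize(policy, *, identity, workspace_id, tool, client_ip, token_issued_at, now):
    """Return (allowed, reason). Every deny names the failing check so the gateway can log it."""
    if identity != policy["identity"] or workspace_id != policy["workspace_id"]:
        return False, "identity or workspace does not match policy"
    if tool in policy["denied"]:  # explicit deny wins even if a permission also lists the tool
        return False, f"{tool} is explicitly denied"
    if tool not in policy["permissions"]:  # default deny for anything unlisted
        return False, f"{tool} is not in permissions"
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in ipaddress.ip_network(cidr) for cidr in policy["ip_allowlist"]):
        return False, f"{client_ip} is outside ip_allowlist"
    age = now - parse_ts(token_issued_at)
    limit = timedelta(days=policy["token_rotation_days"])
    if age > limit:  # a token past its rotation cadence is treated as expired, not merely overdue
        return False, f"token is {age.days} days old; rotation cadence is {limit.days} days"
    return True, "ok"


if __name__ == "__main__":
    now = parse_ts("2026-04-29T14:22:08.413Z")  # the audit row's timestamp from the page
    for tool in ("generate_image", "top_up_balance", "rotate_mcp_url"):
        print(tool, authorize(POLICY, identity="agent.growth-bot", workspace_id="ws_4kP9x2",
                              tool=tool, client_ip="10.4.2.7",
                              token_issued_at="2026-04-12T09:14:00Z", now=now))
```

Two design points worth keeping when you adapt this: the deny list is checked before the permission list, so a mistaken entry in permissions cannot override an explicit deny, and a token older than token_rotation_days is refused rather than merely flagged, which is what makes the rotation cadence a control instead of a reminder.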
Audit log: who, when, what, how much
Every successful tool call writes one row to the audit log. The shape is stable, queryable from the dashboard, and exportable as JSON for your data warehouse:
{
"ts": "2026-04-29T14:22:08.413Z",
"request_id": "req_01HW8K2N4Q",
"workspace_id": "ws_4kP9x2",
"user_id": "agent.growth-bot",
"tool": "generate_image",
"model": "flux-pro-1.1",
"prompt_hash": "sha256:9f1c...e802",
"cost_usd": 0.042,
"result_url": "https://cdn.agentframer.com/ws_4kP9x2/g_8K2N4Q.png",
"region": "eu-west-1",
"retention_days": 30
}
Notice prompt_hash rather than the raw prompt. Full prompts are stored separately under the workspace's retention policy, so the audit log itself can be retained longer (default seven years for enterprise plans) without copying potentially sensitive text into a long-lived index. Compliance gets the trail, the prompt store follows your data policy. One caveat: an unkeyed SHA-256 of a short prompt is a correlation key, not an anonymizer. Anyone holding the log can confirm whether a particular suspected prompt was sent by hashing it and comparing, so keep access to the audit log as tightly controlled as access to the prompt store.
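The audit row is only useful if something reads it. Below is an added example, not AgentFramer code, of the two detections a SOC would run over the exported rows to catch the opening story's loop: one identity regenerating the same prompt_hash, and one identity's spend over a rolling window. The rows are constructed in the page's row shape (result_url, region and retention_days dropped for brevity); the thresholds are assumptions to tune per workspace. Note the page says only successful tool calls write a row, so this keys on what does land in the log rather than on error responses.

```python
"""Runaway-loop detection over exported AgentFramer audit log rows.

Added example, not AgentFramer code. Row shape follows the page; the rows
themselves are constructed. Thresholds (repeat_n, spend_cap_usd, windows) are
assumptions to tune per workspace.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one human image call, then an agent regenerating the same
# video prompt six times in under three minutes at $4.20 a call.
SAMPLE_LOG = """\
{"ts":"2026-04-29T14:20:01.000Z","request_id":"req_c01","workspace_id":"ws_4kP9x2","user_id":"user_dev_7","tool":"generate_image","model":"flux-pro-1.1","prompt_hash":"sha256:aa11","cost_usd":0.042}
{"ts":"2026-04-29T14:22:08.413Z","request_id":"req_c02","workspace_id":"ws_4kP9x2","user_id":"agent.growth-bot","tool":"generate_video","model":"video-model","prompt_hash":"sha256:9f1c","cost_usd":4.2}
{"ts":"2026-04-29T14:22:40.000Z","request_id":"req_c03","workspace_id":"ws_4kP9x2","user_id":"agent.growth-bot","tool":"generate_video","model":"video-model","prompt_hash":"sha256:9f1c","cost_usd":4.2}
{"ts":"2026-04-29T14:23:12.000Z","request_id":"req_c04","workspace_id":"ws_4kP9x2","user_id":"agent.growth-bot","tool":"generate_video","model":"video-model","prompt_hash":"sha256:9f1c","cost_usd":4.2}
{"ts":"2026-04-29T14:23:45.000Z","request_id":"req_c05","workspace_id":"ws_4kP9x2","user_id":"agent.growth-bot","tool":"generate_video","model":"video-model","prompt_hash":"sha256:9f1c","cost_usd":4.2}
{"ts":"2026-04-29T14:24:20.000Z","request_id":"req_c06","workspace_id":"ws_4kP9x2","user_id":"agent.growth-bot","tool":"generate_video","model":"video-model","prompt_hash":"sha256:9f1c","cost_usd":4.2}
{"ts":"2026-04-29T14:24:55.000Z","request_id":"req_c07","workspace_id":"ws_4kP9x2","user_id":"agent.growth-bot","tool":"generate_video","model":"video-model","prompt_hash":"sha256:9f1c","cost_usd":4.2}
"""


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(lines, *, repeat_n=4, repeat_window=timedelta(minutes=10),
           spend_cap_usd=20.0, spend_window=timedelta(hours=1)):
    """Return one alert per (rule, key) the first time it trips, in log order."""
    rows = sorted((json.loads(l) for l in lines.splitlines() if l.strip()),
                  key=lambda r: r["ts"])
    repeats = defaultdict(deque)  # (workspace, user, prompt_hash) -> timestamps in window
    spend = defaultdict(deque)    # (workspace, user) -> (timestamp, cost) in window
    fired = set()                 # suppress duplicate alerts once a rule has tripped
    alerts = []
    for r in rows:
        ts = parse_ts(r["ts"])
        actor = (r["workspace_id"], r["user_id"])

        rkey = actor + (r["prompt_hash"],)
        q = repeats[rkey]
        q.append(ts)
        while q and ts - q[0] > repeat_window:
            q.popleft()
        if len(q) >= repeat_n and ("repeat", rkey) not in fired:
            fired.add(("repeat", rkey))
            alerts.append({"kind": "repeated_prompt", "user_id": r["user_id"],
                           "request_id": r["request_id"], "count": len(q)})

        s = spend[actor]
        s.append((ts, r["cost_usd"]))
        while s and ts - s[0][0] > spend_window:
            s.popleft()
        total = sum(c for _, c in s)
        if total > spend_cap_usd and ("spend", actor) not in fired:
            fired.add(("spend", actor))
            alerts.append({"kind": "spend_rate", "user_id": r["user_id"],
                           "request_id": r["request_id"], "total_usd": round(total, 2)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The repeated-prompt rule trips on the fourth identical call and the spend-rate rule on the fifth, both a couple of minutes into the loop rather than a month later in accounting. Each alert carries the request_id, so an analyst can pivot straight back to the row and, through the prompt store, to the prompt.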
SIEM webhook to Splunk or Datadog
Audit log entries also fan out via webhook in real time. Point the webhook at your SIEM's HTTP event collector and every generation lands in your existing dashboards alongside the rest of your logs:
POST https://http-intake.logs.datadoghq.eu/api/v2/logs
X-AgentFramer-Signature: t=1777472528,v1=4f3a...
Content-Type: application/json
{
"event": "generation.completed",
"version": "1",
"ts": "2026-04-29T14:22:08.413Z",
"request_id": "req_01HW8K2N4Q",
"workspace_id": "ws_4kP9x2",
"user_id": "agent.growth-bot",
"tool": "generate_image",
"model": "flux-pro-1.1",
"cost_usd": 0.042,
"balance_after_usd": 312.18,
"region": "eu-west-1",
"result_url": "https://cdn.agentframer.com/ws_4kP9x2/g_8K2N4Q.png"
}
Signatures use HMAC-SHA256 with a workspace secret. Verify them on the raw request body before parsing the JSON, and check that the t= timestamp is recent before accepting the event; otherwise a captured delivery can be replayed into your SIEM later. The same payload format works for Splunk HEC and any custom collector; we publish the full schema in the MCP reference.
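The receiving side of the webhook, as an added example rather than AgentFramer code. The page gives the header format (t=<unix seconds>,v1=<hex>) and the algorithm (HMAC-SHA256 with a workspace secret) but not what the HMAC covers; the code assumes the common construction HMAC(secret, "<t>.<raw body>"), and signed_input() is the one function to change if the MCP reference specifies something else. The secret and body are constructed. Beyond the page it also accepts several v1 values in one header, which is how a secret rotation is usually done without a window of rejected deliveries.

```python
"""Verifying X-AgentFramer-Signature on an audit webhook delivery.

Added example, not AgentFramer code. Header format and algorithm are from the
page; the signed input "<t>.<raw body>" is an assumption. Verify on the raw
bytes before json.loads: re-serialised JSON will not reproduce the signature.
"""
import hashlib
import hmac

SIGNATURE_HEADER = "X-AgentFramer-Signature"
DEFAULT_TOLERANCE_S = 300  # reject deliveries whose t is more than 5 minutes from now


def signed_input(t: int, raw_body: bytes) -> bytes:
    """Assumed construction: the timestamp binds the body to a delivery time."""
    return f"{t}.".encode() + raw_body


def compute_v1(secret: bytes, t: int, raw_body: bytes) -> str:
    return hmac.new(secret, signed_input(t, raw_body), hashlib.sha256).hexdigest()


def parse_signature_header(value: str):
    """'t=1777472528,v1=abc,v1=def' -> (1777472528, ['abc', 'def']).

    More than one v1 is accepted so a workspace secret can be rotated: the
    sender signs with old and new for a while, the receiver matches either.
    """
    t, v1s = None, []
    for part in value.split(","):
        key, _, val = part.strip().partition("=")
        if key == "t":
            t = int(val)
        elif key == "v1":
            v1s.append(val)
    if t is None or not v1s:
        raise ValueError("malformed signature header")
    return t, v1s


def verify_delivery(headers, raw_body: bytes, secret: bytes, now: int,
                    tolerance_s: int = DEFAULT_TOLERANCE_S) -> bool:
    """True only if t is within tolerance and some v1 matches the HMAC of the raw body.

    `headers` is a plain dict here; real frameworks expose case-insensitive headers.
    """
    try:
        t, v1s = parse_signature_header(headers.get(SIGNATURE_HEADER, ""))
    except ValueError:
        return False
    if abs(now - t) > tolerance_s:
        return False  # stale or future-dated: treat as a replay, even if the HMAC is valid
    expected = compute_v1(secret, t, raw_body).encode()
    # Constant-time comparison so a forger learns nothing from timing.
    return any(hmac.compare_digest(expected, cand.encode()) for cand in v1s)


if __name__ == "__main__":
    secret = b"whsec_constructed_example_only"
    body = b'{"event":"generation.completed","request_id":"req_01HW8K2N4Q","cost_usd":0.042}'
    t = 1777472528
    hdrs = {SIGNATURE_HEADER: f"t={t},v1={compute_v1(secret, t, body)}"}
    print(verify_delivery(hdrs, body, secret, now=t + 10))   # fresh, genuine
    print(verify_delivery(hdrs, body, secret, now=t + 900))  # same bytes, too old
```

Replay within the tolerance window is still possible from a captured delivery; the request_id in the payload is the natural key to deduplicate on at the collector, so a second copy of req_01HW8K2N4Q inside five minutes is dropped rather than counted twice.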
Storage, retention, and data residency
Generated media is stored at signed URLs scoped to the workspace. Default retention is 30 days. Enterprise plans can shorten that to one day for sensitive workloads, or extend it for archival. If your policy is "no model output lives on a vendor longer than necessary", set retention to one day and have the agent download anything it needs to keep into your own object store.
Data residency is pinned per workspace. Pick EU or US at workspace creation; the MCP endpoint, the storage bucket, and the audit log all stay inside that region. Cross-region replication is opt-in. The model providers themselves vary; the model library marks each model's residency, and several models offer EU-only inference for GDPR-bound workloads.
Prompts and outputs are subject to GDPR data subject requests via the dashboard's deletion API. Output ownership sits with the workspace under the AgentFramer terms; underlying model licenses are linked from each model page. The SOC 2 Type II report is available under NDA to any Admin from the security panel.
When enterprise governance is too much
Most of this is overhead for most teams. If you are a three-person startup prototyping a feature, a solo developer building a side project, or a single-product company with one shared agent and one shared budget, you do not need workspace-per-team, you do not need a 90-day token rotation cadence, and you do not need a SIEM webhook.
For those teams the right setup is the default: one workspace, one admin, a credit balance you check weekly, and the dashboard's built-in audit view. Hard cap at whatever monthly number you can absorb without calling a board meeting. The whole governance stack above is a tax that only pays for itself when there are real cost centers, real compliance reviewers, and real human users on different teams who should not see each other's prompts. Until then, ignore it. Build the product.
The starting checklist
When the team passes the threshold where governance starts to matter, the rollout that works:
- One workspace per product team. Region pinned at creation.
- Hard cap set to the team's expected monthly spend. Soft alert at 75%.
- Service identity per agent, scoped to one workspace, token rotated every 90 days.
- Pre-flight get_credits on any tool call estimated above $5.
- Audit webhook pointed at Splunk or Datadog. Viewer role added for finance and compliance.
- Retention set to match your data policy. Default 30 days is a reasonable starting point.
Six bullets. Maybe an afternoon of work. The difference between an agent your finance team trusts and the one that ships you a $4,000 invoice. None of this gets in the way of an agent doing useful work, and all of it is reversible. Start with one workspace and the hard cap, layer the rest in as the surface area grows.