Developers frequently configure Model Context Protocol (MCP) servers with AI agents, yet many organizations lack visibility into these connections. This article explores the challenges of shadow AI in the context of MCP servers and how Bifrost and Bifrost Edge provide a solution for comprehensive visibility and governance.
The rapid adoption of AI agents has introduced new complexities for enterprise security and governance. As developers integrate powerful AI tools into their workflows, they often connect these tools to external services and internal systems through Model Context Protocol (MCP) servers. Without a centralized way to track and control these connections, organizations face a significant "shadow AI" problem, where critical data pathways operate outside of IT and security oversight. Gaining visibility into every MCP server configured across an organization's endpoints is essential for maintaining security and compliance. Bifrost, an open-source AI gateway, with its endpoint component Bifrost Edge, offers a robust framework for addressing this challenge.
The Challenge of Ungoverned MCP Servers and Shadow AI
AI agents are no longer passive tools; they actively plan, call external tools, and execute actions, often with delegated authority. The Model Context Protocol (MCP), introduced in November 2024, enables this by providing a standardized way for AI systems to interact with external data sources, applications, and services. It acts like a universal adapter, allowing AI assistants to query databases, read files, call APIs, and even run shell commands. This capability, while powerful for developers, creates a new security risk: shadow MCP.
Shadow MCP refers to the MCP servers that employees configure for their AI applications without formal security review or central governance. These servers can be wired directly into developer tools like Claude Code, Cursor, or VS Code Copilot Chat, often with little to no visibility for IT or security teams. The risks are substantial:
- Data exfiltration: Ungoverned MCP servers can inadvertently expose sensitive data to unauthorized external systems.
- Privilege escalation: An agent using an MCP server might inherit the broad access of the developer who installed it, potentially accessing privileged systems without explicit authorization.
- Compliance gaps: Without an audit trail of MCP server usage and data flows, organizations struggle to meet regulatory requirements like SOC 2, GDPR, HIPAA, and ISO 27001.
- Misconfiguration and vulnerabilities: Misconfigured MCP servers can create new attack surfaces, acting as backdoors into internal systems.
A 2026 Verizon Data Breach Investigations Report noted a fourfold increase in shadow AI detections, highlighting it as a common insider action in enterprise environments. This growing challenge underscores the need for comprehensive visibility into endpoint AI.
What is an MCP Server?
The Model Context Protocol (MCP) is an open standard designed to enable AI applications to connect with external data and services seamlessly. It standardizes how AI agents discover and interact with external "tools" at runtime. These tools can include anything from internal databases and file systems to web search engines and custom APIs.
An MCP ecosystem involves three primary components:
- MCP Host: The AI application or environment (e.g., an AI-powered IDE or conversational AI) that contains the LLM.
- MCP Client: A component within the MCP host that facilitates communication between the LLM and the MCP server.
- MCP Server: The external service that provides context, data, or capabilities to the LLM. It exposes specific "tools" that the AI agent can invoke to perform actions.
For example, an AI coding assistant might use an MCP server to access a company's codebase, an issue tracker, or internal documentation. This allows the AI to provide real-time, context-aware assistance beyond its initial training data. The protocol uses JSON-RPC 2.0 messages for communication between client and server.
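To make the client/server exchange concrete, here is an added, self-contained Python example (not code from the original article, from Bifrost, or from any MCP SDK). It models a toy MCP-style server that exposes one hypothetical tool, "read_ticket", over JSON-RPC 2.0 and a client that first discovers the tools and then calls one. The method names "tools/list" and "tools/call" and the result field names follow the MCP specification; the tool, its sample data and the in-process transport are assumptions made for the example. Argument validation against the tool's declared input schema is included because an agent will happily send whatever the model produced, so the server side should reject unknown or missing arguments before the handler runs.

```python
import json
from typing import Any, Dict, Optional

# Constructed sample data: a tiny in-memory "issue tracker" the tool reads from.
TICKETS = {"ENG-42": "Rotate the staging database credentials"}


def read_ticket(ticket_id: str) -> str:
    """Hypothetical tool handler: return a ticket title, or "" if unknown."""
    return TICKETS.get(ticket_id, "")


# Tool registry. "read_ticket" is a hypothetical tool; the field names
# (name, description, inputSchema) are those MCP uses in tools/list results.
TOOLS: Dict[str, Dict[str, Any]] = {
    "read_ticket": {
        "description": "Return the title of an issue-tracker ticket",
        "inputSchema": {
            "type": "object",
            "properties": {"ticket_id": {"type": "string"}},
            "required": ["ticket_id"],
        },
        "handler": read_ticket,
    }
}


def _result(rid: Any, result: Any) -> str:
    return json.dumps({"jsonrpc": "2.0", "id": rid, "result": result})


def _error(rid: Any, code: int, message: str) -> str:
    return json.dumps({"jsonrpc": "2.0", "id": rid,
                       "error": {"code": code, "message": message}})


def _validate_args(schema: Dict[str, Any], args: Dict[str, Any]) -> Optional[str]:
    """Check required keys and reject unknown ones before the handler runs."""
    allowed = set(schema.get("properties", {}))
    missing = [k for k in schema.get("required", []) if k not in args]
    unknown = [k for k in args if k not in allowed]
    if missing or unknown:
        return f"missing={missing} unknown={unknown}"
    return None


def handle_request(raw: str) -> str:
    """Server side: dispatch one JSON-RPC 2.0 request and return the response."""
    try:
        req = json.loads(raw)
    except json.JSONDecodeError:
        return _error(None, -32700, "Parse error")
    if not isinstance(req, dict):
        return _error(None, -32600, "Invalid Request")
    rid = req.get("id")
    if req.get("jsonrpc") != "2.0" or not isinstance(req.get("method"), str):
        return _error(rid, -32600, "Invalid Request")
    method, params = req["method"], req.get("params") or {}

    if method == "tools/list":
        tools = [{"name": n, "description": t["description"], "inputSchema": t["inputSchema"]}
                 for n, t in TOOLS.items()]
        return _result(rid, {"tools": tools})

    if method == "tools/call":
        tool = TOOLS.get(params.get("name"))
        if tool is None:
            return _error(rid, -32602, "Unknown tool")
        args = params.get("arguments") or {}
        problem = _validate_args(tool["inputSchema"], args)
        if problem:
            return _error(rid, -32602, f"Invalid arguments: {problem}")
        text = tool["handler"](**args)
        return _result(rid, {"content": [{"type": "text", "text": text}]})

    return _error(rid, -32601, "Method not found")


def make_request(rid: int, method: str, params: Optional[Dict[str, Any]] = None) -> str:
    """Client side: build a JSON-RPC 2.0 request envelope."""
    msg: Dict[str, Any] = {"jsonrpc": "2.0", "id": rid, "method": method}
    if params is not None:
        msg["params"] = params
    return json.dumps(msg)


def run_exchange():
    """Discover the server's tools, then invoke one; return both parsed responses."""
    listing = json.loads(handle_request(make_request(1, "tools/list")))
    call = json.loads(handle_request(make_request(
        2, "tools/call", {"name": "read_ticket", "arguments": {"ticket_id": "ENG-42"}})))
    return listing, call


if __name__ == "__main__":
    for resp in run_exchange():
        print(json.dumps(resp, indent=2))
```

Running the script prints the tools/list result followed by the tools/call result. In a real deployment the same two messages travel over stdio or HTTP between the MCP client inside the host application and the MCP server process, which is exactly the traffic an endpoint agent has to see in order to inventory and govern it.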
Bifrost Edge: Gaining Visibility into Endpoint MCP Usage
Traditional security tools often fail to close the visibility gap around shadow AI because they focus on network perimeters, which endpoint AI frequently bypasses through direct, encrypted connections. Effectively governing MCP servers requires controls at the point where AI actually runs: the endpoint itself.
Bifrost addresses this by combining the Bifrost AI gateway, as the control plane and policy engine, with Bifrost Edge, which extends that same governance to every machine. Bifrost Edge is a lightweight agent that runs natively on macOS, Windows, and Linux devices. Its primary function is to route all AI traffic from the endpoint through the organization's Bifrost gateway automatically. This brings desktop applications, browser AI, coding agents, and, crucially, the MCP servers those tools connect to, under a single, unified governance framework.
Bifrost Edge tackles shadow MCP by providing essential visibility:
- Fleet-wide MCP Server Inventory: Bifrost Edge discovers and inventories the MCP servers configured within each AI application across the entire fleet of devices. This creates a live, deduplicated catalog of every MCP server in use, allowing security teams to answer "what MCP servers are running on our fleet?" with real data.
- Real-time Discovery: New MCP servers are detected as they appear, rather than during periodic audits. This continuous monitoring ensures that administrators have an up-to-date view of their AI ecosystem.
- Supported Applications: Bifrost Edge supports discovery for a growing list of popular AI applications, including Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor. This ensures comprehensive coverage for the tools developers commonly use.
This visibility provides the foundation for effective governance, transforming an invisible threat into an observable, manageable aspect of the enterprise AI landscape.
From Visibility to Control: Approving and Denying MCP Servers
Once Bifrost Edge provides visibility into configured MCP servers, the Bifrost AI gateway enables administrators to apply granular policy controls. The governance configured at the gateway level automatically applies to endpoint AI traffic routed by Edge.
Administrators can manage detected MCP servers through a centralized dashboard:
- Per-Server Allow/Deny Decisions: The system allows admins to make explicit allow or deny decisions for each discovered MCP server. This policy is then enforced directly on the device. A denied server cannot be used, even if an application had it configured before the policy was established.
- Approval Workflows: When Edge detects a new MCP server, it can automatically request approval in the admin console. Administrators can configure whether pending servers are allowed or blocked while awaiting review, ensuring control from the moment of discovery.
- Unified Governance Policies: Existing Bifrost features like virtual keys, budgets, rate limits, and guardrails extend to MCP server traffic. This means the same content safety and data loss prevention policies that apply to API calls at the gateway also protect prompts and responses from endpoint AI, preventing sensitive content like secrets or PII from leaving the machine.
- Audit Logs: Every MCP tool call is recorded in immutable audit logs, providing a critical trail for compliance with standards such as SOC 2, GDPR, and HIPAA.
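The two steps above, discovering which MCP servers each application has configured (the fleet inventory described under Bifrost Edge) and then applying a per-server allow/deny decision with a configurable default for servers still awaiting review, can be illustrated with a small added Python example. This is not Bifrost's or Bifrost Edge's code and does not show how Edge actually performs discovery; it is a stand-alone illustration of the idea. It assumes that each application stores its servers under an "mcpServers" key in a JSON file (the layout Claude Desktop, Cursor and Claude Code use), and the file paths, server names, commands and URLs are constructed for the example. Servers are fingerprinted by their normalized command line or URL so the same server configured in two applications appears once in the catalog.

```python
import json
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, Set

# Assumed config locations, relative to a home directory. They mirror the
# "mcpServers" JSON layout those apps use, but the exact per-platform paths
# are an assumption of this example, not a statement about any product.
CONFIG_CANDIDATES = {
    "Claude Desktop": "claude_desktop_config.json",
    "Cursor": ".cursor/mcp.json",
    "Claude Code": ".mcp.json",
}


@dataclass(frozen=True)
class McpServer:
    identity: str   # normalized command line (stdio) or URL (http)
    transport: str  # "stdio" or "http"


def fingerprint(entry: dict) -> McpServer:
    """Reduce a config entry to a stable identity so duplicates across apps collapse."""
    if "url" in entry:
        return McpServer(str(entry["url"]).strip(), "http")
    parts = [str(entry.get("command", ""))] + [str(a) for a in entry.get("args", [])]
    return McpServer(" ".join(p for p in parts if p), "stdio")


def discover(home: Path) -> Dict[McpServer, Set[str]]:
    """Scan the candidate config files under `home`; map each server to the app:name pairs using it."""
    inventory: Dict[McpServer, Set[str]] = {}
    for app, rel in CONFIG_CANDIDATES.items():
        path = home / rel
        if not path.is_file():
            continue
        try:
            servers = json.loads(path.read_text(encoding="utf-8")).get("mcpServers", {})
        except (json.JSONDecodeError, OSError, AttributeError):
            continue  # unreadable or malformed file: skip it, do not abort the scan
        for name, entry in servers.items():
            if isinstance(entry, dict):
                inventory.setdefault(fingerprint(entry), set()).add(f"{app}:{name}")
    return inventory


def evaluate(inventory: Iterable[McpServer], allow: Set[str], deny: Set[str],
             pending_default: str = "deny") -> Dict[McpServer, str]:
    """Per-server decision: explicit deny wins, then explicit allow, else the pending default."""
    decisions: Dict[McpServer, str] = {}
    for server in inventory:
        if server.identity in deny:
            decisions[server] = "deny"
        elif server.identity in allow:
            decisions[server] = "allow"
        else:
            decisions[server] = pending_default  # discovered but not yet reviewed
    return decisions


def build_sample_home() -> Path:
    """Write constructed config files into a temp dir; names, commands and URLs are made up."""
    home = Path(tempfile.mkdtemp())
    fs = {"command": "npx", "args": ["-y", "example-fs-server", "/home/dev/repo"]}
    (home / "claude_desktop_config.json").write_text(json.dumps({"mcpServers": {"fs": fs}}))
    (home / ".cursor").mkdir()
    (home / ".cursor" / "mcp.json").write_text(json.dumps({"mcpServers": {"repo-files": fs}}))
    (home / ".mcp.json").write_text(json.dumps(
        {"mcpServers": {"internal-db": {"url": "http://localhost:9999/mcp"}}}))
    return home


def demo():
    """Inventory the sample home, then apply a policy that has approved only the file server."""
    home = build_sample_home()
    inventory = discover(home)
    allow = {"npx -y example-fs-server /home/dev/repo"}
    decisions = evaluate(inventory, allow=allow, deny=set())
    return inventory, decisions


if __name__ == "__main__":
    inv, dec = demo()
    for server, apps in inv.items():
        print(f"{dec[server]:5}  {server.transport:5}  {server.identity}  <- {sorted(apps)}")
```

The output lists two servers, not three: the file server configured in both Claude Desktop and Cursor collapses into one catalog entry with two references, while the unreviewed HTTP server falls through to the pending default, which is set to "deny" here to reflect the "blocked while awaiting review" option described above. Pointing `discover` at a real home directory would only work for the assumed paths; a production agent would also need the platform-specific locations, per-project config files, and a way to detect changes as they happen rather than on each scan.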
Deployment and Integration for Comprehensive Governance
Bifrost Edge is designed for fleet-wide deployment, rather than relying on manual per-machine setup. Organizations can push Edge to every device using existing device management (MDM) platforms, delivering a managed configuration that points each machine to the organization's Bifrost gateway. This ensures that governance applies across the entire fleet without requiring individual users to reconfigure their AI tools.
Supported MDM platforms include Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud, covering macOS, Windows, and Linux endpoints. This integration with existing IT infrastructure streamlines the rollout process, making it feasible to achieve comprehensive endpoint AI governance at scale.
Bifrost Edge is currently in alpha and available to enterprise customers of the Bifrost gateway. Teams interested in gaining this level of visibility and control can request early access to evaluate its capabilities.
By pairing the powerful Bifrost AI gateway as a policy engine with Bifrost Edge for endpoint enforcement, organizations can transform their approach to AI agent governance. This combined strategy ensures that every MCP server, whether sanctioned or not, becomes visible and governable, helping to secure sensitive data and maintain compliance in an evolving AI landscape.