What is an MCP server?

An MCP server exposes tools, resources, or prompts through the Model Context Protocol so an AI application can retrieve context or request actions from an external system.

Why do enterprise security teams need an MCP server inventory?

MCP servers often hold OAuth grants, API tokens, database roles, cloud roles, browser sessions, or repository access. A server inventory helps teams understand which tools can read, write, mutate, or export enterprise data.

How should MCP servers be governed?

Treat MCP servers like privileged integration software: inventory each server, assign an owner, scope credentials, separate read and write permissions, log tool invocations, review retrieved data, and keep LLM provider traffic behind a governed gateway.

RESOURCE / MCP SERVER DIRECTORY

MCP Server Directory for Enterprise AI Teams

Known tool connectors, ranked by credential exposure and governance priority.

MCP servers make agents useful by connecting them to databases, SaaS systems, browsers, repositories, cloud control planes, and internal tools. They also expand the blast radius of agent access. This directory helps security and platform teams decide which servers need the strongest review before production use.

Request enterprise review →Review gateway controls →

MODEL CONTEXT PROTOCOL / GOVERNANCE

The server list is useful. The access model is what matters.

MCP adoption creates a new integration layer between agents and enterprise systems. Treat every server as a privileged connector with its own credentials, permissions, data access, and runtime audit requirements.

Inventory the server

Track owner, environment, host, exposed tools, upstream system, credential type, write capability, and whether the server is approved for production agent use.

Constrain credentials

Prefer short-lived tokens, read-only roles, narrow OAuth scopes, project allowlists, and separate credentials for development, staging, and production agents.

Record tool access

Log tool name, arguments, resource IDs, retrieved documents, write operations, actor, model route, and final outcome so security teams can reconstruct activity.

Govern model calls

Keep LLM provider traffic behind an on-prem gateway with virtual keys, budgets, guardrails, and durable audit while tool-specific permissions stay scoped at the source system.

CURATED MCP SERVER LIST

Popular MCP servers by enterprise risk surface

Use this as a starting inventory. Confirm each server implementation, version, OAuth scope, and deployment model before approving it for production use.

Data & Storage

Databases, warehouses, files, and operational records that often contain regulated data.

07 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

PostgreSQLSchema inspection, read-only analytics, controlled SQL queriesRelational databaseDatabase user, host allowlist, schema grantsCriticalUse read-only roles, query allowlists, row-level security, and full query logging.

MySQLOperational database lookup and controlled reportingRelational databaseDatabase user, network path, table grantsCriticalSeparate production credentials, restrict write operations, and rotate exposed secrets.

BigQueryWarehouse analysis, BI lookup, governed data explorationCloud warehouseGoogle service account, dataset IAM, billing projectCriticalBind service accounts to approved datasets and monitor query cost per agent workflow.

SnowflakeEnterprise analytics over governed warehouse dataCloud warehouseUser, role, warehouse, network policyCriticalUse least-privilege roles, masking policies, warehouse quotas, and query audit exports.

SupabaseApplication data access, schema lookup, developer automationPostgres application platformProject token, service role key, database roleHighAvoid service-role keys in agents and enforce row-level security for all agent paths.

Google DriveDocument retrieval, knowledge lookup, file searchDocument storageOAuth scopes, domain delegation, shared-drive permissionsHighConstrain OAuth scopes, isolate service accounts, and log file IDs returned to agents.

BoxDocument search, policy lookup, content workflowsEnterprise content managementOAuth app, enterprise token, folder permissionsHighLimit folder scope and require approval before agents access customer or legal records.

Cloud & Infrastructure

Cloud, cluster, deployment, and runtime systems where MCP tool access can affect production assets.

05 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

AWSResource inventory, operational lookup, automation assistanceCloud platformIAM role, access key, STS session, resource policyCriticalPrefer short-lived roles, deny destructive APIs by default, and stream CloudTrail evidence.

AzureTenant inventory, deployment context, operational automationCloud platformManaged identity, app registration, RBAC assignmentCriticalScope app registrations tightly and alert on privileged role assignment or secret creation.

CloudflareDNS, Workers, observability, and edge configuration lookupEdge and developer platformAPI token, account scope, zone permissionHighUse account-scoped tokens with read-only defaults and approvals for DNS or deploy actions.

KubernetesCluster diagnostics, workload status, deployment investigationCluster orchestrationKubeconfig, service account, RBAC bindingCriticalBind read-only roles by namespace and block exec, secret read, and mutating verbs unless approved.

TerraformState review, drift context, infrastructure planningInfrastructure as codeWorkspace token, cloud backend, provider credentialsHighSeparate plan from apply and keep state access away from broad agent prompts.

Development Tools

Code, CI/CD, observability, and security platforms used by engineering and platform teams.

09 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

GitHubRepository search, pull request review, issue triage, code contextRepository and SDLC platformOAuth app, GitHub App token, PAT, repository permissionCriticalPrefer GitHub Apps, repository allowlists, branch protections, and audit every write action.

GitLabProject lookup, merge request context, issue and pipeline operationsRepository and DevOps platformProject token, group token, OAuth app, CI permissionsCriticalConstrain project scope, separate read and write tokens, and block pipeline mutation by default.

GitLocal code search, diff inspection, repository history analysisVersion controlLocal repository path, SSH key, filesystem accessHighRun in a sandboxed workspace and prevent arbitrary filesystem traversal.

DatadogMetrics, logs, monitors, incidents, and dashboard contextObservability platformAPI key, application key, site, org roleHighUse read-scoped apps and prevent agents from muting monitors or changing incident routing.

GrafanaDashboard lookup, incident context, metrics and log explorationObservability platformService account token, data-source permissionsHighScope service accounts by folder and data source; log query text and panel access.

SentryError triage, release context, stack trace analysisApplication monitoringOrganization token, project token, issue permissionMediumRestrict project scope and redact PII in stack traces before agent retrieval.

SemgrepStatic analysis findings, policy context, remediation workflowsCode security scanningOrganization token, project permissionMediumAllow read-only finding access and route remediation changes through pull requests.

PostmanAPI collection lookup and test execution contextAPI collaborationAPI key, workspace role, environment secretsHighPrevent environment secret exposure and separate collection read from execution privileges.

VercelDeployment lookup, project status, build contextApplication hostingTeam token, project scope, deployment permissionHighKeep deployment tokens read-only unless change control approves release actions.

Content & Search

Web, browser, crawler, documentation, and search tools that expand what agents can retrieve.

06 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

Brave SearchWeb research, source discovery, external contextSearch APIAPI key, query quota, usage billingMediumLog query terms and keep search output outside trusted data boundaries until validated.

FetchFetch web pages and convert content for model contextWeb retrievalOutbound network access, URL allowlistMediumApply domain allowlists, malware scanning, and prompt-injection filtering on retrieved text.

FirecrawlStructured website extraction and research automationCrawler and extraction APIAPI key, crawl quota, outbound domainsMediumRestrict crawl domains and retain provenance for every retrieved page.

PlaywrightWeb app testing, UI inspection, workflow automationBrowser automationBrowser session, cookies, filesystem, networkCriticalRun isolated browsers, block credential reuse, and record screenshots plus network traces.

PuppeteerHeadless browser tasks, scraping, and UI workflow executionBrowser automationBrowser session, cookies, filesystem, networkCriticalUse disposable profiles, outbound allowlists, and strict download/upload restrictions.

Google MapsGeocoding, route planning, place lookupLocation APIAPI key, quota, project billingLowRestrict API keys by referrer or service account and monitor quota consumption.

Productivity & SaaS

Collaboration systems where agent access can expose conversations, tickets, docs, and CRM data.

06 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

AtlassianTicket lookup, project context, documentation retrievalJira, Confluence, and CompassOAuth scopes, API token, project and space permissionHighLimit Jira projects and Confluence spaces; require approval for writes or status changes.

SlackConversation lookup, incident context, workflow notificationsMessaging and collaborationBot token, user token, channel membership, OAuth scopesHighRestrict channels, redact sensitive messages, and separate read bots from posting bots.

NotionKnowledge base lookup, database update, project documentationWorkspace documentationIntegration token, page and database permissionsMediumShare only approved pages with the integration and avoid workspace-wide access.

LinearIssue lookup, roadmap context, engineering workflow automationIssue trackingOAuth app, API key, workspace permissionMediumSeparate issue read access from mutation and log every generated comment or status change.

AsanaTask lookup, project updates, planning contextWork managementOAuth app, workspace permission, project membershipMediumConstrain projects and route task creation or assignment through approval flows.

HubSpotAccount lookup, customer context, CRM workflow assistanceCRM and marketing platformPrivate app token, OAuth scopes, object permissionsHighMinimize CRM object scopes and redact customer PII before passing context to models.

AI & Memory

Model, vector, memory, and retrieval systems that shape agent context and long-lived recall.

04 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

Hugging FaceModel lookup, dataset search, inference and deployment contextModel and dataset platformAccess token, organization permission, gated model accessMediumSeparate public model discovery from organization tokens and gated asset access.

QdrantVector search, retrieval, and memory-backed agent contextVector databaseAPI key, collection permission, network endpointHighPartition collections by tenant and log every vector query plus document ID returned.

LlamaCloudRAG indexing, document retrieval, managed knowledge workflowsManaged retrieval and data pipeline platformAPI key, index permission, data source connectorHighSeparate indexing credentials from retrieval credentials and review source permissions.

MemoryLong-lived agent context and preference recallPersistent agent memoryLocal store, database token, user profile dataHighExpire memory records, classify stored facts, and block regulated data from persistence.

Business Systems

Payments, support, and workflow systems where tool calls can read or mutate customer operations.

04 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

StripeCustomer, subscription, invoice, and payment workflow lookupPayments platformRestricted key, webhook secret, account permissionCriticalUse restricted read keys and require explicit approval for refunds, disputes, or price changes.

IntercomSupport context, customer history, workflow automationCustomer supportAccess token, workspace permission, conversation scopeHighRedact customer data and separate read-only context from outbound message generation.

SalesforceAccount lookup, pipeline context, support and sales workflowsCRM platformOAuth app, connected app policy, object permissionsCriticalConstrain object permissions, require field-level security, and monitor bulk export attempts.

monday.comOperational workflow lookup, project updates, board automationWork operating systemAPI token, board permission, workspace accessMediumScope tokens by board and require review before agents create automations or change owners.

ENTERPRISE REFERENCE ARCHITECTURE

Keep MCP tool access and LLM provider access governed as separate control planes.

MCP servers authorize tools and data sources. Agent Access Manager governs LLM provider access through virtual keys, routing, budgets, guardrails, metering, and audit. Separating these paths gives platform teams clearer evidence and fewer shared secrets.

01Agent applicationuses MCP tools + virtual LLM key

02MCP serverscoped to source-system credential

03Agent Access Managerroutes model call through /v1/chat/completions

04Audit planerecords tool evidence + model usage outcome

MCP ACCESS REVIEW

Prioritize the MCP servers that can touch regulated data or production systems.

Review your current MCP server inventory, model-provider keys, data boundaries, and audit requirements with an enterprise AI gateway architecture session.

Request enterprise review →Recommended for CISO, CTO, platform, and AppSec teams