Skip to content

Governance Audit Plugin

Purpose

The SailPoint Entro Claude Governance Audit plugin provides automatic audit logging for Model Context Protocol (MCP) tool calls executed within the Claude Code CLI. The integration ensures every interaction between the Claude agent and external tools is captured, enabling visibility into agentic workflows and a verifiable audit trail.

What This Integration Is

The SailPoint Entro Governance Audit plugin passively intercepts MCP tool calls and forwards audit metadata to SailPoint Entro.

Note

No code execution is modified. No tool output is changed. Every call is analyzed for intent, policy compliance and intercepted if needed.

Key Capabilities

  • Policy compliance: Enforce policies to govern, secure and protect your enterprise services from agentic AI misuse, destructive actions and potential leakage.

  • Automatic Audit Logging: Captures all remote MCP tool calls.

  • Agentic Visibility: Provides security teams with insight into AI-driven tool usage.

  • Security & Compliance: Supports audit and governance requirements for agentic AI workflows.

Deployment Model

The plugin is installed locally via the Claude CLI or organization wide through the Claude Organization Settings, and communicates outbound to SailPoint Entro Control Plane using an authenticated token embedded in the plugin package. The token only associates the Claude instance with its organization ID.

Installation

Use Claude Plugin Installation for the full flow (add the SailPoint Entro marketplace, then install this plugin): local or organization.

High-Level Architecture

+---------------------+           +------------------------+
|  Claude Code CLI    |           |     Entro Console      |
|  (Local Environment)|           |    (Control Plane)     |
+---------+-----------+           +-----------+------------+
          |                                   ^
          |        Audit Log Metadata         |
          +-----------------------------------+
                   (Auth: Entro Token)

Demo

Let's see how the MCP Audit plugin helps us get visibility on our Agentic AI's actions. In this brief demo, we write a prompt that triggers an MCP call - get my upcoming events on my Google Calendar. The plugin detected the MCP call, and audited it.

The plugin sent the audit log to the SailPoint Entro platform, and you can view it there. Log in into your SailPoint Entro account and navigate to "AI Agents Inventory" under "AI Agents". You can view the audit log with additional context:

Troubleshooting and Validation

  1. Run claude plugin list

    Run the following command to list plugins:

    claude plugin list

    or

    /plugin

  2. Execute a test MCP tool call

    Perform a test MCP tool call to validate functionality.

Common issues

Issue Cause Resolution
Marketplace add fails Invalid GitHub token Verify token
Plugin not found Marketplace missing Re-add marketplace
No logs Missing token Re-run init
Auth error Token expired Regenerate token

Support

Contact SailPoint Entro Support via your Customer Success Manager or approved support channels.

Permissions Reference

Summary

The Claude MCP Audit plugin operates with the minimum permissions required to intercept and log MCP tool call metadata.

Data collected

  • Tool name

  • Invocation timestamp

  • Tool parameters

  • Host name

  • System username

  • Claude account email

  • Used identity - Masked auth token (e.g., github_pat_11B******tobz), "oauth", or "local-process" in the case of a local MCP server tool call

  • User prompt

  • MCP server name

  • MCP server type - remote or local

  • MCP server address - in the case of a remote server

  • MCP server command - in the case of a local server

  • MCP server env vars - Env vars configured for local MCP servers

  • Tool call result

Security controls

  • Token-based authentication (AES-256)

  • TLS 1.2+ encrypted transport

  • Stateless processing with no local secret storage