Governance Audit Plugin
Purpose
The SailPoint Entro Claude Governance Audit plugin provides automatic audit logging for Model Context Protocol (MCP) tool calls executed within the Claude Code CLI. The integration ensures every interaction between the Claude agent and external tools is captured, enabling visibility into agentic workflows and a verifiable audit trail.
What This Integration Is
The SailPoint Entro Governance Audit plugin passively intercepts MCP tool calls and forwards audit metadata to SailPoint Entro.
Note
No code execution is modified. No tool output is changed. Every call is analyzed for intent, policy compliance and intercepted if needed.
Key Capabilities
-
Policy compliance: Enforce policies to govern, secure and protect your enterprise services from agentic AI misuse, destructive actions and potential leakage.
-
Automatic Audit Logging: Captures all remote MCP tool calls.
-
Agentic Visibility: Provides security teams with insight into AI-driven tool usage.
-
Security & Compliance: Supports audit and governance requirements for agentic AI workflows.
Deployment Model
The plugin is installed locally via the Claude CLI or organization wide through the Claude Organization Settings, and communicates outbound to SailPoint Entro Control Plane using an authenticated token embedded in the plugin package. The token only associates the Claude instance with its organization ID.
Installation
Use Claude Plugin Installation for the full flow (add the SailPoint Entro marketplace, then install this plugin): local or organization.
High-Level Architecture
+---------------------+ +------------------------+
| Claude Code CLI | | Entro Console |
| (Local Environment)| | (Control Plane) |
+---------+-----------+ +-----------+------------+
| ^
| Audit Log Metadata |
+-----------------------------------+
(Auth: Entro Token)
Demo
Let's see how the MCP Audit plugin helps us get visibility on our Agentic AI's actions. In this brief demo, we write a prompt that triggers an MCP call - get my upcoming events on my Google Calendar. The plugin detected the MCP call, and audited it.

The plugin sent the audit log to the SailPoint Entro platform, and you can view it there. Log in into your SailPoint Entro account and navigate to "AI Agents Inventory" under "AI Agents". You can view the audit log with additional context:

Troubleshooting and Validation
-
Run
claude plugin listRun the following command to list plugins:
claude plugin listor
/plugin -
Execute a test MCP tool call
Perform a test MCP tool call to validate functionality.
Common issues
| Issue | Cause | Resolution |
|---|---|---|
| Marketplace add fails | Invalid GitHub token | Verify token |
| Plugin not found | Marketplace missing | Re-add marketplace |
| No logs | Missing token | Re-run init |
| Auth error | Token expired | Regenerate token |
Support
Contact SailPoint Entro Support via your Customer Success Manager or approved support channels.
Permissions Reference
Summary
The Claude MCP Audit plugin operates with the minimum permissions required to intercept and log MCP tool call metadata.
Data collected
-
Tool name
-
Invocation timestamp
-
Tool parameters
-
Host name
-
System username
-
Claude account email
-
Used identity - Masked auth token (e.g.,
github_pat_11B******tobz),"oauth", or"local-process"in the case of a local MCP server tool call -
User prompt
-
MCP server name
-
MCP server type - remote or local
-
MCP server address - in the case of a remote server
-
MCP server command - in the case of a local server
-
MCP server env vars - Env vars configured for local MCP servers
-
Tool call result
Security controls
-
Token-based authentication (AES-256)
-
TLS 1.2+ encrypted transport
-
Stateless processing with no local secret storage