The MCP-tool authority surface KYE™ proves per invocation.
EC-Council ADG names MC-7 — the Tools & MCP Register — as a minimum control for any organisation running AI agents. The KYE Tool & MCP Authority Register™ productises MC-7 as a tenant-scoped, signed, runtime-bound artefact. The KYE Tool Authority Engine™ checks every agent tool call against the register; unregistered tool calls are refused; every permitted call emits a tool_call_pin evidence event sealed at T=0. The canonical schema is kye.tool_mcp_register.v1; the sample register lives at public/examples/tool-mcp-register/sample-register.json.
Per entry — everything the runtime needs to refuse or admit a tool call.
- Trust tier. One of tier-0 untrusted, tier-1 sandboxed, tier-2 scoped, tier-3 trusted. The tier is the floor for every other field on the entry.
- Permitted agents. Which agent URNs may invoke the tool. Any other agent is refused at the gate.
- Permitted actions. Which action verbs the tool exposes. Anything not on the list is refused.
- Data access scope. Data classes, regions, and rate limit. A tool that touches PII outside its declared regions is refused.
- Write permissions. none / tenant-scoped-write / system-of-record-write / external-side-effect. Each lift demands a higher approval threshold.
- Approval threshold. auto / single-approver / two-person / two-person-with-legal / super-admin. The threshold gates the call into GovernedUI™ when required.
- Evidence requirements. Which canonical evidence schemas MUST be emitted per invocation. Missing evidence = retroactively inadmissible.
- Finality conditions. The terminal conditions for the call — e.g. settled-or-reversed, replay-proof-derivable, federation-chain-resolved.
- Assurance review cadence. last_assurance_review + next_assurance_review — the register decays without periodic re-review.
Four tiers — scope grows; floor moves with it.
| Tier | Write permission ceiling | Approval threshold floor | Evidence floor |
|---|---|---|---|
| tier-0 untrusted | none | single-approver | tool_call_pin |
| tier-1 sandboxed | none | auto | tool_call_pin + evidence pack |
| tier-2 scoped | tenant-scoped-write | single-approver | tool_call_pin + evidence pack + decision map |
| tier-3 trusted | external-side-effect / system-of-record-write | two-person (or two-person-with-legal) | tool_call_pin + evidence pack + admissibility + replay-proof + attestation |
Five entries spanning the ladder — canonical at sample-register.json.
- Experimental research LLM (tier-0). Public-only data, no write permission, single-approver, read-only finality.
- Sanctions screener sandbox (tier-1). Pseudonymous PII, no write permission, auto-approval, session-bounded read.
- Case management write API (tier-2). Tenant-scoped write, single-approver, write bound to case_id, human-approver recorded.
- Faster Payments rail adapter (tier-3). External side-effect, two-person approval above threshold, settled-or-reversed finality, replay-proof derivable.
- Cross-org settlement bridge (tier-3). External side-effect + system-of-record write, two-person-with-legal, federation-chain-resolved, authority finality recorded.
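The per-entry fields and tier floors described above can be read as a default-deny gate. The sketch below is an added example, not KYE™ code and not the kye.tool_mcp_register.v1 schema: every field name, URN, evidence identifier and function name is hypothetical, the entry is constructed from the tier-2 sample description, and treating the write-permission and approval lists as ordered, and refusing calls on an entry that breaks its tier floor, are assumptions.

```python
# Added illustration. Field names, URNs and the entry below are constructed;
# they are not the kye.tool_mcp_register.v1 schema.
WRITE = ["none", "tenant-scoped-write", "system-of-record-write", "external-side-effect"]
APPROVAL = ["auto", "single-approver", "two-person", "two-person-with-legal", "super-admin"]
# Tier -> (write ceiling, approval floor), taken from the tier table above.
TIER_FLOOR = {
    "tier-0": ("none", "single-approver"),
    "tier-1": ("none", "auto"),
    "tier-2": ("tenant-scoped-write", "single-approver"),
    "tier-3": ("external-side-effect", "two-person"),
}

REGISTER = {  # constructed entry modelled on the tier-2 case-management sample
    "urn:tool:case-mgmt-write": {
        "trust_tier": "tier-2",
        "permitted_agents": ["urn:agent:case-triage"],
        "permitted_actions": ["case.update"],
        "data_classes": ["pii"],
        "regions": ["uk"],
        "write_permission": "tenant-scoped-write",
        "approval_threshold": "single-approver",
        "evidence": ["tool_call_pin", "evidence_pack", "decision_map"],
    }
}

def entry_violations(entry):
    """Return the ways an entry exceeds what its trust tier allows."""
    ceiling, floor = TIER_FLOOR[entry["trust_tier"]]
    problems = []
    if WRITE.index(entry["write_permission"]) > WRITE.index(ceiling):
        problems.append("write permission above tier ceiling")
    if APPROVAL.index(entry["approval_threshold"]) < APPROVAL.index(floor):
        problems.append("approval threshold below tier floor")
    return problems

def gate(register, agent, tool, action, data_class, region):
    """Default-deny check of one tool call; returns (decision, detail)."""
    entry = register.get(tool)
    if entry is None:
        return ("refuse", "tool not in register")
    if entry_violations(entry):  # assumption: a mis-tiered entry admits nothing
        return ("refuse", "entry inconsistent with its trust tier")
    if agent not in entry["permitted_agents"]:
        return ("refuse", "agent not permitted")
    if action not in entry["permitted_actions"]:
        return ("refuse", "action not permitted")
    if data_class not in entry["data_classes"] or region not in entry["regions"]:
        return ("refuse", "outside declared data scope")
    if entry["approval_threshold"] != "auto":
        return ("needs-approval", entry["approval_threshold"])
    return ("admit", entry["evidence"])
```

On an admit, the returned list is the evidence the caller must emit for that invocation; rate limiting, finality conditions and review cadence are left out of this sketch.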
ADG declares the control. KYE™ makes it refuse the call.
- ADG MC-7 (Tools & MCP Register). "Every tool an agent calls MUST be enumerated in a register with trust tier, permitted scope, evidence requirements." The KYE Tool & MCP Authority Register™ is that register, materialised as a signed JSON document the KYE Tool Authority Engine™ reads on every invocation.
- KAC™-4 (Tool / MCP Authority Register). The runtime-side mirror of MC-7. Unregistered tool calls are refused at the gate, not flagged in post-hoc analytics.
- tool_call_pin (the side-effect binding). Each permitted call emits a kye.evidence.tool_call_pin.v1 event binding the tool invocation to the admitted grant. Prompt injection cannot retrofit authority after the fact.
8-week pilot. £75,000. One tenant. Up to 25 tool/MCP entries.
Bring your existing tool catalogue and MCP topology. The pilot delivers the register definition, the Tool Authority Engine binding for your runtime, per-tier evidence binding, and Replay-Proof™ derivation. Outcome: every agent tool call you run for the pilot tenant is admissible-or-refused at the gate, with evidence sealed at T=0.