AI Governance Institute logo
AI Governance Institute

Intelligence for Compliance and GRC Teams

← News
Announcement2026-06-13

AI Governance Institute Publishes Open-Source MCP Server for Automating Governance Controls

Source

ai-governance-mcp on GitHub

AI Governance Institute

What happened

AI Governance Institute published the ai-governance-mcp server to GitHub under an open-source license. The server exposes three governance controls as MCP tools: one runs output guardrail checks against a system prompt or model output and flags policy violations; one scores an AI deployment against a structured risk taxonomy and returns a risk tier with justification; and one generates adversarial test cases for a target system prompt and summarizes attack surface findings. All three tools run locally through Claude Code or any client that supports the Model Context Protocol.

Why it matters

  • ·Governance controls have historically lived in policy documents, not in developer workflows. MCP tooling changes that: when safety screening and risk classification run inside the same environment where AI systems are built and tested, teams can catch governance gaps at the point of development rather than after deployment. The friction of running a governance check drops from hours to seconds.
  • ·The three controls chosen for the initial release (SAF-001, HOC-001, SAF-005) cover the highest-value automation opportunities: output validation, risk tier assignment, and adversarial testing. These are also the controls most often skipped in practice because they require specialized effort to run consistently. Automating them via MCP removes the effort barrier.
  • ·MCP is emerging as the standard integration layer for AI tooling. Publishing governance controls as MCP tools means they can be composed with other tools in agentic workflows, not just used interactively. A CI/CD pipeline, an agent review step, or a pre-deployment checklist can all invoke these controls programmatically.
  • ·Open-source distribution allows compliance teams to inspect the control logic, adapt it to their internal risk taxonomy, and contribute improvements. Governance tools that are opaque or proprietary are harder to audit and harder to trust. Reviewable source is a prerequisite for controls that produce audit-ready output.

Governance controls affected

What to do now

  • Install the ai-governance-mcp server and add it to your Claude Code MCP configuration to start running safety screening and risk classification in your development workflow.
  • Run the risk classification tool against any AI systems currently in development or recently deployed to get a baseline risk tier. Compare the output against your internal risk register and flag discrepancies for review.
  • Use the red-teaming tool to generate adversarial test cases for any system prompts powering customer-facing or high-stakes internal AI applications. Review the attack surface summary with your security team before go-live.
  • If your organization has a custom risk taxonomy, consider forking the repository and adapting the risk classification logic to align with your internal definitions. The control logic is designed to be readable and modifiable.
  • Review your AI governance program for other controls that could be automated and flag them for future MCP tool development. Controls with structured inputs and verifiable outputs are the best candidates.

What to watch next

Additional governance controls moving toward automation in the Control Executor roadmap, and whether the MCP ecosystem develops shared schemas for governance tool output so that results from different tools and vendors can be aggregated into a unified compliance record.

AI Governance Weekly

Weekly intelligence on AI regulation, enforcement, and governance. Every Thursday.

Powered by Buttondown.

Related Coverage

Research2026-07-14

A Five-Phase Blueprint Builds a Full AI Governance Program in Six Months, Offering a Replicable Model for Enterprises Without Dedicated AI Counsel

Fortium Partners published a case study documenting how a Fractional Chief AI Officer constructed an enterprise AI governance program from scratch in six months. The program was grounded in ISO 42001 and the NIST AI Risk Management Framework and delivered a complete operating model including a RACI matrix, three-tier risk classification, AI System Inventory, vendor security review enhancements, and a Center of Excellence training function. The case study presents a five-phase implementation blueprint designed to be adopted by other organizations seeking to right-size governance to actual risk.

Research2026-07-08

Eight-Step ITSM Deployment Framework from GSDCouncil Puts Hallucination Detection and Data Privacy Controls at the Center of AI Governance

The GSDCouncil has published a research report outlining an eight-step framework for deploying generative AI in IT service management, with explicit governance requirements covering access controls, data privacy, hallucination detection, and regulatory compliance. The report includes named case studies and positions structured risk controls as prerequisites for AI-driven automation in ITSM. Compliance teams at organizations using AI in service desk and IT operations functions should treat the framework as a benchmark against which their existing controls can be assessed.

Corporate Policy2026-07-01

Databricks Enterprise AI Governance Guide Puts Risk Classification and PII Controls at the Center of Program Design

Databricks published a practitioner-oriented guide outlining best practices for enterprise AI governance, recommending that organizations inventory and classify AI use cases by risk level before applying controls. The guide emphasizes cross-functional role assignment, built-in safeguards for personally identifiable information, and proactive monitoring across the AI system lifecycle. It targets enterprise compliance teams building or maturing AI governance programs on data and model platforms.