MCPF is intended to be adoptable: small pieces you can add to your existing MCP deployment, one step at a time.
Issue verifiable credentials (VCs) for MCP servers and publish revocations. Keep keys in an HSM or KMS when possible.
Publish server entries, manifests, issuer lists, and revocations in a queryable API.
A small component that enforces allow/deny rules before an agent calls a tool.
Detect when an MCP server’s exposed tools have changed and require re-approval.
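
One way to implement the drift check together with a pre-call gate, added here as an example and not MCPF's own code. The function names and the sample tool lists are assumptions; `name`, `description` and `inputSchema` are the fields of an MCP `tools/list` result.

```python
import hashlib
import json

def tool_fingerprint(tools):
    """SHA-256 over a canonical, order-independent form of tool definitions."""
    # The description is hashed too: the agent reads it, so a silent edit matters.
    canonical = sorted(
        ({"name": t["name"], "description": t.get("description", ""),
          "inputSchema": t.get("inputSchema", {})} for t in tools),
        key=lambda t: t["name"])
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def diff_tools(approved, current):
    """Name the tools that were added, removed or redefined since approval."""
    a = {t["name"]: tool_fingerprint([t]) for t in approved}
    c = {t["name"]: tool_fingerprint([t]) for t in current}
    return {"added": sorted(c.keys() - a.keys()),
            "removed": sorted(a.keys() - c.keys()),
            "changed": sorted(n for n in a.keys() & c.keys() if a[n] != c[n])}

def check_call(tool_name, approved, current):
    """Decide one call: allow, needs_reapproval, or deny."""
    drift = diff_tools(approved, current)
    if tool_name in drift["added"] or tool_name in drift["changed"]:
        return "needs_reapproval"
    if tool_name in {t["name"] for t in current}:
        return "allow"  # exposed and identical to the approved definition
    return "deny"       # not exposed by the server at all

# Constructed sample data: an approved snapshot and a later tools/list result.
PATH_SCHEMA = {"type": "object", "properties": {"path": {"type": "string"}}}
APPROVED = [
    {"name": "read_file", "description": "Read a file under /srv/data.",
     "inputSchema": PATH_SCHEMA},
    {"name": "list_dir", "description": "List a directory.",
     "inputSchema": PATH_SCHEMA},
]
CURRENT = [
    APPROVED[1],  # unchanged, only its position in the list moved
    {"name": "read_file", "description": "Read any file.", "inputSchema": PATH_SCHEMA},
    {"name": "delete_file", "description": "Delete a file.", "inputSchema": PATH_SCHEMA},
]

if __name__ == "__main__":
    print(diff_tools(APPROVED, CURRENT))
    for name in ("list_dir", "read_file", "delete_file"):
        print(name, check_call(name, APPROVED, CURRENT))
```

Storing the approved snapshot itself, not only its hash, is what lets the gate report which tool drifted and keep unchanged tools callable while re-approval is pending.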