MCP and identity governance: are your controls ready for AI?

TL;DR: Omada’s MCP Developer Reference shows how AI systems can interact with governed identity data through auditable channels, positioning MCP as the integration layer while IGA remains the policy and oversight layer, according to Omada Identity. The governance question is no longer whether AI can connect to identity systems, but whether access, accountability, and policy enforcement stay intact when intelligent systems become part of the control plane.

NHIMG editorial — based on content published by Omada Identity: Omada Advances AI-Ready Governance with the Model Context Protocol Initiative

By the numbers:

• Only 18% of MCP server deployments implement any form of access scoping for tool permissions.

Questions worth separating out

Q: How should security teams govern AI systems that access identity data through MCP?

A: Treat MCP as a governed transport path, not a trust grant.

Q: Why does MCP create new governance challenges for IAM and IGA teams?

A: MCP reduces integration friction, but it also increases the number of systems that can consume identity context.

Q: What breaks when AI tools can query identity data without strong auditability?

A: Accountability breaks first, followed by policy assurance.

Practitioner guidance

• Define MCP as a governed integration layer Classify every MCP connection as a policy-controlled pathway and require the same approval, logging, and oversight standards used for other identity data integrations.
• Bind every AI query to an audit record Capture who or what initiated the request, which identity objects were exposed, and what downstream action followed so the record can survive review and investigation.
• Separate AI assistance from delegated authority Allow AI to assist with governance analysis, but keep approval, entitlement changes, and lifecycle actions behind explicit policy gates that cannot be bypassed by the protocol layer.

What's in the full article

Omada Identity's full blog covers the operational detail this post intentionally leaves for the source:

• Developer reference examples for connecting AI systems to governed identity data through MCP.
• Configuration templates and early-access materials for experimenting with policy-aware identity workflows.
• Implementation context for aligning Omada IGA controls with AI-assisted access patterns.
• The source article's own framing of the transition from AI for IGA to IGA for AI.

👉 Read Omada Identity's blog on the MCP initiative for AI-ready governance →

MCP and identity governance: are your controls ready for AI?

Explore further

View Full Forum →  |  NHI Foundation Course →