
MCP gateways and ChatGPT Dev Mode: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: ChatGPT Developer Mode can reach a local SQLite MCP server through an identity-aware reverse tunnel that handles auth, TLS and per-request policy enforcement, according to Pomerium. The core issue is not convenience but whether enterprises can expose local tools to cloud LLMs without breaking Zero Trust assumptions.

NHIMG editorial — based on content published by Pomerium: Secure SQL AI analyst, enabled by Pomerium and ChatGPT Developer Mode

By the numbers:

Questions worth separating out

Q: How should security teams govern MCP access for cloud-hosted AI tools?

A: Security teams should govern MCP access as a request-level identity problem, not a network problem.

Q: Why do VPN-based controls fail for ChatGPT-style tool access?

A: VPNs fail because they authenticate network presence, not the specific tool request made by a cloud-hosted model.

Q: What should teams do with upstream secrets used by MCP servers?

A: Teams should treat upstream secrets as non-human identities with owners, expiry, rotation and revocation requirements.

Practitioner guidance

  • Classify MCP upstream credentials as governed NHIs: inventory the OAuth tokens, certificates and API secrets that allow an LLM or MCP server to reach internal data sources.
  • Enforce per-request authorisation at the gateway: require the access decision to evaluate identity, resource, operation and context for each tool invocation.
  • Remove VPN dependence from AI tool access design: map every local or internal tool exposed to a cloud model and replace blanket network trust with identity-aware routing.

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • A live walkthrough of how the reverse tunnel terminates in Pomerium and how auth, TLS and policy enforcement are wired together.
  • The exact ChatGPT Developer Mode workflow used to list tables, generate SQL and render output through MCP tools.
  • Configuration-level guidance for handling OAuth flows, upstream tokens and certificate management without custom server code.
  • Practical examples of how the same route can be reused for local development, testing and peer sharing.

👉 Read Pomerium's analysis of secure MCP access with ChatGPT Developer Mode →


(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Request-layer governance is becoming the new control plane for AI tool access. The article shows why perimeter-first thinking fails when a cloud LLM needs to reach a local tool through MCP. The important trust decision happens at invocation time, not at network admission, which means IAM and NHI controls must move closer to the request itself. Practitioners should treat every MCP call as a governed access event, not a transport detail.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why AI toolchains that rely on upstream credentials need explicit ownership and review.

A question worth separating out:

Q: How do you know whether an MCP gateway is actually enforcing Zero Trust?

A: You know it is working if access decisions are made per request and can distinguish among users, tools, actions and context. If the gateway only opens a path and then trusts everything over that path, it is acting like a tunnel, not a Zero Trust control. The test is whether policy can block one call without disabling the whole integration.

👉 Read our full editorial: MCP gateways reshape secure AI analyst workflows in ChatGPT Dev Mode
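One way to make that test concrete, as an added example that is not from the editorial or from Pomerium: a per-request policy check over MCP tools/call requests for the SQLite analyst scenario in the topic post, which also covers the "enforce per-request authorisation at the gateway" guidance above (identity, resource, operation and context evaluated per invocation). The tool names, group names and the client claim are assumptions.

```python
"""Per-request authorisation for MCP tools/call requests at a gateway (constructed
example: tool names, group names and the client claim are assumptions, not
Pomerium's policy language or the SQLite MCP server's API)."""
import re
from dataclasses import dataclass, field

READ_VERBS = {"select", "explain"}  # fail closed: anything else counts as a write


@dataclass
class Identity:
    subject: str                  # principal the gateway authenticated (e.g. OIDC email)
    groups: set = field(default_factory=set)
    client: str = "unknown"       # assumed context claim: which client sent the request


# Each rule binds identity (group), resource (tool), operation and context (client).
POLICY = [
    {"group": "sql-analysts", "tool": "list_tables", "ops": {"read"}, "clients": {"chatgpt-devmode"}},
    {"group": "sql-analysts", "tool": "query", "ops": {"read"}, "clients": {"chatgpt-devmode"}},
    {"group": "dba", "tool": "query", "ops": {"read", "write"}, "clients": {"chatgpt-devmode", "local-cli"}},
]


def classify_operation(tool: str, arguments: dict) -> str:
    """Derive the operation class from the call's own content, not from the tunnel."""
    if tool != "query":
        return "read"
    sql = arguments.get("sql", "")
    if ";" in sql.rstrip("; \n"):  # stacked statements: classify as a write
        return "write"
    m = re.match(r"\s*(\w+)", sql)
    return "read" if m and m.group(1).lower() in READ_VERBS else "write"


def authorize(request: dict, identity: Identity) -> tuple[bool, str]:
    """Decide one MCP JSON-RPC request; every call is a separate access event."""
    if request.get("method") != "tools/call":
        return False, f"{request.get('method')}: not a governed tool call"
    params = request.get("params", {})
    tool, args = params.get("name", ""), params.get("arguments", {})
    op = classify_operation(tool, args)
    for rule in POLICY:
        if (rule["group"] in identity.groups and rule["tool"] == tool
                and op in rule["ops"] and identity.client in rule["clients"]):
            return True, f"{identity.subject}: {tool}/{op} allowed via group {rule['group']}"
    return False, f"{identity.subject}: {tool}/{op} from {identity.client} matched no rule"


def mcp_call(tool: str, **arguments) -> dict:
    """Build a minimal MCP tools/call request (JSON-RPC 2.0 envelope)."""
    return {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": tool, "arguments": arguments}}
```

Running authorize() over an analyst's list_tables, SELECT and DROP requests yields allow, allow, deny: the single DROP call is blocked while the rest of the integration keeps working, which is the behaviour a tunnel that trusts everything after admission cannot give you.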
