Device Trust MCP and endpoint governance: are your controls ready?

TL;DR: The governance challenge is no longer whether AI can query endpoint data, but whether identity, access, and audit controls are ready for AI-mediated administration, as 1Password’s Device Trust MCP Server connects device security data to AI tools like Claude and ChatGPT, giving admins logged, auditable access to checks, issues, audit logs, and reporting across 59 API tools while the MCP ecosystem has grown from around 1,200 servers in early 2025 to over 6,400 today.

NHIMG editorial — what this means for AI and NHI governance

By the numbers:

• The ecosystem has grown from around 1,200 servers in early 2025 to over 6,400 today.
• The Device Trust MCP Server covers the full Device Trust API surface across 59 tools.

Questions worth separating out

Q: How should security teams govern MCP servers used by AI tools?

A: Treat each MCP server as a privileged non-human identity integration.

Q: Why do MCP-based workflows increase identity governance risk?

A: MCP-based workflows move administration into an AI client, which can hide how access is exercised unless logging and scope controls are explicit.

Q: What breaks when AI tools can query endpoint data without tight scoping?

A: The first failure is privilege expansion, because a broad tool surface makes it easy for the AI client to reach more data than the task requires.

Practitioner guidance

• Classify MCP servers as privileged integrations Assign each server an owner, a business purpose, and a least-privilege scope for the specific Device Trust tools it exposes.
• Require query-level audit trails Make sure every AI-mediated request can be traced back to the user, client, token, and endpoint set queried.
• Limit MCP data exposure by use case Separate administrative workflows that need device posture from those that need audit logs, owner data, or reporting.

What's in the full announcement

1Password's full article covers the operational detail this post intentionally leaves for the source:

• The full setup flow for running the Device Trust MCP Server locally with bearer-token authentication.
• The exact 59-tool Device Trust API surface exposed through the MCP connector.
• Examples of the device, people, issues, checks, audit logs, and reporting queries the server can handle in practice.
• The support-document installation steps for Claude, Cursor, and other MCP-compatible clients.

👉 Read 1Password's article on the Device Trust MCP Server for AI tools →

Device Trust MCP and endpoint governance: are your controls ready?

Explore further

View Full Forum →  |  NHI Foundation Course →