Compliance

Every MCP primitive mapped to a compliance control: the four-framework crosswalk

Visionality's MCP gateway primitives map directly to SOC 2, ISO 27001, ISO 42001, and NIST AI RMF controls. This document is the crosswalk — what each MCP feature implements, which framework + control it satisfies, and how it surfaces in the continuous-evidence pack.

By Chris Therriault · 10 min read

When procurement at a regulated buyer asks "how does your MCP gateway map to our compliance program", most AI Control Plane vendors hand over a PDF that says "we support SOC 2." Visionality's answer is structurally different: every MCP primitive we ship maps to a specific control across SOC 2, ISO 27001, ISO 42001, and NIST AI RMF, and the mapping is reflected in the continuous-evidence pack that each pack run produces.

This document is the crosswalk. Use it as the procurement-clarifying artifact when the security review team needs to confirm how MCP traffic gets governance evidence.

Why a crosswalk matters

The MCP-niche AI Control Plane vendors (Speakeasy, Lunar.dev, Runlayer, MintMCP) market individual MCP features — PKCE consent, tool guardrails, capability allowlists, anomaly detection. Each feature is real. What's missing in the competitive set is the explicit mapping from each MCP feature to the compliance control it satisfies. Without the mapping, procurement has to reverse-engineer how each MCP feature contributes to their compliance posture — and the conversation stalls.

Visionality's crosswalk closes the loop. Every MCP primitive shipped has a named framework + control, and every control has live evidence collectors emitting framework-mapped JSON into the continuous-evidence pack.

The crosswalk table

Visionality MCP primitives (left) mapped to the framework + control they satisfy (right).

| MCP primitive | What it does | SOC 2 | ISO 27001 | ISO 42001 | NIST AI RMF |
|---------------|--------------|-------|-----------|-----------|-------------|
| PKCE consent flow | Every MCP authorize event captures (client, subject, MCP server, redirect, consent outcome, IP) into mcp_authorize_audit. SQL-role REVOKE enforces append-only. | CC6.1 (logical access), CC6.6 (PKCE consent audit) | A.8.34 (protection during audit testing) | A.6.2 (AI risk mgmt) | GOVERN-1.5 (audit log policy) |
| ID-JAG (Enterprise-Managed Authorization) | Customer's IdP issues identity assertion → MCP gateway exchanges for scoped grant. Auth is delegated to the IdP. | CC6.1 (logical access), CC6.3 (role-based access) | A.5.16 (identity management), A.5.17 (authentication info) | A.6.2 (AI risk mgmt) | GOVERN-1.5 |
| MCP client registry | Operator-controlled list of permitted MCP clients with explicit redirect URI registration. Unknown clients fail closed at the gateway. | CC6.1, CC6.6 | A.5.15 (access control policy) | A.6.2 | MAP-3.4 (AI risk landscape) |
| agent_sub signed into envelope | Per-agent identity claim signed at issuance. AAD-bound to org_id + token_id + binding_alg. Stolen tokens cannot rewrite agent identity. | CC6.1, CC6.7 (binding-status posture) | A.5.17 (authentication info), A.8.24 (cryptographic controls) | A.6.2, A.6.2.5 (AI system impact assessment) | GOVERN-1.5, MAP-3.4 |
| Binding-key envelope (Token Authority v2) | Per-request HMAC over (token_id, minute_bucket, body_sha256). Leaked tokens without binding key fail closed with structured 401. | CC6.1, CC6.7, CC7.1 (system operations) | A.8.24 (cryptographic controls) | A.6.2.5 | GOVERN-1.5 |
| Replay-cache enforcement | Gateway tracks (token_id, minute_bucket, body_sha256) and rejects re-presented proofs. | CC7.1 (system operations), CC7.2 (system monitoring) | A.8.20 (network controls) | A.6.2.5 | MANAGE-4.3 (incident response) |
| MCP invocation log | Every MCP tool call writes a row to mcp_invocations with org, server, tool, parameter hash, outcome, latency. SQL-role REVOKE on UPDATE/DELETE. | CC7.2, CC7.3 (MCP invocation log evidence) | A.8.15 (logging) | A.6.2 | MEASURE-2.7 (drift monitoring) |
| MCP anomaly detection | Volume / cost / error-rate spike detection graded critical/warning/info. Surfaces on /mcp page; routes to Slack via @acc/slack. | CC7.1, CC7.4 (incident detection) | A.8.16 (monitoring activities) | A.6.2.5 | MEASURE-2.7, MANAGE-4.3 |
| MCP audit CSV export | Authorize audit timeline exportable as RFC 4180 CSV with UTF-8 BOM + OWASP CSV-injection guard. | CC6.6, CC7.2 | A.8.34 | A.6.2 | GOVERN-1.5 |
| PII pre-flight on MCP responses | 12 detectors run on tool results before they return to the agent. Fail-closed on detector failure. | CC6.7, CC7.1 | A.5.34 (privacy by design), A.8.11 (data masking) | A.6.2.5 | MAP-3.4, MEASURE-2.7 |
| HRIS-bound revocation | BambooHR / Workday / Rippling leaver feeds drive automatic spend-token revocation. Revoked tokens cannot mint MCP authorize events. | CC6.2 (user provisioning), CC6.3 (deprovisioning) | A.5.16, A.5.18 (access rights) | A.6.2 | GOVERN-1.5 |
| Continuous-evidence pack | Twelve collectors emit framework-mapped evidence rows into a signed JSON bundle every pack-run. | CC6.1, CC6.6, CC6.7, CC7.2, CC7.3, CC8.1 | A.8.34, A.5.34, A.8.15 | A.6.2, A.6.2.5 | GOVERN-1.5, MAP-3.4, MEASURE-2.7, MANAGE-4.3 |
| Offline vis-verify CLI | Standalone Node CLI re-derives the canonical-form fingerprint locally; no network call. Auditor verifies pack integrity without trusting our dashboard. | CC8.1 (change mgmt), CC6.1 (audit-trail integrity) | A.8.31 (separation of dev/test/prod), A.8.34 | A.6.2.5 | GOVERN-1.5 |
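The binding-key envelope and replay-cache rows describe one mechanism: an HMAC over (token_id, minute_bucket, body_sha256) checked at the gateway, with each accepted tuple remembered so it cannot be presented again. The sketch below is an added example, not Visionality's gateway code; the proof layout, the one-bucket clock-skew window, the error strings and every function name are assumptions.

```javascript
// Added illustration, not Visionality's gateway code. The proof layout,
// the one-bucket skew window and all names here are assumptions.
const crypto = require("node:crypto");

const sha256Hex = (s) => crypto.createHash("sha256").update(s).digest("hex");
const minuteBucket = (ms) => Math.floor(ms / 60000);
// Unambiguous encoding of the bound tuple (token_id, minute_bucket, body_sha256).
const tuple = (tokenId, bucket, bodyHash) => JSON.stringify([tokenId, bucket, bodyHash]);

// Client side: prove possession of the binding key for this exact request.
function makeProof(bindingKey, tokenId, body, nowMs) {
  const bucket = minuteBucket(nowMs);
  const mac = crypto.createHmac("sha256", bindingKey)
    .update(tuple(tokenId, bucket, sha256Hex(body))).digest("hex");
  return { tokenId, bucket, mac };
}

class Gateway {
  constructor(keyLookup) {
    this.keyLookup = keyLookup; // tokenId -> binding key, or undefined
    this.seen = new Map();      // replay cache: tuple -> minute bucket
  }

  // Returns {status: 200} or a structured 401; every failure path denies.
  verify(proof, body, nowMs) {
    const deny = (error) => ({ status: 401, error });
    const key = this.keyLookup(proof.tokenId);
    if (!key) return deny("unknown_token");
    const now = minuteBucket(nowMs);
    if (!Number.isInteger(proof.bucket) || Math.abs(now - proof.bucket) > 1) {
      return deny("stale_bucket");
    }
    const bound = tuple(proof.tokenId, proof.bucket, sha256Hex(body));
    const expected = crypto.createHmac("sha256", key).update(bound).digest();
    const given = Buffer.from(String(proof.mac), "hex");
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
      return deny("bad_binding_proof");
    }
    if (this.seen.has(bound)) return deny("replayed_proof");
    this.seen.set(bound, proof.bucket);
    // Evict tuples that have aged out of the accepted window.
    for (const [k, b] of this.seen) if (b < now - 1) this.seen.delete(k);
    return { status: 200 };
  }
}
```

Because the tracked tuple carries no nonce, an identical body sent twice inside one minute bucket is rejected as a replay even when the sender is legitimate.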

How the mapping shows up in the evidence pack

Every pack-run emits framework-tagged JSON rows. The MCP-relevant rows include:

{
  "framework": "SOC2",
  "control": "CC6.6",
  "title": "PKCE consent audit",
  "status": "pass",
  "detail": {
    "table": "mcp_authorize_audit",
    "row_count": 4203,
    "window_days": 30,
    "approve_count": 4189,
    "deny_count": 14,
    "rejection_rate": 0.003,
    "policy_threshold": 0.01
  }
},
{
  "framework": "SOC2",
  "control": "CC7.3",
  "title": "MCP invocation log",
  "status": "pass",
  "detail": {
    "table": "mcp_invocations",
    "row_count": 18234,
    "role_grants": {"acc_app": ["INSERT", "SELECT"]},
    "update_delete_revoked": true
  }
},
{
  "framework": "ISO27001",
  "control": "A.8.15",
  "title": "Logging",
  "status": "pass",
  "detail": {
    "audit_tables_protected": 5,
    "logging_coverage": "full",
    "retention_days": 365
  }
},
{
  "framework": "ISO42001",
  "control": "A.6.2",
  "title": "AI risk management",
  "status": "pass",
  "detail": {
    "identity_binding": "envelope_aad",
    "access_control": "ID-JAG + Clerk SAML/OIDC",
    "audit_layer": "SQL-role REVOKE"
  }
},
{
  "framework": "NIST_AI_RMF",
  "control": "MEASURE-2.7",
  "title": "Drift monitoring",
  "status": "pass",
  "detail": {
    "anomaly_detector": "active",
    "anomaly_kinds": ["volume_spike", "cost_spike", "error_spike"],
    "alerting_destinations": ["dashboard", "slack"]
  }
}

Each row maps to a primitive in the crosswalk table above. The pack is signed with SHA-256; the auditor runs vis-verify to re-derive the fingerprint offline and confirm integrity.
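An auditor-side check over rows of this shape, as an added example that is not the vis-verify implementation: it re-derives a SHA-256 fingerprint over a canonical form and recomputes two SOC 2 verdicts from the `detail` fields instead of trusting `status`. The canonical form (recursively sorted keys, no whitespace), the tolerance on the rounded rejection rate, and all function names are assumptions.

```javascript
// Added illustration, not the vis-verify implementation. The canonical form
// (recursively sorted keys, no whitespace) and all names are assumptions.
const crypto = require("node:crypto");

function canonicalize(v) {
  if (Array.isArray(v)) return `[${v.map(canonicalize).join(",")}]`;
  if (v && typeof v === "object") {
    const members = Object.keys(v).sort()
      .map((k) => `${JSON.stringify(k)}:${canonicalize(v[k])}`);
    return `{${members.join(",")}}`;
  }
  return JSON.stringify(v);
}
const fingerprint = (rows) => crypto.createHash("sha256").update(canonicalize(rows)).digest("hex");

// Recompute each verdict from "detail" instead of trusting "status".
const CHECKS = {
  "SOC2/CC6.6": (d) =>
    d.approve_count + d.deny_count === d.row_count &&
    Math.abs(d.deny_count / d.row_count - d.rejection_rate) < 0.0005 &&
    d.rejection_rate <= d.policy_threshold,
  "SOC2/CC7.3": (d) =>
    d.update_delete_revoked === true &&
    Object.values(d.role_grants).flat().every((g) => g === "INSERT" || g === "SELECT"),
};

// expectedFingerprint must reach the auditor out of band, not from the pack.
function auditPack(rows, expectedFingerprint) {
  const findings = [];
  if (fingerprint(rows) !== expectedFingerprint) findings.push("fingerprint mismatch");
  for (const r of rows) {
    const check = CHECKS[`${r.framework}/${r.control}`];
    if (check && r.status === "pass" && !check(r.detail)) {
      findings.push(`${r.control}: status "pass" contradicts detail`);
    }
  }
  return findings;
}

// The two SOC 2 rows from the sample pack above (title field omitted).
const SAMPLE_ROWS = [
  { framework: "SOC2", control: "CC6.6", status: "pass", detail: { table: "mcp_authorize_audit",
    row_count: 4203, window_days: 30, approve_count: 4189, deny_count: 14,
    rejection_rate: 0.003, policy_threshold: 0.01 } },
  { framework: "SOC2", control: "CC7.3", status: "pass", detail: { table: "mcp_invocations",
    row_count: 18234, role_grants: { acc_app: ["INSERT", "SELECT"] }, update_delete_revoked: true } },
];
```

A pack that has been altered and then re-fingerprinted still fails the per-control check, which is why the verdicts are recomputed rather than read from `status`.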

What this does at the procurement conversation

Three concrete uses:

1. Procurement-shortlist conversation. When the security review team asks "map your MCP features to our control framework", hand them this article. The answer is one document, not a 90-minute call.

2. Audit-evidence conversation. When the auditor asks "show me how your MCP gateway satisfies CC7.3", point them at the mcp_invocation_log evidence row + the role grants on the mcp_invocations table + the migration that REVOKED UPDATE/DELETE. The chain of evidence is single-vendor end-to-end.

3. Regulated-vertical pilot conversation. When a healthcare, defense, or financial-services prospect asks "do you map to ISO 42001", the answer is "yes, A.6.2 + A.6.2.5 with these primitives" and the evidence pack proves it.

The structural claim

Visionality is the only AI Control Plane in the matrix with a public crosswalk from MCP primitives to four-framework controls. Speakeasy markets MCP-shaped features; their compliance posture is SOC 2 Type II + ISO 27001. They do not publish the mapping. Truefoundry has SOC 2 Type II + HIPAA; same gap. None of the MCP-niche entrants (Lunar.dev, Runlayer, MintMCP) have published this level of crosswalk detail.

The crosswalk is the procurement-clarifying artifact. If your audit committee is asking "map your features to controls" and your vendor can't produce a one-document answer — you should be looking at us.

Book a 30-minute walkthrough and we'll generate an evidence pack against a demo dataset and walk you through which controls each row satisfies.
