What is an MCP server?

An MCP server exposes tools, resources, or prompts through the Model Context Protocol so an AI application can retrieve context or request actions from an external system.

Why do enterprise security teams need an MCP server inventory?

MCP servers often hold OAuth grants, API tokens, database roles, cloud roles, browser sessions, or repository access. A server inventory helps teams understand which tools can read, write, mutate, or export enterprise data.

How should MCP servers be governed?

Treat MCP servers like privileged integration software: inventory each server, assign an owner, scope credentials, separate read and write permissions, log tool invocations, review retrieved data, and keep LLM provider traffic behind a governed gateway.

RESOURCE / MCP SERVER DIRECTORY

MCP Server Directory for Enterprise AI Teams

Known tool connectors, ranked by credential exposure and governance priority.

MCP servers make agents useful by connecting them to databases, SaaS systems, browsers, repositories, cloud control planes, and internal tools. They also expand the blast radius of agent access. This directory helps security and platform teams decide which servers need the strongest review before production use.

Request enterprise review →Review gateway controls →

MODEL CONTEXT PROTOCOL / GOVERNANCE

The server list is useful. The access model is what matters.

MCP adoption creates a new integration layer between agents and enterprise systems. Treat every server as a privileged connector with its own credentials, permissions, data access, and runtime audit requirements.

Inventory the server

Track owner, environment, host, exposed tools, upstream system, credential type, write capability, and whether the server is approved for production agent use.

Constrain credentials

Prefer short-lived tokens, read-only roles, narrow OAuth scopes, project allowlists, and separate credentials for development, staging, and production agents.

Record tool access

Log tool name, arguments, resource IDs, retrieved documents, write operations, actor, model route, and final outcome so security teams can reconstruct activity.

Govern model calls

Keep LLM provider traffic behind an on-prem gateway with virtual keys, budgets, guardrails, and durable audit while tool-specific permissions stay scoped at the source system.

CURATED MCP SERVER LIST

Popular MCP servers by enterprise risk surface

Use this as a starting inventory. Confirm each server implementation, version, OAuth scope, and deployment model before approving it for production use.

Data & Storage

Databases, warehouses, files, and operational records that often contain regulated data.

07 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

PostgreSQLSchema inspection, read-only analytics, controlled SQL queriesReviewed 2026-06-23 · MCP reference serverRelational databaseDatabase user, host allowlist, schema grantsCriticalUse read-only roles, query allowlists, row-level security, and full query logging.

MySQLOperational database lookup and controlled reportingReviewed 2026-06-23 · MySQL docsRelational databaseDatabase user, network path, table grantsCriticalSeparate production credentials, restrict write operations, and rotate exposed secrets.

BigQueryWarehouse analysis, BI lookup, governed data explorationReviewed 2026-06-23 · BigQuery docsCloud warehouseGoogle service account, dataset IAM, billing projectCriticalBind service accounts to approved datasets and monitor query cost per agent workflow.

SnowflakeEnterprise analytics over governed warehouse dataReviewed 2026-06-23 · Snowflake docsCloud warehouseUser, role, warehouse, network policyCriticalUse least-privilege roles, masking policies, warehouse quotas, and query audit exports.

SupabaseApplication data access, schema lookup, developer automationReviewed 2026-06-23 · Supabase docsPostgres application platformProject token, service role key, database roleHighAvoid service-role keys in agents and enforce row-level security for all agent paths.

Google DriveDocument retrieval, knowledge lookup, file searchReviewed 2026-06-23 · Google Drive APIDocument storageOAuth scopes, domain delegation, shared-drive permissionsHighConstrain OAuth scopes, isolate service accounts, and log file IDs returned to agents.

BoxDocument search, policy lookup, content workflowsReviewed 2026-06-23 · Box developer docsEnterprise content managementOAuth app, enterprise token, folder permissionsHighLimit folder scope and require approval before agents access customer or legal records.

Cloud & Infrastructure

Cloud, cluster, deployment, and runtime systems where MCP tool access can affect production assets.

05 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

AWSResource inventory, operational lookup, automation assistanceReviewed 2026-06-23 · AWS docsCloud platformIAM role, access key, STS session, resource policyCriticalPrefer short-lived roles, deny destructive APIs by default, and stream CloudTrail evidence.

AzureTenant inventory, deployment context, operational automationReviewed 2026-06-23 · Azure docsCloud platformManaged identity, app registration, RBAC assignmentCriticalScope app registrations tightly and alert on privileged role assignment or secret creation.

CloudflareDNS, Workers, observability, and edge configuration lookupReviewed 2026-06-23 · Cloudflare API docsEdge and developer platformAPI token, account scope, zone permissionHighUse account-scoped tokens with read-only defaults and approvals for DNS or deploy actions.

KubernetesCluster diagnostics, workload status, deployment investigationReviewed 2026-06-23 · Community MCP serverCluster orchestrationKubeconfig, service account, RBAC bindingCriticalBind read-only roles by namespace and block exec, secret read, and mutating verbs unless approved.

TerraformState review, drift context, infrastructure planningReviewed 2026-06-23 · Terraform docsInfrastructure as codeWorkspace token, cloud backend, provider credentialsHighSeparate plan from apply and keep state access away from broad agent prompts.

Development Tools

Code, CI/CD, observability, and security platforms used by engineering and platform teams.

09 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

GitHubRepository search, pull request review, issue triage, code contextReviewed 2026-06-23 · Official GitHub MCP serverRepository and SDLC platformOAuth app, GitHub App token, PAT, repository permissionCriticalPrefer GitHub Apps, repository allowlists, branch protections, and audit every write action.

GitLabProject lookup, merge request context, issue and pipeline operationsReviewed 2026-06-23 · GitLab API docsRepository and DevOps platformProject token, group token, OAuth app, CI permissionsCriticalConstrain project scope, separate read and write tokens, and block pipeline mutation by default.

GitLocal code search, diff inspection, repository history analysisReviewed 2026-06-23 · MCP reference serverVersion controlLocal repository path, SSH key, filesystem accessHighRun in a sandboxed workspace and prevent arbitrary filesystem traversal.

DatadogMetrics, logs, monitors, incidents, and dashboard contextReviewed 2026-06-23 · Datadog API docsObservability platformAPI key, application key, site, org roleHighUse read-scoped apps and prevent agents from muting monitors or changing incident routing.

GrafanaDashboard lookup, incident context, metrics and log explorationReviewed 2026-06-23 · Grafana API docsObservability platformService account token, data-source permissionsHighScope service accounts by folder and data source; log query text and panel access.

SentryError triage, release context, stack trace analysisReviewed 2026-06-23 · Sentry API docsApplication monitoringOrganization token, project token, issue permissionMediumRestrict project scope and redact PII in stack traces before agent retrieval.

SemgrepStatic analysis findings, policy context, remediation workflowsReviewed 2026-06-23 · Semgrep docsCode security scanningOrganization token, project permissionMediumAllow read-only finding access and route remediation changes through pull requests.

PostmanAPI collection lookup and test execution contextReviewed 2026-06-23 · Postman API docsAPI collaborationAPI key, workspace role, environment secretsHighPrevent environment secret exposure and separate collection read from execution privileges.

VercelDeployment lookup, project status, build contextReviewed 2026-06-23 · Vercel API docsApplication hostingTeam token, project scope, deployment permissionHighKeep deployment tokens read-only unless change control approves release actions.

Content & Search

Web, browser, crawler, documentation, and search tools that expand what agents can retrieve.

06 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

Brave SearchWeb research, source discovery, external contextReviewed 2026-06-23 · Brave Search APISearch APIAPI key, query quota, usage billingMediumLog query terms and keep search output outside trusted data boundaries until validated.

FetchFetch web pages and convert content for model contextReviewed 2026-06-23 · MCP reference serverWeb retrievalOutbound network access, URL allowlistMediumApply domain allowlists, malware scanning, and prompt-injection filtering on retrieved text.

FirecrawlStructured website extraction and research automationReviewed 2026-06-23 · Firecrawl docsCrawler and extraction APIAPI key, crawl quota, outbound domainsMediumRestrict crawl domains and retain provenance for every retrieved page.

PlaywrightWeb app testing, UI inspection, workflow automationReviewed 2026-06-23 · Playwright docsBrowser automationBrowser session, cookies, filesystem, networkCriticalRun isolated browsers, block credential reuse, and record screenshots plus network traces.

PuppeteerHeadless browser tasks, scraping, and UI workflow executionReviewed 2026-06-23 · Puppeteer docsBrowser automationBrowser session, cookies, filesystem, networkCriticalUse disposable profiles, outbound allowlists, and strict download/upload restrictions.

Google MapsGeocoding, route planning, place lookupReviewed 2026-06-23 · Google Maps docsLocation APIAPI key, quota, project billingLowRestrict API keys by referrer or service account and monitor quota consumption.

Productivity & SaaS

Collaboration systems where agent access can expose conversations, tickets, docs, and CRM data.

06 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

AtlassianTicket lookup, project context, documentation retrievalReviewed 2026-06-23 · Atlassian developer docsJira, Confluence, and CompassOAuth scopes, API token, project and space permissionHighLimit Jira projects and Confluence spaces; require approval for writes or status changes.

SlackConversation lookup, incident context, workflow notificationsReviewed 2026-06-23 · Slack API docsMessaging and collaborationBot token, user token, channel membership, OAuth scopesHighRestrict channels, redact sensitive messages, and separate read bots from posting bots.

NotionKnowledge base lookup, database update, project documentationReviewed 2026-06-23 · Notion API docsWorkspace documentationIntegration token, page and database permissionsMediumShare only approved pages with the integration and avoid workspace-wide access.

LinearIssue lookup, roadmap context, engineering workflow automationReviewed 2026-06-23 · Linear API docsIssue trackingOAuth app, API key, workspace permissionMediumSeparate issue read access from mutation and log every generated comment or status change.

AsanaTask lookup, project updates, planning contextReviewed 2026-06-23 · Asana developer docsWork managementOAuth app, workspace permission, project membershipMediumConstrain projects and route task creation or assignment through approval flows.

HubSpotAccount lookup, customer context, CRM workflow assistanceReviewed 2026-06-23 · HubSpot API docsCRM and marketing platformPrivate app token, OAuth scopes, object permissionsHighMinimize CRM object scopes and redact customer PII before passing context to models.

AI & Memory

Model, vector, memory, and retrieval systems that shape agent context and long-lived recall.

04 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

Hugging FaceModel lookup, dataset search, inference and deployment contextReviewed 2026-06-23 · Hugging Face docsModel and dataset platformAccess token, organization permission, gated model accessMediumSeparate public model discovery from organization tokens and gated asset access.

QdrantVector search, retrieval, and memory-backed agent contextReviewed 2026-06-23 · Qdrant docsVector databaseAPI key, collection permission, network endpointHighPartition collections by tenant and log every vector query plus document ID returned.

LlamaCloudRAG indexing, document retrieval, managed knowledge workflowsReviewed 2026-06-23 · LlamaCloud docsManaged retrieval and data pipeline platformAPI key, index permission, data source connectorHighSeparate indexing credentials from retrieval credentials and review source permissions.

MemoryLong-lived agent context and preference recallReviewed 2026-06-23 · MCP reference serverPersistent agent memoryLocal store, database token, user profile dataHighExpire memory records, classify stored facts, and block regulated data from persistence.

Business Systems

Payments, support, and workflow systems where tool calls can read or mutate customer operations.

04 SERVERS

ServerSystemCredential SurfaceRiskRecommended Control

StripeCustomer, subscription, invoice, and payment workflow lookupReviewed 2026-06-23 · Stripe Agent ToolkitPayments platformRestricted key, webhook secret, account permissionCriticalUse restricted read keys and require explicit approval for refunds, disputes, or price changes.

IntercomSupport context, customer history, workflow automationReviewed 2026-06-23 · Intercom developer docsCustomer supportAccess token, workspace permission, conversation scopeHighRedact customer data and separate read-only context from outbound message generation.

SalesforceAccount lookup, pipeline context, support and sales workflowsReviewed 2026-06-23 · Salesforce REST API docsCRM platformOAuth app, connected app policy, object permissionsCriticalConstrain object permissions, require field-level security, and monitor bulk export attempts.

monday.comOperational workflow lookup, project updates, board automationReviewed 2026-06-23 · monday.com API docsWork operating systemAPI token, board permission, workspace accessMediumScope tokens by board and require review before agents create automations or change owners.

ENTERPRISE REFERENCE ARCHITECTURE

Keep MCP tool access and LLM provider access governed as separate control planes.

MCP servers authorize tools and data sources. Agent Access Manager governs LLM provider access through virtual keys, routing, budgets, guardrails, metering, and audit. Separating these paths gives platform teams clearer evidence and fewer shared secrets.

01Agent applicationuses MCP tools + virtual LLM key

02MCP serverscoped to source-system credential

03Agent Access Managerroutes model call through /v1/chat/completions

04Audit planerecords tool evidence + model usage outcome

MCP ACCESS REVIEW

Prioritize the MCP servers that can touch regulated data or production systems.

Review your current MCP server inventory, model-provider keys, data boundaries, and audit requirements with an enterprise AI gateway architecture session.

Request enterprise review →Recommended for CISO, CTO, platform, and AppSec teams