What is an MCP proxy and why does it need an approval layer?
MCP (Model Context Protocol) lets AI agents call external tools. A database query, a file write, an API call -- the agent decides what to do and the MCP server executes it. But there's nothing in the spec that evaluates whether that action should happen.
An MCP proxy sits between the agent and the MCP server. It intercepts every tools/call request, does something with it, and forwards it (or doesn't). The proxy pattern isn't new -- it's how HTTP proxies, API gateways, and service meshes work. Apply it to MCP and you get an enforcement point for agent actions.
Why a plain proxy isn't enough
Most MCP proxies today do routing, load balancing, or observability. They watch traffic. Some log it. A few do rate limiting.
None of that stops an agent from running `DROP TABLE customers` if the tool call is well-formed and the agent has access.
30 CVEs have been filed against MCP servers in the last 60 days. 38% of those servers had no authentication at all. The attack surface is real. But even with auth in place, the question remains: should this specific tool call, with this specific payload, execute right now? Or should a human look at it first?
That's what an approval layer adds.
What an approval layer actually does
An MCP proxy with an approval layer intercepts tools/call before it reaches the upstream server and does three things:
- Evaluates the action against a policy. Not a binary allow/deny on the tool name -- a policy that considers the action type, the payload content, the agent's identity, and the risk classification. A SELECT is different from a DELETE. Reading a public file is different from reading /etc/passwd.
- Routes high-risk actions to a human reviewer. The reviewer sees the full context: what the agent wants to do, what it's sending, which policy flagged it, and (if the framework provides it) the agent's reasoning. They approve or deny. The action only proceeds after the decision.
- Records everything in an audit trail. Not just "tool was called." The full chain: policy was evaluated, action was flagged, reviewer was notified, reviewer saw context X, reviewer approved at timestamp Y, action executed at timestamp Z. For regulated industries (FINRA 2026, EU AI Act), this chain is what auditors ask for.
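An added example (not SidClaw's or any other project's code) of the three steps above as a single proxy handler for one JSON-RPC tools/call: payload-aware risk classification, a blocking human-review hook for high-risk calls, and a hash-chained audit trail. The tool names, policy rules, reviewer callback, upstream callback and error code are constructed for illustration.

```python
import hashlib, json, re, time

# Constructed policy rules (assumptions for this example, not any product's policy language).
MUTATING_SQL = re.compile(r"^\s*(DROP|DELETE|TRUNCATE|ALTER|UPDATE|INSERT)\b", re.IGNORECASE)
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/root/")

def classify(params: dict) -> tuple:
    """Risk-classify a tools/call by tool name AND payload content, not just the name."""
    name, args = params["name"], params.get("arguments", {})
    if name == "query_db":
        if MUTATING_SQL.match(args.get("sql", "")):
            return "high", "mutating SQL statement"
        return "low", "read-only SQL"
    if name == "read_file":
        if args.get("path", "").startswith(SENSITIVE_PATHS):
            return "high", "sensitive path"
        return "low", "ordinary file read"
    return "high", "tool not covered by policy"  # unknown tools go to a human, not straight through

class AuditLog:
    """Append-only trail where each entry commits to the previous entry's hash."""
    def __init__(self): self.entries = []
    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        event = dict(event, ts=time.time())  # every step is timestamped
        digest = hashlib.sha256(json.dumps({"prev": prev, "event": event}, sort_keys=True).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest
    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps({"prev": prev, "event": e["event"]}, sort_keys=True).encode()
            if e["prev"] != prev or hashlib.sha256(body).hexdigest() != e["hash"]:
                return False  # an edited or dropped entry breaks the chain
            prev = e["hash"]
        return True

def handle_tools_call(request: dict, agent_id: str, reviewer, log: AuditLog, upstream) -> dict:
    """Proxy one JSON-RPC tools/call: evaluate, hold high-risk calls for a human, audit every step."""
    params = request["params"]
    risk, reason = classify(params)
    log.append({"step": "policy_evaluated", "agent": agent_id, "tool": params["name"], "risk": risk, "reason": reason})
    if risk == "high":
        context = {"agent": agent_id, "tool": params["name"], "arguments": params.get("arguments", {}), "flagged_by": reason}
        log.append({"step": "reviewer_notified", "context": context})
        approved = bool(reviewer(context))  # blocks until the human decides; context is what they saw
        log.append({"step": "reviewer_decided", "approved": approved})
        if not approved:
            return {"jsonrpc": "2.0", "id": request["id"], "error": {"code": -32000, "message": "denied by reviewer"}}
    result = upstream(request)  # only now does the call reach the MCP server
    log.append({"step": "executed", "tool": params["name"]})
    return result
```

In a real deployment the reviewer callback would post the context to a chat channel or ticket and wait for the decision; here it is any callable returning a truthy value.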
The gap in the current ecosystem
Here's what's already shipping for MCP governance:
- Routing/gateway proxies (Gravitee, Cloudflare) handle traffic management and basic auth
- Discovery/posture tools (Cisco DefenseClaw) scan MCP servers for vulnerabilities
- Framework-native flags (OpenAI's needsApproval) work within a single SDK
What's missing: a proxy that sits in front of any MCP server, evaluates each tool call against a real policy engine, and holds high-risk actions for human review with full context. That's the approval layer.
Who's building this
A few teams are working on MCP governance proxies with approval capabilities:
- SidClaw (what we built) wraps any stdio MCP server with policy evaluation, human approval workflows, and hash-chain audit trails. 18+ framework integrations. Apache 2.0 SDK.
- Faramesh Labs published an Action Authorization Boundary with a custom policy language. 13 integrations. Open-core.
- OpenBox AI ships runtime governance with cryptographic attestation. $5M seed.
- hoop.dev routes infrastructure commands through Slack/Teams for approval. Focused on database and SSH, not general-purpose MCP.
The category is forming fast. A year ago nobody was building MCP governance. Now there are arXiv papers, seed rounds, and multiple open-source implementations.
When you need this
If your agents only read data and the stakes are low, a proxy without an approval layer is fine. Log the calls, monitor for anomalies, move on.
But if your agents can send emails, modify production databases, call payment APIs, or take any action that isn't trivially reversible -- you need something that evaluates the action before it happens. Not after. The audit trail is for proving what happened. The approval layer is for controlling what happens.
SidClaw docs: docs.sidclaw.com
MCP spec: modelcontextprotocol.io
DEV Community: https://dev.to/sidclaw/what-is-an-mcp-proxy-and-why-does-it-need-an-approval-layer-296o