This mapping reflects ThornGuard’s role as an MCP gateway and security proxy.
Model training, dataset curation, inference pipeline tuning, and broader
organizational AI governance programs are outside ThornGuard’s scope. The
controls described here apply to the tool-use and data-flow layer between
AI clients and upstream MCP servers.
Coverage Summary
| RMF Function | Coverage | ThornGuard Capabilities |
|---|---|---|
| GOVERN | Partial | Policy engine, approval workflows, RBAC, audit retention, feature flags |
| MAP | Emerging | Tool inventory, risk scoring, TOFU schema pinning, connection metadata |
| MEASURE | Partial | Behavioral anomaly detection, structured audit logs, webhook alerting |
| MANAGE | Direct | Command blocking, PII redaction, SSRF prevention, rate limiting, data flow governance |
MANAGE is the most directly addressed function — ThornGuard’s core value
proposition is runtime risk treatment at the MCP transport layer. GOVERN
and MEASURE are partially addressed through policy tooling and monitoring
capabilities. MAP coverage is emerging as tool inventory and schema
observation features mature.
GOVERN — Policies, Roles, and Oversight
The GOVERN function establishes organizational policies, roles, and accountability structures for AI risk management. ThornGuard contributes to GOVERN by providing enforceable policy primitives and role-based access at the gateway layer.Policy Engine (Allow / Block / Audit)
ThornGuard’s structured policy rules let organizations codify acceptable MCP usage. Each rule targets a scope (method, tool, domain) and operates in one of three modes:- Allow — Explicitly permit matched traffic.
- Block — Reject matched traffic and log the decision (
BLOCKED_POLICY). - Audit — Permit the traffic but flag it for review (
POLICY_AUDIT).
Approval Workflows
High-risk tool invocations can require human-in-the-loop approval before execution. Approval profiles define which tools or risk levels trigger a hold, and approval requests are tracked with full audit context. This maps directly to GOVERN’s emphasis on human oversight of consequential AI actions.Team RBAC
Team tokens support three roles — owner, admin, and viewer — with scoped permissions. Role-based access ensures that policy changes, approval decisions, and configuration updates are restricted to authorized personnel.Audit Retention and GDPR Purge
Configurable per-license retention policies govern how long audit data is stored. GDPR purge capabilities (AUDIT_PURGE) ensure compliance with data subject deletion requests. These controls support organizational data governance requirements.
Feature Flags for Phased Rollout
New security capabilities (OAuth 2.1, approval workflows, custom redaction) are gated behind feature flags in production. This allows organizations to adopt controls incrementally and validate behavior before broad enforcement — a risk-aware deployment practice consistent with GOVERN principles.MAP — Context and Risk Identification
The MAP function focuses on understanding AI system context, identifying risks, and characterizing the system’s operational environment. ThornGuard’s MAP-aligned capabilities are centered on tool discovery and schema observation.Tool Inventory with Automated Risk Scoring
ThornGuard maintains atool_inventory of every upstream tool observed in MCP traffic. Each tool is assigned a computed risk level based on its capabilities, parameter patterns, and historical usage. This inventory provides visibility into the AI system’s tool surface area — a prerequisite for meaningful risk assessment.
TOFU Schema Pinning
On first observation, ThornGuard records a SHA-256 hash of each tool’s definition (Trust On First Use). Subsequent requests are compared against the pinned schema, and any drift is flagged. This detects:- Upstream tool definitions being modified (supply chain risk).
- Schema injection or tool poisoning attempts.
- Unannounced capability changes in third-party MCP servers.
Connection Metadata Tracking
ThornGuard tracks connection-level metadata including target URLs, transport types, and authentication methods. This contextual data supports the MAP function’s goal of understanding how the AI system interacts with external services.Tool Poisoning Detection
ThornGuard scans tool definitions for signs of poisoning — instruction override attempts, hidden Unicode characters, and schema integrity violations. These checks help identify risks in the tool ecosystem before they reach the AI client.MEASURE — Monitoring and Assessment
The MEASURE function covers ongoing risk assessment, analysis, and monitoring. ThornGuard contributes through runtime behavioral analysis and comprehensive audit infrastructure.Behavioral Anomaly Detection
ThornGuard applies statistical methods to detect abnormal MCP usage patterns:- EWMA baselines — Exponentially Weighted Moving Averages track normal request rates and flag deviations.
- Page-Hinkley drift detection — Identifies sustained shifts in usage patterns that may indicate compromised clients or prompt injection campaigns.
- Markov chain analysis — Models expected tool-call sequences and flags transitions that deviate from learned patterns.
Structured Audit Logs with Correlation IDs
Every proxied request generates a structured audit record in D1 with:- Correlation IDs (
trace_id,log_id) for cross-system tracing. - Response time measurements for performance monitoring.
- Policy rule IDs linking decisions to specific governance rules.
- Client IP tracking for source attribution.
Webhook Alerting
Integration endpoints deliver real-time event notifications to external systems (SIEM, Slack, PagerDuty). Webhook deliveries are tracked with retry logic, ensuring that risk-relevant events reach the teams responsible for assessment and response.Tool Risk Scoring
Automated risk scores assigned to inventoried tools provide a quantitative input to risk assessment. Scores incorporate tool capabilities, parameter sensitivity, and observed usage patterns.MANAGE — Risk Treatment and Response
The MANAGE function addresses risk treatment, mitigation, and response. This is ThornGuard’s primary domain — the gateway enforces runtime controls that directly reduce AI-related risks at the transport layer.Command Injection Blocking
ThornGuard maintains approximately 40 blocked command patterns targeting destructive operations (rm -rf, sudo, shell metacharacters, and similar payloads). Matched requests are rejected immediately (BLOCKED_MALICIOUS) and logged with full context. This directly mitigates the risk of AI agents executing harmful system commands.
PII and Secret Redaction
Outbound request parameters and inbound responses (including SSE streams) are scanned for 10 pattern types plus credit card numbers:- Credentials: AWS keys, GCP keys, GitHub tokens, Slack tokens, private keys, JWTs.
- Personal data: Email addresses, SSNs, phone numbers.
- Financial data: Credit card numbers validated with IIN prefix matching and Luhn checksum.
SSRF Prevention
ThornGuard blocks Server-Side Request Forgery attempts through DNS-aware target validation:- Localhost and loopback addresses are rejected.
- Cloud metadata endpoints (169.254.169.254, fd00::, etc.) are blocked.
- DNS rebinding is mitigated through resolution-time checks.
- Non-resolvable and private-range targets are rejected.
Rate Limiting
Per-license rate limits enforced through Durable Objects prevent runaway AI agent loops and resource exhaustion. Exceeded limits produceBLOCKED_RATE_LIMIT audit events and immediate request rejection.
Cross-Server Data Flow Governance
ThornGuard enforces namespace isolation and taint tracking across multi-server MCP configurations:- Namespace isolation prevents data from one MCP server context from leaking into another.
- Taint tracking with a four-level sensitivity lattice (PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED) ensures that data classified at a higher level cannot flow to lower-trust destinations without explicit policy authorization.
Domain and Command Blocklists
Per-license custom blocklists allow organizations to restrict which upstream domains and command patterns are permitted. These lists layer on top of ThornGuard’s built-in protections, enabling organization-specific risk treatment.IP Whitelisting
Enterprise customers can restrict proxy access to specific source IP addresses, ensuring that only authorized network locations can route MCP traffic through ThornGuard.OAuth 2.1 Proxy
ThornGuard’s OAuth 2.1 implementation provides token isolation between the AI client and upstream MCP servers:- PKCE-enforced authorization flows.
- Encrypted token storage (AES-256-GCM) at the proxy layer.
- Token revocation support.
- Upstream credential isolation — AI clients never see raw upstream tokens.
ANSI/VT Escape Stripping
Tool definitions and responses are sanitized to remove ANSI and VT control character sequences. This prevents terminal injection attacks where malicious upstream responses could manipulate client-side rendering or execute escape-sequence exploits.Scope and Limitations
This mapping covers the MCP proxy and gateway layer only. The following
areas of the NIST AI RMF are outside ThornGuard’s scope and must be addressed
by other components of an organization’s AI risk management program:
- Model training and fine-tuning governance
- Training and evaluation dataset curation
- Inference pipeline configuration and model selection
- Broader organizational AI ethics policies and impact assessments
- Third-party model provider due diligence
- End-user disclosure and transparency requirements