Activation required. AI access management must be enabled for your tenant before you can use it. To get started, contact the C1 support team for a walkthrough.
- Registering and configuring MCP servers (from the 3,000+ hosted catalog)
- Discovering and classifying the tools each server exposes
- Governing tool access at a granular level — admins review, approve, or disable individual tools and control which tools each user and agent can call
- Bundling approved tools into toolsets and binding them to access profiles
- Provisioning end-user and agent access through the standard C1 request and approval workflow
- Vaulting and rotating downstream credentials so they are never exposed to end users or stored locally
- Logging every tool call with identity, tool, parameter, and policy context for audit and compliance
C1’s AI Connections feature has two sides. This page covers AI access management (AIAM) — governing outbound AI tool calls to external services like Salesforce and GitHub. If you want AI assistants to query C1’s own identity data instead, see C1 MCP.
Key concepts
How the pieces fit together
A typical end-to-end flow:- Admin registers an MCP server in C1 (for example, the GitHub MCP server) and configures its auth mode.
- C1 discovers the tools the server exposes and lists them as Unset.
- Admin reviews and approves tools, then bundles approved tools into a toolset.
- Admin binds the toolset to an access profile with an approval policy.
- End user registers their AI client with C1.
- End user requests the access profile from the C1 catalog (web, Slack, or from their AI client).
- Approver approves, and the toolset becomes available to the user’s AI client.
- AI client calls a tool → request hits C1 MCP → C1 checks the user’s access profile and the tool’s approval status → forwards to the downstream MCP server using the configured auth mode → returns the result, logging the call.
Where to go from here
- New to AIAM? Start with Enable AI access management.
- Already enabled? Move on to Set up an MCP server.
- Setting up audit and compliance? See Audit AI tool usage.
- Ready to test your setup as an end user? See Get started with AI tools.
- Governing an MCP server that supports the standard? The gateway is one of two paths C1 governs. For servers that can verify C1-issued tokens, C1 can issue a scoped token and let the agent call the server directly. See Enterprise-managed authorization.