Activation required. AI access management must be enabled for your tenant before you can use it. To get started, contact the C1 support team for a walkthrough.
Enable AIAM for your tenant
Enabling AIAM exposes the AIAM surfaces (MCP servers, tools, AI clients, AIAM audit log) to admins. It does not automatically grant any end user access to any tool — every tool still has to be approved, added to a toolset, and bound to an access profile before it becomes requestable.1
Log in to your C1 tenant as a Super Admin.
2
Navigate to AI > C1 Gateway and click Settings.
3
Find AI connections and click Edit.
4
Toggle Enable AI Connections to on.
5
Click Save to confirm.
Configure tenant defaults
After enabling AIAM, configure the five tenant-wide defaults below. All of them have safer, stricter defaults pre-selected — only adjust them if your organization has a reason to loosen them.Allowed client types
Controls which categories of AI client are allowed to register against your tenant. A client whose type is not allowed is rejected at registration time, before any tool is exposed to it.
To change which types are allowed:
1
In AI > C1 Gateway > Settings, find Allowed client types.
2
Check the boxes for the types you want to permit.
3
Click Save.
Any in-flight client of a now-disallowed type continues to function until its existing tokens expire. New registrations of that type are rejected immediately.
Default tool classification
When C1 discovers a new tool on a registered MCP server, it assigns the tool this initial state. Until an admin reviews and approves the tool, it cannot be added to a toolset and end users cannot request it.- State: Pending Review / Unset (recommended — keeps every newly-discovered tool out of end-user reach until you’ve reviewed it)
- Classification: Unclassified (recommended)
1
In AI > MCP > Settings, find Default tool classification.
2
Select the state and classification to apply to newly-discovered tools.
3
Click Save.
Require tool approval
When on, every newly-discovered tool starts in Pending Review and must be approved by an admin before it can be added to a toolset. When off, tools become available to be added to toolsets immediately on discovery.- Default: On
- Recommended: On for production tenants. Off is appropriate only for sandbox tenants where you’re testing the end-to-end flow.
Turning this off does not bypass access profile approval — end users still go through the access profile’s approval policy when they request a toolset.
Client lifecycle inactivity policy
C1 tracks how long it’s been since each registered AI client made a tool call. After configurable thresholds, the client transitions through three states:
To change the thresholds:
1
In AI > C1 Gateway > Settings, find Client lifecycle.
2
Set the inactivity threshold for each state.
3
Click Save.
Emergency kill switch
The kill switch immediately revokes every AI client’s access to every tool, across all MCP servers in your tenant. Use it when you suspect an active compromise — for example, a leaked client credential or an MCP server that’s behaving unexpectedly. What happens when you flip it:- All in-flight tool calls fail.
- All AI clients are forced into the Closed state.
- End users see an access-denied error in their AI client until you turn the switch off and they re-authenticate.
- Audit log entries are still written for any failed call attempts after the switch is flipped.
1
In Settings > System management, find Emergency kill switch.
2
Click Disable all AI access.