Skip to main content
Activation required. AI access management must be enabled for your tenant before you can use it. To get started, contact the C1 support team for a walkthrough.
AIAM lets you govern which AI clients can call which tools on your behalf, and which end users are allowed to use them. Enabling AIAM for your tenant is a one-time task that requires the Super Administrator role. Configuring tenant defaults, registering MCP servers, governing tools, managing AI clients, and using kill switches can be performed by either a Super Administrator or a user with the AI Governance Administrator role. Individual MCP servers, tools, and clients can override most of these defaults later. Set the defaults to the safest configuration you’re willing to live with as a fallback.

Enable AIAM for your tenant

Enabling AIAM exposes the AIAM surfaces (MCP servers, tools, AI clients, AIAM audit log) to admins. It does not automatically grant any end user access to any tool — every tool still has to be approved, added to a toolset, and bound to an access profile before it becomes requestable.
1
Log in to your C1 tenant as a Super Admin.
2
Navigate to AI > C1 Gateway and click Settings.
3
Find AI connections and click Edit.
4
Toggle Enable AI Connections to on.
5
Click Save to confirm.
Once enabled, MCP servers, AI clients, and the AIAM audit log appear in the tenant.

Configure tenant defaults

After enabling AIAM, configure the five tenant-wide defaults below. All of them have safer, stricter defaults pre-selected — only adjust them if your organization has a reason to loosen them.

Allowed client types

Controls which categories of AI client are allowed to register against your tenant. A client whose type is not allowed is rejected at registration time, before any tool is exposed to it. To change which types are allowed:
1
In AI > C1 Gateway > Settings, find Allowed client types.
2
Check the boxes for the types you want to permit.
3
Click Save.
Any in-flight client of a now-disallowed type continues to function until its existing tokens expire. New registrations of that type are rejected immediately.

Default tool classification

When C1 discovers a new tool on a registered MCP server, it assigns the tool this initial state. Until an admin reviews and approves the tool, it cannot be added to a toolset and end users cannot request it.
  • State: Pending Review / Unset (recommended — keeps every newly-discovered tool out of end-user reach until you’ve reviewed it)
  • Classification: Unclassified (recommended)
To change the defaults:
1
In AI > MCP > Settings, find Default tool classification.
2
Select the state and classification to apply to newly-discovered tools.
3
Click Save.

Require tool approval

When on, every newly-discovered tool starts in Pending Review and must be approved by an admin before it can be added to a toolset. When off, tools become available to be added to toolsets immediately on discovery.
  • Default: On
  • Recommended: On for production tenants. Off is appropriate only for sandbox tenants where you’re testing the end-to-end flow.
Turning this off does not bypass access profile approval — end users still go through the access profile’s approval policy when they request a toolset.

Client lifecycle inactivity policy

C1 tracks how long it’s been since each registered AI client made a tool call. After configurable thresholds, the client transitions through three states: To change the thresholds:
1
In AI > C1 Gateway > Settings, find Client lifecycle.
2
Set the inactivity threshold for each state.
3
Click Save.

Emergency kill switch

The kill switch immediately revokes every AI client’s access to every tool, across all MCP servers in your tenant. Use it when you suspect an active compromise — for example, a leaked client credential or an MCP server that’s behaving unexpectedly. What happens when you flip it:
  • All in-flight tool calls fail.
  • All AI clients are forced into the Closed state.
  • End users see an access-denied error in their AI client until you turn the switch off and they re-authenticate.
  • Audit log entries are still written for any failed call attempts after the switch is flipped.
1
In Settings > System management, find Emergency kill switch.
2
Click Disable all AI access.