OWASP MCG Project Draft
OWASP Model Context Governance (MCG) Practitioner Guide & Toolkit
OWASP Incubator Project
Category: Application Security / Capability Governance / Continuous Assurance
Traditional governance programs such as Identity Governance & Administration (IGA) were designed to satisfy compliance requirements that required organizations to certify human entitlements via periodic compliance reviews. These approaches cannot address the growing scale of machine-to-machine interactions, token-based authority, and autonomous software components that make real-time authorization decisions.
Model Context Governance (MCG) defines a new approach centered on capabilities. MCG says: rather than inventory the people, inventory the locks. It's simpler.
MCG seeks to define an engineering framework for continuous, provable, and federated governance. It enables enterprises to govern through policies that are declarative, verifiable, and responsive to telemetry and threat data.
MCG is based on key architectural and operational principles derived from the Trust Governance Architecture:
- Inventory capabilities, not identities – manage risk by enumerating what can be done (action–resource pairs), not who performs it.
- Declarative governance with formal reasoning – express policies and token claims in verifiable form; use proofs to reduce subjective review.
- Continuous governance – treat each code, configuration, or deployment change as a governance event.
- Federation by policy schema – enable cross-domain interoperability via shared capability and token semantics, not centralized directories.
- Multi-layer visibility – connect the human, software, observability, and trust management layers into a unified governance fabric.
- Data provenance – use signed tokens (e.g., JWTs or verifiable credentials) to propagate trust and traceability.
- Actionability – governance outputs must enable safe policy change, rollback, and verification, not just reporting.
These principles make governance measurable, testable, and automatable across distributed systems.
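An added sketch (not part of the MCG project's materials) of two of these principles together: capabilities are inventoried as action–resource pairs, and a change to that inventory is evaluated as a governance event with an actionable decision. The `action:resource` string format, the function names, and the sample MCP server capabilities are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Capability(NamedTuple):
    action: str    # what can be done
    resource: str  # what it is done to

def parse_inventory(entries):
    """Parse 'action:resource' strings (assumed format) into a set of pairs."""
    caps = set()
    for entry in entries:
        action, sep, resource = entry.partition(":")
        action, resource = action.strip(), resource.strip()
        if not sep or not action or not resource:
            raise ValueError(f"malformed capability entry: {entry!r}")
        caps.add(Capability(action, resource))
    return caps

def governance_event(before, after, approved):
    """Evaluate one change: diff the inventories, gate on unapproved additions."""
    added, removed = after - before, before - after
    unapproved = added - approved  # deny by default: anything not listed blocks
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "unapproved": sorted(unapproved),
        "decision": "block" if unapproved else "allow",
    }

# Constructed sample: capabilities exposed by a hypothetical MCP server
# before and after a deployment change, plus the policy-approved set.
BEFORE = parse_inventory(["read:tickets", "write:tickets"])
AFTER = parse_inventory(
    ["read:tickets", "write:tickets", "delete:tickets", "read:customers"]
)
APPROVED = parse_inventory(["read:tickets", "write:tickets", "read:customers"])

if __name__ == "__main__":
    event = governance_event(BEFORE, AFTER, APPROVED)
    for cap in event["unapproved"]:
        print(f"unapproved capability: {cap.action} on {cap.resource}")
    print("decision:", event["decision"])
```

Run in a pipeline step, the `block` decision is what turns a deployment change into a governance gate rather than a report.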
- Define a capability governance lifecycle for MCP servers and proxies, including discovery, modeling, issuance, enforcement, telemetry, and proof.
- Publish a practitioner guide explaining how to model capabilities, author declarative policies, and integrate formal reasoning techniques.
- Provide tool-agnostic templates for capability definitions, token schemas, assurance levels, and rollout checklists.
- Develop a federated policy reference model demonstrating interoperability between autonomous governance domains.
- Create a continuous governance playbook that embeds automated validation and telemetry feedback into DevSecOps pipelines.
- Establish the foundation for future formal specifications and verification tools for capability governance.
| Deliverable | Description | Format | Target Version | Target Date |
|---|---|---|---|---|
| MCG Practitioner Guide v0.1 (MCP Edition) | Initial draft describing the capability governance lifecycle, token flows, and policy examples for MCP servers/proxies | Markdown / PDF | 0.1 | Month 3 |
| Capability & Token Templates | Editable templates defining capability models (action-resource), JWT claim sets, and trust assertions | Markdown / JSON | 0.2 | Month 4 |
| Continuous Governance Playbook | Implementation guide for integrating observability, threat data, and verification pipelines | Markdown / YAML | 0.3 | Month 5 |
| Federated Policy Reference Model (MCP Use Case) | Diagrams and schemas illustrating multi-domain governance via capability exchange | Diagram / YAML | 0.4 | Month 6 |
| MCG Practitioner Guide v1.0 | Consolidated release with guide, templates, and reference models | PDF / Web | 1.0 | Month 7 |
| Launch Webinar & Slides | Public presentation introducing Model Context Governance principles and toolkit | PPTX / Video | — | Month 8 |
| Maintenance & Expansion Roadmap | Plan for extending MCG to additional systems (API gateways, AI agents, observability platforms) | Markdown | 1.1 | Month 9 |
In Scope
- Governance lifecycle for MCP servers and proxy systems
- Capability and token-based policy modeling and enforcement
- Integration of runtime telemetry and threat data into governance feedback loops
- Federated policy exchange across autonomous domains
- Declarative policy authoring and continuous validation
Out of Scope
- Vendor-specific or proprietary integrations
- Human identity access certification and entitlement reviews (traditional IGA)
- Compliance frameworks outside technical governance and assurance
- Application Security and DevSecOps engineers
- Platform architects managing distributed authorization and policy systems
- AI and agent governance engineers
- GRC professionals building continuous assurance models
- Researchers exploring federated and formal governance mechanisms
| Role | Name / Placeholder | Responsibilities |
|---|---|---|
| Project Leader | Michael Schwartz | Direction, documentation, and community coordination |
| Co-Leader | Manoj Kumar | Technical design, contributor coordination |
| Community Manager | Ravindra Neriyanuri | Repository maintenance, contributor engagement |
| Technical Writers | Community volunteers | Content development, editing, and formatting |
| Review Board | AppSec & Governance experts | Peer review and technical validation |
| Design Lead | TBD | Visual design, diagrams, and presentation assets |
All materials are released under the Creative Commons Attribution 4.0 International License (CC BY 4.0), consistent with OWASP project policy.
- GitHub: https://github.com/OWASP/MCG
- Website: https://owasp.org/www-project-mcg-practitioner-guide
- Community Chat: OWASP Slack → #mcg-project
- Documentation Format: Markdown (MkDocs)
- Issue Tracking: GitHub Issues & Discussions