🚀 Introducing the SailPoint MCP Server: Enabling AI-powered Access Request

New AI toolkit for enterprise AI-driven access request!

Introducing the SailPoint MCP Server

The SailPoint MCP (Model Context Protocol) Server is our AI-ready interface that transforms how organizations approach access management.

By serving as a standardized bridge between AI applications and SailPoint’s Identity Security Cloud, it leverages the industry-standard MCP protocol to enable seamless integration between AI systems and enterprise identity management. This launch marks the beginning of SailPoint’s vision to make access requests as simple as asking a colleague for help, while maintaining enterprise-grade security.

The IAM Challenge

Access management remains a critical productivity bottleneck for mid- to large-size enterprises. Today, customers either use multiple access request centers supported by identity providers or have to develop custom solutions to integrate IAMs with custom UIs.

End User Challenges

  • Lack of Context: Users don’t know what items to request, what’s available across IAM systems, or how to request access
  • Productivity Crisis: 64% of organizations experience frequent productivity loss due to access issues (Ref: StrongDM)
  • Complex User Experience: Challenges navigating between pages/systems and understanding access items.

IT Department Challenges

  • IT Resource Drain: Self-service access often results in an overwhelming number of IT tickets
  • Integration Challenges: While AI promises up to 80% reduction in IT requests, current integration approaches are:
    • Fragmented across multiple tools
    • Complex to implement and maintain
    • Introduce new security concerns
    • Require extensive IAM expertise to develop custom solutions
  • AI Scaling Challenges: 93% of IT leaders intend to introduce autonomous agents in the next 2 years, but 95% of IT leaders report integration as a hurdle to implementing AI effectively. (MuleSoft)

Solution

The SailPoint MCP Server functions as a standardized interface between AI applications and SailPoint’s Identity Security Cloud, eliminating integration complexity while maintaining enterprise-grade security.

  • MCP Server Interface: Standardized bridge between AI applications and SailPoint ISC APIs
  • Access Request Toolkit: Four core tools enabling AI applications to create access requests on behalf of users.
  • Integration with ISC: All access requests, audit logging, and notifications can be managed within existing SailPoint ISC web portal.
  • "Bring Your Own AI" approach: customers can use any AI assistants/apps with MCP support.

Core Capabilities at Launch

Four core tools to enable natural language access request:

  • list-requestable: Search for roles, entitlements, access profiles using everyday language.
  • create-access-request: Enable AI applications to create access requests on behalf of users.
  • view-access-requests: Check access request status and view request history.
  • cancel-access-request: Cancel pending requests that are in a cancelable state.

Key Benefits:

  • Quick Integration: quickly connect AI applications to SailPoint in 5-15 minutes without complex custom development.
  • Natural Language Processing: Enable conversational access request at scale.
  • Future-Proof Architecture: Built on MCP standard and regular updates to ensure compatibility with emerging AI platforms and security.
  • Enterprise-grade: Maintains SailPoint’s proven IAM expertise and enterprise-grade scalability and security.

Important Note: The MCP Server provides the interface and tools for AI-ISC interaction. The AI reasoning, decision logic, and natural language understanding are implemented by the AI applications (clients) that connect to the MCP Server.

Target Customers

  • Enterprise organizations using SailPoint Identity Security Cloud seeking AI integration and experiencing access request bottlenecks.
  • Organizations investing in custom access request bots to integrate all access needs into a unified solution.
  • Organizations seeking to reduce IT help desk burden from routine access requests, actively exploring GenAI solutions for productivity improvement.

Getting Started

  • SailPoint Identity Security Cloud access is required.
  • Choose integration approach based on technical requirements.
  • Setup authentication following provided guides (coming soon).
  • Begin building AI-powered access management experiences.

Integration options

Quick Integration with popular AI application building platforms and IDE tools:

  • Claude Desktop (quick connection; zero-code setup)
  • n8n workflow automation (visual agentic workflow builder)
  • LangChain development framework (full programmatic control)
  • Voice agents (hands-free access requests)
  • Any platform supporting remote MCP connections and HTTP streaming (Cursor, VCS, etc.)

Important Dates

  • General Availability: Sept 29, 2025
  • Integration Documentation: Sept 29, 2025
  • Expanded Toolkit: 6-12 months post-GA for expanded MCP tools

Ready to transform your access management with AI? Get started with the SailPoint MCP Server today.

8 Likes

Is there going to be any sort of demo on this? I think it might help to flesh out use cases and connect the dots on the fuzzy bits.

3 Likes

Technical documentation (including use cases and examples) is coming soon. Stay tuned!

Sometimes I observe announcements that mention recognizable problems and then a solution that does not actually solve those problems. It seems this is such an announcement to me.

One reason for this is that when looking at the requestable roles in the SailPoint Access Request Center, which sources it would grant access to. The solution would be for the UI to specify this information and allow users to filter on requestable roles granting access to a specific source. The search API does not support querying for roles based on such criteria, so an AI would not be able to do that either. You could ask an AI this anyway and if the AI is fully correct and will not hallucinate, it would have to make a lot of API calls to truly answer this question. Both AI and those API calls would then be a waste of electricity for a problem that can simply be solved efficiently and 100% correctly if you turn off the mentality of “The solution MUST be using AI, regardless of the problem”.

One reason I hear and see from customers is access requests that are stuck in approval flow where the approver is a governance group. The requester/recipient are not being shown the current approvers at that point, and only see the governance group name. So they don’t know who to ping to ask to look at the request with priority. SailPoint says that some customers don’t want the requester/recipient to know who the members are. The clear solution would be a configurable setting mentioning whether this should be visible or not, allowing different customers to make different choices, and for the ISC request center to then properly show the members. I don’t see how the solution would solve this here. Respect customers who don’t want this information to be known while allowing other customers to configure it such that current approvers are visible to the recipient/requester (taking into account that governance group members might have reassigned the approval request, or it might have been escalated to other approvers). See this 4-year-old idea here, which is still not implemented: https://ideas.sailpoint.com/ideas/GOV-I-1567

This is also an easy one. Navigating between pages in ISC has been made more difficult since SailPoint removed the navigation bar from many pages. See the request to add it back here:

All of the given examples above explain why custom UIs are being built. To show which roles point to which sources. To show which approvers you are waiting for in your access request. To allow easier navigation between different ISC objects.

In addition, SailPoint does not have read-only admin access. If people want to just see the notification templates in the ISC UI for example, you would need to have full org admin access. So this also could trigger users in building their own UI to mitigate this big security risk. See this top-voted, but already 4-year-old idea here: https://ideas.sailpoint.com/ideas/GOV-I-737

Kind regards,
Angelo

6 Likes

I’ve followed the step-by-step setup for both the MCP Inspector and VS Code and for both prod and sandbox and for both admin and non-admin users and it did not work.

I raised a support case to report the issue and ask if this is a licensed component and I was redirected to Expert Services as it seems I’m requesting help for a “new integration”. So connecting my VS Code (I have many MCP servers connected with no issues, even a couple I’m developing myself) to that MCP server is an Expert Services ($$$) thing.

Ridiculous

1 Like

Totally agree with you. Same thing happened with us, SailPoint support just redirects everything to Expert Services even when it is not required.

I ran tests in VSCode using GPT-4.1 and found it quite interesting, but I don’t know how this could be integrated in practice.

In the tests I did, I used my admin token, but I can only list/execute actions for my user, even though the token has elevated permissions.

For example, I can only list my last requests. One of the uses I imagined was for the company’s support team to be able to perform actions in natural language, such as “list the last accesses of user x,” this would greatly facilitate support because they wouldn’t need to log into the platform and search for information in the interface, but this is not allowed as far as I understand.

I also don’t know how to make it available in a way where the generated token would always be that of the user using the chat.

It would be interesting to have some tutorials teaching how to do this.

1 Like

What scopes are needed for the Personal Access Tokens to use MCP? I haven’t been able to find that information in the MCP documentation.

@Carlatto, did you ever find your answer? I am looking for that information as well.

I did not. From our testing, it appears no particular scopes are needed on the PAT.