TL;DR
- MCP tool sprawl is the new shadow IT problem — developers connect tools in minutes; security and compliance find out months later.
- Ethira's Slack integration puts the entire MCP tool lifecycle — request, review, approve, onboard, and offboard — into the channel your team already works in.
- Any employee can request a new MCP tool from Slack; the request lands in Ethira as a structured vendor onboarding workflow with a named reviewer and an audit trail.
- Once approved, the tool is added to the Ethira vendor inventory with policies, owner assignment, and an expiry date — ready for DORA, EU AI Act, and ISO 42001 spot-checks.
- When a tool is decommissioned, offboarding is triggered from Slack too: access is revoked, the vendor record is closed, and the full history is preserved.
Why MCP tool governance is the new shadow IT problem
Example exchange in the #ai-tools Slack channel ("Request and track AI tool onboarding"):
- Employee: @Ethira can we onboard Notion MCP for the product team?
- Ethira: 👋 Got it! I've opened an MCP tool request for Notion MCP. A reviewer will be notified to approve or reject it. You'll hear back here once a decision is made.
The Model Context Protocol has changed how fast teams can wire AI tools into their workflows. Connecting a new MCP server to a coding assistant or an internal agent used to require an IT ticket, a procurement review, and a software delivery pipeline. Today it requires a URL and an API key.
That speed is genuinely useful. It is also why MCP tool sprawl has become the fastest-growing source of shadow AI risk inside organisations that have adopted agent-based workflows.
The typical pattern looks like this: a developer finds a useful MCP tool — an internal search server, a third-party data provider, a productivity tool with a model context interface — connects it to their local agent, and shares the config with the team over Slack. Two weeks later, six more people are using it. Neither security nor compliance was consulted. There is no vendor record, no data processing agreement, no named owner, and no process for removing access when someone leaves.
Under DORA, the EU AI Act, and ISO 42001, that pattern is a compliance gap from the moment the first connection is made.
The Ethira + Slack workflow
MCP Tool Requests
Review and manage AI tool access requests from your team
| Tool | Requested by | Team | Requested on | Status |
|---|---|---|---|---|
| Notion MCP | Alex Martins | Product | May 22, 2026 | Pending review |
| Cursor MCP | Sarah Kim | Engineering | May 20, 2026 | Approved |
| Zapier MCP | James Ford | Operations | May 18, 2026 | Approved |
| Salesforce MCP | Priya Nair | Sales | May 15, 2026 | Rejected |
| GitHub MCP | Tom Chen | Engineering | May 14, 2026 | Approved |
Ethira's Slack integration is designed to close that gap without creating a bureaucratic bottleneck. The entire MCP tool lifecycle — from first request to final decommission — runs through Slack, with Ethira handling the governance layer in the background.
Request
Any employee can request a new MCP tool by posting in your designated Ethira channel or using the Ethira Slack bot directly. The request captures the minimum useful information: the tool name, the vendor, the intended use case, and the team requesting access.
Ethira creates a vendor onboarding workflow from the request automatically. The requesting employee becomes the named owner. The workflow is visible in Ethira from the moment it is created — no manual data entry required on the reviewer's side.
Review and approve
Security and compliance reviewers receive a Slack notification the moment a new tool request lands. The notification includes the tool name, the requesting team, and a direct link into the Ethira workflow where reviewers can check existing vendor documentation, verify whether a DPA is on file, and leave comments visible to the requesting team.
Approval or rejection happens inside Ethira, but the outcome is posted back to the original Slack thread immediately — so the requesting team sees the decision without needing to log into the GRC tool themselves.
Onboard
When a reviewer approves the request, Ethira onboards the tool into the vendor inventory automatically. The vendor record is created with the correct owner, the requesting team, the approved use case, and any attached policy documents or DPA. If your organisation has a standard MCP tool review checklist, it is attached as a completed task.
From that point, the tool is a sanctioned asset in Ethira — visible in your tool inventory, flagged against relevant regulatory frameworks, and included in any DORA third-party reporting or AI Act system inventory you run.
Offboard
When a tool is no longer needed — the project ended, the vendor changed their terms, or the tool was superseded — any team member can trigger offboarding from Slack. Ethira opens a decommission workflow: the named owner is notified, access revocation steps are listed, and the vendor record is closed with a decommission date.
The full history — who requested the tool, who approved it, how long it was in use, and who offboarded it — is preserved in the audit trail. A closed vendor record is not deleted; it is archived with its complete event history, available for regulatory review on demand.
Why this matters
| Without Ethira + Slack | With Ethira + Slack |
|---|---|
| MCP tools adopted ad hoc, no approval trail | Every tool request triggers a structured workflow |
| Security hears about new tools weeks later | Reviewers are notified in Slack the moment a request lands |
| No named owner when something goes wrong | Owner assigned at request time, kept current in inventory |
| Offboarding depends on someone remembering | Decommission workflow triggered from Slack, logged in Ethira |
| Compliance reports built from memory | Audit trail complete from first request to final offboard |
Speed is not the casualty here. A reviewer can approve a standard tool request in under two minutes from their phone. The governance overhead is as close to zero as it can be while still producing a real audit trail.
How it works: step by step
- Install the Ethira Slack app from the Ethira integrations page at Settings → Integrations → Slack.
- Designate a review channel — or use the Ethira bot in any existing channel.
- Set your reviewer list in Ethira under Settings → Integrations → Slack. Reviewers can be individual users or a Slack user group.
- Request a tool by mentioning @Ethira in Slack, for example: "@Ethira I'd like to request access to the Cursor MCP tool for our engineering team." Ethira creates the vendor workflow immediately.
- Reviewers are notified in Slack with a link to the Ethira workflow. Approval or rejection is recorded in Ethira and posted back to the original thread.
- Approved tools appear in the vendor inventory automatically. Policies, DPAs, and owner assignments are attached as part of the onboarding workflow.
- Offboard when ready by mentioning @Ethira in Slack, for example: "@Ethira we need to offboard the Zapier MCP — the project is done." Ethira guides the reviewer through access revocation and closes the vendor record.
The audit trail that regulators actually want to see
A vendor record that shows a tool was used is useful. A vendor record that shows the full chain of custody — who requested it, who reviewed it, who approved it, when it was onboarded, who used it, and who eventually decommissioned it — is what DORA Article 28, EU AI Act Article 10, and ISO 42001 clause 8 are actually looking for.
The Ethira + Slack workflow produces that chain of custody as a side effect of the work your team is already doing. Nobody fills in an audit form after the fact. The audit trail is the workflow.
Get started
If your team is adopting MCP tools faster than your security and compliance processes can keep up, the Ethira Slack integration is the lowest-friction path to closing the gap.
Connect Slack in under five minutes from app.ethira.dev → Settings → Integrations → Slack.