STRATEGIC OVERVIEW
Client Context & The Integration Deadlock The client runs hub-and-spoke distribution across North America, Western Europe, and Southeast Asia.
Client Context & The Integration Deadlock
The client runs hub-and-spoke distribution across North America, Western Europe, and Southeast Asia. SAP S/4HANA anchors orders and finance; a custom WMS handles high-velocity lanes; TMS tracks carrier events; ServiceNow-class ITSM manages exceptions. Dispatch supervisors touched six to eleven screens per stuck shipment.
Early copilots drafted emails but could not resolve exceptions—no governed tool execution existed. Inbound MCP proposals (public HTTPS into the DMZ) were rejected twice for lateral movement and weak audit attribution.
Citation anchor: In regulated logistics, the blocker is rarely model quality—it is provable containment. Auditors ask whether an agent can exfiltrate shipment data or write under another user's identity. Without outbound tunnels, per-tool schemas, and HITL on writes, architecture review stops the program.

Why Inbound MCP Exposure Failed Security Review
Security's red-team surfaced three show-stoppers familiar to AI agent ERP integration programs:
| Dimension | Inbound MCP (Rejected) | Outbound Private MCP Tunnel (Selected) |
|---|---|---|
| Firewall posture | New inbound allow rules per environment | Egress-only from MCP zone |
| Blast radius | DMZ compromise may pivot to internal APIs | Broker enforces schema + OIDC per call |
| Audit attribution | Shared service account in logs | Per-session agent JWT + supervisor HITL |
| Time to sign-off | Est. 9–14 weeks | Pilot approved in 4 weeks |
Target Architecture: Private MCP Mesh
The mesh has four planes:
- Orchestration — plans multi-step workflows, selects tools, enforces budgets.
- Tunnel — outbound SSE from enterprise MCP broker to orchestrator; no inbound initiation.
- Tool — on-prem MCP servers wrapping SAP OData, WMS REST, TMS events, ITSM tickets.
- Governance — OIDC for humans, machine identities for agents, immutable audit, HITL console for writes.


Exception Workflow: From Stuck Shipment to Resolved Ticket
Median resolution dropped from 4.2 hours to 38 minutes on 2,400 pilot exceptions.

Trigger: TMS publishes SHIPMENT_DELAYED to Kafka with order ID and lane.
Plan: Orchestrator decomposes into ERP holds, WMS pick status, ITSM search, and proposed carrier rebook.
Write tools (erp.release_credit_hold, wms.reallocate_inventory, itsm.update_ticket) require HITL approval.

Measured Outcomes & Before/After
| Metric | Before | After (Pilot) |
|---|---|---|
| Median exception resolution | 4.2 hours | 38 minutes |
| Manual copy-paste hours / month | ~1,200 | ~310 |
| Systems connected via governed tools | 0 | 14 |
| Critical policy violations (pilot window) | — | 0 |

Lessons for Platform & Engineering Leaders
- Treat enterprise MCP integration as outbound tunnel architecture, not "expose APIs to Claude."
- Version tool manifests in Git; security signs off on manifest diffs, not weekly firewall tickets.
- Bind agent identity → tool allow-list → prompt hash at the gateway to kill confused-deputy risk.
- Ship a two-week shadow study before broker code—swivel-chair tax quantifies ROI better than model benchmarks.
Frequently Asked Questions
How long did the pilot take?
Ninety days for scoped tools across two hubs, plus six weeks for broker hardening and HITL console UAT.
Did you use inbound MCP at all?
No public MCP endpoints. All connectivity is outbound-initiated from the enterprise MCP zone.
What orchestrator was used?
Hybrid Azure zone with vendor-neutral MCP manifests post-AAIF—details anonymized; pattern applies to any MCP-compliant host.
MCP Mesh Control Plane
You read the story — now explore the simulated console that mirrors what was delivered. Fictional data only; no production access.
Simulation could not load. Deploy the v1.2.1.0 upgrade package (demo assets under public/assets/demos/) and purge page cache.
Simulation uses fictional data. Controls are for demonstration only and do not connect to production systems.