Nervora: Governed Tool Execution for Enterprise AI Agents
A secure MCP gateway reference architecture showing how AI agents can call enterprise tools without bypassing identity, RBAC, audit, approval, and operational controls.
Context
Nervora is Inovativi's flagship reference architecture for secure enterprise AI tool execution. It demonstrates how AI agents can interact with business systems through a controlled MCP gateway rather than direct, uncontrolled API access. The system includes OIDC authentication, tool-level RBAC, PII redaction, dry-run handling for sensitive write actions, async job execution, idempotency, structured audit logs, and OpenTelemetry tracing.
Problem
Most enterprise AI pilots fail when they move from chat interfaces to real business systems. The hard part is not generating text; it is giving agents safe, auditable, policy-controlled access to tools, data, workflows, and legacy systems. Enterprises need to know who called what, which role allowed it, what data was exposed, whether the action was read-only or destructive, and whether failures can be retried without accidental duplicate execution.
What was built / modernized
Nervora acts as a governed execution layer between AI agents and enterprise systems. Instead of allowing agents to call backend systems directly, all tool calls pass through a policy-aware MCP gateway. The gateway validates identity, checks tool-level permissions, redacts sensitive data, logs every decision, routes long-running tasks through an async worker path, and blocks destructive actions unless they are explicitly approved or run in dry-run mode.
- AI Agent: Finance, Sales, or HR agent requests a tool
- OIDC Authentication: Azure Entra ID-ready identity layer
- Tool-Level RBAC: Per-tool permission matrix by role
- PII Redaction Boundary: Sensitive fields redacted before model-visible output
- Dry-Run / Approval Gate: Destructive writes require explicit approval
- Async Worker: Long-running jobs queued via Azure Service Bus abstraction
- Enterprise Tools / Databricks: Connectors to APIs, CRM, and data workflows
- Audit Trail + OpenTelemetry: Structured audit records and shared trace IDs
Governed execution path from AI agent to enterprise tools, including identity validation, tool-level RBAC, PII redaction, async workflow execution, audit logging, and tracing.
1. Budget variance request: Finance Agent requests a report
2. Identity & role validated: Gateway authenticates the caller
3. RBAC allows the call: Tool-level permission granted
4. Report executed & audited: Result returned, audit record written
5. Databricks workflow triggered: Finance Agent starts a long-running job
6. Queued asynchronously: Routed through the worker path
7. Worker processes the job: Job completes successfully
8. Duplicate idempotency key: Same job ID returned, no re-execution
9. Sales Agent denied HR data: Cross-role access blocked and logged
10. HR profile redaction: PII fields redacted in output
11. CRM update as dry-run: Proposal requires human approval
12. Destructive execution blocked: Disabled by default
An end-to-end walkthrough of the governance, async execution, idempotency, RBAC, redaction, and approval controls Nervora demonstrates.
Security flow
- OIDC / Azure Entra ID-ready authentication for every caller
- Tool-level RBAC matrix enforced at the gateway
- Sensitive HR tools available only to HR/Admin roles
- Sales agents blocked from HR data
- PII fields redacted before model-visible output
- Destructive CRM updates disabled by default
- CRM changes created as dry-run proposals requiring human approval
- Denied calls are logged, not silently ignored
Tool-calling controls
- Tool registry with explicit policy metadata — no hidden tools
- Tool policies classify read, write, destructive, sync, async, and PII-sensitive operations
- Idempotency keys for safe retries on external actions
- Async-only execution for long-running jobs
- Dry-run proposals before any destructive write executes
- Dead-letter queue and retry design for failed jobs
Observability
- Structured audit records for every tool call
- Shared trace IDs across gateway, worker, and audit records
- OpenTelemetry spans for auth, RBAC, redaction, queueing, worker execution, and audit writes
- Clear error states for denied, dry-run, queued, executed, and failed actions
Databricks & data workflow integration
- Databricks Workflow / SQL Warehouse connector abstraction
- Async execution path through an Azure Service Bus abstraction
- Worker service for long-running workflows
- Job status tracking instead of synchronous blocking
- Idempotent re-submission returns the original job ID
Production judgment — what we deliberately do not allow
- Agents cannot execute destructive write actions without explicit approval.
- Agents cannot bypass tool-level RBAC.
- Agents cannot access raw PII unless policy allows it.
- Agents cannot trigger long-running jobs synchronously.
- Agents cannot retry non-idempotent actions without an idempotency key.
- Agents cannot call hidden tools outside the published tool registry.
- Agents cannot write directly to production systems in demo mode.
- Agents cannot suppress audit logging.
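The tool-calling controls and the restrictions listed above can be expressed as a single gateway decision function. The following is an added example, not Nervora's own code: the tool names, roles, field names, and the `ToolPolicy` and `Gateway` classes are hypothetical, and `role` is assumed to come from an already validated OIDC token.

```python
import uuid
from dataclasses import dataclass

@dataclass(frozen=True)
class ToolPolicy:                      # hypothetical policy metadata shape
    roles: frozenset                   # roles the RBAC matrix allows
    destructive: bool = False          # writes become dry-run proposals
    run_async: bool = False            # long-running: queue, never run inline
    pii_fields: tuple = ()             # redacted before model-visible output

REGISTRY = {                           # constructed sample registry
    "finance.budget_variance": ToolPolicy(frozenset({"finance", "admin"})),
    "hr.get_profile": ToolPolicy(frozenset({"hr", "admin"}), pii_fields=("ssn", "salary")),
    "crm.update_account": ToolPolicy(frozenset({"sales", "admin"}), destructive=True),
    "databricks.run_workflow": ToolPolicy(frozenset({"finance", "admin"}), run_async=True),
}

class Gateway:
    def __init__(self):
        self.audit = []                # stand-in for the audit table
        self.jobs = {}                 # (role, tool, idempotency key) -> job id

    def _record(self, role, tool, status, **extra):
        # Every decision, including a denial, leaves an audit record.
        trace_id = uuid.uuid4().hex
        self.audit.append({"role": role, "tool": tool, "status": status, "trace_id": trace_id})
        return {"status": status, "trace_id": trace_id, **extra}

    def call(self, role, tool, args, idempotency_key=None, backend=None):
        policy = REGISTRY.get(tool)
        if policy is None or role not in policy.roles:
            return self._record(role, tool, "denied")      # hidden tool or RBAC failure
        if policy.destructive:
            # Destructive execution is off: return a proposal for human approval.
            return self._record(role, tool, "dry_run", proposal=dict(args))
        if policy.run_async:
            if not idempotency_key:
                return self._record(role, tool, "failed", error="idempotency key required")
            key = (role, tool, idempotency_key)
            if key not in self.jobs:
                self.jobs[key] = uuid.uuid4().hex          # enqueue happens once per key
            return self._record(role, tool, "queued", job_id=self.jobs[key])
        result = backend(args) if backend else {}
        safe = {k: "[REDACTED]" if k in policy.pii_fields else v for k, v in result.items()}
        return self._record(role, tool, "executed", result=safe)
```

Execution of an approved proposal is left out here; in this example a destructive tool can only ever produce a `dry_run` record.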
Workflow highlights
- FastAPI-based MCP gateway with a typed tool interface
- Tool registry with explicit policy metadata
- OIDC / Azure Entra ID-ready authentication layer
- Tool-level RBAC matrix
- PostgreSQL audit trail
- PII redaction boundary
- Async execution path through an Azure Service Bus abstraction
- Databricks Workflow / SQL Warehouse connector abstraction
- Idempotency keys, dead-letter queue, and retry design
- OpenTelemetry tracing across the call path
Security, auditability & governance
- Agents cannot bypass tool permissions
- Sensitive HR tools are only available to HR/Admin roles
- PII fields are redacted before model-visible output
- Destructive CRM execution is disabled by default and gated behind dry-run approval
- Denied calls are logged, not silently ignored
- Tool policies classify read, write, destructive, sync, async, and PII-sensitive operations
Value delivered
- Demonstrates the governance and audit controls required before agents touch sensitive systems
- Shows destructive actions gated behind dry-run approval rather than direct execution
- Proves async, idempotent execution so retries never duplicate business actions
- Provides a concrete, inspectable pattern for moving enterprise AI from pilot to controlled execution
Technologies
- Python
- FastAPI
- MCP
- PostgreSQL
- OIDC / Azure Entra ID
- Azure Service Bus
- Databricks
- OpenTelemetry
- Docker Compose
- Pytest
- Terraform
Relevant roles
- Senior AI Backend Engineer
- MCP / OpenAPI Tool Gateway Engineer
- AI Integration Engineer
- DevOps / Terraform Engineer
Status & transparency
Nervora is an internal R&D reference architecture, not a packaged SaaS product. It is mock-first by design, with connector abstractions prepared for Databricks, Azure Service Bus, Azure Entra ID, and enterprise APIs. The purpose is to demonstrate the governance, auditability, and execution-control patterns required before AI agents are connected to sensitive real-world systems — not to claim a production deployment.
Next step
We can adapt this pattern to your systems and provide the engineers to build it. Reach us at info@inovativi.com.
