Update the 'milestone_goal' of 'phase::now' priorities
Thanks for the tag @igor.drozdov, and thanks everyone for the thorough discussion here. Wanted to add some context from the AI Governance side, since a few of the decisions being discussed will directly affect what we're building in the MCP Registry & Tool Catalog epic (https://gitlab.com/groups/gitlab-org/-/work_items/20421).
Two things I'd like to flag:
1. On expanding MCP settings to subgroup/project level
We're aligned that basic MCP ON/OFF controls belong in the DAP control plane. That said, as part of the AI Governance SKU, we're building Layer 3: project-scoped restrictions that go beyond binary ON/OFF. These allow admins to restrict by tool category (e.g., no Write tools for Developers in this project), by specific MCP server, or by specific tool name, scoped to projects via compliance frameworks or group membership.
If the DAP control plane expands MCP settings to the subgroup/project level, we should align on how that interacts with the governance layer so we don't end up with two overlapping mechanisms for project-level MCP control. Happy to walk through the boundaries in more detail if that's helpful.
2. On hide vs. show-but-restricted
Strongly agree with the direction of showing MCP servers with a clear indication of why they're restricted, rather than hiding them. Once our RBAC-based tool permissions (Layer 2) are in place, a tool could be unavailable for multiple reasons: the group has MCP disabled, the user's role doesn't permit that tool category, or a project-scoped restriction is applied. If the foundation is built around hiding, it becomes much harder to surface those layered reasons later.
Showing the tools with clear status indicators (disabled, restricted by role, restricted by project policy) gives admins the visibility they need and sets us up well for the governance controls we're adding. This is also consistent with what we're hearing from enterprise customers, who want to see what's restricted and why, not have things silently disappear.
Happy to sync with anyone here to walk through how these layers connect. I think there shouldn't be an issue with us building on top of what's been proposed here (Nate - feel free to let me know otherwise). The epic linked above has the full enforcement model and workflows if that's useful context.
cc: @nrosandich
Update the 'progress' of 'phase::now' priorities