What is an Agentic Control Plane?

An Agentic Control Plane is a governance layer that sits between AI coding agents and their tools. It logs every tool call, enforces permissions and policies, and provides audit trails — giving teams visibility and control over what their AI agents are doing.

How does ACP work with Claude Code?

ACP installs a PreToolUse hook in Claude Code that fires before every tool call (Bash, Read, Write, Edit, WebFetch). The hook sends the tool name and input to ACP's governance API for policy evaluation and audit logging. Round-trip is approximately 200ms.

How do I install ACP?

Run one command: curl -sf https://agenticcontrolplane.com/install.sh | bash. This auto-detects Claude Code and OpenClaw, installs the appropriate hooks, and opens your browser to set up your workspace.

Quick-start series · Part 5 of 7

Governance in Three Minutes →

Governed Cursor in 3 Minutes

David Crowe · 2 min read

cursor mcp ide

Cursor is where a lot of production code is being written right now. Its agents edit files, run shell commands, call APIs via MCP servers. And by default, your security team has no idea what happened.

Cursor’s built-in permission prompts are fine for solo use. For a team, they’re debug output, not audit data. No structured log, no per-user attribution, no policy enforcement across developer machines.

ACP’s MCP server is the fastest way to fix that for the external-service tools Cursor uses.

The 3-minute setup

Open Cursor → Settings → MCP → Add server. Use this config:

{
  "acp": {
    "url": "https://api.agenticcontrolplane.com/mcp",
    "headers": {
      "Authorization": "Bearer gsk_yourslug_xxxxx"
    }
  }
}

That’s it. Any tool you expose to Cursor through the ACP MCP server — web fetches, database queries, Slack messages, GitHub operations, your internal APIs — now flows through ACP’s governance pipeline before the call happens.

Grab your gsk_ API key from cloud.agenticcontrolplane.com → Settings → API Keys. Drop it into the header value above and you’re done.

What you get for free

Open the ACP dashboard → Activity. Every MCP-dispatched tool call from every developer’s Cursor appears as a row: identity, tool, input, decision, reason, PII findings, session ID. One log across your whole team.

And because ACP is enforcing, not just observing:

Per-user policy — Alice can call stripe.refund; Bob can’t
Rate limits — no one agent can burn a full tenant’s budget
PII redaction — customer emails never leave the perimeter in tool inputs
Audit retention — 7 days on Free, 90 days on Pro, unlimited on Enterprise
Delegation chain — when the Cursor agent delegates to a subagent, the chain is preserved in every downstream call

Known limits worth flagging

Cursor’s internal IDE tools — Edit, Read, Bash, Terminal — do not flow through MCP. They dispatch through Cursor’s own engine and never hit any external governance layer. This is structural to every MCP-only integration in every IDE. We benchmarked this — Cursor + ACP scores 37/48 vs 40-46 for other patterns, specifically because of this gap.

What to do about it: layer server-side mitigations for internal-tool operations (git hooks, branch protection, network-layer enforcement on developer machines). That covers what MCP can’t reach. Full Cursor integration guide walks through the specifics.

Why Cursor + ACP is worth it anyway

Your team’s external-service calls are where the compliance exposure lives. Customer data read from your CRM, messages posted to Slack, files synced to cloud storage, production APIs invoked from a developer laptop — every one of those is an MCP tool call in a Cursor deployment. ACP governs all of them.

Internal IDE tools are the editor’s problem, not yours. Go cover the surface you can.

Next steps:

Cursor integration guide — full MCP config + known limits
Cursor scorecard — 37/48 on AgentGovBench with the structural reason
Governance in Three Minutes series — one install, every framework

Share: Twitter LinkedIn