Approved Tools
Purpose
This procedure is intended to provide guidance on the process for requesting approval to use AI tools within Rygen.
Scope
This procedure applies to all employees at Rygen who use or have access to Rygen’s information assets.
This procedure applies to:
- Standalone AI tools and platforms
- MCP (Model Context Protocol) connectors used within approved AI tools (e.g., Claude Desktop, ChatGPT)
- AI tool extensions and plugins that process company data
This procedure does not apply to standard integrations used by approved AI tools (e.g., GitHub, Google Drive, Slack integrations within AI platforms) that are pre-configured by the vendor. These integrations fall under Rygen’s general Security Policy and Acceptable Use Policy.
Definitions
AI Tool: A tool that uses AI to process data or perform tasks.
MCP Connector: A Model Context Protocol connector that extends the capabilities of AI tools by providing access to external data sources, APIs, or services. MCP connectors can read, write, or process data from connected systems.
Approved Tools
Tools approved for use are listed on the Approved AI Tools page along with instructions and requirements for their acceptable use. Employees are not required to request approval for tools on the Approved AI Tools list as long as they are able to comply with the requirements for each tool’s acceptable use.
MCP Connector Requirements
MCP connectors must be reviewed and approved before use if they:
- Access sensitive company data (e.g., databases, internal APIs, file systems)
- Have write capabilities to company systems
- Connect to third-party services not already approved
- Process personal or confidential information
Approved MCP Connectors:
- Pre-approved connectors are listed on the Approved AI Tools page
- Employees may use pre-approved connectors without additional approval
MCP Connector Approval Process:
- Follow the same process as “New Tool Approval Request” below
- Specify the MCP connector name, capabilities, and data access requirements
- Include documentation of security controls and data handling practices
New Tool Approval Request
If an AI tool has not been approved for use but is needed:
- Complete the AI Tool Request Form
- Submit the form to IT Security by emailing ai-admin@rygen.com
- Allow 5-10 business days for initial review
- Respond to any follow-up questions or requirements
- Await final approval before using the tool
Evaluation Criteria
New AI tools and MCP connectors are reviewed and approved based on the following:
- Business necessity and use case justification
- Security features and compliance capabilities
- Data privacy controls and opt-out options
- Data access scope and permissions requested
- Cost and licensing requirements
- Integration with existing systems
- Training requirements
- For MCP connectors: authentication methods, data transmission security, and audit capabilities
Implementation
Once a new AI tool is approved:
- The tool will be added to the Approved Tools list
- IT Security will document required configuration
- The user will receive setup instructions
- Required training must be completed
- Usage monitoring will be implemented
- Regular compliance checks will be conducted
Non-Compliance
Compliance with this policy shall be verified through various methods, including but not limited to automated reporting, audits, and feedback to the policy owner. Any staff member found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contractual agreement. The disciplinary action shall depend on the extent, intent, and repercussions of the specific violation.
Responsibilities
The Information Security Officer is responsible for approving and reviewing policy and related procedures. Supporting functions, departments, and staff members shall be responsible for implementing the relevant sections of the policy in their area of operation.
Review Schedule
This document shall be reviewed annually and whenever significant changes occur in the organization.
Revision History
| Version | Date | Author | Summary of Change |
|---|---|---|---|
| 1.0 | 2025-06-05 | Field Bradley | Initial draft. |
| 1.1 | 2025-09-02 | Field Bradley | Migrated to Markdown and GitLab |
| 1.2 | 2025-11-04 | Field Bradley | Added Appendix for AI Tool Request Form |
| 1.3 | 2025-12-04 | Field Bradley | Added MCP connector requirements and updated scope |
Appendix
AI Tool Request Form
# AI Tool Request Form
## Requestor Information
**Name:**
**Department:**
**Role:**
**Manager:**
**Date:**
## Tool Information
**Tool Name:**
**Vendor:**
**Website:**
**Pricing Model:**
**Number of Required Licenses:**
## Business Justification
**Primary Purpose:**
**Expected Benefits:**
**Alternative Solutions Considered:**
**Impact if Not Approved:**
## Technical Details
**Does the tool offer opt-out from data training?** (Yes/No):
**Data security features:**
**Required integrations:**
**Type of data to be processed:**
**Browser/system requirements:**
**For MCP Connectors:**
- **Connector type:** (filesystem, API, database, etc.)
- **Data access scope:** (read-only, read-write)
- **Authentication method:**
- **Data transmission security:**
## Usage Details
**Who will use this tool?**
**What type of data will be processed?**
**How frequently will it be used?**
**Required access level:**
## Security and Compliance
**Does the vendor offer enterprise security features?** (Yes/No):
**Is a Data Processing Agreement available?** (Yes/No):
**Does the tool comply with relevant regulations?** (List):
**Are there any known security concerns?**
## Additional Information
**Requested implementation timeline:**
**Training requirements:**
**Additional comments:**
## Approval Section (For IT Security Use)
**Security Review Date:**
**Legal Review Date:**
**Technical Assessment:**
**Risk Assessment:**
**Final Decision:**
**Approval Date:**
**Special Conditions:**
---
**Submitted by:** __________________ **Date:** __________________