MCP Personally Identifiable Information (PII) Detector Policy
| Policy Name | MCP PII Detector Policy |
|---|---|
| Summary | Blocks elicitation responses containing personally identifiable information (PII) from reaching MCP servers |
| Category | MCP |
| First Flex Gateway version available | v1.9.3 |
| Returned Status Codes | No return codes exist for this policy. The policy reports a policy violation when PII is detected. |
Summary
The MCP PII Detector policy blocks elicitation responses containing personally identifiable information (PII) from reaching MCP servers.
When PII is detected in the elicitation response result field, the policy:
- Reports a policy violation.
- Sends a modified response to the MCP server that the request was declined and includes the message `PII data requested or found in user response.`
The policy doesn’t send a response to the client when PII is detected.
The policy only scans JSON-RPC responses that contain a result field. JSON-RPC requests with a method field are ignored.
Configuring Policy Parameters
Managed Flex Gateway and Flex Gateway Connected Mode
When you apply the policy to your API instance from the UI, the following parameters are displayed:
| Element | Description |
|---|---|
| | Array that defines the types of PII to detect. You can select multiple PII types. Supported values are |
PII Types
When you configure an MCP PII Detector policy, you can choose which types of PII to detect:
| PII Type | Description |
|---|---|
| | Standard email addresses such as |
| US SSN | United States Social Security Numbers (SSNs) in the standard format: |
| Credit Card | Credit card numbers in the form of four groups of four digits, separated by optional spaces or hyphens. For example, |
| Phone Number | United States phone numbers in various formats, with or without country code, parentheses, spaces, hyphens, or dots. For example, |
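To check ahead of deployment which elicitation responses would fall within the scope described in the Summary and match the PII types above, the following added example (not the policy's own implementation) models that behavior in Python. The regular expressions, the type keys (`email`, `us_ssn`, `credit_card`, `phone_number`), the function names, and the decision dictionary are assumptions made for illustration.

```python
import json
import re

# Approximations of the four PII types on this page; the policy's real
# patterns and configuration keys are not published here (assumptions).
PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"),
    "phone_number": re.compile(
        r"(?<![\w.-])(?:\+?1[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}(?![\w-])"
    ),
}
DECLINE_MESSAGE = "PII data requested or found in user response."
# Constructed elicitation response, not captured traffic.
SAMPLE = ('{"jsonrpc": "2.0", "id": 7, "result": {"action": "accept", '
          '"content": {"contact": "jane.doe@example.com"}}}')


def iter_strings(value):
    """Yield every scalar in a nested JSON value as text (object keys are skipped)."""
    if isinstance(value, (dict, list)):
        children = value.values() if isinstance(value, dict) else value
        for child in children:
            yield from iter_strings(child)
    elif value is not None and not isinstance(value, bool):
        yield str(value)


def detect_pii(raw_message, enabled_types):
    """Return the sorted PII types found in a JSON-RPC response's result field."""
    msg = json.loads(raw_message)
    # Requests (method field) and messages without a result field are not scanned.
    if not isinstance(msg, dict) or "method" in msg or "result" not in msg:
        return []
    found = {name for text in iter_strings(msg["result"])
             for name in enabled_types if PII_PATTERNS[name].search(text)}
    return sorted(found)


def gateway_decision(raw_message, enabled_types):
    """Summarize the outcome the page describes: forward, or violation plus decline."""
    found = detect_pii(raw_message, enabled_types)
    if not found:
        return {"violation": False, "forward_unchanged": True}
    # Outcome summary only; the wire format of the decline is not on the page.
    return {"violation": True, "pii_types": found, "message": DECLINE_MESSAGE}
```

Pass only the types you plan to enable as `enabled_types` to see how the selection changes what is flagged.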



