sanitizeModelResponse API on your behalf and translates the result into a pass / modify / block verdict on the tool message. Add it from Rule Engines → Add → Google Model Armor.
What Model Armor is
Google Cloud Model Armor is a managed AI-safety service that screens content against filters you configure in a template — both prompts on the way in and model (or tool) responses on the way out. Its defining property for governance is that it enforces controls that don’t depend on a model cooperating: unlike instructions embedded in a prompt, a Model Armor verdict doesn’t rely on the model’s reasoning quality. It is model-independent and cloud-agnostic — it evaluates text, so it works regardless of which model your client ultimately talks to.How MCP Manager integrates it
Model Armor exposes asanitizeModelResponse endpoint that evaluates content against a template without invoking any foundation model — standalone content screening, decoupled from inference. MCP Manager sends the tool message text from your MCP traffic to that endpoint (as modelResponseData), Model Armor applies the template’s filters, and MCP Manager acts on the verdict. Two consequences are worth knowing:
- It’s response-direction today. MCP Manager fires this engine on tool responses — the result your agent is about to receive — and screens that text. (Model Armor also has a
sanitizeUserPromptendpoint for the request direction; MCP Manager uses the response endpoint.) - It complements model-side safety rather than replacing it. Safety attached to a model call protects that call; screening at the MCP gateway protects the data flowing through your connections. You can run both.
What a template can detect
You configure Model Armor’s filters in the template, and MCP Manager surfaces which filter fired in the rule’s alert and logs. The current set, per Google:Responsible AI filters
Responsible AI filters
Prompt injection and jailbreak detection
Prompt injection and jailbreak detection
Sensitive Data Protection (PII)
Sensitive Data Protection (PII)
Malicious URL detection
Malicious URL detection
Child safety (CSAM)
Child safety (CSAM)
Detecting PII with Sensitive Data Protection
Model Armor’s PII detection runs on Sensitive Data Protection (SDP), Google’s data-inspection service. You turn it on inside your Model Armor template in one of two modes: Basic for a quick start, or Advanced when you want to choose exactly what to detect — or to redact matches in place instead of blocking.gcloud services enable dlp.googleapis.com, or accept the enable prompt the first time you open the SDP console.Default detection (Basic)
The fastest way to start, with nothing to configure beyond a toggle.Open your template
Choose Basic
Custom detection (Advanced)
Use Advanced when you want to pick specific data types, add your own, or redact PII in place instead of blocking. Advanced mode points your Model Armor template at one or two templates you create in Sensitive Data Protection.Create an inspection template
(Optional) Create a de-identification template
[REDACTED], or mask it (for example, showing only the last four digits of a card number).Let Model Armor use your templates
roles/dlp.user) and DLP Reader (roles/dlp.reader) roles on the project that holds the SDP templates. The service agent is service-<project-number>@gcp-sa-modelarmor.iam.gserviceaccount.com (your project number is on the Cloud console dashboard). Skip this and Advanced mode fails with a permission error.Point your Model Armor template at them
projects/<project>/locations/<location>/inspectTemplates/<template-id>.- Inspect template only (no de-identification) → a match blocks the tool response.
- With a de-identification template → Model Armor returns the de-identified text and MCP Manager applies it as a modify: the agent receives the redacted or masked version instead of the original, and the message still flows through.
Turn it into a high-value PII engine
A few choices take a basic Advanced setup and make it genuinely protective for MCP traffic — most of the value comes from the first two:- Mask instead of block. Pair your Inspect template with a De-identify template so matches are redacted in place (a modify) rather than blocking the whole response. The agent keeps working — an email becomes
[EMAIL_ADDRESS], a card is masked to its last four digits — and the raw value never reaches it. Reserve blocking for data that must never appear at all; masking is usually the better default for tool output. - Catch credentials, not just classic PII. Tool responses leak API keys, OAuth/JWT tokens, and passwords far more often than Social Security numbers, and an agent that ingests a live credential is a real risk. Add Sensitive Data Protection’s credentials-and-secrets detectors — it’s the single highest-value addition for an MCP gateway. (See the infoType reference for exact names such as
AUTH_TOKEN,GCP_API_KEY, andPASSWORD.) - Add one custom infoType for your own identifiers. A single regex or word-list detector teaches Model Armor your organization’s data — employee IDs (e.g.
EMP-\d{6}), internal project codenames, customer account numbers, internal hostnames. This is what makes the engine feel tailor-made rather than generic. - Keep the set tight and raise the threshold to cut noise. Start with a focused list (emails, phone numbers, payment cards, your region’s national ID, credentials) instead of all 150+ detectors, and set the inspection minimum likelihood to
LIKELYso borderline guesses don’t flood your logs with false positives. You can always widen it later. - Define it once, reuse it everywhere. An SDP Inspect (and De-identify) template is a reusable resource — point multiple Model Armor templates at the same one so every gateway enforces the same definition of “sensitive.”
What you need from Google Cloud
Set up the template and a service account in Google Cloud first.Enable the API and create a template
gcloud services enable modelarmor.googleapis.com), then create a template that defines your filters. Creating templates requires the Model Armor Admin (roles/modelarmor.admin) role. Note the project ID, the location, and the template ID you choose.Create a service account with the Model Armor User role
roles/modelarmor.user) role on the project that holds your template — this is the role that lets it call the API (Admin is only needed to create templates).Download a JSON key
client_email and private_key) is what you paste into MCP Manager.Connecting it in MCP Manager
In the Google Model Armor rule-engine form, provide:Project, location, and template
Service account key (JSON)
https://modelarmor.<location>.rep.googleapis.com/v1/projects/<project>/locations/<location>/templates/<template>:sanitizeModelResponse and the HTTP method is fixed to POST. It validates that URL is a canonical Model Armor endpoint before sending any credential, so the access token can only ever go to Google.Authentication is handled for you
You provide the service-account key once and MCP Manager authenticates to your Model Armor template for you — handling the Google Cloud access tokens server-side. Those tokens arecloud-platform-scoped, used only to call your Model Armor template, and never persisted. The stored key itself is encrypted at rest and is redacted (shown as [Redacted]) whenever the engine is read back in the UI.
How it behaves as a rule
Once saved, the Model Armor engine appears in the Detection method dropdown on any gateway rule. On the rule’s detection hook, MCP Manager forwards the tool message to your template throughsanitizeModelResponse and acts on the result. As with every custom engine, there is no action picker — Model Armor’s verdict drives the outcome:
Cost
Model Armor’s standalone API — the way MCP Manager uses it — is billed by Google Cloud. These are Google behaviors and can change — confirm against Google before relying on them.- There is no charge for the first 2 million tokens per month; usage beyond that is billed at roughly $0.10 per million tokens.
- Model Armor counts a token as four UTF-8 characters (excluding whitespace), the same definition Vertex AI uses — so a longer tool message counts as more tokens.
- Because MCP Manager calls the standalone screening API, there is no model inference to pay for — a blocked or flagged message costs only the screening.

