Least-Privilege Access, By Default
Access is provisioned per engagement, not per relationship. There is no standing admin access left behind after a project phase closes, and no credential is ever reused across customers or shared between team members.
- Scoped roles: your admin grants the FDE and any active AI agent the specific permission sets, profiles, or API scopes a task requires — Configuration and Integration agents get sandbox and change-set access; Cost Analysis and User Utilization agents get read-only reporting access, not the ability to modify records.
- Time-boxed: access tied to a migration, integration build, or audit is reviewed and revoked at the end of that phase — it does not silently persist into steady-state operations.
- Named identities only: no shared logins, no generic service accounts used to mask who (or which agent) made a change. Every action traces back to an individual identity.
No Prohibited License Workarounds
Cost optimization is a core part of what PartnerMCP does — but it is done inside vendor rules, not around them. The License Optimization and Cost Analysis agents are built to find waste, not to find loopholes.
- We right-size licenses to actual usage patterns, optimize the license mix across tiers your vendor already offers, and remove unused access sitting on inactive or over-provisioned seats.
- We do not recommend sharing logins, pooling seats across users to avoid a license count, or any configuration designed to obscure usage from the platform vendor.
- Every license change is checked against the specific terms of your vendor agreement before it's proposed — not assumed from general product knowledge. If a savings idea can't be validated against your contract, it doesn't ship as a recommendation.
Approved Platform Capabilities Only
Portals, integrations, and workflow automation are built entirely on capabilities the platform vendor has published and licensed for that purpose — never on workarounds that bypass authentication or platform rules.
- External-facing portals are built on the vendor's own approved external-user experiences (for example, licensed Experience Cloud or guest-access models), not unlicensed internal accounts repurposed for outside users.
- Integrations run through documented, supported APIs and connectors — not screen-scraping, credential replay, or undocumented endpoints.
- Automation operates within each platform's governance model (sharing rules, permission sets, approval processes) rather than routing around them for speed.
AI Agents Operate Inside Defined Guardrails
The specialized agents behind your engagement — Discovery, Architecture, Configuration, Integration, Workflow, Migration, Testing, Documentation, Monitoring, Cost Analysis, User Utilization, License Optimization, and Savings Verification — each have a scoped mandate and a scoped access level to match.
- Agents that analyze (Cost Analysis, User Utilization, Discovery) operate read-only against your data and metadata.
- Agents that build or change systems (Configuration, Integration, Workflow, Migration) work in sandbox and staging environments first; nothing reaches production without your dedicated FDE reviewing and approving the change.
- Testing and Monitoring agents validate changes before and after they ship, and Savings Verification checks that a license or cost change actually produced the expected result — rather than taking the estimate on faith.
Audit Trail: Nothing Changes in the Dark
Every access grant, configuration change, integration deployment, and license adjustment is logged and attributable to a specific agent action or FDE decision. Your security and compliance stakeholders get visibility into what changed, when, why, and who (or which agent) approved it — not a summary after the fact, but a running record they can pull at any time.
This is also what makes the cost and savings numbers credible: an estimate produced by the Cost Analysis or License Optimization agent is a starting hypothesis, not a claim. It's confirmed against your actual contract terms and technical environment, implemented, and then checked again by the Savings Verification agent — with that whole chain visible in the audit log.
PartnerMCP recommendations are designed to comply with applicable vendor terms, product limitations, security requirements, and customer agreements. Final licensing decisions should be validated against the relevant contract and vendor documentation.
Frequently asked questions
Does PartnerMCP require standing admin access to our systems?
Will PartnerMCP ever recommend sharing logins or pooling licenses to cut costs?
How do you make sure a license change won't violate our vendor agreement?
Who reviews what the AI agents propose before it touches production?
Do you build portals or integrations that bypass our platform's authentication?
Related reading
Cost & Architecture Review
See what this looks like for your stack
Run the numbers on your own users, licenses, and workflows, or talk to a Forward Deployed Engineer about where the cost is actually coming from.