HiBob scales AI and MCP adoption without slowing engineering

HiBob is a global HR technology company and an early adopter of AI tools, AI agents, and MCP based tooling across its organization.The company actively encourages teams to adopt AI to improve productivity, automation, and decision making.

As AI usage expanded across engineering, HR, support, and operations, HiBob needed a scalable way to govern agent and MCP usage. The goal was to provide strong visibility and control for security teams, while preserving speed and autonomy for engineers.

To achieve this balance, HiBob partnered with Lunar and deployed MCPX as an enterprise MCP Gateway for governing agent and MCP traffic at scale.

The Challange

HiBob’s AI adoption grew rapidly, with teams spinning up new MCP servers to connect agents to SaaS platforms and internal systems. While this unlocked powerful workflows, it also created two growing challenges for the security organization:

Security Became a Bottleneck

Each new MCP server required security review before being approved for use. Evaluating risk exposure, permissions, authentication models, and tool behavior became a manual and time consuming process. As MCP usage increased, security teams struggled to keep up without slowing down business teams waiting for approvals.

No Central Internal MCP Registry

There was no shared, authoritative registry of vetted and approved MCP servers across the organization. Teams often lacked clarity on which MCPs were approved, which were under review, and which should not be used at all. This led to reduced visibility at the organizational level.

HiBob needed a way to centralize MCP governance, reduce manual review overhead, and make approved MCPs easily discoverable by teams, without blocking experimentation.

‍

The Solution: Identity Aware MCP Governance

HiBob implemented Lunar MCPX as a centralized gateway for all MCP and agent traffic, tightly integrated with the company’s identity provider.

By connecting MCPX to HiBob’s IDP, governance could be enforced based on user identity and department, rather than static credentials or manual approvals. This enabled:

• Department based profiles mapped to users via identity
• Automatic access control for MCP servers and tools based on role
• Available MCP connections out of the box
• Scoped access to SaaS platforms, with secrets dynamically resolved per user identity
• Clear separation between teams without duplicating MCP infrastructure

Each department received its own MCP profile, defining which MCP servers and tools were available. Engineers could immediately use approved MCPs within their profile, while security teams retained centralized control.

Central MCP Registry and Reduced Security Bottlenecks

MCPX also became HiBob’s internal MCP registry, serving as a single source of truth for all MCP servers in the organization.

Security teams could approve, version, and manage MCP servers centrally. Once approved, MCPs were automatically made available to relevant teams based on their identity profiles. This eliminated repeated reviews, reduced approval delays, and removed security as a gating factor for adoption.

Our priority was enabling AI adoption safely, not slowing it down. MCPX gave us the visibility, control, and identity-based governance we needed to approve MCP usage with confidence, without turning security into a blocker.
Tamir Ronen, CISO, HiBob

For engineering teams, this meant faster onboarding and clearer guidance on which MCPs were safe to use. For security teams, it meant consistent enforcement and visibility across the organization.

Tool Groups for Accuracy and Security

To further refine agent behavior, HiBob used MCPX’s tool groups and custom tool definitions. Instead of exposing broad tool sets, teams curated focused groups aligned to specific workflows.

This allowed HiBob to:

• Limit agent access to only relevant tools
• Improve agent accuracy by reducing tool noise
• Minimize over permissioning and risk exposure
• Customize tools per department and use case

business teams gained more predictable agent behavior, while security teams benefited from tighter and more auditable boundaries.

Results

Today, Lunar MCPX is used across multiple business teams at HiBob as a foundational layer for AI and MCP governance. Security teams gained centralized visibility, reduced approval bottlenecks, and a consistent governance model. Engineering teams retained speed, autonomy, and easy access to approved MCP tooling.

By aligning governance with identity and real organizational structure, HiBob successfully scaled AI adoption without reducing the  security risk or business velocity.

‍

‍

‍

‍

‍