Arcade Enterprise: how do I request dedicated tenant isolation, audit logs, and RBAC?

Most teams hit the same wall when their agents move from prototype to production: security and governance. That’s exactly where Arcade’s Enterprise features—dedicated tenant isolation, audit logs, and role-based access control (RBAC)—come in. If you’re ready for that level of control, here’s how to request it and what to expect.

Quick Answer: To get dedicated tenant isolation, audit logs, and RBAC, you’ll need to move to an Arcade Enterprise plan. Reach out to the team (typically via sales/demo or contact@arcade.dev) and they’ll scope your usage, enable an Enterprise tenant, and turn on the advanced controls for your organization.

Frequently Asked Questions

How do I request dedicated tenant isolation, audit logs, and RBAC in Arcade Enterprise?

Short Answer: Contact the Arcade team to upgrade to an Enterprise plan; they’ll provision a dedicated tenant and enable audit logs and RBAC for your org.

Expanded Explanation:
Dedicated tenant isolation, audit logs, and RBAC are part of Arcade’s Enterprise offering, designed for teams running production agents at scale. These controls aren’t enabled by default on self-serve tiers—you’ll need an Enterprise subscription to get them.

The path usually looks like this: you share your expected usage and deployment needs (cloud vs. self-hosted, VPC, on‑prem, air‑gapped), Arcade scopes the right Enterprise configuration, and then provisions a dedicated tenant with those governance features turned on. From there, you can wire your IDP, define roles, and start building with the same MCP runtime and tools—just with an enterprise control plane behind it.

Key Takeaways:

  • Tenant isolation, audit logs, and RBAC are Enterprise-only features.
  • You request them by engaging Arcade sales/support and moving to an Enterprise plan.

What’s the process to upgrade to Arcade Enterprise for these controls?

Short Answer: Share your requirements with Arcade, review an Enterprise plan, then they’ll enable a dedicated tenant with audit logs and RBAC and help you hook it into your existing auth and deployment setup.

Expanded Explanation:
Upgrading to Enterprise is less about flipping a toggle and more about aligning your security and deployment model with Arcade’s runtime. Once you reach out, the team will walk through your current and projected usage: number of MCP servers, types of tools, cloud vs. self‑hosted, and any regulatory or security constraints.

After the plan is agreed, Arcade provisions a dedicated, isolated tenant and enables the Enterprise features—tenant isolation, audit logs, RBAC, and SSO/SAML. You then point your existing agents and MCP servers at the new tenant and start using the advanced controls via the dashboard and SDK.

Steps:

  1. Contact Arcade – Reach out via the Enterprise/demo form or contact@arcade.dev describing your use case and security needs.
  2. Plan scoping – Align on usage (MCP servers, tool executions, deployment model) and confirm Enterprise pricing/terms.
  3. Provision & migrate – Arcade enables your dedicated tenant with audit logs, RBAC, and SSO/SAML; you update configs to target the new tenant and start enforcing policies.

How is Arcade Enterprise different from Growth or self‑serve plans for security and governance?

Short Answer: Enterprise adds dedicated tenant isolation, audit logs, RBAC, and SSO/SAML on top of the same MCP runtime and tools you use on self‑serve tiers.

Expanded Explanation:
Self‑serve and Growth tiers get you the core MCP runtime—agent‑optimized tools, auth patterns, and the ability to run Arcade‑hosted or self‑hosted MCP servers. That’s enough for prototypes, internal tools, and early production. But as soon as security reviews show up, you’ll be asked about tenant isolation, auditability, and least‑privilege access.

Enterprise is where those answers live. You still get the same developer ergonomics (client.auth.start(...), wait_for_completion, and tools like Google.SendEmail), but your runtime runs inside a dedicated tenant with full audit trails and role‑based permissions. You also get SSO/SAML and advanced support (dedicated rep, custom SLA), which matter when these agents sit in critical workflows.

Comparison Snapshot:

  • Growth/Self‑serve: Shared tenancy, no built‑in audit logs or RBAC, GitHub/Email support.
  • Enterprise: Dedicated tenant isolation, audit logs, RBAC, SSO/SAML, custom SLA, dedicated account rep.
  • Best for: Teams running multi‑user agents in production that need security sign‑off, compliance evidence, and fine‑grained control over tools and agents.

How do I actually implement RBAC and audit logs once Enterprise is enabled?

Short Answer: After your Enterprise tenant is provisioned, you configure SSO/SAML, define roles and permissions in Arcade, then route all agent activity and tool execution through that tenant to get full audit trails.

Expanded Explanation:
Once Enterprise is turned on, you’re not rewriting agents—you’re tightening the control plane around them. You’ll integrate your identity provider (e.g., Okta, Azure AD) via SSO/SAML so users and service identities can be mapped into Arcade roles. Then you define RBAC policies: which roles can configure MCP servers, which tools are allowed in which environments, and who can view audit data.

Audit logs start capturing the events you care about: auth attempts, tool calls (e.g., Gmail.ListEmails, Google.CreateEvent, Slack.PostMessage), configuration changes, and deployment updates. Because Arcade is the runtime between AI and action, it sees every tool execution and can record it—without ever exposing tokens to the model.

What You Need:

  • Enterprise tenant access – Provisioned by the Arcade team with RBAC, audit logs, and SSO/SAML enabled.
  • Admin time to configure – Someone to wire the IDP, define roles, and set policies for tools, agents, and environments.

Why should I care about tenant isolation, audit logs, and RBAC for my agents?

Short Answer: They’re the difference between “this demo is cool” and “security will approve this”—you get isolation, traceability, and least‑privilege access for every agent action.

Expanded Explanation:
Most agent stacks fail security review because they lean on service accounts, shove tokens into prompts, and have no way to answer basic questions like “who authorized this email?” or “what did the agent change in Salesforce last week?” Arcade Enterprise solves that at the runtime layer.

Tenant isolation keeps your workloads and data separate from other customers. Audit logs give you a forensic record of each tool call and configuration change. RBAC lets you lock down who can configure agents, which tools can be used where, and how identity flows from user to agent to system. The result: you can let agents actually send emails, schedule meetings, update CRM records, and post to Slack—with user‑specific permissions, clear visibility, and a story your security team will sign off on.

Why It Matters:

  • Security & compliance: You get dedicated tenancy, audit trails, and access controls that align with enterprise review checklists.
  • Production reliability: Clear roles and logs make it easier to debug, roll back, and safely expand what your agents are allowed to do.

Quick Recap

If you need dedicated tenant isolation, audit logs, and RBAC, you’re in Enterprise territory. Those features live in Arcade’s Enterprise plan, which gives you a dedicated tenant, full auditability, role‑based access, and SSO/SAML on top of the same MCP runtime and agent‑optimized tools you already use. The path is straightforward: contact Arcade, scope an Enterprise plan, get your tenant provisioned, and then wire your IDP and policies so your agents can move from chat to real actions—without breaking your security model.
