« All posts

AI Agent Security Decisions Belong at the Tool Call

Real security for AI agents lies not in setting up MCP connections but in runtime control of each tool call; the HCP paper shows why with concrete evidence.

In MCP-style agent architectures, the real security problem is not setting up a connection to a resource but governing what happens at every subsequent tool call. The HCP paper lays out eight runtime invariants for this: metadata cannot carry authority, approval must be grant-backed, resources must be resolved canonically, principals must be bound, capabilities invoked within scope, data flow authorized, denials fully audited, and protocol state made explicit. These aren't abstract ideals — they're framed as the minimum viable safeguards for concrete agent actions like updating a CRM record.

The piece argues that approval prompts commonly fire too early: approving a model's proposed action is not the same as approving it once resources, policy, and tool state have actually resolved. Because agents chain tool outputs into other tools' inputs and replay learned action sequences, real governance needs to sit both before the tool call and, just as importantly, in the runtime path after approval is granted. In the HCP benchmark, a naive baseline architecture is vulnerable to all ten modeled attacks, practice-informed mitigations block six, while the HCP approach blocks all ten and produces complete audit evidence.

Tool metadata is described as descriptive rather than authoritative — the runtime must independently resolve the canonical resource with the provider and check it against the principal's actual grants. Data an agent passes between tools, such as search results, transcript excerpts, or database rows, should be treated as scoped handles with owners and data classes rather than free-floating text; Anthropic's Google Drive-to-Salesforce example illustrates how dramatically cutting token costs through code execution shifts security obligations into the runtime. The rise of code execution accelerates this shift: the CE-MCP paper catalogs sixteen attack classes across execution phases, while LangChain's sandbox-as-tool pattern tries to manage the risk by keeping credentials and execution state separate from agent state.