What is an Allowlist (Tools)?


An explicit list of MCP tools an agent is permitted to use. Any tool not on the allowlist is denied by default — the most secure approach to tool access control because it grants only what is explicitly intended.

WHY IT MATTERS

Allowlisting inverts the security model. Instead of trying to enumerate everything dangerous and blocking it (denylisting), you enumerate everything safe and allow only that. This is fundamentally more secure because the failure mode is denial rather than exposure — an unknown tool is blocked rather than permitted.

For MCP tool access, allowlisting is especially important because the tool landscape is dynamic. MCP servers can expose new tools at any time. Without an allowlist, a new tool added to a server is automatically available to every connected agent. With an allowlist, new tools are denied until explicitly approved — the secure default.

Allowlisting also forces intentionality. Adding a tool to an allowlist requires a conscious decision: 'this agent needs this tool for this reason.' This decision can be reviewed in a pull request, documented in the policy file, and audited later. Denylisting, by contrast, permits everything by default and only blocks specific items — a fundamentally weaker posture.

The trade-off is operational overhead. Allowlisting requires knowing upfront what tools the agent needs. For exploratory use cases, this may feel restrictive. The solution is to use Intercept's log-only mode during development to discover required tools, then lock down to an allowlist for production.

HOW POLICYLAYER USES THIS

Intercept natively supports tool allowlisting through YAML policies. When a policy specifies allowed tools for a server, any tool not in the list is denied automatically. This is Intercept's recommended configuration for production deployments. Combined with fail-closed mode, it ensures that agents can only invoke explicitly approved tools with explicitly validated arguments. Policy changes go through version control, making every allowlist modification auditable.

FREQUENTLY ASKED QUESTIONS

Should I use allowlisting or denylisting?
Allowlisting is always more secure. Use it for production and any environment with sensitive data. Denylisting may be acceptable for development environments where convenience is prioritised, but understand that it permits unknown tools by default.
How do I build an allowlist from scratch?
Deploy Intercept in log-only mode and run the agent through its intended workflows. The audit log shows exactly which tools the agent invokes. Write a policy that allows only those tools, review it, and switch to enforcement mode.
What happens when an MCP server adds a new tool?
With an allowlist, the new tool is denied by default. This is the intended behaviour — it prevents supply chain attacks where a compromised server exposes malicious tools. You review the new tool, assess whether the agent needs it, and add it to the allowlist if appropriate.
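The evaluator below is an added example (not Intercept's code, and the policy shape is an assumed simplified schema rather than Intercept's real YAML format) showing the default-deny behaviour described above and the log-only workflow from the FAQ: unlisted tools and servers with no policy entry are denied, and an allowlist can be derived from what log-only mode observed.

```python
"""Default-deny MCP tool allowlist with a log-only discovery mode.

Assumed schema, not Intercept's: a dict of server -> allowed tool names,
i.e. what a parsed YAML policy file might look like.
"""
from dataclasses import dataclass, field

# Constructed sample policy: only these tools are explicitly approved.
POLICY = {
    "github": ["search_issues", "get_file"],
    "filesystem": ["read_file"],
}


@dataclass
class Enforcer:
    policy: dict
    mode: str = "enforce"  # "enforce" or "log-only"
    audit_log: list = field(default_factory=list)

    def decide(self, server: str, tool: str) -> str:
        """Return "allow" or "deny" for one tool call and record it.

        Fail-closed: a server missing from the policy behaves like an empty
        allowlist, so a newly exposed tool is denied until approved.
        """
        decision = "allow" if tool in self.policy.get(server, []) else "deny"
        # The log records what enforcement would do, in either mode.
        self.audit_log.append((server, tool, decision))
        if self.mode == "log-only":
            # Discovery mode: let the call through so the workflow can be
            # exercised end to end; the log shows which tools were needed.
            return "allow"
        return decision


def allowlist_from_audit(log: list) -> dict:
    """Build a per-server allowlist from calls observed in log-only mode."""
    result: dict = {}
    for server, tool, _ in log:
        tools = result.setdefault(server, [])
        if tool not in tools:
            tools.append(tool)
    return result


if __name__ == "__main__":
    prod = Enforcer(POLICY)
    print(prod.decide("github", "get_file"))      # allow
    print(prod.decide("github", "delete_repo"))   # deny: not on the list
    print(prod.decide("slack", "post_message"))   # deny: server has no policy
```

Run an agent against a log-only `Enforcer({}, mode="log-only")`, then feed its `audit_log` to `allowlist_from_audit` to draft the production policy for review.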

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →