What is Blast Radius (Agent)?


The maximum potential damage if an AI agent is compromised or misbehaves. Determined by the agent's tool access, permissions, argument ranges, and the sensitivity of the MCP servers it connects to.

WHY IT MATTERS

Blast radius is a concept borrowed from infrastructure security: if this system is compromised, how bad can it get? For AI agents, it is the single most important metric for evaluating security posture. An agent with a small blast radius — limited tools, constrained arguments, non-sensitive servers — can be compromised with minimal consequences. An agent with an unlimited blast radius can cause catastrophic damage.

Calculating blast radius requires enumerating what the agent can do, not what it typically does. An agent that usually reads files but has write access to the entire file system has a blast radius that includes destructive writes — even if it has never written anything harmful. The blast radius is the worst case, not the average case.

Blast radius is multiplicative across dimensions. An agent connected to five MCP servers has roughly five times the blast radius of one connected to a single server. An agent with access to ten tools has a larger blast radius than one with three. An agent with unrestricted arguments has a larger blast radius than one with constrained values. Each permission dimension multiplies the potential damage.

Minimising blast radius is the primary goal of agent security. Every control — allowlists, argument validation, rate limiting, server restriction — reduces blast radius. The question for every deployment should be: 'if this agent is fully compromised right now, what is the worst it can do?' If the answer is unacceptable, the blast radius must be reduced.

HOW POLICYLAYER USES THIS

Intercept directly reduces blast radius by constraining every dimension of agent capability. Tool allowlists limit which operations are possible. Argument conditions limit how operations are performed. Server-level policies limit which systems are reachable. Rate limiting constrains the volume of damage per unit time. Together, these controls shrink the blast radius from 'everything the MCP servers expose' to 'only what the YAML policy explicitly allows.' Calculating blast radius becomes straightforward: read the policy file.

FREQUENTLY ASKED QUESTIONS

How do I calculate my agent's blast radius?
Enumerate every tool the agent can access, every argument range permitted, and every MCP server it connects to. For each, assess the worst-case impact if used adversarially. The sum of worst cases is your blast radius. With Intercept, this analysis is simplified — the policy file defines the boundary.
What is an acceptable blast radius?
It depends on context. A development agent that can only read local files has an acceptable blast radius for most teams. An agent with production database write access has a high blast radius that requires strong justification. The general principle: the blast radius should not exceed the value the agent provides.
Does rate limiting reduce blast radius?
It reduces blast radius per unit time. An agent that can make one database query per minute has a smaller effective blast radius than one that can make a thousand. Rate limiting does not prevent damage entirely, but it constrains the speed at which damage accumulates.
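The calculation described above, as an added example that is not PolicyLayer's or Intercept's code: a constructed tool inventory with illustrative worst-case scores, a hypothetical policy model (server allowlist, tool allowlist, argument constraints, rate limit; not Intercept's YAML schema), and a scoring function that shows how each control shrinks the radius and how rate limiting caps damage per hour rather than the ceiling.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Tool:
    server: str      # MCP server that exposes the tool
    name: str
    worst_case: int  # constructed 0-10 score: damage if invoked adversarially

# Constructed capability inventory: everything the agent CAN do, not what it
# usually does. Scores are illustrative, not a real assessment.
INVENTORY = [
    Tool("filesystem", "read_file", 2),
    Tool("filesystem", "write_file", 8),
    Tool("filesystem", "delete_tree", 10),
    Tool("prod-db", "query", 5),
    Tool("prod-db", "execute", 10),
    Tool("slack", "post_message", 3),
]

@dataclass(frozen=True)
class Policy:  # hypothetical policy model, not Intercept's YAML schema
    allowed_servers: frozenset     # server-level restriction
    allowed_tools: frozenset       # tool allowlist, keyed "server/tool"
    constrained_tools: frozenset   # tools whose argument ranges are validated
    calls_per_hour: Optional[int]  # rate limit; None means unlimited

def blast_radius(inventory, policy):
    """Worst-case blast radius of an agent under a policy (constructed model)."""
    reachable = {}
    for t in inventory:
        key = f"{t.server}/{t.name}"
        if t.server not in policy.allowed_servers or key not in policy.allowed_tools:
            continue  # allowlists remove the tool from the blast radius entirely
        impact = t.worst_case
        if key in policy.constrained_tools:
            impact //= 2  # assumption: validated arguments halve the worst case
        reachable[key] = impact
    ceiling = sum(reachable.values())  # sum of worst cases: the blast radius
    # Rate limiting bounds damage per unit time, not the ceiling: assume an
    # adversary spends each permitted call on the worst tool still available.
    if policy.calls_per_hour is None:
        per_hour = ceiling
    else:
        per_hour = sum(sorted(reachable.values(), reverse=True)[:policy.calls_per_hour])
    return {"reachable": reachable, "ceiling": ceiling, "per_hour": per_hour}

OPEN = Policy(frozenset(t.server for t in INVENTORY),
              frozenset(f"{t.server}/{t.name}" for t in INVENTORY), frozenset(), None)
LOCKED = Policy(frozenset({"filesystem", "slack"}), frozenset({"filesystem/read_file",
                "filesystem/write_file", "slack/post_message"}), frozenset({"filesystem/write_file"}), 2)
```

Running `blast_radius(INVENTORY, OPEN)` gives a ceiling of 38 with every tool reachable, while `LOCKED` drops the production database and destructive filesystem tools entirely, halves the write tool, and caps damage at 7 per hour against a ceiling of 9.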

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept