What is Defence in Depth (Agent)?

A security strategy that layers multiple independent controls — policy enforcement, argument validation, rate limiting, audit logging, and fail-closed design — so that no single point of failure compromises the security of an AI agent system.

WHY IT MATTERS

Defence in depth is a military concept applied to information security: if the outer wall is breached, the inner walls still hold. For AI agents, this is not just good practice — it is essential, because no single control is sufficient.

Consider the layers. System prompts instruct the agent on intended behaviour, but they can be overridden by prompt injection. Tool-level access control restricts which tools are available, but does not validate arguments. Argument validation checks parameters, but does not prevent abuse through volume. Rate limiting constrains volume, but does not detect sophisticated attacks. Audit logging provides visibility, but does not prevent anything. Each control addresses a different failure mode.

The strength of defence in depth is that an attacker must defeat every layer, not just one. A prompt injection that bypasses the system prompt still faces tool-level policies in Intercept. Even if the attacker finds a permitted tool, argument validation blocks dangerous parameters. Even if arguments pass validation, rate limiting constrains the volume of damage. Even if all active controls are bypassed, the audit trail captures everything for post-incident response.

The weakness of relying on any single control is catastrophic failure. Organisations that rely solely on system prompts have no defence against prompt injection. Those that rely solely on network segmentation have no defence against compromised internal agents. Layering is the only resilient approach.

HOW POLICYLAYER USES THIS

Intercept provides multiple layers of defence in a single enforcement point. Tool-level allowlists and denylists control which tools are accessible. Argument conditions validate parameters against constraints. Rate limiting prevents abuse through volume. Fail-closed design ensures that infrastructure failures do not create security gaps. Structured audit logging captures every decision for accountability. These layers are defined declaratively in YAML policies, making the entire defence-in-depth posture reviewable, version-controlled, and reproducible.
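The layered evaluation described above, as an added Python example that is not Intercept's own code: tool allowlist/denylist, argument conditions, a sliding-window rate limit, an audit record for every decision, and fail-closed handling of any error inside a layer. The policy dictionary, its keys, the tool names and the path pattern are constructed for this illustration and do not reproduce Intercept's YAML schema.

```python
import re
import time
from collections import deque

# Constructed policy for the example (not Intercept's real schema).
POLICY = {
    "allow": {"read_file", "search_web"},
    "deny": {"delete_file"},
    # Argument conditions: a regex each named argument must fully match.
    # The lookahead rejects any ".." segment anywhere in the path.
    "args": {"read_file": {"path": r"^/workspace/(?:(?!\.\.)[\w./-])+$"}},
    # Rate limits: (max calls, window in seconds) per tool.
    "rate": {"search_web": (3, 60.0)},
}

AUDIT = []          # every decision, allowed or denied, is appended here
_RATE_STATE = {}    # tool name -> deque of recent call timestamps

def layer_tool_access(tool, args, now):
    if tool in POLICY["deny"] or tool not in POLICY["allow"]:
        return "tool not permitted"

def layer_argument_validation(tool, args, now):
    for name, pattern in POLICY["args"].get(tool, {}).items():
        value = args.get(name)
        if not isinstance(value, str) or not re.fullmatch(pattern, value):
            return f"argument {name!r} rejected"

def layer_rate_limit(tool, args, now):
    limit = POLICY["rate"].get(tool)
    if limit is None:
        return None
    max_calls, window = limit
    recent = _RATE_STATE.setdefault(tool, deque())
    while recent and now - recent[0] >= window:   # drop calls outside the window
        recent.popleft()
    if len(recent) >= max_calls:
        return "rate limit exceeded"
    recent.append(now)

LAYERS = [layer_tool_access, layer_argument_validation, layer_rate_limit]

def evaluate(tool, args, now=None):
    """Run every layer in order; the first objection denies the call.
    An exception inside any layer also denies the call (fail-closed)."""
    now = time.time() if now is None else now
    decision, reason = "allow", "all layers passed"
    try:
        for layer in LAYERS:
            objection = layer(tool, args, now)
            if objection:
                decision, reason = "deny", f"{layer.__name__}: {objection}"
                break
    except Exception as exc:
        decision, reason = "deny", f"fail-closed: {exc!r}"
    AUDIT.append({"ts": now, "tool": tool, "args": args, "decision": decision, "reason": reason})
    return decision, reason
```

Note that the audit entry is written whether the call is allowed, denied by a layer, or denied because a layer itself failed, which is what makes the log usable for post-incident review.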

FREQUENTLY ASKED QUESTIONS

What is the minimum number of layers I should implement?
At minimum: tool-level access control, argument validation, and audit logging. Rate limiting and fail-closed design add significant resilience. The more layers you have, the more failures you can absorb without compromise.
Does defence in depth mean redundant controls?
Not redundant — complementary. Each layer addresses a different attack vector or failure mode. Redundancy means multiple instances of the same control. Defence in depth means different types of controls that work together.
How does this apply when using multiple MCP servers?
Each MCP server connection is a separate attack surface. Apply defence in depth per server: individual tool policies, server-specific argument validation, per-server rate limits, and comprehensive audit logging across all connections. Intercept supports per-server policy files for exactly this purpose.

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept