Glossary
302 terms. Key terms and definitions for MCP infrastructure, AI agent security, and policy enforcement.
A
Access Control
[Security & Compliance] Access control is the security mechanism that determines which entities (users, agents, contracts) are authorized to perform specific actions on speci...
Agent Attestation
[Security & Compliance] Cryptographic proof of an agent's identity, capabilities, and authorization — issued by a trusted party and verifiable by counterparties for establish...
Agent Autonomy Level
[Agentic AI] The degree of independent financial decision-making an agent has — from fully supervised (human approves every transaction) to fully autonomous (withi...
Agent Credential Theft
[AI Agent Security] Agent credential theft is stealing the credentials — API keys, tokens, secrets — that an AI agent uses to authenticate with MCP servers or external se...
Agent Delegation
[Agentic AI] Agent delegation is the process by which one AI agent assigns a task or subtask to another agent, potentially transferring context, authority, and res...
Agent Drift
[AI Agent Security] The gradual divergence of an AI agent's behaviour from its intended purpose over time, potentially caused by context accumulation, model updates, envi...
Agent Evaluation
[Agentic AI] Agent evaluation is the process of measuring AI agent performance across dimensions like task completion accuracy, efficiency, safety, cost, and relia...
Agent Fleet
[Agentic AI] A collection of AI agents operated by a single organization, managed as a group with shared treasury, consistent policies, and centralized oversight. ...
Agent Framework
[Agentic AI] An agent framework is a software library that provides abstractions for building AI agents, handling concerns like tool management, state persistence,...
Agent Governance Framework
[Policy Enforcement] A structured set of controls — identity verification, permission scoping, spending limits, audit logging, and kill switches — that ensures AI agents o...
Agent Graph
[Agentic AI] An agent graph is a directed graph representation of an AI agent's workflow, where nodes represent computation steps (LLM calls, tool executions, poli...
Agent Guardrails
[Policy Enforcement] Safety mechanisms constraining AI agent behaviour within acceptable boundaries. Guardrails operate at multiple levels — from prompt instructions to in...
Agent Handoff
[Agentic AI] An agent handoff is the transfer of control, context, and responsibility from one AI agent to another during a workflow — enabling specialized agents ...
Agent Identity
[AI Agent Security] Agent identity is the ability to attribute every agent action — in MCP deployments, every tool call — to the specific person or agent that initiated i...
Agent Jailbreaking
[AI Agent Security] Agent jailbreaking bypasses an AI agent's safety constraints and operational boundaries through crafted prompts or tool interactions, causing it to ig...
Agent Key Rotation
[Security & Compliance] The practice of periodically replacing an AI agent's cryptographic keys to limit the damage from potential key compromise. New keys are issued while o...
Agent Lifecycle
[Agentic AI] The agent lifecycle encompasses all phases of an AI agent's operational existence — from provisioning and configuration through active operation, moni...
Agent Loop
[Agentic AI] The agent loop is the fundamental execution cycle of an AI agent: observe the current state, think about what to do (using an LLM), take an action (ca...
Agent Marketplace
[Agentic AI] A platform where AI agents advertise capabilities and users can discover, hire, and pay agents for services. Marketplaces enable an open economy of sp...
Agent Memory
[Agentic AI] Agent memory refers to the mechanisms that allow AI agents to store, retrieve, and use information across interactions and sessions — including conver...
Agent Middleware
[MCP & Tool Infrastructure] Infrastructure sitting between an AI agent and external systems (MCP servers, APIs, databases), intercepting and processing requests before they reach...
Agent Observability
[Policy Enforcement] Understanding an agent's behaviour through external outputs — logs, metrics, traces, and audit trails. For MCP-based agents, observability means track...
Agent Orchestration
[Agentic AI] Agent orchestration is the coordination of multiple AI agents working together on complex tasks, managing their execution order, communication, resour...
Agent Permission Creep
[Policy Enforcement] The gradual, often unnoticed expansion of an AI agent's access rights and spending authority beyond its original scope — analogous to privilege escala...
Agent Permissions
[Policy Enforcement] The specific tools and operations an AI agent is authorised to perform — which MCP tools it can invoke, with what arguments, and under what constraint...
Agent Persona
[Agentic AI] An agent persona is the defined identity, behavioral style, and capability set of an AI agent — configured through system prompts, available tools, an...
Agent Planning
[Agentic AI] Agent planning is the process by which an AI agent breaks down a complex goal into a sequence of actionable steps, determines the optimal order of exe...
Agent Protocol
[Agentic AI] An agent protocol is a standardized specification for how AI agents communicate, discover capabilities, exchange data, and coordinate actions — enabli...
Agent Rate Limiting
[Policy Enforcement] Restricting the number or frequency of an agent's tool calls within a time window — preventing runaway loops, excessive resource consumption, and deni...
Agent Reflection
[Agentic AI] Agent reflection is the capability of an AI agent to evaluate its own outputs, reasoning, and past actions — identifying errors, adjusting strategies,...
Agent Reputation
[Agentic AI] Agent reputation is a quantifiable measure of an AI agent's trustworthiness and reliability, based on its history of behavior — including transaction ...
Agent Risk Scoring
[Security & Compliance] Assigning dynamic risk scores to AI agents based on their behavior, transaction patterns, spending history, and policy compliance — used to adjust spe...
Agent Runtime
[Agentic AI] An agent runtime is the execution environment that manages the lifecycle of an AI agent — handling the agent loop, tool execution, state management, c...
Agent Safety
[Policy Enforcement] Principles, practices, and infrastructure preventing AI agents from causing harm — including system damage through unauthorised tool calls, data exfil...
Agent Sandbox
[Policy Enforcement] An agent sandbox is a controlled environment that constrains which tools an AI agent can access and how it can use them — preventing the agent from af...
Agent Skills
[Agentic AI] Agent Skills are reusable packages of instructions, and optionally scripts and reference files, that extend what an AI agent can do without modifying ...
Agent State
[Agentic AI] Agent state is the structured data that an AI agent maintains across execution steps — including conversation history, task progress, accumulated resu...
Agent Supply Chain Attack
[AI Agent Security] An agent supply chain attack compromises an MCP server, tool package, or agent dependency to inject malicious behaviour that affects all agents using ...
Agent Swarm
[Agentic AI] An agent swarm is a collection of AI agents that collaborate through decentralized, emergent coordination patterns — inspired by biological swarms — r...
Agent Sybil Attack
[AI Agent Security] A systemic trap where an attacker fabricates multiple pseudonymous agent identities to disproportionately influence collective decision-making, voting...
Agent Threat Model
[AI Agent Security] A systematic analysis of threats to an AI agent system: what can go wrong, who might attack it, what assets are at risk, and what controls mitigate ea...
Agent Trap
[AI Agent Security] Malicious web content or tool output specifically crafted to hijack an AI agent's behaviour, as defined by Google DeepMind's taxonomy of six trap cate...
Agent-to-Agent Protocol (A2A)
[Agentic AI] Google's open standard for AI agent discovery, communication, and task delegation across different frameworks — enabling interoperability in the agent...
AgentFacts
[Policy Enforcement] A portable, verifiable credential standard (from the NANDA protocol) that AI agents carry across platforms to prove their identity, authority, and com...
Agentic AI
[Agentic AI] AI systems that act autonomously to achieve goals — perceiving environment, making decisions, taking actions without step-by-step human instruction. T...
Agentic Workflow
[Agentic AI] An agentic workflow is a multi-step process where AI agents autonomously plan, execute, and adapt their actions to complete a complex task — making de...
AGNTCon
[Agentic AI] The flagship annual conference of the Agentic AI Foundation (AAIF), bringing together the agentic AI ecosystem to discuss open standards, interoperabi...
AI Agent
[Agentic AI] An AI agent is an autonomous software system that perceives its environment, reasons about it, and takes actions to achieve specified goals — often us...
AI Alignment
[Agentic AI] AI alignment is the challenge of ensuring that AI systems — particularly autonomous agents — act in accordance with human values, intentions, and goal...
AI Gateway
[MCP & Tool Infrastructure] An AI gateway is a proxy layer that sits between applications and LLM providers, centralising concerns such as rate limiting, API key management, cost...
AI Red Teaming
[AI Agent Security] Adversarial testing of AI agent systems to find vulnerabilities, policy bypasses, and unintended behaviours before attackers do. Includes testing prom...
Alert Escalation
[Policy Enforcement] Alert escalation is the process of routing policy violation alerts to increasingly senior or specialised responders based on the severity, frequency, ...
Alert Rule
[Policy Enforcement] An alert rule is a rule that triggers a notification when specific policy events occur — such as repeated denials, unusual tool call patterns, or acce...
Allowlist (Tools)
[AI Agent Security] An explicit list of MCP tools an agent is permitted to use. Any tool not on the allowlist is denied by default — the most secure approach to tool acce...
Anomaly Detection
[Security & Compliance] Anomaly detection is the identification of patterns in data that deviate significantly from expected behavior — used in crypto security to flag suspic...
Argument Constraint
[Policy Enforcement] A rule in a YAML policy that restricts the value of a tool call argument. Argument constraints can enforce regex patterns, allowed enumerations, numer...
Argument Masking
[Policy Enforcement] Replacing sensitive argument values with masked versions in audit logs — for example, card_number: "****1234". Argument masking preserves auditability...
Argument Redaction
[Policy Enforcement] Completely removing sensitive argument values from logs and audit trails. Stronger than masking — the value is never persisted in any form. Redaction ...
Argument Schema
[Policy Enforcement] An argument schema defines the expected structure, types, and constraints of arguments for an MCP tool, used by PolicyLayer to validate tool calls aga...
Argument Validation
[Policy Enforcement] Argument validation is the process of checking tool call arguments against policy-defined constraints before the call reaches the MCP server — for exa...
Audit Compliance
[Policy Enforcement] Audit compliance is the practice of maintaining complete, tamper-evident records of all AI agent tool calls and policy decisions to satisfy regulatory...
Audit Log
[Policy Enforcement] An audit log is the structured log output from PolicyLayer containing tool call details, matched policies, evaluation results, timestamps, and context...
Audit Trail
[Policy Enforcement] An audit trail is a chronological, immutable record of every tool call, policy evaluation, and decision made by PolicyLayer — essential for compliance...
AutoGen
[Agentic AI] AutoGen is an open-source framework by Microsoft for building multi-agent systems where agents collaborate through structured conversations — supporti...
AutoGPT
[Agentic AI] AutoGPT is an open-source autonomous AI agent that chains LLM calls together to accomplish complex goals with minimal human intervention, pioneering t...
Autonomous Agent
[Agentic AI] An autonomous agent is an AI system capable of operating independently over extended periods, making decisions and taking actions — including MCP tool...
B
Backpressure
[Policy Enforcement] A flow control mechanism where the proxy signals the agent to slow down when downstream MCP servers are overloaded. Backpressure prevents cascading fa...
Behavioural Control Trap
[AI Agent Security] An agent trap that hijacks an agent's capabilities to force unauthorised actions such as data exfiltration, sub-agent spawning, or embedded jailbreak ...
Blast Radius (Agent)
[AI Agent Security] The maximum potential damage if an AI agent is compromised or misbehaves. Determined by the agent's tool access, permissions, argument ranges, and the...
Browser Agent
[Agentic AI] An AI autonomously navigating web pages — clicking links, filling forms, executing actions. When accessing e-commerce or financial services, it can in...
Bug Bounty
[Security & Compliance] A bug bounty program offers financial rewards to security researchers who discover and responsibly disclose vulnerabilities — creating economic incent...
Burst Limit
[Policy Enforcement] The maximum number of tool calls permitted in a short burst before rate limiting kicks in. Burst limits allow temporary spikes in throughput — accommo...
C
Chain of Thought (CoT)
[Agentic AI] Chain of Thought (CoT) is a prompting technique where an LLM is guided to show its step-by-step reasoning process before arriving at an answer, signif...
CI/CD Policy Enforcement
[Policy Enforcement] CI/CD policy enforcement is the practice of integrating policy validation — linting, testing, and compliance checks — into continuous integration and ...
Circuit Breaker
[Policy Enforcement] An automated safety mechanism that halts an agent's tool calls when anomalous patterns are detected — call rate spikes, repeated denied calls, or erro...
Claude (Anthropic)
[Agentic AI] Claude is a family of large language models built by Anthropic, designed with a focus on safety, helpfulness, and honesty — widely used for building A...
Claude Code
[Agentic AI] Claude Code is Anthropic's agentic coding tool, available as a terminal CLI, IDE integration, and desktop app. It runs Claude in an agent loop that re...
Coding Agent
[Agentic AI] A coding agent is an AI system that autonomously writes, modifies, tests, and deploys code — going beyond code completion to handle multi-file changes...
Cognitive State Trap
[AI Agent Security] An agent trap that corrupts an agent's long-term memory, knowledge bases, and learned behavioural policies — including RAG knowledge poisoning, latent...
Compliance Automation
[Security & Compliance] Compliance automation is the use of software systems to automatically enforce regulatory requirements — sanctions screening, transaction monitoring, r...
Compliance Framework
[Security & Compliance] A compliance framework is a structured set of guidelines, controls, and best practices — such as SOC 2, GDPR, HIPAA, or PCI DSS — that organisations m...
Compliance Rule
[Policy Enforcement] A compliance rule is a policy rule specifically designed to enforce regulatory or organisational compliance requirements on AI agent tool calls, ensur...
Compositional Fragment Trap
[AI Agent Security] A systemic trap that partitions a malicious payload into semantically benign fragments distributed across multiple agents, which only reconstitute int...
Computer Use Agent
[Agentic AI] An AI controlling a computer interface — clicking, filling forms, navigating websites. When accessing financial interfaces, these agents can initiate ...
Confused Deputy Attack
[AI Agent Security] A confused deputy attack tricks a privileged AI agent into performing actions it shouldn't by exploiting its access to MCP tools. The agent becomes th...
Congestion Trap
[AI Agent Security] A systemic trap where an attacker broadcasts signals that synchronise homogeneous agents into exhaustive demand for limited resources — causing denial...
Constitutional AI
[Agentic AI] Constitutional AI (CAI) is Anthropic's alignment methodology where AI behavior is guided by a written set of principles (a 'constitution') that the mo...
Container Escape (Agent)
[AI Agent Security] Container escape in the agent context is when an agent running inside a containerised MCP server breaks out of the container boundary to access the ho...
Content Injection Trap
[AI Agent Security] An agent trap that exploits the gap between human perception and machine parsing, using hidden text, dynamic rendering, or encoding tricks to inject i...
Content Safety Filter
[AI Agent Security] A filter applied to MCP tool inputs or outputs that detects and blocks harmful, offensive, or policy-violating content in AI agent interactions, ensur...
Context Engineering
[Agentic AI] Context engineering is the discipline of deciding what enters an AI agent's context window at each step — tool definitions, retrieved documents, memor...
Context Poisoning
[AI Agent Security] Context poisoning corrupts an agent's context window by injecting misleading information through MCP tool responses, causing the agent to make flawed ...
Context Window
[Agentic AI] A context window is the maximum number of tokens an LLM can process in a single interaction, encompassing system prompt, conversation history, retriev...
Cooldown Period
[Policy Enforcement] A mandatory waiting period imposed after a policy violation or rate limit hit before the agent can retry the tool call. Cooldowns prevent rapid retry ...
Credential Stuffing (Agent)
[AI Agent Security] Agent credential stuffing uses an AI agent's tool access to systematically test stolen credentials against services, leveraging the agent's speed and ...
CrewAI
[Agentic AI] CrewAI is an open-source framework for orchestrating autonomous AI agents as collaborative teams ('crews'), where each agent has a defined role, goal,...
Cross-Server Attack
[AI Agent Security] A cross-server attack is when a compromised or malicious MCP server manipulates an AI agent into performing harmful actions on a different, trusted MC...
Cross-Tool Contamination
[AI Agent Security] A vulnerability where one MCP server's tool descriptions influence or override how agents use tools from other servers, enabling stealthy data exfiltr...
D
Data Exfiltration (Agent)
[AI Agent Security] Agent data exfiltration is when an AI agent is manipulated into sending sensitive data — API keys, user data, internal documents — to an unauthorised ...
Data Integrity
[Security & Compliance] Data integrity is the assurance that data remains accurate, consistent, and unaltered throughout its lifecycle — a fundamental guarantee provided by b...
Decision Log
[Policy Enforcement] A decision log is a specific audit log entry that records why a tool call was allowed or denied, including which policy rule matched, what conditions ...
Default Deny Posture
[Policy Enforcement] A policy configuration where all tool calls are rejected unless an explicit allow rule exists, ensuring that newly discovered or unclassified tools ca...
Defence in Depth (Agent)
[AI Agent Security] A security strategy that layers multiple independent controls — policy enforcement, argument validation, rate limiting, audit logging, and fail-closed...
Denial of Service (MCP)
[AI Agent Security] MCP denial of service overwhelms an MCP server or proxy with excessive tool calls to degrade or prevent legitimate agent operations....
Denylist (Tools)
[AI Agent Security] A list of MCP tools an agent is explicitly forbidden from using, with all other tools permitted by default. Less secure than allowlisting but easier t...
Dependency Confusion (MCP)
[AI Agent Security] An attack where an AI agent resolves an MCP server name to a malicious package instead of the intended one, mirroring the dependency confusion attacks...
Deterministic Enforcement
[Policy Enforcement] Policy evaluation that produces identical allow/deny decisions given identical inputs, with no probabilistic reasoning or LLM involvement — ensuring a...
Dynamic Client Registration
[MCP & Tool Infrastructure] Dynamic Client Registration (DCR) is the OAuth 2.0 protocol defined in RFC 7591 that lets a client register itself with an authorisation server at run...
E
Embedding
[Agentic AI] An embedding is a dense vector representation of data in a continuous mathematical space, where semantic similarity is captured by vector proximity — ...
Encryption
[Security & Compliance] Encryption is the process of converting data into an unreadable format using cryptographic algorithms — protecting information confidentiality so that...
Enum Constraint
[Policy Enforcement] Restricting a tool call argument to a predefined set of allowed values. Enum constraints enforce closed vocabularies — for example, currency must be o...
Excessive Agency
[AI Agent Security] Excessive agency is when an AI agent has more tool access, permissions, or autonomy than required for its task. It is a core vulnerability that amplif...
F
Fail-Closed
[Policy Enforcement] Fail-closed is a security posture where if PolicyLayer cannot evaluate a policy — due to a configuration error, crash, or unexpected condition — the t...
Fail-Closed Enforcement
[Policy Enforcement] A security posture where tool calls are blocked by default when the policy engine or proxy is unavailable, ensuring that enforcement failures never re...
Fail-Open
[Policy Enforcement] Fail-open is a security posture where if policy evaluation fails for any reason, the tool call is allowed to proceed — prioritising availability over ...
Few-Shot Learning
[Agentic AI] Few-shot learning is a technique where an LLM is given a small number of examples in the prompt to guide its behavior — enabling task-specific perform...
Fine-Tuning
[Agentic AI] Fine-tuning is the process of further training a pre-trained language model on a domain-specific dataset to improve its performance on particular task...
Forbidden Argument
[Policy Enforcement] A policy rule that blocks tool calls containing a specific argument or argument value. Forbidden argument constraints prevent agents from using danger...
Function Calling
[MCP & Tool Infrastructure] Function calling is the capability of large language models to generate structured output that specifies which external function to invoke and with wh...
G
GDPR (Agent Context)
[Security & Compliance] GDPR in an agent context refers to the application of the General Data Protection Regulation to AI agent operations — specifically how agents processi...
GitOps (Policy)
[Policy Enforcement] GitOps for policy is the practice of using git as the single source of truth for AI agent security policies. All policy changes go through pull reques...
Global Policy
[Policy Enforcement] A global policy applies across all MCP servers in a PolicyLayer configuration, enabling universal rules like rate limiting, mandatory audit logging, ...
GPT (OpenAI)
[Agentic AI] GPT (Generative Pre-trained Transformer) is OpenAI's family of large language models that have become foundational to the AI agent ecosystem through s...
Grounding
[Agentic AI] Grounding in AI refers to techniques that anchor a language model's outputs to verifiable, real-world data sources — reducing hallucination and improv...
H
Hallucination
[Agentic AI] In AI, hallucination refers to when a language model generates confident, plausible-sounding output that is factually incorrect or fabricated — a fund...
HIPAA (Agent Context)
[Security & Compliance] HIPAA in an agent context refers to the application of the Health Insurance Portability and Accountability Act to AI agents — specifically how agents ...
Human-in-the-Loop
[Policy Enforcement] Human-in-the-loop (HITL) is a control pattern in which designated high-risk agent actions — destructive tool calls, production changes, irreversible o...
Human-in-the-Loop Trap
[AI Agent Security] An agent trap that commandeers the agent to attack the human overseer by exploiting cognitive biases — using the agent as a channel to manipulate huma...
I
Immutable Audit
[Policy Enforcement] An immutable audit is an audit log that cannot be modified or deleted after creation. This tamper-evidence is essential for compliance and forensic in...
Incident Response
[Security & Compliance] Incident response is the organized process of detecting, analyzing, containing, and recovering from security incidents — including established procedu...
Incident Response (Agent)
[AI Agent Security] The process of detecting, investigating, and recovering from security incidents involving AI agents — including policy violations, data breaches, prom...
Indirect Prompt Injection
[Security & Compliance] Malicious instructions embedded in external data sources (websites, documents, APIs) that agents process unknowingly, potentially triggering unauthori...
Indirect Tool Injection
[AI Agent Security] Indirect tool injection is an attack where malicious instructions are embedded in data returned by an MCP tool, which then influences the AI agent's s...
Inference
[Agentic AI] Inference is the process of running a trained AI model on new inputs to generate outputs — the production phase where models serve real requests, as o...
Infrastructure-as-Code
[Policy Enforcement] Infrastructure-as-code (IaC) is the practice of managing and provisioning infrastructure through declarative configuration files rather than manual pr...
Input Sanitisation
[AI Agent Security] The process of cleaning and validating arguments that an AI agent passes to MCP tools before execution, preventing injection attacks, path traversal, ...
Insecure Tool Defaults
[AI Agent Security] MCP tools that ship with permissive default settings — such as unrestricted file access, no authentication, or broad argument ranges — creating vulner...
K
Key Management
[Security & Compliance] Key management encompasses the practices and systems for securely generating, storing, distributing, rotating, and revoking cryptographic keys — the f...
Kill Switch
[Policy Enforcement] An emergency mechanism that instantly blocks all agent tool calls — denying every request with a single action for immediate harm cessation when an ag...
L
LangChain
[Agentic AI] LangChain is an open-source framework for building applications powered by large language models, providing abstractions for chains, agents, memory, a...
LangGraph
[Agentic AI] LangGraph is a framework by LangChain for building stateful, multi-step AI agent applications using directed graphs, where nodes represent computation...
Large Language Model (LLM)
[Agentic AI] A Large Language Model (LLM) is a neural network trained on vast text corpora that can understand, generate, and reason about natural language, servin...
Least Agency
[Agentic AI] The principle that AI agents should be granted only the minimum autonomy required for their task — not just what they can access (least privilege), bu...
Least Privilege (MCP)
[AI Agent Security] Applying the principle of least privilege to MCP tool access: AI agents should only have access to the specific tools and argument ranges required for...
Lethal Trifecta
[AI Agent Security] The Lethal Trifecta is Simon Willison's term for the combination of three agent capabilities — access to private data, exposure to untrusted content, ...
Line Jumping
[AI Agent Security] Line jumping is an MCP attack class, described by Trail of Bits, in which a malicious server embeds prompt injection payloads in tool descriptions ret...
LLM Router
[Agentic AI] An LLM router is a system that intelligently directs AI requests to different models based on task complexity, cost, latency requirements, or domain —...
Local MCP Server
[MCP & Tool Infrastructure] A local MCP server is an MCP server that runs on the user's own machine, launched by the client as a subprocess and communicating over the stdio trans...
Log Forwarding
[Policy Enforcement] Log forwarding is the practice of sending audit logs from the MCP proxy to external logging systems — such as SIEM platforms, S3 buckets, or Elasticse...
Log Retention
[Policy Enforcement] Log retention refers to policies governing how long audit logs of AI agent tool calls are stored. Different regulations require different retention pe...
M
Malicious MCP Server
[AI Agent Security] A malicious MCP server is an MCP server deliberately designed to exfiltrate data, execute harmful operations, or manipulate the AI agent through poiso...
Man-in-the-Middle (MCP)
[AI Agent Security] A man-in-the-middle (MITM) attack on MCP intercepts and potentially modifies protocol traffic between client and server. This is relevant when using n...
MCP Aggregator
[MCP & Tool Infrastructure] An MCP aggregator is a server that multiplexes many upstream MCP servers behind a single MCP endpoint. The client makes one connection; the aggregator...
MCP Apps
[MCP & Tool Infrastructure] MCP Apps is the first official extension to the Model Context Protocol (SEP-1865), allowing MCP servers to deliver interactive HTML user interfaces — ...
MCP Authorization
[MCP & Tool Infrastructure] MCP Authorization is the OAuth 2.1-based authorisation framework the Model Context Protocol specification defines for HTTP transports. The MCP server ...
MCP Client
[MCP & Tool Infrastructure] An MCP client is the component within an AI agent or application that connects to MCP servers, discovers available tools and resources, and invokes th...
MCP Configuration File
[MCP & Tool Infrastructure] An MCP configuration file (.mcp.json or mcp.json) is the JSON file an AI client such as Claude Code or Cursor reads to determine which MCP servers to ...
MCP Context Middleware
[MCP & Tool Infrastructure] A protocol-aware intermediary that inspects, transforms, or enriches MCP traffic between clients and servers — performing functions like policy enforc...
MCP Elicitation
[MCP & Tool Infrastructure] A protocol feature allowing MCP servers to request additional structured input from users during an interaction, creating a dynamic feedback channel t...
MCP Fleet
[MCP & Tool Infrastructure] An MCP fleet is the complete set of MCP servers, clients and associated credentials in use across an organisation — every server developers have confi...
MCP Gateway
[MCP & Tool Infrastructure] An MCP gateway is a service that sits between MCP clients and multiple upstream MCP servers, providing a single point for authentication, policy enfor...
MCP Governance
[Policy Enforcement] MCP governance is the organisation-level control of MCP usage: maintaining an inventory of approved servers, running approval workflows for new ones, ...
MCP Host
[MCP & Tool Infrastructure] An MCP host is the application that embeds and coordinates MCP clients — for example Claude Desktop, Claude Code, Cursor or an IDE. The host creates o...
MCP Inspector
[MCP & Tool Infrastructure] MCP Inspector is the official interactive developer tool for testing and debugging MCP servers, run via npx @modelcontextprotocol/inspector. It connec...
MCP Prompt
[MCP & Tool Infrastructure] An MCP prompt is a reusable, parameterised prompt template exposed by an MCP server that provides standardised workflows and interaction patterns for ...
MCP Proxy
[MCP & Tool Infrastructure] An MCP proxy is a transparent intermediary placed in the connection between an MCP client and one or more MCP servers. It speaks the protocol on both ...
MCP Resource
[MCP & Tool Infrastructure] An MCP resource is a read-only data source exposed by an MCP server that provides context to AI agents — such as files, database records, API response...
MCP Roots
[MCP & Tool Infrastructure] MCP roots are filesystem boundaries that a client exposes to servers, defining which directories and files a server is meant to operate within. Server...
MCP Rug Pull
[AI Agent Security] An attack where an MCP server silently modifies a tool's description or behaviour after the client has approved it, turning a previously trusted tool ...
MCP Sampling
[MCP & Tool Infrastructure] MCP sampling is a capability in the Model Context Protocol that allows an MCP server to request LLM completions through the connected client — enablin...
MCP Security Scanning
[AI Agent Security] MCP security scanning is the static and dynamic analysis of MCP servers and their tools before adoption, covering tool description review, permission ...
MCP Server
[MCP & Tool Infrastructure] A service exposing capabilities to AI agents via the Model Context Protocol — tools, resources, and prompts that any MCP-compatible agent can discover...
MCP Server Registry
[MCP & Tool Infrastructure] A centralised index of available MCP servers with metadata about capabilities, versioning, and verification status, functioning as the discovery layer...
MCP Server Spoofing
[AI Agent Security] MCP server spoofing is impersonating a legitimate MCP server to intercept or manipulate tool calls between the client and the real server....
MCP Session
[MCP & Tool Infrastructure] An MCP session is the logically related sequence of interactions between a client and server, beginning with the initialization handshake in which pro...
MCP Supply Chain Attack
[AI Agent Security] Exploitation of the MCP server distribution chain — through compromised npm packages, malicious SDK updates, or dependency injection — to gain executi...
MCP Token Cost
[MCP & Tool Infrastructure] MCP token cost is the context-window overhead incurred by connecting MCP servers: every connected server's tool definitions — names, descriptions, and...
MCP Tool
[MCP & Tool Infrastructure] An MCP tool is an executable capability exposed by an MCP server, described with a name, description, and JSON Schema parameters, that AI agents can d...
MCP Tool Annotations
[MCP & Tool Infrastructure] Server-declared metadata hints (readOnlyHint, destructiveHint, idempotentHint, openWorldHint) that describe a tool's behavioural properties, introduce...
MCP Tool Call
[MCP & Tool Infrastructure] A JSON-RPC request from an AI agent to execute a specific function exposed by an MCP server, containing the tool name, arguments, and optional metadat...
MCP Tool Sprawl
[Agentic AI] The uncontrolled proliferation of MCP tools across an organisation, where agents accumulate access to hundreds of tools without centralised inventory,...
MCP Transport
[MCP & Tool Infrastructure] The communication layer between MCP clients and servers, currently supporting stdio (local process) and Streamable HTTP (remote services), which deter...
MCP Virtual Server
MCP & Tool InfrastructureA gateway-configured logical endpoint that exposes a curated subset of tools from one or more upstream MCP servers, scoped by team, use case, or acces...
Model Context Protocol (MCP)
MCP & Tool InfrastructureAn open standard by Anthropic defining how AI agents connect to external tools and data sources. MCP provides a universal interface for discovering an...
Multi-Agent System
Agentic AIA multi-agent system (MAS) is an architecture where multiple AI agents collaborate, compete, or coordinate to accomplish tasks that would be difficult...
Multi-Modal Agent
Agentic AIA multi-modal agent is an AI system that can process and generate multiple types of data — text, images, audio, video — enabling richer interaction wi...
O
Open Weights Model
Agentic AI
An open-weights model is an AI model whose trained parameters are publicly released, allowing anyone to download, run, fine-tune, and deploy it — dist...
OpenAI Agents SDK
Agentic AI
The OpenAI Agents SDK is a lightweight, production-focused framework for building AI agents with built-in support for tool calling, agent handoffs, gu...
Output Filtering
AI Agent Security
Inspecting and filtering MCP tool responses before they are returned to the AI agent, preventing sensitive data leakage, blocking context poisoning at...
Over-Permissioned Agent
AI Agent Security
An AI agent configured with access to more MCP tools or broader argument ranges than its task requires, violating the principle of least privilege and...
OWASP Top 10 for LLM Applications
AI Agent Security
The Open Web Application Security Project's list of the ten most critical security risks for applications built with large language models. The standa...
P
Per-Agent Scoping
Policy Enforcement
Applying distinct policy rules to individual AI agents or agent identities, ensuring that one agent's permissions, rate limits, and budget constraints...
Per-Tool Rate Limit
Policy Enforcement
A rate limit applied to a specific MCP tool rather than globally across all tools. Allows operators to set different throughput ceilings for different...
Per-User Rate Limit
Policy Enforcement
Rate limits scoped to individual users or agent identities rather than applied globally. Ensures one agent cannot consume another's quota, enabling fa...
Permission Creep (Agent)
AI Agent Security
The gradual accumulation of MCP tool permissions over time as new capabilities are added to an agent's configuration but old, unnecessary ones are nev...
Persona Hyperstition
AI Agent Security
A semantic manipulation attack where a narrative about an AI model's identity is seeded into content that re-enters the agent's context via retrieval,...
PII Detection (Agent)
AI Agent Security
Detecting personally identifiable information in MCP tool call arguments or responses to prevent AI agents from inadvertently exfiltrating, processing...
Policy Action (Allow/Deny/Log)
Policy Enforcement
Policy actions are the three possible outcomes of policy evaluation in PolicyLayer: allow (the tool call proceeds to the MCP server), deny (the tool c...
Policy Condition
Policy Enforcement
A policy condition is a constraint within a policy rule that evaluates tool call arguments against defined criteria (e.g. amount < 1000, branch != "ma...
Policy Diff
Policy Enforcement
A policy diff is the comparison between two versions of a policy file to see exactly what changed — which rules were added, removed, or modified. Esse...
Policy Dry Run
Policy Enforcement
A policy dry run is a mode where PolicyLayer evaluates policies and logs the decisions that would be made, but does not enforce them — all tool calls ...
Policy Engine
Policy Enforcement
A policy engine evaluates requests against predefined rules and returns allow/deny decisions. In PolicyLayer, the policy engine evaluates every MCP to...
Policy Evaluation Pipeline
Policy Enforcement
The policy evaluation pipeline is the sequence of steps PolicyLayer follows to evaluate every tool call: match server, match tool, evaluate conditions...
Policy File
Policy Enforcement
A policy file is the physical YAML file (e.g. stripe.yaml, github.yaml) that contains policy rules for one or more MCP servers, stored alongside your ...
Policy Hot Reload
Policy Enforcement
Policy hot reload is the ability to update policy files without restarting PolicyLayer, with changes taking effect on the next tool call to enable zer...
Policy Inheritance
Policy Enforcement
Policy inheritance is the mechanism by which tool-level policies inherit from server-level policies, which in turn inherit from global policies, with ...
Policy Linting
Policy Enforcement
Policy linting is the static analysis of YAML policy files to catch syntax errors, unreachable rules, conflicting conditions, type mismatches, and oth...
Policy Override
Policy Enforcement
A policy override is a mechanism to temporarily or permanently bypass a policy rule, granting an exception for a specific tool call, agent, or time wi...
Policy Priority
Policy Enforcement
Policy priority is the order in which policies are evaluated when multiple rules could match a tool call, with higher-priority rules overriding lower-...
Policy Rollback
Policy Enforcement
Policy rollback is the process of reverting to a previous version of a YAML policy when a new policy causes issues — such as blocking legitimate tool ...
Policy Rule
Policy Enforcement
A policy rule is a single rule within a policy file that specifies an action (allow, deny, or log) for a specific tool or tool pattern, optionally wit...
Policy Template
Policy Enforcement
A pre-built, reusable YAML policy configuration for common agent use cases — such as coding assistants, data analysis agents, or DevOps automation. Te...
Policy Testing
Policy Enforcement
Policy testing is the practice of validating policies against predefined test cases before deployment, ensuring they behave as expected — allowing wha...
Policy Versioning
Policy Enforcement
Policy versioning is the practice of tracking changes to YAML policy files over time using version control (git), enabling audit trails of who changed...
Policy Violation
Policy Enforcement
When an AI agent attempts a tool call that violates a YAML-defined policy — calling a denied tool, passing disallowed arguments, or exceeding rate lim...
Policy Violation Event
Policy Enforcement
A policy violation event is emitted when a tool call is denied by policy, signalling that an agent attempted an operation outside its permitted bounda...
Policy-as-Code
Policy Enforcement
Policy-as-code is the practice of defining security and compliance policies as version-controlled, machine-readable code rather than manual configurat...
Policy-as-Code (MCP)
Policy Enforcement
Expressing MCP tool access rules as version-controlled, machine-readable configuration (typically YAML) rather than UI-configured settings, enabling a...
Principle of Least Privilege
Security & Compliance
The principle of least privilege states that every entity (user, agent, process) should have only the minimum permissions necessary to perform its int...
Privilege Escalation
Security & Compliance
Privilege escalation is a security exploit where an entity gains access to tools or capabilities beyond what was initially authorised — either by expl...
Prompt Chaining
Agentic AI
Prompt chaining is the technique of connecting multiple LLM calls in sequence, where each call's output feeds into the next call's input — enabling co...
Prompt Engineering
Agentic AI
Prompt engineering is the practice of designing and optimizing input text to guide large language models toward producing desired outputs, including t...
Prompt Injection
Security & Compliance
An attack where malicious input manipulates an AI agent's behaviour by injecting instructions that override its programming. Successful prompt injecti...
Prompt Injection (Tool-Layer)
AI Agent Security
Tool-layer prompt injection embeds malicious instructions in MCP tool descriptions, schemas, or return values to hijack agent behaviour. It targets th...
Prompt Leaking
AI Agent Security
Prompt leaking is when an MCP tool or server extracts the agent's system prompt, user instructions, or conversation context through crafted tool inter...
PydanticAI
Agentic AI
PydanticAI is a Python agent framework by the creators of Pydantic that emphasizes type safety, structured outputs, and production reliability — using...
R
RAG Knowledge Poisoning
AI Agent Security
A cognitive state attack that injects fabricated statements into retrieval corpora so agents treat attacker-authored content as verified fact, corrupt...
Range Constraint
Policy Enforcement
Restricting a numeric tool call argument to a minimum and/or maximum value. Range constraints set safe operational bounds — for example, ensuring a tr...
Rate Limiting (Security)
Security & Compliance
Rate limiting is a security control that restricts the frequency of operations — transactions per minute, API calls per hour, or spending events per d...
Rate Limiting (Tool Calls)
Policy Enforcement
Constraining how frequently an AI agent can invoke specific MCP tools within a defined time window. Rate limiting prevents runaway agents, protects do...
ReAct Agent
Agentic AI
A ReAct agent follows the Reasoning + Acting paradigm, alternating between thinking steps (reasoning about what to do) and action steps (executing too...
Reasoning Agent
Agentic AI
A reasoning agent is an AI agent that uses explicit step-by-step thinking — such as chain-of-thought or extended thinking — to break down complex prob...
Regex Validation (Policy)
Policy Enforcement
Using regular expressions in YAML policies to validate tool call argument values before they reach the MCP server. Regex constraints can enforce email...
Regulatory Compliance
Security & Compliance
Regulatory compliance is the adherence to laws, regulations, and industry standards governing cryptocurrency operations — including KYC/AML requiremen...
Reinforcement Learning
Agentic AI
Reinforcement Learning (RL) is a machine learning paradigm where an agent learns optimal behavior through trial and error, receiving rewards or penalt...
Remote MCP Server
MCP & Tool Infrastructure
A remote MCP server is a hosted MCP server that clients reach over the network using the Streamable HTTP transport, rather than launching it as a loca...
Replay Attack (Tool Call)
AI Agent Security
A replay attack on tool calls captures and re-sends a valid MCP tool call to execute it again, potentially duplicating financial transactions, destruc...
Required Argument
Policy Enforcement
A policy rule enforcing that a specific argument must be present in a tool call. Required argument constraints prevent tools from being called with mi...
Resource Exhaustion (Agent)
AI Agent Security
Agent resource exhaustion is when an AI agent consumes excessive compute, memory, API calls, or tokens — either through manipulation or runaway behavi...
Response Filtering
Policy Enforcement
Inspecting and modifying MCP tool responses before they reach the agent. Response filtering can strip sensitive data, block certain patterns, redact i...
Response Validation
Policy Enforcement
Checking MCP tool responses against expected schemas or patterns before passing them to the agent. Response validation catches malformed, unexpected, ...
Responsible AI
AI Agent Security
The practice of developing and deploying AI systems in ways that are safe, fair, transparent, and accountable. For AI agents, this includes enforcing ...
Retrieval-Augmented Generation (RAG)
Agentic AI
Retrieval-Augmented Generation (RAG) is an architecture that enhances LLM responses by retrieving relevant documents from an external knowledge base a...
RLHF
Agentic AI
Reinforcement Learning from Human Feedback (RLHF) is a training technique that aligns LLM outputs with human preferences by training a reward model on...
Rogue Agent
AI Agent Security
An AI agent that has deviated from its intended behaviour — whether through prompt injection, misconfiguration, or emergent behaviour — and is now per...
Role-Based Access Control (RBAC)
Security & Compliance
Role-Based Access Control (RBAC) is a security model that assigns permissions to roles rather than individual entities, and then assigns roles to user...
S
Sandbox Escaping
AI Agent Security
Sandbox escaping is when an AI agent or MCP tool breaks out of its intended execution environment to access system resources, files, or networks it sh...
Scoped Token
Policy Enforcement
A scoped token is a credential issued to a specific person or agent that grants access to a defined subset of resources — in MCP deployments, particul...
Secret Scanning (Tool Output)
AI Agent Security
Scanning MCP tool responses for accidentally exposed secrets — API keys, passwords, tokens, private keys, and connection strings — before they enter t...
Security Audit
Security & Compliance
A security audit is a comprehensive review of a system's security posture — examining code, architecture, access controls, and operational practices t...
Security Boundary (Agent)
AI Agent Security
The logical perimeter around an AI agent's permitted operations, defined by which MCP servers it can connect to, which tools it can invoke, and what a...
Semantic Kernel
Agentic AI
Semantic Kernel is Microsoft's open-source SDK for integrating LLMs into applications — providing abstractions for AI plugins, memory, and planning th...
Semantic Manipulation Trap
AI Agent Security
An agent trap that manipulates input data distributions to corrupt an agent's reasoning without issuing overt commands — using biased phrasing, author...
Semantic Routing
Agentic AI
Semantic routing is the technique of directing requests, queries, or tasks to the appropriate handler (agent, tool, or model) based on the semantic me...
Server-Level Policy
Policy Enforcement
A server-level policy applies default rules to all tools on a given MCP server, establishing baseline permissions that can be overridden by more speci...
Shadow AI Agent
AI Agent Security
An unauthorised AI agent operating within an organisation, connecting to MCP servers without IT or security team oversight. The agent equivalent of sh...
Shadow MCP
Agentic AI
MCP servers deployed by employees without IT oversight, giving AI agents ungoverned access to production systems, databases, and APIs — the 2026 equiv...
SIEM Integration
Security & Compliance
SIEM integration is the process of connecting MCP proxy audit logs to a Security Information and Event Management system for real-time threat detectio...
Sliding Window Rate Limit
Policy Enforcement
A rate limiting approach that uses a rolling time window rather than fixed intervals. Instead of resetting a counter every minute on the minute, it co...
SOC 2 Compliance
Security & Compliance
SOC 2 is a compliance framework developed by the AICPA for service organisations, focused on five trust service criteria: security, availability, proc...
SSE Transport
MCP & Tool Infrastructure
The SSE transport (HTTP+SSE) was the original remote transport in MCP protocol revision 2024-11-05, using a GET-opened Server-Sent Events stream for s...
stdio Transport
MCP & Tool Infrastructure
The stdio transport is the local MCP transport in which the client launches the MCP server as a subprocess and exchanges newline-delimited JSON-RPC me...
Streamable HTTP Transport
MCP & Tool Infrastructure
Streamable HTTP is the current HTTP transport in the MCP specification: the server exposes a single endpoint that accepts POST and GET requests, retur...
String Length Constraint
Policy Enforcement
Restricting the length of a string argument in a tool call. String length constraints prevent excessively long inputs that could be used for prompt in...
Structured Output
Agentic AI
Structured output refers to LLM responses formatted in machine-readable schemas like JSON or typed objects, enabling reliable integration with downstr...
Structured Tool Output
MCP & Tool Infrastructure
Structured tool output is the typed result an MCP tool returns as a JSON object in the structuredContent field of a tools/call response, optionally va...
Subagent
Agentic AI
A subagent is a child agent spawned by an orchestrating agent to handle a delegated task, running with its own context window and typically a constrai...
Supply Chain Attack
Security & Compliance
A supply chain attack compromises software by targeting its dependencies, build tools, or distribution channels — injecting malicious code through tru...
System Prompt
Agentic AI
A system prompt is a privileged instruction set provided to an LLM that defines the model's role, behavior, constraints, and output format — serving a...
Systemic Trap
AI Agent Security
An agent trap that seeds the environment with inputs designed to trigger macro-level failures via correlated agent behaviour — including congestion tr...
T
Tacit Collusion (Agent Context)
AI Agent Security
A systemic trap where environmental signals act as correlation devices, synchronising anticompetitive agent behaviour — such as coordinated pricing or...
Task Decomposition
Agentic AI
Task decomposition is the process by which an AI agent breaks a complex goal into smaller, manageable sub-tasks that can be executed sequentially or i...
Threat Modeling
Security & Compliance
Threat modeling is a structured security analysis process that identifies potential threats to a system, evaluates their likelihood and impact, and de...
Throttling
Policy Enforcement
Deliberately slowing down agent tool call throughput rather than hard-blocking. A softer alternative to outright denial that allows agents to continue...
Token Bucket (Rate Limiting)
Policy Enforcement
A rate limiting algorithm where tokens are added to a bucket at a fixed rate. Each tool call consumes a token; calls are denied when the bucket is emp...
Token Exfiltration
AI Agent Security
Token exfiltration is extracting authentication tokens, session tokens, or API tokens from an AI agent's environment through malicious tool calls or p...
Token Passthrough
AI Agent Security
Token passthrough is the anti-pattern in which an MCP server accepts access tokens that were not issued for it, or forwards the token it received from...
Tokenization (AI)
Agentic AI
Tokenization in AI refers to breaking text into smaller units (tokens) that a language model can process — typically subword pieces that balance vocab...
Tool Call Approval
Policy Enforcement
Tool call approval is the gate applied to an individual tool call before it executes, resolving to one of three outcomes — auto-allow, prompt a human,...
Tool Call Rate Limiting
Policy Enforcement
Enforcing a maximum number of tool invocations within a time window, applied per-tool, per-agent, or globally, to prevent runaway execution, cost over...
Tool Calling
MCP & Tool Infrastructure
Tool calling is the mechanism by which a large language model generates structured requests to invoke external tools, APIs, or functions — enabling th...
Tool Description Mismatch
AI Agent Security
A discrepancy between what a tool's metadata claims it does and what the underlying code actually executes, found in approximately 13% of MCP servers ...
Tool Discovery
MCP & Tool Infrastructure
Tool discovery is the process by which an MCP client learns what tools a server offers: the client sends a tools/list request and receives each tool's...
Tool Input Schema
MCP & Tool Infrastructure
A tool input schema is the JSON Schema an MCP tool publishes in its inputSchema field, describing the names, types, and required status of the argumen...
Tool Misuse
AI Agent Security
When an AI agent invokes a legitimate tool in an unsafe way — through ambiguous prompts, manipulated input, or unexpected tool chaining — causing data...
Tool Name Collision
AI Agent Security
Tool name collision occurs when multiple MCP servers expose tools with the same name, creating ambiguity about which tool the AI agent actually invoke...
Tool Poisoning
AI Agent Security
Tool poisoning is an attack where a malicious actor manipulates an MCP tool's description, schema, or metadata to trick an AI agent into performing un...
Tool Risk Category
MCP & Tool Infrastructure
A classification label (Read, Write, Execute, Destructive, Financial) assigned to an MCP tool based on its potential impact, used to enforce graduated...
Tool Shadowing
AI Agent Security
Tool shadowing is an attack where a malicious MCP server exposes a tool with the same name as a trusted server's tool, silently intercepting calls the...
Tool Squatting
AI Agent Security
Tool squatting is registering an MCP server with a name deliberately similar to a popular, trusted server to intercept agent tool calls. It is the MCP...
Tool Use
MCP & Tool Infrastructure
Tool use refers to an AI agent's ability to interact with external systems — calling APIs, executing code, querying databases, writing files, or perfo...
Tool-Level Policy
Policy Enforcement
A tool-level policy targets a specific MCP tool (e.g. create_payment_intent on the Stripe server) rather than an entire server, providing the most gra...
Transformer
Agentic AI
A Transformer is the neural network architecture underlying all modern large language models, using self-attention mechanisms to process sequential da...
Trust Boundary
AI Agent Security
A boundary in a system where the level of trust changes. In MCP architectures, trust boundaries exist between the agent and each MCP server, between P...
Two-Factor Authentication (2FA)
Security & Compliance
Two-factor authentication (2FA) is a security measure requiring two different verification methods to access an account — typically combining somethin...
Two-Phase Tool Enforcement
Policy Enforcement
An enforcement pattern where the proxy atomically reserves a budget or counter increment before forwarding a tool call, then commits on success or rol...
Z
Zero Trust (Agent)
AI Agent Security
A security model where no AI agent, tool call, or MCP server is inherently trusted. Every tool invocation is verified against policy regardless of its...
Zero-Shot Learning
Agentic AI
Zero-shot learning is an LLM's ability to perform a task with only instructions and no examples — relying entirely on the model's pre-trained knowledg...