// GLOSSARY -- AI AGENT SECURITY

What is a Security Boundary (Agent)?

2 min read Updated

The logical perimeter around an AI agent's permitted operations, defined by which MCP servers it can connect to, which tools it can invoke, and what argument ranges are valid. Everything inside the boundary is allowed; everything outside is denied.

WHY IT MATTERS

Every secure system has boundaries — perimeters that separate permitted operations from prohibited ones. For traditional applications, these are network perimeters, authentication boundaries, and authorisation scopes. For AI agents, the security boundary is defined by tool access, argument constraints, and server connectivity.

Defining an agent's security boundary requires answering three nested questions. Outer boundary: which MCP servers can the agent reach? This determines the universe of available capabilities. Middle boundary: within those servers, which tools can the agent invoke? This scopes the specific operations available. Inner boundary: within those tools, what argument values are permitted? This constrains how operations are performed.

A well-defined security boundary has the property that an agent operating entirely within it cannot cause harm beyond acceptable risk. If the boundary is drawn correctly, even a fully compromised agent — manipulated by prompt injection, hallucinating wildly, or adversarially controlled — is contained. The damage is bounded by the boundary.

The challenge is that security boundaries are often implicit rather than explicit. An agent's boundary is whatever its MCP client configuration and server capabilities happen to permit. Without a tool like Intercept that makes boundaries explicit and enforceable, the boundary is undefined — meaning the agent's effective boundary is 'everything accessible through configured MCP servers.'

HOW POLICYLAYER USES THIS

Intercept makes agent security boundaries explicit, declarative, and enforceable. YAML policies define the boundary at each level: server connectivity, tool access, and argument constraints. The boundary is documented in version-controlled policy files, making it reviewable by security teams and auditable by compliance. Intercept enforces the boundary on every tool call — any operation outside the defined boundary is denied, regardless of why the agent attempted it.

FREQUENTLY ASKED QUESTIONS

How do I determine the right security boundary for my agent?
Start from the agent's task requirements: what does it need to accomplish? Map those requirements to specific MCP servers, tools, and argument ranges. The boundary should be the minimum set of permissions that enables the task. Use Intercept's log-only mode to validate that the boundary is sufficient.
Should different agents have different security boundaries?
Absolutely. A code review agent needs a different boundary than a deployment agent or a customer support agent. Each agent's boundary should reflect its specific task requirements. One-size-fits-all boundaries are either too permissive for some agents or too restrictive for others.
What happens when an agent needs to cross its security boundary?
The tool call is denied and logged. This is a signal that either the boundary needs updating (if the operation is legitimate) or the agent is misbehaving (if it is not). The policy update goes through version control and review, maintaining the integrity of the boundary.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.