What is a Trust Boundary?


A boundary in a system where the level of trust changes. In MCP architectures, trust boundaries exist between the agent and each MCP server, between Intercept and external services, and between the user and the agent.

WHY IT MATTERS

Trust boundaries are one of the most important concepts in security architecture. Every time data crosses a trust boundary — moving from a trusted zone to an untrusted one, or vice versa — security controls must be applied. Failing to enforce controls at trust boundaries is the root cause of most security vulnerabilities.

In an MCP agent system, there are several critical trust boundaries. The boundary between the user and the agent: user input may contain prompt injection attempts. The boundary between the agent and MCP servers: the agent sends arguments that servers must not blindly trust. The boundary between MCP servers and the agent: server responses may contain poisoned content. The boundary between the agent and any external systems the servers connect to: databases, APIs, file systems.

Each trust boundary requires specific controls. At the user-agent boundary: input filtering and prompt injection resistance. At the agent-server boundary: argument validation and tool access control. At the server-agent boundary: output filtering and secret scanning. At the server-external boundary: the server's own authentication and authorisation.

The critical architectural insight is that Intercept sits precisely at the agent-server trust boundary — the most consequential boundary in the system. This is where the agent's reasoning translates into real-world actions. Getting enforcement right at this boundary constrains the damage from failures at every other boundary.

HOW POLICYLAYER USES THIS

Intercept is architecturally positioned at the primary trust boundary in MCP systems — between the agent and MCP servers. This placement means every tool call crosses through Intercept's policy evaluation before reaching any server. Intercept enforces bidirectional controls at this boundary: argument validation and tool access control on the request path, and output filtering on the response path. Because the agent-server boundary is where reasoning becomes action, enforcing here provides the highest-leverage security control in the entire system.
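As an added example (not Intercept's code or its YAML policy format), the following minimal Python proxy shows the bidirectional enforcement at the agent-server boundary described above: tool access control and argument validation on the request path, secret redaction on the response path. The policy dict, the read_file and search_docs tool names, the path root and the secret patterns are constructed assumptions; the message shape follows MCP's JSON-RPC tools/call request and its content-list result.

```python
import re
from pathlib import PurePosixPath

# Constructed policy (assumption, not Intercept's YAML schema): which tools the
# agent may call and a per-argument constraint for the file-reading tool.
POLICY = {
    "allowed_tools": {"read_file", "search_docs"},
    "read_file": {"path_root": "/srv/workspace"},
}
# Secret-looking shapes to redact on the response path (constructed examples).
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                    # AWS access key id shape
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key header
]

def check_request(call: dict) -> tuple[bool, str]:
    """Request path: tool access control, then argument validation."""
    if call.get("method") != "tools/call":
        return False, "not a tools/call request"
    params = call.get("params", {})
    name = params.get("name")
    if name not in POLICY["allowed_tools"]:
        return False, f"tool {name!r} is not allowed by policy"
    args = params.get("arguments", {})
    if name == "read_file":
        root = POLICY["read_file"]["path_root"]
        path = PurePosixPath(str(args.get("path", "")))
        # Reject relative paths, parent references and anything outside the root.
        if (not path.is_absolute() or ".." in path.parts
                or not str(path).startswith(root + "/")):
            return False, "path is outside the allowed root"
    return True, "ok"

def filter_response(text: str) -> str:
    """Response path: redact secret-looking content before the agent sees it."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def proxy(call: dict, server) -> dict:
    """Sit between agent and server: enforce on the request, filter the response."""
    allowed, reason = check_request(call)
    if not allowed:
        return {"error": {"message": f"blocked by policy: {reason}"}}
    response = server(call)  # forwarded to the MCP server only if policy allows
    for item in response.get("result", {}).get("content", []):
        if item.get("type") == "text":
            item["text"] = filter_response(item["text"])
    return response
```

The server argument is any callable that returns a tools/call result, so the proxy can be exercised with a stub before being wired to a real transport.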

FREQUENTLY ASKED QUESTIONS

How many trust boundaries exist in a typical MCP deployment?

At minimum four: user-to-agent, agent-to-proxy (Intercept), proxy-to-MCP-server, and server-to-external-systems. Each MCP server adds another boundary. Multi-agent systems add agent-to-agent boundaries. Security controls are needed at each one.

Which trust boundary is most important to enforce?

The agent-to-server boundary, where Intercept sits. This is where the agent's decisions become real-world actions — tool invocations that modify files, send messages, query databases. Getting enforcement right here constrains the impact of failures at every other boundary.

How do trust boundaries apply to tool responses?

Tool responses cross a trust boundary from the MCP server back to the agent. The server may be compromised, may return unexpected data, or may include content designed to manipulate the agent. Output filtering at this boundary prevents context poisoning and data leakage.

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept