A chatbot that can only talk is low-risk. An agent that can read your email, query your database, and call APIs is a different animal — because now a single manipulated instruction can do something, not just say something.
The industry now treats this as a first-class problem
- NIST AI Agent Standards Initiative: Launched in early 2026, it spans agent security, interoperability, and identity — a signal that agent security is now standards-track, not research-only.
- OWASP Top 10 for Agentic Applications: Formalizes agent-specific risks — including agentic supply-chain vulnerabilities (compromised tool / MCP servers) — alongside prompt injection and excessive agency.
- MCP threat taxonomy: As MCP (the Model Context Protocol) becomes the default way agents call tools, researchers have catalogued attack classes including tool-description poisoning, indirect prompt injection, and parasitic tool chaining.
The kill-chain: how one injection becomes a breach
The dangerous path is a chain, mapped onto the OWASP LLM risks:
- Indirect prompt injection (LLM01): The agent ingests attacker-controlled content — a web page, a document, a ticket, a tool description — carrying hidden instructions.
- Excessive agency (LLM06): The agent has broad standing permissions, so it acts on the injected instruction — sends the email, runs the query, hits the API.
- Improper output handling (LLM05): The result — exfiltrated data, a malicious link, a destructive action — flows downstream unchecked.
Break any one link and the chain fails. That's why the answer is defense-in-depth, not a single magic filter.
Where a gateway fits
No single control solves agent security — but the model-call gateway is one of the highest-leverage places to break the chain, because every reasoning step passes through it:
- Injection detection on inbound context: Normalize and screen prompts — including tool output fed back to the model — for known injection and jailbreak patterns before the model acts on them.
- Bound the blast radius: Per-key rate limits and hard spend caps stop a hijacked or looping agent from running up cost or hammering downstream systems.
- Redact what tools shouldn't emit: PII tokenization keeps sensitive values from flowing out through a compromised step.
- Prove what happened: A tamper-evident audit trail of every call is what lets you reconstruct an incident — which step, which tool, what data — after the fact.
What's still on you (and the roadmap)
A gateway governs the model call. Full agent security also needs controls at the tool layer — tool allowlisting, per-tool RBAC, agent-identity binding, and human-in-the-loop checkpoints for high-impact actions. Tool- and protocol-level (MCP) governance is where agent security is heading, and where a gateway naturally extends next. The point today: don't give an agent broad tools without an in-path control and audit layer in front of the model.
- NIST AI Agent Standards Initiative — announced 2026 (agent security, interoperability, identity).
- OWASP Top 10 for Agentic Applications — including agentic supply-chain (ASI04).
- MCP threat taxonomy — Cloud Security Alliance and community research on MCP tool security (2026).
- OWASP LLM Top 10 — LLM01 Prompt Injection, LLM05 Improper Output Handling, LLM06 Excessive Agency.