autrace
All posts
AgentsMCPOWASPSecurity

Securing AI Agents: Tool-Calling, Excessive Agency, and the Injection Kill-Chain

AE
Autrace Engineering
·July 5, 2026·9 min read

A chatbot that can only talk is low-risk. An agent that can read your email, query your database, and call APIs is a different animal — because now a single manipulated instruction can do something, not just say something.

The industry now treats this as a first-class problem

  • NIST AI Agent Standards Initiative: Launched in early 2026, it spans agent security, interoperability, and identity — a signal that agent security is now standards-track, not research-only.
  • OWASP Top 10 for Agentic Applications: Formalizes agent-specific risks — including agentic supply-chain vulnerabilities (compromised tool / MCP servers) — alongside prompt injection and excessive agency.
  • MCP threat taxonomy: As MCP (the Model Context Protocol) becomes the default way agents call tools, researchers have catalogued attack classes including tool-description poisoning, indirect prompt injection, and parasitic tool chaining.

The kill-chain: how one injection becomes a breach

The dangerous path is a chain, mapped onto the OWASP LLM risks:

  1. Indirect prompt injection (LLM01): The agent ingests attacker-controlled content — a web page, a document, a ticket, a tool description — carrying hidden instructions.
  2. Excessive agency (LLM06): The agent has broad standing permissions, so it acts on the injected instruction — sends the email, runs the query, hits the API.
  3. Improper output handling (LLM05): The result — exfiltrated data, a malicious link, a destructive action — flows downstream unchecked.

Break any one link and the chain fails. That's why the answer is defense-in-depth, not a single magic filter.

Where a gateway fits

No single control solves agent security — but the model-call gateway is one of the highest-leverage places to break the chain, because every reasoning step passes through it:

  1. Injection detection on inbound context: Normalize and screen prompts — including tool output fed back to the model — for known injection and jailbreak patterns before the model acts on them.
  2. Bound the blast radius: Per-key rate limits and hard spend caps stop a hijacked or looping agent from running up cost or hammering downstream systems.
  3. Redact what tools shouldn't emit: PII tokenization keeps sensitive values from flowing out through a compromised step.
  4. Prove what happened: A tamper-evident audit trail of every call is what lets you reconstruct an incident — which step, which tool, what data — after the fact.

What's still on you (and the roadmap)

A gateway governs the model call. Full agent security also needs controls at the tool layer — tool allowlisting, per-tool RBAC, agent-identity binding, and human-in-the-loop checkpoints for high-impact actions. Tool- and protocol-level (MCP) governance is where agent security is heading, and where a gateway naturally extends next. The point today: don't give an agent broad tools without an in-path control and audit layer in front of the model.

References
  • NIST AI Agent Standards Initiative — announced 2026 (agent security, interoperability, identity).
  • OWASP Top 10 for Agentic Applications — including agentic supply-chain (ASI04).
  • MCP threat taxonomy — Cloud Security Alliance and community research on MCP tool security (2026).
  • OWASP LLM Top 10 — LLM01 Prompt Injection, LLM05 Improper Output Handling, LLM06 Excessive Agency.
← Back to blogContact Us →