AI Agent Security

AI Agent Security

Treating AI agents as security principals — not just helpful assistants that happen to execute code. This topic covers how to constrain AI agent authority so that prompt injection, confused-deputy attacks, and privilege escalation become structurally impossible rather than merely unlikely.

The core problem

An LLM agent authenticates once at session start. After that, every tool call it makes — read a file, run a command, hit the network — runs with the caller’s full ambient authority for the rest of the session. When that agent ingests untrusted content (a repo README, an email, a search result), an attacker can inject instructions that redirect that authority toward exfiltration or destruction.

Key concepts

ConceptSummary
Capability-based authorizationAgents receive tokens that name exactly what they’re allowed to do. No operation exists to widen authority — it’s not just blocked, it’s unrepresentable.
Prompt injection as authorization bugInjection isn’t a “model alignment” problem alone; it’s an authorization boundary problem. The fix is structural: make the runtime incapable of granting permissions the caller didn’t intend.
Content provenance / taint trackingCapability boundaries stop out-of-scope reads. But data read legitimately can still be pasted into outbound channels. Taint tracking traces data from source to sink.
MCP capability gatewaysThe Model Context Protocol lets agents call tools. A gateway between agent and tools can enforce both boundary checks and content-based policies.
Serialization vulnerabilitiesCapabilities cross process boundaries via serialization (JSON, bincode). If the deserialized mirror isn’t covered by the signature, an attacker can widen permissions after verification.

Reading order

Start here and read through. Each post builds on the previous one.

  1. Prompt Injection Is an Authorization Bug Capability-bounded tool calls where widening authority is unrepresentable. Two agents, same injected attack — one leaks secrets, the other can’t.

  2. The Signature Verified, the Authority Widened Anyway How verified crypto signatures still allow privilege escalation when a signed token’s in-memory mirror gets modified across a serialization boundary.

  3. Capability Boundaries Have No Memory When sandboxing isn’t enough and you need content provenance too. Capsule: an MCP gateway combining capability boundaries with taint tracking.

  • Warden — Rust reference runtime enforcing strict, auditable authority limits on agent tool calls via Biscuit tokens.
  • Capsule — MCP capability gateway with sandbox boundaries + content-based taint tracking.