The first generation of AI security questions sounded familiar: where are the model weights, who can call the endpoint, what data can the system see? The next generation is stranger. A single assistant can now load tools, call MCP servers, delegate work to another agent, write files, query systems, and explain the result in prose that looks reassuring. The control problem is no longer just what the model knows. It is what the agent can ask someone else to do.
An agent boundary is only real if the agent cannot route around it through another tool, skill or teammate.
The tool is the new trust boundary
Model Context Protocol servers and custom skills are powerful because they turn a language model into an operator. They are dangerous for the same reason. A barely reviewed connector can expose files, CRM records, tickets, terminals, cloud APIs or internal search. If the tool has broad permissions and weak logging, the user's prompt becomes a command path through infrastructure the user may not understand. Approval dialogs help, but only when the approver knows the real action, the real data set and the real downstream effect.
Delegation can become privilege transfer
Agent swarms create a subtler failure mode. One agent may be denied access to a repository, database or customer record, but still be allowed to ask a second agent for a summary. If the second agent has broader access and no obligation to enforce the first agent's boundary, the system has built a privilege bridge. The logs may show two innocent actions: one request, one answer. The risk lives in the relationship between them.
What a controlled agent program needs
- A registry of every MCP server, skill, connector and agent that can touch company data.
- Permission checks based on the requesting human, not only the service account or agent runtime.
- Logs that connect prompt, tool call, data touched, delegated agent and final answer in one trail.
- Policy that blocks one agent from obtaining data indirectly through another agent with broader access.
- Review gates for new tools, especially anything that can read files, execute commands, query customers or write to production systems.
We help teams draw the real boundaries around AI agents: tools, permissions, logs, approvals and the handoffs between them.