Security & Access Control

Policy-based tool call gating for AI agents

Why Tool Call Security Matters

When AI agents have access to tools, each function invocation is a potential attack surface. Traditional prompt-injection defenses guard the language model, but attackers can still exploit tool calls directly. MCP Tool Call Gating Proxy moves the security chokepoint to where it matters: the tool invocation layer.

This means:

Policy Framework: Allow / Ask / Block

Every tool call matches one of three security postures:

Policy   Behavior                                        Use case
ALLOW    Tool executes immediately; logged for audit      Safe, read-only operations (list, query, describe)
ASK      Suspends execution; waits for human approval     State-changing operations (create, update, delete, deploy)
BLOCK    Execution rejected; logged as blocked attempt    Dangerous tools (system commands, external APIs, admin functions)

Threat Model

The MCP gating proxy defends against four attack vectors:

1. Prompt Injection → Unauthorized Tool Call
   Attacker embeds instructions in user input to invoke tools the agent shouldn't touch.
   Defense: Policy rules prevent tool invocation regardless of prompt content.

2. Argument Smuggling
   Agent is tricked into passing dangerous arguments to an approved tool.
   Defense: Argument schema validation and type checking before execution.

3. Privilege Escalation
   Agent uses a lower-privilege tool to invoke a higher-privilege one (chained calls).
   Defense: Each tool call is evaluated independently against the policies.

4. Compliance Violation
   Agent invokes tools that shouldn't be used together (e.g., reading PII, then sending it to an external API).
   Defense: Contextual rules can block sequences or high-risk combinations.

Policy Definition Example

Define policies as JSON rules. This example protects a database tool:

{
  "tools": [
    {
      "name": "database.query",
      "policy": "ALLOW",
      "conditions": [
        { "arg": "query_type", "in": ["SELECT", "DESCRIBE"] }
      ]
    },
    {
      "name": "database.execute",
      "policy": "ASK",
      "conditions": [
        { "arg": "query_type", "in": ["INSERT", "UPDATE", "DELETE"] }
      ],
      "require_human_approval": true
    },
    {
      "name": "system.shell",
      "policy": "BLOCK"
    }
  ]
}

Audit Logging

Every tool call decision is logged for compliance and debugging:

{
  "timestamp": "2026-06-18T07:05:27Z",
  "agent_id": "claude-agent-001",
  "tool": "database.execute",
  "policy_matched": "ASK",
  "status": "pending_approval",
  "args": { "query_type": "DELETE", "table": "users" },
  "approved_by": null,
  "execution_time_ms": 0
}
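The following evaluator ties the policy rules and the audit record together: it matches one tool call against the JSON rule set above and emits the audit entry in the layout above. It is an added example, not the gating proxy's own code. It assumes the rule fields shown (tools[].name, policy, conditions[].arg / in, require_human_approval), falls back to BLOCK when no rule matches (the deny-by-default pattern described under Integration Patterns), and the status strings "allowed" and "blocked" are assumptions; only "pending_approval" appears in the original log.

```python
"""Tool-call policy evaluator: ALLOW / ASK / BLOCK plus an audit record.

Added example, not the gating proxy's own code. Assumes the JSON rule shape
and audit fields shown on the page; status strings other than
"pending_approval" are assumed.
"""
import json
from datetime import datetime, timezone

# Constructed policy, copied from the page's database example.
POLICY_JSON = """{
  "tools": [
    {"name": "database.query", "policy": "ALLOW",
     "conditions": [{"arg": "query_type", "in": ["SELECT", "DESCRIBE"]}]},
    {"name": "database.execute", "policy": "ASK",
     "conditions": [{"arg": "query_type", "in": ["INSERT", "UPDATE", "DELETE"]}],
     "require_human_approval": true},
    {"name": "system.shell", "policy": "BLOCK"}
  ]
}"""

DEFAULT_POLICY = "BLOCK"  # deny by default: a call with no matching rule never runs
STATUS_FOR = {"ALLOW": "allowed", "ASK": "pending_approval", "BLOCK": "blocked"}


def load_policy(text):
    """Parse the rule set and reject any rule naming an unknown decision."""
    policy = json.loads(text)
    for rule in policy["tools"]:
        if rule["policy"] not in STATUS_FOR:
            raise ValueError(f"unknown policy {rule['policy']!r} for {rule['name']}")
    return policy


def conditions_match(conditions, args):
    """Every condition must hold. A missing argument, or a value outside the
    allowed set, is a non-match: a rule is never widened by an argument the
    policy author did not anticipate (the argument-smuggling case)."""
    for cond in conditions:
        value = args.get(cond["arg"])
        if value is None or value not in cond["in"]:
            return False
    return True


def evaluate(policy, tool, args):
    """Return (decision, reason) for one tool call.

    Rules are matched in order by exact tool name; the first rule whose
    conditions all hold decides. A known tool whose arguments satisfy no rule
    falls through to DEFAULT_POLICY, so an unexpected query_type on
    database.query is blocked rather than allowed.
    """
    for rule in policy["tools"]:
        if rule["name"] != tool:
            continue
        if conditions_match(rule.get("conditions", []), args):
            return rule["policy"], f"rule for {tool} matched"
    return DEFAULT_POLICY, f"no rule matched {tool}; deny by default"


def audit_record(agent_id, tool, args, decision, now=None):
    """Build the audit entry for a decision, in the field layout shown above."""
    now = now or datetime.now(timezone.utc)
    return {
        "timestamp": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "agent_id": agent_id,
        "tool": tool,
        "policy_matched": decision,
        "status": STATUS_FOR[decision],
        "args": args,
        "approved_by": None,      # filled in later when an ASK is approved
        "execution_time_ms": 0,   # nothing has run yet at decision time
    }


POLICY = load_policy(POLICY_JSON)

if __name__ == "__main__":
    # Constructed calls: a clean read, a state change, a smuggled argument,
    # a blocked tool, and a tool with no rule at all.
    calls = [
        ("database.query", {"query_type": "SELECT", "table": "orders"}),
        ("database.execute", {"query_type": "DELETE", "table": "users"}),
        ("database.query", {"query_type": "DROP", "table": "users"}),
        ("system.shell", {"cmd": "uname -a"}),
        ("files.write", {"path": "/tmp/example"}),
    ]
    for tool, args in calls:
        decision, reason = evaluate(POLICY, tool, args)
        print(json.dumps(audit_record("claude-agent-001", tool, args, decision)), "#", reason)
```

The fail-closed choices are deliberate: a database.query call whose query_type is not SELECT or DESCRIBE is blocked rather than allowed, and so is a call whose query_type argument is missing entirely, because the rule's conditions describe what the author meant to permit, not a filter on top of an otherwise open tool.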

Integration Patterns

Pattern 1: Deny by Default

Block all tools unless explicitly allowed. Safest for high-stakes environments (financial systems, healthcare).

Pattern 2: Whitelist Per Agent

Each agent type gets its own tool access profile. A research agent can't write to prod; a deployment agent can't query customer data.

Pattern 3: Context-Aware Policies

Tool access depends on conversation context. Approvals during business hours might be instant; after-hours calls always ask. High-cost operations always ask regardless of time.

Pattern 4: Rate Limiting + Gating

Combine tool call frequency limits with approval gates. If an agent tries the same tool 10+ times in 1 minute, block and alert.
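Patterns 2, 3 and 4 compose naturally as layers on top of the base ALLOW/ASK/BLOCK decision. The gate below is an added example, not the gating proxy's own code: it assumes the base decision has already been computed from the policy rules and that each layer may only tighten it (ALLOW to ASK to BLOCK), never loosen it. The agent profiles, business hours, high-cost tool set and the fixed-date clock helper are constructed for the example; the 10-calls-per-minute threshold is the one given above.

```python
"""Layered gate for Patterns 2-4: per-agent profile, context-aware tightening,
and a sliding-window rate limit applied after the base policy decision.

Added example, not the gating proxy's own code. Profiles, business hours and
the high-cost tool set are constructed; the base decision is assumed to come
from the policy rules.
"""
from collections import defaultdict, deque
from datetime import datetime

RANK = {"ALLOW": 0, "ASK": 1, "BLOCK": 2}

# Pattern 2 (constructed): each agent type may call only the tools in its profile.
AGENT_PROFILES = {
    "research-agent": {"database.query", "docs.search"},
    "deploy-agent": {"deploy.release", "deploy.rollback", "database.query"},
}

BUSINESS_HOURS = range(9, 18)          # assumed: 09:00-17:59
HIGH_COST_TOOLS = {"deploy.release"}   # assumed: always ask, whatever the hour


def tighten(current, floor):
    """Raise a decision to at least `floor`; never lower it."""
    return current if RANK[current] >= RANK[floor] else floor


class LayeredGate:
    def __init__(self, profiles=AGENT_PROFILES, max_calls=10, window_seconds=60):
        self.profiles = profiles
        self.max_calls = max_calls          # 10+ calls of one tool per window -> block
        self.window = window_seconds
        self.history = defaultdict(deque)   # (agent_id, tool) -> attempt timestamps (s)
        self.alerts = []                    # what an operator would be paged with

    def _count_attempt(self, agent_id, tool, now):
        """Record this attempt and return how many fell inside the window.
        Blocked attempts count too: a retrying agent should hit the limit
        sooner, not later."""
        q = self.history[(agent_id, tool)]
        ts = now.timestamp()
        while q and ts - q[0] >= self.window:
            q.popleft()
        q.append(ts)
        return len(q)

    def decide(self, agent_id, tool, base_decision, now):
        """Return (decision, reason) after applying the three layers in order."""
        # Pattern 2: a tool outside the agent's profile is blocked outright.
        if tool not in self.profiles.get(agent_id, set()):
            self._count_attempt(agent_id, tool, now)
            return "BLOCK", f"{tool} is not in the profile of {agent_id}"

        # Pattern 4: too many attempts in the window -> block and alert.
        attempts = self._count_attempt(agent_id, tool, now)
        if attempts >= self.max_calls:
            self.alerts.append(
                f"{now.isoformat()} {agent_id} called {tool} {attempts} times "
                f"within {self.window}s")
            return "BLOCK", "rate limit exceeded"

        # Pattern 3: after hours or high cost -> at least ASK.
        decision, reason = base_decision, "base policy"
        if now.hour not in BUSINESS_HOURS:
            decision, reason = tighten(decision, "ASK"), "after-hours call requires approval"
        if tool in HIGH_COST_TOOLS:
            decision, reason = tighten(decision, "ASK"), "high-cost tool always asks"
        return decision, reason


def at(hour, minute=0, second=0):
    """Constructed clock for the example: a fixed date, variable time of day."""
    return datetime(2026, 6, 18, hour, minute, second)


if __name__ == "__main__":
    gate = LayeredGate()
    print(gate.decide("research-agent", "database.query", "ALLOW", at(10)))
    print(gate.decide("research-agent", "deploy.release", "ALLOW", at(10)))
    print(gate.decide("deploy-agent", "database.query", "ALLOW", at(22)))
    print(gate.decide("deploy-agent", "deploy.release", "ALLOW", at(10)))
    for s in range(10):   # the tenth call inside one minute is blocked
        print(gate.decide("research-agent", "docs.search", "ALLOW", at(10, 0, s)))
    print(gate.alerts)
```

The order of the layers matters: the profile check runs first so an out-of-profile call never reaches the rate limiter's alert path with a misleading reason, and the rate limiter runs before the context layer so a burst of calls is blocked even when each individual call would only have been escalated to ASK.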

Compliance & Audit

Performance & Latency

Gating decisions are evaluated in <1ms for ALLOW policies (cached lookup). ASK policies suspend the call but don't block the agent thread. BLOCK decisions fail fast. The proxy scales to 10k+ tool calls per second.

Security Best Practices