Skip to content
ATAI Today Brief
HomeNewsConceptsGuidesToolbox
AboutSubscribeUA
Subscribe

AI Today Brief

The daily AI-engineering brief. Built in public. EN · UA.

XTelegramLinkedInYouTubeRSS
NewsConceptsGuidesSubscribeAdvertiseAboutEditorial policyAI disclosurePrivacyTerms

© 2026 AI Today Brief. All rights reserved.

  1. Home/
  2. News/
  3. Agents & MCP/
  4. Architectural Security for Agentic Systems: Guiding Identity, Delegation, and Audit Trails
Agents & MCP

Architectural Security for Agentic Systems: Guiding Identity, Delegation, and Audit Trails

July 10, 2026· 7 min read
OKCurated by Oleksandr Kuzmenko, AI Product Engineer·Updated July 10, 2026·Sources cited on every story
AI-assisted · editor-reviewed·How we use AI
Architectural Security for Agentic Systems: Guiding Identity, Delegation, and Audit Trails

A definitive security guide outlines threat models and architectural controls for Agent-to-Agent (A2A) and Model Context Protocol (MCP) networks. It details how to implement robust identity verification, gate delegation, and setup structured audit trails.

Impact: High

Why it matters

AI engineers can now architect secure multi-agent systems that cross organizational boundaries without risking prompt injections or token exfiltration.

TL;DR

  • 01Traditional LLM guardrails are insufficient; they protect conversation, not the action/protocol layer.
  • 02Treat all protocol-carried files and external outputs as untrusted inputs to prevent indirect prompt injection.
  • 03Implement specialized A2A/MCP gateways to handle OAuth scope verification, routing, and structured logging.

Key facts

Core Protocols Covered
MCP (Model Context Protocol) & A2A (Agent-to-Agent)
Recommended Gateway Pattern
A2A Gateway + MCP Proxy

Guardrails vs. Protocol Security vs. Runtime Policy

Securing agentic workflows requires understanding the distinct roles of three architectural layers:

  • LLM Guardrails: Operate directly on model inputs and outputs, blocking prompt injections and validating JSON structures.
  • Protocol Security: Operates at agent boundaries. It enforces who can call an MCP tool, manages OAuth scopes, and ensures downstream agents cannot act on behalf of a user without permission.
  • Runtime Policy: Evaluates safety rules independently of whether the call came via natural language or code, such as requiring human-in-the-loop approval for mutating databases or blocking unauthorized internet egress.

Threat Modeling the Agent Network

When designing multi-agent setups, developers must account for unique vulnerabilities:

  • Poisoned Tool Metadata: A compromised MCP server can alter its tool descriptions to trick the LLM into invoking write-capable backends.
  • Hidden Delegation Chains: High-privilege agents executing tasks for lower-privilege orchestrators can trigger unauthorized actions unless delegated scopes are enforced end-to-end.
  • Artifact-Carried Prompt Injection: PDFs, CSVs, or web pages fetched by an agent can embed adversarial instructions targeting downstream models.

Establishing Robust Gateways

To govern enterprise agent traffic, implement an A2A Gateway paired with an MCP Proxy. The gateway handles: 1. Token Exchange: Terminates external authentication and maps it to scoped internal tokens. 2. Egress & Routing: Prevents agents from calling unverified endpoints and restricts visibility of sensitive skills via tailored Agent Cards. 3. Structured Auditing: Emits standardized logs capturing every task transition and tool invocation.

Try it in 2 minutes

{
  "agent_card": {
    "id": "finance-analyzer-v1",
    "skills": [
      {
        "name": "analyze_invoice",
        "security": {
          "required_oauth_scopes": ["invoices:read"]
        }
      }
    ]
  }
}

json

✓ When to use

  • Designing multi-agent systems where agents belong to different teams, vendors, or access external APIs.
  • Integrating third-party MCP servers that interact with production databases or code repositories.

✕ When NOT to use

  • Simple single-agent applications running entirely in a localized sandbox environment with no external tool access.
  • Basic conversational chat widgets with no ability to delegate tasks or trigger side effects.

What to do today

  • →Audit your current MCP configurations and migrate from blanket "connect all" settings to tool allowlists.
  • →Set up an MCP proxy to monitor outgoing network requests initiated by autonomous developer agents.
#Model Context Protocol

Sources

  • A2A and MCP Agent Security Guide
ShareShare on XShare on LinkedIn
← Previous storyOpenAI Resets ChatGPT Work and Codex Limits for GPT-5.6 Sol LaunchNext story →Open Science Desktop: A Model-Agnostic Open-Source Alternative to Claude Science

Related stories

  • Agents & MCPAI-Powered Job Application Framework Using Claude Code
  • Agents & MCPOpen Science Desktop: A Model-Agnostic Open-Source Alternative to Claude Science
  • Agents & MCPBuild and Deploy a Lightweight Model Context Protocol Server on Edge Compute
  • Agents & MCPAnthropic Unveils Always-On Claude Cowork Mobile and Web Agents

Email digest

Get the morning AI brief

One email a day — the stories that matter for engineers, founders and tech leads. Human-edited, with links to primary sources.

  • ✓120+ sources scanned daily
  • ✓Edited by a human
  • ✓1 email per day
  • ✓EN + UA

By subscribing you agree to the privacy policy.