Architectural Security for Agentic Systems: Guiding Identity, Delegation, and Audit Trails
A definitive security guide outlines threat models and architectural controls for Agent-to-Agent (A2A) and Model Context Protocol (MCP) networks. It details how to implement robust identity verification, gate delegation, and setup structured audit trails.
Impact: High
Why it matters
AI engineers can now architect secure multi-agent systems that cross organizational boundaries without risking prompt injections or token exfiltration.
TL;DR
- 01Traditional LLM guardrails are insufficient; they protect conversation, not the action/protocol layer.
- 02Treat all protocol-carried files and external outputs as untrusted inputs to prevent indirect prompt injection.
- 03Implement specialized A2A/MCP gateways to handle OAuth scope verification, routing, and structured logging.
Key facts
- Core Protocols Covered
- MCP (Model Context Protocol) & A2A (Agent-to-Agent)
- Recommended Gateway Pattern
- A2A Gateway + MCP Proxy
Guardrails vs. Protocol Security vs. Runtime Policy
Securing agentic workflows requires understanding the distinct roles of three architectural layers:
- LLM Guardrails: Operate directly on model inputs and outputs, blocking prompt injections and validating JSON structures.
- Protocol Security: Operates at agent boundaries. It enforces who can call an MCP tool, manages OAuth scopes, and ensures downstream agents cannot act on behalf of a user without permission.
- Runtime Policy: Evaluates safety rules independently of whether the call came via natural language or code, such as requiring human-in-the-loop approval for mutating databases or blocking unauthorized internet egress.
Threat Modeling the Agent Network
When designing multi-agent setups, developers must account for unique vulnerabilities:
- Poisoned Tool Metadata: A compromised MCP server can alter its tool descriptions to trick the LLM into invoking write-capable backends.
- Hidden Delegation Chains: High-privilege agents executing tasks for lower-privilege orchestrators can trigger unauthorized actions unless delegated scopes are enforced end-to-end.
- Artifact-Carried Prompt Injection: PDFs, CSVs, or web pages fetched by an agent can embed adversarial instructions targeting downstream models.
Establishing Robust Gateways
To govern enterprise agent traffic, implement an A2A Gateway paired with an MCP Proxy. The gateway handles: 1. Token Exchange: Terminates external authentication and maps it to scoped internal tokens. 2. Egress & Routing: Prevents agents from calling unverified endpoints and restricts visibility of sensitive skills via tailored Agent Cards. 3. Structured Auditing: Emits standardized logs capturing every task transition and tool invocation.
Try it in 2 minutes
{
"agent_card": {
"id": "finance-analyzer-v1",
"skills": [
{
"name": "analyze_invoice",
"security": {
"required_oauth_scopes": ["invoices:read"]
}
}
]
}
}json
✓ When to use
- Designing multi-agent systems where agents belong to different teams, vendors, or access external APIs.
- Integrating third-party MCP servers that interact with production databases or code repositories.
✕ When NOT to use
- Simple single-agent applications running entirely in a localized sandbox environment with no external tool access.
- Basic conversational chat widgets with no ability to delegate tasks or trigger side effects.
What to do today
- Audit your current MCP configurations and migrate from blanket "connect all" settings to tool allowlists.
- Set up an MCP proxy to monitor outgoing network requests initiated by autonomous developer agents.
Sources