AgentBound: Securing Execution Boundaries of AI Agents

TL;DR

AgentBound is a novel access control framework that enhances the security of MCP servers used by AI agents, preventing malicious behavior with minimal performance impact.

Contribution

It introduces a declarative policy mechanism and enforcement engine for MCP servers, automatically generates policies with high accuracy, and demonstrates effective threat blocking.

Findings

AgentBound blocks most security threats in malicious MCP servers.

Policies can be generated automatically from source code with 80.9% accuracy.

The enforcement engine adds negligible overhead.

Abstract

Large Language Models (LLMs) have evolved into AI agents that interact with external tools and environments to perform complex tasks. The Model Context Protocol (MCP) has become the de facto standard for connecting agents with such resources, but security has lagged behind: thousands of MCP servers execute with unrestricted access to host systems, creating a broad attack surface. In this paper, we introduce AgentBound, the first access control framework for MCP servers. AgentBound combines a declarative policy mechanism, inspired by the Android permission model, with a policy enforcement engine that contains malicious behavior without requiring MCP server modifications. We build a dataset containing the 296 most popular MCP servers, and show that access control policies can be generated automatically from source code with 80.9% accuracy. We also show that AgentBound blocks the majority of security threats in several malicious MCP servers, and that the policy enforcement engine introduces negligible overhead. Our contributions provide developers and project managers with a foundation for securing MCP servers while maintaining productivity, enabling researchers and tool builders to explore new directions for declarative access control and MCP security.