Prompts Don't Protect: Architectural Enforcement via MCP Proxy for LLM Tool Access Control

TL;DR

This paper introduces an MCP proxy that enforces attribute-based access control to prevent unauthorized tool use by large language models, significantly reducing misuse in adversarial scenarios.

Contribution

The paper presents a novel architectural enforcement method via MCP proxy for reliable tool access control in autonomous LLM agents, outperforming prompt-based restrictions.

Findings

MCP proxy reduces unauthorized invocation rate to 0% across tested models.

Prompt-based restrictions only partially reduce misuse, leaving residual risk.

The approach adds less than 50ms median latency, suitable for deployment.

Abstract

Large language models increasingly operate as autonomous agents that select and invoke tools from large registries. We identify a critical gap: when unauthorized tools are visible in an agent's context, models select them in adversarial scenarios -- even when explicitly instructed otherwise. We propose a governed MCP proxy that enforces attribute-based access control (ABAC) at two points: tool discovery, where unauthorized tools are removed from the model's context window, and tool invocation, where a second check blocks any unauthorized call. Across three models (Qwen 2.5 7B, Llama 3.1 8B, Claude Haiku 3.5) and 150 adversarial tasks spanning four attack categories, our proxy reduces unauthorized invocation rate (UIR) to 0% while adding under 50ms median latency. Prompt-based restrictions reduce UIR by only 11--18 percentage points, leaving substantial residual risk. Our results show that architectural enforcement -- not prompting -- is necessary for reliable tool access control in deployed agentic systems.