Prompts Don't Protect: Architectural Enforcement via MCP Proxy for LLM Tool Access Control
For developers deploying LLM agents with tool access, this work demonstrates that architectural enforcement is necessary for reliable security, as prompt-based methods leave substantial residual risk.
The paper identifies that prompt-based restrictions are insufficient to prevent unauthorized tool selection by LLM agents in adversarial scenarios, and proposes a governed MCP proxy that enforces attribute-based access control at tool discovery and invocation, reducing unauthorized invocation rate to 0% with under 50ms median latency across three models and 150 adversarial tasks.
Large language models increasingly operate as autonomous agents that select and invoke tools from large registries. We identify a critical gap: when unauthorized tools are visible in an agent's context, models select them in adversarial scenarios -- even when explicitly instructed otherwise. We propose a governed MCP proxy that enforces attribute-based access control (ABAC) at two points: tool discovery, where unauthorized tools are removed from the model's context window, and tool invocation, where a second check blocks any unauthorized call. Across three models (Qwen 2.5 7B, Llama 3.1 8B, Claude Haiku 3.5) and 150 adversarial tasks spanning four attack categories, our proxy reduces unauthorized invocation rate (UIR) to 0% while adding under 50ms median latency. Prompt-based restrictions reduce UIR by only 11--18 percentage points, leaving substantial residual risk. Our results show that architectural enforcement -- not prompting -- is necessary for reliable tool access control in deployed agentic systems.