Ultra13
Learn · AI Agent Security

How do you secure AI agents?

To secure an AI agent, map every context source it can read, every action it can take, and every path where untrusted context can influence privileged behaviour. Then enforce controls at context assembly, retrieval, memory, tool calls, identity, egress, approvals, and audit logging. Prompt filters are not enough once an agent can use tools, RAG, memory, browsers, MCP servers, or customer data.

By the Ultra13 teamPublished Updated
TL;DR
  • Agent security is workflow security, not prompt security.
  • Inventory every context source and every sink the agent can reach.
  • Treat external content as evidence, not instruction.
  • Gate memory writes, inspect tool calls, control egress, and log source-to-sink decisions.
  • Re-test after every model, prompt, tool, or policy change.

Inventory context sources and sinks

List everything the agent can read — prompts, RAG chunks, memory, tool output, MCP responses, web pages, files — and everything it can do — tool calls, memory writes, exports, browser actions, code execution, approvals. Security lives in which sources may influence which sinks.

Separate evidence from instruction

Untrusted context should be able to inform an answer but not authorize an action. Retrieved documents, tool results, and memory entries carry provenance and trust labels so they cannot silently become standing instructions. This is the core idea behind a context firewall.

Enforce at the dangerous sinks

Inspect tool calls before execution, gate memory writes, apply egress DLP, and require authenticated approval for high-blast-radius actions. Related controls: prompt injection protection, memory poisoning prevention, and MCP security.

FAQ

Frequently asked questions

Why aren't prompt filters enough to secure an agent?
Filters inspect text. Once an agent can retrieve, remember, call tools, and act, benign-looking context can still drive a privileged action. The control that matters is source-to-sink authority.
What is a confused deputy attack in AI agents?
When an agent is tricked into using its own privileges on behalf of an untrusted source — for example, letting a customer ticket authorize a CRM write. Identity, tenant, approval, and source-to-sink controls prevent it.
Does Ultra13 replace application security?
No. It addresses context-to-action risk in agent workflows. Teams still need identity controls, least privilege, secure tool design, secrets management, and conventional application security.

See where the firewall stops the path.

Give us one agent workflow. We’ll map the context boundary, replay the abuse paths, and show where the Context Firewall blocks them.