How do you secure AI agents?
To secure an AI agent, map every context source it can read, every action it can take, and every path where untrusted context can influence privileged behaviour. Then enforce controls at context assembly, retrieval, memory, tool calls, identity, egress, approvals, and audit logging. Prompt filters are not enough once an agent can use tools, RAG, memory, browsers, MCP servers, or customer data.
- Agent security is workflow security, not prompt security.
- Inventory every context source and every sink the agent can reach.
- Treat external content as evidence, not instruction.
- Gate memory writes, inspect tool calls, control egress, and log source-to-sink decisions.
- Re-test after every model, prompt, tool, or policy change.
Inventory context sources and sinks
List everything the agent can read — prompts, RAG chunks, memory, tool output, MCP responses, web pages, files — and everything it can do — tool calls, memory writes, exports, browser actions, code execution, approvals. Security lives in which sources may influence which sinks.
Separate evidence from instruction
Untrusted context should be able to inform an answer but not authorize an action. Retrieved documents, tool results, and memory entries carry provenance and trust labels so they cannot silently become standing instructions. This is the core idea behind a context firewall.
Enforce at the dangerous sinks
Inspect tool calls before execution, gate memory writes, apply egress DLP, and require authenticated approval for high-blast-radius actions. Related controls: prompt injection protection, memory poisoning prevention, and MCP security.