What is context authority in AI agent security?
Context authority is the permission for a context source to influence an action, not merely to appear in the prompt. The dangerous question in agent security is not whether text looks malicious, but whether a given source should be allowed to influence a given sink — a tool call, memory write, export, browser action, approval, or final answer.
- Context authority = permission to influence an action, not just to be in the prompt.
- Appearing in context is not the same as being allowed to drive a sink.
- Source-to-sink policy encodes which sources may influence which actions.
- This reframes prompt injection as an authority problem, not a text problem.
Presence is not permission
Every span of context that enters the agent state — prompt, retrieved chunk, memory, tool result, MCP response — has a provenance and trust class. Being present in the window does not mean it may authorize an action. Context authority makes that distinction explicit and enforceable.
From authority to policy
A source-to-sink policy records, for each source class, which sinks it may influence and under what conditions. This is the object a context firewall enforces — see the founder essay prompt injection is not the problem, context authority is.