What is a context firewall for AI agents?
A context firewall is a runtime security boundary for AI agents. It controls which sources of context — user prompts, retrieved documents, memory, MCP responses, tool outputs, web pages, emails, and files — are allowed to influence which actions, such as tool calls, memory writes, data exports, browser actions, approvals, code execution, or final answers.
- A context firewall enforces source-to-sink policy: whether a given source of context may influence a given action.
- Unlike a prompt filter, it does not only ask whether text looks malicious — it controls authority.
- It applies across RAG, memory, MCP, tools, browsers, egress, and approvals.
- Every decision is logged with provenance so exploit paths can be replayed with enforcement off and on.
Why AI agents need a context firewall
Once an agent can read external content and take actions, the security boundary is no longer the prompt — it is the path from context to action. A benign-looking document, tool result, memory entry, or MCP response can still carry instructions that steer a privileged action. A context firewall governs that path.
Sources and sinks
A source is where a span of context comes from, with a trust class, tenant, and freshness: a user prompt, retrieved chunk, memory item, tool output, or MCP response. A sink is any action or output context can influence: a tool call, memory write, data export, browser action, code execution, approval, or final answer. Source-to-sink policy decides which sources may influence which sinks.
Context firewall vs prompt filter
A prompt filter asks whether text looks malicious. A context firewall asks whether a source should be allowed to influence an action. See context firewall vs prompt filter for a side-by-side comparison, and how to secure AI agents for the broader model.
When you do and don't need one
You need a context firewall when your agent can read external context and do something consequential: call APIs, update records, export data, write memory, execute code, browse, or act across tenants. You probably don’t need one if your AI only drafts text from a single user prompt with no tools, memory, retrieval, or side effects.