AgentBound: Securing Execution Boundaries of AI Agents

Computer Science > Cryptography and Security [Submitted on 24 Oct 2025 (v1), last revised 24 Apr 2026 (this version, v3)] AgentBound: Securing Execution Boundaries of AI Agents Christoph Bühler, Matteo Biagiola, Luca Di Grazia, Guido Salvaneschi Large Language Models (LLMs) have evolved into AI agents that interact with external tools and environments to perform complex tasks. The Model Context Protocol (MCP) has become the de facto standard for connecting agents with such resources, but security has lagged behind: thousands of MCP servers execute with unrestricted access to host systems, creating a broad attack surface. In this paper, we introduce AgentBound, the first access control framework for MCP servers. AgentBound combines a declarative policy mechanism, inspired by the Android permission model, with a policy enforcement engine that contains malicious behavior without requiring MCP server modifications. We build a dataset containing the 296 most popular MCP servers, and show that access control policies can be generated automatically from source code with 80.9% accuracy. We also show that AgentBound blocks the majority of security threats in several malicious MCP servers, and that the policy enforcement engine introduces negligible overhead. Our contributions provide developers and project managers with a foundation for securing MCP servers while maintaining productivity, enabling researchers and tool builders to explore new directions for declarative access control and MCP security. Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI); Software Engineering (cs.SE) ACM classes: D.2.0 Cite as: arXiv:2510.21236 [cs.CR]   (or arXiv:2510.21236v3 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2510.21236 Focus to learn more Journal reference: Proceedings of the 34th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (FSE). 2026 Related DOI: https://doi.org/10.1145/3808103 Focus to learn more Submission history From: Christoph Bühler [view email] [v1] Fri, 24 Oct 2025 08:10:36 UTC (199 KB) [v2] Wed, 29 Oct 2025 13:11:21 UTC (200 KB) [v3] Fri, 24 Apr 2026 09:59:19 UTC (193 KB) Access Paper: view license Current browse context: cs.CR < prev   |   next > new | recent | 2025-10 Change to browse by: cs cs.AI cs.SE References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)