arXiv · analysis signal

MCP Security Goes Architectural: Prompts Don't Protect

Prompts Don't Protect: Architectural Enforcement via MCP Proxy for LLM Tool Access Control

Signal thesis

Prompt-based MCP access control is fundamentally broken. The industry is moving toward architectural enforcement at the protocol level.

Why it matters

If agentk.it indexes 63 MCP servers that agents can freely select, every one of those tools becomes a potential attack surface. Understanding how the security model is evolving helps users and developers choose secure architectures.

Original source

https://arxiv.org/abs/2605.18414

Key takeaways


  1. LLMs ignore prompt-based tool restrictions in adversarial scenarios
  2. MCP Proxy approach: intercept tool calls at the protocol layer, enforce before the LLM sees them
  3. ADR system provides observability, detection, and response for enterprise MCP deployments
  4. Directly relevant to MCP server developers and agent platform builders

Ecosystem impact


MCP Server Developers

Should prepare for proxy-based access control as a standard layer

Agent Platform Builders

ADR pattern may become a required component for enterprise deployments

Full English translation


Two papers from the past week mark an inflection point in MCP security thinking.

The Problem: Prompts Are Not Security

Rohith Uppala’s paper “Prompts Don’t Protect” demonstrates a critical finding: when unauthorized tools are visible in an agent’s context window, LLMs will select them in adversarial scenarios — even when explicitly instructed otherwise in the system prompt. The prompt is a suggestion, not a security boundary.

The Solution: Protocol-Layer Enforcement

The proposed MCP Proxy sits between the agent and MCP servers, enforcing access control before tool calls reach the LLM. This is an architectural shift — security moves from the prompt layer (soft, unreliable) to the protocol layer (hard, enforceable).
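As an added illustration of the proxy pattern described above (example code, not from the paper or from agentk.it), this Python sketch applies a per-agent allowlist to the two MCP JSON-RPC methods involved: it prunes the server's `tools/list` reply so unauthorized tools never enter the model's context window, and answers a `tools/call` for a tool outside the allowlist with a JSON-RPC error before it reaches the server. The allowlist, tool names and messages are constructed for the example.

```python
# Constructed policy and messages for illustration; tool names are not from the paper.
ALLOWED_TOOLS = {"read_file", "search_docs"}

# Audit trail the proxy keeps so hidden tools and blocked calls are observable.
AUDIT_LOG = []


def filter_tools_list(response, allowed):
    """Prune a server's tools/list result so unauthorized tools never reach the
    model's context window: a tool the model cannot see cannot be selected."""
    tools = response.get("result", {}).get("tools", [])
    for tool in tools:
        if tool.get("name") not in allowed:
            AUDIT_LOG.append({"event": "tool_hidden", "tool": tool.get("name")})
    kept = [tool for tool in tools if tool.get("name") in allowed]
    return {**response, "result": {**response.get("result", {}), "tools": kept}}


def check_tool_call(request, allowed):
    """Decide whether a tools/call request may be forwarded to the server.
    Returns (forward, message): the request itself if permitted, otherwise a
    JSON-RPC error response (-32602, invalid params) to send back to the agent."""
    if request.get("method") != "tools/call":
        return True, request  # this policy only governs tool invocation
    name = request.get("params", {}).get("name")
    if name in allowed:
        AUDIT_LOG.append({"event": "tool_call_allowed", "tool": name})
        return True, request
    AUDIT_LOG.append({"event": "tool_call_blocked", "tool": name})
    error = {"jsonrpc": "2.0", "id": request.get("id"), "error": {
        "code": -32602, "message": f"tool not permitted by proxy policy: {name}"}}
    return False, error


# Constructed JSON-RPC messages as they would cross the proxy (not captured traffic).
SERVER_TOOLS_LIST = {"jsonrpc": "2.0", "id": 1, "result": {"tools": [
    {"name": "read_file", "inputSchema": {"type": "object"}},
    {"name": "delete_repo", "inputSchema": {"type": "object"}},
]}}
AGENT_CALL = {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
              "params": {"name": "delete_repo", "arguments": {}}}

if __name__ == "__main__":
    visible = filter_tools_list(SERVER_TOOLS_LIST, ALLOWED_TOOLS)
    print("tools shown to the model:", [t["name"] for t in visible["result"]["tools"]])
    forward, reply = check_tool_call(AGENT_CALL, ALLOWED_TOOLS)
    print("forward:", forward, "reply:", reply)
    print("audit:", AUDIT_LOG)
```

The audit entries are the hook for the runtime detection the enterprise discussion below calls for: a blocked call is a signal worth alerting on, not just a refused request.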

Enterprise Adoption

A separate paper from the ADR team describes the first large-scale, production-proven enterprise framework for securing AI agents operating through MCP. They identify three challenges: limited observability (existing EDR tools don’t understand MCP), protocol-level attack surfaces, and the need for runtime detection rather than static analysis.

What This Means for agentk.it Users

Every MCP server indexed in this directory is a potential tool an agent can invoke. Understanding that prompt-based restrictions are insufficient helps you evaluate which MCP servers to trust and how to deploy them securely.

Source: arXiv:2605.18414 (Prompts Don’t Protect) and arXiv:2605.17380 (ADR System)

What to watch next


  • Whether Anthropic or OpenAI adopt MCP Proxy patterns in their official MCP implementations
  • Open-source MCP Proxy implementations appearing on GitHub

Source and permission


Original title: Prompts Don't Protect: Architectural Enforcement via MCP Proxy for LLM Tool Access Control
Source: arXiv
Author: Rohith Uppala
Original date: 2026-05-18
Permission: open_license
Published: 2026-05-19
Source URL: https://arxiv.org/abs/2605.18414