MMODELYST
Papers/Prompts Don't Protect: Architectural Enforcement via MCP Proxy for LLM Tool Access Control
PAP

Prompts Don't Protect: Architectural Enforcement via MCP Proxy for LLM Tool Access Control

May 18, 2026

arXiv
Abstract

Large language models increasingly operate as autonomous agents that select and invoke tools from large registries. We identify a critical gap: when unauthorized tools are visible in an agent's context, models select them in adversarial scenarios -- even when explicitly instructed otherwise. We propose a governed MCP proxy that enforces attribute-based access control (ABAC) at two points: tool discovery, where unauthorized tools are removed from the model's context window, and tool invocation, where a second check blocks any unauthorized call. Across three models (Qwen 2.5 7B, Llama 3.1 8B, Claude Haiku 3.5) and 150 adversarial tasks spanning four attack categories, our proxy reduces unauthorized invocation rate (UIR) to 0% while adding under 50ms median latency. Prompt-based restrictions reduce UIR by only 11--18 percentage points, leaving substantial residual risk. Our results show that architectural enforcement -- not prompting -- is necessary for reliable tool access control in deployed agentic systems.

Select text to highlight · click a highlight to remove · saved in this browser only
Authors
Rohith Uppala
Your notes (browser-local)
saved
Cross-links
arXiv:2605.18414