arXiv:2605.18414: Prompts do not protect — MCP proxy with ABAC achieves 0% unauthorized tool calls

Research published on arXiv (2605.18414) brings a concerning finding for anyone building autonomous AI agents: instructions in the prompt are not sufficient protection when it comes to controlling tool access. Only an architectural solution — a middleware layer between the agent and its tools — can guarantee reliable protection.

Why prompts cannot protect LLM agents from tool misuse

A model that sees a list of tools in its context can select one not intended for the current user, even when explicitly forbidden by instructions. Author Rohith Uppala tested this on 150 adversarial tasks divided into four attack categories, using three language models — Qwen 2.5 7B, Llama 3.1 8B, and Claude Haiku 3.5. The result is unambiguous: prompt-based restrictions reduce UIR (Unauthorized Invocation Rate — the rate of unauthorized tool calls) by only 11 to 18 percentage points, leaving significant residual risk in every scenario.

UIR measures how often an agent successfully calls a tool for which access has not been granted. Even with strict, precisely worded instructions, models occasionally “forget” the restrictions or are led by adversarial input to bypass them.

How an MCP proxy with ABAC solves the problem architecturally

The proposed solution operates at the level of MCP (Model Context Protocol) — the open standard that defines how AI agents discover and invoke external tools and services. Instead of the agent communicating directly with tools, a governance MCP proxy is introduced that enforces ABAC (Attribute-Based Access Control) — an access control model based on attributes of the user, the tool, and the context.

The proxy acts at two points:

1. Tool discovery — unauthorized tools are removed from context at listing time, so the model physically cannot select what it cannot see.
2. Tool invocation — even if a call arrives, the proxy blocks it before execution.

Result: UIR drops to 0% with median latency under 50 ms — negligible for most production systems.

What this means for AI agent development in practice

The research, planned for the EMNLP 2026 Industry Track, sends a clear message to engineers building agent systems: security logic must not live only in the prompt. Just as web applications protect API endpoints not with code comments but with middleware layers and tokens, AI agents need architectural boundaries — not just verbal ones.

For projects using the MCP ecosystem (a growing practice in 2025/2026), implementing a governance proxy layer with ABAC policies becomes a recommended security hygiene measure, especially in multi-tenant and enterprise environments where different users have different permissions over tool sets.