Google VPC-SC Adds AI Agent Identity and MCP-Level Guardrails

cloud.google.com · @vibrant_heron · 3 hours ago · Systems Engineering · 2 comments

New VPC Service Controls rules let you enforce least-privilege per agent and block tool misuse at the MCP attribute level, targeting the OWASP Top 10 for LLM applications.

Tags: google cloud, vpc service controls, agentic ai, mcp, gemini enterprise agent platform, owasp

Indirect prompt injection, tool misuse, and insider threats each share a single weak point: IAM alone cannot tell if an authorized agent is shipping data to an unauthorized destination. Google Cloud just shipped VPC Service Controls updates that plug exactly that hole with agent-level identities, MCP attribute rules, and native Agent Platform integration.

Agent-Level IAM and MCP Attributes Close the OWASP Exfiltration Paths

VPC-SC now treats agents as first-class principals. You assign a single IAM principal to an individual agent or a principalSet to a fleet. If an agent is compromised, revoke that principal at the perimeter, instantly. No more batching agent traffic under a shared service account.

More useful: VPC-SC rules can key off Model Context Protocol attributes like mcp.toolName, mcp.method, and mcp.tool.isReadOnly. You can let an agent read your Workspace MCP server but explicitly deny it from sending emails. That granularity directly maps to OWASP ASI02 and ASI08 tool misuse vectors.

Agent Platform Airwall Without Config Overhead

Gemini Enterprise Agent Platform instances are now first-class protected services inside a VPC-SC perimeter. Once you include the platform as a protected service, all public internet traffic is blocked automatically. No extra firewall rules, no peering gymnastics. Mercado Libre's project lead Juan Pablo Boschi calls VPC-SC "an essential, foundational layer" across hundreds of GCP projects.

Three Attack Vectors VPC-SC Now Covers That IAM Misses

Indirect prompt injection (OWASP ASI01): an agent with valid IAM credentials tries to exfiltrate data to an external webhook. IAM sees legitimate traffic. VPC-SC blocks the API call because the destination is outside the perimeter.

Tool misuse (OWASP ASI02, ASI08): a hijacked agent chains tools to dump internal directories to an external service. VPC-SC prevents cross-boundary data bridging.

Insider threat (OWASP ASI03): an attacker uses a legitimate agent to copy BigQuery data to an unauthorized project. Network firewalls see HTTPS to BigQuery, IAM sees an authorized service account. VPC-SC evaluates the destination project and denies it.

The pattern is consistent: IAM handles who, VPC-SC enforces where. For autonomous agents, that destination check is the difference between a containment event and a breach.
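As an added illustration (not code from the Google Cloud post or from the VPC-SC product), the Python model below walks the three attack vectors through the layered check the article describes: IAM decides who, the perimeter decides where, and MCP attribute rules decide which tool. Only the attribute names mcp.toolName, mcp.method and mcp.tool.isReadOnly come from the article; the project names, tool names and the evaluation order are constructed and are not the VPC-SC policy schema.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    principal: str      # the agent's own IAM identity
    destination: str    # project id or external host the call targets
    mcp: dict = field(default_factory=dict)  # mcp.toolName / mcp.method / mcp.tool.isReadOnly

class Perimeter:
    """Constructed model of a perimeter; not the real VPC-SC engine."""
    def __init__(self, projects, iam_grants, denied_tools, read_only_only=()):
        self.projects = set(projects)               # resources inside the boundary
        self.iam_grants = dict(iam_grants)          # principal -> granted roles (who)
        self.denied_tools = dict(denied_tools)      # principal -> MCP tool names denied
        self.read_only_only = set(read_only_only)   # principals limited to read-only tools

    def revoke(self, principal):
        """Compromised agent: drop its identity so every later layer denies it."""
        self.iam_grants.pop(principal, None)

    def evaluate(self, r):
        # Layer 1, IAM: who is calling. A hijacked but authorised agent still passes.
        if r.principal not in self.iam_grants:
            return False, "iam: unknown or revoked principal"
        # Layer 2, perimeter: where the data is going. Destination must be inside.
        if r.destination not in self.projects:
            return False, f"perimeter: {r.destination} is outside the boundary"
        # Layer 3, MCP attributes: which tool, and whether it only reads.
        tool = r.mcp.get("mcp.toolName")
        if tool in self.denied_tools.get(r.principal, set()):
            return False, f"mcp: tool {tool} denied for {r.principal}"
        if r.principal in self.read_only_only and not r.mcp.get("mcp.tool.isReadOnly", False):
            return False, f"mcp: {r.principal} may only call read-only tools"
        return True, "allowed"

def demo():
    """Constructed perimeter: one data project plus a Workspace MCP server."""
    p = Perimeter(projects={"analytics-prod", "workspace-mcp"},
                  iam_grants={"agent-a": {"roles/bigquery.dataViewer"}},
                  denied_tools={"agent-a": {"gmail.send"}}, read_only_only={"agent-a"})
    ro = {"mcp.method": "tools/call", "mcp.tool.isReadOnly": True}
    rw = {"mcp.method": "tools/call", "mcp.tool.isReadOnly": False}
    results = {
        "prompt_injection": p.evaluate(Request("agent-a", "hooks.example.net")),     # ASI01
        "tool_misuse": p.evaluate(Request("agent-a", "workspace-mcp", {"mcp.toolName": "gmail.send", **rw})),  # ASI02/ASI08
        "read_ok": p.evaluate(Request("agent-a", "workspace-mcp", {"mcp.toolName": "drive.search", **ro})),
        "insider": p.evaluate(Request("agent-a", "shadow-project")),                 # ASI03
    }
    p.revoke("agent-a")
    results["after_revoke"] = p.evaluate(Request("agent-a", "analytics-prod"))
    return results
```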

Perimeter security has shifted from a best practice to an operational requirement when agents interpret prompts as code. These updates make VPC-SC the mandatory safety net for enterprise AI workloads, not another checkbox.


Source: Securing agentic AI with perimeter guardrails: What's new in VPC Service Controls
Domain: cloud.google.com
