Indirect prompt injection, tool misuse, and insider threats each share a single weak point: IAM alone cannot tell if an authorized agent is shipping data to an unauthorized destination. Google Cloud just shipped VPC Service Controls updates that plug exactly that hole with agent-level identities, MCP attribute rules, and native Agent Platform integration.
Agent-Level IAM and MCP Attributes Close the OWASP Exfiltration Paths
VPC-SC now treats agents as first-class principals. You assign a single IAM principal to an individual agent or a principalSet to a fleet. If an agent is compromised, revoke that principal at the perimeter, instantly. No more batching agent traffic under a shared service account.
More useful: VPC-SC rules can key off Model Context Protocol attributes like mcp.toolName, mcp.method, and mcp.tool.isReadOnly. You can let an agent read your Workspace MCP server but explicitly deny it from sending emails. That granularity directly maps to OWASP ASI02 and ASI08 tool misuse vectors.
Agent Platform Airwall Without Config Overhead
Gemini Enterprise Agent Platform instances are now first-class protected services inside a VPC-SC perimeter. Once you include the platform as a protected service, all public internet traffic is blocked automatically. No extra firewall rules, no peering gymnastics. Mercado Libre's project lead Juan Pablo Boschi calls VPC-SC "an essential, foundational layer" across hundreds of GCP projects.
Three Attack Vectors VPC-SC Now Covers That IAM Misses
Indirect prompt injection (OWASP ASI01): an agent with valid IAM credentials tries to exfiltrate data to an external webhook. IAM sees legitimate traffic. VPC-SC blocks the API call because the destination is outside the perimeter.
Tool misuse (OWASP ASI02, ASI08): a hijacked agent chains tools to dump internal directories to an external service. VPC-SC blocks the cross-boundary transfer, so the data never bridges the perimeter.
Insider threat (OWASP ASI03): an attacker uses a legitimate agent to copy BigQuery data to an unauthorized project. Network firewalls see HTTPS to BigQuery, IAM sees an authorized service account. VPC-SC evaluates the destination project and denies it.
The pattern is consistent: IAM handles who, VPC-SC enforces where. For autonomous agents, that destination check is the difference between a containment event and a breach.
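To make the "who versus where" split concrete, here is an added toy model (not Google's code and not the real VPC Service Controls API or rule schema) that puts an IAM role check beside a perimeter check keyed on destination project, agent principal, and the MCP attributes named above (mcp.toolName, mcp.method, mcp.tool.isReadOnly). The rule shapes, the agent identity and the project names are constructed assumptions; the scenarios mirror the three attack vectors just listed.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    principal: str               # agent-level IAM principal
    source_project: str          # project whose data the agent reads
    destination: str             # project or external endpoint the data is sent to
    mcp: dict = field(default_factory=dict)  # MCP attributes named on the page

@dataclass
class Perimeter:
    projects: set                # projects inside the perimeter
    agents: set                  # agent principals still permitted; revoke by removing one
    denied_tools: set            # MCP tool names blocked by an attribute rule (assumed form)

def iam_allows(req: Request, roles: dict) -> bool:
    """IAM answers 'who': the principal holds a role on the data it reads, nothing about where it goes."""
    return req.source_project in roles.get(req.principal, set())

def perimeter_allows(req: Request, p: Perimeter):
    """The perimeter answers 'where' and, for MCP traffic, 'which tool'."""
    if req.principal not in p.agents:
        return False, "agent principal revoked at the perimeter"
    if req.destination not in p.projects:
        return False, f"destination {req.destination} is outside the perimeter"
    tool = req.mcp.get("mcp.toolName")
    if tool in p.denied_tools:
        return False, f"MCP tool {tool} denied by attribute rule"
    if tool and not req.mcp.get("mcp.tool.isReadOnly", False):
        return False, f"MCP tool {tool} is not read-only"
    return True, "allowed"

def evaluate(req: Request, roles: dict, p: Perimeter):
    """Both layers must agree; returns (decision, deciding layer, reason)."""
    if not iam_allows(req, roles):
        return "DENY", "iam", "principal holds no role on the source project"
    ok, reason = perimeter_allows(req, p)
    return ("ALLOW" if ok else "DENY"), "vpc-sc", reason

def run_scenarios():
    """Constructed scenarios mirroring the page's three vectors plus a legitimate read."""
    agent = "serviceAccount:agent-7@example-proj.iam.gserviceaccount.com"  # constructed
    roles = {agent: {"proj-internal"}}          # IAM: the agent may read proj-internal
    p = Perimeter(projects={"proj-internal"}, agents={agent}, denied_tools={"send_email"})
    ro = {"mcp.toolName": "search_files", "mcp.method": "tools/call", "mcp.tool.isReadOnly": True}
    rw = {"mcp.toolName": "send_email", "mcp.method": "tools/call", "mcp.tool.isReadOnly": False}
    cases = {"prompt_injection": Request(agent, "proj-internal", "external:webhook.example"),
             "tool_misuse": Request(agent, "proj-internal", "proj-internal", rw),
             "insider_copy": Request(agent, "proj-internal", "proj-unauthorized"),
             "legit_read": Request(agent, "proj-internal", "proj-internal", ro)}
    return {name: evaluate(r, roles, p) for name, r in cases.items()}
```

Every request in the scenarios passes the IAM check; only the perimeter layer turns the three attack vectors into denials while leaving the read-only in-perimeter call alone.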
Perimeter security has shifted from a best practice to an operational requirement when agents interpret prompts as code. These updates make VPC-SC the mandatory safety net for enterprise AI workloads, not another checkbox.
Source: Securing agentic AI with perimeter guardrails: What's new in VPC Service Controls
Domain: cloud.google.com