The hype of AI Agents is in full swing, with Anthropic's Model Context Protocol (MCP) being the highly popular, de facto standard to connect agents with external tools to access files, networks, and APIs. Here, unfortunately, security has been left once again as an afterthought. Ever since LLMs were given the possibility to interact with your computer and environment via tool calls and MCP, not much has been done about security. So, how can we secure AI agent-based systems before we end up in a security nightmare?

In this session for AI-, security-, and software-engineers, we shed some light on the security challenges of agentic AI systems and how to mitigate them. We show how the application of a permission-based access control mechanism can encapsulate MCP servers that are otherwise executed with full privileges. We discuss how our solution comes at little to no performance cost and is compatible with the current implementations of MCP servers, allowing for easy adoption.

Devoxx

A researcher from the University of Zangalan presents security risks posed by agentic AI systems, illustrated by real-world incidents including AI agents deleting production databases and entire drives. The talk covers prompt injection vulnerabilities, jailbreaking via language switching, and the fundamental problem of agents inheriting full user permissions. A proposed mitigation approach wraps MCP servers in Docker containers with a policy enforcement engine that enforces fine-grained access control policies (read/write permissions per directory, internet domain access), adding only ~0.6ms overhead. Limitations include inability to prevent parameter-level prompt injections within permitted access boundaries. Future research directions include behavior analysis inspired by malware detection to distinguish malicious from benign agent actions at runtime.

Why Security Matters: The Risks of Agentic AI and How to Mitigate Them by Christoph Bühler