Production is a different security environment
In development, the worst that happens when an agent misbehaves is a confusing output or a wasted API call. In production, an agent with access to real customer data, live databases, and external communication tools can exfiltrate sensitive records, corrupt data, or generate outputs that violate regulatory requirements — all before a human has a chance to intervene. The security controls that suffice in development are not the security controls that production demands.
This article covers the three security mechanisms that differentiate a development-quality MCP deployment from a production-quality one: PII redaction, input and output guardrails, and systematic data exfiltration prevention.
PII redaction in MCP workflows
AI agents frequently retrieve content that contains personally identifiable information: customer records, support tickets, medical notes, financial statements. In many architectures this content flows directly into the LLM's context window, creating two risks. First, the LLM may echo PII in its output — into a response visible to other users, into a log that persists, or into a tool call parameter sent to an external system. Second, if the LLM provider processes data outside your regulatory jurisdiction, sending PII to it may violate data residency requirements.
Effective PII redaction in an MCP context operates at the gateway layer, on tool call outputs, before they reach agent memory. When a tool returns a customer record, the gateway inspects the response and redacts or pseudonymises fields that should not enter LLM context: social security numbers, credit card numbers, passport numbers, medical identifiers, and similar sensitive categories.
This approach has a significant advantage over redaction in agent code: it is applied consistently regardless of which agent or framework sent the tool call. Developers do not need to implement redaction logic individually; it is enforced at the infrastructure layer.
Compliance note: For HIPAA, GDPR, and EU AI Act compliance, PII redaction at the gateway layer produces an auditable control point. Regulators can be shown that PII does not flow into model context, without relying on individual agent implementations.
Input guardrails: defending against injected instructions
Input guardrails inspect content flowing into the agent — through tool call outputs, through user messages, through retrieved documents — for patterns that suggest prompt injection attempts. The goal is to identify and neutralise malicious instructions before they reach the LLM's reasoning step.
A practical input guardrail stack for production MCP deployments includes:
Injection pattern detection — scanning for instruction-format text in content that should be purely data (tool outputs, database records, email content)
Jailbreak attempt detection — identifying requests that attempt to override the agent's system prompt or operational boundaries
Anomalous instruction detection — flagging content that contains imperative verbs targeting sensitive operations (delete, transfer, exfiltrate) in contexts where such instructions are not expected
Source-aware trust scoring — applying stricter scanning to content from less trusted sources (user-submitted content, scraped web pages) than to content from internal verified systems
Input guardrails are not foolproof — adversarial prompt injection is an active research area and attack patterns evolve — but they significantly raise the cost of successful injection attacks and catch the large category of opportunistic, non-sophisticated attempts.
Output guardrails: controlling what agents produce
Output guardrails operate on what the agent generates — responses, tool call parameters, messages sent to users — before they leave the controlled environment. Key output guardrail functions:
PII detection in agent outputs — ensuring the agent has not included customer data, credentials, or internal identifiers in responses that will be logged or transmitted
Sensitive action validation — requiring a secondary confirmation before agents invoke high-risk tools (write, delete, send) when triggered by unusual reasoning chains
Response schema validation — ensuring agent outputs conform to expected formats before being passed to downstream systems
Content policy enforcement — blocking outputs that violate organisational content policies (competitor mentions, regulatory prohibited language, inappropriate content)
Data exfiltration prevention
The subtlest production security challenge is the multi-step exfiltration scenario: an agent uses a combination of legitimately authorised tool calls to move sensitive data to an unauthorised destination. Each individual tool call passes access control checks, but the sequence achieves an outcome that was never intended to be authorised.
Consider an agent authorised to read from a customer database and send Slack messages. A prompt injection in a retrieved record instructs the agent to read all customer records matching a certain criterion and forward them to an external Slack workspace. Each tool call — database read, Slack message — is authorised. The combination is an exfiltration.
Preventing this requires session-level behavioural monitoring: tracking the sequence of tool calls within a workflow and detecting patterns that deviate from established baselines. Specific controls include:
Volume anomaly detection — alerting when an agent reads an unusually high volume of records in a single session
Cross-system data flow monitoring — flagging when data retrieved from a read tool is passed as a parameter to a write or send tool
Destination validation for communication tools — checking that external communication tool calls target only pre-approved destinations
TrueFoundry MCP Gateway
TrueFoundry's MCP Gateway applies both input and output guardrails to every tool call as a native infrastructure capability. PII redaction runs on tool outputs before they reach agent context, with configurable sensitivity categories. Input guardrails detect prompt injection and jailbreak patterns in retrieved content. Output guardrails enforce content policies and validate tool call parameters. Full session traces via OpenTelemetry enable post-incident investigation and anomaly detection across tool call sequences. All guardrail events are logged with full context for compliance audit trails.
The operational checklist for production MCP security
Before promoting any agentic MCP workflow to production, validate these controls are in place: PII redaction is configured on all tool outputs that return customer or employee data; input guardrails are enabled and tuned for your content sources; output guardrails are active on all tool calls with write access; RBAC is configured at the tool level with least-privilege principles; every tool call is logged with agent identity and full request/response; and a runbook exists for responding to a suspected agent security incident, including how to suspend an agent's tool access without taking the product offline.
[Explore TrueFoundry's Gateways →]{truefoundry.com)
Top comments (0)