A new paper argues that the way most AI agent runtimes handle security stops at the connection layer — and that is not nearly enough.
Researchers built a benchmark of 10 attack cases targeting Model Context Protocol-style agent systems, the kind of tool-connection infrastructure increasingly used to wire up language models to external services. A baseline runtime with no mitigations failed all 10. A more careful runtime — one with metadata checks, session validation, and per-call approval dialogs — still permitted 6 of the 10 attacks. Only HCP, the paper's own reference runtime built around explicit execution-layer controls, blocked every case while preserving audit trails. The researchers measured sub-millisecond latency for core policy operations, suggesting the overhead is not prohibitive.
The finding matters because MCP-style ecosystems are spreading fast, and most implementations are still treating security as a connection problem rather than an execution problem. The paper defines eight specific invariants — things like grant-backed approval, scoped capability invocation, and data-flow authorization — that a runtime should enforce deterministically, not leave to prompts or approval dialogs that users will click through.
This is academic research, not a shipping product, and the authors are careful to limit their claims. But the gap they identify is real: agent systems are accreting complexity faster than anyone is defining what the security primitives should actually be.