Blog

MCP security

securityai-agentsmcpruntime-trust

Confused Deputy in AI Agents: What It Is & How to Stop It

Untrusted intent can hijack trusted credentials in MCP and agent systems. Learn runtime authorization patterns that break the attack path.

May 27, 20266 min read

Confused deputy issues happen when an agent uses trusted credentials to execute untrusted intent. In AI systems, this often appears as model-influenced tool calls that exceed user intent.

Confused deputy in MCP and agent systems

A confused deputy attack uses a privileged agent or tool to perform actions the user did not intend — often via indirect prompt injection in tool output or web content. The agent "deputizes" trusted credentials for untrusted intent.

  • Separate user intent from model-suggested tool calls with source-trust scoring.
  • Require verification when source trust is tool_output or untrusted_content.
  • Scope OAuth and API tokens per agent identity — no shared super-credentials.

Key takeaways

  • The agent has authority; the attacker controls intent through data.
  • Tool wrappers should enforce actor-aware policy, not generic allowlists only.
  • Human verification helps when delegated authority is high-impact.

Implementation checklist

  1. Separate user intent from tool capability in policy checks.
  2. Include actor identity and source trust in verification context.
  3. Block privileged actions when trust signals are low.

People also ask

Why are AI agents vulnerable to confused deputy attacks?

Because they combine broad machine authority with untrusted external inputs that can influence execution decisions.

Can RBAC alone solve confused deputy risk?

RBAC helps, but you also need runtime context checks and action-level policy decisions at execution time.

What is the safest default for ambiguous intent?

Require verification or block until explicit human confirmation clarifies intent.

Guides: agentic AI risk · MCP security · runtime authorization · HITL approvals · coding agents · get startedMore: all posts · AI trust layer · open Sanctum Console

Give every agent action a trust boundary.

Start with Connect Agent, keep the SDK path for deeper fleets, and prove exactly what was approved, blocked, or contained.