Current AI agents leverage the Model Context Protocol (MCP) to invoke external tools for complex task execution; however, existing MCP servers widely lack access control, exposing host systems to significant security risks. To address this, we propose AgentBound—the first lightweight access control framework tailored for MCP servers. Inspired by the Android permission model, AgentBound supports declarative policy specification and automatically infers fine-grained permissions via static code analysis—requiring no modifications to the MCP protocol or server-side implementations. It integrates a low-overhead runtime enforcement engine for real-time behavior monitoring and policy-based interception. Evaluated across 296 mainstream MCP servers, AgentBound achieves an 80.9% accuracy in automated policy generation, effectively blocks known malicious behaviors, and incurs an average performance overhead of less than 1.2%.

Large Language Models (LLMs) have evolved into AI agents that interact with external tools and environments to perform complex tasks. The Model Context Protocol (MCP) has become the de facto standard for connecting agents with such resources, but security has lagged behind: thousands of MCP servers execute with unrestricted access to host systems, creating a broad attack surface. In this paper, we introduce AgentBound, the first access control framework for MCP servers. AgentBound combines a declarative policy mechanism, inspired by the Android permission model, with a policy enforcement engine that contains malicious behavior without requiring MCP server modifications. We build a dataset containing the 296 most popular MCP servers, and show that access control policies can be generated automatically from source code with 80.9% accuracy. We also show that AgentBound blocks the majority of security threats in several malicious MCP servers, and that policy enforcement engine introduces negligible overhead. Our contributions provide developers and project managers with a practical foundation for securing MCP servers while maintaining productivity, enabling researchers and tool builders to explore new directions for declarative access control and MCP security.