Introducing MCP Tool ACLs: Fine-Grained Authorization for AI Agent Tools

Kong AI Gateway 3.13 introduces MCP Tool ACLs, offering a solution to the 'all-or-nothing' access problem by enabling granular authorization and security policies for AI agent tools. This feature addresses challenges posed by modern AI agents interacting with external systems via the Model Context Protocol (MCP), allowing organizations to implement detailed authorization policies at the gateway layer. MCP Tool ACLs provide the ability to filter tools based on identity, apply default-deny policies, and leverage consumer group functionalities, ensuring that only authorized tools are accessible to specific users or applications. The feature integrates seamlessly with OAuth2/OIDC for robust authentication and offers dynamic tool filtering to ensure only permitted tools are visible to clients. This development is crucial for securing and governing AI agent architectures, especially in regulated industries, by facilitating compliance and auditability while enabling safer and more compliant AI systems. Organizations can now deploy AI agents with confidence, applying fine-grained tool authorization to enhance their AI governance approach.