The agent security conversation has narrowed around the Model Context Protocol, and for good reason. MCP gives an agent one common way to connect to external tools, which creates a clearer place to think about permissions, routing, and enforcement. But MCP is only one part of the tool environment agents use in practice, and the risk that matters reaches across the whole toolset.
That toolset is not fixed. The set of tools in front of an agent is often assembled at runtime and shifts with the user, the session, the workspace, and the context it retrieves. The same agent can finish one task with one set of tools and begin the next with another, with no code change and no release in between. An agent vetted at onboarding can change its capabilities and its risk profile in minutes by adding a new tool or writing its own skill. Governing any single tool in isolation falls short.
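One concrete way to act on the point above is to treat the toolset an agent was vetted with as a baseline and diff the toolset it actually holds at runtime, flagging new tools, escalated capabilities, and high-risk capabilities that were never reviewed. The following is an added illustration, not code from this guide or from any particular agent framework; the `Tool` and `DriftReport` types, the capability strings, the `HIGH_RISK` list, and both toolsets are constructed assumptions for the example.

```python
"""Detect toolset drift between an agent's vetted manifest and its runtime toolset.

Added example (hypothetical types and constructed data), not the guide's own code.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Tool:
    """One tool an agent can call, regardless of how it was wired in."""
    name: str
    kind: str                      # assumed kinds: "knowledge", "mcp", "skill", "plugin", "api"
    capabilities: FrozenSet[str]   # assumed capability labels such as "read:docs", "exec:shell"


# Constructed sample: the toolset reviewed when the agent was onboarded.
VETTED: Set[Tool] = {
    Tool("docs_search", "knowledge", frozenset({"read:docs"})),
    Tool("calendar", "mcp", frozenset({"read:calendar", "write:calendar"})),
}

# Constructed sample: the toolset observed in a later session. The agent has
# picked up a new skill and the calendar server now exposes an extra capability,
# with no code change or release in between.
RUNTIME_SESSION: Set[Tool] = {
    Tool("docs_search", "knowledge", frozenset({"read:docs"})),
    Tool("calendar", "mcp", frozenset({"read:calendar", "write:calendar", "delete:calendar"})),
    Tool("deploy_helper", "skill", frozenset({"exec:shell", "write:files"})),
}

# Assumed policy: capabilities that always need a human review before use.
HIGH_RISK: Set[str] = {"exec:shell", "write:files", "delete:calendar", "send:email"}


@dataclass
class DriftReport:
    added_tools: List[str]          # tools present at runtime but absent from the manifest
    removed_tools: List[str]        # tools in the manifest that disappeared at runtime
    escalated: Dict[str, List[str]] # tool name -> capabilities it gained since vetting
    high_risk_new: Set[str]         # high-risk capabilities the vetted toolset never had


def diff_toolset(vetted: Set[Tool], runtime: Set[Tool]) -> DriftReport:
    """Compare a runtime toolset against the vetted manifest, tool by tool and capability by capability."""
    vetted_by_name = {t.name: t for t in vetted}
    runtime_by_name = {t.name: t for t in runtime}

    added = sorted(set(runtime_by_name) - set(vetted_by_name))
    removed = sorted(set(vetted_by_name) - set(runtime_by_name))

    # A tool that keeps its name but gains capabilities is drift too; the manifest
    # only covered what the tool could do at vetting time.
    escalated: Dict[str, List[str]] = {}
    for name in set(vetted_by_name) & set(runtime_by_name):
        new_caps = runtime_by_name[name].capabilities - vetted_by_name[name].capabilities
        if new_caps:
            escalated[name] = sorted(new_caps)

    # Look at the toolset as a whole: which high-risk capabilities are reachable now
    # that no vetted tool provided before?
    vetted_caps = set().union(*(t.capabilities for t in vetted))
    runtime_caps = set().union(*(t.capabilities for t in runtime))
    high_risk_new = (runtime_caps - vetted_caps) & HIGH_RISK

    return DriftReport(added, removed, escalated, high_risk_new)


def requires_review(report: DriftReport) -> bool:
    """Gate: any new tool, any escalated capability, or any new high-risk capability blocks the session until reviewed."""
    return bool(report.added_tools or report.escalated or report.high_risk_new)


if __name__ == "__main__":
    report = diff_toolset(VETTED, RUNTIME_SESSION)
    print("added:", report.added_tools)
    print("removed:", report.removed_tools)
    print("escalated:", report.escalated)
    print("new high-risk capabilities:", sorted(report.high_risk_new))
    print("requires review:", requires_review(report))
```

The check is deliberately keyed on the agent's whole toolset rather than on one tool type: the new `deploy_helper` skill and the extra `delete:calendar` capability on an existing MCP server both surface in the same report, which is what a governance process built around a fixed onboarding manifest would miss.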
This guide gives security and AI teams a clear picture of the tools agents actually use (knowledge sources, hard-coded tools, MCP servers, skills, plugins, extensions, and APIs) and three foundational principles for governing the whole toolset through the lens of the agent, continuously, as workflows evolve.
What you will take away
- A working map of the tool types your agents use, and why each one changes what an agent can see and do
- Why a changing toolset is normal for agents, and what that means for governance built around fixed manifests
- Three foundational principles for governing the whole agentic toolset, not only the traffic that passes through a gateway