Skip to main content

Security properties

No self-authorization

The user’s security policy is the sole authorization authority. Agents cannot self-authorize or grant themselves permissions.

Verified identity

Agent identity is verified by infrastructure under the user’s control at the plane boundary — agents cannot self-assert their identity to the Action Plane.

Continuous enforcement

The enforcement point applies security policy on every operation before it reaches MCP servers.

Audit surface

Every EMO crosses the MCP boundary, creating a natural audit point for all agent actions.
By externalizing EMOs, agents avoid executing untrusted or privileged actions internally. Authorization denials are standard and structured, enabling agents to handle them gracefully without leaking policy details.

Implementation notes

GPARS v0.1 intentionally leaves implementation choices open. The following are suggestions, not requirements.
  • Enforcement point implementations: reverse proxies, network isolation, Unix socket permissions, containers, runtime sandboxes, or OS-level isolation.
  • Identity verification mechanisms: mTLS, API keys, process-level isolation, or other methods appropriate to your deployment.
  • Policy management engines: static config files, RBAC engines, or interactive approval prompts.