Securing agentic AI: What’s new in VPC Service Controls

June 26, 2026

As enterprises scale autonomous AI agents into production, enabling safe innovation requires robust architectural guardrails. AI agents connect across tools and datasets, so it’s essential to establish clear network-level boundaries for comprehensive data protection. 

To help organizations confidently deploy these workflows, we recommend VPC Service Controls (VPC-SC) to establish an essential network-level, destination-based perimeter. Today we’re announcing several new capabilities specifically designed for agentic workloads.

What’s new in VPC Service Controls

Designed to enhance AI security, the new capabilities we’re announcing today strengthen boundaries enforced by VPC-SC.

The capability updates include:

  • Agent identity in directional rules: Enforcing least-privilege access requires treating agents as first-class identities. You can now add agentic identities directly to service perimeter ingress and egress rules using standard Identity and Access Management (IAM) principals.

    A single principal maps to an individual agent, while a principalSet maps to a broader collection of agents. A principalSet lets administrators apply consistent, auditable access policies across agent fleets. If an agent is compromised, you can immediately revoke its access at the network perimeter.

  • Granular control with Model Context Protocol (MCP) attributes: As MCP becomes the standard integration layer for agentic systems, the ability to enforce policy at the tool level is critical. VPC Service Controls now supports conditional access rules based on specific MCP attributes, including mcp.toolName, mcp.method, and mcp.tool.isReadOnly.

    For example, you can grant an agent read access to a Workspace MCP server while explicitly denying its ability to send emails.

  • Securing the Gemini Enterprise Agent Platform: The Gemini Enterprise Agent Platform provides a comprehensive foundation for production-grade agent deployments. VPC Service Controls is now natively integrated with Agent Platform. When you include Agent Platform as a protected service within a VPC-SC perimeter, the system automatically blocks all public internet access to the Agent Platform instance — enforcing a secure boundary without additional configuration overhead.

“At Mercado Libre, VPC Service Controls serve as an essential, foundational layer of our security architecture. By building a strong perimeter enforcement across hundreds of Google Cloud projects in our organization, we established robust network-level security controls with VPC-SC, ensuring all our data remains protected in our cloud environment,” said Juan Pablo Boschi, project lead at Mercado Libre.

Defining a layered approach to enterprise AI security with VPC-SC

Securing an autonomous agent requires a layered approach. Identity, network, and resource controls each target a distinct threat vector.

  • Identity controls: IAM and Principal Access Boundaries (PAB) focus on “who” can access specific resources. By enforcing strict least-privilege principles for agent identities, you help ensure that autonomous workloads only have the permissions necessary for their specific objectives.

  • Network controls: Next-generation network firewalls and VPC Service Controls define a robust data perimeter on top of your infrastructure, governing the flow of information across boundaries and preventing data exfiltration.

  • Resource controls: Organization Policy and other resource-level guardrails set broad, immutable constraints on how resources can be configured and used, preventing risky configurations by default.

While identity and network controls effectively secure the front door, VPC Service Controls provide a critical destination-based defense. In the probabilistic world of autonomous agents, VPC-SC is the control that focuses on the “how” and “where” of the agent’s network and operations, in addition to the “who”.

Defending against the unique attack vectors

Unlike traditional applications, an AI agent’s input can inadvertently prompt it to execute an unintended command or action. If an agent is successfully compromised — whether driven by malicious prompts, tool manipulation, or malicious insider commands — VPC Service Controls serves as a critical network safety net.

To illustrate how this network boundary defends against industry-standard risks as mapped by the OWASP Top 10 for LLM Applications, here are three real-world threat vectors where VPC Service Controls can help supplement identity-based controls to prevent data exfiltration.

  • Exfiltration prevention via indirect prompt injection (OWASP ASI01): A malicious actor could attempt to embed a hidden prompt asking an agent to summarize internal data and transmit it to an unauthorized user. If the hijacked agent has IAM permissions, IAM detects no anomaly.

    However, when the agent tries to send that data to an external webhook, VPC-SC blocks the API-layer transfer because the destination is outside the defined perimeter.

  • Guardrail for tool misuse (OWASP ASI02, ASI08): Prompt hijacks can lead agents to chain tools maliciously, such as sending internal directory data to an external service. By enforcing a VPC-SC perimeter around sensitive assets, you prevent misbehaving agents from bridging data across isolated trust zones.

  • Neutralizing insider threats (OWASP ASI03): Attackers can command a data-processing agent to perform a direct cloud-to-cloud copy from a BigQuery dataset to an unauthorized project. While network firewalls see legitimate HTTPS traffic to BigQuery, and IAM sees an authorized service account, VPC-SC evaluates the destination resource. Since the destination project is outside the enterprise perimeter, the system immediately denies the API request.
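
The layered decision described in the threat vectors above and in the MCP attribute rules earlier can be modeled in a few lines. This is an added example, not code from the original post and not VPC-SC's rule syntax or evaluation engine: a simplified model in which an IAM-authorized agent is still denied when the destination is outside the perimeter or when an MCP tool call fails its condition. The project numbers, agent principal, and tool names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders: not real project IDs, principals, or VPC-SC syntax.
PERIMETER = {"projects/111", "projects/222"}
AGENT = "principal://example/agents/report-agent"
IAM_ALLOWED = {AGENT}            # identity layer: the agent is authorized
EGRESS_RULES = []                # (principal, destination) pairs allowed out
DENIED_TOOLS = {"send_email"}    # hypothetical MCP tool name


@dataclass(frozen=True)
class Request:
    principal: str
    source: str                  # project the call originates from
    destination: str             # project or external target receiving data
    mcp: Optional[dict] = None   # MCP attributes, when the call uses a tool


def perimeter_allows(req: Request) -> bool:
    """Destination-based check: crossing the boundary needs an egress rule."""
    leaving = req.source in PERIMETER and req.destination not in PERIMETER
    return not leaving or (req.principal, req.destination) in EGRESS_RULES


def mcp_allows(req: Request) -> bool:
    """Tool-level condition on the attributes the article names; default deny."""
    if req.mcp is None:
        return True
    if req.mcp.get("mcp.toolName") in DENIED_TOOLS:
        return False
    return req.mcp.get("mcp.tool.isReadOnly") is True


def decide(req: Request) -> str:
    """Evaluate identity first, then the perimeter, then the MCP condition."""
    if req.principal not in IAM_ALLOWED:
        return "DENY_IAM"
    if not perimeter_allows(req):
        return "DENY_PERIMETER"
    if not mcp_allows(req):
        return "DENY_MCP_CONDITION"
    return "ALLOW"


def tool_call(name: str, read_only: bool) -> Request:
    """Build an in-perimeter MCP tool call carrying the three attributes."""
    attrs = {"mcp.toolName": name, "mcp.method": "tools/call",
             "mcp.tool.isReadOnly": read_only}
    return Request(AGENT, "projects/111", "projects/222", attrs)
```

The cloud-to-cloud copy case is `decide(Request(AGENT, "projects/111", "projects/999"))`: the identity check passes and the perimeter check is what returns the denial.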
