# Securing agentic AI with perimeter guardrails: What's new in VPC Service Controls

> Source: <https://cloud.google.com/blog/products/identity-security/securing-agentic-ai-whats-new-in-vpc-service-controls/>
> Published: 2026-06-26 18:00:00+00:00

As enterprises scale autonomous AI agents into production, enabling safe innovation requires robust architectural guardrails. AI agents connect across tools and datasets, so it’s essential to establish clear network-level boundaries for comprehensive data protection.

To help organizations confidently deploy these workflows, we recommend [VPC Service Controls](https://cloud.google.com/security/vpc-service-controls) (VPC-SC) to establish an essential network-level, destination-based perimeter. Today we’re announcing several new capabilities specifically designed for agentic workloads.

Designed to enhance AI security, the new capabilities we’re announcing today strengthen boundaries enforced by VPC-SC.

The capability updates include:

**Agent identity in directional rules**: Enforcing least-privilege access requires treating agents as first-class identities. You can now add [agentic identities](https://docs.cloud.google.com/iam/docs/agent-identity-overview) directly to service perimeter ingress and egress rules using standard [Identity and Access Management (IAM) principals](https://docs.cloud.google.com/iam/docs/principals-overview).

A single principal maps to an individual agent, while a [principalSet](https://docs.cloud.google.com/vpc-service-controls/docs/supported-identities) maps to a broader collection of agents. PrincipalSets let administrators apply consistent, auditable access policies across agent fleets. If an agent is compromised, you can immediately revoke its access at the network perimeter.

**Granular control with model context protocol (MCP) attributes**: As MCP becomes the standard integration layer for agentic systems, the ability to enforce policy at the tool level is critical. VPC Service Controls now support conditional access rules based on specific [MCP](https://docs.cloud.google.com/mcp/control-mcp-use-vpc-sc-perimeter) attributes, including `mcp.toolName`, `mcp.method`, and `mcp.tool.isReadOnly`.

For example, you can grant an agent read access to a Workspace MCP server while explicitly denying its ability to send emails.

**Securing the Gemini Enterprise Agent Platform**: The [Gemini Enterprise Agent Platform](https://cloud.google.com/products/gemini-enterprise-agent-platform) provides a comprehensive foundation for production-grade agent deployments. VPC Service Controls is now natively integrated with Agent Platform. When you include Agent Platform as a protected service within a VPC-SC perimeter, the system automatically blocks all public internet access to the Agent Platform instance — enforcing a secure boundary without additional configuration overhead.

"At Mercado Libre, VPC Service Controls serve as an essential, foundational layer of our security architecture. By building a strong perimeter enforcement across hundreds of Google Cloud projects in our organization, we established robust network-level security controls with VPC-SC, ensuring all our data remains protected in our cloud environment," said Juan Pablo Boschi, project lead at Mercado Libre.

Securing an autonomous agent requires a layered approach. Identity, network, and resource controls each target a distinct threat vector.

**Identity controls**: [IAM](https://docs.cloud.google.com/iam/docs) and [Principal Access Boundaries](https://docs.cloud.google.com/iam/docs/principal-access-boundary-policies) (PAB) focus on "who" can access specific resources. By enforcing strict least-privilege principles for agent identities, you help ensure that autonomous workloads only have the permissions necessary for their specific objectives.

**Network controls**: [Next-generation network firewalls](https://cloud.google.com/security/products/firewall) and VPC Service Controls define a robust data perimeter on top of your infrastructure, governing the flow of information across boundaries and preventing data exfiltration.

**Resource controls**: [Organization Policy](https://docs.cloud.google.com/organization-policy) and other resource-level guardrails set broad, immutable constraints on how resources can be configured and used, preventing risky configurations by default.

While identity and network controls effectively secure the front door, VPC Service Controls provide a critical destination-based defense. In the probabilistic world of autonomous agents, VPC-SC is the control that focuses on the "how" and "where" of the agent's network and operations, in addition to the "who".

Unlike traditional applications, an AI agent's input can inadvertently prompt it to execute an unintended command or action. If an agent is successfully compromised — whether driven by malicious prompts, tool manipulation, or malicious insider commands — VPC Service Controls serves as a critical network safety net.

To illustrate how this network boundary defends against industry-standard risks as mapped by the [OWASP Top 10 for LLM Applications](https://genai.owasp.org/2025/12/09/owasp-top-10-for-agentic-applications-the-benchmark-for-agentic-security-in-the-age-of-autonomous-ai/), here are three real-world threat vectors where VPC Service Controls can help supplement identity-based controls to prevent data exfiltration.

**Exfiltration prevention via indirect prompt injection (OWASP ASI01)**: A malicious actor could attempt to embed a hidden prompt asking an agent to summarize internal data and transmit it to an unauthorized user. If the hijacked agent has IAM permissions, IAM detects no anomaly.

However, when the agent tries to send that data to an external webhook, VPC-SC blocks the API-layer transfer because the destination is outside the defined perimeter.

**Guardrail for tool misuse (OWASP ASI02, ASI08)**: Prompt hijacks can lead agents to chain tools maliciously, such as sending internal directory data to an external service. By enforcing a VPC-SC perimeter around sensitive assets, you prevent misbehaving agents from bridging data across isolated trust zones.

**Neutralizing insider threats (OWASP ASI03)**: Attackers can command a data-processing agent to perform a direct cloud-to-cloud copy from a BigQuery dataset to an unauthorized project. While network firewalls see legitimate HTTPS traffic to BigQuery, and IAM sees an authorized service account, VPC-SC evaluates the destination resource. Since the destination project is outside the enterprise perimeter, the system immediately denies the API request.
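To make the destination-based logic behind the capabilities above (agent principals and principalSets in ingress/egress rules, MCP attribute conditions) and the three threat vectors concrete, here is a small offline model of a perimeter evaluator. It is an added illustration, not VPC Service Controls' own code or its policy format: the project names, the `principal://` and `principalSet://` strings, the `workspace-mcp.example` endpoint, the `Rule`/`Perimeter` fields and the request shape are all assumptions chosen to mirror the post's concepts. What it shows is that the decision turns on where the call is going, not on whether the caller is IAM-authorized, and that a single rule condition on `mcp.tool.isReadOnly` separates a read-only Workspace tool from a send-mail tool.

```python
"""Offline model of destination-based perimeter evaluation for agent traffic.

Added illustration only: not VPC Service Controls' code or policy format.
Identity strings, project names, rule fields and the request shape are
assumptions that mirror the post's concepts: ingress/egress rules keyed on IAM
principals and principalSets, MCP attribute conditions, and a decision driven
by the destination resource rather than by who the caller is.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    identity: str         # IAM principal making the API call
    service: str          # API called, e.g. bigquery.googleapis.com
    source_project: str   # project the call originates from
    dest_project: str     # project owning the targeted resource
    mcp: dict = field(default_factory=dict)  # MCP attributes, if an MCP call


@dataclass
class Rule:
    """One directional rule; '*' in services or projects matches anything."""
    identities: tuple     # principal://... or principalSet://.../* patterns
    services: tuple
    projects: tuple       # egress: allowed destinations; ingress: reachable targets
    mcp_conditions: dict = field(default_factory=dict)


@dataclass
class Perimeter:
    projects: set         # projects inside the boundary
    ingress: list         # rules for calls coming in from outside
    egress: list          # rules for calls whose destination lies outside


def identity_matches(pattern: str, identity: str) -> bool:
    # a principalSet pattern ends in '/*' and covers every subject under its prefix
    if pattern.endswith("/*"):
        return identity.startswith(pattern[:-1])
    return pattern == identity


def rule_matches(rule: Rule, req: Request) -> bool:
    if not any(identity_matches(p, req.identity) for p in rule.identities):
        return False
    if "*" not in rule.services and req.service not in rule.services:
        return False
    if "*" not in rule.projects and req.dest_project not in rule.projects:
        return False
    # every MCP condition on the rule must hold for the request's attributes
    return all(req.mcp.get(k) == v for k, v in rule.mcp_conditions.items())


def evaluate(perimeter: Perimeter, req: Request) -> str:
    src_in = req.source_project in perimeter.projects
    dst_in = req.dest_project in perimeter.projects
    if src_in == dst_in:
        return "ALLOW"    # fully inside, or not governed by this perimeter at all
    rules = perimeter.egress if src_in else perimeter.ingress
    return "ALLOW" if any(rule_matches(r, req) for r in rules) else "DENY"


def revoke(perimeter: Perimeter, identity: str) -> None:
    """Cut a compromised agent off at the boundary by dropping its principal from
    every directional rule (a principalSet still covering it needs its own edit)."""
    for rule in perimeter.ingress + perimeter.egress:
        rule.identities = tuple(p for p in rule.identities if p != identity)


# Constructed sample identities and projects; none refer to real resources.
AGENT_POOL = ("principalSet://iam.googleapis.com/projects/123456789/locations/global/"
              "workloadIdentityPools/agent-pool/*")
AGENT_A = AGENT_POOL[:-1] + "subject/summarizer-agent"
AGENT_B = AGENT_POOL[:-1] + "subject/reporting-agent"
ETL_SA = "serviceAccount:etl@corp-data.iam.gserviceaccount.com"
MCP_SVC = "workspace-mcp.example"   # hypothetical MCP endpoint hosted outside


def demo_perimeter() -> Perimeter:
    return Perimeter(
        projects={"corp-data", "corp-agents"},
        # the whole agent fleet may read corp-data from its external runtime
        ingress=[Rule((AGENT_POOL,), ("bigquery.googleapis.com",), ("corp-data",))],
        # one agent may reach the Workspace MCP server, read-only tools only
        egress=[Rule((AGENT_A,), (MCP_SVC,), ("workspace-mcp",),
                     {"mcp.tool.isReadOnly": True})],
    )


def scenario_results() -> dict:
    p = demo_perimeter()
    bq = "bigquery.googleapis.com"
    out = {}
    # ASI01: hijacked agent tries to push a summary to a project outside the boundary
    out["exfil"] = evaluate(p, Request(AGENT_A, "storage.googleapis.com", "corp-agents", "attacker-drop"))
    # ASI02/ASI08: read-only Workspace tool passes, the send-mail tool fails the condition
    out["mcp_read"] = evaluate(p, Request(AGENT_A, MCP_SVC, "corp-agents", "workspace-mcp",
                                          {"mcp.toolName": "drive.search", "mcp.tool.isReadOnly": True}))
    out["mcp_send"] = evaluate(p, Request(AGENT_A, MCP_SVC, "corp-agents", "workspace-mcp",
                                          {"mcp.toolName": "gmail.send", "mcp.tool.isReadOnly": False}))
    # ASI03: an IAM-authorized account copies BigQuery data out; the same copy inside is fine
    out["bq_out"] = evaluate(p, Request(ETL_SA, bq, "corp-data", "unauthorized-proj"))
    out["bq_in"] = evaluate(p, Request(ETL_SA, bq, "corp-data", "corp-agents"))
    # ingress: any fleet member may read corp-data; an unknown caller may not
    out["fleet_in"] = evaluate(p, Request(AGENT_B, bq, "agent-runtime", "corp-data"))
    out["stranger_in"] = evaluate(p, Request("user:someone@example.com", bq, "agent-runtime", "corp-data"))
    # compromise response: revoke the one agent and its formerly allowed MCP read is denied
    revoke(p, AGENT_A)
    out["mcp_read_after_revoke"] = evaluate(p, Request(AGENT_A, MCP_SVC, "corp-agents", "workspace-mcp",
                                                       {"mcp.tool.isReadOnly": True}))
    return out


if __name__ == "__main__":
    for name, decision in scenario_results().items():
        print(f"{name:24s} {decision}")
```

The two DENY outcomes for `exfil` and `bq_out` happen with identities that pass every IAM check in the model; only the destination project, being outside the boundary with no matching egress rule, blocks them. The `revoke` helper shows the fleet-management point from the identity section: removing one principal from the directional rules cuts that agent off without touching the rules that cover the rest of the principalSet.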

Perimeter security has evolved from a recommended best practice in the deterministic, application- and workload-centric age to an absolute requirement for the era of autonomous AI agents. VPC-SC provides the necessary control over data movement that IAM cannot address alone.

In an era where agents interpret prompts as code, VPC-SC becomes the mandatory safety net for enterprise data. Pairing the mapping capability of IAM with the rigid data perimeters of VPC-SC lets organizations securely build agentic innovation while maintaining an absolute guardrail against exfiltration.

To learn more, you can explore VPC-SC resources [here](https://cloud.google.com/security/vpc-service-controls).
