research(security): confused-deputy analysis for ACP+MCP passthrough — privilege boundary audit (arXiv:2603.12230) #2427

@bug-ops

Description

Source

arXiv:2603.12230 — Security Considerations for Artificial Intelligence Agents (2026-03-12, Perplexity/NIST response)

Technique

Systematic analysis of attack surfaces across input/model/execution layers with emphasis on:

Confused-deputy problem in agents: When an agent simultaneously holds two trust levels (e.g., acts as a trusted server to one party and an untrusted client to another), a malicious input from the untrusted side can exploit the agent's trusted credentials on the other side.

Privilege control gaps identified:

  • Agents executing tool calls with the same privilege as the user (no least-privilege)
  • MCP passthrough creating implicit privilege amplification
  • Multi-agent handoffs leaking credentials across trust boundaries

Assessment methodology: Structured privilege audit across 8 agent architectures. Identifies where each architecture has privilege boundary gaps.

Applicability to Zeph — Specific gap

Zeph in ACP+MCP configuration acts as:

  1. ACP server — trusted by Zed IDE (has filesystem, terminal capabilities)
  2. MCP client — connects to external MCP servers (untrusted third-party tools)

A malicious MCP server could craft a tool response that, when processed by Zeph's ACP layer, causes Zeph to use its trusted ACP credentials to perform actions on behalf of the attacker.

Current mitigations in Zeph:

  • ContentIsolation + spotlight_untrusted = true — partially mitigates
  • ExfiltrationGuard — prevents URL-based exfiltration
  • MCP trust_level = "untrusted" + tool_allowlist — per-server trust

Gap: No explicit privilege boundary enforcement between MCP response processing and ACP capability invocation paths. No audit trail linking MCP tool calls to ACP actions in the same turn.

Implementation sketch

  1. Audit zeph-acp/src/ for any code path that processes MCP tool results and then invokes ACP capabilities
  2. Ensure MCP tool results entering the ACP-serving path are treated as untrusted content (equivalent to spotlight_untrusted)
  3. Add cross-subsystem audit log entry when MCP result influences an ACP capability invocation
  4. Config: [security.content_isolation] mcp_to_acp_boundary = true
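The boundary described in steps 2 to 4, as an added example that is not Zeph's own code: every piece of content carries its origin, content derived from an MCP tool result keeps that taint, and an ACP capability invocation whose argument is tainted is checked against a per-capability allowlist and recorded in a cross-subsystem audit entry. The type and field names (`Origin`, `Content`, `BoundaryGate`, `enforce` standing in for `mcp_to_acp_boundary`) are assumptions for illustration.

```rust
// Hypothetical provenance gate for the MCP -> ACP boundary (example, not Zeph's API).
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Origin {
    User,                                 // typed by the user or produced by the trusted ACP host
    Mcp { server: String, call_id: u64 }, // came from an (untrusted) MCP tool result
}

#[derive(Clone, Debug)]
pub struct Content { pub text: String, pub origin: Origin }

impl Content {
    /// Conservative taint propagation: if any input came from MCP, the result is MCP-tainted,
    /// i.e. it is treated the same way spotlight_untrusted treats untrusted content.
    pub fn derived(text: String, inputs: &[&Content]) -> Content {
        let origin = inputs.iter()
            .find(|c| matches!(c.origin, Origin::Mcp { .. }))
            .map(|c| c.origin.clone())
            .unwrap_or(Origin::User);
        Content { text, origin }
    }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Capability { FsRead, FsWrite, Terminal }

/// Audit record linking an MCP tool call to an ACP capability invocation in the same turn.
#[derive(Debug, PartialEq, Eq)]
pub struct AuditEntry { pub turn: u64, pub server: String, pub call_id: u64, pub capability: Capability, pub allowed: bool }

/// `enforce` stands in for `[security.content_isolation] mcp_to_acp_boundary = true` (assumed shape).
pub struct BoundaryGate { pub enforce: bool, pub mcp_allowed: Vec<Capability>, pub audit: Vec<AuditEntry> }

impl BoundaryGate {
    /// Authorize an ACP capability invocation whose argument is `arg`.
    /// Err when the boundary is enforced and `cap` is not allowlisted for MCP-derived input.
    pub fn authorize(&mut self, turn: u64, arg: &Content, cap: Capability) -> Result<(), String> {
        let (server, call_id) = match &arg.origin {
            Origin::User => return Ok(()), // trusted path: no cross-subsystem record needed
            Origin::Mcp { server, call_id } => (server.clone(), *call_id),
        };
        let allowed = !self.enforce || self.mcp_allowed.contains(&cap);
        self.audit.push(AuditEntry { turn, server: server.clone(), call_id, capability: cap, allowed });
        if allowed {
            Ok(())
        } else {
            Err(format!("turn {turn}: {cap:?} blocked; argument derived from MCP server '{server}' call {call_id}"))
        }
    }
}
```

With `enforce = false` the gate still writes the audit entry, so the cross-subsystem log from step 3 exists even before the boundary is switched on.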

Labels

  • P2 — High value, medium complexity
  • research — Research-driven improvement