Google adds agent controls to VPC Service Controls

Google has added new security features to VPC Service Controls for autonomous AI agents, extending network-level controls for organisations running agentic workloads on Google Cloud.

The update adds agent identities to ingress and egress rules, introduces conditional access rules based on model context protocol attributes, and integrates VPC Service Controls with the Gemini Enterprise Agent Platform. The additions are intended to tighten control over how AI agents access tools, services, and data inside cloud environments.

VPC Service Controls is Google Cloud's perimeter security product, designed to restrict data movement across defined service boundaries. The latest changes target agentic systems, which can connect to multiple tools and datasets and act with a degree of autonomy.

One of the main additions allows administrators to use agent identities directly in service perimeter rules through standard Identity and Access Management principals. Under the change, a single principal can represent one agent, while a principalSet can represent a broader group of agents.

This gives security teams a way to apply access policies across fleets of agents and revoke access at the perimeter if a specific agent is compromised. It also reflects a broader shift in enterprise security towards treating AI agents as distinct operational identities, rather than only as extensions of an application or service account.

MCP controls

Google has also introduced conditional access rules tied to model context protocol, or MCP, attributes. These include mcp.toolName, mcp.method, and mcp.tool.isReadOnly, allowing organisations to set policies at the level of a specific tool or action.

In practice, this means an organisation could allow an agent to read information from a Workspace MCP server while blocking other actions, such as sending emails. The move addresses a growing concern in enterprise AI deployments that agents may be granted broad rights across connected systems without enough control over individual functions.

VPC Service Controls is also now integrated with the Gemini Enterprise Agent Platform. When the platform is placed inside a VPC Service Controls perimeter, public internet access to the Agent Platform instance is blocked automatically.

The integration reduces the manual configuration needed to isolate agent deployments from the open internet. It also places the platform within the same network boundary model many large organisations already use to protect sensitive cloud services and internal data stores.

Layered model

Google presented the changes as part of a broader layered security approach for enterprise AI. In this model, identity controls such as IAM and Principal Access Boundaries define who can access resources, network controls such as VPC Service Controls and firewalls govern where data can move, and resource controls such as Organisation Policy limit how services can be configured.

Google argued that this network layer matters because AI agents can be manipulated through prompts, tool use, or insider instructions in ways that may not breach existing identity rules. In those cases, an agent might still hold valid credentials and attempt actions that appear legitimate to other security systems.

The company cited several threat scenarios where destination-based perimeter checks could stop data leaving an approved environment. These include indirect prompt injection, where an attacker hides instructions in data that causes an agent to send internal information to an external destination, and tool misuse, where a compromised agent chains together allowed tools to move data across trust zones.

Another scenario involves insider abuse, where a data-processing agent is instructed to copy data from a BigQuery dataset to an unauthorised cloud project. In that case, traditional network firewalls may see only valid encrypted traffic and IAM may see only an authorised service account, while VPC Service Controls can still deny the transfer because the destination sits outside the approved perimeter.

The emphasis on destination-based security reflects a broader challenge for companies deploying AI systems that make decisions from probabilistic outputs rather than fixed logic. As a result, cloud providers and security teams are looking for controls that do not rely solely on whether a request comes from an approved identity.

Mercado Libre, one of the companies Google cited, described VPC Service Controls as a central part of its cloud security design across a large number of projects.

"At Mercado Libre, VPC Service Controls serve as an essential, foundational layer of our security architecture. By building a strong perimeter enforcement across hundreds of Google Cloud projects in our organization, we established robust network-level security controls with VPC-SC, ensuring all our data remains protected in our cloud environment," said Juan Pablo Boschi, Project Lead, Mercado Libre.