Agentic AI Security CMM — D5 Egress & Network (Deep Dive)

Companion deep-dive to the CMM’s D5 domain, written under the recalibration method. D5 mediates agent egress at the network layer. The recalibration confirms and extends a correction the program already made: the LLM-egress gateway and MCP-authorization legs are now GA platform-native for an all-Microsoft buyer, so the residual gaps are narrow and specific, not a whole missing plane.

Single-source grounding

Levels and cost model synthesize the recalibration method against the regulated-FI stress test plus vendor documentation. Tooling status is a May 2026 snapshot.

Five of eight D5 capabilities are GA platform-native for a Microsoft shop. The LLM-egress gateway, MCP brokering + authorization, network-layer egress/shadow-AI/PI filtering, per-agent network policy, and identity-scoped tokens are all GA on the Azure/Entra stack. Three remain genuinely off-stack: MCP tool-integrity / rug-pull, per-task capability tokens, and A2A authorization beyond identity. All three sit at L4–L5+, so they do not block an L3 target. This corrects the original framing that an all-Microsoft buyer had to leave the platform for the egress plane.

Threat coverage

D5 is the primary domain for ASI07 (Insecure Inter-Agent Communication) and a secondary control surface for ASI02 (Tool Misuse) via tool authorization, and it carries Class 2 (APT) through egress behavioral baselines. Per-agent egress mediation is capped by D2: it cannot be enforced without per-agent identity. See the Threat Taxonomy Reconciliation matrix and the threat classes.

Control landscape (dated)

CapabilityWhat ships todayStatus (May 2026)Platform-native (MS / AWS / GCP)
LLM-egress gateway (token governance, semantic caching, inline content safety)Cloudflare / Kong AI Gateway; agentgateway (OSS)GAMS: Azure API Management AI Gateway — token limits, semantic caching, content-safety policy, all GA1. AWS: AgentCore Gateway, GA2. GCP: Apigee + Model Armor inline3
MCP brokering + authorization (Entra / OAuth / JWT)Operant, Natoma (COTS)GA for MS/AWS brokering, tools onlyMS: APIM MCP-server management, GA; tools only — not resources/prompts, not in workspaces4. AWS: AgentCore Gateway, OAuth client-credentials2
Network-layer egress / shadow-AI / network PISSE/CASB (Zscaler, Netskope); Smokescreen (OSS, SSRF)GAMS: Entra Internet Access — network-layer prompt-injection protection + Shadow-AI detection, GA5. AWS: AgentCore VPC egress2. GCP: VPC-SC perimeters
Per-agent micro-segmentation / mTLSIstio, Linkerd, SPIFFE/SPIRE (OSS)GA (OSS)AWS: AgentCore ENIs in customer VPC. GCP: VPC-SC Agent Identity as principal — preview6. MS: Entra Agent ID + network policy (identity-scoped)
Mesh-deployed agent-aware proxy sidecarSolo.io agentgateway (Linux Foundation, OSS)OSS, pre-1.07none native
MCP tool-integrity / rug-pull detectionSolo Enterprise, Operant; AgentShield MCP rules (OSS)COTS developingnone native (MS gap) — Microsoft’s own guidance states no single Azure service is dedicated to MCP-specific protection8
Per-task egress capability tokens (holder-bound)Tenuo WarrantOSS, early-stagenone native — Entra issues per-agent-identity (OBO), not per-task
A2A authorization beyond identityA2A v1.0 Agent Card signing; rule-pack COTSspec GA, enforcement org-definedthin everywhere

Capability-decoupled levels

Stated as capabilities per rule 1; a control counts when it operates in production per rule 2. The current D5 levels are already capability-phrased; the recalibration strips named-product dependence and adds the maturity grade.

  • L1 — Initial. Agents have unrestricted network egress.
  • L2 — Developing. Each agent has an outbound destination allowlist (DNS- or proxy-level).
  • L3 — Defined. An agent-aware gateway sits in-path between agent and external tools/LLMs/MCP servers, enforcing per-tool authorization with token governance and inline content safety; MCP calls are brokered with OAuth/JWT identity authorization; inter-agent A2A runs over TLS 1.3 + OAuth/mTLS with a documented enforcement profile; tool fingerprinting is active. Every L3 capability has a GA production path on every major platform — no cadence risk.
  • L4 — Managed. Per-tool-call token exchange (OAuth 2.1); rug-pull / tool-poisoning detection active; A2A content scanning; MCP CVE feed integrated. Maturity note: rug-pull detection is off-stack (COTS-developing) for all three hyperscalers — reachable today but not platform-native.
  • L5 — Optimizing. A mesh-deployed agent-aware proxy runs per agent with zero bypass; per-task egress capability tokens bind to the specific upstream resource; SSRF and direct-egress paths are closed at the network layer so the gateway is the only path out; the A2A signing profile is published and audited per release; the MCP CVE feed is wired to auto-quarantine without HITL.
  • L5+ — Leading Edge. sigstore-for-MCP cross-tenant signing (proposal stage, no shipping verifier); behavioral A2A drift detection (research-stage); cross-cloud egress federation with reconciliation across two or more agent-aware proxies.

Per-task egress capability tokens (L5) have a single early-stage OSS implementation and no platform-native equivalent. The same caveat as D3 applies: the capability stays at L5, but a regulated buyer may treat it as L5+ and record an intentional trade-off.

Right-sizing by deployment shape

Deployment shapeRealistic D5 targetWhy
Member/customer-service RAG chatbot (no external write reach)L2 → L3Little egress need; an allowlist plus the GA gateway and network-layer PI/shadow-AI filtering suffices. With no external-comms path the egress leg of the trifecta is broken by architecture — a lower D5 is sound, recorded as an intentional trade-off
Copilot / generative coding toolL3Source-control + LSP egress only; an agent-aware gateway for any MCP tool use
MCP / skill provider (server-side)L4Consumed by many agents: per-tool-call token exchange, rug-pull detection, CVE-feed integration earn their cost
Multi-agent mesh (A2A)L4 → L5The mesh sidecar, A2A signing + content scanning, and cross-agent ACLs become load-bearing; a single broker suffices up to roughly 50 agents, then per-agent sidecars

D5 is the domain where removing the egress capability most directly defeats the lethal-trifecta: a bot with no sensitive data or no egress path drops the D5 requirement substantially. Confirm the removed leg is genuinely absent, not merely policy-restricted.

Cost model

LevelLicensingOperational laborRun-rate
L2~0 for an E5/Azure incumbentmaintain the allowlist
L3~0 incremental — APIM AI Gateway, Entra Internet Access, MCP brokering are in the Azure/E5 envelope15gateway-policy authoring; A2A enforcement-profile documentationthe AI-gateway run-rate is token-metered and scales with agent/token volume; semantic caching reduces it
L4off-stack rug-pull / tool-poisoning detection — net-new spendper-tool-call token-exchange config; CVE-feed integration; rule-pack tuningtoken-exchange + detector telemetry into the SIEM
L5off-stack: per-task tokens, mesh sidecars — mostly net-newmesh rollout + zero-bypass proof; SSRF-closure verification; per-release A2A auditper-agent sidecar compute + gateway run-rate × agent count

For an E5/Azure incumbent, L2–L3 licensing is near-zero: the gateway, MCP authorization, and network-layer filtering are already paid for. The honest costs are the token-metered gateway run-rate (scales with agent count) and the net-new off-stack spend that begins at L4 and dominates L5. The licensing cliff is at L4, not L3, which matches the right-sizing finding that most chatbot and copilot deployments target L3.

Customer critiques folded in

  • “No Microsoft AI gateway — must go off-stack for the egress plane.” Corrected and confirmed false: Azure API Management AI Gateway is GA with token governance, semantic caching, inline content safety, and MCP brokering with Entra/OAuth/JWT authorization14; Entra Internet Access adds GA network-layer prompt-injection and Shadow-AI detection5.
  • “The egress gaps are real but narrow.” Confirmed and extended: the three genuine off-stack residuals are MCP tool-integrity/rug-pull (Microsoft concedes no dedicated Azure service8), per-task capability tokens, and A2A authorization beyond identity. All sit at L4–L5+, so none blocks an L3 target.
  • “L5 assumes a cadence regulated FIs can’t follow.” The realistic chatbot target (L3) depends only on GA, already-owned Azure controls, so the buyer is not penalized at their actual target level; per-task tokens and mesh sidecars (recent COTS/OSS) sit at L5.

Open questions

  • APIM brokers MCP tools only, not resources or prompts; whether tools-only brokering suffices for richer MCP deployments is unresolved, with no announced GA date for the rest.
  • The OSS mesh-sidecar path (agentgateway) is pre-1.0; treat the L5 mesh path as maturing, not hardened.
  • GCP’s VPC-SC agent-identity egress rules are preview; GA timing matters for GCP buyers who cannot deploy preview features.
  • Per-task capability tokens have effectively one early-stage implementation — the single-vendor concentration mirrors the D1 AIUC-1 concern.
  • No standard A2A authorization rule pack exists; behavioral A2A drift detection is research-stage.

D2→D5 dependency cap

D5’s effective score is capped at D2’s raw score (effective(D5) ≤ raw(D2)): per-agent egress cannot be enforced without a per-agent identity to bind policy to. The Microsoft-native nuance sharpens it twice. Entra Agent ID gives per-agent identity, satisfying the D2 prerequisite; but because it is per-agent-identity and not per-task, the L5 “per-task egress capability tokens” criterion is unreachable on-stack, capping the achievable D5 at L4 absent an off-stack token product. For the persona (D2 L2, D5 L2), standing up the GA gateway alone would not raise effective D5 above L2 until per-agent identity is in production. The sequencing consequence: D5 investment is wasted ahead of D2. Stand up per-agent identity first, because the gateway’s per-agent authorization is inert without it. See the dependency rules.

Notes

Footnotes

  1. Microsoft Learn — AI gateway capabilities in Azure API Management, 2026. Token-limit, token-metric, semantic caching, content-safety policies; OAuth / credential manager; MCP + A2A (core policies GA; Foundry integration preview). 2 3

  2. AWS — AgentCore Gateway and Identity support VPC egress, 2026. Managed egress; OAuth client-credentials for MCP. 2 3

  3. Google Cloud — Model Armor + Agent Gateway integration, 2026. Inline prompt/response screening at the agent gateway.

  4. Microsoft Learn — Overview of MCP servers in Azure API Management, 2025–2026. GA across classic + v2 tiers; JWT via Entra ID; tools only, not resources/prompts, not in workspaces. 2

  5. Microsoft Learn — AI prompt injection protection (Global Secure Access), 2026. Network-layer prompt-injection protection; Shadow-AI detection. 2 3

  6. Google Cloud — VPC Service Controls release notes, 2026. Agent Identity as first-class principal in ingress/egress rules (preview).

  7. Linux Foundation — agentgateway project, 2026. A2A + MCP + LLM data plane (Apache 2.0); pre-1.0.

  8. Microsoft ZT4AI — residual MCP-protection gap, per Microsoft’s OWASP-MCP-for-Azure guidance. 2