Agentic AI Security CMM — D5 Egress & Network (Deep Dive)
Companion deep-dive to the CMM’s D5 domain, written under the recalibration method. D5 mediates agent egress at the network layer. The recalibration confirms and extends a correction the program already made: the LLM-egress gateway and MCP-authorization legs are now GA platform-native for an all-Microsoft buyer, so the residual gaps are narrow and specific, not a whole missing plane.
Single-source grounding
Levels and cost model synthesize the recalibration method against the regulated-FI stress test plus vendor documentation. Tooling status is a May 2026 snapshot.
Five of eight D5 capabilities are GA platform-native for a Microsoft shop. The LLM-egress gateway, MCP brokering + authorization, network-layer egress/shadow-AI/PI filtering, per-agent network policy, and identity-scoped tokens are all GA on the Azure/Entra stack. Three remain genuinely off-stack: MCP tool-integrity / rug-pull, per-task capability tokens, and A2A authorization beyond identity. All three sit at L4–L5+, so they do not block an L3 target. This corrects the original framing that an all-Microsoft buyer had to leave the platform for the egress plane.
Threat coverage
D5 is the primary domain for ASI07 (Insecure Inter-Agent Communication) and a secondary control surface for ASI02 (Tool Misuse) via tool authorization, and it carries Class 2 (APT) through egress behavioral baselines. Per-agent egress mediation is capped by D2: it cannot be enforced without per-agent identity. See the Threat Taxonomy Reconciliation matrix and the threat classes.
Control landscape (dated)
| Capability | What ships today | Status (May 2026) | Platform-native (MS / AWS / GCP) |
|---|---|---|---|
| LLM-egress gateway (token governance, semantic caching, inline content safety) | Cloudflare / Kong AI Gateway; agentgateway (OSS) | GA | MS: Azure API Management AI Gateway — token limits, semantic caching, content-safety policy, all GA1. AWS: AgentCore Gateway, GA2. GCP: Apigee + Model Armor inline3 |
| MCP brokering + authorization (Entra / OAuth / JWT) | Operant, Natoma (COTS) | GA for MS/AWS brokering, tools only | MS: APIM MCP-server management, GA; tools only — not resources/prompts, not in workspaces4. AWS: AgentCore Gateway, OAuth client-credentials2 |
| Network-layer egress / shadow-AI / network PI | SSE/CASB (Zscaler, Netskope); Smokescreen (OSS, SSRF) | GA | MS: Entra Internet Access — network-layer prompt-injection protection + Shadow-AI detection, GA5. AWS: AgentCore VPC egress2. GCP: VPC-SC perimeters |
| Per-agent micro-segmentation / mTLS | Istio, Linkerd, SPIFFE/SPIRE (OSS) | GA (OSS) | AWS: AgentCore ENIs in customer VPC. GCP: VPC-SC Agent Identity as principal — preview6. MS: Entra Agent ID + network policy (identity-scoped) |
| Mesh-deployed agent-aware proxy sidecar | Solo.io agentgateway (Linux Foundation, OSS) | OSS, pre-1.07 | none native |
| MCP tool-integrity / rug-pull detection | Solo Enterprise, Operant; AgentShield MCP rules (OSS) | COTS developing | none native (MS gap) — Microsoft’s own guidance states no single Azure service is dedicated to MCP-specific protection8 |
| Per-task egress capability tokens (holder-bound) | Tenuo Warrant | OSS, early-stage | none native — Entra issues per-agent-identity (OBO), not per-task |
| A2A authorization beyond identity | A2A v1.0 Agent Card signing; rule-pack COTS | spec GA, enforcement org-defined | thin everywhere |
Capability-decoupled levels
Stated as capabilities per rule 1; a control counts when it operates in production per rule 2. The current D5 levels are already capability-phrased; the recalibration strips named-product dependence and adds the maturity grade.
- L1 — Initial. Agents have unrestricted network egress.
- L2 — Developing. Each agent has an outbound destination allowlist (DNS- or proxy-level).
- L3 — Defined. An agent-aware gateway sits in-path between agent and external tools/LLMs/MCP servers, enforcing per-tool authorization with token governance and inline content safety; MCP calls are brokered with OAuth/JWT identity authorization; inter-agent A2A runs over TLS 1.3 + OAuth/mTLS with a documented enforcement profile; tool fingerprinting is active. Every L3 capability has a GA production path on every major platform — no cadence risk.
- L4 — Managed. Per-tool-call token exchange (OAuth 2.1); rug-pull / tool-poisoning detection active; A2A content scanning; MCP CVE feed integrated. Maturity note: rug-pull detection is off-stack (COTS-developing) for all three hyperscalers — reachable today but not platform-native.
- L5 — Optimizing. A mesh-deployed agent-aware proxy runs per agent with zero bypass; per-task egress capability tokens bind to the specific upstream resource; SSRF and direct-egress paths are closed at the network layer so the gateway is the only path out; the A2A signing profile is published and audited per release; the MCP CVE feed is wired to auto-quarantine without HITL.
- L5+ — Leading Edge. sigstore-for-MCP cross-tenant signing (proposal stage, no shipping verifier); behavioral A2A drift detection (research-stage); cross-cloud egress federation with reconciliation across two or more agent-aware proxies.
Per-task egress capability tokens (L5) have a single early-stage OSS implementation and no platform-native equivalent. The same caveat as D3 applies: the capability stays at L5, but a regulated buyer may treat it as L5+ and record an intentional trade-off.
Right-sizing by deployment shape
| Deployment shape | Realistic D5 target | Why |
|---|---|---|
| Member/customer-service RAG chatbot (no external write reach) | L2 → L3 | Little egress need; an allowlist plus the GA gateway and network-layer PI/shadow-AI filtering suffices. With no external-comms path the egress leg of the trifecta is broken by architecture — a lower D5 is sound, recorded as an intentional trade-off |
| Copilot / generative coding tool | L3 | Source-control + LSP egress only; an agent-aware gateway for any MCP tool use |
| MCP / skill provider (server-side) | L4 | Consumed by many agents: per-tool-call token exchange, rug-pull detection, CVE-feed integration earn their cost |
| Multi-agent mesh (A2A) | L4 → L5 | The mesh sidecar, A2A signing + content scanning, and cross-agent ACLs become load-bearing; a single broker suffices up to roughly 50 agents, then per-agent sidecars |
D5 is the domain where removing the egress capability most directly defeats the lethal-trifecta: a bot with no sensitive data or no egress path drops the D5 requirement substantially. Confirm the removed leg is genuinely absent, not merely policy-restricted.
Cost model
| Level | Licensing | Operational labor | Run-rate |
|---|---|---|---|
| L2 | ~0 for an E5/Azure incumbent | maintain the allowlist | — |
| L3 | ~0 incremental — APIM AI Gateway, Entra Internet Access, MCP brokering are in the Azure/E5 envelope15 | gateway-policy authoring; A2A enforcement-profile documentation | the AI-gateway run-rate is token-metered and scales with agent/token volume; semantic caching reduces it |
| L4 | off-stack rug-pull / tool-poisoning detection — net-new spend | per-tool-call token-exchange config; CVE-feed integration; rule-pack tuning | token-exchange + detector telemetry into the SIEM |
| L5 | off-stack: per-task tokens, mesh sidecars — mostly net-new | mesh rollout + zero-bypass proof; SSRF-closure verification; per-release A2A audit | per-agent sidecar compute + gateway run-rate × agent count |
For an E5/Azure incumbent, L2–L3 licensing is near-zero: the gateway, MCP authorization, and network-layer filtering are already paid for. The honest costs are the token-metered gateway run-rate (scales with agent count) and the net-new off-stack spend that begins at L4 and dominates L5. The licensing cliff is at L4, not L3, which matches the right-sizing finding that most chatbot and copilot deployments target L3.
Customer critiques folded in
- “No Microsoft AI gateway — must go off-stack for the egress plane.” Corrected and confirmed false: Azure API Management AI Gateway is GA with token governance, semantic caching, inline content safety, and MCP brokering with Entra/OAuth/JWT authorization14; Entra Internet Access adds GA network-layer prompt-injection and Shadow-AI detection5.
- “The egress gaps are real but narrow.” Confirmed and extended: the three genuine off-stack residuals are MCP tool-integrity/rug-pull (Microsoft concedes no dedicated Azure service8), per-task capability tokens, and A2A authorization beyond identity. All sit at L4–L5+, so none blocks an L3 target.
- “L5 assumes a cadence regulated FIs can’t follow.” The realistic chatbot target (L3) depends only on GA, already-owned Azure controls, so the buyer is not penalized at their actual target level; per-task tokens and mesh sidecars (recent COTS/OSS) sit at L5.
Open questions
- APIM brokers MCP tools only, not resources or prompts; whether tools-only brokering suffices for richer MCP deployments is unresolved, with no announced GA date for the rest.
- The OSS mesh-sidecar path (agentgateway) is pre-1.0; treat the L5 mesh path as maturing, not hardened.
- GCP’s VPC-SC agent-identity egress rules are preview; GA timing matters for GCP buyers who cannot deploy preview features.
- Per-task capability tokens have effectively one early-stage implementation — the single-vendor concentration mirrors the D1 AIUC-1 concern.
- No standard A2A authorization rule pack exists; behavioral A2A drift detection is research-stage.
D2→D5 dependency cap
D5’s effective score is capped at D2’s raw score (effective(D5) ≤ raw(D2)): per-agent egress cannot be enforced without a per-agent identity to bind policy to. The Microsoft-native nuance sharpens it twice. Entra Agent ID gives per-agent identity, satisfying the D2 prerequisite; but because it is per-agent-identity and not per-task, the L5 “per-task egress capability tokens” criterion is unreachable on-stack, capping the achievable D5 at L4 absent an off-stack token product. For the persona (D2 L2, D5 L2), standing up the GA gateway alone would not raise effective D5 above L2 until per-agent identity is in production. The sequencing consequence: D5 investment is wasted ahead of D2. Stand up per-agent identity first, because the gateway’s per-agent authorization is inert without it. See the dependency rules.
Notes
Footnotes
-
Microsoft Learn — AI gateway capabilities in Azure API Management, 2026. Token-limit, token-metric, semantic caching, content-safety policies; OAuth / credential manager; MCP + A2A (core policies GA; Foundry integration preview). ↩ ↩2 ↩3
-
AWS — AgentCore Gateway and Identity support VPC egress, 2026. Managed egress; OAuth client-credentials for MCP. ↩ ↩2 ↩3
-
Google Cloud — Model Armor + Agent Gateway integration, 2026. Inline prompt/response screening at the agent gateway. ↩
-
Microsoft Learn — Overview of MCP servers in Azure API Management, 2025–2026. GA across classic + v2 tiers; JWT via Entra ID; tools only, not resources/prompts, not in workspaces. ↩ ↩2
-
Microsoft Learn — AI prompt injection protection (Global Secure Access), 2026. Network-layer prompt-injection protection; Shadow-AI detection. ↩ ↩2 ↩3
-
Google Cloud — VPC Service Controls release notes, 2026. Agent Identity as first-class principal in ingress/egress rules (preview). ↩
-
Linux Foundation — agentgateway project, 2026. A2A + MCP + LLM data plane (Apache 2.0); pre-1.0. ↩
-
Microsoft ZT4AI — residual MCP-protection gap, per Microsoft’s OWASP-MCP-for-Azure guidance. ↩ ↩2