Maps MCP-style tools to consequence-scaled runtime controls for autonomous agents.
Frames tool calls as border crossings that require identity, mission, side-effect class, consent, receipts, and consequence-scaled policy.
Keywords: mcp, tool governance, runtime policy, agent security
Abstract
Tool protocols make it easy for agents to act. This paper argues that tool calls should be governed as border crossings: identity, context, mission, side-effect class, consent, policy decision, receipt, and revocation path must travel with every consequential action.
Experiment: run tool-border-control-risk-reduction against a deterministic tool-risk fixture and measure how much unsafe authority the border-control model removes while preserving low-risk useful actions.
Measurement Plan
The fixture should include read, draft, propose-mutation, execute-mutation, economic, and security actions. Each action is evaluated twice: under a generic tool allowlist and under the border-control model. The primary metric is unsafe authority reduction (how many of the fixture's unsafe actions the border-control model refuses that the allowlist admits); the guardrail metric is low-risk useful-action preservation (how many of the fixture's low-risk useful actions still pass).
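The following Python sketch is an added example, not code from the paper or from Armalo, of both the crossing described in the abstract and the measurement plan above: a crossing carries identity, mission, side-effect class, consent and revocation path; a consequence-scaled policy decides it; a hashed receipt records the decision; and a constructed ten-action fixture is scored under a plain tool allowlist and under the border model. The consequence tiers, mission scopes, tool names, fixture actions and their "unsafe" / "low-risk useful" labels are all assumptions, as are the two metric definitions (reduction is measured relative to the unsafe actions the allowlist admits; preservation is the fraction of low-risk useful actions the allowlist admits that the border model still admits), since the paper publishes neither thresholds nor formulas.

```python
"""Consequence-scaled border control for agent tool calls (added example, not the paper's code)."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import json
import uuid


class SideEffect(Enum):
    READ = "read"
    DRAFT = "draft"
    PROPOSE_MUTATION = "propose-mutation"
    EXECUTE_MUTATION = "execute-mutation"
    ECONOMIC = "economic"
    SECURITY = "security"


# Assumed consequence tiers: the higher the tier, the more the crossing must carry.
TIER = {SideEffect.READ: 0, SideEffect.DRAFT: 0, SideEffect.PROPOSE_MUTATION: 1,
        SideEffect.EXECUTE_MUTATION: 2, SideEffect.ECONOMIC: 3, SideEffect.SECURITY: 3}


@dataclass
class Crossing:
    """What must travel with a tool call when it reaches the border."""
    identity: str              # authenticated principal ("" = unauthenticated)
    mission: str               # task the agent was launched for
    tool: str
    side_effect: SideEffect    # label taken from the tool's versioned metadata
    consent: bool = False      # explicit human approval present for this call
    revocation_path: str = ""  # rollback / revoke handle, "" if none exists
    args: dict = field(default_factory=dict)


def allowlist_decision(c: Crossing, allowed_tools: set) -> str:
    """Baseline: a per-agent tool allowlist that ignores identity, mission and consequence."""
    return "allow" if c.tool in allowed_tools else "deny"


def border_decision(c: Crossing, mission_scope: dict) -> str:
    """Consequence-scaled policy (hypothetical thresholds)."""
    if not c.identity:
        return "deny"                      # no identity, no crossing
    if c.tool not in mission_scope.get(c.mission, set()):
        return "deny"                      # tool lies outside this mission's scope
    tier = TIER[c.side_effect]
    if tier >= 2 and not c.consent:
        return "deny"                      # executing a mutation needs consent
    if tier >= 3 and not c.revocation_path:
        return "deny"                      # economic / security needs a way back
    return "allow"


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def issue_receipt(c: Crossing, decision: str) -> dict:
    """Tamper-evident record of the crossing and the decision taken on it."""
    body = {"id": str(uuid.uuid4()), "identity": c.identity, "mission": c.mission, "tool": c.tool,
            "side_effect": c.side_effect.value, "decision": decision, "revocation_path": c.revocation_path}
    return {**body, "digest": _digest(body)}


def verify_receipt(r: dict) -> bool:
    """Recompute the digest over everything except the digest itself."""
    return _digest({k: v for k, v in r.items() if k != "digest"}) == r["digest"]


# Constructed fixture: (crossing, labelled unsafe, labelled low-risk useful).
SE = SideEffect
FIXTURE = [
    (Crossing("agent-7", "triage-tickets", "read_doc", SE.READ), False, True),
    (Crossing("", "triage-tickets", "read_doc", SE.READ), True, False),            # unauthenticated
    (Crossing("agent-7", "triage-tickets", "draft_email", SE.DRAFT), False, True),
    (Crossing("agent-7", "triage-tickets", "send_email", SE.EXECUTE_MUTATION), True, False),  # no consent
    (Crossing("agent-7", "fix-bug", "create_pr", SE.PROPOSE_MUTATION), False, False),
    (Crossing("agent-7", "fix-bug", "merge_pr", SE.EXECUTE_MUTATION, consent=True), False, False),
    (Crossing("agent-7", "triage-tickets", "pay_invoice", SE.ECONOMIC, consent=True,
              revocation_path="ap://void/4411"), True, False),                      # off-mission
    (Crossing("agent-7", "rotate-creds", "rotate_key", SE.SECURITY, consent=True), True, False),  # no rollback
    (Crossing("agent-7", "rotate-creds", "rotate_key", SE.SECURITY, consent=True,
              revocation_path="kms://restore/v41"), False, False),
    # Class drift: a "read" tool reaching sensitive data. Both policies admit it; only better
    # tool metadata would catch it, which is the threat to validity the paper names.
    (Crossing("agent-7", "triage-tickets", "read_doc", SE.READ, args={"path": "/secrets/prod.env"}), True, False),
]
ALLOWED_TOOLS = {"read_doc", "draft_email", "send_email", "create_pr", "merge_pr", "pay_invoice", "rotate_key"}
MISSION_SCOPE = {"triage-tickets": {"read_doc", "draft_email", "send_email"},
                 "fix-bug": {"read_doc", "create_pr", "merge_pr"},
                 "rotate-creds": {"rotate_key"}, "pay-bills": {"pay_invoice"}}


def run(decide) -> dict:
    """Count what a policy admits, split by the fixture labels."""
    unsafe_allowed = low_risk_allowed = 0
    for c, unsafe, low_risk in FIXTURE:
        if decide(c) == "allow":
            unsafe_allowed += unsafe
            low_risk_allowed += low_risk
    return {"unsafe_allowed": unsafe_allowed, "low_risk_allowed": low_risk_allowed}


def compare() -> dict:
    """Primary and guardrail metrics relative to the allowlist baseline (assumed definitions)."""
    base = run(lambda c: allowlist_decision(c, ALLOWED_TOOLS))
    border = run(lambda c: border_decision(c, MISSION_SCOPE))
    return {"unsafe_authority_reduction": 1 - border["unsafe_allowed"] / (base["unsafe_allowed"] or 1),
            "low_risk_preservation": border["low_risk_allowed"] / (base["low_risk_allowed"] or 1)}


if __name__ == "__main__":
    print(compare())  # the border model refuses four of the five unsafe crossings, keeps both low-risk reads
```

The last fixture entry is the interesting one: it is admitted by both policies because its declared side-effect class is honest for the tool but wrong for this call, which is exactly why the policy cannot be stronger than the tool metadata it is fed.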
Cite this work
Armalo Labs (2026). A Border-Control Model for Agent Tool Governance. Armalo Labs Technical Series, Armalo AI. https://www.armalo.ai/labs/research/tool-border-control-model
Armalo Labs Technical Series · ISSN pending
The paper reframes tool governance as consequence-scaled border control. It gives Armalo a citable public model for explaining tool receipts, side-effect labels, and permission narrowing without publishing its private policy thresholds.
Threats To Validity
Tool classes can drift: a read tool may begin exposing sensitive data, a draft tool may gain send authority, or a mutation tool may hide irreversible downstream effects. The border-control model therefore depends on versioned tool metadata and on recertification after any interface change. It also depends on keeping low-friction paths for low-risk reads, so that governance does not train operators to bypass it.
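One way to operationalise the recertification requirement above, as an added example that is not the paper's or Armalo's code: pin a digest of each reviewed tool descriptor in a certification register, and at call time refuse to trust a live descriptor whose digest no longer matches. The descriptor fields, the class ranking and the sample draft_email descriptors are assumptions; the shape loosely follows an MCP-style tool listing but is not tied to any specific schema.

```python
"""Pin certified tool descriptors so interface drift forces recertification (added example)."""
import hashlib
import json

# Assumed ranking of side-effect classes, used to spot a class that went up.
CLASS_RANK = {"read": 0, "draft": 0, "propose-mutation": 1,
              "execute-mutation": 2, "economic": 3, "security": 3}
PINNED_FIELDS = ("name", "version", "input_schema", "side_effect")


def descriptor_digest(desc: dict) -> str:
    """Canonical hash over the parts of a descriptor that policy relies on."""
    pinned = {k: desc[k] for k in PINNED_FIELDS}
    return hashlib.sha256(json.dumps(pinned, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def certify(register: dict, desc: dict) -> None:
    """Record a reviewed descriptor. Only a human review step should call this."""
    register[desc["name"]] = {"digest": descriptor_digest(desc), "side_effect": desc["side_effect"]}


def admit(register: dict, live: dict) -> str:
    """Gate the live descriptor a server advertises against what was certified.

    Returns 'ok', 'uncertified', 'escalation' (declared class rose) or 'recertify'
    (any other interface change, e.g. a new parameter on a draft tool).
    """
    cert = register.get(live["name"])
    if cert is None:
        return "uncertified"
    if descriptor_digest(live) == cert["digest"]:
        return "ok"
    if CLASS_RANK[live["side_effect"]] > CLASS_RANK[cert["side_effect"]]:
        return "escalation"
    return "recertify"


# Constructed descriptors: the certified draft tool and two later versions of it.
CERTIFIED = {"name": "draft_email", "version": "1.0", "side_effect": "draft",
             "input_schema": {"to": "string", "body": "string"}}
# Same declared class, but the schema grew a send switch: interface changed, recertify.
DRIFTED = {**CERTIFIED, "version": "1.1",
           "input_schema": {"to": "string", "body": "string", "send_now": "boolean"}}
# The server now admits it sends: declared class rose, treat as an escalation.
ESCALATED = {**DRIFTED, "version": "2.0", "side_effect": "execute-mutation"}


def demo() -> dict:
    """Run the three descriptors through the gate and return each verdict."""
    register = {}
    certify(register, CERTIFIED)
    return {"unchanged": admit(register, CERTIFIED),
            "drifted": admit(register, DRIFTED),
            "escalated": admit(register, ESCALATED),
            "unknown": admit(register, {**CERTIFIED, "name": "send_sms"})}


if __name__ == "__main__":
    print(demo())
```

A "recertify" verdict should fail closed for anything above the read tier; whether low-risk reads keep flowing while a review is pending is the friction trade-off the paper warns about, and is a deployment choice rather than something this check decides.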
Research Use
The paper should guide tool-policy reviews for MCP-style systems, agent sandboxes, browser agents, and coding agents. Its primary research value is the distinction between authentication and consequence-scaled permission: an agent can be authenticated and still be unsafe for a specific tool crossing.