Google Cloud Adds Agent-Level Perimeters For Enterprise AI Workloads
Google Cloud has added VPC Service Controls features for agentic AI, including agent identities in perimeter rules, MCP attribute controls and native protection for Gemini Enterprise Agent Platform instances.
Google Cloud Extends VPC Service Controls To Agents
Google Cloud has added VPC Service Controls capabilities for agentic AI workloads, giving enterprises more granular perimeter controls as autonomous agents connect to tools, datasets and cloud services.
The update treats agent identity as a first-class control point.
Administrators can place agentic identities inside service perimeter ingress and egress rules through standard IAM principals.
A single principal can map to one agent, while a principalSet can apply consistent and auditable access policies across a fleet of agents.
Google Cloud says the design lets administrators revoke a compromised agent's access at the network perimeter.
That changes the control model for enterprise AI teams because agent access is no longer governed only by broad service accounts or application-level permissions.
MCP Attributes Narrow Tool Access
The update also brings Model Context Protocol attributes into VPC Service Controls.
Conditional access rules can now use fields such as mcp.toolName, mcp.method and mcp.tool.isReadOnly.
Google Cloud used a Workspace MCP example to explain the boundary.
An organization could grant an agent read access to a Workspace MCP server while denying the ability to send emails.
The example is narrow, but it addresses a common enterprise concern: agents may need to inspect information without gaining permission to trigger actions that move data or contact external parties.
VPC Service Controls is also now natively integrated with the Gemini Enterprise Agent Platform.
When administrators include Agent Platform as a protected service inside a VPC-SC perimeter, public internet access to that Agent Platform instance is blocked without extra configuration overhead.
Perimeters Address Data Movement, Not Just Identity
Google Cloud framed the product update as a layered AI security model.
IAM and Principal Access Boundaries govern who can access resources.
Next-generation network firewalls and VPC Service Controls govern data movement across boundaries.
Organization Policy and other resource controls set broader configuration limits.
The distinction matters for agentic workloads because agents can follow prompts, call tools and trigger cloud operations.
A compromised agent may still hold valid IAM credentials, so an identity check alone may not identify an abnormal action.
The company described three threat scenarios mapped to the OWASP Top 10 for LLM Applications.
In one case, an indirect prompt injection tries to make an agent summarize internal data and send it to an external webhook.
VPC-SC blocks the API-layer transfer when the destination sits outside the defined perimeter.
Enterprise AI Teams Still Need Deployment Discipline
The update gives cloud security teams more precise enforcement around AI agents, but it does not remove the work of defining perimeters, mapping agent identities and deciding which tools should be read-only.
It also does not replace IAM, firewalls or organization policies; Google Cloud positions VPC-SC as the destination-based layer among those controls.
Mercado Libre project lead Juan Pablo Boschi said the company uses VPC Service Controls across hundreds of Google Cloud projects to maintain network-level security controls and keep data protected in its cloud environment.
For CIOs and security teams, the remaining implementation burden is concrete: each production agent needs a mapped identity, a perimeter rule, an MCP tool policy where relevant and a destination boundary that blocks data movement outside approved projects.
