Beyond the Model: Context, Harnesses, and the New AI Security Boundary

For the past few years, most AI security conversations have focused on the model. Teams worried about prompt injection, jailbreaks, hallucinations, model alignment, and data leakage. Security researchers explored ways to manipulate model behavior while vendors raced to improve safeguards and reduce risk. Those concerns remain important.

But over the last year, something significant has changed.

Modern AI systems are no longer isolated chat interfaces responding to prompts. They retrieve information from enterprise knowledge bases, maintain memory across sessions, invoke tools through MCP, interact with APIs, browse websites, coordinate with other agents, and increasingly perform actions on behalf of users.

In other words, they don’t simply generate responses anymore.

They execute workflows.

That shift has important security implications. The model is no longer operating alone. It now exists within a larger ecosystem of context, memory, retrieval systems, tools, and orchestration frameworks.

Together, these components determine what information an agent sees, what it believes, what it can access, and ultimately what actions it performs.

As organizations embrace agentic systems, the security boundary is expanding beyond the model itself. And increasingly, one of the most important components in that ecosystem is the agent harness.

From Prompts to Actions

Early AI applications were relatively simple. A user submitted a prompt. A model generated a response. The interaction ended.

Security discussions naturally focused on the prompt and the model because those were the primary components of the system.

Prompt Injection: The SQL Injection of the AI Era

Today’s agentic systems operate differently.

A modern agent may retrieve information from a vector database, load memories from previous interactions, access external tools through MCP, analyze repositories, coordinate with other agents, evaluate possible actions, and then execute a workflow.

The model remains important, but it is no longer the entire system.

The harness increasingly becomes the runtime environment that coordinates everything around it.

That includes:

Loading context and specifications
Retrieving memory
Invoking tools
Managing MCP connections
Coordinating subagents
Applying policies and approvals
Executing actions

The model contributes reasoning.

The harness turns that reasoning into behavior.

This distinction is becoming increasingly important because most of the highest-risk activities occur after the model has generated a response.

Models Reason. Harnesses Act.

One observation keeps surfacing across modern agent platforms. Models rarely perform dangerous actions directly. Harnesses do.

The model doesn’t deploy infrastructure.
The model doesn’t create pull requests.
The model doesn’t modify production databases.
The model doesn’t send emails.
The model doesn’t invoke tools.

The harness does.

This may seem like a subtle architectural distinction, but it fundamentally changes how we think about AI security. For years, we’ve focused on influencing model behavior.

Today, attackers are increasingly interested in influencing execution.

That means understanding how context enters the system, how trust is established, how decisions are made, and how actions are ultimately performed.

Can an attacker influence the harness into performing an action?

Context Poisoning Meets Runtime Execution

Over the past year, we’ve seen growing awareness around prompt injection, retrieval poisoning, memory corruption, adversarial RAG attacks, and malicious embeddings. While the technical details differ, these attacks share a common objective. They attempt to influence what the model believes to be true.

Consider a seemingly simple scenario.

An AI agent has access to:

Internal documentation
Ticketing systems
Git repositories
MCP tools
Cloud infrastructure

A malicious instruction is embedded inside a ticket, wiki page, retrieved document, or memory store. The instruction appears legitimate. The model incorporates it into its reasoning. The harness then executes the resulting action. The vulnerability was not a software flaw.

The vulnerability was misplaced trust.

This is why prompt injection is evolving from a content problem into an execution problem. The more capable the harness becomes, the greater the potential impact of compromised context.

The New AI Supply Chain

Security teams have spent years learning how to secure software supply chains.

We scan packages.
We verify dependencies.
We track provenance.
We monitor third-party components.

Agentic systems introduce a similar challenge. The difference is that the supply chain increasingly consists of context and runtime dependencies rather than code alone.

Five Ways Humans Accidentally Make AI Dangerous

Modern agent ecosystems rely on:

Retrieval systems
Vector databases
Memory stores
MCP servers
Agent skills
Tool providers
External APIs
Shared context platforms

Each component contributes information that may influence behavior. Each becomes a trust boundary. A poisoned package can compromise an application. A poisoned context source can compromise an agent’s decision-making process.

The attack looks different. The outcome may be remarkably similar.

Why MCP Changes the Risk Profile

One of the most important developments in agentic systems has been the emergence of Model Context Protocol. MCP dramatically simplifies how agents discover and interact with tools, resources, and external systems.

The benefits are obvious.

Agents become significantly more useful when they can access repositories, cloud platforms, databases, ticketing systems, browsers, and operational tooling. The challenge is that every MCP connection introduces a new trust relationship.

Each MCP server potentially provides:

Context
Capabilities
Permissions
Execution paths

A compromised MCP resource may influence reasoning. A compromised MCP tool may influence execution. This is one reason MCP security is rapidly becoming a critical component of enterprise AI governance.

MCP Security: Tools, Risks, and Best Practices

As organizations expand their MCP ecosystems, harness security and MCP security become increasingly intertwined.

Compliance Is Catching Up

Security is only part of the conversation. Compliance teams are beginning to ask many of the same questions.

How do we audit autonomous actions?
How do we demonstrate accountability when decisions are influenced by dynamically retrieved context?
How do we prove that governance controls were consistently applied?

Frameworks such as ISO 42001, NIST AI RMF, SOC 2, HIPAA, and GDPR increasingly require organizations to demonstrate visibility, accountability, and risk management.

Design-Time DevSecOps: Security Before the First Commit

The challenge is that traditional compliance approaches were designed for deterministic systems.

Agentic systems are different.

Context changes.
Memory evolves.
Retrieval results vary.
Agent behavior adapts.

This is one reason the harness is becoming so important.

It is often the most logical location for policy enforcement, approval workflows, observability, audit collection, and governance controls.

Securing the Harness

If the harness is becoming a primary security boundary, organizations need to treat it accordingly. The good news is that many familiar security principles still apply. The difference is where those controls are enforced.

Several areas deserve particular attention:

1. Context Governance

Organizations must understand where context originates, how it is validated, and what level of trust it deserves before influencing decisions.

2. Tool Governance

Least privilege remains essential. Agents should have access only to the tools and capabilities necessary for their intended purpose.

3. Memory Governance

Persistent memory introduces new risks around trust, retention, auditing, and lifecycle management.

4. Runtime Policy Enforcement

Guardrails should constrain actions even when context becomes compromised.

5. Observability and AgentOps

Organizations need visibility into plans, retrievals, memory usage, tool invocations, evaluations, and execution traces.

Without visibility, trust becomes impossible.

Beyond Sandboxes: Layered Security for AI Agent Infrastructure

The Future of AI Security

Over the past several years, AI security has largely focused on models. That focus made sense because the model sat at the center of the system. Today, the system is much larger.

Agents operate within ecosystems of context, memory, retrieval pipelines, MCP resources, tools, orchestration frameworks, and runtime execution layers.

As a result, the security conversation is evolving. The next phase of AI security will focus less on protecting models and more on protecting the systems that surround them.

Context governance.
Harness security.
Runtime policy enforcement.
Agent observability.
Execution accountability.

These are rapidly becoming the foundations of enterprise AI security.

Conclusion

We’ve spent years securing code. More recently, we’ve learned how to secure models. The next challenge is securing the systems that surround those models.

Context.
Memory.
MCP resources.
Agent harnesses.
Runtime workflows.

These components increasingly determine how AI systems behave in the real world. The organizations that succeed will recognize that the security boundary has expanded far beyond the model itself. Because in modern agentic systems, compromise doesn’t necessarily begin when code executes.

It begins when trust is misplaced.

~~~

This post is part of my AI Security & Development series, where I explore emerging security challenges across AI, cloud, and modern web platforms. If this topic interests you, check out my previous work on Cloud Architecture and DevOps for deeper technical insights.

💡Follow me for more practical perspectives on AI, security, and scalable system design. 🚀

My TOC; Exploring Cloud Architecture, DevOps, Blockchain & AI