Mitigate indirect prompt injection risks from Google Cloud MCP

Coding agents are often deployed locally on a user's workstation and access data with authority delegated by the user who controls them. They generally run with all the privileges of that user but, unlike humans, are susceptible to prompt injection that dictates their actions. This poses risks to your infrastructure and data that you should consider.

Agents may erroneously interpret data as instructions, which is sometimes referred to as indirect prompt injection. For instance, a malicious actor may craft malicious prompts, deliver them to a victim directly (e.g., in an email or calendar invitation) or indirectly (e.g., by placing them in Cloud Storage or BigQuery), and wait for the victim's agent to act on them.

To help reduce risk, we recommend you consider the following additional guardrails.

  1. Constrained environment – Run the agents in a constrained environment when possible. A canonical example is to have users bring up agents only on Cloud Workstations, with internet access disabled and without root privileges. We also recommend configuring VPC-SC protections on Cloud Workstations.

  2. Organization Restriction Header – As an alternative, organizations with network security proxies at the boundary of their corporate network can enable the Organization Restriction Header. When deployed, it restricts the set of resources accessible from the corporate network to a particular set of Google Cloud Organizations (such as the home organization of the enterprise), blocking agents (and humans) from accessing resources outside the corporate tenant of Google Cloud. If your organization already uses an egress proxy, it may support this feature out of the box.

  3. Principal Access Boundaries (PAB) – PABs limit the set of resources that a particular set of identities can access. Coding agents can either run as their own identity (for example, a service account or the newly available Agent Identity supported by Vertex AI Agent Engine) or use delegated authority from the user. In either case, PABs can be enabled to restrict access to only the organization's resources, though applying the limit to the human's identity also limits what the human can access.

  4. VPC Service Controls – Organizations that include their corporate network within a VPC Service Controls perimeter are already protected from these risks when the malicious data originates directly from outside the VPC perimeter. Organizations that are concerned about data exfiltration through Google Cloud, including via agents, may want to consider whether VPC Service Controls makes sense in their environment.

  5. Model Armor – Enable Model Armor to detect and block potential prompt injection attacks in data accessed through Google’s managed MCP servers.
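As an added illustration of the Organization Restriction Header in item 2 (example code written for this page, not Google's own code or a Google Cloud client library), the following builds the `X-Goog-Allowed-Resources` value an egress proxy would inject and audits a value the way a defender would when verifying proxy configuration. It assumes the header format documented by Google Cloud (base64-encoded JSON listing the allowed organizations, with `options` set to `strict`) and uses a constructed organization ID.

```python
import base64
import binascii
import json

# Constructed sample organization ID for illustration only; not a real organization.
HOME_ORG = "organizations/123456789012"


def build_org_restriction_header(org_ids):
    """Return the X-Goog-Allowed-Resources value an egress proxy would add.

    Assumed format: base64 of a JSON document listing the allowed
    organizations, with "options": "strict" so requests for resources
    outside those organizations are rejected.
    """
    payload = {"organizations": sorted(org_ids), "options": "strict"}
    encoded = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(encoded).decode("ascii")


def check_org_restriction_header(value, expected_orgs):
    """Audit a header value; an empty findings list means it confines
    requests to exactly the expected organizations in strict mode."""
    findings = []
    try:
        data = json.loads(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return ["header value is not base64-encoded JSON"]
    if not isinstance(data, dict):
        return ["decoded value is not a JSON object"]
    orgs = data.get("organizations")
    if not isinstance(orgs, list) or not orgs:
        findings.append("no organizations listed; header restricts nothing")
    else:
        for org in orgs:
            if not isinstance(org, str) or not org.startswith("organizations/"):
                findings.append(f"malformed organization entry: {org!r}")
            elif org not in expected_orgs:
                findings.append(f"unexpected organization allowed: {org}")
        for org in sorted(set(expected_orgs) - set(orgs)):
            findings.append(f"expected organization not listed: {org}")
    if data.get("options") != "strict":
        findings.append("options is not 'strict'; out-of-org requests may be allowed")
    return findings


if __name__ == "__main__":
    header = build_org_restriction_header({HOME_ORG})
    print("X-Goog-Allowed-Resources:", header)
    print("findings:", check_org_restriction_header(header, {HOME_ORG}))
```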