Authorization for LLM Tool Schemas: Formal Model with Noninterference Guarantees [pdf]

Researcher Andrew Gauger has published a formal academic paper proposing a new authorization model for AI tool schemas that prevents language models from even seeing capabilities they are not permitted to use. The work addresses a real security gap in the Model Context Protocol, ...

Andrew Gauger, writing in a self-published academic paper hosted on his GitHub pages site, has proposed a formal security model that would change how large language models are shown tool capabilities based on who is asking. The paper, titled "Type-State Authorization for LLM Tool Schemas: A Formal Model with Noninterference Guarantees," targets a specific and underappreciated flaw in how the Model Context Protocol works today, one that has received almost no public attention despite the protocol's growing role as the connective tissue between AI agents and the software tools they operate.

Why This Matters

The Model Context Protocol is becoming the de facto standard for AI agent tool integration, and the security assumptions baked into its current design were built for single-user scenarios, not enterprise multi-tenant deployments. The vulnerability Gauger identifies is not theoretical: every time an LLM agent can see a tool it cannot legally call, you have an information leak, and information leaks in AI systems tend to compound in strange ways that human-operated systems do not. The broader AI agent tooling ecosystem, which now includes hundreds of MCP-compatible servers and AI tools from major vendors, is scaling fast enough that a foundational authorization flaw left unaddressed now becomes exponentially harder to fix at year three of adoption.

The Full Story

The Model Context Protocol works by letting AI clients, typically LLM agents, ask a connected tool server what it can do. The server responds with a list of tool definitions, each containing a name, a natural-language description, and a JSON Schema object that specifies how to call the tool and what it returns. The problem Gauger identifies is straightforward: every user connected to the same server sees the exact same list of tools, regardless of what that user is actually authorized to . This creates two distinct problems that Gauger carefully separates. The first is operational: an LLM that can see a tool it cannot call will sometimes try to call it anyway, generating errors at runtime. That is annoying but recoverable. The second problem is more serious. The schema itself, the names, the field types, the descriptions, acts as an information channel. Even if every unauthorized invocation is rejected at execution time, the fact that a privileged capability exists has already been disclosed to the model, and through the model's outputs, potentially to the user. You cannot uninform an LLM about something it has already read.

Gauger's proposed solution is what he calls schema-level authorization. Instead of serving a static schema to every principal, the server computes a projected version of the schema tailored to each user's specific capability set. The projection function strips out every tool element that the requesting user is not authorized to see, and Gauger proves mathematically that the result satisfies a noninterference property. In plain terms, noninterference means that the projected schema a user receives is identical whether or not a privileged capability exists on the server. An unauthorized user cannot infer the existence of capabilities they cannot access, because those capabilities leave no trace in their view of the system.

The mathematical proof proceeds by structural induction over schema elements and situates the result within a flat security lattice in the sense described by Dorothy Denning's foundational 1976 work on information flow. Gauger then takes the implementation further by encoding the authorization check as a type-state in the Rust programming language. A zero-sized phantom type called Proof serves as a compile-time witness that a given capability has been verified. Because the type is zero-sized, it erases at monomorphization and adds zero runtime overhead. The only per-request cost is the capability-set membership test, which is a fast set lookup.

The paper also presents implementations in five programming languages, though the scraped content cuts off before naming all five. Rust receives the most attention because of its type system's expressiveness, but the existence of multi-language implementations suggests Gauger is aiming for practical adoption rather than purely academic contribution.

Key Details

• Andrew Gauger authored the paper, publishing it via his personal GitHub Pages academic site.
• The flaw targets the Model Context Protocol's tools/list discovery endpoint, which currently serves identical schemas to all connected clients regardless of authorization level.
• Gauger identifies 2 distinct problems: LLM hallucinated invocations of unauthorized tools, and information disclosure of privileged capability names and types.
• The noninterference proof uses structural induction and references Dorothy Denning's lattice-based security model from her foundational information-flow research.
• The Rust implementation uses a zero-sized phantom type called Proof, which adds zero runtime overhead by erasing at monomorphization.
• Implementations are provided in 5 programming languages.
• The paper was discussed on Hacker News under item ID 47773288.

What's Next

The immediate question is whether Anthropic, which stewards the Model Context Protocol specification, will take note of this work and incorporate schema-level authorization into a future version of the spec. Developers building production MCP servers for enterprise deployments should not wait for a spec update and can implement per-principal schema projection today using the patterns Gauger describes. Watch for follow-on work that tackles the harder problem of dynamic capability sets, where user permissions change mid-session.

How This Compares

Compare this to how OAuth 2.0 scopes work in traditional API authorization. OAuth solved the "what can you see and call" problem for human-operated REST APIs by attaching scope lists to access tokens and refusing calls that exceed those scopes. But OAuth scopes have always been about invocation control, not schema visibility. A developer building against a scoped API can still read the full API documentation and know every endpoint exists. Gauger's proposal extends the authorization boundary one layer earlier, to the point of schema discovery itself, which is the correct instinct for systems where the client is a language model rather than a human developer.

The work also sits in interesting contrast to efforts from companies like Okta and AWS IAM that have built sophisticated permission systems for cloud resources. Those systems are mature and well-understood, but none of them were designed with LLM agents as first-class clients. The broader AI agents news cycle has been full of stories about prompt injection and tool misuse, but very few researchers have focused on the schema-discovery layer specifically. Gauger is working in a genuinely underexplored corner.

Finally, compare this to the emerging work on capability-based security for AI agents coming out of academic groups at places like CMU and MIT. That body of research tends to be more theoretical. Gauger's contribution stands out because he pairs a rigorous formal proof with concrete, multi-language implementations and a direct critique of a specific, widely deployed protocol. That combination is rare and makes the paper more actionable than most security formalism you will find in this space.

FAQ

Q: What is the Model Context Protocol and why should I care? A: The Model Context Protocol, developed by Anthropic, is a standard JSON-RPC interface that lets AI agents discover and call external tools, similar to how a web browser talks to servers. It is becoming the standard plumbing for AI agent systems, which means security flaws in the protocol affect any organization running AI agents connected to business tools.

Q: What does noninterference mean in plain English? A: Noninterference is a formal security property that guarantees a user cannot learn anything about capabilities they are not authorized to access, not even whether those capabilities exist. Gauger proves that his projection function satisfies this property, meaning the schema a restricted user sees looks exactly the same whether privileged tools are present on the server or not.

Q: Can developers implement this today without waiting for a protocol update? A: Yes. Gauger provides implementations in 5 programming languages that developers can adopt in their own MCP server code right now. The guides at AI Agents Daily cover MCP server setup if you need background before diving into the paper's implementation sections.

The security foundations of AI agent infrastructure are being written right now, and work like Gauger's is the kind of foundational thinking that determines whether those foundations hold under real enterprise pressure. Authorization at the schema level is a small idea with large consequences for anyone running multi-tenant AI systems. Subscribe to the AI Agents Daily weekly newsletter for daily updates on AI agents, tools, and automation.

This story matters because it signals a shift in how AI agents are being adopted across the industry. We are tracking this development closely and will report on follow-up impacts as they emerge.

Get stories like this daily

Free briefing. Curated from 50+ sources. 5-minute read every morning.