[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-83718-en":3,"doc-seo-83718-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},83718,4398048949847,"Eliana","https://ap-avatar.wpscdn.com/avatar/400002536579ef2da7f?_k=1778318612642679267",6,"Technology","Securing Multi-Tool AI Agent Chains With Dynamic Real-Time Compositional Policies","Modern AI agent systems chain multiple tools at runtime, creating security risks that per-tool guardrails cannot reliably prevent once tools are composed. The Dynamic Security Control Compositor (DSCC) introduces a two-phase compositional defense: session-time policy composition using a Most Restrictive Set algorithm with a monotonicity invariant, plus session-level taint tracking. Runtime monitoring revokes sessions when accumulated data exposure would violate composed policies. A reference implementation over 32 tools and 16 NIST SP 800-53 aligned policies is evaluated under clearance and taint modes, showing substantial blocking of incompatible tool combinations.","Securing Multi-Tool AI Agent Chains With Dynamic, Real-Time  \nCompositional Policies  \nChris Schneider 1 Kriti Faujdar2 Philipp Schoenegger 1 Ben Bariach 1  \n1 Microsoft AI 2 Microsoft  \narXiv :2607 .03423v 1 [ cs .CR] 3 Jul 2026  \nAbstract  \nModern AI agent implementations such as frontier coding agents chain multiple tools at runtime that create a security surface that per-tool guardrails are unable to address, as individually permitted tools can violate organizational policies when composed. We propose the Dynamic Security Control Compositor (DSCC), a two phase approach to compositional security for multi-tool agent chains. In Phase 1, at session checkout, a Most Restrictive Set (MRS) algorithm composes per-tool security policies into a single effective policy for the full chain with a formal monotonicity invariant that extending a chain can only tighten the result, blocking incompatible combinations before any tool executes. Outputs of any tool call propagate their classification constraints into a session-level taint state, so subsequent invocations must satisfy the most restrictive classification constraints seen so far on the chain. In Phase 2, at runtime, the system tracks the sensitivity of data the agent touches through a monotonic taint state and revokes the session if the accumulated exposure would make a subsequent tool call a policy violation. Together, these two phases provide defense in depth, where static composition prevents unsafe chains from starting, and runtime taint tracking catches violations that emerge from the specific data used. We then provide a reference implementation on a catalog of 32 tools governed by 16 NIST SP 800-53 aligned policies and evaluate it under two composition modes. In the default clearance mode, permitted combinations are partitioned into classification-level clusters, blocking 79.2% of policy pairs and 95 . 5% of triples. The alternative taint mode admits mixed-classification chains within the exfiltration boundary, blocking 42 . 5% and 60 . 5% respectively. Lastly, we discuss the governance implications for organizations deploying multi-tool agents, includingthe utility-security tradeoff and the changes needed to operationalize chain-aware policies.  \n1 Introduction  \nLarge language model agents can invoke external tools, ranging from reading files and calling APIs to sending messages and executing code. This has been shown by Schick et al. [1] to be able to be done autonomously with models as early as GPT-J. Later, Yao et al. [2] then demonstrated that interleaving reasoning with tool actions substantially improves metrics such as hallucination rates, error propagation, and interpretable output, leading to improved performance and applicability. This has contributed to the widespread application of LLMs  \nacross a large set of knowledge work due to the added capabilities and reduced error rates. Subsequent work then scaled tool use to thousands of real-world APIs [3, 4], leading to modern deployed agentic coding tools such as GitHub Copilot [5], Claude Code [6], and Codex [7], which give LLMs direct access to a substantial number of file systems, shells, and web APIs, making multi-tool composition a standard mode of operation in pursuit of the user goals, which often include a wide range of sometimes low-level computer operations. Moreover, as agent teams, cross-ecosystem invocations, and agent-swarms become more common-place and capabilities increase even further, the total number of tools and tool chains used in each session is likely to increase dramatically.  \nWe argue that this creates a security surface that current safeguards are not well designed to address and that is likely to become more pressing in the near future. Consider a simple example: a file-reading tooland an [HTTP client](HTTP client) each pass their individual security checks, but when composed, an agent can read an internal document and POST its contents to an external server. Neither tool is prohibited","cbCaibgM1Ap8ry9F","https://ap.wps.com/l/cbCaibgM1Ap8ry9F","pdf",873365,1,13,"English","en",105,"# Abstract\n# Introduction\n## Security risks from tool composition\n## Related work on multi-tool attacks and vulnerabilities\n# DSCC architecture overview","[{\"question\":\"Why do per-tool security guardrails fail for multi-tool AI agent chains?\",\"answer\":\"Each tool may pass its own checks in isolation, but the policy violation can emerge only after composing tools, enabling actions like internal data exfiltration or access-control mismatches.\"},{\"question\":\"How does DSCC enforce compositional security in Phase 1?\",\"answer\":\"At session checkout, DSCC uses a Most Restrictive Set (MRS) algorithm to compose per-tool security policies into a single effective policy for the entire chain, with a monotonicity invariant that can only tighten results when extending the chain.\"},{\"question\":\"What additional protection does DSCC add in Phase 2 during runtime?\",\"answer\":\"DSCC tracks data sensitivity through a monotonic taint state, and revokes the session if the accumulated exposure would make a subsequent tool call violate the composed policy.\"}]",1784189958,33,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"securing-multi-tool-ai-agent-chains-with-dynamic-real-time-compositional-policies","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/technology/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/securing-multi-tool-ai-agent-chains-with-dynamic-real-time-compositional-policies/83718/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"Why do per-tool security guardrails fail for multi-tool AI agent chains?","Question",{"text":75,"@type":76},"Each tool may pass its own checks in isolation, but the policy violation can emerge only after composing tools, enabling actions like internal data exfiltration or access-control mismatches.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How does DSCC enforce compositional security in Phase 1?",{"text":80,"@type":76},"At session checkout, DSCC uses a Most Restrictive Set (MRS) algorithm to compose per-tool security policies into a single effective policy for the entire chain, with a monotonicity invariant that can only tighten results when extending the chain.",{"name":82,"@type":73,"acceptedAnswer":83},"What additional protection does DSCC add in Phase 2 during runtime?",{"text":84,"@type":76},"DSCC tracks data sensitivity through a monotonic taint state, and revokes the session if the accumulated exposure would make a subsequent tool call violate the composed policy.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,113,118,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":111,"slug":112},50,"technology",{"id":114,"doc_module":4,"doc_module_name":45,"category_name":115,"show_sort_weight":116,"slug":117},7,"Healthcare",40,"healthcare",{"id":119,"doc_module":4,"doc_module_name":45,"category_name":120,"show_sort_weight":121,"slug":122},8,"Research & Report",30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":45,"category_name":137,"show_sort_weight":106,"slug":138},19,"General","general"]