Agent Firewalls Are Here: Lock Down AI Agents with Google Model Armor, AWS AgentCore Policy, and Microsoft Agent 365 [7‑Day Plan]

Agents moved from demos to production headlines this week. Google launched managed MCP servers with Model Armor (an agent‑aware firewall) and an Interactions API; AWS shipped AgentCore Policy and Evaluations; Microsoft is rolling out Agent 365 to manage fleets like digital employees. This playbook turns that news into a concrete, one‑week rollout.

Sources: Google’s managed MCP servers + Model Armor, Deep Research + Interactions API, AWS AgentCore Policy/Evals, Microsoft Agent 365, AAIF open standards.

Why this matters now

• Agents can act. OS‑ and desktop‑level control plus API access means agents can move money, update records, and trigger deploys—great for speed, risky for security.
• The ecosystem is converging on a control plane. Registries, identity, policy, and telemetry are no longer optional; they’re being productized (Agent 365, AgentCore) and standardized (AAIF, MCP).
• Attack surface is real. Browser/desktop agents are vulnerable to prompt injection and data exfiltration without guardrails. See TechCrunch’s overview of agent security risks.

What is an “agent firewall” in 2026?

Think of it as a new layer that sits between your agents and the outside world. It combines four controls:

1. Identity: Every agent has its own verifiable identity and least‑privilege credentials.
2. Policy: Every tool/API call is checked against allow/deny/confirm rules before execution.
3. Telemetry: Every step is traced for auditability and rollback.
4. Standards: Connect via MCP and publish predictable instructions so skills remain portable.

Concretely, that looks like Microsoft Entra Agent ID + Agent 365 (registry/identity), AWS AgentCore Policy/Evaluations (real‑time checks and quality), and Google’s managed MCP servers + Model Armor (secure, audited connectors with an agent‑aware firewall).

Ship it in 7 days (copy‑paste plan)

Day 1 — Inventory surfaces and risks

• List your top 10–20 agent tasks (e.g., WISMO, refunds ≤$100, flaky test triage, catalog updates). Note tools touched, data classes (PII/PCI), and blast radius.
• Write three non‑negotiables (e.g., “No PII export,” “No payouts >$100 without HITL,” “No prod deploys without green canary”).

Helpful references: our 10‑step agent security checklist.

Day 2 — Put policy in front of every tool call

• If you’re on AWS, turn on AgentCore Policy and codify allow/deny/confirm rules in plain language (e.g., “Auto‑approve refunds ≤$50; 2FA + human above”).
• Elsewhere, enforce the same checks in your gateway/orchestrator before agents hit Salesforce, Shopify, Slack, or payment APIs.

Day 3 — Register agents and issue identities

• Create a registry (name, owner, environment, scopes, SLA). If eligible, pilot Agent 365 for centralized visibility.
• Issue per‑agent identities (e.g., Entra Agent ID) with least privilege, short‑lived secrets, and lifecycle policies (provision → review → deprovision).

Deep dive: Agent identity blueprint.

Day 4 — Standardize connectors with MCP; add Model Armor

• Expose your internal tools via MCP so agents discover and use them predictably. If you’re on Google Cloud, test the new managed MCP servers for Maps, BigQuery, and GCE; secure with IAM and Model Armor for agent‑aware filtering, logging, and threat defenses.
• If you use Apigee, evaluate the “API → MCP server” translation to reuse your existing quotas, auth, and monitoring.

Context: Google’s managed MCP + Model Armor.

Day 5 — Baseline reliability with evaluations

• Stand up a 25–50 example eval set per workflow and track: success rate, policy compliance, tool selection accuracy, latency, and cost.
• On AWS, enable AgentCore Evaluations (13 prebuilt evaluators). Otherwise, wire OpenAI Evals or your CI to run the suite on every change.

Tutorial: Agent Evals in 7 Days.

Day 6 — Turn on trace‑level telemetry and tripwires

• Emit OpenTelemetry spans for prompts, tool calls, tokens, cost, and policy decisions. Alert on sensitive file reads, high‑risk actions, or unusual egress.
• Add kill switches and auto‑rollback for policy violations; keep canary deploys and feature flags on for any agent that can change state.

Runbook: 14‑day incident‑safe rollout.

Day 7 — Red‑team prompt injection; ship a guarded pilot

• Test agents against untrusted inputs (web pages, PDFs, emails). Verify your policy wall blocks risky actions and your MCP connectors stay least‑privilege.
• Launch two guarded workflows (e.g., refunds ≤$50 with HITL >$50; flaky test fixes via PR only). Review metrics after one week, then expand deliberately.

Example policies you can copy

• Refunds: “Auto‑approve ≤$50; $51–$200 requires 2FA + manager approval; >$200 human‑only.”
• PII: “Mask emails/phones by default; block CSV export unless ticket is escalated + approved.”
• Deploys: “No direct pushes to main; PR + canary (10%) + green tests are mandatory.”

Founder FAQ

Do I have to pick one vendor? No. Use AAIF‑aligned standards (MCP, Agents.md, Goose) so your skills and connectors stay portable across Agent 365, AgentCore, and Google’s stack.

Where do I start if I have no security team? Start with the policy wall, per‑agent identities, and evals. That gets you 80% of the risk reduction in a week.

How do I measure success? Track success rate, policy‑violation rate, median latency, cost per resolution, and human‑handoff rate. Review weekly and tighten policies before expanding autonomy.

What good looks like after 30 days

• Reliability: ≥92% task success on scoped workflows; Safety: zero unauthorized actions; Efficiency: median latency < 90s; Cost: clear cost‑per‑resolution with trend down as skills improve.

Keep going

• If you missed the breaking changes and why they matter, read our roundup on OS‑level agents and the new control plane.
• If you need a governance refresher, start with the security checklist and agent identity blueprint.

---

Want this done‑for‑you? Hire a managed Ninja and ship a governed pilot fast—policy walls, MCP connectors, evals, and dashboards included.

• Browse Ninjas (Customer Support, Blogger, and more)
• See pricing and start a 14‑day pilot
• Talk to HireNinja about an agent firewall for your stack