The Authorization Boundary: Why MCP and AI Gateways Are Necessary—But Not Sufficient—for Regulated Agentic AI

This paper defines the authorization boundary for agentic AI systems operating in regulated environments. As AI agents transition from generating text to producing side effects—writing to databases, submitting regulatory filings, executing transactions—the governance question shifts from "did the agent connect correctly?" to "was the agent's output authorized under governing policy, and can we prove it?"

The paper introduces a distinction between access authorization (identity and scope verification, addressed by OAuth 2.1 and MCP authentication) and action authorization (evidence that a specific output complies with the specific policy version governing it at the time of the event). It argues that the emerging MCP gateway ecosystem—while solving necessary problems of interoperability, traffic management, and operational control—does not produce the independently verifiable decision artifacts that regulated industries require.

The paper presents minimum requirements for evidence-grade governance, including deterministic evaluation under a defined governed state, version-binding with temporal validity, and pre-execution evidence generation gated by effect-token issuance. It introduces five anti-laundering tests for distinguishing genuine deterministic governance from trust-based imitation, and references the Four Tests Standard (4TS), a vendor-neutral conformance specification for verifiable AI systems.

Intended audience: infrastructure architects, compliance officers, and policy makers evaluating governance requirements for enterprise agentic AI deployments.

Keywords: AI governance, agentic AI, Model Context Protocol, MCP, authorization, proof-carrying decisions, deterministic governance, regulatory compliance, Four Tests Standard, AI safety