Parameter-Level Authorization for AI Agents: Enforcing Policy on Live MCP Tool Calls
Tetrate Agent Router Enterprise and Ory enforce dynamic, parameter-level authorization on live MCP tool calls, with step-up approval for high-risk agent actions.
Enterprises are moving AI agents out of demos and into real business workflows, and they’re hitting a control problem that allow-lists can’t solve. An agent that’s allowed to call a tool can also call it with the wrong arguments. The same refund tool that handles a $50 credit can issue a $50,000 one. The same records API that returns a single patient file can export the whole table. The tool is approved. The risk lives in the parameters.
Today we’re announcing a joint solution with Ory that puts policy exactly where that risk lives: on the live request, down to the individual parameters of each MCP tool call.
Visibility isn’t enforcement
Most MCP runtimes answer one question: which tools can this agent see or call? That’s useful, and it’s also where most of them stop. Once a tool is on the allow-list, the runtime steps aside and the call goes through with whatever arguments the model produced.
Step-up authorization for AI agents is a different model. A gateway evaluates every live tool call, and when a request crosses a defined risk threshold, it pauses the call, triggers an authentication and approval flow, issues short-lived elevated access, and records the full approval path before the call proceeds. The decision isn’t made once at connection time. It’s made on each request, against the actual content of that request.
That shift, from static visibility to dynamic enforcement, is the difference between knowing an agent could call a tool and controlling how it does so on any given call.
Two layers, two jobs
Securing AI agents in production takes two distinct layers, and they have different jobs.
The authorization layer decides what an agent or user is actually permitted to do. Ory treats agents as first-class identities, issues and manages their tokens through Ory Hydra (OAuth 2.0 and OIDC), and expresses least-privilege policy through Ory Keto. This is where “who is this agent, and what is it allowed to do” gets answered.
The runtime enforcement layer applies those decisions to live traffic. Tetrate Agent Router Enterprise sits in the path of every call an agent makes to models, tools, and enterprise services, and enforces Ory’s policies there, including which request parameters are allowed, not just which tools. When a call exceeds a risk threshold, Tetrate pauses it, runs the step-up flow through Ory, and forwards the request only once elevated access has been granted.
The hard part isn’t controlling which tools an agent can access. It’s controlling how it uses them, down to the parameter level, across a globally distributed gateway.
How it works: a refund that needs a human
Walk through a customer-support agent that can issue refunds.
A routine $40 refund comes in. The agent calls the refund tool, Tetrate evaluates the request against the policy in Ory Keto, the amount is within bounds, and the call goes straight through. No friction, no human in the loop.
Now the agent tries to refund $7,500. Same tool, same agent, different parameter. This time the amount crosses the threshold the policy defines. Tetrate intercepts the call before it reaches the MCP server and triggers step-up: a human approver authenticates with a passkey and approves that specific action. Ory issues a short-lived, scoped token representing the approval. Tetrate forwards the now-authorized call, and the elevated grant expires right after, either after a single use or on a short timer. Every stage, the request, the approval, the execution, and the expiry, lands in an audit trail.
The agent never holds standing permission to move large amounts of money. It earns that permission, briefly, for one call, with a person accountable for it.
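The walkthrough above, reduced to a gateway-side decision function. This is an added illustration, not Tetrate or Ory code: the tool name `issue_refund`, the 1000 threshold, the 60-second lifetime, the decision labels and the in-memory grant store (standing in for the short-lived token Ory issues) are all assumptions.

```python
import json, secrets, time

# Hypothetical policy: tool name -> guarded parameter and step-up threshold.
POLICY = {"issue_refund": {"param": "amount", "step_up_above": 1000}}
GRANT_TTL = 60  # seconds an approval stays valid (assumed value)

def refund_call(amount):
    """Constructed MCP tools/call request for the hypothetical refund tool."""
    return {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": "issue_refund",
                       "arguments": {"amount": amount, "order_id": "ORD-EXAMPLE"}}}

class Gateway:
    def __init__(self, clock=time.time):
        self.clock, self.grants, self.audit = clock, {}, []

    @staticmethod
    def _bind(agent, params):
        # An approval covers one agent, one tool and one exact argument set.
        return json.dumps([agent, params.get("name"), params.get("arguments")], sort_keys=True)

    def _log(self, decision, agent, params):
        self.audit.append((decision, agent, params.get("name"), params.get("arguments")))
        return decision

    def approve(self, approver, agent, call):
        """Stand-in for step-up: run only after the approver has authenticated."""
        grant = secrets.token_urlsafe(16)
        self.grants[grant] = (self._bind(agent, call["params"]), self.clock() + GRANT_TTL)
        self.audit.append(("approved", approver, agent, call["params"]["name"]))
        return grant

    def decide(self, agent, call, grant=None):
        params = call.get("params") or {}
        name = params.get("name")
        rule = POLICY.get(name) if isinstance(name, str) else None
        if call.get("method") != "tools/call" or rule is None:
            return self._log("deny", agent, params)       # default deny
        value = (params.get("arguments") or {}).get(rule["param"])
        if isinstance(value, bool) or not isinstance(value, (int, float)) or value <= 0:
            return self._log("deny", agent, params)       # missing or malformed amount
        if value <= rule["step_up_above"]:
            return self._log("allow", agent, params)      # within bounds, no friction
        bound = self.grants.pop(grant, None)              # single use: consumed on lookup
        if bound and bound[0] == self._bind(agent, params) and self.clock() < bound[1]:
            return self._log("allow_elevated", agent, params)
        return self._log("step_up_required", agent, params)
```

Because the grant is bound to the exact arguments, an approval for one amount cannot be replayed for a larger one, and a second attempt with the same grant falls back to step-up.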
Tetrate Agent Router Enterprise provides continuous runtime governance for GenAI systems. Enforce policies, control costs, and maintain compliance at the infrastructure layer — without touching application code.
Why parameter-level control is the hard part
Plenty of systems can gate tool access. Far fewer can reason about the arguments. Parameter-level control is what lets a single policy say “refunds are fine up to $X, approval required above it” instead of forcing a blunt choice between blocking the refund tool entirely or trusting the agent with unlimited amounts.
Because Tetrate enforces this at the gateway, the policy stays consistent across providers, regions, and environments, and it doesn’t depend on each agent or MCP server implementing controls correctly on its own. You define the policy once in Ory and enforce it everywhere through Tetrate.
A foundation that’s already in production
The solution runs on Tetrate’s Envoy-based AI gateway. Envoy AI Gateway is an open source project already used in production by organizations like Bloomberg, and Tetrate is a major contributor to both Envoy and Envoy Gateway.
The partnership also has a proof point built in: Ory was a Tetrate customer first. Ory migrated the infrastructure behind its global IAM and CIAM platform to Tetrate Enterprise Gateway for Envoy, a move that cut its resource use by 40 percent and improved its operations and observability. Running a distributed Envoy traffic layer at that scale, for a company that manages billions of identities, is the same capability now extended to securing AI agents.
Frequently asked questions
What is parameter-level authorization for AI agents?
It’s enforcement that evaluates not just which tool an agent calls, but the arguments it passes. A policy can allow a tool for low-risk inputs and require approval for high-risk ones, based on the actual content of each request.
How is this different from MCP tool allow-lists?
Allow-lists decide tool visibility once, at connection time. This solution evaluates every live call against policy, so the same tool can be permitted or escalated depending on the parameters and risk of each individual request.
Do I have to modify my agents or MCP servers?
No. Enforcement happens at the Tetrate gateway, in the path of agent traffic, so policy applies consistently without changing agent or server code.
What identity and token standards does it use?
Ory Hydra issues and manages OAuth 2.0 and OIDC tokens for agent and user identity, including the scoped, short-lived tokens that carry step-up approvals into runtime enforcement.
Where does the policy live?
Policies are defined in Ory Keto and enforced by Tetrate Agent Router Enterprise on live traffic at the gateway.
See it on your own traffic
The joint solution is available now. If you’re putting AI agents into production and need dynamic, parameter-level control over what they can do, book a demo with the Tetrate team. We’ll also be showing the partnership at Identiverse 2026.