Your AI Agent Is Leaking PII Through Tool Calls. Here's Proof.
Most agents pass raw PII directly to third-party MCP tool servers. Zero tokenization. Zero audit trail. If you're running autonomous agents in production, the data says you probably have this problem right now — and don't know it.
The Invisible Data Path
Here's how a typical agent workflow handles a customer request: the user provides their name, email, phone number, and maybe a credit card. The LLM processes it. Then the agent calls a tool — a calendar API, a CRM, a payment processor — and forwards that PII in plaintext through the Model Context Protocol.
The MCP specification doesn't inherently carry user context. The tool server can't differentiate between users, can't enforce per-user access controls, and receives whatever the agent sends. Every data category — PII, credentials, financial data — can be accessed and forwarded externally in a single workflow at machine speed.
This isn't theoretical. It's the default behavior of nearly every agent framework shipping today.
The Numbers Are Worse Than You Think
The 2026 data paints a clear picture of how badly the industry is failing at agent data governance:
- Only 38% of enterprises monitor AI traffic end-to-end — prompts, tool calls, and outputs. The other 62% have blind spots in their agent data flows.
- PII leakage via AI outputs is a top risk, flagged by 27% of organizations in the Kiteworks 2026 Forecast.
- Shadow AI breaches disproportionately compromise customer PII at 65%, versus the 53% global average for traditional breaches.
- 63% of breached organizations either lack an AI governance policy or are still developing one. Of those that do have a policy, only 34% perform regular audits.
- Breach cost premium: shadow AI incidents cost an average of $670,000 more than traditional breaches, with detection taking 247 days on average.
The pattern is consistent: agents are moving data faster than security teams can track, and PII is the primary casualty.
Why Traditional DLP Doesn't Work Here
Data Loss Prevention was built for a world where humans copy files and send emails. Agent tool calls break every assumption DLP relies on:
Speed and volume. An agent can make hundreds of tool calls per minute. Traditional DLP inspection can't keep up without becoming a bottleneck that defeats the purpose of automation.
Context loss. DLP policies rely on classifying data at rest or in transit through known channels. MCP tool calls are dynamic, programmatic, and route through arbitrary endpoints. There's no email attachment to scan — the PII is embedded in a JSON payload sent to a tool server the security team may not even know exists.
NER limitations. Even when organizations try to detect PII programmatically, standard NER models trained on natural language struggle with structured data formats. Sensitive items split across multiple tokens create false negatives. Regex and lookup tables catch known formats but miss context-dependent PII like medical conditions mentioned in free text.
The result: your existing security stack was not designed for this threat model.
The Fix: Intercept Before It Leaves
The architecture that works is an interception layer that sits between your agent and its tools — tokenizing PII before it reaches any external service, and de-tokenizing only when strictly necessary on the return path.
This is exactly what VeriSwarm Guard does.
Guard PII Tokenization
Guard uses Presidio NER to detect and tokenize PII before it reaches LLMs or tool servers. Names, emails, phone numbers, SSNs, credit cards, medical record numbers — Guard identifies them and replaces them with reversible tokens. The tool server sees [PERSON_1] instead of "Jane Smith." The LLM reasons over the token. The original value is restored only in the final response to the authorized user.
This isn't post-hoc scanning. It's inline interception — the PII never leaves your infrastructure in plaintext.
Guard Proxy: Transparent MCP Interception
Guard Proxy sits between your agents and their MCP tool servers, intercepting every tool call for:
- PII filtering — tokenize sensitive data before it hits the tool server
- Policy enforcement — block tool calls that violate your data handling rules
- Prompt injection scanning — detect and block injection attempts flowing through tool parameters
- Audit logging — every tool call is recorded in Vault with what was sent, what was tokenized, and what was returned
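The tokenization flow described above (detect, replace with a reversible token, forward, restore on the return path) as an added example; this is constructed illustration code, not VeriSwarm's or Guard's own implementation. It assumes regexes as a stand-in for the Presidio NER pass and a session-supplied list of known values (such as the signed-in user's name) for free-text PII the regexes cannot catch; `proxy_tool_call` and `send` are hypothetical names.

```python
import re
# Constructed stand-ins for the NER pass: regexes for structured PII plus
# session-known values (e.g. the signed-in user's name) for free-text PII.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "CREDIT_CARD": re.compile(r"\b(?:\d{4}[ -]){3}\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}

def walk(obj, fn):
    """Apply fn to every string in a JSON-like payload, nested params included."""
    if isinstance(obj, dict):
        return {k: walk(v, fn) for k, v in obj.items()}
    if isinstance(obj, list):
        return [walk(v, fn) for v in obj]
    return fn(obj) if isinstance(obj, str) else obj

class TokenVault:
    """Reversible token map; lives inside your infrastructure, never in the call."""
    def __init__(self, known=None):
        self.known = known or {}          # e.g. {"PERSON": ["Jane Smith"]}
        self.forward, self.reverse, self.counts = {}, {}, {}
    def token_for(self, kind, value):
        if value not in self.forward:     # same value always maps to the same token
            self.counts[kind] = self.counts.get(kind, 0) + 1
            self.forward[value] = f"[{kind}_{self.counts[kind]}]"
            self.reverse[self.forward[value]] = value
        return self.forward[value]
    def tokenize(self, payload):
        def redact(text):
            for kind, values in self.known.items():
                for value in values:
                    text = text.replace(value, self.token_for(kind, value))
            for kind, pattern in PATTERNS.items():
                text = pattern.sub(lambda m, k=kind: self.token_for(k, m.group(0)), text)
            return text
        return walk(payload, redact)
    def detokenize(self, payload):
        # Restore originals only on the return path, inside the trust boundary.
        def restore(text):
            for token, value in self.reverse.items():
                text = text.replace(token, value)
            return text
        return walk(payload, restore)

def proxy_tool_call(vault, tool, params, send):
    """Tokenize params, forward them, restore the reply; also return what was sent."""
    outbound = vault.tokenize(params)     # this is the auditable record, not params
    return vault.detokenize(send(tool, outbound)), outbound
```

The tool server only ever receives `outbound`, so a server-side log or a compromised server holds tokens; the mapping needed to reverse them never leaves the vault.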
Three deployment modes, depending on your security posture:
- Cloud-hosted — point your agent at a VeriSwarm URL. Zero infrastructure on your side.
- Docker (on-prem) — run Guard Proxy in your own environment. Data never leaves your network.
- Local (stdio) — for development and testing. Same filtering, local execution.
Vault: The Audit Trail You'll Need
Every PII interception is logged in Vault's immutable, hash-chained ledger. When an auditor asks "where did this customer's data go?" — you have a cryptographically verifiable answer. Chain verification detects any tampering. Exports map directly to GDPR Article 30 record-of-processing requirements.
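A hash-chained ledger of the kind described above, as an added example (constructed illustration, not Vault's own format or code). Each entry commits to the previous entry's hash, so editing, deleting or reordering any record breaks verification from that point on; `AuditLedger`, `records_for` and the entry field names are assumptions.

```python
import hashlib
import json
import time

GENESIS = "0" * 64

def entry_hash(entry):
    """SHA-256 over canonical JSON, so field order cannot change the digest."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

class AuditLedger:
    def __init__(self):
        self.entries = []

    def append(self, tool, sent, tokenized, ts=None):
        """Record one intercepted call. `sent` holds tokens, never plaintext PII."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts if ts is not None else time.time(),
                "tool": tool, "sent": sent, "tokenized": tokenized, "prev_hash": prev}
        self.entries.append({**body, "hash": entry_hash(body)})
        return self.entries[-1]["hash"]

    def verify(self):
        """Return (ok, first_bad_seq): recomputes every link from genesis."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or entry_hash(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def records_for(self, token):
        """Answer 'where did this subject's data go?' without touching plaintext."""
        return [e["tool"] for e in self.entries if token in json.dumps(e["sent"])]
```

A chain only proves integrity relative to its head: anchor the latest hash somewhere append-only outside the ledger's own storage, otherwise an attacker who can rewrite the whole file can simply recompute every link.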
Deploy It Today
Guard Proxy requires zero changes to your agent code. Point your MCP client at Guard Proxy instead of directly at the tool server. Guard Proxy forwards the call — minus the PII — and returns the response. Your agent doesn't know the difference.
Here's what changes:
Before Guard Proxy:
Agent → {"name": "Jane Smith", "email": "jane@example.com"} → Tool Server
After Guard Proxy:
Agent → Guard Proxy → {"name": "[PERSON_1]", "email": "[EMAIL_1]"} → Tool Server
The tool server gets what it needs to function. It doesn't get what it doesn't need to have.
Sign up at veriswarm.ai — Guard and Guard Proxy are available on the Max plan. Vault audit logging is included. If you're not sure whether your agents are leaking PII, start with Gate on the free tier to get visibility into your agent inventory and event flow. You'll see the problem. Then you'll want Guard.
VeriSwarm is agent trust infrastructure. Gate scores behavior. Guard secures tool calls. Passport verifies identity. Vault proves it all happened. Start free at veriswarm.ai.