Security and governance are foundational pillars of Agent Interoperability inside Automation Anywhere. Our Model Context Protocol (MCP) implementation is designed with a security-by-design philosophy to ensure that sensitive data, automations, and enterprise assets are protected across Agent-to-Agent and Agent-to-Automations interactions.

Our security framework enforces strict trust boundaries, strong authentication, authorization, encryption, and full auditability, aligned with enterprise and industry security standards.

Zero-Trust security model

The Automation Anywhere Model Context Protocol (MCP) implementation follows a zero-trust architecture, where no user, agent, tool, or connection is implicitly trusted.
  • Every interaction, whether tool discovery, tool invocation, or automation execution, must be explicitly authenticated and authorized.
  • Trust is never assumed based on network location, agent identity, or prior requests.
  • Each request is evaluated independently, with the security checks enforced on every call, so that neither unauthorized access nor lateral movement can be obtained by relying on an earlier decision.
This approach significantly reduces the risk of credential misuse, compromised agents, or unauthorized tool execution.

Secure authentication and identity validation

All users and systems interacting with the Automation Anywhere MCP Server must be authenticated before any operation is allowed.
  • API key–based authentication is used to identify and authenticate MCP clients.
  • Each inbound request validates:
    • The API key
    • The associated user identity
    • The active security context
  • Authentication is performed against the Automation Anywhere Control Room authentication system, ensuring centralized identity enforcement.
  • Authentication is applied per request, not per session, eliminating reliance on long-lived implicit trust.
This ensures that only verified identities can initiate MCP tool calls or automation executions.

User security context and session isolation

The Automation Anywhere MCP implementation enforces strict user security context propagation and session isolation:
  • Every MCP call is executed within the security context of the authenticated user.
  • The Automation Anywhere MCP server does not execute actions with elevated or shared privileges.
  • Automations triggered by third-party AI assistants run as the requesting user, inheriting:
    • That user’s permissions
    • That user’s access restrictions
  • Sessions are logically isolated, ensuring:
    • No cross-user data leakage
    • No shared execution context between different MCP clients or users
This design prevents privilege escalation and ensures least-privilege execution at all times.

Role-Based Access Control (RBAC)

RBAC is enforced at multiple layers of the MCP lifecycle inside the Automation Anywhere platform:
  1. MCP tool creation and management
    • The creation, configuration, and management of MCP inbound tools (from the AI -> Agent connections page) are governed by RBAC.
    • Only users with explicitly assigned roles can:
      • Create MCP inbound tools
      • Modify tool definitions
      • Manage tool exposure to AI assistants
  2. Tool discovery and invocation
    • Every tool discovery and invocation request is validated against the user’s assigned roles.
    • Unauthorized users cannot discover or invoke tools, even if they are aware of tool identifiers.
  3. Automation execution using AI assistants
    • When running automations through AI assistants, users can only access and execute automations that they are authorized for in the Control Room repository.
    • RBAC policies defined in Control Room are strictly enforced during runtime.
This ensures consistent authorization across human users, AI assistants, and automated agents.

Secure communication and data protection

All communication channels within the Automation Anywhere MCP ecosystem are encrypted and secured.
  • TLS 1.2 encryption is used for:
    • MCP client ↔ Automation Anywhere MCP server communication
    • Automation Anywhere MCP server ↔ Automation Anywhere Control Room communication
  • Encryption ensures:
    • Data confidentiality
    • Data integrity
    • Protection against man-in-the-middle (MITM) attacks
  • Sensitive payloads, credentials, and execution metadata are never transmitted in plain text.
This aligns with enterprise security and compliance requirements for data-in-transit protection.
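The data-in-transit controls above, as an added example that is not part of the original page or of the Automation Anywhere code base: a client-side TLS configuration for an MCP client that refuses anything below TLS 1.2 and always verifies the server certificate and host name, placed next to the permissive configuration it replaces, plus a checker that reports why a context is not acceptable. The host name, port, and CA bundle path are placeholders.

```python
# Added example (not Automation Anywhere code): hardened vs. permissive client
# TLS contexts for an MCP client, and a checker that explains what is wrong with
# a context. Host, port and CA bundle path are placeholders.
import socket
import ssl
from typing import List, Optional


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """CERT_REQUIRED and hostname checking come from create_default_context();
    the explicit floor makes TLS 1.0/1.1 offers fail the handshake outright."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """The configuration to avoid: no certificate or hostname verification,
    so any on-path attacker with a self-signed certificate can terminate TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_findings(ctx: ssl.SSLContext) -> List[str]:
    """Return the problems with a context; an empty list means it enforces a
    TLS 1.2 floor and a verified, name-checked peer."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts TLS versions below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked (MITM with any valid cert)")
    return findings


def protocol_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def connect_checked(host: str, port: int = 443) -> ssl.SSLSocket:
    """Open a verified TLS 1.2+ connection to an MCP server (placeholder host);
    a downgraded or unverified peer raises ssl.SSLError instead of connecting."""
    ctx = hardened_client_context()
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print(protocol_floor(hardened_client_context()))   # TLSv1_2
    print(tls_findings(hardened_client_context()))     # []
    print(tls_findings(permissive_client_context()))
```

Run tls_findings() over whatever context an MCP client library exposes before shipping it; the two findings the permissive context produces are exactly the ones that turn "encrypted" into "encrypted to whoever answers".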

Auditing, logging, and governance

The Automation Anywhere MCP implementation provides comprehensive logging for governance, compliance, and forensic analysis.
  • All MCP inbound tool calls are logged, including:
    • User identity
    • Tool invoked
    • Timestamp
    • Execution outcome
  • Logs enable:
    • End-to-end traceability of AI-initiated actions
    • Compliance with regulatory and audit requirements
    • Monitoring and anomaly detection
  • Logging supports governance use cases such as:
    • Security reviews
    • Incident investigation
    • Usage analysis and policy enforcement
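The per-request authentication, user-context execution, RBAC-gated discovery and invocation, and audit logging described in the sections above, as one added example that is not part of the original page or of Automation Anywhere's implementation: a minimal model of an MCP-style inbound tool server. Every request resolves its API key to a user and roles afresh, discovery lists only permitted tools, invocation is refused for a tool the caller is not entitled to even when the identifier is known, the automation runs with nothing but the requesting user's context, and each call leaves an audit record. All API keys, users, roles, tool identifiers, automation names, and the hashed-key store are constructed for the example.

```python
# Added example (not Automation Anywhere code): a model of an MCP-style inbound
# tool server with per-request API-key authentication, role-gated tool
# discovery/invocation, execution in the requesting user's context only, and an
# audit record per call. All keys, users, roles, tools and names are constructed.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def _fingerprint(api_key: str) -> str:
    # Only a digest of each key is kept server-side (hypothetical design choice).
    return hashlib.sha256(api_key.encode()).hexdigest()


# Stand-in for the central identity store (the Control Room in the text).
API_KEYS = {_fingerprint("ak-alice-1"): "alice", _fingerprint("ak-bob-2"): "bob"}
USER_ROLES = {"alice": {"MCP_Tool_User", "Invoice_Ops"}, "bob": {"MCP_Tool_User"}}

# Tool catalogue: roles allowed to discover/invoke each tool, and what it runs.
TOOLS = {
    "invoice_lookup": {"roles": {"Invoice_Ops"}, "automation": "InvoiceLookup"},
    "hr_onboarding": {"roles": {"HR_Ops"}, "automation": "OnboardEmployee"},
}
AUDIT_LOG = []  # records: ts, user, op, tool, outcome


@dataclass(frozen=True)
class SecurityContext:
    """Identity and roles resolved for ONE request; never cached across calls."""
    user: str
    roles: frozenset


def _audit(user: Optional[str], op: str, tool: Optional[str], outcome: str) -> dict:
    rec = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
           "op": op, "tool": tool, "outcome": outcome}
    AUDIT_LOG.append(rec)
    return rec


def authenticate(api_key: str, op: str, tool: Optional[str] = None) -> SecurityContext:
    """Per-request authentication: map the key to a user and that user's roles."""
    user = API_KEYS.get(_fingerprint(api_key))
    if user is None:
        _audit(None, op, tool, "auth_failed")
        raise PermissionError("authentication failed")
    return SecurityContext(user, frozenset(USER_ROLES.get(user, ())))


def _authorized(ctx: SecurityContext, tool_id: str) -> bool:
    tool = TOOLS.get(tool_id)
    # An unknown tool and a tool the caller may not use look identical to the caller.
    return tool is not None and bool(ctx.roles & tool["roles"])


def list_tools(api_key: str) -> list:
    """Discovery returns only the tools the caller's roles permit."""
    ctx = authenticate(api_key, "tools/list")
    visible = sorted(t for t in TOOLS if _authorized(ctx, t))
    _audit(ctx.user, "tools/list", None, "ok")
    return visible


def run_automation(name: str, args: dict, ctx: SecurityContext) -> dict:
    """Stand-in for the automation runtime: it receives only the requesting
    user's context, so there is no elevated or shared identity to run under."""
    return {"automation": name, "run_as": ctx.user, "args": dict(args)}


def call_tool(api_key: str, tool_id: str, args: dict) -> dict:
    """Invocation: authenticate again, authorize against roles, run as the user."""
    ctx = authenticate(api_key, "tools/call", tool_id)
    if not _authorized(ctx, tool_id):
        _audit(ctx.user, "tools/call", tool_id, "denied")
        raise PermissionError(f"not authorized for tool {tool_id!r}")
    result = run_automation(TOOLS[tool_id]["automation"], args, ctx)
    _audit(ctx.user, "tools/call", tool_id, "ok")
    return result


def denied_calls_by_user() -> dict:
    """Monitoring query over the audit log: denied invocations per user, a
    starting point for the anomaly detection the text mentions."""
    counts = {}
    for rec in AUDIT_LOG:
        if rec["op"] == "tools/call" and rec["outcome"] == "denied":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


if __name__ == "__main__":
    print(list_tools("ak-alice-1"))   # ['invoice_lookup']
    print(list_tools("ak-bob-2"))     # []
    print(call_tool("ak-alice-1", "invoice_lookup", {"invoice": "INV-1"}))
    try:
        call_tool("ak-bob-2", "invoice_lookup", {})  # bob knows the id; still denied
    except PermissionError as err:
        print("denied:", err)
    print(denied_calls_by_user())     # {'bob': 1}
```

The two points worth carrying into a real deployment are that authenticate() is called inside every operation rather than once per connection, and that _authorized() is the same check for discovery and for invocation, so the tool list a client sees is never wider than what it can actually call.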

Industry-aligned security controls summary

Security aspect       MCP implementation
Zero Trust            Explicit authentication and authorization for every request
Authentication        API key–based, validated against the Control Room
Session isolation     Per-user execution context, no shared sessions
Authorization         Multi-layer RBAC enforcement
Least privilege       Automations run only with the requesting user's permissions
Encryption            TLS 1.2 for all communication
Auditability          Full logging of MCP inbound tool calls
This layered, defense-in-depth security model ensures that Automation Anywhere Agent Interoperability using MCP is safe, governable, and enterprise-ready, while enabling controlled collaboration between AI assistants, agents, and automation assets.