MCP Execution Boundary

Pattern classification

• Pattern type: Agentic execution boundary (proposal → execution separation)
• Primary consequence surface: Enterprise state mutation initiated via tool-orchestrated action
• Typical execution boundary: The boundary where a tool call would otherwise trigger a binding change
• Primary admissibility risk: Tool access is mistaken for execution entitlement; authority and constraints are reconstructed after impact
• Canonical admissibility vector: authority / state / constraints / context / evidence

What this pattern describes

Where execution admissibility control must be placed in MCP-style tool-enabled flows so agent intent is treated as a proposal, and execution becomes real only when admissibility resolves at T=0.

Why the boundary matters

Agents can generate and sequence actions faster than institutions can reliably reconstruct authority, context, and constraints after the fact. If execution is permitted and later “explained” or “audited”, authority is inferred rather than proven, state is reconstructed rather than resolved, and constraints are applied after consequence has already bound.

Existing enterprise flow

Illustrative flow:

Agent → Tool call / MCP server → Enterprise system → execution

Where consequence binds

At the point the tool-triggered action commits a consequence-bearing state change inside the enterprise environment.

T=0 admissibility question

“Is this action allowed to become real — right now?”

What must be admissible

• authority
• Who is initiating the action (human principal and delegated agent identity)?
• What delegation, mandate, or authority envelope applies at T=0?
• state
• What current institutional state makes the action valid or invalid?
• What dependencies and preconditions must already be true?
• constraints
• What rules, limits, prohibitions, approvals, and separation-of-duties conditions apply in this situation?
• context
• What workflow, case, objective, or operating mode applies (normal operations vs incident/exception)?
• evidence
• What evidence supports admissibility, and what must be bound to the action so later review can see what was asserted at T=0?

AoR mapping role

Architecture of Record maps where tool-enabled actions can bind consequence (execution/commit surfaces), so the admissibility boundary can be placed deterministically at the right point.

SCIA Runtime role

SCIA Runtime provides the reference architecture for evaluating admissibility at T=0 and producing a typed execution outcome before consequence binds.

Typed public outcomes

• admissible
• admissible with conditions
• escalate
• not admissible
• insufficient information

What this pattern is not

• not model alignment
• not prompt safety
• not agent monitoring
• not tool integration guidance
• not an MCP implementation guide
• not a claim that Arqua integrates directly with MCP deployments

IP boundary

This page describes architectural placement only. It does not disclose implementation methods, schemas, code, protocols, algorithms, runtime scoring, tuple structures, platform configuration, or proprietary Arqua methods.

Next step

Start with one high-consequence workflow. Identify where execution currently binds, then map the T=0 admissibility boundary.

Links:

• Request a Briefing
• Pre-Execution Pressure Test
• Architecture of Record (AoR)

© Arqua Pty Ltd. All rights reserved.