MCP Server Platform Guides Integrations Features Pricing Docs Blog Contact
← Back to Blog
OWASP Agentic AI March 16, 2026 · 8 min read

OWASP Top 10 for Agentic AI:
PII Risks and Mitigations

OWASP published its Top 10 for Agentic AI in December 2025 — a framework specifically for autonomous AI agents that can take actions, call tools, and chain decisions without per-step human oversight. Unlike the LLM Top 10, the Agentic AI list recognises that agents amplify every PII risk: a single poisoned memory entry or misconfigured tool can leak data across an entire workflow. Here's what each risk means for personal data — and how to mitigate it.

What changed: LLM risks vs. agentic AI risks

The original OWASP LLM Top 10 (2023/2025) focused on risks where a human was still in the loop — prompt injection, training data poisoning, excessive agency. The Agentic AI Top 10 assumes a fundamentally different threat model: the AI is running a multi-step workflow, calling real APIs, writing to real databases, and making decisions faster than any human can review.

The consequence for PII is stark. In an agentic workflow, personal data doesn't just pass through one model — it can be stored in vector memory, forwarded to sub-agents, written to external tools, and logged at each step. Every hop is a potential exposure point.

Scale problem: A single agentic workflow that processes a CRM export can touch 10+ tool calls, 3+ model contexts, and 2–4 memory stores — each a new PII exposure surface. Traditional data handling policies designed for single-model API calls don't address this surface area.

The OWASP Agentic AI Top 10 (2026)

The full list was released in December 2025 as part of OWASP's response to the rapid adoption of autonomous agent frameworks. The top seven entries with direct PII relevance:

ID Risk PII Exposure Mechanism anonymize.dev Mitigation Coverage
AA1 Memory Poisoning Attacker injects malicious data into the agent's long-term memory store. Retrieved in future sessions, causing PII from other users to surface in unrelated responses. Anonymize PII before it enters any memory store. Placeholders in memory — not real names or IDs — cannot be weaponised across user boundaries. Full
AA2 Tool Misuse Agent calls tools (file system, APIs, databases) with real PII in parameters — beyond the intended scope. Tool logs then contain sensitive data. MCP Server intercepts all tool call inputs and outputs, applying operator transformations before PII reaches tool parameters or response payloads. Full
AA3 Privilege Compromise Agent operates with over-broad permissions; PII accessible in one context leaks into another. Credential or token data treated as context and forwarded to sub-agents. Operator configuration restricts which entity types are anonymized per tool call. CREDENTIAL, API_KEY, and PERSON entities redacted before any sub-agent context handoff. Full
AA4 Tool Poisoning A compromised or malicious MCP tool description includes hidden prompt instructions that cause the agent to exfiltrate PII to attacker-controlled endpoints. anonymize.dev anonymizes outbound payloads before they reach the tool — so even a poisoned tool receives placeholders, not real personal data. Full
AA5 Uncontrolled Recursion Agent enters an infinite loop processing documents; each iteration re-analyses PII and logs it — multiplying exposure in audit trails and debug outputs. Partial: anonymization at the input layer ensures each iteration operates on clean data. Loop detection is the application's responsibility. Partial
AA7 Data Exfiltration Agent exfiltrates personal data to external services via tool calls, webhook payloads, or generated code that makes outbound HTTP requests with embedded PII. All outbound tool call parameters are anonymized before dispatch. Real PII is never present in the payload the agent constructs for external services. Full
AA9 Overreliance on Agent Output Agent hallucinates PII values (fabricated names, emails, IBANs) that are treated as real and stored in downstream systems. Deanonymization with stored mapping prevents hallucinated values from being substituted for real PII — only verified original values are restored. Partial

AA1 — Memory Poisoning: the most dangerous PII risk

Memory poisoning tops the OWASP Agentic AI list because it is the hardest to detect and the widest in impact. Unlike a single-turn prompt injection (which affects one response), a poisoned memory entry persists across all future sessions and all users who share the same memory store.

The PII scenario: an attacker submits a document containing a carefully crafted "data about a user" that includes real personal identifiers embedded in apparently innocuous text. The agent extracts these as facts and stores them in its vector memory. In a future session — for a completely different user — the agent retrieves this memory entry when a semantically similar query is made, and the injected PII surfaces in the response.

Mitigation: Anonymize all document content before it reaches any memory store or embedding pipeline. If the stored text contains [PERSON_1] and [EMAIL_1] rather than real values, cross-user contamination is prevented at the structural level — the memory store holds no PII to leak.

AA3 & AA4 — Sensitive Information Disclosure and Tool Poisoning

AA3 (Sensitive Information Disclosure) and AA4 (Tool Poisoning) are the two Agentic AI risks that map most directly to the MCP security crisis of early 2026. The Model Context Protocol has no native authentication, no encryption, and no PII-aware filtering — making it an ideal attack surface for both risks.

Tool Poisoning (AA4) exploits the fact that MCP tool descriptions are trust-implicitly executed by agents. A malicious tool description can instruct the agent to include env:ANTHROPIC_API_KEY or the contents of ~/.ssh/id_rsa in its next tool call — both real vulnerabilities documented in the January–February 2026 CVE disclosures against MCP servers.

The only structural defence against AA4 is ensuring that even if an agent is manipulated into including sensitive content in a tool call payload, that content has been anonymized before it exits the trust boundary. An anonymized payload containing [CREDENTIAL_1] gives an attacker nothing useful.

AA7 — Data Exfiltration: agentic automation as an exfil channel

Traditional data exfiltration required an attacker to actively extract data — gain access, run queries, move data out. Agentic AI inverts this: the agent itself becomes the exfiltration mechanism. A compromised or poorly configured agent with access to customer data and the ability to make outbound HTTP calls (via webhooks, notification tools, or file uploads) can be instructed to forward that data to an attacker-controlled endpoint in a single, auditably normal-looking tool call.

The OWASP AA7 mitigation is twofold: restrict outbound tool permissions, and anonymize all outbound payloads. anonymize.dev addresses the second control — every parameter passed to an outbound tool call is processed through the anonymization pipeline before dispatch.

The Toxic Agent Flow: combining AA1 + AA3 + AA7

The most dangerous agentic PII scenario isn't a single vulnerability — it's a chain. Security researchers have documented what's now called the "Toxic Agent Flow":

  1. AA1 (Memory Poisoning): Attacker poisons the agent's memory with a trigger instruction embedded in a customer document.
  2. AA3 (Privilege Compromise): The trigger activates when a privileged user queries the agent — their session token or context is passed to the poisoned memory retrieval.
  3. AA7 (Data Exfiltration): The memory-retrieved instruction directs the agent to summarise the user's recent documents and POST the summary to an external URL.

The full chain requires no code execution, no vulnerability exploitation, and no network intrusion. It requires only that the agent processes untrusted document content and has sufficient permissions.

Defence-in-depth: No single control stops the Toxic Agent Flow. PII anonymization at the input layer breaks the chain at step 1 — poisoned memory contains no real PII to exfiltrate. Combined with least-privilege tool configuration and human-in-the-loop approval for outbound operations, it is the strongest structural control available.

How anonymize.dev addresses the Agentic AI Top 10

The MCP Server integration model is aligned with the OWASP Agentic AI defensive architecture: treat every AI input and every tool call parameter as untrusted, and apply PII controls at the protocol layer rather than in application code.

Input Layer

  • All prompt content anonymized before model context
  • Document uploads stripped of PII before embedding
  • Memory store writes contain only placeholders

Output Layer

  • Tool call parameters anonymized before dispatch
  • AI responses deanonymized before user sees them
  • Operator log records contain no real PII values

The operator system allows fine-grained control over which entities are anonymized per tool and per workflow step. A financial agentic workflow might use replace for customer names and redact for account numbers — applied consistently across all 7 MCP tools in the integration.

GDPR compliance implications of agentic AI processing

From a GDPR perspective, agentic AI workflows introduce three distinct legal obligations that single-model integrations do not:

  • Data minimisation (Art. 5(1)(c)): Each agent step should process only the personal data necessary for that specific operation. Anonymization at each step enforces data minimisation structurally.
  • Purpose limitation (Art. 5(1)(b)): Data collected for one agentic task must not be repurposed by other agents or memory lookups. Anonymized memory stores cannot be repurposed because they contain no identifiable data.
  • Data processing agreements (Art. 28): Each external tool called by an agent is a separate data processor. If the tool receives PII, a DPA is required. Anonymizing tool inputs may eliminate this requirement for many tools.

EU AI Act intersection: For agentic AI systems classified as high-risk under Annex III of the EU AI Act (healthcare, HR, critical infrastructure), GDPR data minimisation is not just a best practice — it is a conformity requirement. The high-risk provisions become enforceable August 2, 2026. Agentic workflows in these domains must demonstrate PII controls as part of their technical documentation.

Implementation: privacy-as-code for agentic workflows

The practical implementation pattern for OWASP Agentic AI compliance with anonymize.dev is four lines of configuration in your MCP server setup:

Claude Desktop / Cursor / VS Code — mcp config
{
  "anonymize": {
    "command": "npx",
    "args": ["-y", "@anonymize/mcp-server"],
    "env": {
      "ANONYMIZE_API_KEY": "your-key",
      "ANONYMIZE_OPERATORS": "replace"
    }
  }
}

With this configuration, every tool call made by your AI coding agent passes through the anonymize.dev MCP Server. PII in prompts, file reads, and tool outputs is intercepted and replaced before it reaches the model — addressing AA1, AA2, AA3, AA4, and AA7 with a single infrastructure control.

Sources

OWASP Top 10 for Agentic AI — published December 2025. owasp.org

OWASP Top 10 for Large Language Model Applications 2025. owasp.org

EU AI Act — Regulation (EU) 2024/1689. Official Journal of the European Union. eur-lex.europa.eu

GDPR — Regulation (EU) 2016/679. Art. 5, 25, 28, 44. gdpr-info.eu

MCP CVE disclosures, January–February 2026. See: MCP Server Security Vulnerabilities 2026.

Related Articles

MCP Security

MCP Server Security Vulnerabilities 2026

30 CVEs in 60 days. What they mean and how to protect your agentic AI stack.

AI Security

Shadow AI in 2026: How Developers Leak Corporate Data

88% of organisations use AI tools outside IT control. Six leakage channels explained.

Compliance

EU AI Act August 2026 Developer Checklist

Risk tiers, GPAI obligations, and the August 2 deadline explained.

Protect your agentic AI workflows from PII leaks

The anonymize.dev MCP Server addresses AA1, AA2, AA3, AA4, and AA7 with a single infrastructure control — no code changes required.

Start Free MCP Server Docs