OWASP Top 10 for agentic AI 2026: what a local, outbound-free architecture actually mitigates

Until now the AI-security debate centred on individual assistants: a chat window, a prompt injection, a data leak. With agentic AI, the attack surface changes fundamentally. Agents act autonomously, call tools, chain steps and communicate via the Model Context Protocol (MCP) with other servers. In December 2025, OWASP released the first dedicated ranking for this: the Top 10 for Agentic Applications (Version 2026) with the risks ASI01 to ASI10.

The honest question for regulated companies is not "does local AI make us immune?" but "which of these risks does a local, outbound-free architecture actually mitigate — and which not?". That is exactly what we clarify, backed by two real incidents.

What is the OWASP Top 10 for Agentic Applications 2026?

It is the first dedicated OWASP ranking for agentic AI, published in December 2025 (Version 2026) by the OWASP GenAI Security Project and developed with more than 100 experts. It defines ten risks — from Agent Goal Hijack through tool misuse and supply chains to rogue agents — specifically for autonomous agents with tools and MCP, not just for individual chat assistants.

For accurate framing: the official announcement carries the date 9 December 2025; the launch took place in London at the London Agentic Security Summit (OWASP GenAI Security Project), in the same week as Black Hat Europe 2025. It is the first numbered agentic Top 10 — not OWASP's first publication on agentic AI (there was already "Agentic AI – Threats and Mitigations" before).

The ten risks ASI01–ASI10 at a glance

The ranking structures the agentic risks as follows:

• ASI01 Agent Goal Hijack – the agent is diverted from its goal via manipulated input.
• ASI02 Tool Misuse and Exploitation – legitimate tools are misused or exploited.
• ASI03 Identity and Privilege Abuse – excessive or abused agent permissions.
• ASI04 Agentic Supply Chain Vulnerabilities – weaknesses in tools, servers and dependencies.
• ASI05 Unexpected Code Execution (RCE) – unintended code execution along the agent chain.
• ASI06 Memory and Context Poisoning – poisoning of the agent's memory and context.
• ASI07 Insecure Inter-Agent Communication – insecure communication between agents.
• ASI08 Cascading Failures – cascading failures across chained steps.
• ASI09 Human-Agent Trust Exploitation – exploitation of the trust between human and agent.
• ASI10 Rogue Agents – agents that have gone out of control or are malicious.

Anyone who wants to understand individual assistants and the "lethal trifecta" will find the basics in our article on how AI assistants become a data leak. This article extends the picture to autonomous agents plus tools plus MCP.

How do agentic risks differ from classic AI assistants?

Individual assistants are vulnerable to prompt injection plus the lethal trifecta: data access, untrusted content and an exfiltration channel. Agents go further: they act autonomously, call tools, chain steps and communicate via MCP with other servers and agents. This creates new risk classes — tool misuse, identity and privilege abuse, supply-chain and code-execution risks, and cascading failures.

The difference is not academic. As soon as an agent may call a tool, a manipulated input becomes not just a wrong answer but an unintended action — a file access, an API call, a pull request. The question shifts from "what does the model say?" to "what does the agent do in my name?".

Which of these risks does a local, outbound-free architecture actually reduce?

Above all the infrastructure and access risks. ASI04 supply chain and ASI05 code execution largely fall away when no external MCP servers are reachable; ASI02 tool misuse and ASI03 privilege abuse can be markedly reduced through least privilege. It does not solve ASI01 Agent Goal Hijack — that is the honesty limit. This framing is Lokalaise analysis, mapped onto the OWASP taxonomy, not an OWASP statement.

ASI04/ASI05 – supply chain and code execution: the CVE-2025-6514 case

What does the CVE-2025-6514 case concretely show? JFrog discovered an OS command injection with CVSS 9.6 (Critical) in the npm package mcp-remote (CWE-78, affecting 0.0.5 to 0.1.15, fixed in 0.1.16, published on 9 July 2025). It allows full remote code execution on the client — but only when the client connects to an untrusted remote MCP server, or is exposed to a man-in-the-middle over http.

JFrog describes it as the first time "that full remote code execution is achieved in a real-world scenario on the client operating system when connecting to an untrusted remote MCP server" — mcp-remote had been downloaded over 437,000 times at that point. The vendor mitigation reads, verbatim: "Only connect to trusted MCP Servers, using HTTPS (secure connection)." It is exactly this precondition — an untrusted server or an unprotected http connection — that falls away with an internal, vetted, outbound-free MCP posture.

ASI02/ASI03 – tool and privilege misuse: why least privilege matters

On 26 May 2025, Invariant Labs disclosed a prompt-injection "toxic agent flow" against the official GitHub MCP server: a malicious public GitHub issue made the agent pull data from private repositories and leak it via a pull request in a public repo. Invariant stresses that this is "not a flaw in the GitHub MCP server code itself, but rather a fundamental architectural issue" — GitHub alone cannot resolve it through a server-side patch. Recommended countermeasures: least privilege on repo access and limiting to one repository per session.

Important: the GitHub MCP incident is not a CVE but a disclosed architectural weakness. And the "Goal Hijack" label is our mapping onto the OWASP taxonomy (ASI01/ASI02/ASI03), not Invariant's own terminology. The case shows both at once: with minimal rights and tight scoping the damage shrinks — but the trigger remains a prompt injection.

Where does the honesty limit lie? ASI01 Agent Goal Hijack

Here network isolation only helps to a limited extent. The driver of ASI01 is prompt injection, for which OWASP states, in the entry LLM01:2025: "Given the stochastic influence at the heart of the way models work, it is unclear if there are fool-proof methods of prevention for prompt injection." The GitHub MCP case proves it in practice: a malicious issue can hijack a clean, correctly programmed agent.

An outbound-free architecture blocks the exfiltration — sending the data out — but not the hijack itself. That is a strong damage limitation, not a silver bullet. Anyone who promises the opposite is overreaching. The effective countermeasures are not network-technical alone, but least privilege, one repository per session and a deliberate governance of agents — no vendor patch solves ASI01.

How real is the problem? MCP vulnerabilities in numbers

The community-maintained Vulnerable MCP Project listed, as of 26 June 2026, 50 documented MCP vulnerabilities, of which 13 were rated Critical, 30 High and 7 Medium. The range runs from the oldest entry (session IDs in URLs, March 2025) to the most recent (TypeScript SDK cross-client data leak, CVE-2026-25536, February 2026). Because the database is live, these numbers are a snapshot.

That the topic counts in the German-speaking world too is shown by two specialist sources: the leading IT publication heise online ran a background feature by Udo Schneider (Trend Micro) on 7 May 2026, and Kaspersky.de published a guide built entirely on the OWASP ASI Top 10 on 5 February 2026. The framework is therefore not a US niche topic.

Which OWASP ASI risks a local architecture mitigates

The "reduced?" column is Lokalaise analysis based on the OWASP taxonomy — not an OWASP statement. And for completeness: even beyond the network question, what Palo Alto Networks (not OWASP) summarises holds — mitigating agentic risk requires coordinated controls across visibility, identity, data, supply chain and runtime behaviour.

What Lokalaise concretely does

Lokalaise targets exactly the reducible risk classes — without over-promising on ASI01. A grounded AI platform on your own hardware connects data through a permission-aware knowledge layer, runs a vetted internal tool and MCP inventory (ASI02/ASI03/ASI04), assigns least-privilege agent identities and keeps every action traceable in the audit trail. With no outbound connection and air-gap capability, the precondition for supply-chain and code-execution incidents like CVE-2025-6514 falls away (see Security & data sovereignty).

For regulated industries — the AEC beachhead as well as healthcare, law and finance — this means: agentic AI can run on your own hardware, where it is removed from the largest attack surface. It is the same logic we have described from other angles — from data security when using AI in construction to the sovereignty question. To be clear: Lokalaise is an enabler, not legal advice, and the OWASP Top 10 is a voluntary framework, not a law.

Your next steps

Three questions show how large your agentic risk is:

1. Inventory: Do you know which tools and MCP servers your agents may call — and whether these are internal and vetted?
2. Rights: Do your agents run with minimal rights and tight scoping, or with broad access "just in case"?
3. Exfiltration: Is there an outbound channel through which a hijacked agent could send data out — and is it structurally closed?

Where you hesitate, a closer look pays off. In a short demo we show you how a local, permission-aware agent architecture structurally shrinks the reducible ASI risks — and names honestly where the operator's responsibility remains.