Agentic AI Security, Part 6: Threat Modeling, OWASP Agentic Top 10, and Quarterly Review

Modules 18–20 focus on STRIDE-style threat modeling for agentic systems, mitigations aligned with the OWASP Agentic Top 10, and a practical quarterly security review checklist you can adapt to your org.

Threat Modeling with STRIDE for Agentic AI Systems

Original module on ClawQL Docs: Threat Modeling with STRIDE for Agentic AI Systems.

Threat modeling is not a one-time exercise. In agentic MCP platforms, where systems are dynamic and agents can chain tools unpredictably, STRIDE must be a living process that evolves with the platform. This module explains how to apply STRIDE specifically to agentic AI systems.

STRIDE for Agentic Systems

STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is adapted to address the unique risks of MCP, autonomous agents, and multi-backend orchestration.

  • S — Spoofing: Agent identity spoofing via forged session claims or stolen JWTs; model weight impersonation (model-in-the-middle attacks).
  • T — Tampering: Merkle tree manipulation of memory graph or documents; tool call parameter tampering in transit; model weight poisoning.
  • R — Repudiation: Agents denying tool calls or actions; lack of immutable audit trails.
  • I — Information disclosure: PII leakage through logs or MCP responses; cross-tenant or cross-vertical recall exposing restricted data.
  • D — Denial of service: Rogue agent GPU exhaustion; MCP gateway flooding or policy-bypass attempts.
  • E — Elevation of privilege: Agent escaping sandbox to host; privilege escalation via tool chaining or vertical bypass.

Living Threat Model Process

Mature programs treat the threat model as a living artifact:

  • Updated quarterly or on any major change (new integration, new proxy plugin, new MCP tool).
  • Linked directly to controls in your defense-in-depth documentation.
  • Reviewed as part of significant Helm or infrastructure upgrade gates.
  • Stored in version-controlled, signed repositories with full history.

New components (e.g., a new vertical or external MCP proxy) require a STRIDE entry before production deployment.

Gating Deployments with STRIDE

No high-risk production change should ship without:

  • Updated STRIDE analysis for the affected components.
  • Mapping of new threats to existing or new controls.
  • Sign-off from the security owner.

This ensures security scales with platform growth rather than becoming a checkbox.
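As an added illustration (not code from the ClawQL curriculum), the gate above expressed as policy-as-code: a change request ships only if its STRIDE entry postdates the change, every threat in all six categories maps to a control that exists in the defense-in-depth documentation, and a security owner has signed off. The entry schema, control IDs and the sample proxy component are assumptions.

```python
from datetime import date
from typing import Optional

STRIDE = ("S", "T", "R", "I", "D", "E")

def stride_gate_errors(component: dict, entry: Optional[dict], known_controls: set) -> list:
    """Reasons a component fails the STRIDE gate; an empty list means it may ship.
    entry: {"reviewed_on", "signed_off_by", "threats": {cat: [{"threat", "controls"}]}}"""
    name = component["name"]
    if entry is None:
        return [f"{name}: no STRIDE entry; required before production"]
    errors = []
    # Updated analysis: the entry must postdate the change it is meant to cover.
    if entry["reviewed_on"] < component["changed_on"]:
        errors.append(f"{name}: STRIDE entry older than last change")
    for cat in STRIDE:
        threats = entry.get("threats", {}).get(cat, [])
        if not threats:
            errors.append(f"{name}: category {cat} not analyzed")
        for t in threats:
            # Each threat must map to at least one control listed in the DiD docs.
            controls = t.get("controls", [])
            unknown = [c for c in controls if c not in known_controls]
            if not controls:
                errors.append(f"{name}/{cat}: '{t['threat']}' maps to no control")
            elif unknown:
                errors.append(f"{name}/{cat}: unknown controls {unknown}")
    if not entry.get("signed_off_by"):
        errors.append(f"{name}: missing security-owner sign-off")
    return errors

# Constructed sample: a new external MCP proxy and its threat-model entry.
KNOWN_CONTROLS = {"CTL-ATR-JWT", "CTL-MTLS-STRICT", "CTL-WORM-AUDIT",
                  "CTL-PRESIDIO-REDACT", "CTL-RATE-LIMIT", "CTL-KATA-RUNTIME"}
NEW_PROXY = {"name": "external-mcp-proxy", "changed_on": date(2025, 3, 1)}
COMPLETE_ENTRY = {
    "reviewed_on": date(2025, 3, 5), "signed_off_by": "security-owner",
    "threats": {
        "S": [{"threat": "forged session JWT", "controls": ["CTL-ATR-JWT"]}],
        "T": [{"threat": "tool params altered in transit", "controls": ["CTL-MTLS-STRICT"]}],
        "R": [{"threat": "agent denies a tool call", "controls": ["CTL-WORM-AUDIT"]}],
        "I": [{"threat": "PII in proxy logs", "controls": ["CTL-PRESIDIO-REDACT"]}],
        "D": [{"threat": "gateway flooding", "controls": ["CTL-RATE-LIMIT"]}],
        "E": [{"threat": "sandbox escape via proxy", "controls": ["CTL-KATA-RUNTIME"]}],
    },
}
# Same entry but reviewed before the change and with no E analysis: the gate must fail.
STALE_ENTRY = {**COMPLETE_ENTRY, "reviewed_on": date(2025, 1, 10),
               "threats": {**COMPLETE_ENTRY["threats"], "E": []}}
```

Wire `stride_gate_errors` into the CI step that promotes a Helm release; a non-empty list blocks the deployment with the reasons attached to the change record.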

Key Takeaways

STRIDE for agentic systems must address dynamic behaviors like tool chaining, memory recall, and multi-backend routing. Threat modeling must be continuous and tied to deployment gates, not a static document. Every new feature or integration requires explicit threat analysis and control mapping. A living STRIDE model turns security from reactive to proactive across the entire software lifecycle.

This strategic practice ties together all technical controls in this curriculum and prepares the platform for long-term evolution.

Next module: OWASP Agentic Top 10: Mapping Risks to Architectural Controls.

Further reading (vendor-neutral)

These resources are independent of any single product; use them to deepen the topic for audits, architecture reviews, or procurement discussions.


OWASP Agentic Top 10: Mapping Risks to Architectural Controls

Original module on ClawQL Docs: OWASP Agentic Top 10: Mapping Risks to Architectural Controls.

The OWASP Agentic Top 10 highlights the most critical risks in autonomous AI agent systems. These risks apply to any autonomous agent architecture. This module maps each major risk to the specific controls and architecture patterns that mitigate it.

1. Prompt Injection / Jailbreaking

Risk: Malicious instructions that override agent behavior.
Example control patterns: ATR scoping + Panguard synchronous enforcement. Capabilities are restricted at the tool level, not through prompt filtering. Natural language is never the security boundary.

2. Sensitive Information Disclosure

Risk: Leakage of PII, credentials, or proprietary data.
Example control patterns: Presidio redaction in the Fluent Bit pipeline before any log write, combined with GraphQL projection and Memory 2.0 token-budget trimming. Redaction-before-write ensures sensitive data never reaches persistent stores.

3. Privilege Escalation

Risk: Agent gaining unauthorized access to tools or data.
Example control patterns: JWT ATR claims validated on every MCP call, explicit tool scoping per role/vertical, and least-privilege RBAC. Cross-vertical actions require elevated claims.

4. Model Denial of Service

Risk: Resource exhaustion through runaway loops or heavy inference.
Example control patterns: GPU ResourceQuota + LimitRange, Panguard rate limiting, and token-budget controls in Memory 2.0 recall.

5. Supply Chain Vulnerabilities

Risk: Compromised dependencies, images, or model weights.
Example control patterns: Harbor as single trust root with allowlist-only resolution, Cosign keyless signing, golden distroless images, and init-container model weight verification.

6. Insecure Output Handling

Risk: Agent output leading to command injection or unsafe actions.
Example control patterns: Structured tool calling through the intelligent MCP gateway. All outputs are validated and scoped before execution. No raw shell or direct code execution outside Kata sandboxes.

7. Training Data / Memory Poisoning

Risk: Contaminated knowledge graph or RAG corpus.
Example control patterns: Merkle-rooted provenance on every Memory 2.0 ingest, Cuckoo filter deduplication, and Presidio redaction on document intake. Cross-vertical recall requires explicit elevated ATR.

8. Unauthorized Code Execution

Risk: Agent executing arbitrary code.
Example control patterns: Kata Containers as default runtime for all MCP/sandbox workloads, combined with explicit sandbox_exec tool gating and read-only root filesystems.

9. Overreliance on Agent Autonomy

Risk: Blind trust in agent decisions without oversight.
Example control patterns: Human-in-the-loop via HITL approval gates in automation, audit logging of all decisions, and Merkle-rooted workflow trails for full accountability.

10. Multi-Step Tool Chaining Attacks

Risk: Agents chaining tools in harmful sequences.
Example control patterns: Intelligent routing engine with historical success scoring and sensitivity checks, plus Panguard session-level ATR rules that evaluate cumulative risk across chained calls.
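An added example, not Panguard's or ClawQL's code, showing how risks 3 and 10 above can be enforced together at the gateway: each call is checked against the identity's ATR tool scope, cross-vertical tools require an elevated claim, and a session-level budget denies a chain of individually permitted calls once their cumulative sensitivity is exceeded. The tool catalogue, claim names, sensitivity scores and budget are assumptions, and the claims are assumed to be already signature-validated.

```python
from dataclasses import dataclass, field

# Assumed tool catalogue: the vertical that owns each tool and a sensitivity score.
TOOL_CATALOG = {
    "search_docs":   {"vertical": "support", "sensitivity": 1},
    "read_customer": {"vertical": "support", "sensitivity": 3},
    "export_report": {"vertical": "finance", "sensitivity": 4},
    "sandbox_exec":  {"vertical": "eng",     "sensitivity": 5},
}
SESSION_RISK_BUDGET = 6  # assumed: cumulative sensitivity one session may spend

@dataclass
class Session:
    claims: dict                 # validated ATR claims: sub, vertical, tools, elevated
    risk_used: int = 0
    history: list = field(default_factory=list)

def authorize_call(session: Session, tool: str) -> tuple:
    """Decide one tool call; if allowed, charge its sensitivity to the session."""
    spec = TOOL_CATALOG.get(tool)
    if spec is None:
        return False, f"unknown tool {tool}"
    claims = session.claims
    # Per-call ATR check: the tool must be explicitly scoped to this identity.
    if tool not in claims.get("tools", []):
        return False, f"{tool} not in ATR tool scope"
    # Cross-vertical use needs an elevated claim, never just the tool name in scope.
    if spec["vertical"] != claims.get("vertical") and not claims.get("elevated", False):
        return False, f"{tool} belongs to {spec['vertical']}; elevated claim required"
    # Session-level rule: calls that are each allowed can still exceed the budget together.
    total = session.risk_used + spec["sensitivity"]
    if total > SESSION_RISK_BUDGET:
        return False, f"cumulative risk {total} exceeds budget {SESSION_RISK_BUDGET}"
    session.risk_used = total
    session.history.append(tool)
    return True, "allowed"

def run_chain(claims: dict, chain: list) -> list:
    """Evaluate a chained sequence of tool calls, stopping at the first denial."""
    session = Session(claims=claims)
    results = []
    for tool in chain:
        ok, why = authorize_call(session, tool)
        results.append((tool, ok, why))
        if not ok:
            break
    return results
```

A real deployment would log every denial with the session history so the chain that tripped the budget is visible to the SOC, not just the last call.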

Key Takeaways

The architecture mitigates the OWASP Agentic Top 10 through defense in depth rather than single-point solutions. The majority of risks are addressed at the architectural level (ATR scoping, sandboxing, cryptographic provenance) rather than through reactive prompt filtering. Every major risk has multiple overlapping controls from different layers of the stack. This mapping is reviewed quarterly as part of the living STRIDE process (Module 18).

The complete series equips you with both tactical implementation details and strategic understanding of agentic security.

Next module (final): Quarterly Security Review Checklist – Keeping Defense-in-Depth Alive.



Quarterly Security Review Checklist: Keeping Defense-in-Depth Alive

Original module on ClawQL Docs: Quarterly Security Review Checklist: Keeping Defense-in-Depth Alive.

Defense-in-depth is not a set-it-and-forget-it architecture. It requires continuous validation and maintenance. This final capstone guide provides the operational checklist that must be executed quarterly to keep the entire security posture effective over time.

Quarterly Review Cadence

Perform this full review every three months, or after any major change (new vertical, new proxy backend, Helm upgrade, or Kubernetes version bump). Assign a named security owner responsible for completion and documentation.

1. Supply Chain & Image Verification

Verify all running images are pulled from Harbor with valid Cosign signatures. Confirm allowlist-only resolution is enforced and no external registries are in use. Review Trivy/OSV-Scanner results for new critical vulnerabilities. Validate SBOMs exist for all production images and model weights.
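An added example (not ClawQL's or Harbor's code) for the first two checks in this item: it classifies running-pod image references against a Harbor allowlist, treating bare names that resolve to Docker Hub as external even though no host appears in them, and builds the keyless `cosign verify` command for each image. The Harbor host, project name, OIDC issuer and signer identity are assumptions, and the image list is constructed.

```python
import subprocess

HARBOR = "harbor.internal.example"          # assumed Harbor host
ALLOWED_PROJECTS = ("golden",)               # assumed allowlisted Harbor projects
OIDC_ISSUER = "https://token.actions.githubusercontent.com"  # assumed keyless issuer
IDENTITY_RE = r"^https://github\.com/example-org/.+$"       # assumed signer identity

def parse_registry(image: str) -> str:
    """Registry host of an image reference, applying Docker's default resolution.
    A bare name such as 'nginx:1.25' or 'myorg/tool:1' has no host and resolves to
    docker.io, so it is an external registry even though no host appears in it."""
    first = image.split("/", 1)[0]
    if "/" not in image or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first

def allowlist_violations(images: list) -> list:
    """(image, reason) for every image not served from an allowlisted Harbor project."""
    bad = []
    for img in images:
        reg = parse_registry(img)
        if reg != HARBOR:
            bad.append((img, f"external registry {reg}"))
            continue
        project = img.split("/")[1] if img.count("/") >= 2 else None
        if project not in ALLOWED_PROJECTS:
            bad.append((img, f"Harbor project {project} not allowlisted"))
    return bad

def cosign_verify_cmd(image: str) -> list:
    """argv for keyless verification with cosign v2 (flags as documented upstream)."""
    return ["cosign", "verify", "--certificate-oidc-issuer", OIDC_ISSUER,
            "--certificate-identity-regexp", IDENTITY_RE, image]

def unsigned_images(images: list) -> list:
    """Run cosign per image; needs cosign on PATH and registry access."""
    return [img for img in images
            if subprocess.run(cosign_verify_cmd(img), capture_output=True).returncode != 0]

# Constructed sample, shaped like the output of:
# kubectl get pods -A -o jsonpath='{range .items[*].spec.containers[*]}{.image}{"\n"}{end}'
RUNNING_IMAGES = [
    "harbor.internal.example/golden/mcp-gateway:2.4.1",
    "harbor.internal.example/golden/inference@sha256:" + "0" * 64,   # placeholder digest
    "harbor.internal.example/scratch/debug-shell:latest",
    "nginx:1.25",
    "ghcr.io/someorg/tool:1.0",
]
```

Run `allowlist_violations` first and only pass the images that clear it to `unsigned_images`; anything in either list is a finding for the review record.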

2. Admission Control & Runtime Policies

Check Kyverno policies are active and in “Enforce” mode. Confirm all MCP and sandbox pods use Kata runtime. Verify model weight verification init containers are functioning on inference pods. Review and approve any temporary namespace exemptions.

3. Identity & Zero Trust Controls

Audit Vault dynamic secret leases and revoke any orphaned credentials. Rotate JWT signing keys if due. Verify ATR claim enforcement is working on a sample of MCP tool calls. Confirm YubiKey signing requirement is enforced on all Helm chart changes.

4. Network & Containment

Review Istio ServiceEntries and egress allowlists against current needs. Validate default-deny NetworkPolicy is blocking unauthorized traffic. Check Kiali for unexpected east-west connections. Confirm mTLS is in strict mode everywhere.

5. Monitoring & Observability

Review Wazuh and Falco alert tuning — reduce noise, improve signal. Check Prometheus metrics for Merkle root verification and Cuckoo filter health. Confirm observability workloads are pinned away from GPU nodes. Test Talon quarantine and release process on a non-production pod.

6. Data Protection & Logging

Verify Presidio redaction is active in the Fluent Bit pipeline. Sample WORM logs to ensure no raw PII is present. Confirm Merkle roots are being recorded for all critical workflows.

7. Backup & Recovery Testing

Perform a full restore test of a primary application instance (including memory, documents, and audit trails). Document restore time, success rate, and any issues. Verify 3-2-1+ backup strategy is functioning.

8. STRIDE & OWASP Review

Update the living STRIDE threat model with any new components. Re-map OWASP Agentic Top 10 risks to current controls. Document any new threats and required mitigations.

9. Documentation & Runbooks

Confirm all PICERL runbooks are current. Verify out-of-band communication (Matrix/Mattermost) is tested and ready. Ensure this quarterly checklist itself is up to date.

Key Takeaways

Security is a continuous process, not a destination. Quarterly reviews with a named owner and documented results prevent drift and degradation. Every layer — supply chain, admission, network, runtime, monitoring, and recovery — must be actively validated. Treat the full defense-in-depth stack as a living system that requires ongoing care.

Completing this checklist keeps your organization’s security posture strong, auditable, and ready for both current and future threats.

End of curriculum


Canonical curriculum and module-by-module versions: Agentic AI Security Curriculum (ClawQL Docs)