Definition
An MCP server transfers data across geographical boundaries or processes data in ways that violate data-privacy regulations or compliance requirements, including the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and financial data residency regulations. The MCP protocol facilitates data access and transfer between agents and external sources; if the server is not configured with awareness of data residency requirements, it may inadvertently route regulated data through prohibited jurisdictions.
What it looks like in practice
An MCP server is deployed in a US-East cloud region to serve company data to AI agents. The company’s EU customer database is connected as a resource, including personal data subject to GDPR. An agent queries the MCP server for EU customer records; the server retrieves and returns the data, routing it through the US-East region without any data residency check. The transfer violates GDPR’s requirement that personal data of EU citizens not be transferred to jurisdictions without an adequacy decision or appropriate safeguards.
A second variant: an agent uses MCP to combine data from two sources (a customer interaction history and a product usage log), aggregating them in a way that creates a profile that violates GDPR’s data minimisation principle (collect only what is necessary), even though each individual source access was compliant.
Why it’s dangerous in multi-agent context
AI agents using MCP may access and aggregate data from multiple sources in a single interaction, crossing data classification and residency boundaries in ways that no individual human request would. The autonomous, high-speed nature of agent interactions means compliance violations can occur at scale before they are detected. MCP’s design as a general-purpose data access protocol does not inherently enforce data residency constraints. The server must be explicitly configured to do so. T44 (Insufficient Logging in MCP Server / Client) compounds the risk: without per-request logging of data transfers, compliance violations cannot be audited retrospectively.
Detection signals
Data residency violations are only detectable if data transfers are logged with enough geographic and classification metadata to compare against the applicable regulatory ruleset at audit time.
- An MCP resource retrieval log entry where the server’s hosting region differs from the residency zone recorded in that resource’s data classification tag. A per-request residency check against the classification registry will catch cross-border transfers at access time.
- Two or more data sources with different regulatory classifications (e.g., GDPR-scoped EU customer data and a HIPAA-scoped health record) combined within a single MCP session response. Log the set of resource classification labels retrieved per session and alert when a session aggregates labels from incompatible regulatory regimes.
- VPC flow logs showing data egress from an EU-region host to a non-EU endpoint exceeding the volume that agent query patterns can account for. A flow-log volume alert on cross-region egress above a defined byte threshold provides a coarse residency trip wire.
- An MCP resource tagged as personally identifiable information (PII) being retrieved by an agent whose declared purpose scope does not include PII access. Compare the agent’s registered purpose scope against the classification of resources retrieved in each session.
- A compliance audit query against the request log returning zero records for a time window during which the agent is known to have processed EU customer data. Absence of log records for a regulated transfer is itself a reportable violation signal.
Mitigations
- Classify the data exposed by each MCP server according to applicable regulatory requirements; apply data classification tags to MCP resources.
- Enforce residency controls at the MCP server level: reject requests for regulated data from clients outside permitted jurisdictions, and route server infrastructure within the required geographical boundary.
- Log all data transfers through MCP with client identity, resource retrieved, and destination; retain these logs for the period required by applicable regulations.
- Conduct a data flow mapping exercise for each MCP server deployment to identify all paths through which regulated data can flow and verify compliance before production.
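As an added example (not part of the OWASP entry or of any MCP SDK), the following residency gate implements the classification, enforcement and logging mitigations above and produces the per-request records that the detection signals depend on: it denies reads whose server or client region lies outside the resource's residency zone, denies reads that would aggregate incompatible regulatory regimes within one session, and logs every decision. Resource URIs, zone names, the regime table and agent identifiers are constructed; regions are expressed as zone names for simplicity.

```python
from dataclasses import dataclass, field

# Constructed classification registry (mitigation: tag every MCP resource).
# "zone" is the residency zone the data must stay in; "ANY" means unrestricted.
REGISTRY = {
    "db://crm/eu_customers": {"zone": "EU",  "regime": "GDPR"},
    "db://health/records":   {"zone": "ANY", "regime": "HIPAA"},
    "db://catalog/products": {"zone": "ANY", "regime": None},
}
# Constructed: regime pairs that must never be combined in a single MCP session.
INCOMPATIBLE = {frozenset({"GDPR", "HIPAA"})}


@dataclass
class Session:
    agent_id: str
    client_region: str
    regimes_seen: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)


def check_read(session: Session, resource: str, server_region: str) -> bool:
    """Residency gate evaluated before the server retrieves a resource.
    Every decision, allowed or denied, is appended to session.audit_log."""
    tag = REGISTRY.get(resource)
    if tag is None:
        verdict = "deny: unclassified resource"          # no tag, no access
    elif tag["zone"] != "ANY" and server_region != tag["zone"]:
        verdict = f"deny: server region {server_region} outside zone {tag['zone']}"
    elif tag["zone"] != "ANY" and session.client_region != tag["zone"]:
        verdict = f"deny: client region {session.client_region} outside zone {tag['zone']}"
    elif tag["regime"] and any(frozenset({tag["regime"], seen}) in INCOMPATIBLE
                               for seen in session.regimes_seen):
        verdict = f"deny: {tag['regime']} would be aggregated with {sorted(session.regimes_seen)}"
    else:
        verdict = "allow"
        if tag["regime"]:
            session.regimes_seen.add(tag["regime"])
    # Per-request record: client identity, resource, destination, classification, outcome.
    session.audit_log.append({
        "agent": session.agent_id, "client_region": session.client_region,
        "server_region": server_region, "resource": resource,
        "regime": tag["regime"] if tag else None, "verdict": verdict,
    })
    return verdict == "allow"
```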
Relation to base threat (T1–T17)
T46 extends T8 Repudiation and Untraceability. The compliance violation arises because data transfers are not audited against regulatory requirements: T8’s traceability gap enables T46’s compliance failure to go undetected. T44 (Insufficient Logging in MCP Server / Client) is the direct enabler: without per-request logging, the data residency violation is structurally invisible to auditors.
OWASP Top 10 for Agentic Applications 2026
The Agentic Top 10 (ASI01 through ASI10) is a separate practitioner-facing publication that maps onto the master Threats & Mitigations threat numbering. T46 is covered by the following Top 10 entries:
Source: OWASP Top 10 for Agentic Applications 2026 (Dec 2025) · the Top 10 is a compass into the master Threats & Mitigations taxonomy, not a replacement for it.
Design principles at stake
When T46 is present, these security design principles are the ones being violated or tested. Each links to the full principle; the mitigations below are how you restore them.
- Defence-in-Depth: A data residency violation can occur on any individual query: an agent requests EU customer records, the server retrieves and returns them through the wrong jurisdiction, and the transfer is complete before any single control has a chance to intervene. Depth means three independent gates must all be absent for a violation to succeed: data classification tags on MCP resources identify regulated data before retrieval, residency controls at the server level reject requests from clients outside permitted jurisdictions, and per-request logging with client identity and resource retrieved creates the audit trail that exposes any transfer that slipped through the first two. Without all three, the autonomous, high-speed nature of agent interactions means violations occur at scale before detection.
- Data Minimization & Privacy: T46's second variant shows data minimisation violated without any single access being non-compliant: combining a customer interaction history with a product usage log through MCP creates a profile that GDPR's purpose-limitation principle prohibits, even though each individual source access was lawful. Data minimisation at the MCP layer means classifying the data each server exposes according to applicable regulatory requirements, enforcing residency controls that prevent cross-jurisdiction retrieval, and conducting a data flow mapping exercise to identify every aggregation path through which regulated data can be combined in a way that exceeds the original collection purpose. Per-request logging of what was retrieved and from which resource gives auditors the visibility to detect purpose creep before it accumulates into a reportable violation.
Recommended mitigations
Auto-generated from the mitigation catalog: every mitigation whose coverage map includes T46, sorted by maturity tier (Tier 1 production-canonical first, then Tier 2, then Tier 3 research-stage).
- Tier 2 Data classification (Data classification with tool-access allow-lists — a sensitivity label on every dataset, enforced at every access seam)
Every dataset, document, and external system an agent can reach carries a classification label. The agent's permitted-class set and the tool's permitted-class set are intersected at the moment of every read or write. When the requested data's class falls outside that intersection, access is denied at the seam. This is the data-side complement to least-privilege: it adds a data-sensitivity constraint that role scoping alone does not provide.
Why it helps: Data residency and compliance violations occur when data crosses a jurisdictional or regulatory boundary it must not cross. Classification labels that encode jurisdictional scope (for example, EU-PII or HIPAA-PHI) can drive MCP server access-control rules that block cross-border data transfer to agents outside permitted jurisdictions, directly reducing compliance-violation risk.
- Tier 2 Egress DLP (Output egress DLP — inspection gate for PII, secrets, and IP at the agent boundary)
An agent produces output continuously across multiple channels: user-facing responses, tool-call parameter envelopes, log records, and outbound HTTP requests. Any of those channels can carry sensitive content the agent has retrieved, been fed, or been tricked into including. Output egress DLP places an inspection gate at the boundary so that PII, credentials, and proprietary content are classified and either redacted or quarantined before they leave the trust boundary, regardless of how they got into the output.
Why it helps: Data residency violations occur when PII or regulated data crosses jurisdictional boundaries through an agent's output channel. The egress gate detects regulated-data patterns in outbound payloads and quarantines them before the cross-border transfer completes.
- Role-Based Access Control (RBAC) assigns every agent identity a named role that sets the outer limit on what it can reach. Attribute-Based Access Control (ABAC) narrows individual decisions inside that role by evaluating contextual attributes at request time. Used together, they enforce least privilege for non-human identities: the agent can only do what its role permits, and only when the request attributes satisfy the policy.
Why it helps: Data residency violations occur when an agent in one jurisdiction reads or transfers data classified as belonging to another. ABAC conditions that encode jurisdictional attributes on both the requesting agent and the target resource enforce residency at the access-control layer, before any read or transfer takes place.
Red-team pivot: MITRE ATLAS techniques
MITRE ATLAS catalogues adversary techniques against AI systems. Where this OWASP threat has an attacker-perspective counterpart, the ATLAS technique is shown below. That is what a red team would actually be doing on the wire. Use this for detection-signal anchoring, threat-hunting hypotheses, and IR runbooks. Source: mitre-atlas/atlas-data v5.6.0.
AML.T0085 Data from AI Services: Adversary collects data from AI service interfaces. Sub-technique .000 (RAG Databases) names retrieval-augmented generation stores; .001 (AI Agent Tools) names tool-call data.
AML.T0086 Exfiltration via AI Agent Tool Invocation: Adversary exfiltrates data by chaining the agent's legitimate tools (e.g. read-only DB query plus an outbound email tool), neither of which is alarming on its own.
Agentic angle: Each step looks routine in audit logs; the *combination* is the attack.
References
- OWASP MAS Threat Modelling Guide v1.0 (April 2025) §5 Anthropic MCP — Layer 6 Security and Compliance.