Agentic AI
Security Architecture

For IT Review | 21 February 2026

Agentic AI — Security Architecture | Sergeant Agency | February 2026

Agenda

  • Architecture & Data Flow
  • Credential Isolation & Safeguards
  • What Data Goes to Anthropic
  • Risk Assessment & Compliance
  • Server Inventory & Current Status

Architecture & Data Flow.


Architecture Overview

  • Layer 1: Claude Code — AI agent, runs locally in the terminal
  • Layer 2: MCP Servers — 10 local Node.js processes with API credentials
  • Layer 3: SaaS APIs — Slack, Asana, Google, MOCO, Figma, Bexio, Simap, LinkedIn
  • Claude Code decides which tool to call (e.g. "send Slack message")
  • The MCP server injects the API token and makes the HTTP call
  • The AI only sees tool names and parameters — never credentials
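As an added illustration (not the agency's or Claude Code's own code), a minimal Node.js tool broker showing the separation described above: the model receives only tool names and parameter lists, the broker injects the token at call time, and results are scrubbed of credential values before they go back to the model. Tool names, tokens and the offline fake transport are constructed for the example.

```javascript
// Added example, not the agency's code: a minimal tool broker that keeps API
// credentials out of everything the model sees. Tokens and names are constructed.
const CREDENTIALS = {                  // local store, e.g. a config file on the laptop
  slack: "xoxp-CONSTRUCTED-EXAMPLE-TOKEN",
  asana: "asana-pat-CONSTRUCTED",
};

// Tool registry: the model-visible part is only the name and parameter list.
const TOOLS = {
  slack_send_message: {
    service: "slack",
    params: ["channel", "text"],
    build: (p, token) => ({
      url: "https://slack.com/api/chat.postMessage",
      headers: { Authorization: `Bearer ${token}` },
      body: { channel: p.channel, text: p.text },
    }),
  },
};

// What the agent is given: names and parameters, no credential material.
function toolSchemaForModel() {
  return Object.entries(TOOLS).map(([name, t]) => ({ name, params: t.params }));
}

// Fake transport so the example runs offline; a real server would use fetch().
// It deliberately echoes the Authorization header to show the scrubbing step.
function fakeTransport(req) {
  return { ok: true, echoedAuth: req.headers.Authorization };
}

// Defence in depth: redact any stored credential that appears in a tool result
// before it is returned to the model.
function scrubSecrets(value) {
  let text = JSON.stringify(value);
  for (const secret of Object.values(CREDENTIALS)) {
    text = text.split(secret).join("[REDACTED]");
  }
  return JSON.parse(text);
}

// Entry point the agent calls with a tool name and parameters only.
function callTool(name, params) {
  const tool = TOOLS[name];
  if (!tool) throw new Error(`unknown tool ${name}`);
  const token = CREDENTIALS[tool.service]; // injected here, never sent to the model
  return scrubSecrets(fakeTransport(tool.build(params, token)));
}
```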

Data Flow

🔒 User Laptop (local, encrypted)
   Claude Code CLI
     → tool calls (no credentials) → MCP Servers (10×)
                                      + credentials injected
                                      → API calls → SaaS APIs
     ↓ prompts only
   Anthropic API (no credentials, no training)

Key: Credentials (local) and AI model (Anthropic) never interact directly.


Credential Isolation & Safeguards.


Credential Isolation

🔑 OAuth
  • Google SGT — GCP project: sgt-api
  • Google ZEIT — GCP project: zeit-api
  • Google MW — GCP project: pending
  • Figma — Dedicated OAuth client
  Each account has its own GCP project and OAuth client. No shared credentials.

🗝️ API Key
  • MOCO — Dedicated key
  • Anysite — Dedicated key
  • Bexio — Dedicated key
  • Simap — Dedicated key
  Independent API keys per service, scoped to minimum permissions.

🎫 Token
  • Slack — User Token (xoxp)
  • Asana — Personal Access Token
  Dedicated personal tokens, not shared with other users or apps.

Implemented Safeguards

  • Scoped API Tokens — minimum required permissions per service
  • Dedicated OAuth Clients — separate GCP project per Google account
  • Audit Logging — all API calls logged by SaaS platforms
  • Local-Only Execution — no cloud, no shared servers, FileVault encrypted
  • Permission System — explicit user confirmation for risky actions
  • Session Hooks — automated health checks at every session start
  • Token Rotation — all tokens rotated February 2026
  • Anthropic API — no training on API data, 30-day retention
  • Network Controls — optional firewall rules for MCP servers (planned)
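An added example (not the agency's code) of the permission system and audit logging bullets above: a gate in front of the tool broker that classifies each tool call by risk, lets reads through, requires human confirmation for writes, treats unknown tools as destructive, and records every decision locally. Tool names, risk tiers and the internal domain sergeant.example are assumptions made for the example.

```javascript
// Added example, not the agency's code: a permission gate in front of the MCP
// tool broker. Tool names, risk tiers and the internal domain are constructed.
const RISK = { read: 0, write: 1, destructive: 2 };

// Per-tool classification. Anything not listed is treated as destructive, so a
// new or misspelled tool can never run without a human looking at it.
const TOOL_RISK = {
  asana_search_tasks: RISK.read,
  gmail_list_messages: RISK.read,
  slack_send_message: RISK.write,
  asana_create_task: RISK.write,
  gmail_send: RISK.write,
  drive_delete_file: RISK.destructive,
};

// Parameter-level escalation: the same send tool is riskier when the recipient
// is outside the agency domain (sergeant.example is an assumed placeholder).
function escalate(name, params, baseRisk) {
  if (name === "gmail_send" && !/@sergeant\.example$/i.test(params.to || "")) {
    return RISK.destructive;
  }
  return baseRisk;
}

// Every decision is recorded locally so AI-initiated actions can be reviewed
// against the SaaS platforms' own audit logs later.
const auditLog = [];

// `confirm(name, params)` is the human-in-the-loop hook; it returns true/false.
// Reads pass without a prompt; writes and destructive calls need confirmation.
function gate(name, params, confirm) {
  const base = TOOL_RISK[name] ?? RISK.destructive;
  const risk = escalate(name, params, base);
  let decision;
  if (risk === RISK.read) decision = "allow";
  else if (confirm(name, params)) decision = "allow-confirmed";
  else decision = "deny";
  auditLog.push({ ts: new Date().toISOString(), tool: name, params, risk, decision });
  return decision;
}
```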

What Data Goes to Anthropic?

  • Included: user prompts, tool call results (task names, email subjects), file contents
  • Not included: API keys, tokens, passwords, OAuth secrets
  • Anthropic policy: data is not used for model training
  • Retained for 30 days (trust & safety), then deleted
  • Enterprise plan: zero-retention option available
  • SOC 2 Type II certified, GDPR compliant

Risk Assessment & Compliance.


Comparison with Existing Tools

Aspect                  | MCP + Claude Code      | Zapier / Make       | ChatGPT Copy-Paste
------------------------|------------------------|---------------------|-------------------
API keys visible to AI? | No                     | No                  | N/A
Data sent to 3rd party? | Prompts to Anthropic   | Data to Zapier/Make | Full data to OpenAI
Used for training?      | No (API usage)         | Depends on plan     | Yes (Free/Plus)
Runs locally?           | Yes                    | No (cloud)          | No (browser)
Credential storage      | Local config file      | Cloud servers       | N/A
Data retention          | 30 days (0 Enterprise) | Varies              | Indefinite

Risk Assessment

Risk                        | Likelihood | Impact   | Mitigation
----------------------------|------------|----------|--------------------------------------------
API key leaked to Anthropic | Very Low   | Medium   | MCP separates credentials from AI
Prompt data exposure        | Low        | Low-Med  | Enterprise plan, zero retention
Unauthorized tool actions   | Low        | Medium   | Scoped tokens, audit logs, confirmation
Local config compromised    | Low        | High     | FileVault, standard laptop security
Unintended AI action        | Medium     | Low-Med  | Human-in-the-loop confirmation
Prompt injection            | Medium     | Med-High | Permission system, scoped tokens, detection

DSG / Data Protection

  • Anthropic API hosted in US — SOC 2 Type II certified, GDPR compliant
  • US data transfers: standard contractual clauses in API terms
  • Currently processing business operational data (task names, email subjects)
  • Not sensitive personal data under DSG Art. 5
  • Enterprise plan with zero-retention recommended for sensitive data

Current Status & Next Steps.


MCP Server Inventory

Server                | Auth Method           | Scope
----------------------|-----------------------|-----------------------------------------------
Slack                 | User Token (xoxp)     | Messaging, search, channels
Asana                 | Personal Access Token | Tasks, projects, search
Google Workspace SGT  | OAuth (sgt-api)       | Gmail, Calendar, Drive, Docs, Slides, Contacts
Google Workspace ZEIT | OAuth (zeit-api)      | Gmail, Calendar, Drive, Docs, Slides
Google Workspace MW   | OAuth (pending)       | Gmail, Calendar, Drive, Docs, Slides
MOCO                  | API Key               | Time tracking, invoicing, projects
Figma                 | OAuth                 | Design file access, screenshots
Anysite               | API Key               | LinkedIn, social media
Bexio                 | API Key               | Accounting, invoicing
Simap                 | API Key               | Public procurement search

Current Status & Next Steps

  • ✅ Scoped API token configuration per service
  • ✅ All tokens rotated (February 2026)
  • ✅ OAuth refresh token auth for all Google Workspace accounts
  • ✅ Permission system active with user confirmation
  • ✅ Session hooks for automated MCP server health checks
  • ⬜ Evaluate Enterprise plan for zero data retention
  • ⬜ Define token rotation schedule (e.g. quarterly)
  • ⬜ Review SaaS audit logs for AI-initiated actions

Thank You!
