SAIL 2.0

/

AI Policy & Safe experimentation (Plan)

/

Incomplete Threat Modeling for AI and Agentic Systems

1.9

.

Incomplete Threat Modeling for AI and Agentic Systems

sail
1.9
Risk

Incomplete Threat Modeling for AI and Agentic Systems

Description

Threat models are absent, generic, or fail to capture the unique agentic architectures, leading to design-phase blind spots and misaligned security controls.

Example

An agent chain is deployed without identifying risks from indirect tool invocation, A2A handoffs, or memory poisoning across sessions, leading to unforeseen privilege escalation.

Assets Affected

AI Policy

System Prompt

Agent Config

Dataset / RAG

Tool

Agentic Platform

MCP Server

Agent Communication Protocol (ACP)

Mitigation
  • Apply AI- and agent-specific threat modeling methods (OWASP Agentic Top 10, OWASP Multi-Agentic System Threat Modeling Guide, MITRE ATLAS, MAESTRO)
  • refresh threat models as systems evolve
  • consider LLM-assisted threat modeling feed architecture and plans to a model grounded in these guides alongside manual application.
Standards Mapping
  • ISO: Clause 6.1.2, A.6.2.2
  • OWASP agentic: ASI04, ASI06
  • EU AI Act: Art. 9(2)
  • DASF: Operations 11.1
  • AIUC-1: C001, B001