1.9
.
Incomplete Threat Modeling for AI and Agentic Systems
sail
1.9
Risk
Incomplete Threat Modeling for AI and Agentic Systems
Description
Threat models are absent, generic, or fail to capture the unique agentic architectures, leading to design-phase blind spots and misaligned security controls.
Example
An agent chain is deployed without identifying risks from indirect tool invocation, A2A handoffs, or memory poisoning across sessions, leading to unforeseen privilege escalation.
Assets Affected
AI Policy
System Prompt
Agent Config
Dataset / RAG
Tool
Agentic Platform
MCP Server
Agent Communication Protocol (ACP)
Mitigation
- Apply AI- and agent-specific threat modeling methods (OWASP Agentic Top 10, OWASP Multi-Agentic System Threat Modeling Guide, MITRE ATLAS, MAESTRO)
- refresh threat models as systems evolve
- consider LLM-assisted threat modeling feed architecture and plans to a model grounded in these guides alongside manual application.
Standards Mapping
- ISO: Clause 6.1.2, A.6.2.2
- OWASP agentic: ASI04, ASI06
- EU AI Act: Art. 9(2)
- DASF: Operations 11.1
- AIUC-1: C001, B001