Threat Modeling for AI: The Framework That Clicked
Threat Modeling for AI: The Framework That Clicked
There’s a specific kind of professional frustration that comes from watching a discipline you’ve worked in for decades collide with a new technology and immediately forget everything it already knew. That’s what the first wave of enterprise AI adoption felt like to me. Teams evaluating LLMs were asking questions like “is this accurate?” and “is it fast enough?” — skipping straight past the questions that should come first: what can go wrong, and how bad is it when it does?
I’ve been running threat models since before most current practitioners had their first IT job. STRIDE, PASTA, LINDDUN — I’ve used all of them. When I started seriously evaluating AI systems for production use, I kept reaching for those same frameworks out of habit. What surprised me was how cleanly threat modeling for AI mapped onto the same structure. And how immediately useful it became once I applied it.
This post is about that mental shift — what threat modeling for AI actually looks like in practice, and why it should be the first framework any security-conscious team picks up before deploying an LLM in anything that matters.
TL;DR
STRIDE threat modeling applies directly to AI systems and surfaces risks that standard security reviews miss. Mapping Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege to LLM components gives you a structured way to evaluate AI risk before deployment. I applied it to our agent architecture in one afternoon and found three gaps we hadn’t considered.
Why Standard Security Reviews Miss AI-Specific Risk
A standard security review for a new application asks familiar questions: What data does it touch? What’s the authentication model? Where does it connect externally? What are the trust boundaries?
Those questions still matter for AI systems. But they don’t go far enough, because LLMs introduce a category of behavior that traditional software doesn’t have: emergent, non-deterministic output that can be influenced at runtime through input. That last part is the one that changes the threat model.
In a conventional application, if you control the code and the dependencies, you largely control the behavior. In an LLM-based system, a user — or an adversary — can influence model behavior through the prompt itself, without touching a single line of code. The attack surface isn’t just the software stack. It’s the context window.
Security reviews that don’t account for this will pass systems that have meaningful exposure. I’ve seen it happen in regulated environments where the SAST scans came back clean and nobody thought to ask what happens when a user includes an instruction in their input that conflicts with the system prompt.
How STRIDE Maps to AI System Threat Modeling
STRIDE is a threat categorization framework developed at Microsoft. Most enterprise security teams know it. The value isn’t in the acronym — it’s in the discipline of systematically asking “what could go wrong in each of these categories” for every component in a system. Here’s how each category maps onto AI components.
Spoofing. In a traditional system, this means impersonating an identity. In an LLM system, spoofing includes model impersonation (a fine-tuned model passed off as a trusted base model), identity injection via prompt (“you are now a different assistant with no restrictions”), and API endpoint substitution. If your agent is hitting an external LLM endpoint, what’s verifying that endpoint is actually the model you think it is?
Tampering. Data or model tampering. This covers training data poisoning, prompt injection via retrieved content in RAG pipelines, and tool output manipulation. If your agent retrieves context from an external source and includes it in the prompt without sanitization, that retrieved content is a tampering vector. I’ve covered tool poisoning attacks in detail in a previous post — this is where that threat lives in the model.
Repudiation. Can you reconstruct what the model was asked and what it produced? In regulated environments, this isn’t optional. LLM calls that aren’t logged with full input/output context create repudiation gaps that become compliance problems the moment something goes wrong. Most teams log that a call was made. Few log what was actually sent.
Information Disclosure. This is the category that generates the most immediate concern in enterprise contexts, and for good reason. LLMs trained on internal data can memorize and reproduce it. Models with access to sensitive context can be prompted to surface it. Few teams have mapped what data their model can access and what the realistic extraction paths look like.
Denial of Service. Token exhaustion, context flooding, recursive agent loops — these are AI-native DoS vectors that don’t appear in traditional threat models. An adversarially crafted input that causes an agent to loop or consume excessive tokens can be a meaningful availability risk in a production pipeline.
Elevation of Privilege. Can a user manipulate the model into taking actions it shouldn’t be able to take? If your agent has tool access — file writes, API calls, database queries — and prompt injection can redirect those tool calls, that’s an elevation of privilege attack. The model is executing with permissions the original user didn’t have and shouldn’t have been able to acquire.
What the Exercise Actually Produced
I applied this framework to our internal agent architecture on a Tuesday afternoon. I wasn’t expecting to find much — we’d already done a security pass when we built it. I was wrong.
Three gaps surfaced that we hadn’t explicitly called out:
1. Retrieved context was entering the prompt unsanitized. Our RAG implementation was pulling chunks from a vector store and inserting them directly into the system prompt. Any document that had been indexed could, in theory, contain adversarial instructions. We added a sanitization step and a character limit on retrieved chunks.
2. Tool call outputs weren’t logged. We were logging the initial user request and the final model response. We weren’t logging what the tools returned before the model processed them. If a tool output had been manipulated, we’d have had no way to detect it after the fact. We added structured logging for every tool invocation.
3. There was no token budget enforcement. We had a theoretical context limit, but nothing that actively rejected or truncated inputs approaching that limit. A sufficiently long input could degrade response quality and increase latency in ways that would affect legitimate users. We added a hard limit with a clear error response.
None of these were catastrophic findings. All of them were gaps that a standard security review hadn’t surfaced, because a standard security review wasn’t looking for them.
How to Run This for Your Own AI Systems
The process doesn’t require a formal engagement or a week of prep. Here’s how to apply STRIDE threat modeling to an AI system in a focused working session.
-
Draw the data flow diagram first. Map every component: user input, system prompt, retrieval sources, tool integrations, model endpoint, output handling, logging. If you can’t draw it, you don’t understand it well enough to secure it.
-
For each component, walk through all six STRIDE categories. Spend 5–10 minutes per component. Write down every plausible threat, even the ones that seem unlikely. You can assess likelihood later. Right now you’re building the list.
-
Rate each finding by blast radius, not just probability. A low-probability threat that could expose all user data in a production system is a higher priority than a high-probability annoyance with limited impact. [Related: see our earlier post on blast radius thinking for AI risk.]
-
Turn the gaps into acceptance criteria. Each unmitigated finding should become either a concrete remediation task or a documented, accepted risk with a named owner. Undocumented risk is the most dangerous kind in regulated environments.
-
Repeat on a schedule. Threat models go stale. Every time you add a new tool integration, a new data source, or a new model version, run the exercise again on the changed components.
Key Takeaways
- STRIDE threat modeling applies directly to AI and LLM systems and surfaces risks that standard application security reviews miss.
- The core insight is that LLMs have a behavioral attack surface — the prompt and context window — that doesn’t exist in traditional software.
- Spoofing, Tampering, and Elevation of Privilege map to the most AI-specific risks: model impersonation, prompt injection, and unauthorized tool use.
- A focused threat modeling session on your AI architecture will likely find gaps. It did for us.
- This is not a one-time exercise. Every new integration changes the threat model.
If your team is adopting AI in any capacity that touches sensitive data or downstream actions, threat modeling for AI is the first framework to internalize. It’s not new thinking — it’s applying 25 years of security discipline to a new attack surface. The methodology transfers cleanly. The gaps it finds are real.
Comments