Threat Assessment (TA)

Endpoints Domain - HAIAMM v3.0


Practice Overview

Objective: Build and maintain a reusable threat library for AI/HAI-enabled endpoints and user-facing AI interfaces the organization deploys, one archetype-level threat model per endpoint AI type, so every endpoint AI entering the inventory produces a threat snapshot in minutes rather than a blank-page exercise.

Description: TA-Endpoints catalogs the threats specific to AI/HAI interfaces the organization deploys or procures on endpoints and in customer-facing surfaces, not tools it uses to do security. At L1 the library covers one threat model per endpoint AI archetype (AI assistant / copilot on managed endpoint, browser-based AI tool, chatbot / conversational UI, multi-modal AI interface, AI-augmented productivity (SaaS-AI), mobile AI app, edge AI device) mapped to HAIAMM's HAI-specific TTPs (EA, AGH, TM, RA), to MITRE ATLAS tactics (TA0001–TA0014), and to OWASP LLM / Agentic Top 10, OWASP Browser-Extension Security Top 10, and OWASP MASVS where applicable. Each new endpoint AI registered in SM's inventory generates a threat snapshot by pulling the archetype model and adding endpoint-specific deltas (specific tool list, specific data classes accessible, specific deployment tier). L2 layers per-deployment deep models for Critical-tier cases (customer-facing chatbots, customer-data-handling AI assistants) and runs quarterly red-team probes. L3 contributes discovered TTPs back to MITRE ATLAS, AVID, OWASP MASVS / Browser-Extension Top 10, and CSA endpoint working groups.

Context: Endpoint AI introduces failure modes that classic endpoint-security threat modeling was not designed to enumerate, confidential data egressing to vendor models through developer paste behavior, prompt injection arriving through opened files or browser page content reaching an assistant's context window, silent SaaS-AI feature enablement giving a tenant-wide LLM access to all documents, edge-device model integrity attacks. These are first-party risks owned by IT, security, and product teams that deploy or configure the AI. TA-Endpoints closes the gap by making endpoint-AI-specific threats a first-class library that threat modelers pull from at every intake, tied to ATLAS tactic IDs so the walk from attacker capability to endpoint exposure is concrete, not narrative.


Maturity Level 1

Objective: Build the AI/HAI endpoint archetype threat library, integrate a threat snapshot into every SM intake, and ensure every endpoint AI's threat surface is documented before deployment approval

At this level, the organization gives every threat modeler and endpoint reviewer a reusable, archetype-keyed library that maps endpoint AI failure modes to HAI TTPs and ATLAS tactics, so no endpoint AI enters the managed estate without a documented threat view.

Dependencies

  • SM-Endpoints L1 (required): the endpoint AI inventory defines which archetypes exist and what deployments need threat models; without it, TA operates on guesswork about scope.
  • PC-Endpoints L1 (required): the priority compliance map identifies which regulatory obligations (EU AI Act Art. 50 disclosure, GDPR Art. 22, sector-specific AI obligations) must be reflected in the threat library.
  • EG-Endpoints L1 (required for reviewer activity): reviewers must recognize endpoint AI archetypes and TTPs before they can produce a credible snapshot.
  • Supports / unblocks: SR-Endpoints L1 (requirements derive from archetype threats), SA-Endpoints L1 (reference patterns cover archetype threat surfaces), ST-Endpoints L1 (test battery targets archetype threats), ML-Endpoints L1 (detections prioritized from threat library), IM-Endpoints L1 (incident classifications derive from the threat library).

Desired Outcomes

  • Every endpoint AI reaching SM intake gets a threat snapshot within one business day, pulled from the archetype library and adapted to the specific deployment's tool list, data classes accessible, deployment tier, and user population.
  • HAIAMM's HAI-specific TTPs, EA (Excessive Agency), AGH (Agent Goal Hijack), TM (Tool Misuse), RA (Rogue Agents), are tagged to each archetype's threats; reviewers can explain the tag and its implications for the specific endpoint deployment.
  • MITRE ATLAS tactics (TA0001 Reconnaissance through TA0014 Impact) are walked for each archetype at intake; a tactic with no relevant technique is an explicit exclusion, not a gap.
  • The threat library is versioned, owned, and refreshed on a documented cadence, it does not rot as endpoint AI attack research emerges.
  • Downstream practices (SR, SA, ST, ML, IM) inherit the library rather than re-deriving threats per deployment.

Activities

A) Build the AI/HAI endpoint archetype threat library

Author one threat model per endpoint AI archetype. Each archetype model is concise (target ≤2 pages), explicitly scoped to AI/HAI interfaces the organization deploys or procures on endpoints and customer-facing surfaces, and maps threats to HAI TTPs, ATLAS tactic IDs, applicable OWASP references (LLM/Agentic Top 10, MASVS, Browser-Extension Top 10), and the PC-Endpoints priority compliance map.

Archetypes to cover at L1 (from SM-Endpoints's inventory schema):

  • AI assistant / copilot on managed endpoint, a desktop or IDE-integrated assistant (e.g., code copilot, writing assistant, research assistant) running on an organization-managed device, calling a vendor LLM API and having access to local file system, clipboard, or developer tooling.
  • Browser-based AI tool, a browser extension or web-accessible AI interface that reads page content, DOM state, cookies, or form data; may communicate with a vendor AI backend.
  • Chatbot / conversational UI, a customer-facing or employee-facing conversational interface deployed on a web, mobile, or embedded surface; interacts with users in natural language and may access org or customer data.
  • Multi-modal AI interface, an AI interface that accepts image, audio, or video inputs in addition to text; may perform recognition, generation, or summarization across modalities.
  • AI-augmented productivity (SaaS-AI on endpoint), a SaaS platform (e.g., productivity suite, CRM, project management) with an AI feature layer (Notion AI, Slack AI, Microsoft 365 Copilot, Salesforce Einstein) that can access the full data scope of the underlying SaaS environment.
  • Mobile AI app, a native or hybrid mobile application using an on-device or cloud-based AI model to deliver AI-powered features; may have access to device sensors, contacts, location, camera, or microphone.
  • Edge AI device, a physical device running AI inference locally (industrial sensor, camera, kiosk, embedded controller) with limited remote management capability and potential physical-access exposure.

Per-archetype threat content (minimum):

AI assistant / copilot on managed endpoint: - Confidential-data egress to vendor, developer or knowledge worker pastes source code, customer records, or confidential documents into the assistant context; content crosses the organizational data boundary and reaches the vendor's LLM API; regulated data (PII, PHI, source code) may be retained or used for vendor model improvement if no-train assertions are absent or unverified. HAI-TTP: EA (assistant silently exfiltrates data within its tool scope). ATLAS: TA0011 Exfiltration; AML.T0024. Compliance: GDPR Arts. 28, 44–49; EU AI Act Art. 26. - Prompt injection via opened files or browser content, a document opened by the user or a web page loaded in a browser injects instructions into the assistant's context window; the assistant acts on the injected instructions rather than the user's intent. HAI-TTP: AGH. ATLAS: AML.T0051 LLM Prompt Injection; TA0003 Initial Access. OWASP LLM: LLM01. - AGH via tool-using assistant manipulating local files, an assistant with local file-system or shell tool access processes an injected instruction and modifies, exfiltrates, or deletes local files. HAI-TTP: AGH + EA. ATLAS: TA0004 Execution; TA0007 Privilege Escalation. OWASP LLM: LLM06 Excessive Agency. - TM via assistant invoking endpoint tools maliciously, a prompt injection causes the assistant to invoke permitted tools (file write, command execution, calendar access, email send) outside the intended scope. HAI-TTP: TM. ATLAS: TA0004 Execution; TA0006 Persistence. OWASP LLM: LLM06. - ATLAS tactic walk: TA0001 (adversary identifies assistant's tool list and accessible file paths), TA0003 (injected instructions in opened documents), TA0004 (tool invocation via injection), TA0006 (injected instruction persisting in shared memory or project context), TA0007 (tool scope broader than user's manual permissions), TA0008 (obfuscated injection payloads), TA0011 (regulated data in paste reaching vendor API), TA0014 (destructive local file actions via tool call).

Browser-based AI tool: - Extension permission abuse, an AI extension granted <all_urls> host permission reads cookies, session tokens, form-field content (including passwords), and full page DOM across every site the user visits; this surface far exceeds the stated AI use case. HAI-TTP: EA (extension scope wider than any individual user permission). ATLAS: TA0009 Discovery; TA0010 Collection. OWASP Browser-Extension Security Top 10. - DOM injection via AI extension, an AI extension with DOM-write capability injects malicious markup or scripts into pages the user trusts (bank portals, internal apps). HAI-TTP: TM. ATLAS: TA0004 Execution; TA0040 ML Attack Staging. - Data egress via extension to vendor, page content, highlighted text, or form values are sent to the extension's vendor AI backend without the user's awareness; regulated customer or organizational data crosses the data boundary. HAI-TTP: EA. ATLAS: TA0011 Exfiltration. - AGH via tainted page content reaching extension context, a malicious or attacker-controlled webpage embeds prompt-injection payloads in visible or hidden text; the AI extension ingests the page and processes the injection as if it were user intent. HAI-TTP: AGH. ATLAS: AML.T0051; TA0003. - ATLAS tactic walk: TA0001 (adversary identifies extension-accessible DOM structure), TA0002 (crafting pages with hidden injection payloads), TA0003 (tainted page content reaches extension context), TA0004 (DOM-write or script injection), TA0009 (page-content discovery across all sites), TA0010 (form-field and credential harvesting), TA0011 (bulk page-content egress to vendor API), TA0014 (user deceived into unsafe actions by injected UI).

Chatbot / conversational UI: - Prompt injection from user input, attacker-crafted user message overrides system-prompt instructions, safety guardrails, or persona constraints; causes policy-violating output or information disclosure. HAI-TTP: AGH. ATLAS: AML.T0051; TA0003. OWASP LLM: LLM01. - Jailbreak, adversarial framing bypasses the chatbot's safety layer; produces harmful, policy-violating, or regulated content. ATLAS: TA0007 Privilege Escalation; TA0008 Defense Evasion. - Data exfiltration via crafted prompts, crafted multi-turn interactions extract system-prompt content, training data memorized by the model, or other users' session context. HAI-TTP: AGH + TM. ATLAS: TA0009 Discovery; TA0010 Collection. OWASP LLM: LLM07 System Prompt Leakage. - Art. 50 disclosure suppression, system prompt or UX instructs the chatbot not to disclose its AI nature when asked; violates EU AI Act Art. 50 user-facing disclosure obligation. Compliance: EU AI Act Art. 50. - Brand-impact prompts, adversarial users craft prompts that cause the chatbot to produce reputationally harmful, defamatory, or legally problematic outputs under the organization's brand. ATLAS: TA0014 Impact. - ATLAS tactic walk: TA0001 (adversary enumerates chatbot's knowledge scope and session state), TA0003 (injection via crafted user turn), TA0008 (obfuscated jailbreak framing evading safety layer), TA0009 (system-prompt probing via inference), TA0010 (training data extraction via targeted prompts), TA0011 (customer PII from other sessions extracted via crafted prompt), TA0014 (brand-impact output, policy-violating content).

Multi-modal AI interface: - Image / voice prompt injection, attacker embeds instructions in an image (steganography, invisible text, optical-illusion characters) or audio channel (ultrasonic instruction injection) that the model processes as legitimate context; the model follows embedded instructions rather than the stated task. HAI-TTP: AGH. ATLAS: AML.T0051 (multimodal variant); TA0003. - Steganography in images, hidden textual payloads in images bypass text-based input filters; reach the vision model and influence output. ATLAS: TA0008 Defense Evasion. - Audio-channel injection, inaudible or noise-masked audio instructions direct a voice-activated AI interface. ATLAS: TA0003 Initial Access; TA0008. - Deepfake-content acceptance, multi-modal interface accepts AI-generated synthetic audio or video and treats it as authentic; enables impersonation of authorized users or high-authority principals. HAI-TTP: RA. ATLAS: TA0040 ML Attack Staging. - Biometric-input abuse, biometric data (face image, voice print, retina scan) submitted to the interface is retained, leaked, or used outside the declared purpose. Compliance: GDPR Art. 9 (biometric data as special-category); EU AI Act Art. 50. - ATLAS tactic walk: TA0001 (adversary identifies modality-specific input surfaces and accepted formats), TA0002 (staging hostile images or audio payloads), TA0003 (image / audio injection at the input edge), TA0008 (steganographic payload evades text-based safety filters), TA0040 (adversarial modality-specific inputs), TA0011 (biometric data egress), TA0014 (injected instruction causes downstream harm via model output).

AI-augmented productivity (SaaS-AI on endpoint): - Silent feature-enablement, a SaaS-AI feature (Notion AI, Slack AI, Microsoft 365 Copilot) is enabled by an admin at the tenant level without an intake review; the AI inherits access to all documents, channels, emails, or records within the SaaS platform's data scope, including regulated data never intended for AI processing. HAI-TTP: EA (AI scope inherits full SaaS data scope without explicit permission grant). ATLAS: TA0006 Privilege Escalation. - Data scope inheritance, the AI feature can access all data accessible to the authenticated user (all shared drives, all email, all project channels); a user with broad access inadvertently exposes regulated data to the AI without a documented lawful basis. Compliance: GDPR Arts. 6, 28; EU AI Act Art. 26. - Regulated-data flow into vendor model, when an AI feature processes data, that data transits to the SaaS vendor's model infrastructure; if no-train assertions are absent or unverified, customer or employee PII may be used in vendor model training. ATLAS: TA0011 Exfiltration; AML.T0024. - ATLAS tactic walk: TA0001 (adversary enumerates SaaS-AI feature scope and accessible data), TA0003 (attacker crafts documents / messages with injection payloads that the AI feature processes), TA0006 (AI feature inherits full SaaS data scope without granular permission), TA0009 (AI feature used to enumerate confidential documents the end user can access), TA0011 (regulated data processed by SaaS-AI transits to vendor), TA0014 (business-logic manipulation via AI-generated content in productivity workflows).

Mobile AI app: - Local-model integrity, an on-device AI model binary is replaced (via sideload, rooted device, or over-the-air update without cryptographic verification) with a tampered model that produces different outputs; enables adversary to control AI-driven decisions silently. HAI-TTP: RA. ATLAS: TA0005 Persistence; TA0040. - Over-broad permissions, the mobile AI app requests access to contacts, location, microphone, camera, or health data beyond the scope of its stated AI function; these sensor feeds are processed by or egressed to the AI backend. HAI-TTP: EA. ATLAS: TA0010 Collection. OWASP MASVS. - Mobile-specific exfiltration vectors, on-device inference logs, conversation history, or sensor-derived features are stored in a world-readable location or shared with third-party analytics SDKs bundled in the app. ATLAS: TA0011 Exfiltration. OWASP MASVS. - Biometric / MFA bypass via AI image generation, an AI image-generation capability in the app or accessible from the device produces a synthetic biometric that unlocks an application with a weak biometric implementation. ATLAS: TA0007 Privilege Escalation; TA0040 ML Attack Staging. - ATLAS tactic walk: TA0001 (adversary identifies on-device model path and update mechanism), TA0002 (staging tampered model binary), TA0003 (model swap as initial access), TA0005 (tampered model persists through app updates if update mechanism lacks signing), TA0007 (biometric bypass), TA0008 (tampered model produces outputs that evade safety classifiers), TA0010 (over-broad sensor access collection), TA0011 (sensor-derived data egress to backend), TA0014 (unsafe AI recommendations driven by tampered model).

Edge AI device: - On-device model integrity (firmware attack, model swap), the AI model artifact or device firmware is replaced via physical access, unprotected firmware update channel, or supply-chain compromise; the device thereafter produces attacker-desired outputs (e.g., access control bypass, false sensor readings). HAI-TTP: RA. ATLAS: TA0005 Persistence; AML.T0010 ML Supply Chain Compromise. - Physical-access attacks, an attacker with physical access extracts the model artifact, model weights, or sensitive sensor data; debug interfaces (JTAG, UART) expose firmware. ATLAS: TA0010 Collection. - Sensor-input injection, adversarial physical inputs (adversarial stickers, infrared signals, audio tones) manipulate sensor readings that the edge AI model processes; causes incorrect classification, access grant, or process actuation. HAI-TTP: AGH. ATLAS: TA0040 ML Attack Staging; TA0003. - Uplink data exfiltration, sensor data or inference outputs sent over the uplink to backend systems is intercepted or manipulated; if the uplink lacks integrity protection, an attacker can inject false inference results or harvest sensitive sensor streams. ATLAS: TA0011 Exfiltration; TA0008. - ATLAS tactic walk: TA0001 (adversary enumerates update channel, debug interfaces, uplink protocol), TA0002 (staging tampered firmware or model binary), TA0003 (firmware/model swap via physical access or unprotected update channel), TA0005 (tampered firmware persists across power cycles), TA0007 (adversarial input causes privilege escalation: door unlocked, system actuated), TA0008 (adversarial physical input evades sensor-based safety classifier), TA0010 (physical model extraction via debug interfaces), TA0011 (sensor-stream interception on uplink), TA0014 (physical-world impact from manipulated AI output).

OWASP LLM / Agentic Top 10 cross-references per archetype: Tag each archetype's dominant threats to the relevant OWASP references. AI assistants with tool access and browser-based AI tools map primarily to LLM01 (Prompt Injection), LLM06 (Excessive Agency), LLM07 (System Prompt Leakage), and the Agentic Top 10. Chatbots map to LLM01, LLM02 (Insecure Output Handling), LLM07, LLM10 (Unbounded Consumption). Mobile AI apps map to OWASP MASVS (storage, network, platform, code controls). Browser extensions map to OWASP Browser-Extension Security Top 10.

Compliance linkage: tag each threat to the PC-Endpoints priority compliance item it activates, EU AI Act Art. 50 (disclosure obligation for all customer-facing chatbots and conversational UIs), EU AI Act Art. 26 (deployer duties for high-risk AI system uses), GDPR Art. 22 (automated decisioning safeguards where the endpoint AI drives consequential decisions), GDPR Arts. 6, 9, 28, 44–49 (data-handling obligations for data flowing to vendor models).

Owner: named TA-Endpoints library steward; cadence: reviewed quarterly; versioned in a single location linked from the SM inventory record for every deployment.

B) Produce a per-intake threat snapshot for every SM inventory registration

Bind TA into the SM intake flow, every new endpoint AI registration emits a threat snapshot before a Sanctioned status is issued; Provisional-status deployments receive a snapshot within five business days of registration.

Snapshot contents (designed to fit one screen):

  • Which archetype(s) apply (a deployment may be composite, e.g., a SaaS productivity platform with an AI feature and a browser extension frontend is both AI-augmented productivity and browser-based AI tool).
  • Deployment-specific deltas over the archetype model: SM-Endpoints tier (Critical / High / Medium / Low per user population, data classes accessible, action capability, customer-data egress potential, deployment scale, regulatory scope, Art. 50 disclosure obligation); specific tool list or sensor access; specific data classes accessible; customer-data egress potential.
  • Top-5 threats for this deployment, each with: HAI TTP tag, ATLAS tactic ID, OWASP reference, and compliance linkage.
  • Controls already evident from the design or existing configuration vs. gaps for SR/SA follow-up.
  • Reviewer, date, expiry (re-snapshot on new tool addition, permission scope change, model swap, data class change, or user population expansion).

Time target: ≤1 business day per intake with the library available.

C) Author the shadow-endpoint-AI threat view

Unsanctioned endpoint AI, employees installing AI browser extensions on managed devices, developers enabling SaaS-AI features without intake, mobile AI apps on BYOD, has its own threat surface distinct from sanctioned deployments. Author a standalone shadow-endpoint-AI threat document covering:

  • Entry vectors: employees self-installing AI browser extensions with <all_urls> permissions on managed endpoints; SaaS-AI features silently enabled by workspace admins without security review; AI assistant apps installed via personal app stores on BYOD devices accessing org email; edge AI kiosks deployed by facilities teams without IT involvement.
  • Elevated threats for shadow deployments: no threat snapshot; no SR requirements pack; no no-train assertion verified; Art. 50 disclosure obligations unreviewed; regulated data flowing to vendor models without a documented data processor agreement.
  • Specific failure modes: developer pasting customer PII into an unapproved AI assistant with training enabled; SaaS-AI feature with access to confidential M&A documents enabled tenant-wide without intake; AI browser extension harvesting session cookies from internal applications.
  • Detections available at L1: MDM/UEM telemetry (unauthorized app installs, extension installs on managed endpoints); network egress monitoring (outbound connections to AI provider domains from unregistered services); SaaS-admin audit logs (AI feature enablement events); endpoint DLP alerts on data patterns in AI API calls.

Output: a "Shadow Endpoint AI, Threat View" one-pager reviewed by the program sponsor and feeding the ML-Endpoints detection backlog and the IM-Endpoints triage playbook.

Outcome Metrics (L1)

Metric Baseline L1 Target Source
% of endpoint AI deployments in SM inventory with a current-year threat snapshot measure 100% for Sanctioned; ≥90% for all Inventory × TA snapshot artifacts
Archetype coverage (endpoint archetypes with a published threat model) 0 / 7 7 / 7 TA library
Median snapshot turnaround from SM intake to threat snapshot delivery measure ≤1 business day Intake telemetry
% of snapshot top-5 threats tagged to a HAI TTP and an ATLAS tactic ID measure 100% TA snapshot metadata
Shadow-endpoint-AI threat view published and reviewed in last 12 months n/a Yes Document registry

Process Metrics (leading)

  • Threat library review cadence, quarterly archetype refresh recorded; no quarter with zero updates.
  • New-archetype lead time, from "first intake in new endpoint AI category" to "archetype model published" ≤30 days.
  • Snapshot-to-SR linkage, % of snapshots whose top-5 threats are referenced by at least one downstream SR-Endpoints requirement.
  • Library steward named and active, single owner, not a committee.

Effectiveness Metrics (business value)

  • Threats that converted to prevented production issues, documented cases where a snapshot-identified threat caused a control to be added before deployment approval (e.g., no-train assertion verified after AI assistant snapshot flagged data egress; extension removed after snapshot flagged <all_urls> permission abuse).
  • Reviewer consistency, EG-Endpoints calibration exercises use live threat snapshots; inter-reviewer threat-identification drift stays within target.
  • Downstream reuse, SR, SA, ST artifacts cite snapshot threats in ≥80% of cases rather than re-deriving independently.

Success Criteria

  • Seven archetype threat models published (AI assistant / copilot on managed endpoint, browser-based AI tool, chatbot / conversational UI, multi-modal AI interface, AI-augmented productivity, mobile AI app, edge AI device), each tagged to HAI TTPs, ATLAS tactic IDs, applicable OWASP LLM / Agentic / MASVS / Browser-Extension references, and the PC-Endpoints priority compliance map.
  • Threat snapshot gate live in the SM intake flow, 100% of newly Sanctioned endpoint AI deployments in the last 90 days have a snapshot attached.
  • Shadow-endpoint-AI threat view published, reviewed by the program sponsor, and feeding the ML-Endpoints detection backlog.
  • Named library steward and quarterly refresh cadence operating.
  • ≥90% of active endpoint AI deployments in the inventory carry a current-year snapshot.

Maturity Level 2

Objective: Layer per-deployment deep threat models on top of archetype snapshots for Critical-tier deployments, integrate external AI endpoint threat intelligence, and red-team the threat library quarterly against novel real-world attack patterns

At this level, threat assessment stops being "snapshot plus go" for high-stakes endpoint AI. Critical-tier deployments (customer-facing chatbots, customer-data-handling AI assistants) receive full per-deployment deep threat models with adversarial overlays. External threat intel (MITRE ATLAS updates, AVID submissions, OWASP LLM / MASVS / Browser-Extension revisions, sector ISACs, academic adversarial-ML research) is wired in and triaged quarterly. The library is stress-tested by running quarterly red-team probes against real in-scope endpoint AI deployments to surface what the library catches and what it misses.

Dependencies

  • TA-Endpoints L1 (required): archetype threat library and per-intake snapshot gate.
  • SM-Endpoints L2 (required): the risk-tier rubric (user population, data classes accessible, action capability, customer-data egress potential, deployment scale, regulatory scope, Art. 50 disclosure obligation) determines where per-deployment deep modeling is required (Critical) vs. archetype-only (Medium/Low).
  • ST-Endpoints L2 (required for red-team-the-library activity): the red-team capability to probe real endpoint AI deployments comes from ST.
  • Supports / unblocks: SR-Endpoints L2 (per-tier threat depth drives per-tier requirements), SA-Endpoints L2 (threat depth drives pattern complexity), DR-Endpoints L2, ML-Endpoints L2 (detections tuned to per-deployment threats).

Desired Outcomes

  • Every Critical-tier endpoint AI deployment has a current-year per-deployment deep threat model, not a recycled archetype snapshot.
  • High-tier deployments receive archetype snapshot plus deployment-specific deltas and an ATLAS full tactic walk; no High-tier deployment on archetype-only.
  • External AI endpoint threat intel is routinely consumed and reflected in the library; the library is not frozen at publication time.
  • The library is proved against reality, quarterly red-team exercises show what it catches and misses; gaps are closed with owners and expiry dates.
  • Per-tier threat-assessment depth is visibly differentiated, matching the SM L2 tier-treatment matrix.

Activities

A) Per-deployment deep threat modeling for Critical-tier deployments

For every Critical-tier endpoint AI deployment, produce a full per-deployment threat model covering:

  • Attack trees beyond the archetype snapshot: deployment-specific tool list or sensor access with per-capability abuse paths; specific data classes accessible and their exposure consequence; specific user population and their privilege levels; Art. 50 disclosure obligations and disclosure-suppression risk.
  • Abuse-case catalog: named adversary archetypes (external attacker crafting adversarial inputs, malicious insider with access to the endpoint AI admin console, compromised SaaS-AI vendor, attacker with physical access to edge device) with concrete attack narratives for this specific deployment.
  • Deployer-duty mapping: EU AI Act Art. 26 obligations mapped to the threat-control chain specific to this deployment; Art. 50 disclosure obligations; GDPR Art. 22 automated-decisioning safeguards where the chatbot or assistant drives decisions affecting individuals.
  • ATLAS full tactic walk for the deployment: all 14 ATLAS tactics enumerated; techniques selected for this specific archetype, tool access, and data boundary; exclusions explicit with rationale.
  • Refresh cadence: Critical semi-annual plus change-driven (model swap, new tool, new sensor, scope change, user population expansion); High annual plus change-driven.

B) External AI endpoint threat intelligence integration

Subscribe to and operationalize: - MITRE ATLAS updates, new technique additions and practitioner-submitted evidence relevant to endpoint AI archetypes. - AVID (AI Vulnerability Database), new entries for techniques relevant to chatbots, browser extensions, mobile AI, and edge AI. - OWASP LLM Top 10 / Agentic Top 10 revisions and OWASP MASVS / Browser-Extension Security Top 10 updates. - Academic adversarial-ML venues, early signal on novel multimodal injection, model-integrity attacks, and edge-device adversarial inputs. - Sector ISAC AI working groups, operationally-observed attack patterns relevant to the org's industry and customer-facing AI surfaces. - CSA endpoint security working group outputs on AI-specific endpoint threats.

Quarterly triage cadence: which new intel items change the archetype library, change per-deployment models, or change the SR or ST artifacts that depend on the library. Changes are change-logged; reviewed by the library steward and the IM backlog owner.

C) Red-team the threat library itself

Each quarter, ST-Endpoints runs an adversarial probe against an in-scope endpoint AI deployment using ONLY the threat scenarios documented in the library for that archetype. Threats the red-team exercise identifies that are NOT in the library are library gaps, not passing findings.

Gap closure: every gap becomes a ticket with a named owner and expiry date; Critical-tier gaps close within 30 days; High-tier within 60 days. Gap rate per quarter trends down as the library matures. Gaps are also reviewed for SR and ST update implications.

Outcome Metrics (L2)

Metric Baseline L2 Target Source
% Critical-tier deployments with current-year per-deployment deep threat model measure 100% TA library × SM inventory
% High-tier deployments with archetype snapshot + deployment-specific deltas + ATLAS tactic walk measure ≥90% TA library × SM inventory
External intel triage cadence met (quarterly) measure 4 / year Intel triage log
Library gaps discovered per quarter (red-team exercises) measure tracked; trending down Red-team library exercise output
Threat-library change lead time from intel signal to library update measure ≤30 days for Critical-impact items Intel → library telemetry

Process Metrics (leading)

  • Library change-log cadence, no quarter with zero changes.
  • Per-deployment deep model age, no Critical model older than 180 days; no High model on archetype snapshot alone.
  • Red-team-the-library exercise cadence, at least quarterly; exercise artifact on file.
  • Gap closure SLA tracked; no Critical gap open past 30 days.

Effectiveness Metrics (business value)

  • Incidents caught by pre-existing library entries vs. library gaps, ratio trends toward pre-existing over time.
  • Downstream reuse at tier, SR, SA, DR, ST artifacts for Critical-tier deployments cite per-deployment threats in ≥80% of cases.
  • Library becomes a named internal resource, endpoint engineering and product teams consult it before launching new AI features or configuring new endpoint AI tools, reducing DR send-backs.

Success Criteria

  • Per-deployment deep threat models live for 100% of Critical-tier and ≥90% of High-tier deployments, with refresh cadence met.
  • External threat intel integrated with quarterly triage and documented change-log.
  • Quarterly red-team-the-library exercise operating; gaps closed with named owners and expiry dates.
  • Intel-to-library update lead time ≤30 days on Critical-impact items.

Maturity Level 3

Objective: Automate threat-library maintenance from telemetry and external feeds, and contribute discovered endpoint AI TTPs back to MITRE ATLAS, AVID, OWASP MASVS / Browser-Extension Top 10, and CSA endpoint working groups

At this level, the threat library is self-updating. Telemetry from ML-Endpoints detections and incident patterns from IM-Endpoints, combined with external signal feeds (ATLAS, AVID, OWASP revision pipelines, CSA), auto-propose library updates; human curators review and approve. The program contributes emerging first-party-observed TTPs, endpoint AI attack patterns discovered in own-deployed interfaces, to MITRE ATLAS, AVID, OWASP MASVS / Browser-Extension Top 10, and CSA endpoint AI security working groups.

Dependencies

  • TA-Endpoints L2 (required): per-deployment models and external intel integration must be operational before automation is trustworthy.
  • ML-Endpoints L2+ (required): detection telemetry that proposes library updates comes from the monitoring pipeline.
  • IM-Endpoints L2+ (required): incident pattern data feeds update proposals for threat actors, TTPs, and impact scenarios.

Desired Outcomes

  • Library staleness is measured in weeks, not quarters, material new attack patterns reach the library within 14 days of first observation.
  • Program-sourced TTPs appear in MITRE ATLAS, AVID, OWASP MASVS / Browser-Extension Top 10, and CSA endpoint AI security outputs, the org is cited as a practitioner contributor.
  • The org becomes a trusted node in endpoint AI threat sharing (sector ISACs, ATLAS practitioner network, OWASP AI chapter, CSA endpoint working group).

Activities

A) Telemetry-driven library updates

Wire the following signal sources into an auto-proposal pipeline: - ML-Endpoints detections, alert patterns that do not map to any existing library entry are surfaced as candidate new threats. - IM-Endpoints incident records, post-incident review records generate structured threat updates; the incident's ATLAS tactic walk is auto-ingested. - External feeds, ATLAS technique additions, AVID new entries, OWASP LLM / MASVS / Browser-Extension revision drafts, sector-ISAC AI-specific advisories, CSA endpoint AI security updates. - Academic publication scanning, weekly digest of adversarial-ML, multimodal-attack, and edge-AI-security papers; new attack classes auto-tagged for human curator review.

Human curators approve, reject, or defer each auto-proposal. Change-log is machine-readable; downstream SR, SA, ST artifacts subscribe to the change feed and receive update-required notifications when a threat they reference changes.

B) Industry contribution

Contribute to: - MITRE ATLAS, new techniques observed in own-deployed endpoint AI (novel multimodal injection patterns, edge-device model integrity attacks, browser-extension DOM-injection chains, SaaS-AI feature-scope-inheritance exploitation); submissions follow ATLAS evidence-and-provenance requirements. - OWASP MASVS / Browser-Extension Security Top 10, substantive comments and real-world telemetry evidence submitted during revision cycles. - AVID, structured disclosure submissions for newly discovered vulnerabilities in endpoint AI components or upstream vendor model deployments. - CSA endpoint AI security working group, contribute archetype threat models as input to endpoint AI security guidance.

Target: minimum 4 substantive contributions per year; quality-graded and legally vetted before submission; every contribution anonymized.

C) Shared threat-model artifacts

Publish anonymized archetype threat models (scrubbed of org-specific tool names and deployment details) under a permissive license for peer-org adoption. Host or co-host at least one industry tabletop per year tied to the library (ATLAS practitioner table, OWASP AI chapter, CSA endpoint working group, sector ISAC AI working group).

Outcome Metrics (L3)

Metric Baseline L3 Target Source
Library change lead time from telemetry / external signal to update measure ≤14 days Library telemetry
Industry contributions per year (MITRE ATLAS / AVID / OWASP / CSA) 0 ≥4 Contribution log
External-recognized TTPs originating from the program 0 ≥2 / year External artifact citations
Peer-org adoption of published archetype threat models 0 tracked External telemetry
% of library changes auto-proposed vs. manually authored measure ≥60% auto-proposed Curation telemetry

Process Metrics (leading)

  • Auto-proposal pipeline health, ≥1 actionable auto-proposal per week; staleness alert if feed silent for 7 days.
  • Contribution pipeline always ≥2 in-flight (draft, in-review, or being prepared).
  • External tabletop cadence, at least 1 per year.
  • Library change-log machine-readable and consumed by at least one downstream practice (SR or ST) for auto-update notifications.

Effectiveness Metrics (business value)

  • Program cited in industry advisories as a practitioner contributor to ATLAS / OWASP / AVID / CSA on endpoint AI attack techniques.
  • Time-to-defend shrinks for library-sourced threats, controls are in place before incidents because the library leads external disclosure timelines.
  • Talent signal, endpoint AI security engineering talent attracted by the program's external profile and contribution record.

Success Criteria

  • Library auto-update pipeline operating with ≤14-day lead time from signal to update.
  • ≥4 industry contributions per year; ≥2 recognized in external artifacts (ATLAS merge, AVID entry, OWASP revision, CSA guidance).
  • Anonymized archetype threat models published under permissive license with tracked adoption.
  • Industry tabletop hosted or co-hosted in last 12 months.

Key Success Indicators

Level 1: - Seven archetype threat models published (AI assistant / copilot on managed endpoint, browser-based AI tool, chatbot / conversational UI, multi-modal AI interface, AI-augmented productivity, mobile AI app, edge AI device), each tagged to HAI TTPs (EA/AGH/TM/RA), ATLAS tactic IDs (TA0001–TA0014), applicable OWASP LLM / Agentic / MASVS / Browser-Extension references, and the PC-Endpoints priority compliance map. - Threat snapshot gate live in the SM intake flow, 100% of newly Sanctioned endpoint AI deployments in the last 90 days have a snapshot attached before Sanctioned status is issued. - Each snapshot documents: archetype(s), deployment-specific deltas (tool list, data classes accessible, tier, user population, Art. 50 disclosure obligation), top-5 threats with HAI TTP tags and ATLAS tactic IDs, controls evident, and gaps for SR/SA follow-up. - Shadow-endpoint-AI threat view published, reviewed by the program sponsor, and linked to the ML-Endpoints detection backlog and the IM-Endpoints triage playbook. - Named library steward, quarterly refresh cadence, and ≥90% of active endpoint AI deployments carrying a current-year snapshot.

Level 2: - Per-deployment deep threat models live for 100% of Critical-tier deployments and ≥90% of High-tier deployments, with refresh cadence (Critical semi-annual, High annual) met. - External AI endpoint threat intel (ATLAS, AVID, OWASP LLM / MASVS / Browser-Extension, academic venues, sector ISACs, CSA) integrated with quarterly triage and a documented change-log; intel-to-library update ≤30 days for Critical-impact items. - Quarterly red-team-the-library exercise operating; every gap closed with a named owner and expiry date; Critical gaps ≤30 days, High gaps ≤60 days.

Level 3: - Library auto-update pipeline operating with ≤14-day lead time; ≥60% of changes auto-proposed; change-log machine-readable and consumed by downstream SR and ST practices. - ≥4 substantive industry contributions per year to MITRE ATLAS / AVID / OWASP MASVS / Browser-Extension Top 10 / CSA, with ≥2 externally recognized. - Anonymized archetype threat models published under permissive license with tracked peer-org adoption; at least one industry tabletop hosted or co-hosted annually.


Common Pitfalls

Level 1: - ❌ Threat models describe endpoint AI performing security monitoring (v2.0 framing) rather than describing the endpoint AI interface as the subject being assessed, the library catalogs what AI tools do for security rather than what threats face the endpoint AI the org deploys. - ❌ Archetype library covers chatbots and AI assistants but omits browser extensions and edge AI devices, the two archetypes with the most direct exposure to physical-access and permission-abuse threats remain without threat models. - ❌ Threat snapshot is completed at deployment approval and never refreshed, a SaaS-AI feature that gains new data-scope access or an AI assistant whose tool list expands does not trigger a re-snapshot. - ❌ ATLAS tactic walk is performed for narrative completeness but no technique IDs are assigned, the walk produces prose, not structured references that ST and IR can act on. - ❌ HAI TTPs (EA/AGH/TM/RA) are listed in the library header but not tagged per-threat, reviewers cannot triage which threats matter for a specific endpoint archetype's failure modes. - ❌ Library steward is unnamed, the quarterly refresh calendar item is no one's job and the library drifts from current endpoint AI attack research within two quarters.

Level 2: - ❌ "Per-deployment deep model" is the archetype snapshot with the deployment name swapped in, no deployment-specific tool list analysis, no data-class exposure consequence, no user-population risk assessment; the depth is cosmetic. - ❌ External intel is subscribed but never triaged, ATLAS update emails and OWASP MASVS revision drafts pile up unread; the library is frozen at L1 publication. - ❌ Red-team-the-library exercise is a threat-hunting session that adds entries to a finding log but never cross-checks findings against the library, gaps are never surfaced because the comparison was never made. - ❌ Critical-tier accepted gaps from the library red-team lack owners or expiry dates, gap backlog grows without accountability. - ❌ Deep modeling stops at Critical; High-tier deployments (customer-data-handling AI assistants) remain on archetype-only snapshots.

Level 3: - ❌ Auto-proposal pipeline accepts signals without curation, false-positive detections from ML-Endpoints pollute the library with phantom threats; downstream SR and ST artifacts generate incorrect requirements and tests. - ❌ "Contributions" to MITRE/AVID/OWASP/CSA are observer submissions (comments, conference talks) rather than technical artifacts with evidence, they appear in the contribution log but produce no substantive change. - ❌ Published anonymized archetype models are not maintained after release, external adopters build on a stale version while the internal library has advanced. - ❌ Telemetry-driven update loop fires on every minor endpoint configuration change, overwhelming the curation queue, endpoint teams disable telemetry to stop the noise rather than tune signal sensitivity.


Practice Maturity Questions

Level 1: 1. Are there published, versioned threat models for all seven endpoint AI archetypes (AI assistant / copilot on managed endpoint, browser-based AI tool, chatbot / conversational UI, multi-modal AI interface, AI-augmented productivity, mobile AI app, edge AI device), each mapping archetype-specific threats to HAI TTPs (EA/AGH/TM/RA), ATLAS tactic IDs, applicable OWASP LLM / Agentic / MASVS / Browser-Extension references, and PC-Endpoints compliance items, with a named library steward and a documented quarterly refresh cadence? 2. Does every endpoint AI deployment entering the SM inventory receive a threat snapshot (delivered within one business day of intake) that documents: the applicable archetype(s), deployment-specific deltas (tool list, data classes accessible, tier, user population, Art. 50 disclosure obligation), top-5 threats with HAI TTP tags and ATLAS tactic IDs, and gaps for SR/SA follow-up, with 100% of newly Sanctioned deployments carrying a snapshot in the last 90 days? 3. Is there a published shadow-endpoint-AI threat view, reviewed by the program sponsor in the last 12 months, that documents entry vectors, elevated threat scenarios for unsanctioned endpoint AI deployments, and the specific detections (MDM telemetry, egress monitoring, SaaS-admin audit logs, endpoint DLP signals) used to surface them?

Level 2: 1. Does every Critical-tier endpoint AI deployment have a current-year per-deployment deep threat model (not an archetype snapshot) covering deployment-specific attack trees, an abuse-case catalog by adversary archetype, deployer-duty mapping, and a full ATLAS tactic walk with technique-level specificity, with a semi-annual refresh cadence and change-driven updates on tool additions, sensor changes, or scope expansion? 2. Is external AI endpoint threat intel (MITRE ATLAS updates, AVID, OWASP LLM / Agentic / MASVS / Browser-Extension revisions, sector ISACs, academic adversarial-ML venues, CSA endpoint AI outputs) integrated with a quarterly triage cadence and a documented change-log, with intel-to-library update ≤30 days on Critical-impact items? 3. Do you run a quarterly red-team-the-library exercise that probes an in-scope endpoint AI deployment using only library threats and surfaces misses as library gaps, with every gap carrying a named owner and an expiry date, Critical gaps closing within 30 days, and the gap rate trending down quarter over quarter?

Level 3: 1. Does the threat library auto-update from telemetry (ML-Endpoints detections, IM-Endpoints incidents) and external feeds (ATLAS, AVID, OWASP, CSA, academic) via a human-curated auto-proposal pipeline, with ≥60% of changes auto-proposed, a ≤14-day lead time from signal to update, and a machine-readable change-log consumed by downstream SR and ST practices? 2. Does the program contribute at least four substantive, evidence-backed technical artifacts per year to MITRE ATLAS / AVID / OWASP MASVS / Browser-Extension Top 10 / CSA endpoint AI security, with at least two externally recognized in published advisory or standard revisions? 3. Are anonymized endpoint archetype threat models published under a permissive license with tracked peer-org adoption, and does the program host or co-host at least one industry tabletop per year (ATLAS practitioner table, OWASP AI chapter, CSA endpoint working group, or sector ISAC AI working group) tied to the library?


Document Version: HAIAMM v3.0 Practice: Threat Assessment (TA) Domain: Endpoints Last Updated: 2026-05-14 Author: Verifhai

☑ Interactive Self-Assessment

Answer each question based on your current, implemented practices only. Progress saves automatically in your browser.