Threat Assessment (TA)

Processes Domain - HAIAMM v3.0


Practice Overview

Objective: Build and maintain a reusable threat library for the business workflows that embed AI/HAI, one archetype-level threat model per workflow type, so every workflow entering the SM inventory produces a threat snapshot in minutes rather than a blank-page exercise.

Description: TA-Processes catalogs the threats specific to AI/HAI-embedded business workflows the organization operates, not tools used to secure those workflows, but the failure modes specific to the workflows themselves. At L1 the library covers one threat model per workflow archetype (decision pipeline, customer-facing flow, human-AI collaboration chain, back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow) mapped to HAIAMM's HAI-specific TTPs (EA, AGH, TM, RA), to MITRE ATLAS tactics (TA0001–TA0014), and to OWASP LLM/Agentic Top 10. Each workflow registered in SM's inventory generates a threat snapshot by pulling the archetype model and adding workflow-specific deltas (specific decision stakes, specific customer reach, specific HITL placement, specific data classes). L2 layers per-workflow deep models for Critical-tier workflows and red-teams the library quarterly against real workflows. L3 contributes discovered process-level TTPs back to MITRE ATLAS, AVID, and sector ISACs.

Context: Classic business-process risk management was not designed to enumerate AI-specific workflow failure modes, decision-laundering via AI endorsement, rubber-stamp HITL that creates governance theater without substantive review, silent-decision-drift as AI scoring thresholds shift and change outcomes without human awareness, adversarial prompt injection arriving through customer-supplied content and propagating to downstream systems. These are process-level risks owned by the teams that design, operate, and govern workflows that embed AI output. TA-Processes closes the gap by making workflow-specific threats a first-class library that threat modelers pull from at every intake, and by tying every archetype threat to a specific ATLAS tactic so the walk from attacker capability to workflow exposure is concrete.


Maturity Level 1

Objective: Build the AI/HAI workflow archetype threat library, integrate a threat snapshot into every workflow intake, and ensure every workflow's threat surface is documented before AI embedding is sanctioned

At this level, the organization gives every threat modeler and process-security reviewer a reusable, archetype-keyed library that maps AI/HAI workflow failure modes to HAI TTPs and ATLAS tactics, so no AI/HAI-embedded workflow is sanctioned without a documented threat view.

Dependencies

  • SM-Processes L1 (required): the workflow inventory defines which archetypes exist and what workflows need threat models; without it, TA operates on guesswork about scope.
  • PC-Processes L1 (required): the priority compliance map identifies which regulatory obligations (EU AI Act Art. 26 deployer duties, Art. 50 transparency, Art. 22 automated decisioning, GDPR Art. 22/35, sector-specific rules) must be reflected in the threat library.
  • EG-Processes L1 (required for reviewer activity): reviewers must recognize AI/HAI-specific workflow archetypes and TTPs before they can produce a credible snapshot.
  • Supports / unblocks: SR-Processes L1 (requirements derive from archetype threats), SA-Processes L1 (reference patterns address archetype threat surfaces), ST-Processes L1 (test battery targets archetype threats), ML-Processes L1 (detections prioritized from threat library), IM-Processes L1 (incident classifications derive from the threat library).

Desired Outcomes

  • Every AI/HAI-embedded workflow reaching SM intake gets a threat snapshot within one business day, pulled from the archetype library and adapted to the specific workflow's decision stakes, customer reach, HITL placement, and data classes.
  • HAIAMM's HAI-specific TTPs, EA (Excessive Agency), AGH (Agent Goal Hijack), TM (Tool Misuse), RA (Rogue Agents), are tagged to each archetype's threats; reviewers can explain the tag and its workflow-specific implications.
  • MITRE ATLAS tactics (TA0001 Reconnaissance through TA0014 Impact) are walked for each archetype at intake; a tactic with no relevant technique is an explicit exclusion, not a gap.
  • The threat library is versioned, owned, and refreshed on a documented cadence, it does not rot as new process-abuse patterns emerge.
  • Downstream practices (SR, SA, ST, ML, IM) inherit the library rather than re-deriving threats per workflow.

Activities

A) Build the AI/HAI workflow archetype threat library

Author one threat model per AI/HAI workflow archetype. Each archetype model is concise (target ≤2 pages), explicitly scoped to business workflows that embed AI/HAI output or decisions, and maps threats to HAI TTPs, ATLAS tactic IDs, OWASP LLM/Agentic Top 10 references, and the PC-Processes priority compliance map.

Archetypes to cover at L1 (from SM-Processes' inventory schema):

  • Decision pipeline, a workflow in which AI output (score, classification, recommendation) is the input to a consequential decision affecting persons, systems, or financial outcomes.
  • Customer-facing flow, a workflow in which AI-generated output is delivered to an external customer or end user as information, response, advice, or service output.
  • Human-AI collaboration chain, a workflow structured with explicit human review or approval gates over AI output before action is taken (HITL chain).
  • Back-office augmentation, an internal workflow in which AI output supports staff decisions, drafts, or analyses without direct customer exposure.
  • Approval/review workflow, a workflow in which AI classifies, surfaces, or scores items for human approval or rejection (e.g., loan screening, content moderation, procurement approval).
  • Content-generation workflow, a workflow that produces text, media, or structured content via AI for publication, distribution, or regulatory submission.
  • Knowledge-management workflow, a workflow that surfaces information to staff or customers from an AI-connected corpus (RAG-backed knowledge base, internal copilot, documentation assistant).

Per-archetype threat content (minimum):

Decision pipeline: - Decision-bypass, the AI output is used to justify a decision but the actual decision logic ignores or overrides the AI without recording the override; accountability for the outcome is diffused. HAI-TTP: EA (AI participates in a decision with no recorded accountability boundary). ATLAS: TA0008 Defense Evasion (outcome obscured from audit). - Decision-laundering, AI output is solicited after a human has already determined the outcome, used to provide algorithmic legitimacy to a pre-determined decision; the AI endorsement shields the decision from challenge. Compliance: GDPR Art. 22 (automated-decision safeguard circumvented in form while preserved in appearance). - Silent-decision-drift, AI threshold or model version changes produce a measurable shift in outcomes (approval rates, rejection rates, score distributions) without a corresponding governance review; the drift may disadvantage a protected class or change material business decisions without stakeholder awareness. HAI-TTP: RA (unintended drift in goal execution). Compliance: EU AI Act Art. 9 risk-management duty, FCRA adverse-action obligations. - Adversarial-input-against-decision, an affected party deliberately manipulates inputs to the AI (feature values, supporting documents, application fields) to flip a decision in their favor; gaming the scoring model. ATLAS: TA0040 ML Attack Staging; TA0043 Impact. - Class-shift on protected groups, AI scoring changes disproportionately affect a legally protected class in a way that triggers anti-discrimination obligations, creating both legal and reputational exposure. Compliance: EEOC, NYC Local Law 144, CO SB-21-169, FCRA.

Customer-facing flow: - AI hallucination reaching customer with material consequence, AI-generated output delivered to a customer contains false or misleading information that results in a harmful customer decision, financial loss, safety risk, or regulatory violation. OWASP LLM: LLM09 Misinformation. ATLAS: TA0043 Impact. - Art. 50 disclosure failure, the customer is not informed they are interacting with an AI system or receiving AI-generated output, in violation of EU AI Act Art. 50 transparency requirements. Compliance: EU AI Act Art. 50. - Prompt-injection via customer input reaching downstream systems, customer-supplied content (messages, form fields, uploaded documents) contains injected instructions that propagate to backend AI systems or agentic components. HAI-TTP: AGH. OWASP LLM: LLM01. ATLAS: TA0003 Initial Access; TA0004 Execution. - Brand/reputation impact via AI-generated output failure, AI-generated communications, recommendations, or service outputs cause customer harm or public embarrassment at scale; the failure mode is systemic rather than isolated. - CSAT-impacting failure, AI-generated output consistently degrades customer satisfaction through poor quality, inappropriate tone, or incorrect information; the degradation is not surfaced by monitoring until CSAT metrics decline.

Human-AI collaboration chain (HITL chain): - Rubber-stamp HITL, the human reviewer in the HITL chain always approves AI output without substantive review; the oversight gate provides governance theater but no actual human judgment, creating false confidence in decision quality. HAI-TTP: RA (agent operates unchecked despite nominal oversight). ATLAS: TA0008 Defense Evasion (the control exists on paper but not in practice). - Reviewer overload, HITL review volume exceeds reviewer capacity; the fallback is auto-approval or extended backlogs, eliminating the human oversight the workflow was designed to provide. ATLAS: TA0043 Impact (availability of the oversight function degraded). - Reviewer-side prompt injection, the review UI displays AI-generated content (summaries, recommendations, rationale) that contains injected instructions influencing the reviewer's behavior or causing the review tool to take unintended actions. HAI-TTP: AGH. OWASP LLM: LLM01. ATLAS: TA0004 Execution. - Override audit trail gap, HITL overrides of AI recommendations are not recorded with rationale; the workflow cannot demonstrate human oversight was exercised meaningfully; audit evidence is absent. Compliance: EU AI Act Art. 14 human oversight, Art. 26 deployer duties.

Back-office augmentation: - Confidential-data egress to AI assistant, staff copy regulated, confidential, or customer data into an AI assistant to support a task; the data exits governed storage and reaches an AI provider without DPA coverage. HAI-TTP: TM (tool invoked with data outside its authorized scope). ATLAS: TA0011 Exfiltration. - AI-output incorporated into decisions without review, back-office staff act on AI-generated analysis, draft, or recommendation without a review step; errors or biases in the AI output propagate into decisions, contracts, or records. HAI-TTP: EA. ATLAS: TA0043 Impact. - AI-suggestion bias affecting back-office outcomes, the AI assistant systematically favors certain options, vendors, or interpretations in its suggestions; staff following suggestions uncritically amplify the bias at scale. HAI-TTP: RA.

Approval/review workflow: - AI-screen poisoning, items submitted for approval are crafted to exploit the AI classifier's decision boundary, causing preferred items to be surfaced and unfavorable items to be suppressed without human awareness. ATLAS: TA0040 ML Attack Staging; TA0043 Impact. - Approval-bypass via AI-classifier exploit, by understanding or probing the classifier, a submitter routes items around the review gate entirely, bypassing the control the workflow is designed to enforce. ATLAS: TA0007 Privilege Escalation; TA0008 Defense Evasion. - Class-shift on approvals, AI scoring changes disproportionately affect a legally protected class in approval outcomes; triggers anti-discrimination obligations. Compliance: EEOC, NYC LL 144, FCRA, sector-specific.

Content-generation workflow: - Generated content propagating to customers or regulators without review, AI-generated text, reports, or disclosures are published or submitted without human review, delivering errors, hallucinated facts, or inappropriate content to external audiences or regulatory bodies. OWASP LLM: LLM09. ATLAS: TA0043 Impact. - Copyright/legal liability, AI-generated content incorporates protected material, trademarks, or regulated language that creates intellectual property or legal liability. Compliance: copyright law, sector-specific content regulations. - Brand-voice failure with material business effect, AI-generated content systematically deviates from brand standards, legal safe-harbor language, or regulatory disclosure requirements; the deviation creates compliance or reputational risk at scale. - Injection-via-generated-content into downstream systems, AI-generated content is passed to downstream systems (APIs, databases, processing pipelines) without input validation; injected instructions in the generated content execute in the downstream context. HAI-TTP: AGH. OWASP LLM: LLM02. ATLAS: TA0004 Execution.

Knowledge-management workflow: - RAG-poisoning of internal corpus, malicious or incorrect content is inserted into the knowledge base that feeds the AI retrieval system; all users querying the corpus receive contaminated results. HAI-TTP: AGH (retrieval is the trusted path). OWASP LLM: LLM08 Vector and Embedding Weaknesses. ATLAS: TA0002 Resource Development; TA0005 Persistence. - Retrieval-extraction by malicious insiders, an insider crafts retrieval queries to extract confidential documents or data from the corpus beyond their access entitlement; the AI retrieval layer bypasses document-level access controls. HAI-TTP: TM. ATLAS: TA0010 Collection; TA0011 Exfiltration. - Misinformation propagation through knowledge base, outdated, incorrect, or manipulated knowledge-base content is served to staff or customers as authoritative; the AI presents it with high apparent confidence; errors spread across decisions and communications before they are detected. ATLAS: TA0043 Impact.

  • ATLAS tactic walk per archetype: For each archetype, walk the full ATLAS tactic sequence and document which techniques apply and which are excluded with rationale. Decision pipelines weight TA0040 ML Attack Staging and TA0043 Impact. Customer-facing flows weight TA0003 Initial Access and TA0004 Execution (injection) and TA0043 (misinformation impact). HITL chains weight TA0008 Defense Evasion (rubber-stamp). Content-generation and knowledge-management workflows weight TA0002 Resource Development (corpus poisoning), TA0005 Persistence (corrupted content persisting), and TA0011 Exfiltration (retrieval extraction).

  • OWASP LLM / Agentic Top 10 cross-references per archetype: Decision pipelines, LLM09 Misinformation, LLM06 Excessive Agency. Customer-facing flows, LLM01 Prompt Injection, LLM09, LLM10 Unbounded Consumption. HITL chains, LLM06, LLM01. Back-office augmentation, LLM06, LLM02 Insecure Output Handling. Content-generation, LLM09, LLM02. Knowledge-management, LLM08, LLM01.

  • Compliance linkage: tag each threat to the PC-Processes priority compliance item it activates, EU AI Act Art. 26 deployer duties, Art. 50 transparency, Art. 14 human oversight, GDPR Art. 22 automated-decision safeguards, Art. 35 DPIA, Art. 27/EU AI Act FRIA triggers, sector-specific rules (FCRA, EEOC, NYC LL 144, CO SB-21-169, FINRA).

Owner: named TA-Processes library steward; cadence: reviewed quarterly; versioned in a single location linked from the SM inventory record for every workflow.

B) Produce a per-intake threat snapshot for every SM workflow registration

Bind TA into the SM intake flow, every new workflow registration emits a threat snapshot before Sanctioned status is issued; Provisional-status workflows receive a snapshot within five business days of registration.

Snapshot contents (designed to fit one screen):

  • Which archetype(s) apply (a workflow may be composite, e.g., a customer loan application is both a decision pipeline and a customer-facing flow).
  • Workflow-specific deltas over the archetype model: specific decision stakes (what outcome changes for which population); HITL placement and depth; data classes in scope; regulatory exposure (Annex III high-risk trigger, Art. 22 lawful basis, sector-specific rules); downstream systems receiving AI output.
  • Top-5 threats for this workflow, each with: HAI TTP tag, ATLAS tactic ID, OWASP reference, and compliance linkage.
  • Controls already evident from the workflow design vs. gaps for SR/SA follow-up.
  • Reviewer, date, expiry (re-snapshot on scope change, new data classes, AI model swap, material HITL restructuring, or regulatory change).

Time target: ≤1 business day per intake with the library available.

C) Author the shadow-AI-in-processes threat view

Shadow AI in processes, AI tools embedded in workflows without governance, staff using consumer GenAI to augment business tasks outside sanctioned channels, has its own threat surface. Author a standalone shadow-AI-in-processes threat document covering:

  • Entry vectors: staff copying customer data into consumer GenAI for task support; departmental SaaS tools with AI features enabled without IT/security review; business units building lightweight automation with AI APIs outside the intake process; AI-embedded features in approved SaaS silently enabled without corresponding workflow governance.
  • Elevated threats for shadow workflows: no threat model applied; no SR requirements pack; no disclosure or oversight design; deployer duties under EU AI Act Art. 26 unmet because the workflow is unknown to the deployer-duty owners.
  • Specific failure modes: customer PII reaching an unsanctioned AI provider via staff copy-paste; AI-generated decisions affecting persons without Art. 22 lawful basis or override path; regulated content (PHI, financial data) flowing to AI tools without DPA coverage.
  • Detections available at L1: DLP signals for AI provider domains in egress; SaaS admin console reports of newly enabled AI features; staff survey discovery; expense/billing signals for consumer AI subscriptions.

Output: a "Shadow AI in Processes, Threat View" one-pager reviewed by the program sponsor and feeding the ML-Processes detection backlog and IM-Processes triage playbook.

Outcome Metrics (L1)

Metric Baseline L1 Target Source
% of AI/HAI-embedded workflows in SM inventory with a current-year threat snapshot measure 100% for Sanctioned; ≥90% for all Inventory × TA snapshot artifacts
Archetype coverage (workflow archetypes with a published threat model) 0 / 7 7 / 7 TA library
Median snapshot turnaround from SM intake to threat snapshot delivery measure ≤1 business day Intake telemetry
% of snapshot top-5 threats tagged to a HAI TTP and an ATLAS tactic ID measure 100% TA snapshot metadata
Shadow-AI-in-processes threat view published and reviewed in last 12 months n/a Yes Document registry

Process Metrics (leading)

  • Threat library review cadence, quarterly archetype refresh recorded; no quarter with zero updates.
  • New-archetype lead time, from "first intake in new workflow category" to "archetype model published" ≤30 days.
  • Snapshot-to-SR linkage, % of snapshots whose top-5 threats are referenced by at least one downstream SR-Processes requirement (expected to rise once SR-Processes L1 is in place).
  • Library steward named and active, single owner, not a committee.

Effectiveness Metrics (business value)

  • Threats that converted to prevented workflow failures, documented cases where a snapshot-identified threat caused a control to be added before the workflow was sanctioned (e.g., HITL gate added after snapshot flagged rubber-stamp risk; Art. 50 disclosure added after snapshot flagged transparency gap).
  • Reviewer consistency, EG-Processes calibration uses live snapshots; inter-reviewer drift stays within target.
  • Downstream reuse, SR, SA, ST artifacts cite snapshot threats in ≥80% of cases rather than re-deriving independently.

Success Criteria

  • Seven archetype threat models published (decision pipeline, customer-facing flow, HITL chain, back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow), each tagged to HAI TTPs, ATLAS tactic IDs, OWASP LLM/Agentic Top 10 references, and the PC-Processes priority compliance map.
  • Threat snapshot gate live in the SM intake flow, 100% of newly Sanctioned AI/HAI-embedded workflows in the last 90 days have a snapshot attached.
  • Shadow-AI-in-processes threat view published, reviewed by the program sponsor, and feeding the ML-Processes detection backlog.
  • Named library steward and quarterly refresh cadence operating.
  • ≥90% of active AI/HAI-embedded workflows in the inventory carry a current-year snapshot.

Maturity Level 2

Objective: Layer per-workflow deep threat models on top of archetype snapshots for Critical-tier workflows, integrate external threat intelligence, and red-team the library quarterly against real in-scope workflows

At this level, threat assessment stops being "snapshot plus go" for high-stakes workflows. Critical-tier workflows (per SM-Processes L2's tier rubric, using dimensions: decision-affecting effect, customer reach, reversibility, human-oversight depth, regulatory scope, data classes, business criticality) receive full per-workflow deep threat models. External threat intelligence is wired in and triaged quarterly. The library is stress-tested by running quarterly red-team probes against real in-scope workflows.

Dependencies

  • TA-Processes L1 (required): archetype threat library and per-intake snapshot gate.
  • SM-Processes L2 (required): the risk-tier rubric determines where per-workflow deep modeling is required (Critical) vs. archetype-only (Medium/Low); without L2 tiers, every workflow appears equally important.
  • ST-Processes L2 (required for red-team-the-library activity): the red-team capability to probe real workflows comes from ST.
  • Supports / unblocks: SR-Processes L2 (per-tier threat depth drives per-tier requirements), SA-Processes L2 (threat depth drives pattern complexity), DR-Processes L2 (scenario-based design reviews need per-workflow models), ML-Processes L2 (detections tuned to per-workflow threats).

Desired Outcomes

  • Every Critical-tier AI/HAI-embedded workflow has a current-year per-workflow deep threat model, not a recycled archetype snapshot.
  • High-tier workflows receive archetype snapshot plus workflow-specific deltas and ATLAS full tactic walk; no High-tier workflow on archetype-only.
  • External AI-security threat intelligence is routinely consumed and reflected in the library; the library is not frozen at publication time.
  • The library is proved against reality, quarterly red-team exercises show what it catches and misses; gaps are closed with owners and expiry dates.
  • Per-tier threat-assessment depth is visibly differentiated, matching the SM-Processes L2 tier-treatment matrix.

Activities

A) Per-workflow deep threat modeling for Critical-tier workflows

For every Critical-tier workflow in the SM inventory, produce a full per-workflow threat model covering:

  • Attack trees beyond the archetype snapshot: workflow-specific decision stakes with per-stakeholder abuse paths; specific HITL placement with failure modes at each gate; specific data classes with exfiltration and misuse paths; specific downstream system dependencies with propagation risks.
  • Abuse-case catalog: named adversary archetypes (affected persons gaming the system, malicious insiders, compromised AI vendor, external attacker via customer input channel) with concrete attack narratives for this specific workflow.
  • Deployer-duty mapping: EU AI Act Art. 26 obligations mapped to the threat-control chain for this workflow (accuracy/robustness under Art. 15, human oversight under Art. 14, documentation under Art. 13); sector-specific obligations mapped where applicable.
  • ATLAS full tactic walk for the workflow: all 14 ATLAS tactics enumerated; techniques selected from the Processes-domain threat context; exclusions explicit with rationale.
  • Refresh cadence: Critical semi-annual plus change-driven (HITL restructuring, AI model swap, scope expansion, regulatory change); High annual plus change-driven.

B) External AI-security threat intelligence integration

Subscribe to and operationalize: - MITRE ATLAS updates relevant to process-level techniques. - AVID (AI Vulnerability Database), entries for process-domain abuse patterns. - Sector ISACs with AI working groups relevant to the org's process domains (HR-AI/employment decision systems, FinAI/credit decision systems, ClinAI/clinical decision support). - Regulatory enforcement actions and supervisory guidance touching AI-in-processes (FTC actions on AI decision systems, CFPB adverse-action guidance, EEOC AI bias enforcement, EU AI Act Annex III enforcement developments).

Quarterly triage cadence: which new intel items change the archetype library, change per-workflow models, or change SR or ST artifacts that depend on the library.

C) Red-team the threat library itself

Each quarter, ST-Processes runs an adversarial probe against an in-scope AI/HAI-embedded workflow using ONLY the threat scenarios documented in the library for that archetype. Threats the red-team exercise identifies that are NOT in the library are library gaps, not passing findings.

Gap closure: every gap becomes a ticket with a named owner and expiry date; Critical-tier gaps close within 30 days; High-tier within 60 days. The gap rate per quarter trends down as the library matures.

Outcome Metrics (L2)

Metric Baseline L2 Target Source
% Critical-tier workflows with current-year per-workflow deep threat model measure 100% TA library × SM inventory
% High-tier workflows with archetype snapshot + workflow-specific deltas + ATLAS tactic walk measure ≥90% TA library × SM inventory
External intel triage cadence met (quarterly) measure 4 / year Intel triage log
Library gaps discovered per quarter (red-team exercises) measure tracked; trending down Red-team library exercise output
Threat-library change lead time from intel signal to library update measure ≤30 days for Critical-impact items Intel → library telemetry

Process Metrics (leading)

  • Library change-log cadence, no quarter with zero changes.
  • Per-workflow deep model age, no Critical model older than 180 days; no High model with archetype snapshot alone.
  • Red-team-the-library exercise cadence, at least quarterly; exercise artifact on file.
  • Gap closure SLA tracked; no Critical gap open past 30 days.

Effectiveness Metrics (business value)

  • Incidents caught by pre-existing library entries vs. library gaps, ratio trends toward pre-existing over time.
  • Downstream reuse at tier, SR, SA, DR, ST artifacts for Critical-tier workflows cite per-workflow threats in ≥80% of cases.
  • Library becomes a named internal resource, workflow owners and process architects consult it before embedding AI, reducing DR send-backs caused by uncaptured threat surfaces.

Success Criteria

  • Per-workflow deep threat models live for 100% of Critical-tier and ≥90% of High-tier workflows, with refresh cadence met.
  • External threat intel integrated with quarterly triage and documented change-log.
  • Quarterly red-team-the-library exercise operating; gaps closed with named owners and expiry dates.
  • Intel-to-library update lead time ≤30 days on Critical-impact items.

Maturity Level 3

Objective: Automate threat-library maintenance from telemetry and external feeds; contribute discovered process-level AI/HAI TTPs back to MITRE ATLAS, AVID, and sector ISACs

At this level, the threat library is self-updating from telemetry and external feeds. The program contributes emerging first-party-observed process-level TTPs to MITRE ATLAS, AVID, and sector ISACs (HR-AI, FinAI, ClinAI), making the org a net contributor to the industry's AI-process threat knowledge base.

Dependencies

  • TA-Processes L2 (required): per-workflow models and external intel integration must be operational before automation is trustworthy.
  • ML-Processes L2+ (required): the detection telemetry that proposes library updates comes from the monitoring pipeline.
  • IM-Processes L2+ (required): incident pattern data feeds update proposals for threat actors, TTPs, and impact scenarios.

Desired Outcomes

  • Library staleness is measured in weeks, not quarters, material new attack patterns reach the library within 14 days of first observation in external feeds or internal telemetry.
  • Program-sourced process-level TTPs appear in MITRE ATLAS, AVID, and sector ISAC advisories.
  • External threat-landscape shifts are reflected in the library before most peers.
  • The org becomes a trusted node in AI-process-security threat sharing (sector ISACs, ATLAS practitioner network, OWASP AI working groups).

Activities

A) Telemetry-driven library updates

Wire the following signal sources into an auto-proposal pipeline: - ML-Processes detections, alert patterns not mapping to any existing library entry are surfaced as candidate new threats. - IM-Processes incident records, post-incident review records generate structured threat updates; the incident's ATLAS tactic walk is auto-ingested. - External feeds, ATLAS technique additions, AVID new entries, sector ISAC AI advisories, regulatory enforcement actions.

Human curators approve, reject, or defer each auto-proposal. Change-log is machine-readable; downstream SR, SA, ST artifacts subscribe and receive update-required notifications when a threat they reference changes.

B) Industry contribution

Contribute to: - MITRE ATLAS, new process-level techniques observed in AI-embedded workflows (decision-laundering as a Defense Evasion technique, rubber-stamp HITL as a Persistence-of-effect technique, silent-decision-drift as an Impact technique); submissions follow ATLAS evidence-and-provenance requirements. - AVID, structured disclosure submissions for newly discovered process-domain vulnerabilities. - Sector ISACs (HR-AI, FinAI, ClinAI), operationally-observed process-abuse patterns relevant to the sector. - ISO/IEC 42005 / OECD AI, practitioner input on process-level AI risk taxonomy grounded in program experience.

Target: minimum 4 substantive contributions per year; quality-graded and legally vetted before submission; every contribution anonymized.

C) Shared threat-model artifacts

Publish anonymized workflow archetype threat models (scrubbed of org-specific details) under a permissive license. Host or co-host at least one industry tabletop per year tied to the library (ATLAS practitioner table, sector ISAC AI working group, OWASP AI chapter).

Outcome Metrics (L3)

Metric Baseline L3 Target Source
Library change lead time from telemetry / external signal to update measure ≤14 days Library telemetry
Industry contributions per year (MITRE ATLAS / AVID / sector ISACs) 0 ≥4 Contribution log
External-recognized TTPs originating from the program 0 ≥2 / year External artifact citations
Peer-org adoption of published archetype threat models 0 tracked External telemetry
% of library changes auto-proposed vs. manually authored measure ≥60% auto-proposed Curation telemetry

Process Metrics (leading)

  • Auto-proposal pipeline health, ≥1 actionable auto-proposal per week; staleness alert if feed silent for 7 days.
  • Contribution pipeline always ≥2 in-flight (draft, in-review, or being prepared).
  • External tabletop cadence, at least 1 per year.
  • Library change-log machine-readable and consumed by at least one downstream practice (SR or ST) for auto-update notifications.

Effectiveness Metrics (business value)

  • Program cited in sector ISAC advisories or ATLAS updates as a practitioner contributor to process-level AI threat research.
  • Time-to-defend shrinks for library-sourced threats, controls in place before incidents because the library leads external disclosure timelines.
  • Talent signal, AI process-security expertise is attracted by the program's external profile and contribution record.

Success Criteria

  • Library auto-update pipeline operating with ≤14-day lead time from signal to update.
  • ≥4 industry contributions per year; ≥2 recognized in external artifacts (ATLAS merge, AVID entry, sector ISAC advisory, ISO/OECD input).
  • Anonymized archetype threat models published under permissive license with tracked adoption.
  • Industry tabletop hosted or co-hosted in last 12 months.

Key Success Indicators

Level 1: - Seven archetype threat models published (decision pipeline, customer-facing flow, HITL chain, back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow), each tagged to HAI TTPs (EA/AGH/TM/RA), ATLAS tactic IDs, OWASP LLM/Agentic Top 10 references, and the PC-Processes priority compliance map. - Threat snapshot gate live in the SM intake flow, 100% of newly Sanctioned AI/HAI-embedded workflows in the last 90 days have a snapshot attached before Sanctioned status is issued. - Each snapshot documents: archetype(s), workflow-specific deltas (decision stakes, HITL placement, data classes, regulatory exposure, downstream systems), top-5 threats with HAI TTP tags and ATLAS tactic IDs, controls evident, and gaps for SR/SA follow-up. - Shadow-AI-in-processes threat view published, reviewed by the program sponsor, and linked to the ML-Processes detection backlog and the IM-Processes triage playbook. - Named library steward, quarterly refresh cadence, and ≥90% of active AI/HAI-embedded workflows carrying a current-year snapshot.

Level 2: - Per-workflow deep threat models live for 100% of Critical-tier workflows and ≥90% of High-tier workflows, with refresh cadence (Critical semi-annual, High annual) met. - External AI-security threat intelligence (ATLAS, AVID, sector ISACs, regulatory enforcement actions) integrated with quarterly triage and a documented change-log; intel-to-library update ≤30 days for Critical-impact items. - Quarterly red-team-the-library exercise operating; every gap closed with a named owner and expiry date; Critical gaps ≤30 days, High gaps ≤60 days.

Level 3: - Library auto-update pipeline operating with ≤14-day lead time; ≥60% of changes auto-proposed; change-log machine-readable and consumed by downstream SR and ST practices. - ≥4 substantive industry contributions per year to MITRE ATLAS / AVID / sector ISACs / ISO/OECD, with ≥2 externally recognized. - Anonymized archetype threat models published under permissive license with tracked peer-org adoption; at least one industry tabletop hosted or co-hosted annually.


Common Pitfalls

Level 1: - ❌ Threat models describe "the AI" as the actor performing a security task (v2.0 framing) rather than describing the AI-embedded workflow as the subject being assessed, the library ends up cataloging what AI does rather than what threats face the workflows the org operates. - ❌ Archetype library covers only customer-facing workflows; back-office augmentation and knowledge-management workflows are excluded because "they're internal only", the largest actual-harm surface for data-egress and decision-bias is missed. - ❌ Threat snapshot is a checklist checkbox without workflow-specific deltas, no HITL placement documented, no decision stakes recorded, making the snapshot useless for SR and SA follow-through. - ❌ ATLAS tactic walk is performed for narrative completeness but no technique IDs are assigned, the walk produces prose, not structured references that ST and IR can act on. - ❌ HAI TTPs (EA/AGH/TM/RA) are listed in the library header but not tagged per-threat, reviewers cannot triage which threats matter for a specific workflow's failure modes. - ❌ Library steward is unnamed, "the security team owns it", so the quarterly refresh calendar item is no one's job and the library drifts from current process-abuse patterns within two quarters.

Level 2: - ❌ "Per-workflow deep model" is the archetype snapshot with the workflow name swapped in, no workflow-specific decision stakes, no HITL failure-mode analysis, no regulatory mapping; the depth is cosmetic. - ❌ External intel is subscribed but never triaged, ATLAS updates and sector ISAC advisories pile up unread; the library is frozen at L1 publication. - ❌ Red-team-the-library exercise adds findings to a log but never cross-checks against the library, gaps are never surfaced because the comparison was never made. - ❌ Critical-tier accepted gaps from the library red-team lack owners or expiry dates, gap backlog grows without accountability. - ❌ Deep modeling stops at Critical; High-tier workflows affecting regulated populations remain on archetype-only snapshots.

Level 3: - ❌ Auto-proposal pipeline accepts signals without curation, false-positive detections from ML-Processes pollute the library with phantom threats; downstream SR and ST artifacts generate incorrect requirements and tests. - ❌ "Contributions" to ATLAS/AVID/sector ISACs are observer submissions rather than technical artifacts with evidence, they appear in the contribution log but produce no substantive change. - ❌ Published anonymized archetype models are not maintained after release, external adopters build on a stale version while the internal library has advanced. - ❌ Telemetry-driven update loop fires on every minor workflow change, overwhelming the curation queue, teams disable telemetry to stop the noise rather than tune signal sensitivity.


Practice Maturity Questions

Level 1: 1. Are there published, versioned threat models for all seven AI/HAI workflow archetypes (decision pipeline, customer-facing flow, HITL chain, back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow), each mapping archetype-specific threats to HAI TTPs (EA/AGH/TM/RA), ATLAS tactic IDs, OWASP LLM/Agentic Top 10 references, and PC-Processes compliance items, with a named library steward and a documented quarterly refresh cadence? 2. Does every AI/HAI-embedded workflow entering the SM inventory receive a threat snapshot (delivered within one business day of intake) that documents: the applicable archetype(s), workflow-specific deltas (decision stakes, HITL placement, data classes, regulatory exposure, downstream systems), top-5 threats with HAI TTP tags and ATLAS tactic IDs, and gaps for SR/SA follow-up, with 100% of newly Sanctioned workflows carrying a snapshot in the last 90 days? 3. Is there a published shadow-AI-in-processes threat view, reviewed by the program sponsor in the last 12 months, that documents entry vectors, elevated threat scenarios for unsanctioned AI-embedded workflows, and the specific detections used to surface them?

Level 2: 1. Does every Critical-tier AI/HAI-embedded workflow have a current-year per-workflow deep threat model (not an archetype snapshot) covering workflow-specific attack trees, an abuse-case catalog, deployer-duty mapping, and a full ATLAS tactic walk with technique-level specificity, with a semi-annual refresh cadence and change-driven updates on HITL restructuring, AI model swap, or scope change? 2. Is external AI-security threat intelligence (MITRE ATLAS updates, AVID, sector ISACs, regulatory enforcement actions) integrated with a quarterly triage cadence and a documented change-log, with intel-to-library update ≤30 days on Critical-impact items? 3. Do you run a quarterly red-team-the-library exercise that probes an in-scope AI/HAI-embedded workflow using only library threats and surfaces misses as library gaps, with every gap carrying a named owner and expiry date, Critical gaps closing within 30 days, and the gap rate trending down quarter over quarter?

Level 3: 1. Does the threat library auto-update from telemetry (ML-Processes detections, IM-Processes incidents) and external feeds (ATLAS, AVID, sector ISACs, regulatory actions) via a human-curated auto-proposal pipeline, with ≥60% of changes auto-proposed, a ≤14-day lead time from signal to update, and a machine-readable change-log consumed by downstream SR and ST practices? 2. Does the program contribute at least four substantive, evidence-backed technical artifacts per year to MITRE ATLAS / AVID / sector ISACs / ISO/OECD AI, with at least two externally recognized in published advisory, standard revision, or ATLAS merge? 3. Are anonymized workflow archetype threat models published under a permissive license with tracked peer-org adoption, and does the program host or co-host at least one industry tabletop per year (ATLAS practitioner table, sector ISAC AI working group, or OWASP AI chapter) tied to the library?


Document Version: HAIAMM v3.0 Practice: Threat Assessment (TA) Domain: Processes Last Updated: 2026-05-14 Author: Verifhai

☑ Interactive Self-Assessment

Answer each question based on your current, implemented practices only. Progress saves automatically in your browser.