Threat Assessment (TA) - Processes Assessment

Assessment questionnaire for measuring maturity. Answer each question honestly based on current, implemented practices.

Source of truth: ../practices/TA-Processes-OnePager.md | ../HAIAMM-v3.0-Framing.md §8 (HAI TTPs), §10.1 (ATLAS), §14.5 (ATLAS tactic taxonomy)


Threat Assessment (TA) - Processes Domain

HAIAMM Assessment Questionnaire v3.0

Practice: Threat Assessment (TA) Domain: Processes Purpose: Assess organizational maturity in building and maintaining a reusable threat library for the business workflows that embed AI/HAI, covering all seven workflow archetypes mapped to HAI TTPs, ATLAS tactics (TA0001–TA0014), and OWASP LLM/Agentic Top 10, with domain-specific threats: decision-bypass, decision-laundering, silent-decision-drift, rubber-stamp HITL, reviewer overload, content-generation propagating without review, RAG-poisoning of internal corpus, and knowledge-management retrieval-extraction Scoring Model: Evidence + Outcome Metrics (see Scoring Methodology below)


Instructions

  • Answer each question honestly based on current, implemented practices (not plans or aspirations)
  • Each question has two components: Evidence (what you did) and Outcome Metrics (how well it worked)
  • Scoring uses 4 tiers: Fully Mature (1.0), Implemented (0.67), Partial (0.33), Not Implemented (0.0)
  • Answer progressively, complete all Level 1 questions before Level 2
  • Level progression, achieve ALL questions at lower level before advancing
  • Baseline first, record current metric values before setting targets
  • Subject framing, the AI-embedded workflow is the subject being assessed; the threat library describes what threatens the workflow, not what the workflow does for security

Scoring Methodology

Score Label Criteria
1.0 Fully Mature All evidence items present AND ≥3 outcome metrics meet targets
0.67 Implemented All evidence items present AND 2 outcome metrics meet targets
0.33 Partial Evidence partially complete OR fewer than 2 metrics meet targets
0.0 Not Implemented No substantive evidence of the activity

Level Score = average of the three question scores at that level Practice Score = weighted average: L1 × 0.5 + L2 × 0.3 + L3 × 0.2 (L2/L3 only scored if L1 = Fully Mature)


Maturity Level 1

Objective: Build the AI/HAI workflow archetype threat library, integrate a threat snapshot into every workflow intake, and ensure every workflow's threat surface is documented before AI embedding is sanctioned.


Question 1: Build the AI/HAI workflow archetype threat library

Q1.1: Does the organization have a published, versioned threat library containing one threat model per AI/HAI workflow archetype, covering all seven archetypes (decision pipeline, customer-facing flow, human-AI collaboration chain, back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow), with each archetype's threats tagged to HAI TTPs (EA/AGH/TM/RA), ATLAS tactic IDs (TA0001–TA0014), OWASP LLM/Agentic Top 10 references, and the PC-Processes priority compliance map, owned by a named library steward with a documented quarterly refresh cadence?

Evidence Required: - [ ] Threat library document exists, is versioned, and names a single library steward responsible for quarterly refresh - [ ] All seven archetype models published: decision pipeline, customer-facing flow, human-AI collaboration chain (HITL chain), back-office augmentation, approval/review workflow, content-generation workflow, knowledge-management workflow - [ ] Decision pipeline archetype covers: decision-bypass (EA/TA0008), decision-laundering (GDPR Art. 22), silent-decision-drift (RA/EU AI Act Art. 9), adversarial-input-against-decision (TA0040/TA0014), class-shift on protected groups (EEOC/FCRA/NYC LL 144/CO SB-21-169) - [ ] Customer-facing flow archetype covers: AI hallucination reaching customer (LLM09/TA0014), Art. 50 disclosure failure (EU AI Act Art. 50), prompt-injection via customer input reaching downstream systems (AGH/LLM01/TA0003/TA0004), brand/reputation impact via AI output failure - [ ] HITL chain archetype covers: rubber-stamp HITL (RA/TA0008), reviewer overload eliminating human oversight (TA0014), reviewer-side prompt injection (AGH/LLM01/TA0004), override audit trail gap (EU AI Act Arts. 14/26) - [ ] Back-office augmentation archetype covers: confidential-data egress to AI assistant (TM/TA0011), AI-output incorporated into decisions without review (EA/TA0014), AI-suggestion bias affecting back-office outcomes (RA) - [ ] Approval/review workflow archetype covers: AI-screen poisoning (TA0040/TA0014), approval-bypass via AI-classifier exploit (TA0007/TA0008), class-shift on approvals (EEOC/FCRA compliance) - [ ] Content-generation workflow archetype covers: generated content propagating without review (LLM09/TA0014), copyright/legal liability, brand-voice failure, injection-via-generated-content into downstream systems (AGH/LLM02/TA0004) - [ ] Knowledge-management workflow archetype covers: RAG-poisoning of internal corpus (AGH/LLM08/TA0002/TA0005), retrieval-extraction by malicious insiders (TM/TA0010/TA0011), misinformation propagation through knowledge base (TA0014) - [ ] ATLAS tactic walk documented per archetype; OWASP LLM/Agentic Top 10 cross-references per archetype; compliance linkage per threat (EU AI Act Arts. 14/26/50, GDPR Arts. 22/35, FCRA, EEOC, NYC LL 144)

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | % of AI/HAI-embedded workflows in SM inventory with a current-year threat snapshot | measure | % | 100% for Sanctioned; ≥90% for all | ☐ | | | Archetype coverage (workflow archetypes with a published threat model) | 0 / 7 | ___ / 7 | 7 / 7 | ☐ | | | Median snapshot turnaround from SM intake to threat snapshot delivery | measure | ___ | ≤1 business day | ☐ | | | % of snapshot top-5 threats tagged to a HAI TTP and an ATLAS tactic ID | measure | % | 100% | ☐ | |

Metric Collection Guidance: - Snapshot coverage: Count AI-embedded workflows in SM inventory with a TA snapshot dated within the current calendar year divided by total active workflows. Source: SM inventory × TA snapshot registry - Archetype coverage: Count distinct published archetype models for the seven workflow archetypes. Target is 7/7 before intake gates go live - Snapshot turnaround: Median elapsed time from SM workflow intake registration to threat snapshot delivery. Source: intake workflow telemetry - TTP/tactic tagging rate: For each snapshot, confirm top-5 threats each carry both a HAI TTP tag and an ATLAS tactic ID. Source: snapshot metadata fields

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence of workflow archetype threat library)

Evidence Location: _____ Validation Date: ____ Notes: ______


Question 2: Produce a per-intake threat snapshot for every SM workflow registration

Q2.1: Is a threat snapshot produced for every AI/HAI-embedded workflow registering in the SM inventory, delivered within one business day of intake for Sanctioned workflows, documenting the applicable archetype(s), workflow-specific deltas (decision stakes, customer reach, HITL placement and depth, data classes, regulatory exposure, downstream systems receiving AI output), top-5 threats with HAI TTP tags, ATLAS tactic IDs, OWASP references, and compliance linkage, with 100% of newly Sanctioned workflows in the last 90 days carrying a snapshot before Sanctioned status is issued?

Evidence Required: - [ ] Snapshot gate is bound to the SM workflow intake flow: Sanctioned status cannot be issued without a snapshot attached - [ ] Snapshot template includes: archetype(s), workflow-specific deltas (decision stakes, HITL placement/depth, data classes, regulatory exposure including Annex III trigger and Art. 22 lawful basis, downstream systems), top-5 threats with HAI TTP tags, ATLAS tactic IDs, OWASP references, compliance linkage, controls evident, gaps - [ ] Workflow-specific deltas populated per snapshot, reviewers adapt archetype content; HITL placement and decision stakes are specifically documented - [ ] Snapshot expiry rules documented: re-snapshot triggers include scope change, new data classes, AI model swap, material HITL restructuring, regulatory change - [ ] 100% of newly Sanctioned AI/HAI-embedded workflows in the last 90 days have a snapshot attached (sample audit evidence on file) - [ ] ≥90% of all active workflows in the SM inventory carry a current-year snapshot

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | % of AI/HAI-embedded workflows in SM inventory with a current-year threat snapshot | measure | % | 100% for Sanctioned; ≥90% for all | ☐ | | | Median snapshot turnaround from SM intake to threat snapshot delivery | measure | ___ | ≤1 business day | ☐ | | | % of snapshot top-5 threats tagged to a HAI TTP and an ATLAS tactic ID | measure | % | 100% | ☐ | | | Snapshot-to-SR linkage rate (snapshots whose top-5 threats referenced by ≥1 SR-Processes requirement) | measure | ___% | ≥80% | ☐ | |

Metric Collection Guidance: - Snapshot coverage: Same measurement as Q1, current-year snapshots divided by active workflows - Turnaround: Median time from SM intake open to snapshot delivered; measure weekly - Tagging rate: Per-snapshot check, each of the top-5 threats must have TTP and ATLAS tactic ID fields populated - SR linkage: After SR-Processes L1 is operational, cross-reference snapshot threat IDs against SR requirements. Track % of snapshots with ≥1 SR-Processes cross-reference

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No snapshot gate in SM workflow intake)

Evidence Location: _____ Validation Date: ____ Notes: ______


Question 3: Author the shadow-AI-in-processes threat view

Q3.1: Is there a published shadow-AI-in-processes threat view, reviewed by the program sponsor within the last 12 months, that documents entry vectors for unsanctioned AI-embedded workflows, elevated threats for shadow workflows (no threat model, no SR requirements, no disclosure/oversight design, EU AI Act Art. 26 deployer duties unmet), specific failure modes (customer PII to unsanctioned AI provider, AI-generated decisions affecting persons without Art. 22 lawful basis, regulated content flowing to AI tools without DPA coverage), and the L1 detections available (DLP signals for AI provider domains, SaaS admin console reports of newly enabled AI features, staff survey discovery, expense/billing signals)?

Evidence Required: - [ ] "Shadow AI in Processes, Threat View" document exists, is dated, and names the reviewer (program sponsor or delegate) - [ ] Document covers entry vectors: staff copying customer data into consumer GenAI; departmental SaaS tools with AI features enabled without IT/security review; business units building lightweight automation with AI APIs outside the intake process; AI-embedded features in approved SaaS silently enabled without workflow governance - [ ] Elevated threats documented: no threat snapshot applied, no SR requirements pack, no disclosure or oversight design, EU AI Act Art. 26 unmet, Art. 22 lawful basis absent for decision-affecting workflows - [ ] Specific failure modes named: customer PII reaching an unsanctioned AI provider via staff copy-paste; AI-generated decisions affecting persons without Art. 22 lawful basis or override path; regulated content (PHI, financial data) flowing to AI tools without DPA coverage - [ ] L1 detections documented: DLP signals for AI provider domains in egress; SaaS admin console reports of newly enabled AI features; staff survey discovery; expense/billing signals for consumer AI subscriptions - [ ] Document feeds ML-Processes detection backlog and IM-Processes triage playbook (links on file) - [ ] Shadow-AI-in-processes threat view published and reviewed in last 12 months

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | Shadow-AI-in-processes threat view published and reviewed in last 12 months | n/a | Yes/No | Yes | ☐ | | | % of snapshot top-5 threats tagged to a HAI TTP and an ATLAS tactic ID | measure | % | 100% | ☐ | | | Archetype coverage (workflow archetypes with a published threat model) | 0 / 7 | ___ / 7 | 7 / 7 | ☐ | | | Downstream reuse rate (SR, SA, ST artifacts citing snapshot threats vs. re-deriving) | measure | % | ≥80% | ☐ | |

Metric Collection Guidance: - Shadow threat view currency: Confirm document exists with review date within last 12 months and program-sponsor approval record - Tagging rate: Same measurement source as Q1/Q2 - Archetype coverage: Same 7/7 metric as Q1 - Downstream reuse: Sample 10 recent SR-Processes, SA-Processes, or ST-Processes artifacts and check whether threats trace back to snapshot top-5 entries

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No shadow-AI-in-processes threat view exists)

Evidence Location: _____ Validation Date: ____ Notes: ______


Maturity Level 2

Objective: Layer per-workflow deep threat models on top of archetype snapshots for Critical-tier workflows, integrate external threat intelligence, and red-team the library quarterly against real in-scope workflows.


Question 4: Per-workflow deep threat modeling for Critical-tier workflows

Q4.1: Does every Critical-tier AI/HAI-embedded workflow in the SM inventory have a current-year per-workflow deep threat model, not a recycled archetype snapshot, covering workflow-specific attack trees (per-stakeholder abuse paths for decision stakes, HITL failure modes per gate, data-class exfiltration and misuse paths, downstream system propagation risks), a named-adversary abuse-case catalog, EU AI Act Art. 26 deployer-duty mapping, and a full ATLAS tactic walk with technique-level specificity, with a semi-annual refresh cadence and change-driven updates on HITL restructuring, AI model swap, scope expansion, or regulatory change?

Evidence Required: - [ ] Per-workflow deep threat models exist for 100% of Critical-tier workflows; model age does not exceed 180 days for any Critical-tier workflow - [ ] Per-workflow models contain: workflow-specific decision stakes with per-stakeholder abuse paths; specific HITL placement with failure modes at each gate; specific data classes with exfiltration and misuse paths; specific downstream system dependencies with propagation risks - [ ] Abuse-case catalog names adversary archetypes (affected persons gaming the system, malicious insiders, compromised AI vendor, external attacker via customer input channel) with concrete attack narratives for this specific workflow - [ ] EU AI Act Art. 26 deployer-duty mapping covers: Art. 15 accuracy/robustness, Art. 14 human oversight, Art. 13 documentation; sector-specific obligations (FCRA, EEOC, FINRA, sector rules) mapped where applicable - [ ] Full ATLAS tactic walk: all 14 tactics enumerated; techniques from the Processes-domain threat context selected; exclusions with rationale on record; TA0008 Defense Evasion explicitly addressed for rubber-stamp HITL and decision-laundering patterns - [ ] High-tier workflows carry archetype snapshot + workflow-specific deltas + ATLAS tactic walk (no High-tier workflow on archetype snapshot alone) - [ ] Refresh cadence: Critical semi-annual + change-driven; High annual + change-driven; cadence compliance tracked

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | % Critical-tier workflows with current-year per-workflow deep threat model | measure | % | 100% | ☐ | | | % High-tier workflows with archetype snapshot + workflow-specific deltas + ATLAS tactic walk | measure | % | ≥90% | ☐ | | | External intel triage cadence met (quarterly) | measure | ___ / year | 4 / year | ☐ | | | Threat-library change lead time from intel signal to library update | measure | ___ days | ≤30 days for Critical-impact items | ☐ | |

Metric Collection Guidance: - Critical-tier coverage: Count Critical-tier workflows with a per-workflow deep model dated within 180 days divided by all Critical-tier workflows - High-tier coverage: Count High-tier workflows with archetype snapshot + deltas + ATLAS walk divided by all High-tier workflows - Intel triage cadence: Count completed quarterly intel triage sessions in last 12 months. Each session must produce a triage log artifact - Change lead time: For each Critical-impact item in the last four quarters, calculate days from receipt to library update. Compute median and P90

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No per-workflow deep models for Critical-tier workflows)

Evidence Location: _____ Validation Date: ____ Notes: ______


Question 5: External AI-security threat intelligence integration

Q5.1: Is external AI-security threat intelligence, covering MITRE ATLAS updates relevant to process-level techniques, AVID process-domain abuse pattern entries, sector ISACs with AI working groups (HR-AI/FinAI/ClinAI), and regulatory enforcement actions and supervisory guidance touching AI-in-processes (FTC/CFPB/EEOC/EU AI Act Annex III enforcement), subscribed to and operationalized with a quarterly triage cadence producing a documented change-log, with intel-to-library update ≤30 days on Critical-impact items?

Evidence Required: - [ ] Subscriptions active for all four intelligence source categories: MITRE ATLAS (process-level technique focus), AVID, sector ISAC AI working groups (HR-AI, FinAI, ClinAI as applicable), regulatory enforcement actions and supervisory AI guidance - [ ] Quarterly triage cadence documented: triage session records showing date, intel items reviewed (including regulatory enforcement actions and sector ISAC advisories), triage decisions with library impact assessment - [ ] Documented change-log with entries keyed to intel source, item date, impact assessment, library update record, and steward sign-off - [ ] Change-log reviewed by the library steward and the IM backlog owner each quarter - [ ] Intel-to-library update lead time ≤30 days for Critical-impact items: evidence from change-log timestamps - [ ] No quarter in the last 12 months with zero library changes

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | External intel triage cadence met (quarterly) | measure | ___ / year | 4 / year | ☐ | | | Threat-library change lead time from intel signal to library update | measure | ___ days | ≤30 days for Critical-impact items | ☐ | | | Library gaps discovered per quarter (red-team exercises) | measure | tracked | trending down | ☐ | | | % Critical-tier workflows with current-year per-workflow deep threat model | measure | ___% | 100% | ☐ | |

Metric Collection Guidance: - Triage cadence: Count triage session records in the last 12 months. Each session must produce a triage log referencing ATLAS process-technique IDs and regulatory enforcement items reviewed - Change lead time: For each Critical-impact item in the last four quarters, calculate days from receipt to library update. Compute median and P90 - Library gaps: From red-team exercise output, count workflow threats identified not present in the library for that archetype. Track per quarter - Critical-tier coverage: Same metric as Q4

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No external intel integration)

Evidence Location: _____ Validation Date: ____ Notes: ______


Question 6: Red-team the threat library itself

Q6.1: Does the organization run a quarterly red-team-the-library exercise, where ST-Processes probes an in-scope AI/HAI-embedded workflow using only threat scenarios documented in the library for that archetype, surfaces all unmatched findings as library gaps rather than passing results, and closes every gap with a named owner and expiry date (Critical gaps within 30 days, High within 60 days), with the gap rate trending down quarter over quarter?

Evidence Required: - [ ] Quarterly red-team-the-library exercise on file: exercise records show date, workflow probed, archetype used, library version, probe scenarios drawn exclusively from library, and unmatched findings enumerated - [ ] Gap log maintained: every unmatched finding becomes a ticket with a named owner and expiry date - [ ] Critical-tier gap closure SLA enforced: no Critical gap open past 30 days (audit evidence on file) - [ ] High-tier gap closure SLA: no High gap open past 60 days - [ ] Gap rate tracked per quarter and documented as trending down - [ ] Gaps reviewed for SR-Processes and ST-Processes update implications; decision-laundering and rubber-stamp HITL patterns explicitly tested in probes

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | Library gaps discovered per quarter (red-team exercises) | measure | tracked | trending down | ☐ | | | % Critical-tier workflows with current-year per-workflow deep threat model | measure | % | 100% | ☐ | | | % High-tier workflows with archetype snapshot + workflow-specific deltas + ATLAS tactic walk | measure | % | ≥90% | ☐ | | | External intel triage cadence met (quarterly) | measure | ___ / year | 4 / year | ☐ | |

Metric Collection Guidance: - Library gap rate: Count library gaps logged per quarter from red-team exercises. Plot trend; expect initial rise then sustained decline - Gap closure SLA: Verify no Critical gap exceeded 30 days from creation to closure in the last four quarters - Critical-tier and High-tier coverage: Same metrics as Q4 - Intel triage cadence: Same metric as Q5

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No red-team-the-library exercise)

Evidence Location: _____ Validation Date: ____ Notes: ______


Maturity Level 3

Objective: Automate threat-library maintenance from telemetry and external feeds; contribute discovered process-level AI/HAI TTPs back to MITRE ATLAS, AVID, and sector ISACs.


Question 7: Telemetry-driven library updates

Q7.1: Does the threat library auto-update from an integrated signal pipeline, consuming ML-Processes detection alert patterns, IM-Processes post-incident ATLAS tactic walks, ATLAS technique additions relevant to process-level abuse, AVID new entries, sector ISAC AI advisories, and regulatory enforcement actions, via human-curator approval workflow, with ≥60% of changes auto-proposed, ≤14-day lead time from signal to update, and a machine-readable change-log subscribed to by downstream SR and ST practices?

Evidence Required: - [ ] Auto-proposal pipeline operational: ML-Processes detections and IM-Processes incident ATLAS walks generate structured candidate threat entries surfaced to the curation queue - [ ] External feed ingestion active: ATLAS, AVID, sector ISAC AI advisories, regulatory enforcement actions all feeding the pipeline - [ ] Human-curator workflow implemented: curators approve, reject, or defer each auto-proposal with decision rationale on record - [ ] ≥60% of library changes in the last 12 months were auto-proposed - [ ] Change-log is machine-readable; downstream SR-Processes and ST-Processes practices subscribe and receive update-required notifications - [ ] Lead time from signal to library update ≤14 days: change-log timestamps support this claim

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | Library change lead time from telemetry / external signal to update | measure | ___ days | ≤14 days | ☐ | | | % of library changes auto-proposed vs. manually authored | measure | ___% | ≥60% auto-proposed | ☐ | | | Industry contributions per year (MITRE ATLAS / AVID / sector ISACs) | 0 | ___ | ≥4 | ☐ | | | External-recognized TTPs originating from the program | 0 | ___ | ≥2 / year | ☐ | |

Metric Collection Guidance: - Change lead time: Measure days from signal timestamp to library commit. Focus on regulatory enforcement actions and sector ISAC advisories as the most workflow-specific signal types. Compute median and P90 - Auto-proposal rate: Count changes with origin "auto-proposed" divided by all changes in last 12 months - Industry contributions: Count substantive technical artifacts submitted to ATLAS/AVID/sector ISACs. Decision-laundering as a Defense Evasion technique, rubber-stamp HITL as a Persistence-of-effect technique, silent-decision-drift as an Impact technique qualify - Recognized TTPs: Check ATLAS commit history, AVID entry list, sector ISAC advisories for citations of the program

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No auto-proposal pipeline)

Evidence Location: _____ Validation Date: ____ Notes: ______


Question 8: Industry contribution of discovered process-level AI/HAI TTPs

Q8.1: Does the program contribute at least four substantive, evidence-backed technical artifacts per year to MITRE ATLAS, AVID, sector ISACs (HR-AI, FinAI, ClinAI), and ISO/IEC 42005/OECD AI, covering novel process-level TTPs discovered in AI-embedded workflows (decision-laundering as Defense Evasion, rubber-stamp HITL as Persistence-of-effect, silent-decision-drift as Impact, RAG-poisoning of internal corpus patterns), with at least two contributions externally recognized in published advisory, standard revision, or ATLAS merge?

Evidence Required: - [ ] Contribution log maintained: each entry records target body (ATLAS/AVID/sector ISAC/ISO/OECD), submission date, artifact type, evidence package, anonymization review sign-off, and status - [ ] ≥4 substantive technical contributions submitted in the last 12 months, each is a technical artifact with evidence, not a cosmetic observer comment - [ ] ≥2 contributions externally recognized in the last 12 months (ATLAS technique merge, AVID entry published, sector ISAC advisory citing the program, ISO/OECD input incorporated) - [ ] Submissions anonymized and legally vetted; review record on file for each submission - [ ] Contributions focus on process-domain attack classes: decision-laundering, rubber-stamp HITL exploitation, silent-decision-drift, RAG-poisoning of internal corpus, retrieval-extraction patterns, content-generation propagating without review

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | Industry contributions per year (MITRE ATLAS / AVID / sector ISACs) | 0 | ___ | ≥4 | ☐ | | | External-recognized TTPs originating from the program | 0 | ___ | ≥2 / year | ☐ | | | Library change lead time from telemetry / external signal to update | measure | ___ days | ≤14 days | ☐ | | | % of library changes auto-proposed vs. manually authored | measure | ___% | ≥60% auto-proposed | ☐ | |

Metric Collection Guidance: - Contributions: Source is contribution log. Quality-grade: technical artifact with evidence = counts; comment without evidence = does not count - Recognized TTPs: Check ATLAS commit history, AVID entry list, sector ISAC advisories, ISO/OECD publication records for citations - Change lead time and auto-proposal rate: Same as Q7

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No substantive industry contributions)

Evidence Location: _____ Validation Date: ____ Notes: ______


Question 9: Shared threat-model artifacts and industry tabletops

Q9.1: Are anonymized workflow archetype threat models published under a permissive license with tracked peer-org adoption, and does the program host or co-host at least one industry tabletop per year (ATLAS practitioner table, sector ISAC AI working group, or OWASP AI chapter) tied to the library?

Evidence Required: - [ ] Anonymized workflow archetype threat models published: public or consortium-accessible URL on file; license is permissive; org-specific workflow names, decision stakes, and data classes scrubbed - [ ] Anonymization review record on file for each published model - [ ] Peer-org adoption tracked: download counts, fork counts, direct adoption notifications, or consortium usage reports - [ ] Industry tabletop hosted or co-hosted in last 12 months: event record with date, hosting org(s), topic tied to the process threat library, and participant count - [ ] Published models maintained in sync with internal library: last internal update vs. last published update gap ≤90 days

Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | Peer-org adoption of published archetype threat models | 0 | tracked | tracked | ☐ | | | External-recognized TTPs originating from the program | 0 | ___ | ≥2 / year | ☐ | | | Industry contributions per year (MITRE ATLAS / AVID / sector ISACs) | 0 | ___ | ≥4 | ☐ | | | % of library changes auto-proposed vs. manually authored | measure | ___% | ≥60% auto-proposed | ☐ | |

Metric Collection Guidance: - Peer-org adoption: Collect download/fork/adoption metrics from the publishing platform quarterly. Trend is the measure - Recognized TTPs: Same metric as Q8 - Contributions and auto-proposal rate: Same metrics as Q7/Q8

Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No published shared artifacts or tabletops)

Evidence Location: _____ Validation Date: ____ Notes: ______


Summary Scorecard

Level Q1 Q2 Q3 Level Score Gate Met?
L1 ___ ___ ___ ___
Level Q4 Q5 Q6 Level Score Gate Met?
L2 ___ ___ ___ ___
Level Q7 Q8 Q9 Level Score Gate Met?
L3 ___ ___ ___ ___

Practice Maturity Score: ___ Assessed Maturity Level: ☐ L1 ☐ L2 ☐ L3

Practice Maturity Statement: The organization's TA-Processes practice is at Level ___ . The archetype threat library covers ___ / 7 workflow archetypes mapped to HAI TTPs (EA/AGH/TM/RA), ATLAS tactic IDs (TA0001–TA0014), and OWASP LLM/Agentic Top 10 references. Domain-specific threats cataloged include decision-bypass, decision-laundering, silent-decision-drift, rubber-stamp HITL, reviewer overload, content-generation propagating without review, RAG-poisoning of internal corpus, and knowledge-management retrieval-extraction. Threat snapshots are produced at SM intake for ___% of Sanctioned workflows. [Add narrative on gaps, next steps, and L2/L3 readiness.]


Document Version: HAIAMM v3.0 Practice: Threat Assessment (TA) Domain: Processes Last Updated: 2026-05-15 Author: Verifhai

Instructions:

  • Answer based on current practices, not plans
  • “Yes” requires documented evidence
  • Complete all Level 1 questions before Level 2
  • Partial implementation = “No”

↓ Download as Markdown