Education & Guidance (EG)
Endpoints Domain - HAIAMM v3.0
Practice Overview
Objective: Build the AI-assurance literacy every endpoint user needs when interacting with AI/HAI-enabled endpoint tools and the practitioner skills the smaller population performing endpoint AI reviews, customer-facing AI security assessments, mobile AI security testing, and edge AI threat modeling must have, with shadow AI on endpoints awareness as the primary L1 cultural outcome.
Description: EG-Endpoints covers three audiences. The first is the entire managed-endpoint user population, employees and contractors who use AI tools on laptops, mobile devices, and browsers, they need endpoint AI literacy: what the seven endpoint AI archetypes are, what the Endpoint AI AUP requires, what data must not go into AI tools, how to recognize that a productivity SaaS feature has quietly enabled AI capabilities, what AI browser extensions are sanctioned, and how to disclose AI tools they have already installed. The second is the practitioner population, endpoint security engineers, IT administrators managing AI-capable MDM and browser policies, product security engineers reviewing own-built chatbots and mobile AI apps, and edge/IoT engineers building on-device AI, who need deep, hands-on skills covering EDR detection of AI-specific data-egress patterns, browser-extension review methodology, customer-facing chatbot threat modeling, EU AI Act Art. 50 disclosure UX review, mobile AI permission scope assessment, and edge AI model-integrity verification. The third is the shadow-AI-on-endpoints awareness campaign, a sustained effort to surface AI tools employees and teams have already adopted outside governance. EG-Endpoints defines the outcomes the program must produce and how the organization measures whether those outcomes are actually reached.
Context: Endpoint AI literacy gaps are distinct from classic endpoint security training gaps. An employee who knows not to click suspicious email attachments will still paste customer PII into a productivity AI chatbot if no one has explained that the chat goes to a vendor AI model that may train on it. A browser-extension review that passes classic security checks (no malware signature, established publisher) will miss an AI extension that silently reads all form field content and sends it to an external AI API. A product security engineer trained in mobile OWASP will catch insecure storage and network issues but will not recognize the consent and disclosure gaps that make a mobile AI feature non-compliant with EU AI Act Art. 50. An IoT engineer who has hardened device firmware will not think about on-device model integrity unless someone has taught them to look for it. Without a deliberate EG practice targeted at these endpoint AI-specific gaps, endpoint AI risk surfaces late, at data-loss incident time, in regulatory enforcement, or in a customer complaint about an undisclosed AI interface.
Maturity Level 1
Objective: Deliver foundational endpoint AI literacy to ≥95% of managed-endpoint users and role-based practitioner training to 100% of the endpoint AI reviewer population, with an active shadow-AI-on-endpoints awareness campaign
At this level, the organization ensures that every managed-endpoint user understands what endpoint AI tools are sanctioned, what data must not flow through them, and how to surface tools they have already adopted, and that the practitioner population can perform consistent security reviews of endpoint AI assets across all seven archetypes.
Dependencies
- PC-Endpoints L1 (required): the three priority policies (Endpoint AI AUP, AI Browser-Extension Policy, Customer-Facing AI Endpoint Disclosure Policy) and the priority compliance map are the primary teaching object, training without published policies is hollow. EG-Endpoints L1 cannot precede PC-Endpoints L1.
- SM-Endpoints L1 (required): the AI/HAI endpoint inventory and archetype taxonomy define what the training is about and which archetypes users and practitioners encounter.
- Alignment (not a hard dependency): enterprise LMS and existing security-awareness program, extend rather than duplicate; all-hands cadence for shadow-AI-on-endpoints campaign launch; MDM / IT admin capability to push training to managed endpoints.
- Supports / unblocks: every downstream Endpoints-domain practice, practitioners who cannot distinguish a customer-facing chatbot from a developer coding assistant will not produce useful threat models (TA), requirements (SR), design reviews (DR), implementation reviews (IR), or security tests (ST).
Desired Outcomes
- Any managed-endpoint user can name the AI tools sanctioned for their role, cite the two or three AUP data-class restrictions most relevant to their work, recognize when a productivity SaaS has quietly enabled an AI feature, and submit an intake or disclosure in under 5 minutes.
- The practitioner population (endpoint security engineers, IT MDM/EDR admins, product security engineers for own-built surfaces, mobile/IoT engineers, endpoint-AI reviewers) produces consistent, evidence-backed reviews, two practitioners independently reviewing the same chatbot intake arrive at the same threat snapshot and the same SR gap list.
- Shadow AI disclosures increase in the first two quarters after the campaign launches (awareness working), then decrease as the sanctioned-archetype catalog grows and users reach for approved tools (adoption working).
- Deployer-duty and disclosure obligations under EU AI Act Art. 50 and Art. 26 are not abstract, every product security reviewer can map a customer-facing chatbot to the disclosure UX requirement, human-oversight assignment, and logging obligation it triggers.
- Training content is owned, dated, and updated within 30 days of any change to the AUP, browser-extension policy, disclosure policy, archetype list, or priority compliance map.
Activities
A) Ship endpoint user AI-assurance literacy training
A single short course (≤20 minutes) every managed-endpoint user takes at onboarding and refreshes annually, tied to the Endpoint AI AUP attestation from PC-Endpoints L1. This is not a comprehensive security awareness course, it is the minimum endpoint AI literacy needed to prevent accidental data exposure through AI tools and to surface shadow AI tools.
Content (minimum): - What the seven endpoint AI archetypes are, concrete examples from the org's own inventory for each: the coding assistant on the engineering laptop, the AI browser extension that summarizes pages, the customer support chatbot on the website, the voice AI interface in the mobile app, the M365 Copilot feature that just appeared in Teams, the mobile AI app the sales team is using, the kiosk running facial recognition at the front desk. - The Endpoint AI AUP in five rules, use sanctioned tools; no personal accounts for work AI; what data must not go into AI tools (regulated, customer-confidential, source code, internal financial, draft communications about individuals); how to request approval for a new AI tool; how to disclose a tool already in use. - AI browser extensions: safe and unsafe patterns, what makes an extension AI-capable and why that matters for data risk; how to check if an extension is on the allowlist; what to do with an extension that is not approved; why a "trusted publisher" extension with AI capabilities is not automatically safe. - Productivity AI quietly enabled in SaaS, how AI features appear in M365, Slack, Notion, Google Workspace without explicit user action (admin-enabled license changes, feature rollouts); how to recognize that Copilot or Gemini is now available and active; what data is accessible to the AI in each context (emails, calendar, files, chat history); how to flag unexpected AI feature activation to IT. - Mobile AI apps: what risks are specific to AI, why AI apps that request microphone/camera/location carry different risk than non-AI apps; what consent disclosures should look like; what to do if an org-issued mobile device has an AI app the user is unsure about. - How to disclose: the amnesty path, the intake form is accessible from the AUP, the intranet, and IT helpdesk; disclosure is encouraged; no penalty for surfacing tools already in use; what happens after disclosure (IT review, provisional approval for most tools within 10 BD).
Delivery: LMS module + 1-page reference card pinned in enterprise Slack/Teams and the IT helpdesk portal + brief at all-hands when the program launches. No role gating at the workforce level, every managed-endpoint user takes the same module.
B) Deliver role-based practitioner training for the endpoint AI reviewer population
A deeper module (~2 hours) for the practitioner population only. Completion is a prerequisite to approving endpoint AI intakes, not optional.
Content (minimum): - The seven endpoint AI archetypes in depth, for each archetype, the unique threat surface, the relevant HAI TTPs, the key SR requirements, and the signals that indicate elevated risk (e.g., a coding assistant with clipboard access to regulated-data directories; a browser extension with full page-content access on internal financial applications; a chatbot with action-taking capability on customer accounts; a voice AI interface without a disclosure UX; a mobile AI app requesting background microphone access without documented purpose). - EDR detection of AI-specific data-egress patterns, how modern EDR platforms surface AI tool network egress to provider domains; what process execution and DNS/SNI patterns indicate a new AI tool in use on managed endpoints; how to distinguish sanctioned AI tool egress from a shadow AI tool or an AI browser extension operating outside policy. - Browser-extension review methodology, how to evaluate a browser extension for AI capability (manifest.json permissions, content-script scope, background service worker network calls, declared API endpoints); what Chrome Enterprise reports provide; how to assess data-class risk per extension using the SM-Endpoints tier rubric. - Customer-facing chatbot threat modeling, applying the HAI TTP lens to own-built conversational AI: prompt injection via user input (AGH TTP); excessive agency when the chatbot has backend action capability (EA TTP); rogue agent drift in multi-turn conversations (RA TTP); tool misuse if the chatbot calls internal APIs (TM TTP); customer-data-egress risk when the chat sends user content to a vendor AI model; Art. 50 disclosure UX review methodology (what a compliant disclosure looks like vs. a buried-in-terms disclosure; accessibility check; sector overlay). - Mobile AI permission scope assessment, how to review a mobile AI app's permission manifest (iOS entitlements, Android manifest permissions) for over-privileged AI capabilities; what microphone/camera/location access means in the context of on-device vs. cloud-processed AI; how to test consent and disclosure UX against the Customer-Facing AI Endpoint Disclosure Policy requirements; OWASP MASVS mobile AI security requirements. - Edge AI model integrity and on-device inference threats, how on-device AI models can be replaced or poisoned (model substitution attack); how to verify on-device model identity and integrity (hash verification, signing); what a firmware update review should include when a model is bundled in firmware; edge device identity and authentication requirements. - Priority compliance map in practice, given an endpoint AI archetype, which requirements from PC's map apply; where the evidence lives in the go-live record; what a regulator will ask about an own-built customer-facing chatbot (Art. 50 disclosure artifacts, Art. 26 deployer-duty owner, logging baseline confirmation). - Calibration exercise, three sample endpoint AI intakes scored independently (e.g., a customer-facing chatbot with backend action capability, a productivity AI feature enabled for a regulated-data team, a developer coding assistant on an engineering laptop); facilitated debrief on tier assignment and SR gap list.
Delivery: instructor-led or recorded workshop + role-specific reference job aids (one per archetype: "what to look for in a [chatbot / mobile AI app / browser extension / edge device] intake") + quarterly calibration session. Completion gated on intake-approval permissions.
C) Run the shadow-AI-on-endpoints awareness campaign
An always-on communications program making it easy and comfortable for employees to surface AI tools they have installed or AI features that have appeared in their tools, and making it clear that unsanctioned endpoint AI creates real risk for the organization and for users.
Campaign elements: - Launch moment, executive sponsor message naming shadow AI on endpoints as a real, current risk; announcing the amnesty window; publishing the sanctioned-AI-tool catalog; explicit framing: the program is an enabler (most common AI tools are already sanctioned or fast-tracked), not a surveillance program. - Recurring short content, monthly one-paragraph pieces targeted at managed-endpoint users: a newly sanctioned AI tool and what it can be used for; a reminder of what data must not go into AI prompts; an anonymized story of a shadow AI disclosure that led to a fast approval (positive reinforcement); an external incident about AI browser extensions or productivity AI data-exposure reframed as "this is why we track this." - "Has your SaaS AI changed?" series, periodic call-outs when major SaaS vendors (Microsoft, Google, Slack, Notion) roll out new AI features; clear instruction on whether those features are already covered, require IT approval, or are in review; this prevents users from wondering whether the new Copilot feature that appeared in their Teams is sanctioned. - Shadow AI disclosure path visibility, the path to disclose an AI tool in use (intake form, IT helpdesk channel, direct MDM enrollment request) is linked from: the AUP document, the IT helpdesk portal, the engineering Slack/Teams channel pins, and the onboarding checklist. Disclosure must be as easy as the tool itself to install. - Feedback channel, a visible channel for employees to report AI tools they have seen in use, nominate AI tools for the sanctioned catalog, or ask whether a specific tool or extension is approved; nominations triaged and acknowledged within 5 BD. - Customer-facing AI disclosure awareness, targeted micro-content for product and engineering teams shipping own-built AI surfaces: what Art. 50 requires in plain language; what a compliant disclosure UX looks like vs. what auditors find non-compliant; how to submit a disclosure UX specification at intake.
Measurement: campaign channel links are tagged so attribution of intake submissions and shadow AI disclosures to campaign touchpoints is tracked.
Outcome Metrics (L1)
| Metric | Baseline | L1 Target | Source |
|---|---|---|---|
| % managed-endpoint users with current-year endpoint AI literacy completion | measure | ≥95% | LMS / HR attestation |
| % endpoint AI intake reviewers with completed practitioner training | measure | 100% | LMS + intake-approval permissions |
| Reviewer calibration drift (avg tier and TTP-identification delta across reviewers on shared samples) | measure | ≤1 tier step and ≤2 TTP misclassifications per sample | Quarterly calibration exercise |
| Shadow AI disclosures per quarter (amnesty path) | measure | rises Q1-Q2, then trends down | Intake queue tagged "amnesty" |
| Intake submissions attributable to campaign channels | measure | ≥30% of net-new intakes | Tagged campaign URLs / form referrer |
Process Metrics (leading)
- Workforce training content reviewed quarterly; updated within 30 days of any change to the AUP, browser-extension policy, disclosure policy, archetype list, or priority compliance map.
- New-hire and new-contractor coverage SLA, endpoint AI literacy completed within 30 days of start.
- Reviewer calibration cadence, at least once per quarter; drift trends reported to the program sponsor.
- Campaign content cadence, at least one piece of shadow-AI-on-endpoints content published per month.
Effectiveness Metrics (business value)
- Reviewer throughput, endpoint AI intakes closed per reviewer per week should rise after practitioner training without sacrificing calibration quality (drift stays in target).
- Sanctioned-tool adoption, % of new AI tool requests resolved via the sanctioned-tool catalog (already approved) vs. net-new intake; rising reuse signals the catalog together with literacy is reducing shadow AI.
- Avoided-incident stories, documented cases where practitioner training enabled a reviewer to catch an endpoint AI risk at intake that would otherwise have reached users (browser extension transmitting form-field content to an unvetted AI backend; own-built chatbot missing Art. 50 disclosure; mobile AI app with excessive microphone access without consent UX).
Success Criteria
- Workforce endpoint AI literacy module launched; ≥95% current-year completion sustained for managed-endpoint users.
- Practitioner training launched, completion gated on intake-approval permissions, covering all seven archetypes, calibration drift inside target for two consecutive quarters.
- Shadow-AI-on-endpoints awareness campaign running with at least monthly content cadence and measurable attribution of intake submissions and amnesty disclosures to campaign channels.
- Customer-facing AI disclosure awareness content deployed for every team shipping own-built AI surfaces in production.
- Training content owner named; content updated within 30 days of any change to policies, archetypes, or compliance map.
Maturity Level 2
Objective: Deepen practitioner skill through scenario-based training from real endpoint AI intake cases, deliver channel-specific tracks for developer endpoints, customer-support AI, mobile, and edge practitioners, and run seasonal shadow-AI-on-endpoints campaigns tied to SaaS release cycles and hiring periods
At this level, training stops being one-size-fits-all. Reviewer skill deepens through scenario-based exercises built from anonymized real endpoint AI intake cases. Practitioners working in specific channels (developer-endpoint AI, customer-support AI surfaces, mobile AI, edge AI) receive tracks aligned to the archetypes they actually review. Shadow-AI campaigns become behavior-driven and seasonal rather than standing background noise.
Dependencies
- EG-Endpoints L1 (required): workforce literacy and base practitioner training must be in place.
- SM-Endpoints L2 (required): the risk-tier rubric defines which archetypes go to which reviewer track depth and at what cadence.
- TA-Endpoints L2 (required for Critical-tier scenarios): per-asset deep threat models for customer-facing chatbots and mobile AI apps provide the scenario source material for Critical-tier reviewer exercises.
- Supports / unblocks: PC-Endpoints L2 (tier-calibrated reviewers enforce tier-specific policies and disclosure sign-off requirements); SA-Endpoints L2 (channel-track trainees learn the reference patterns they will review); DR-Endpoints L2 (scenario-trained reviewers produce faster, more consistent DR decisions for own-built AI surfaces).
Desired Outcomes
- Reviewer calibration on Critical-tier customer-facing chatbot and mobile AI app scenarios is visibly tighter than at L1, the practitioner investment is measurable.
- Channel-specific practitioners (developer-endpoint AI reviewers, customer-support AI product engineers, mobile AI engineers, edge/IoT AI engineers) can independently identify the archetype-specific HAI TTPs, relevant Art. 50 and Art. 26 obligations, and SR requirements for their channel, and defend design choices in a DR.
- Shadow-AI campaigns run on a behavior-driven, seasonal cadence (major SaaS AI-feature rollouts, M365 Copilot license expansions, new device provisioning cycles, hiring surges) with pre-measured behavior targets and post-campaign measurement.
- Training content refreshes from program telemetry, real calibration drifts, real intake anomalies, real shadow-AI discovery patterns, not from annual curriculum reviews.
Activities
A) Scenario-based reviewer training from real endpoint AI intakes
- Scenario library built from anonymized real endpoint AI intake cases: each scenario includes the as-submitted archetype description, original reviewer decisions (tier, TTP identifications, SR gaps, disclosure UX adequacy assessment), any reviewer disagreement, and the resolved outcome.
- Scenarios organized per archetype (chatbot scenarios, mobile AI app scenarios, browser-extension scenarios, productivity AI scenarios, edge AI scenarios) and per TTP cluster (AGH-heavy for chatbots, EA-heavy for action-taking AI, data-egress-heavy for browser extensions, Art. 50-gap-heavy for customer-facing surfaces).
- Paired calibration exercises: two reviewers independently score the same scenario; instructor-facilitated debrief on tier delta, TTP identification delta, and SR gap list differences; disclosure UX adequacy assessment compared.
- Tier-weighted curriculum: Critical-tier customer-facing chatbot and mobile AI scenarios dominate the advanced modules; Low-tier developer coding assistant scenarios streamlined to fast-track calibration.
- Capstone: practitioners graduate the advanced module by running three live endpoint AI intakes end-to-end with a senior-reviewer shadow and producing a passing TA snapshot, SR REM, and (for customer-facing surfaces) a disclosure UX assessment record.
B) Channel-specific practitioner tracks
Distinct training tracks for practitioners working in specific endpoint AI channels:
- Developer-endpoint AI track, coding assistant deployment, AI IDE extensions, AI-augmented build tools on developer laptops; data-class risk of source code and internal API keys entering AI backends; MDM policy enforcement for AI developer tools; EA and TM TTPs in agentic coding assistant contexts (tools that can write files, run commands, make API calls); SR requirements for developer-only vs. broader deployment scope.
- Customer-support AI track, own-built customer support chatbots and conversational UIs; AGH TTP via customer-supplied injection through chat input; Art. 50 disclosure UX review methodology; customer-data-egress risk when chat sends interaction to a vendor AI model; action capability in support AI (ticket creation, account lookup, refund initiation) and EA/TM TTP implications; customer-facing AI incident response patterns.
- Mobile AI track, own-built mobile app AI features, vendor mobile AI assistants on managed mobile; iOS/Android permission scope review for AI capabilities (microphone, camera, location, contacts, device files); OWASP MASVS mobile AI security requirements; on-device vs. cloud processing architectures; Art. 50 consent UX patterns for mobile; MDM mobile app governance for AI-capable apps; RA TTP in persistent on-device AI.
- Edge AI track, kiosks, IoT devices, embedded on-device inference; on-device model identity and integrity verification; model substitution attack patterns; edge device identity and authentication; firmware review methodology for AI model components; physical access threat surface for on-device inference; data-minimization by design for sensor and biometric-adjacent edge AI.
- Each track is paired with the SA reference pattern for the relevant archetype, the training teaches the "green path" practitioners will review and defend in DR.
- Required for any practitioner reviewing a Critical or High-tier endpoint AI asset in the applicable channel; target ≥1 trained practitioner per Critical/High-tier asset.
C) Seasonal, behavior-driven shadow-AI-on-endpoints campaigns
- Campaigns tied to observed shadow endpoint AI risk windows: major SaaS vendor AI feature rollouts (M365 Copilot for M365 E3 expansion, Google Workspace Gemini rollout, Slack AI general availability, these create sudden large-population AI enablement that bypasses existing intake); device provisioning cycles (new device deployment means new AI tool installs without prior IT review); hiring surges (new employees arrive with AI tools already on personal devices that transfer to managed enrollment); post-external-incident moments (a public browser-extension data-exposure or chatbot data-leak incident creates a teachable window).
- Each campaign has a pre-measured behavior target (e.g., "reduce unapproved AI browser extension presence on managed endpoints by 40% in Q2," "increase intake submissions before feature-flag launch by 25% in Q3") and a post-campaign measurement.
- Amnesty windows run alongside campaigns; disclosure volume and source attributed to campaign channels.
- Campaign effectiveness reviewed by the program sponsor; campaigns that miss behavior targets by >20% are redesigned.
Outcome Metrics (L2)
| Metric | Baseline | L2 Target | Source |
|---|---|---|---|
| Reviewer calibration drift on Critical-tier chatbot and mobile AI scenarios | measure | ≤1 tier step and ≤1 TTP misclassification per sample | Quarterly calibration exercise |
| % Critical/High-tier assets with ≥1 practitioner trained on the applicable channel track | measure | 100% | LMS x SM-Endpoints inventory |
| Shadow-AI-on-endpoints campaign behavior-target achievement rate | measure | ≥70% of campaigns hit behavior target | Campaign post-measurement |
| % training content refreshed in last 90 days | measure | ≥80% | Content change log |
| % workforce literacy completion maintained | measure | ≥95% | LMS |
Process Metrics (leading)
- Scenario library freshness, scenarios reviewed quarterly; retired when endpoint AI intake patterns make them obsolete.
- Channel-specific training attendance tracked per Critical/High-tier asset in the inventory monthly.
- Campaign pipeline, always ≥1 campaign in-flight tied to a measurable behavior target.
- Calibration debrief findings routed back to the scenario library within 30 days.
Effectiveness Metrics (business value)
- Reduction in intake submissions missing key TTPs or SR/disclosure gaps at first submission (caught earlier as reviewer skill rises, reviewers coach submitters before they reach the queue).
- Channel-track-trained practitioners' own-built AI surface reviews require fewer DR re-submissions vs. untrained teams.
- Sanctioned-tool catalog reuse rate for channel-track-trained teams rises vs. untrained teams.
Success Criteria
- Scenario library of ≥30 real-sourced endpoint AI intake cases across archetypes in use; reviewer calibration drift inside target for two consecutive quarters.
- Channel-specific training tracks (developer-endpoint AI, customer-support AI, mobile AI, edge AI) delivered; ≥1 trained practitioner per Critical/High-tier asset.
- ≥2 behavior-driven shadow-AI-on-endpoints campaigns run in the last 12 months with measured outcomes.
- Training content refresh cadence met; ≥80% of content updated in last 90 days.
Maturity Level 3
Objective: Operate continuous calibration at scale, externalize the endpoint AI curriculum and reviewer rubric as industry-shared artifacts, and contribute to emerging endpoint AI and mobile AI security certification pathways
At this level, the organization's training posture is visible outside its own walls. The practitioner curriculum, scenario library, and reviewer rubric are published externally through CSA AI Safety Initiative, OWASP MASVS, OASIS, or sector ISACs. The program contributes to emerging AI-engineering and AI-assurance certification pathways. Internally, calibration is continuous and live rather than quarterly.
Dependencies
- EG-Endpoints L2 (required): scenario library, channel-specific tracks, and behavior-driven campaigns must be in place.
- PC-Endpoints L3 (required for regulatory-track content): continuous attestation and policy-refresh infrastructure provides real compliance scenarios the external curriculum demonstrates.
- SM-Endpoints L3 (required): automated inventory and tier data feed continuous calibration exercises with current asset examples.
Desired Outcomes
- External practitioners recognize and use the program's endpoint AI curriculum and reviewer rubric; citations and adoption are tracked.
- Reviewer certification exists (internally aligned with external credentials where credentials have emerged, CSA AI Safety, ISACA AI, OWASP MASVS credentials) and is held by a majority of Critical-tier endpoint AI reviewers.
- Monthly live calibration, reviewers re-calibrated against anonymized real endpoint AI intake cases from the live queue each month; drift trends are a managed metric.
- Training content evolution is auditable and evidence-driven (IM-Endpoints and ML-Endpoints telemetry feeds the curriculum rather than annual scheduled reviews).
- MITRE ATLAS TTPs observed in own-built or consumed endpoint AI assets are contributed back as new technique candidates or confirmed technique instances.
Activities
A) Externalize the curriculum, scenario library, and reviewer rubric
- Publish the following under a permissive license or as a consortium deliverable through CSA AI Safety Initiative, OWASP MASVS, OASIS conversational AI, or applicable sector ISAC:
- Workforce endpoint AI literacy module (learning objectives, assessment questions, reference-card template covering the seven archetypes and shadow AI disclosure).
- Practitioner role-based training curriculum (module outlines, channel-track coverage matrix, per-archetype reviewer job aids for chatbot, mobile AI, browser extension, edge AI).
- Anonymized scenario library (scenario format, per-archetype examples including Art. 50 disclosure UX review scenarios, calibration debrief format).
- Reviewer rubric (tier-assignment criteria using the SM-Endpoints L2 rubric dimensions, TTP-identification scoring, SR-gap-list completeness scoring, disclosure UX adequacy assessment criteria).
- Community contributions accepted; changes to the external artifact flow back into internal content within 30 days.
- Adoption tracked: citations in external publications, forks, downloads, direct adoption acknowledgment.
B) Continuous live calibration
- Monthly calibration round: a current anonymized endpoint AI intake case sampled from the program's live queue is shared with the reviewer cohort; each reviewer independently scores tier, TTPs, SR gaps, and (for customer-facing surfaces) disclosure UX adequacy; drift reported to the program sponsor.
- Individual reviewer drift is a development signal, not a performance metric; reviewers with persistent drift on specific archetype channels (e.g., consistently under-scoring edge AI model-integrity findings) receive targeted coaching and additional scenario exposure.
- Calibration results feed the scenario library directly, new scenarios drawn from intakes where calibration revealed drift are added within 30 days.
C) Endpoint AI certification contribution
- Contribute to AI-engineering and endpoint AI security certification pathways as they emerge: CSA AI Safety, ISACA AI Audit / AI Risk, OWASP MASVS examinations, sector-specific ISAC credentials relevant to chatbot security and mobile AI security.
- Align the org's practitioner capstone with certification-grade rubrics where credentials exist; support reviewers pursuing external credentials.
- Contribute MITRE ATLAS new-technique candidates and confirmed-technique instances from own-built or consumed endpoint AI assets (e.g., novel browser-extension prompt-injection patterns, mobile AI over-privileged tool-use observations, edge device model-substitution technique instances), minimum 1 per year where novel observations exist.
- Target: ≥2 substantive contributions per year to industry endpoint AI curriculum or certification working groups.
Outcome Metrics (L3)
| Metric | Baseline | L3 Target | Source |
|---|---|---|---|
| External adoption, citations, forks, downloads of curriculum / scenario library / rubric artifacts | 0 | tracked, trending up | External telemetry |
| % Critical-tier endpoint AI reviewers holding an external AI-assurance or endpoint-AI credential | 0 | ≥50% by year 2 of L3 (where credential exists) | HR / credential registry |
| Monthly live calibration cadence met | measure | monthly, on calendar | Calibration log |
| ATLAS TTP contributions or confirmations per year | 0 | ≥1 where novel observations exist | ATLAS contribution log |
| Contributions to industry endpoint AI certification / curriculum working groups per year | 0 | ≥2 substantive | Contribution log |
Process Metrics (leading)
- Curriculum refresh pipeline: ≥1 change per quarter driven by IM/ML telemetry or external update (new SaaS AI-feature rollout, new browser-extension attack pattern, new MASVS revision, new Art. 50 implementing act).
- Reviewer certification pathway participation tracked per reviewer.
- External outreach: ≥2 conference or working-group engagements per year on endpoint AI security education topics.
- Calibration debrief findings fed to scenario library within 30 days.
Effectiveness Metrics (business value)
- Talent acquisition, the program is a named draw for endpoint security and product security practitioner hires who want to work on AI-specific risk.
- Reduced on-boarding time for new reviewers who arrive with external credentials.
- Industry recognition, program cited by regulators, standards bodies (CSA, OWASP, OASIS), or peer organizations as reference for endpoint AI security education.
- Internal re-submission rate for endpoint AI intakes continues to decline as external curriculum adoption provides pre-trained practitioners from outside the org.
Success Criteria
- Curriculum, scenario library, and reviewer rubric published externally (CSA / OWASP MASVS / OASIS / sector ISAC) with documented adoption.
- Monthly live calibration operating; drift inside target for two consecutive quarters.
- ≥50% of Critical-tier endpoint AI reviewers credentialed (where credentials exist).
- ≥2 substantive contributions to industry endpoint AI certification or curriculum per year.
- ≥1 MITRE ATLAS TTP contribution or confirmation per year where novel observations exist.
Key Success Indicators
Level 1: - Workforce endpoint AI literacy module launched; ≥95% current-year completion across managed-endpoint users; content tied to the Endpoint AI AUP attestation. - Practitioner role-based training launched, gated on intake-approval permissions, covering all seven endpoint AI archetypes, EDR detection of AI-specific egress, browser-extension review, customer-facing chatbot threat modeling (AGH/EA/TM/RA), Art. 50 disclosure UX review methodology, mobile AI permission scope assessment, and edge AI model-integrity verification. - Reviewer calibration drift inside target (≤1 tier step and ≤2 TTP misclassifications per sample) for two consecutive quarters. - Shadow-AI-on-endpoints awareness campaign running with monthly content cadence; amnesty disclosures attributable to campaign channels rising in Q1-Q2 then declining as the sanctioned-tool catalog grows. - Training content owner named; content updated within 30 days of any change to policies, archetypes, or compliance map.
Level 2: - Scenario library of ≥30 anonymized real endpoint AI intake cases powering reviewer training across archetypes; Critical-tier calibration drift inside target. - Channel-specific practitioner tracks (developer-endpoint AI, customer-support AI, mobile AI, edge AI) delivered; ≥1 trained practitioner per Critical/High-tier asset. - ≥2 behavior-driven shadow-AI-on-endpoints campaigns run in the last 12 months with measured outcomes; ≥70% of campaigns hit pre-set behavior target. - Training content refreshed in last 90 days for ≥80% of modules.
Level 3: - Curriculum, scenario library, and reviewer rubric published externally (CSA AI Safety Initiative / OWASP MASVS / OASIS / sector ISAC) with documented adoption or citation. - ≥50% of Critical-tier endpoint AI reviewers hold an external AI-assurance or endpoint-AI credential (where one exists). - Monthly live calibration operating with drift inside target; calibration results feeding the scenario library continuously. - ≥2 substantive contributions to industry endpoint AI certification or curriculum working groups per year; ≥1 MITRE ATLAS contribution or confirmation per year where novel observations exist.
Common Pitfalls
Level 1: - ❌ Workforce training covers classic "don't click suspicious links" but not the AI-specific endpoint risks (pasting regulated data into AI prompts, productivity AI quietly accessing sensitive files, browser extensions reading form content and sending it to external AI APIs), the endpoint AI literacy gap remains entirely open. - ❌ Practitioner training is a one-hour "AI security overview" rather than a hands-on module covering the seven endpoint archetypes, EDR-based AI-egress detection, browser-extension review methodology, chatbot threat modeling, mobile AI permission scope, and edge AI model integrity. - ❌ Reviewer training is optional, intake-approval permissions granted without training completion; calibration drift is never measured; two reviewers arrive at different tiers and different disclosure UX adequacy assessments for the same chatbot. - ❌ Shadow-AI-on-endpoints campaign launches once with a Slack message from IT, then goes silent, no monthly content, no attribution tracking, no amnesty path visibility; employees never hear about it again. - ❌ Training is archetype-agnostic, "AI security" without distinguishing between a customer-facing chatbot (AGH / EA / Art. 50 disclosure) and a developer coding assistant (data-class restriction / personal-account prohibition); practitioners apply the wrong review lens. - ❌ Customer-facing AI disclosure awareness content never ships for product teams, engineers shipping chatbots have no mental model for Art. 50 UX requirements at the implementation level; disclosures are invented per feature, inconsistent, and non-compliant. - ❌ Training content owner is unnamed, content goes stale within a quarter; employees find outdated AUP references; the module references a browser-extension allowlist that no longer exists as described.
Level 2: - ❌ Scenario library is built from invented examples rather than anonymized real intake cases, reviewers learn the shape of a "textbook chatbot intake" but not the actual edge cases that surface in the org's queue (the chatbot that also doubles as a customer authentication helper; the browser extension that is on the allowlist for general staff but not for the finance team; the mobile AI app that changed its permission scope in a minor update). - ❌ Channel-specific tracks are optional; endpoint AI practitioners skip them and then produce reviews that miss archetype-specific controls in DR, the mobile AI reviewer misses the MASVS consent UX requirement; the edge AI reviewer misses the model-integrity verification step. - ❌ Campaigns are launched without a pre-measured behavior target, "shadow AI awareness" claimed as a success without data on whether unapproved browser extension presence decreased or intake submissions increased. - ❌ Content "refreshes" are cosmetic, module covers updated, scenario descriptions wordsmithed, but the browser-extension review checklist is not updated after a major Chrome Enterprise Admin policy change; practitioners use outdated methodology. - ❌ Calibration drift is measured but not acted on, reviewers with persistent drift on edge AI model-integrity scenarios never receive targeted coaching; the calibration exercise becomes a quarterly box-check.
Level 3: - ❌ External publication without ongoing maintenance, other organizations find a scenario library that references outdated Art. 50 implementing acts and stop trusting the program; citations dry up. - ❌ Credentialing becomes performative, reviewers pursue credentials that do not map to the org's actual endpoint AI tier-treatment rubric; credential acquisition is celebrated but calibration drift on real intakes stays unchanged. - ❌ Live calibration becomes a gotcha rather than a development signal, reviewers game the monthly exercise and improve calibration scores without improving actual intake quality for novel archetype combinations. - ❌ Contributions to industry working groups do not loop back, what is published in the OWASP MASVS or CSA scenario library drifts from what reviewers use internally; practitioners cite the external artifact and contradict the internal rubric. - ❌ ATLAS contributions are aspirational but never actually submitted, the org observes novel browser-extension AI exfiltration or mobile AI over-privileged tool-use patterns but does not complete the ATLAS submission process.
Practice Maturity Questions
Level 1: 1. Have all managed-endpoint users completed a current-year endpoint AI literacy course covering the seven endpoint AI archetypes (with org-specific examples), the Endpoint AI AUP data-class restrictions (including personal-account prohibition, regulated data in AI prompts, productivity AI and browser extension hygiene), and the shadow AI disclosure path, with ≥95% completion and content updated within 30 days of any policy or archetype change? 2. Has the endpoint AI reviewer population (endpoint security engineers, IT MDM/EDR admins, product security engineers for own-built surfaces, mobile AI engineers, edge AI engineers) completed role-based training covering all seven endpoint archetypes, EDR AI-egress detection, browser-extension review methodology, chatbot threat modeling (AGH/EA/TM/RA TTPs and Art. 50 disclosure UX review), mobile AI permission scope assessment (OWASP MASVS), and edge AI model-integrity verification, with completion gated on intake-approval permissions and calibration drift ≤1 tier step and ≤2 TTP misclassifications per sample for two consecutive quarters? 3. Is a shadow-AI-on-endpoints awareness campaign running with at least monthly content, a visible amnesty path linked from the AUP and intake form, and measurable attribution of intake submissions and shadow AI disclosures to campaign channels, with disclosures rising in Q1-Q2 after launch then declining as the sanctioned-tool catalog grows?
Level 2: 1. Is there a scenario library of ≥30 anonymized real endpoint AI intake cases powering practitioner training across the org's in-scope archetypes, with paired calibration exercises showing Critical-tier drift ≤1 tier step and ≤1 TTP misclassification per sample for two consecutive quarters? 2. Have channel-specific practitioner tracks (developer-endpoint AI, customer-support AI, mobile AI, edge AI) been delivered to ≥1 practitioner per Critical/High-tier asset in each applicable channel, with team-level training coverage tracked in the SM-Endpoints inventory? 3. Are shadow-AI-on-endpoints campaigns running on a seasonal, behavior-driven cadence with pre-set behavior targets and post-campaign measurement, and is ≥70% of campaigns hitting their target, and is ≥80% of training content updated in the last 90 days?
Level 3: 1. Has the practitioner curriculum, anonymized scenario library, and reviewer rubric been published externally (CSA AI Safety Initiative, OWASP MASVS, OASIS, or sector ISAC) with documented adoption, citations, forks, or direct acknowledgment, and do contributions loop back into internal content within 30 days? 2. Is a monthly live calibration cadence operating (anonymized endpoint AI intake from the live queue, independent reviewer scoring, drift reported to sponsor), with calibration results feeding the scenario library within 30 days, and do ≥50% of Critical-tier endpoint AI reviewers hold an external AI-assurance or endpoint-AI credential where one exists? 3. Does the program contribute ≥2 substantive artifacts per year to industry endpoint AI certification or curriculum working groups, and ≥1 MITRE ATLAS TTP contribution or confirmation per year where novel endpoint AI observations exist?
Document Version: HAIAMM v3.0 Practice: Education & Guidance (EG) Domain: Endpoints Last Updated: 2026-05-14 Author: Verifhai
☑ Interactive Self-Assessment
Answer each question based on your current, implemented practices only. Progress saves automatically in your browser.