Threat Assessment (TA)
Data Domain - HAIAMM v3.0
Quick-Load Slice (L1 essentials)
If you are constructing a per-intake snapshot and need only L1 essentials, load this section plus the per-archetype block(s) that apply to your asset.
L1 archetype list
- Training corpus / training dataset
- Inference input stream
- Retrieval store
- Prompt/completion log corpus
- Embedding store
- Fine-tuning dataset
- Evaluation / test set
L1 snapshot template
- Archetype(s) applied, list with one-line rationale per archetype.
- Asset-specific deltas, classification tier, lineage/provenance, volume, cross-border flows + transfer mechanism, decision-affecting use, DSAR exposure.
- Top-5 threats, table with: threat, HAI TTP (EA/AGH/TM/RA), ATLAS tactic, ATLAS technique (AML.T###), OWASP LLM 2025 ref, compliance ref, severity, control status.
- ATLAS tactic walk, TA0001 through TA0014 plus TA0040; mark applicable techniques or excluded-with-rationale.
- Compliance linkage, GDPR / EU AI Act / ISO 42001 articles per activating threat.
- Hand-off bullets, SR, SA, ST, ML, IM.
- Library gap candidates, threats observed but not in the library.
L1 tag schema (every threat must carry all five)
HAI TTP + ATLAS tactic + ATLAS technique (where applicable) + OWASP LLM 2025 + compliance article.
L1 expiry triggers
New data source, classification change, pipeline scope change, material volume change; otherwise 12 months.
Practice Overview
Objective: Build and maintain a reusable threat library for the data flowing into and out of AI/HAI systems, one archetype-level threat model per data-asset type, so every data asset entering or produced by an AI system carries a documented threat view before it is ingested, routed, logged, or published.
Description: TA-Data catalogs the threats specific to AI/HAI data assets the organization ingests, processes, stores, or emits, not generic database or data-lake threats, but the failure modes specific to AI's fuel and exhaust. At L1 the library covers one threat model per data archetype (training corpus, inference input stream, retrieval store, prompt/completion log corpus, embedding store, fine-tuning dataset, evaluation/test set) mapped to HAIAMM's HAI-specific TTPs (EA, AGH, TM, RA), to MITRE ATLAS tactics (TA0001–TA0014) and data-specific techniques (AML.T0019, AML.T0020, AML.T0024, AML.T0025, AML.T0010, AML.T0029, AML.T0048), and to the OWASP LLM Top 10 (2025). Each data asset registered in SM's inventory generates a threat snapshot by pulling the archetype model and adding asset-specific deltas. L2 layers per-asset deep models for Critical-tier data assets and red-teams the library quarterly. L3 contributes discovered TTPs back to MITRE ATLAS, AVID, and OWASP.
Context: Classic data-security threat modeling was not designed to enumerate AI-specific failure modes, training-data poisoning that degrades model behavior, embedding inversion that reconstructs source text from vector representations, indirect prompt injection delivered through a retrieved document, eval-set contamination that invalidates safety benchmarks. These are first-party data risks owned by the teams that ingest, curate, and serve the data that feeds AI systems. TA-Data closes the gap by making data-asset-specific threats a first-class library that threat modelers pull from at every intake, tied to ATLAS tactic IDs so the walk from attacker capability to data asset exposure is concrete.
Maturity Level 1
Objective: Build the AI/HAI data archetype threat library, integrate a threat snapshot into every data-asset intake, and ensure every data asset's threat surface is documented before it enters an AI pipeline
At this level, every threat modeler and data engineer reviewing a new data asset for AI system use has a reusable, archetype-keyed library that maps AI/HAI data failure modes to HAI TTPs and ATLAS tactics. No data asset enters a training, retrieval, inference, or logging pipeline without a documented threat view.
Dependencies
- SM-Data L1 (required): the data asset inventory defines which archetypes exist and which assets need threat models; without it, TA operates on guesswork about scope.
- PC-Data L1 (required): the priority compliance map identifies which regulatory obligations (GDPR Arts. 6, 9, 22, 28, 32, 44–49; EU AI Act Art. 10 training data; ISO/IEC 42001) must be reflected in the threat library.
- EG-Data L1 (required for reviewer activity): reviewers must recognize AI/HAI-specific data archetypes and TTPs before they can produce a credible snapshot.
- Supports / unblocks: SR-Data L1 (requirements derive from archetype threats), SA-Data L1 (reference patterns address archetype threat surfaces), ST-Data L1 (test battery targets archetype threats), ML-Data L1 (detections prioritized from threat library), IM-Data L1 (incident classifications derive from the threat library).
Desired Outcomes
- Every AI/HAI data asset reaching SM intake gets a threat snapshot within one business day, pulled from the archetype library and adapted to the specific asset's classification, lineage, volume, cross-border flows, and decision-affecting use.
- HAIAMM's HAI-specific TTPs, EA (Excessive Agency), AGH (Agent Goal Hijack), TM (Tool Misuse), RA (Rogue Agents), are tagged to each archetype's threats; reviewers can explain the tag and its data-specific implications.
- MITRE ATLAS tactics (TA0001 Reconnaissance through TA0014 Impact) are walked for each archetype at intake; a tactic with no relevant technique is an explicit exclusion, not a gap.
- The threat library is versioned, owned, and refreshed on a documented cadence, it does not rot as new AI data-attack research emerges.
- Downstream practices (SR, SA, ST, ML, IM) inherit the library rather than re-deriving threats per asset.
Activities
A) Build the AI/HAI data archetype threat library
Author one threat model per AI/HAI data archetype. Each archetype model is concise (target ≤2 pages), explicitly scoped to data assets that flow into or out of AI/HAI systems, and maps threats to HAI TTPs, ATLAS tactic IDs and technique IDs, OWASP LLM Top 10 (2025) references, and the PC-Data priority compliance map.
Archetypes to cover at L1 (from SM-Data's inventory schema):
- Training corpus / training dataset, curated data used to train or pre-train a model; may contain text, images, structured records, or mixed-modal content.
- Inference input stream, real-time or batch data submitted to an AI model as prompt, context, or feature vector; includes user-provided content, API call payloads, and automated pipeline inputs.
- Retrieval store, a corpus (vector store, document index, database) from which content is retrieved and injected into an AI prompt or context window; the substrate for RAG patterns.
- Prompt/completion log corpus, retained records of prompt and completion events produced by an inference endpoint; may also include tool-call arguments and return values.
- Embedding store, a vector index of embeddings derived from source content; used for similarity search, retrieval, and classification tasks.
- Fine-tuning dataset, a labeled or curated dataset used to adapt a pre-trained model to a specific task or domain.
- Evaluation / test set, labeled examples and scoring corpora used to measure model quality, safety, and alignment; critical for model promotion gates.
Per-archetype threat content (minimum):
Training corpus / fine-tuning dataset: - AML.T0020 Poison Training Data, adversarial examples inserted into the corpus to degrade accuracy, backdoor the model, or flip labels on safety-critical classes. Severity: Critical. HAI-TTP: RA (model behavior drifts from intended goal). - AML.T0019 Publish Poisoned Datasets, upstream public datasets (Hugging Face, Common Crawl derivatives, domain-specific corpora) intentionally adulterated before publication. HAI-TTP: RA. ATLAS: TA0002 Resource Development. - AML.T0010 ML Supply Chain Compromise, compromise of the data pipeline (ingestion scripts, labeling vendor, annotation platform) to inject hostile examples at curation time. HAI-TTP: RA. ATLAS: TA0003 Initial Access. - Unconsented data inclusion, personal data included in training outside its original consent scope or without a documented GDPR Art. 6 lawful basis; triggers DSAR obligations and potential Art. 17 deletion duty. Compliance: GDPR Arts. 6, 9, 17. - Regulated-data leakage at training time, model memorizes and can regurgitate regulated data (PII, PHI, financial account data) from the training corpus; extractable via targeted generation queries. ATLAS: TA0011 Exfiltration; OWASP LLM: LLM06 Sensitive Information Disclosure. - Label-flip attacks, targeted manipulation of a subset of training labels (e.g., labeling toxic content as benign) to corrupt model safety behavior. HAI-TTP: RA. ATLAS: TA0040 ML Attack Staging. - Backdoor-trigger insertion, a trigger pattern embedded in training data causes specific misbehavior when the trigger appears in inference inputs. ATLAS: TA0005 Persistence; AML.T0020.
Inference input stream: - Direct prompt injection, user-supplied prompt overrides system instructions or safety guardrails; drives policy-violating output or information disclosure. HAI-TTP: AGH. ATLAS: AML.T0051 LLM Prompt Injection; TA0003 Initial Access. OWASP LLM: LLM01. - Abuse / denial-of-inference, high-volume or specially crafted inference requests exhaust API quota, GPU capacity, or rate limits. ATLAS: TA0014 Impact. OWASP LLM: LLM10 Unbounded Consumption. - Regulated-data leakage to vendor LLMs via prompts, users or automated pipelines submit confidential, PII, or PHI content to vendor-hosted LLM APIs; data crosses an organizational boundary without a documented lawful basis or transfer mechanism. Compliance: GDPR Arts. 28, 44–49. - Sensitive-information disclosure via prompts, crafted prompts extract system-prompt content, internal knowledge, or other user's context from the model. ATLAS: TA0009 Discovery; TA0010 Collection. OWASP LLM: LLM07 System Prompt Leakage.
Retrieval store: - Retrieval poisoning, attacker inserts a hostile document into the indexed corpus; on retrieval the injected content reaches the model as context. HAI-TTP: AGH. ATLAS: AML.T0020; TA0006 Persistence. - Retrieval extraction / corpus exfiltration, crafted queries systematically retrieve corpus content, reconstructing confidential documents that the query issuer should not access. ATLAS: AML.T0024 Exfiltration via ML Inference API; TA0010 Collection. - Classification-label bypass, per-source classification metadata is missing or ignored at retrieval time; queries return confidential or regulated content to lower-privilege consumers. Compliance: GDPR Art. 32. - Indirect prompt injection via retrieved content (AGH), a document in the retrieval store contains embedded instructions that the model executes when retrieved into the context window. HAI-TTP: AGH. ATLAS: AML.T0051; TA0003. OWASP LLM: LLM01 (indirect).
Prompt/completion log corpus: - Retention-policy violation, prompt/completion logs retained beyond the period needed, or retained without a lawful basis; creates cumulative exposure of user personal data. Compliance: GDPR Art. 5(1)(e). - Regulated-data persistence in logs, PII, PHI, or financial data submitted in prompts or returned in completions is retained unredacted in log storage. Compliance: GDPR Arts. 32, 35. - Unauthorized log export, log corpus exported for analysis, training, or model improvement without consent verification or lawful basis; triggers Art. 6 re-use conditions. ATLAS: AML.T0025 Exfiltration via Cyber Means; TA0011. - Log-mining for training without consent, prompt/completion logs used as fine-tuning data without verifying the original consent basis covers that secondary use. Compliance: GDPR Art. 6; EU AI Act Art. 10.
Embedding store: - Embedding inversion, vector embeddings are inverted or approximately reconstructed to recover the source text; particularly effective for short or repetitive content. ATLAS: AML.T0024; TA0010 Collection. Severity: High. - Nearest-neighbor extraction, systematic similarity queries enumerate corpus content item by item; effectively exfiltrates the indexed corpus. ATLAS: AML.T0024; TA0010. HAI-TTP: TM (tool used for extraction beyond intended purpose). - Retrieval poisoning at the embedding layer, malicious content is embedded and indexed so its embedding is proximate to legitimate query embeddings; retrieval surfaces the hostile content reliably. HAI-TTP: AGH. ATLAS: AML.T0020.
Evaluation / test set: - Eval contamination, test-set examples leak into training or fine-tuning data; benchmark scores no longer reflect real-world generalization; safety benchmarks become invalid. ATLAS: TA0040 ML Attack Staging; AML.T0048 (if adversarial contamination). - Eval gaming, the model is selectively optimized against the specific test set rather than the capability it represents; evaluation scores inflate while real-world performance degrades. HAI-TTP: RA. ATLAS: TA0008 Defense Evasion. - Eval suppression, test-set runs are skipped or results are not surfaced to promotion gates; models with degraded safety or accuracy properties are promoted without evidence. ATLAS: TA0008.
ATLAS tactic walk per archetype: For each archetype, walk the full ATLAS tactic sequence and document which techniques apply and which are excluded with rationale: - TA0001 Reconnaissance, adversary identifies dataset sources, retrieval endpoints, embedding store interfaces, log export mechanisms. - TA0002 Resource Development, staging poisoned datasets (AML.T0019), crafting adversarial fine-tuning corpora. - TA0003 Initial Access, prompt injection (AML.T0051) as primary initial access for inference inputs and retrieval stores; supply-chain compromise (AML.T0010) for training and fine-tuning datasets. - TA0004 Execution, query execution against retrieval or embedding store; inference endpoint invocation with adversarial inputs. - TA0005 Persistence, backdoor in training corpus (AML.T0020) surviving model promotion; poisoned document in retrieval store persisting across index refreshes. - TA0006 Privilege Escalation, classification-label bypass enabling cross-tenant retrieval; RBAC gap on log corpus enabling unauthorized export. - TA0007 Defense Evasion, obfuscated injection payloads in documents; eval gaming to evade safety promotion gates. - TA0008 Defense Evasion (ML-specific), adversarial examples designed to evade DLP over inference inputs. - TA0009 Discovery, probing retrieval store structure; enumerating log corpus schema. - TA0010 Collection, corpus exfiltration via retrieval queries (AML.T0024); embedding inversion for source reconstruction. - TA0040 ML Attack Staging, adversarial training data assembly; label-flip preparation; eval contamination. - TA0011 Exfiltration, AML.T0024 Exfiltration via ML Inference API; AML.T0025 Exfiltration via Cyber Means (log export); embedding inversion. - TA0014 Impact, model behavior degradation from poisoning; PII exposure from log exfiltration; safety benchmark invalidation from eval contamination.
Compliance linkage per archetype: tag each threat to the PC-Data priority compliance item it activates, GDPR Arts. 6, 9, 17, 22, 28, 32, 35, 44–49; EU AI Act Arts. 10, 26; ISO/IEC 42001 AIMS data controls.
Owner: named TA-Data library steward; cadence: reviewed quarterly; versioned in a single location linked from the SM inventory record for every data asset.
B) Produce a per-intake threat snapshot for every SM data-asset registration
Bind TA into the SM intake flow, every new data-asset registration emits a threat snapshot before the asset is approved for use in an AI pipeline.
Snapshot contents (designed to fit one screen):
- Which archetype(s) apply (an asset may be composite, e.g., prompt/completion logs repurposed as fine-tuning data are both prompt/completion log corpus and fine-tuning dataset).
- Asset-specific deltas over the archetype model: data classification tier (Critical / High / Medium / Low); lineage and provenance status; volume and criticality; cross-border flows and applicable transfer mechanisms; decision-affecting use; subject-access-rights exposure.
- Top-5 threats for this asset, each with: HAI TTP tag, ATLAS tactic ID and technique ID where applicable, OWASP reference, and compliance linkage.
- Controls already evident from the existing pipeline or architecture vs. gaps for SR/SA follow-up.
- Reviewer, date, expiry (re-snapshot on new data source, classification change, pipeline scope change, or material volume change).
Time target: ≤1 business day per intake with the library available.
C) Author the shadow-data-for-AI threat view
Unsanctioned data-sharing with AI services, developers pasting production data into consumer GenAI tools, automated pipelines routing regulated data to vendor LLMs without a DPA, has its own threat surface distinct from sanctioned data assets. Author a standalone shadow-data-for-AI threat document covering:
- Entry vectors: developers submitting production PII to consumer GenAI; automated pipelines calling LLM APIs without no-train verification; canary-tagged datasets flowing to unapproved retrieval stores; prompt/completion logs exported for analysis without consent review.
- Elevated threats for shadow data: no threat snapshot; no SR requirements; no transfer mechanism documented; no data processor agreement in place; GDPR Art. 28 obligations unmet.
- Specific failure modes: regulated PII reaching a vendor LLM with training enabled; health data submitted without Art. 9 special-category condition documented; customer data flowing cross-border without an adequacy decision or SCC in place.
- Detections available at L1: DLP signals on outbound calls to AI provider domains; egress telemetry for LLM API calls from data pipeline infrastructure; canary-document detection in external AI completions.
Output: a "Shadow Data for AI, Threat View" one-pager reviewed by the program sponsor and feeding the ML-Data detection backlog and the IM-Data triage playbook.
Outcome Metrics (L1)
| Metric | Baseline | L1 Target | Source |
|---|---|---|---|
| % of AI/HAI data assets in SM inventory with a current-year threat snapshot | measure | 100% for approved assets; ≥90% for all | Inventory × TA snapshot artifacts |
| Archetype coverage (data archetypes with a published threat model) | 0 / 7 | 7 / 7 | TA library |
| Median snapshot turnaround from SM intake to threat snapshot delivery | measure | ≤1 business day | Intake telemetry |
| % of snapshot top-5 threats tagged to a HAI TTP and an ATLAS tactic or technique ID | measure | 100% | TA snapshot metadata |
| Shadow-data-for-AI threat view published and reviewed in last 12 months | n/a | Yes | Document registry |
Process Metrics (leading)
- Threat library review cadence, quarterly archetype refresh recorded; no quarter with zero updates.
- New-archetype lead time, from "first intake in new data category" to "archetype model published" ≤30 days.
- Snapshot-to-SR linkage, % of snapshots whose top-5 threats are referenced by at least one downstream SR-Data requirement.
- Library steward named and active, single owner, not a committee.
Effectiveness Metrics (business value)
- Threats that converted to prevented pipeline issues, documented cases where a snapshot-identified threat caused a control to be added before the asset entered an AI pipeline (e.g., consent verification added after fine-tuning dataset snapshot flagged unconsented data; retrieval-source classification added after retrieval-store snapshot flagged label bypass).
- Downstream reuse, SR, SA, ST artifacts cite snapshot threats in ≥80% of cases rather than re-deriving independently.
- Regulatory readiness, snapshot threat-and-compliance linkage answers GDPR Art. 30 record-of-processing questions without re-collection.
Success Criteria
- Seven archetype threat models published (training corpus, inference input stream, retrieval store, prompt/completion log corpus, embedding store, fine-tuning dataset, evaluation/test set), each tagged to HAI TTPs, ATLAS tactic IDs and technique IDs (AML.T0019, T0020, T0024, T0025, T0010 where applicable), OWASP LLM Top 10 (2025) references, and the PC-Data priority compliance map.
- Threat snapshot gate live in the SM intake flow, 100% of newly approved AI/HAI data assets in the last 90 days have a snapshot attached.
- Shadow-data-for-AI threat view published, reviewed by the program sponsor, and feeding the ML-Data detection backlog.
- Named library steward and quarterly refresh cadence operating.
- ≥90% of active AI/HAI data assets in the inventory carry a current-year snapshot.
Maturity Level 2
Objective: Layer per-asset deep threat models for Critical-tier data assets, integrate external AI-data-attack threat intelligence, and red-team the threat library quarterly against novel real-world attack patterns
At this level, threat assessment stops being "snapshot plus go" for high-stakes data assets. Critical-tier data assets (per SM L2's risk-tier rubric for data, classification, lineage, volume/criticality, cross-border flows, decision-affecting use, subject-access-rights exposure) receive full per-asset deep threat models with adversarial-ML overlays. External threat intel (MITRE ATLAS updates, AVID submissions, OWASP LLM revisions, academic adversarial-ML research) is wired in and triaged quarterly. The library is stress-tested by running a quarterly red-team probe against real in-scope data pipelines to surface what the library catches and what it misses.
Dependencies
- TA-Data L1 (required): archetype threat library and per-intake snapshot gate.
- SM-Data L2 (required): the risk-tier rubric determines where per-asset deep modeling is required (Critical) vs. archetype-only (Medium/Low).
- ST-Data L2 (required for red-team-the-library activity): the red-team capability to probe real data pipelines comes from ST.
- Supports / unblocks: SR-Data L2 (per-tier threat depth drives per-tier requirements), SA-Data L2 (threat depth drives pattern complexity), DR-Data L2 (scenario-based design reviews need per-asset models), ML-Data L2 (detections tuned to per-asset threats).
Desired Outcomes
- Every Critical-tier data asset has a current-year per-asset deep threat model, not a recycled archetype snapshot.
- High-tier data assets receive archetype snapshot plus asset-specific deltas and an ATLAS full tactic walk; no High-tier asset on archetype-only.
- External AI-data-attack threat intel is routinely consumed and reflected in the library; the library is not frozen at publication time.
- The library is proved against reality, quarterly red-team exercises show what it catches and misses; gaps are closed with owners and expiry dates.
- Per-tier threat-assessment depth is visibly differentiated, matching the SM L2 tier-treatment matrix for data assets.
Activities
A) Per-asset deep threat modeling for Critical-tier data assets
For every Critical-tier data asset in the SM inventory, produce a full per-asset threat model covering:
- Attack trees beyond the archetype snapshot: asset-specific lineage and provenance chain with each link's compromise surface; specific regulatory data classes present with exposure consequence analysis; specific cross-border flows with transfer-mechanism gaps; specific downstream AI systems that consume the asset and the blast radius of each threat.
- Abuse-case catalog: named adversary archetypes (external attacker, malicious insider, compromised data vendor, compromised annotation/labeling platform, upstream supply-chain compromise) with concrete attack narratives for this specific data asset.
- Compliance-duty mapping: GDPR Art. 32 security requirements, Art. 35 DPIA triggers, EU AI Act Art. 10 training-data requirements, and sector obligations mapped to the threat-control chain specific to this asset.
- ATLAS full tactic walk for the asset: all 14 ATLAS tactics enumerated; techniques selected from the AI-Attack-Taxonomy for this specific archetype, data classes, and pipeline position; exclusions explicit with rationale.
- Refresh cadence: Critical semi-annual plus change-driven (new data source, classification change, pipeline scope change, material volume change); High annual plus change-driven.
B) External AI-data-attack threat intelligence integration
Subscribe to and operationalize: - MITRE ATLAS updates, new technique additions (especially data-attack techniques: AML.T0019, T0020, T0024, T0025, T0010, and any new data-specific entries). - AVID (AI Vulnerability Database), new entries for data-attack techniques relevant to the org's data archetypes. - OWASP LLM Top 10 and Agentic Top 10 revisions, new items addressing data handling, prompt leakage, and training-data risks. - Academic adversarial-ML venues, early signal on novel embedding inversion, membership inference, and corpus poisoning attack classes. - Sector ISAC AI working groups, operationally-observed data-attack patterns relevant to the org's industry.
Quarterly triage cadence: which new intel items change the archetype library, change per-asset models, or change the SR or ST artifacts that depend on the library. Changes are change-logged; reviewed by the library steward and the IM backlog owner.
C) Red-team the threat library itself
Each quarter, ST-Data runs an adversarial probe against an in-scope AI/HAI data pipeline using ONLY the threat scenarios documented in the library for that archetype. Threats the red-team exercise identifies that are NOT in the library are library gaps, not passing findings.
Gap closure is a governance activity: every gap becomes a ticket with a named owner and an expiry date; Critical-tier gaps close within 30 days; High-tier gaps within 60 days. The gap rate per quarter trends down as the library matures.
Outcome Metrics (L2)
| Metric | Baseline | L2 Target | Source |
|---|---|---|---|
| % Critical-tier data assets with current-year per-asset deep threat model | measure | 100% | TA library × SM inventory |
| % High-tier data assets with archetype snapshot + asset-specific deltas + ATLAS tactic walk | measure | ≥90% | TA library × SM inventory |
| External intel triage cadence met (quarterly) | measure | 4 / year | Intel triage log |
| Library gaps discovered per quarter (red-team exercises) | measure | tracked; trending down | Red-team library exercise output |
| Threat-library change lead time from intel signal to library update | measure | ≤30 days for Critical-impact items | Intel → library telemetry |
Process Metrics (leading)
- Library change-log cadence, no quarter with zero changes.
- Per-asset deep model age, no Critical model older than 180 days; no High model with archetype snapshot alone.
- Red-team-the-library exercise cadence, at least quarterly; exercise artifact on file.
- Gap closure SLA tracked; no Critical gap open past 30 days.
Effectiveness Metrics (business value)
- Incidents caught by pre-existing library entries vs. library gaps, ratio trends toward pre-existing over time.
- Downstream reuse at tier, SR, SA, DR, ST artifacts for Critical-tier assets cite per-asset threats in ≥80% of cases rather than generic archetype content.
- Library becomes a named internal resource, data engineering and MLOps teams consult it before adding new data sources to AI pipelines, reducing DR send-backs.
Success Criteria
- Per-asset deep threat models live for 100% of Critical-tier and ≥90% of High-tier data assets, with refresh cadence met.
- External threat intel integrated with quarterly triage and documented change-log.
- Quarterly red-team-the-library exercise operating; gaps closed with named owners and expiry dates.
- Intel-to-library update lead time ≤30 days on Critical-impact items.
Maturity Level 3
Objective: Automate threat-library maintenance from telemetry and external feeds, and contribute discovered AI/HAI data-attack TTPs back to MITRE ATLAS, AVID, and OWASP
At this level, the threat library is self-updating. Telemetry from ML-Data detections and incident patterns from IM-Data, combined with external signal feeds (ATLAS, AVID, OWASP revision pipelines), auto-propose library updates; human curators review and approve. The program contributes emerging first-party-observed TTPs, data-attack patterns discovered in own-operated AI data pipelines, to MITRE ATLAS, AVID, and OWASP, making the org a net contributor to the industry's AI data-threat knowledge base.
Dependencies
- TA-Data L2 (required): per-asset models and external intel integration must be operational before automation is trustworthy.
- ML-Data L2+ (required): detection telemetry that proposes library updates comes from the monitoring pipeline.
- IM-Data L2+ (required): incident pattern data feeds update proposals for threat actors, TTPs, and impact scenarios.
Desired Outcomes
- Library staleness is measured in weeks, not quarters, material new data-attack patterns reach the library within 14 days of first observation in external feeds or internal telemetry.
- Program-sourced TTPs appear in MITRE ATLAS, AVID, and OWASP LLM revisions, the org is cited as a practitioner contributor.
- External threat-landscape shifts are reflected in the library before most peers who lack an automated signal pipeline.
- The org becomes a trusted node in AI-data-security threat sharing (sector ISACs, ATLAS practitioner network, OWASP working groups).
Activities
A) Telemetry-driven library updates
Wire the following signal sources into an auto-proposal pipeline: - ML-Data detections, alert patterns that do not map to any existing library entry are surfaced as candidate new threats. - IM-Data incident records, post-incident review records generate structured threat updates; the incident's ATLAS tactic walk is auto-ingested. - External feeds, ATLAS technique additions, AVID new entries, OWASP LLM/Agentic revision drafts, sector-ISAC AI-specific advisories. - Academic publication scanning, weekly digest of adversarial-ML and privacy-attack papers; new attack classes auto-tagged for human curator review.
Human curators approve, reject, or defer each auto-proposal. Change-log is machine-readable; downstream SR, SA, ST artifacts subscribe to the change feed and receive update-required notifications when a threat they reference changes.
B) Industry contribution
Contribute to: - MITRE ATLAS, new techniques observed in own-operated AI data pipelines (novel corpus poisoning mechanics, new embedding inversion approaches, supply-chain compromise patterns specific to dataset curation tools); submissions follow ATLAS evidence-and-provenance requirements. - OWASP LLM Top 10 / Agentic Top 10, substantive comments and real-world telemetry evidence submitted during revision cycles; focus on data-handling, training-data, and retrieval-store entries. - AVID, structured disclosure submissions for newly discovered vulnerabilities in data pipeline components or upstream data sources (coordinated disclosure where third-party components are involved). - NIST AI RMF Playbook successor editions, practitioner input grounded in program experience with data-domain threat modeling.
Target: minimum 4 substantive contributions per year; quality-graded and legally vetted before submission; every contribution anonymized.
C) Shared threat-model artifacts
Publish anonymized data archetype threat models (scrubbed of org-specific data source names and classification details) under a permissive license for peer-org adoption. Host or co-host at least one industry tabletop per year tied to the library (ATLAS practitioner table, OWASP AI chapter, sector ISAC AI working group).
Outcome Metrics (L3)
| Metric | Baseline | L3 Target | Source |
|---|---|---|---|
| Library change lead time from telemetry / external signal to update | measure | ≤14 days | Library telemetry |
| Industry contributions per year (MITRE ATLAS / AVID / OWASP) | 0 | ≥4 | Contribution log |
| External-recognized TTPs originating from the program | 0 | ≥2 / year | External artifact citations |
| Peer-org adoption of published archetype threat models | 0 | tracked | External telemetry |
| % of library changes auto-proposed vs. manually authored | measure | ≥60% auto-proposed | Curation telemetry |
Process Metrics (leading)
- Auto-proposal pipeline health, ≥1 actionable auto-proposal per week; staleness alert if feed silent for 7 days.
- Contribution pipeline always ≥2 in-flight (draft, in-review, or being prepared).
- External tabletop cadence, at least 1 per year.
- Library change-log machine-readable and consumed by at least one downstream practice (SR or ST) for auto-update notifications.
Effectiveness Metrics (business value)
- Program cited in industry advisories as a practitioner contributor to ATLAS / OWASP / AVID on data-attack techniques.
- Time-to-defend shrinks for library-sourced threats, controls are in place before incidents because the library leads external disclosure timelines.
- Talent signal, adversarial-ML and data-security engineering talent attracted by the program's external profile and contribution record.
Success Criteria
- Library auto-update pipeline operating with ≤14-day lead time from signal to update.
- ≥4 industry contributions per year; ≥2 recognized in external artifacts (ATLAS merge, AVID entry, OWASP revision).
- Anonymized archetype threat models published under permissive license with tracked adoption.
- Industry tabletop hosted or co-hosted in last 12 months.
Key Success Indicators
Level 1: - Seven archetype threat models published (training corpus, inference input stream, retrieval store, prompt/completion log corpus, embedding store, fine-tuning dataset, evaluation/test set), each tagged to HAI TTPs (EA/AGH/TM/RA), ATLAS tactic IDs and data-specific technique IDs (AML.T0019, T0020, T0024, T0025, T0010 where applicable), OWASP LLM Top 10 (2025) references, and the PC-Data priority compliance map. - Threat snapshot gate live in the SM intake flow, 100% of newly approved AI/HAI data assets in the last 90 days have a snapshot attached before pipeline approval is issued. - Each snapshot documents: archetype(s), asset-specific deltas (classification, lineage, cross-border flows, decision-affecting use), top-5 threats with HAI TTP tags and ATLAS tactic/technique IDs, controls evident, and gaps for SR/SA follow-up. - Shadow-data-for-AI threat view published, reviewed by the program sponsor, and linked to the ML-Data detection backlog and the IM-Data triage playbook. - Named library steward, quarterly refresh cadence, and ≥90% of active AI/HAI data assets carrying a current-year snapshot.
Level 2: - Per-asset deep threat models live for 100% of Critical-tier data assets and ≥90% of High-tier data assets, with refresh cadence (Critical semi-annual, High annual) met. - External AI-data-attack threat intel (ATLAS, AVID, OWASP LLM/Agentic, academic venues, sector ISACs) integrated with quarterly triage and a documented change-log; intel-to-library update ≤30 days for Critical-impact items. - Quarterly red-team-the-library exercise operating; every gap closed with a named owner and expiry date; Critical gaps ≤30 days, High gaps ≤60 days.
Level 3: - Library auto-update pipeline operating with ≤14-day lead time; ≥60% of changes auto-proposed; change-log machine-readable and consumed by downstream SR and ST practices. - ≥4 substantive industry contributions per year to MITRE ATLAS / AVID / OWASP LLM / Agentic Top 10, with ≥2 externally recognized. - Anonymized archetype threat models published under permissive license with tracked peer-org adoption; at least one industry tabletop hosted or co-hosted annually.
Common Pitfalls
Level 1: - ❌ Threat models catalog generic data-security risks (SQL injection, misconfigured S3 buckets) rather than AI/HAI-specific data failure modes, the library ends up covering what any data-security program addresses rather than what is unique to AI data assets. - ❌ Archetype library covers training corpora and fine-tuning datasets but omits retrieval stores, embedding stores, and prompt/completion log corpora, the three archetypes most directly exposed to indirect prompt injection and embedding inversion remain without threat models. - ❌ Threat snapshot is completed at ingestion time and never refreshed, a training corpus that gains new regulated-data classes or a retrieval store that adds new indexed sources does not trigger a re-snapshot; the snapshot drifts from the actual asset within weeks. - ❌ ATLAS tactic walk is performed for narrative completeness but no ATLAS technique IDs (AML.T0019, T0020, T0024, T0025, T0010) are assigned, the walk produces prose, not structured references that ST and IR can act on. - ❌ HAI TTPs (EA/AGH/TM/RA) are listed in the library header but not tagged per-threat, reviewers cannot triage which threats matter for a specific data archetype's failure modes. - ❌ Library steward is unnamed, "the data team owns it", so the quarterly refresh calendar item is no one's job and the library drifts from current attack research within two quarters.
Level 2: - ❌ "Per-asset deep model" is the archetype snapshot with the asset name swapped in, no asset-specific lineage analysis, no data-class exposure consequence, no cross-border flow gap enumeration; the depth is cosmetic. - ❌ External intel is subscribed but never triaged, ATLAS update notifications pile up unread; the library is frozen at L1 publication while new AML.T techniques are published. - ❌ Red-team-the-library exercise is a threat-hunting session that adds entries to a finding log but never cross-checks findings against the library, gaps are never surfaced because the comparison was never made. - ❌ Critical-tier accepted gaps from the library red-team lack owners or expiry dates, gap backlog grows without accountability. - ❌ Deep modeling stops at Critical; High-tier data assets remain on archetype-only snapshots despite carrying regulated personal data or feeding decision-affecting models.
Level 3: - ❌ Auto-proposal pipeline accepts signals without curation, false-positive detections from ML-Data pollute the library with phantom threats; downstream SR and ST artifacts generate incorrect requirements and tests. - ❌ "Contributions" to MITRE/AVID/OWASP are observer submissions (comments, conference talks) rather than technical artifacts with evidence, they appear in the contribution log but produce no substantive change. - ❌ Published anonymized archetype models are not maintained after release, external adopters build on a stale version while the internal library has advanced; the gap becomes an embarrassment when discrepancies are cited. - ❌ Telemetry-driven update loop fires on every minor pipeline configuration change, overwhelming the curation queue, data engineering teams disable telemetry to stop the noise rather than tune signal sensitivity.
Practice Maturity Questions
Level 1: 1. Are there published, versioned threat models for all seven AI/HAI data archetypes (training corpus, inference input stream, retrieval store, prompt/completion log corpus, embedding store, fine-tuning dataset, evaluation/test set), each mapping archetype-specific threats to HAI TTPs (EA/AGH/TM/RA), ATLAS tactic IDs and data-specific technique IDs (AML.T0019, T0020, T0024, T0025, T0010 where applicable), OWASP LLM Top 10 references, and PC-Data compliance items, with a named library steward and a documented quarterly refresh cadence? 2. Does every AI/HAI data asset entering the SM inventory receive a threat snapshot (delivered within one business day of intake) that documents: the applicable archetype(s), asset-specific deltas (classification, lineage, cross-border flows, decision-affecting use, subject-access-rights exposure), top-5 threats with HAI TTP tags and ATLAS tactic/technique IDs, and gaps for SR/SA follow-up, with 100% of newly approved assets carrying a snapshot in the last 90 days? 3. Is there a published shadow-data-for-AI threat view, reviewed by the program sponsor in the last 12 months, that documents entry vectors, elevated threat scenarios for unsanctioned data-sharing with AI services, and the specific detections (from SM discovery sources) used to surface them?
Level 2: 1. Does every Critical-tier AI/HAI data asset have a current-year per-asset deep threat model (not an archetype snapshot) covering asset-specific attack trees, an abuse-case catalog by adversary archetype, compliance-duty mapping, and a full ATLAS tactic walk with technique-level specificity, with a semi-annual refresh cadence and change-driven updates on new data sources, classification changes, or pipeline scope changes? 2. Is external AI-data-attack threat intel (MITRE ATLAS updates including AML.T0019/T0020/T0024/T0025/T0010, AVID, OWASP LLM Top 10 revisions, sector ISACs, academic adversarial-ML venues) integrated with a quarterly triage cadence and a documented change-log, with intel-to-library update ≤30 days on Critical-impact items? 3. Do you run a quarterly red-team-the-library exercise that probes an in-scope AI/HAI data pipeline using only library threats and surfaces misses as library gaps, with every gap carrying a named owner and an expiry date, Critical gaps closing within 30 days, and the gap rate trending down quarter over quarter?
Level 3: 1. Does the threat library auto-update from telemetry (ML-Data detections, IM-Data incidents) and external feeds (ATLAS, AVID, OWASP, academic) via a human-curated auto-proposal pipeline, with ≥60% of changes auto-proposed, a ≤14-day lead time from signal to update, and a machine-readable change-log consumed by downstream SR and ST practices? 2. Does the program contribute at least four substantive, evidence-backed technical artifacts per year to MITRE ATLAS / AVID / OWASP LLM/Agentic Top 10, with at least two externally recognized in published advisory or standard revisions? 3. Are anonymized data archetype threat models published under a permissive license with tracked peer-org adoption, and does the program host or co-host at least one industry tabletop per year (ATLAS practitioner table, OWASP AI chapter, or sector ISAC AI working group) tied to the library?
Document Version: HAIAMM v3.0 Practice: Threat Assessment (TA) Domain: Data Last Updated: 2026-05-13 Author: Verifhai
☑ Interactive Self-Assessment
Answer each question based on your current, implemented practices only. Progress saves automatically in your browser.