Assessment questionnaire for measuring maturity. Answer each question honestly based on current, implemented practices.
Source of truth:
../practices/TA-Endpoints-OnePager.md|../HAIAMM-v3.0-Framing.md§8 (HAI TTPs), §10.1 (ATLAS), §14.5 (ATLAS tactic taxonomy)
Practice: Threat Assessment (TA) Domain: Endpoints Purpose: Assess organizational maturity in building and maintaining a reusable threat library for AI/HAI-enabled endpoints and user-facing AI interfaces the organization deploys, covering all seven endpoint AI archetypes mapped to HAI TTPs, ATLAS tactics (TA0001–TA0014), OWASP LLM/Agentic Top 10, OWASP Browser-Extension Security Top 10, and OWASP MASVS, with domain-specific threats: data egress to vendor via assistant, browser extension permission abuse, multi-modal injection, SaaS-AI silent enablement, mobile local-model integrity, and edge firmware attacks Scoring Model: Evidence + Outcome Metrics (see Scoring Methodology below)
| Score | Label | Criteria |
|---|---|---|
| 1.0 | Fully Mature | All evidence items present AND ≥3 outcome metrics meet targets |
| 0.67 | Implemented | All evidence items present AND 2 outcome metrics meet targets |
| 0.33 | Partial | Evidence partially complete OR fewer than 2 metrics meet targets |
| 0.0 | Not Implemented | No substantive evidence of the activity |
Level Score = average of the three question scores at that level Practice Score = weighted average: L1 × 0.5 + L2 × 0.3 + L3 × 0.2 (L2/L3 only scored if L1 = Fully Mature)
Objective: Build the AI/HAI endpoint archetype threat library, integrate a threat snapshot into every SM intake, and ensure every endpoint AI's threat surface is documented before deployment approval.
Q1.1: Does the organization have a published, versioned threat library containing one threat model per endpoint AI archetype, covering all seven archetypes (AI assistant/copilot on managed endpoint, browser-based AI tool, chatbot/conversational UI, multi-modal AI interface, AI-augmented productivity/SaaS-AI, mobile AI app, edge AI device), with each archetype's threats tagged to HAI TTPs (EA/AGH/TM/RA), ATLAS tactic IDs (TA0001–TA0014), applicable OWASP references (LLM/Agentic Top 10, MASVS, Browser-Extension Top 10), and the PC-Endpoints priority compliance map, owned by a named library steward with a documented quarterly refresh cadence?
Evidence Required: - [ ] Threat library document exists, is versioned, and names a single library steward responsible for quarterly refresh - [ ] All seven archetype models published: AI assistant/copilot on managed endpoint, browser-based AI tool, chatbot/conversational UI, multi-modal AI interface, AI-augmented productivity (SaaS-AI), mobile AI app, edge AI device - [ ] AI assistant/copilot archetype covers: confidential-data egress to vendor (EA/TA0011/AML.T0024/GDPR Arts. 28/44–49), prompt injection via opened files or browser content (AGH/AML.T0051/LLM01/TA0003), AGH via tool-using assistant manipulating local files (AGH+EA/TA0004/TA0007/LLM06), TM via assistant invoking endpoint tools maliciously (TM/TA0004/TA0006/LLM06); full ATLAS tactic walk TA0001/TA0003/TA0004/TA0006/TA0007/TA0008/TA0011/TA0014 - [ ] Browser-based AI tool archetype covers: extension permission abuse via all_urls host permission (EA/TA0009/TA0010/OWASP Browser-Extension Top 10), DOM injection via AI extension (TM/TA0004), data egress via extension to vendor (EA/TA0011), AGH via tainted page content (AGH/AML.T0051/TA0003); full ATLAS tactic walk TA0001/TA0002/TA0003/TA0004/TA0009/TA0010/TA0011/TA0014 - [ ] Chatbot/conversational UI archetype covers: prompt injection from user input (AGH/AML.T0051/LLM01/TA0003), jailbreak (TA0007/TA0008), data exfiltration via crafted prompts (AGH+TM/TA0009/TA0010/LLM07), Art. 50 disclosure suppression (EU AI Act Art. 50), brand-impact prompts (TA0014) - [ ] Multi-modal AI interface archetype covers: image/voice prompt injection (AGH/AML.T0051 multimodal variant/TA0003), steganography in images (TA0008), audio-channel injection (TA0003/TA0008), deepfake-content acceptance (RA/TA0040), biometric-input abuse (GDPR Art. 9/EU AI Act Art. 50) - [ ] SaaS-AI on endpoint archetype covers: silent feature-enablement inheriting full SaaS data scope (EA/TA0006), data scope inheritance enabling regulated data exposure (GDPR Arts. 6/28/EU AI Act Art. 26), regulated-data flow into vendor model (TA0011/AML.T0024) - [ ] Mobile AI app archetype covers: local-model integrity attacks via sideload/rooted device/OTA without cryptographic verification (RA/TA0005/TA0040), over-broad permissions for sensors (EA/TA0010/OWASP MASVS), mobile-specific exfiltration vectors (TA0011/MASVS), biometric/MFA bypass via AI image generation (TA0007/TA0040) - [ ] Edge AI device archetype covers: on-device model integrity via firmware attack or model swap (RA/TA0005/AML.T0010), physical-access attacks and debug interface extraction (TA0010), sensor-input injection (AGH/TA0040/TA0003), uplink data exfiltration (TA0011/TA0008); full ATLAS tactic walk TA0001/TA0002/TA0003/TA0005/TA0007/TA0008/TA0010/TA0011/TA0014 - [ ] Compliance linkage per archetype: EU AI Act Art. 50 (all customer-facing chatbots and conversational UIs), EU AI Act Art. 26 (deployer duties for high-risk uses), GDPR Arts. 6/9/22/28/44–49
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | % of endpoint AI deployments in SM inventory with a current-year threat snapshot | measure | % | 100% for Sanctioned; ≥90% for all | ☐ | | | Archetype coverage (endpoint archetypes with a published threat model) | 0 / 7 | ___ / 7 | 7 / 7 | ☐ | | | Median snapshot turnaround from SM intake to threat snapshot delivery | measure | ___ | ≤1 business day | ☐ | | | % of snapshot top-5 threats tagged to a HAI TTP and an ATLAS tactic ID | measure | % | 100% | ☐ | |
Metric Collection Guidance: - Snapshot coverage: Count endpoint AI deployments in SM inventory with a TA snapshot dated within the current calendar year divided by total active deployments. Source: SM inventory × TA snapshot registry - Archetype coverage: Count distinct published archetype models for the seven endpoint AI archetypes. Target is 7/7 before intake gates go live - Snapshot turnaround: Median elapsed time from SM endpoint AI intake registration to threat snapshot delivery. Source: intake workflow telemetry - TTP/tactic tagging rate: For each snapshot, confirm top-5 threats each carry both a HAI TTP tag and an ATLAS tactic ID. For mobile apps, also confirm OWASP MASVS reference; for browser extensions, OWASP Browser-Extension Top 10 reference. Source: snapshot metadata fields
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No evidence of endpoint AI archetype threat library)
Evidence Location: _____ Validation Date: ____ Notes: ______
Q2.1: Is a threat snapshot produced for every endpoint AI deployment registering in the SM inventory, delivered within one business day of intake for Sanctioned deployments, documenting the applicable archetype(s), deployment-specific deltas (SM-Endpoints tier, specific tool list or sensor access, data classes accessible, customer-data egress potential, user population, Art. 50 disclosure obligation), top-5 threats with HAI TTP tags, ATLAS tactic IDs, OWASP references, and compliance linkage, with 100% of newly Sanctioned deployments in the last 90 days carrying a snapshot before Sanctioned status is issued?
Evidence Required: - [ ] Snapshot gate is bound to the SM endpoint AI intake flow: Sanctioned status cannot be issued without a snapshot attached - [ ] Snapshot template includes: archetype(s), deployment-specific deltas (tier, tool list/sensor access, data classes accessible, customer-data egress potential, user population, Art. 50 disclosure obligation), top-5 threats with HAI TTP tags, ATLAS tactic IDs, OWASP references, compliance linkage, controls evident, gaps - [ ] Deployment-specific deltas populated per snapshot, reviewers adapt archetype content; tool list, permission scope, and data classes accessible are specifically documented - [ ] Composite archetype tagging supported: a deployment may be both AI-augmented productivity and browser-based AI tool; composite tagging is reflected in the snapshot - [ ] Snapshot expiry rules documented: re-snapshot triggers include new tool addition, permission scope change, model swap, data class change, user population expansion - [ ] 100% of newly Sanctioned endpoint AI deployments in the last 90 days have a snapshot attached (sample audit evidence on file) - [ ] ≥90% of all active deployments in the SM inventory carry a current-year snapshot
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | % of endpoint AI deployments in SM inventory with a current-year threat snapshot | measure | % | 100% for Sanctioned; ≥90% for all | ☐ | | | Median snapshot turnaround from SM intake to threat snapshot delivery | measure | ___ | ≤1 business day | ☐ | | | % of snapshot top-5 threats tagged to a HAI TTP and an ATLAS tactic ID | measure | % | 100% | ☐ | | | Snapshot-to-SR linkage rate (snapshots whose top-5 threats referenced by ≥1 SR-Endpoints requirement) | measure | ___% | ≥80% | ☐ | |
Metric Collection Guidance: - Snapshot coverage: Same measurement as Q1, current-year snapshots divided by active endpoint AI deployments - Turnaround: Median time from SM intake open to snapshot delivered; measure weekly - Tagging rate: Per-snapshot check, each of the top-5 threats must have TTP and ATLAS tactic ID fields populated; OWASP MASVS or Browser-Extension reference required for mobile and browser archetypes - SR linkage: After SR-Endpoints L1 is operational, cross-reference snapshot threat IDs against SR-Endpoints requirements. Track % of snapshots with ≥1 SR-Endpoints cross-reference
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No snapshot gate in SM endpoint AI intake)
Evidence Location: _____ Validation Date: ____ Notes: ______
Q3.1: Is there a published shadow-endpoint-AI threat view, reviewed by the program sponsor within the last 12 months, that documents entry vectors for unsanctioned endpoint AI (employees self-installing AI browser extensions with all_urls permissions, SaaS-AI features silently enabled by workspace admins, AI assistant apps on BYOD devices accessing org email, edge AI kiosks deployed without IT involvement), elevated threats for shadow deployments (no snapshot, no SR requirements pack, no no-train assertion verified, Art. 50 disclosure unreviewed, regulated data flowing without DPA), specific failure modes, and the L1 detections available (MDM/UEM telemetry, network egress monitoring, SaaS-admin audit logs, endpoint DLP alerts)?
Evidence Required: - [ ] "Shadow Endpoint AI, Threat View" document exists, is dated, and names the reviewer (program sponsor or delegate) - [ ] Document covers entry vectors: employees self-installing AI browser extensions with all_urls permissions on managed endpoints; SaaS-AI features silently enabled by workspace admins without security review; AI assistant apps installed via personal app stores on BYOD accessing org email; edge AI kiosks deployed by facilities teams without IT involvement - [ ] Elevated threats documented: no TA snapshot, no SR requirements pack, no no-train assertion verified, Art. 50 disclosure obligations unreviewed, regulated data flowing to vendor models without a documented DPA - [ ] Specific failure modes named: developer pasting customer PII into an unapproved AI assistant with training enabled; SaaS-AI feature with access to confidential documents enabled tenant-wide without intake; AI browser extension harvesting session cookies from internal applications - [ ] L1 detections documented: MDM/UEM telemetry (unauthorized app installs, extension installs on managed endpoints); network egress monitoring (outbound connections to AI provider domains from unregistered services); SaaS-admin audit logs (AI feature enablement events); endpoint DLP alerts on data patterns in AI API calls - [ ] Document feeds ML-Endpoints detection backlog and IM-Endpoints triage playbook (links on file) - [ ] Shadow-endpoint-AI threat view published and reviewed in last 12 months
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | Shadow-endpoint-AI threat view published and reviewed in last 12 months | n/a | Yes/No | Yes | ☐ | | | % of snapshot top-5 threats tagged to a HAI TTP and an ATLAS tactic ID | measure | % | 100% | ☐ | | | Archetype coverage (endpoint archetypes with a published threat model) | 0 / 7 | ___ / 7 | 7 / 7 | ☐ | | | Downstream reuse rate (SR, SA, ST artifacts citing snapshot threats vs. re-deriving) | measure | % | ≥80% | ☐ | |
Metric Collection Guidance: - Shadow threat view currency: Confirm document exists with review date within last 12 months and program-sponsor approval record - Tagging rate: Same measurement source as Q1/Q2 - Archetype coverage: Same 7/7 metric as Q1 - Downstream reuse: Sample 10 recent SR-Endpoints, SA-Endpoints, or ST-Endpoints artifacts and check whether threats trace back to snapshot top-5 entries
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No shadow-endpoint-AI threat view exists)
Evidence Location: _____ Validation Date: ____ Notes: ______
Objective: Layer per-deployment deep threat models on top of archetype snapshots for Critical-tier deployments, integrate external AI endpoint threat intelligence, and red-team the threat library quarterly against novel real-world attack patterns.
Q4.1: Does every Critical-tier endpoint AI deployment in the SM inventory have a current-year per-deployment deep threat model, not a recycled archetype snapshot, covering deployment-specific attack trees (per-capability abuse paths for tool list or sensor access, data-class exposure consequence analysis, user-population privilege analysis, Art. 50 disclosure-suppression risk), a named-adversary abuse-case catalog, EU AI Act Art. 26/Art. 50/GDPR Art. 22 deployer-duty mapping, and a full ATLAS tactic walk with technique-level specificity, with a semi-annual refresh cadence and change-driven updates on model swap, new tool/sensor, scope change, or user population expansion?
Evidence Required: - [ ] Per-deployment deep threat models exist for 100% of Critical-tier endpoint AI deployments; model age does not exceed 180 days for any Critical-tier deployment - [ ] Per-deployment models contain: deployment-specific tool list or sensor access with per-capability abuse paths; specific data classes accessible and their exposure consequence; specific user population and privilege levels; Art. 50 disclosure obligations and disclosure-suppression risk analysis - [ ] Abuse-case catalog names adversary archetypes (external attacker crafting adversarial inputs, malicious insider with access to the endpoint AI admin console, compromised SaaS-AI vendor, attacker with physical access to edge device) with concrete attack narratives for this specific deployment - [ ] Deployer-duty mapping covers: EU AI Act Art. 26 obligations, Art. 50 disclosure obligations, GDPR Art. 22 automated-decisioning safeguards where the chatbot or assistant drives decisions affecting individuals - [ ] Full ATLAS tactic walk: all 14 tactics enumerated; technique IDs assigned for this specific archetype, tool access, and data boundary; exclusions with rationale on record - [ ] High-tier deployments carry archetype snapshot + deployment-specific deltas + ATLAS tactic walk (no High-tier deployment on archetype snapshot alone) - [ ] Refresh cadence: Critical semi-annual + change-driven; High annual + change-driven; cadence compliance tracked
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | % Critical-tier deployments with current-year per-deployment deep threat model | measure | % | 100% | ☐ | | | % High-tier deployments with archetype snapshot + deployment-specific deltas + ATLAS tactic walk | measure | % | ≥90% | ☐ | | | External intel triage cadence met (quarterly) | measure | ___ / year | 4 / year | ☐ | | | Threat-library change lead time from intel signal to library update | measure | ___ days | ≤30 days for Critical-impact items | ☐ | |
Metric Collection Guidance: - Critical-tier coverage: Count Critical-tier endpoint AI deployments with a per-deployment deep model dated within 180 days divided by all Critical-tier deployments - High-tier coverage: Count High-tier deployments with archetype snapshot + deltas + ATLAS walk divided by all High-tier deployments - Intel triage cadence: Count completed quarterly intel triage sessions in last 12 months. Each session must produce a triage log artifact - Change lead time: For each Critical-impact item in the last four quarters, calculate days from receipt to library update. Compute median and P90
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No per-deployment deep models for Critical-tier endpoint AI deployments)
Evidence Location: _____ Validation Date: ____ Notes: ______
Q5.1: Is external AI endpoint threat intelligence, covering MITRE ATLAS technique updates relevant to endpoint AI archetypes, AVID new entries for chatbots/browser extensions/mobile AI/edge AI, OWASP LLM Top 10/Agentic Top 10 revisions and OWASP MASVS/Browser-Extension Top 10 updates, academic adversarial-ML venues (multimodal injection, model-integrity attacks, edge-device adversarial inputs), sector ISAC AI working groups, and CSA endpoint security working group outputs, subscribed to and operationalized with a quarterly triage cadence producing a documented change-log, with intel-to-library update ≤30 days on Critical-impact items?
Evidence Required: - [ ] Subscriptions active for all six intelligence source categories: MITRE ATLAS (endpoint AI technique focus), AVID, OWASP LLM/Agentic Top 10 + MASVS + Browser-Extension Top 10, academic adversarial-ML venues (multimodal and edge focus), sector ISAC AI working groups, CSA endpoint AI security working group - [ ] Quarterly triage cadence documented: triage session records showing date, intel items reviewed (including OWASP MASVS and Browser-Extension Top 10 revision items), triage decisions with library impact assessment - [ ] Documented change-log with entries keyed to intel source, item date, impact assessment, library update record, and steward sign-off - [ ] Change-log reviewed by the library steward and the IM backlog owner each quarter - [ ] Intel-to-library update lead time ≤30 days for Critical-impact items: evidence from change-log timestamps - [ ] No quarter in the last 12 months with zero library changes
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | External intel triage cadence met (quarterly) | measure | ___ / year | 4 / year | ☐ | | | Threat-library change lead time from intel signal to library update | measure | ___ days | ≤30 days for Critical-impact items | ☐ | | | Library gaps discovered per quarter (red-team exercises) | measure | tracked | trending down | ☐ | | | % Critical-tier deployments with current-year per-deployment deep threat model | measure | ___% | 100% | ☐ | |
Metric Collection Guidance: - Triage cadence: Count triage session records in the last 12 months. Each session must produce a triage log referencing ATLAS technique IDs, OWASP MASVS, and Browser-Extension Top 10 items reviewed - Change lead time: For each Critical-impact item in the last four quarters, calculate days from receipt to library update. Compute median and P90 - Library gaps: From red-team exercise output, count endpoint AI threats identified not present in the library for that archetype. Track per quarter - Critical-tier coverage: Same metric as Q4
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No external intel integration)
Evidence Location: _____ Validation Date: ____ Notes: ______
Q6.1: Does the organization run a quarterly red-team-the-library exercise, where ST-Endpoints probes an in-scope endpoint AI deployment using only threat scenarios documented in the library for that archetype, surfaces all unmatched findings as library gaps rather than passing results, and closes every gap with a named owner and expiry date (Critical gaps within 30 days, High within 60 days), with the gap rate trending down quarter over quarter?
Evidence Required: - [ ] Quarterly red-team-the-library exercise on file: exercise records show date, endpoint AI deployment probed, archetype used, library version, probe scenarios drawn exclusively from library, and unmatched findings enumerated - [ ] Gap log maintained: every unmatched finding becomes a ticket with a named owner and expiry date - [ ] Critical-tier gap closure SLA enforced: no Critical gap open past 30 days (audit evidence on file) - [ ] High-tier gap closure SLA: no High gap open past 60 days - [ ] Gap rate tracked per quarter and documented as trending down - [ ] Gaps reviewed for SR-Endpoints and ST-Endpoints update implications; multi-modal injection, browser extension permission abuse, and edge firmware attack patterns explicitly tested in probes
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | Library gaps discovered per quarter (red-team exercises) | measure | tracked | trending down | ☐ | | | % Critical-tier deployments with current-year per-deployment deep threat model | measure | % | 100% | ☐ | | | % High-tier deployments with archetype snapshot + deployment-specific deltas + ATLAS tactic walk | measure | % | ≥90% | ☐ | | | External intel triage cadence met (quarterly) | measure | ___ / year | 4 / year | ☐ | |
Metric Collection Guidance: - Library gap rate: Count library gaps logged per quarter from red-team exercises. Plot trend; expect initial rise then sustained decline - Gap closure SLA: Verify no Critical gap exceeded 30 days from creation to closure in the last four quarters - Critical-tier and High-tier coverage: Same metrics as Q4 - Intel triage cadence: Same metric as Q5
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No red-team-the-library exercise)
Evidence Location: _____ Validation Date: ____ Notes: ______
Objective: Automate threat-library maintenance from telemetry and external feeds, and contribute discovered endpoint AI TTPs back to MITRE ATLAS, AVID, OWASP MASVS/Browser-Extension Top 10, and CSA endpoint working groups.
Q7.1: Does the threat library auto-update from an integrated signal pipeline, consuming ML-Endpoints detection alert patterns, IM-Endpoints post-incident ATLAS tactic walks, ATLAS technique additions, AVID new entries, OWASP LLM/MASVS/Browser-Extension revision drafts, sector-ISAC AI-specific advisories, CSA endpoint AI security updates, and weekly academic adversarial-ML, multimodal-attack, and edge-AI-security paper digests, via human-curator approval workflow, with ≥60% of changes auto-proposed, ≤14-day lead time from signal to update, and a machine-readable change-log subscribed to by downstream SR and ST practices?
Evidence Required: - [ ] Auto-proposal pipeline operational: ML-Endpoints detections and IM-Endpoints incident ATLAS walks generate structured candidate threat entries surfaced to the curation queue - [ ] External feed ingestion active: ATLAS, AVID, OWASP LLM/MASVS/Browser-Extension revision drafts, sector-ISAC AI advisories, CSA endpoint AI security updates, academic publication digest (multimodal injection, edge-AI-security, browser extension security focus) all feeding the pipeline - [ ] Human-curator workflow implemented: curators approve, reject, or defer each auto-proposal with decision rationale on record - [ ] ≥60% of library changes in the last 12 months were auto-proposed - [ ] Change-log is machine-readable; downstream SR-Endpoints and ST-Endpoints practices subscribe and receive update-required notifications - [ ] Lead time from signal to library update ≤14 days: change-log timestamps support this claim
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | Library change lead time from telemetry / external signal to update | measure | ___ days | ≤14 days | ☐ | | | % of library changes auto-proposed vs. manually authored | measure | ___% | ≥60% auto-proposed | ☐ | | | Industry contributions per year (MITRE ATLAS / AVID / OWASP / CSA) | 0 | ___ | ≥4 | ☐ | | | External-recognized TTPs originating from the program | 0 | ___ | ≥2 / year | ☐ | |
Metric Collection Guidance: - Change lead time: Measure days from signal timestamp to library commit. Focus on OWASP MASVS/Browser-Extension revision items and academic multimodal-attack publications as the most endpoint-specific signal types. Compute median and P90 - Auto-proposal rate: Count changes with origin "auto-proposed" divided by all changes in last 12 months - Industry contributions: Count substantive technical artifacts submitted to ATLAS/AVID/OWASP/CSA. Novel multimodal injection patterns, edge-device model integrity attacks, browser-extension DOM-injection chains, SaaS-AI feature-scope-inheritance exploitation qualify - Recognized TTPs: Check ATLAS commit history, AVID entry list, OWASP MASVS/Browser-Extension Top 10 revision changelogs, CSA guidance for citations of the program
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No auto-proposal pipeline)
Evidence Location: _____ Validation Date: ____ Notes: ______
Q8.1: Does the program contribute at least four substantive, evidence-backed technical artifacts per year to MITRE ATLAS, AVID, OWASP MASVS/Browser-Extension Top 10, and CSA endpoint AI security working group, covering novel endpoint AI TTPs discovered in own-deployed interfaces (multimodal injection patterns, edge-device model integrity attacks, browser-extension DOM-injection chains, SaaS-AI feature-scope-inheritance exploitation) following ATLAS evidence-and-provenance requirements, with at least two contributions externally recognized in published advisories or standard revisions?
Evidence Required: - [ ] Contribution log maintained: each entry records target body (ATLAS/AVID/OWASP/CSA), submission date, artifact type, evidence package, anonymization review sign-off, and status - [ ] ≥4 substantive technical contributions submitted in the last 12 months, each is a technical artifact with evidence, not a cosmetic observer comment - [ ] ≥2 contributions externally recognized in the last 12 months (ATLAS technique merge, AVID entry published, OWASP MASVS/Browser-Extension Top 10 revision incorporating the submission, CSA guidance citing the program) - [ ] Submissions anonymized and legally vetted; review record on file for each submission - [ ] Contributions focus on endpoint-domain attack classes: multimodal injection (image/audio/video), edge firmware attacks, browser extension permission abuse, SaaS-AI silent enablement scope-inheritance, mobile local-model integrity attacks
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | Industry contributions per year (MITRE ATLAS / AVID / OWASP / CSA) | 0 | ___ | ≥4 | ☐ | | | External-recognized TTPs originating from the program | 0 | ___ | ≥2 / year | ☐ | | | Library change lead time from telemetry / external signal to update | measure | ___ days | ≤14 days | ☐ | | | % of library changes auto-proposed vs. manually authored | measure | ___% | ≥60% auto-proposed | ☐ | |
Metric Collection Guidance: - Contributions: Source is contribution log. Quality-grade: technical artifact with evidence = counts; comment without evidence = does not count - Recognized TTPs: Check ATLAS commit history, AVID entry list, OWASP MASVS/Browser-Extension Top 10 changelogs, CSA endpoint AI guidance for citations of the program - Change lead time and auto-proposal rate: Same as Q7
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No substantive industry contributions)
Evidence Location: _____ Validation Date: ____ Notes: ______
Q9.1: Are anonymized endpoint archetype threat models published under a permissive license with tracked peer-org adoption, and does the program host or co-host at least one industry tabletop per year (ATLAS practitioner table, OWASP AI chapter, CSA endpoint working group, or sector ISAC AI working group) tied to the library?
Evidence Required: - [ ] Anonymized endpoint archetype threat models published: public or consortium-accessible URL on file; license is permissive; org-specific tool names, deployment details, and sensor configurations scrubbed - [ ] Anonymization review record on file for each published model - [ ] Peer-org adoption tracked: download counts, fork counts, direct adoption notifications, or consortium usage reports - [ ] Industry tabletop hosted or co-hosted in last 12 months: event record with date, hosting org(s), topic tied to the endpoint AI threat library, and participant count - [ ] Published models maintained in sync with internal library: last internal update vs. last published update gap ≤90 days
Outcome Metrics: | Metric | Baseline | Current | Target | Met? | Notes | |--------|----------|---------|--------|------|-------| | Peer-org adoption of published archetype threat models | 0 | tracked | tracked | ☐ | | | External-recognized TTPs originating from the program | 0 | ___ | ≥2 / year | ☐ | | | Industry contributions per year (MITRE ATLAS / AVID / OWASP / CSA) | 0 | ___ | ≥4 | ☐ | | | % of library changes auto-proposed vs. manually authored | measure | ___% | ≥60% auto-proposed | ☐ | |
Metric Collection Guidance: - Peer-org adoption: Collect download/fork/adoption metrics from the publishing platform quarterly. Trend is the measure - Recognized TTPs: Same metric as Q8 - Contributions and auto-proposal rate: Same metrics as Q7/Q8
Answer: - ☐ Fully Mature (Evidence complete + ≥3 metrics meet targets) - ☐ Implemented (Evidence complete + 2 metrics meet targets) - ☐ Partial (Evidence partially complete + <2 metrics meet targets) - ☐ Not Implemented (No published shared artifacts or tabletops)
Evidence Location: _____ Validation Date: ____ Notes: ______
| Level | Q1 | Q2 | Q3 | Level Score | Gate Met? |
|---|---|---|---|---|---|
| L1 | ___ | ___ | ___ | ___ | ☐ |
| Level | Q4 | Q5 | Q6 | Level Score | Gate Met? |
|---|---|---|---|---|---|
| L2 | ___ | ___ | ___ | ___ | ☐ |
| Level | Q7 | Q8 | Q9 | Level Score | Gate Met? |
|---|---|---|---|---|---|
| L3 | ___ | ___ | ___ | ___ | ☐ |
Practice Maturity Score: ___ Assessed Maturity Level: ☐ L1 ☐ L2 ☐ L3
Practice Maturity Statement: The organization's TA-Endpoints practice is at Level ___ . The archetype threat library covers ___ / 7 endpoint AI archetypes mapped to HAI TTPs (EA/AGH/TM/RA), ATLAS tactic IDs (TA0001–TA0014), and applicable OWASP LLM/Agentic/MASVS/Browser-Extension references. Domain-specific threats cataloged include data egress to vendor via assistant, browser extension permission abuse, multi-modal injection, SaaS-AI silent feature enablement, mobile local-model integrity attacks, and edge firmware attacks. Threat snapshots are produced at SM intake for ___% of Sanctioned endpoint AI deployments. [Add narrative on gaps, next steps, and L2/L3 readiness.]
Document Version: HAIAMM v3.0 Practice: Threat Assessment (TA) Domain: Endpoints Last Updated: 2026-05-15 Author: Verifhai
Instructions: