STRIDE-AI Threat Modeling Framework

Academic proposal (arXiv:2605.17163, CIIT 2026; Tsafac Nkombong Regine Cyrille, Franziska Schwarz) that adapts Microsoft’s STRIDE threat-modeling methodology to generative-AI systems. Its stated contribution is to bridge a high-level governance standard (NIST AI RMF) with a technical vulnerability taxonomy (OWASP LLM Top 10), the layer threat modeling for AI occupies between policy and concrete attack catalogs.

The paper argues that deterministic-system threat modeling does not account for the probabilistic behavior of models, which leaves attack vectors such as model inversion, data poisoning, and prompt injection unaddressed.

What it proposes

ElementDescription
Six-phase lifecycleAn assessment workflow from scoping through validation
Adapted STRIDEThe six STRIDE categories (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) re-mapped onto AI assets — training data, model weights, the prompt/context window, inference endpoints
Web-based toolA purpose-built application to operationalize the assessment
Black-box validationA worked case study against a deployed LLM chatbot

Reported result

In a sandbox case study the framework reduced the chatbot’s attack success rate from 80% to 15%.1 This is a single self-reported case study, not an independent benchmark; the wiki treats the figure as illustrative rather than a general efficacy claim.

Where it fits

STRIDE-AI is the elicitation method in the threat-modeling spine’s five-step pass, and one concrete answer to its question of how to extend classical STRIDE-style modeling to model and agent assets. The Threat Taxonomy Reconciliation matrix records which catalog categories each STRIDE-AI category tends to surface. It maps to the same design-stage practice the wiki places in CMM domain D4 (Threat Modeling and Adversarial Defense). It is narrower than CSA MAESTRO’s seven-layer agentic decomposition, since it targets generative-AI applications generally rather than multi-agent ecosystems. It complements the attack catalogs (OWASP LLM Top 10, MITRE ATLAS) by supplying the elicitation method that walks an architecture against them.

See also

Footnotes

  1. §case study, arXiv:2605.17163. Single deployed-chatbot sandbox; no independent replication.