STRIDE-AI Threat Modeling Framework
Academic proposal (arXiv:2605.17163, CIIT 2026; Tsafac Nkombong Regine Cyrille, Franziska Schwarz) that adapts Microsoft’s STRIDE threat-modeling methodology to generative-AI systems. Its stated contribution is to bridge a high-level governance standard (NIST AI RMF) with a technical vulnerability taxonomy (OWASP LLM Top 10), the layer threat modeling for AI occupies between policy and concrete attack catalogs.
The paper argues that deterministic-system threat modeling does not account for the probabilistic behavior of models, which leaves attack vectors such as model inversion, data poisoning, and prompt injection unaddressed.
What it proposes
| Element | Description |
|---|---|
| Six-phase lifecycle | An assessment workflow from scoping through validation |
| Adapted STRIDE | The six STRIDE categories (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) re-mapped onto AI assets — training data, model weights, the prompt/context window, inference endpoints |
| Web-based tool | A purpose-built application to operationalize the assessment |
| Black-box validation | A worked case study against a deployed LLM chatbot |
Reported result
In a sandbox case study the framework reduced the chatbot’s attack success rate from 80% to 15%.1 This is a single self-reported case study, not an independent benchmark; the wiki treats the figure as illustrative rather than a general efficacy claim.
Where it fits
STRIDE-AI is the elicitation method in the threat-modeling spine’s five-step pass, and one concrete answer to its question of how to extend classical STRIDE-style modeling to model and agent assets. The Threat Taxonomy Reconciliation matrix records which catalog categories each STRIDE-AI category tends to surface. It maps to the same design-stage practice the wiki places in CMM domain D4 (Threat Modeling and Adversarial Defense). It is narrower than CSA MAESTRO’s seven-layer agentic decomposition, since it targets generative-AI applications generally rather than multi-agent ecosystems. It complements the attack catalogs (OWASP LLM Top 10, MITRE ATLAS) by supplying the elicitation method that walks an architecture against them.
See also
- Threat Modeling for AI — the concept this operationalizes
- NIST AI RMF · OWASP LLM Top 10 — the two standards it bridges
- CSA MAESTRO — the layered agentic alternative
Footnotes
-
§case study, arXiv:2605.17163. Single deployed-chatbot sandbox; no independent replication. ↩