🛡️ AI Threat Modeling Isn’t Optional Anymore: Understanding STRIDE, MITRE ATLAS, and OWASP LLM…

Artificial Intelligence is rapidly becoming part of modern applications, from chatbots and recommendation engines to fraud detection systems and autonomous AI agents. As organizations rush to integrate AI into their products, many are discovering a hard truth:

Traditional threat modeling is no longer enough.

For years, security teams focused on protecting assets like databases, source code, credentials, and APIs. While those assets still matter, AI introduces an entirely new set of targets that attackers can exploit.

Training datasets can be poisoned. Models can be stolen. System prompts can leak sensitive business logic. Vector databases can be manipulated to influence AI responses.

The result is a much larger and more complex attack surface than most organizations realize.

In this article, I'll explore how AI changes threat modeling and how three powerful frameworks — STRIDE, MITRE ATLAS, and the OWASP LLM Top 10 — can be combined to build a practical security strategy for AI systems.

AI Introduces New Assets That Need Protection

When we think about security assets, most people immediately think of databases, source code repositories, API keys, or cloud infrastructure.

AI systems introduce entirely new assets that deserve the same level of protection.

Training data is one of the most valuable examples. Since models learn from this data, poisoning it can change how a model behaves long after the attack has occurred.

Model weights are equally important. Unlike a leaked password, a stolen model cannot simply be rotated or reset. If an attacker obtains a copy of the weights, they effectively possess a copy of the organization's AI capability.

Other important assets include embedding vectors used by retrieval systems, system prompts that define model behavior, feature stores that provide model inputs, and model registries that store deployable AI artifacts.

What makes these assets particularly dangerous is that attacks against them often remain invisible until much later. A poisoned dataset may not reveal its effects until the next retraining cycle. A compromised model registry may silently distribute backdoored models across an entire organization.

This delayed impact is one of the reasons AI security is so challenging.

Why AI Systems Behave Differently From Traditional Applications

Traditional software is generally deterministic.

If you enter the same input into a calculator twice, you get the same answer twice.

AI systems don't work that way.

A language model can produce slightly different responses even when given the exact same prompt. This probabilistic behavior makes testing, auditing, and incident investigations significantly harder.

There's also the famous "black box" problem.

With traditional applications, developers can usually trace a decision back to specific code paths. With modern AI models, decisions emerge from millions or billions of learned parameters. Investigators often see the input and the output without fully understanding what happened in between.

For defenders, this means threat modeling must focus not only on code and infrastructure, but also on model behavior, data flows, and failure modes.

The AI Supply Chain Is Bigger Than Most People Think

Most security professionals are familiar with software supply chain attacks.

Compromised packages, malicious dependencies, and vulnerable containers have become common attack vectors.

AI systems introduce a second supply chain: the data supply chain.

Every AI model passes through a series of stages before reaching production. Data is collected, cleaned, labeled, used for training, validated, packaged, and eventually deployed for inference.

Each stage creates opportunities for attackers.

Imagine a company called MegaCorp that retrains its fraud detection model every month. An attacker slowly injects crafted fraudulent transactions into the training dataset. Nothing appears suspicious at first.

Months later, the newly trained model begins treating those fraudulent transactions as legitimate behavior.

The attack succeeds not because the attacker breached the production environment, but because they manipulated the data that shaped the model's understanding of reality.

This is why securing AI requires protecting both the software supply chain and the data supply chain.

Why STRIDE Needs an AI Upgrade

Most cybersecurity professionals are familiar with STRIDE.

It's one of the most widely used threat modeling frameworks and helps answer a simple question:

What can go wrong?

For traditional systems, STRIDE works extremely well. However, AI introduces threats that don't fit neatly into its original categories.

Consider data poisoning.

Technically, it falls under Tampering because attackers are modifying data. But unlike traditional tampering attacks, the effects may not appear until a future retraining cycle. The damage can remain hidden for weeks or months.

Similarly, model extraction technically falls under Information Disclosure. Yet stealing a model is far more damaging than leaking a document because it gives attackers a copy of years of intellectual property and development effort.

STRIDE remains useful, but AI requires additional context and specialized threat intelligence.

That's where MITRE ATLAS enters the picture.

MITRE ATLAS: Understanding How AI Attacks Actually Work

While STRIDE identifies threat categories, MITRE ATLAS focuses on attack techniques.

Think of it as the AI equivalent of MITRE ATT&CK.

Instead of simply identifying a Tampering risk, ATLAS explains exactly how attackers perform actions such as:

• Data poisoning
• Model extraction
• Prompt injection
• Adversarial manipulation
• Backdoor model creation

For example, a STRIDE assessment might reveal that MegaCorp's training pipeline is vulnerable to tampering.

ATLAS helps transform that generic finding into a concrete risk:

Data Poisoning (AML.T0020)

It then provides attack details, prerequisites, detection ideas, and mitigation strategies.

This makes threat modeling significantly more actionable.

Rather than saying, "Someone could tamper with the system," security teams can describe exactly how an adversary would perform the attack and how defenders should respond.

The OWASP LLM Top 10 Answers a Different Question

STRIDE tells us what can go wrong.

ATLAS tells us how attackers do it.

OWASP LLM Top 10 answers something equally important:

Where does the risk actually exist?

This framework focuses specifically on AI and Large Language Model security.

Prompt Injection, Sensitive Information Disclosure, Excessive Agency, System Prompt Leakage, Data Poisoning, and Unbounded Consumption are all mapped to the parts of an AI architecture where they are most likely to occur.

This is particularly useful when assessing new AI components.

For example, if an organization introduces a Retrieval-Augmented Generation (RAG) pipeline, the OWASP framework immediately highlights risks such as indirect prompt injection, vector database weaknesses, and misinformation.

Instead of starting security reviews from scratch, teams can begin with a known set of risks associated with that component.

The Most Dangerous Part of an AI System

One of the most interesting observations from the OWASP LLM Top 10 is that the highest concentration of risk typically exists at the LLM inference endpoint itself.

This single component is often exposed to:

• Prompt injection attacks
• Sensitive data exposure
• Prompt leakage
• Excessive permissions
• Misinformation
• Cost abuse attacks
• Unsafe output handling

In many environments, the model endpoint becomes the most attractive target for attackers.

Meanwhile, vector databases introduce retrieval-specific risks, while training pipelines remain highly exposed to supply chain and poisoning attacks.

Understanding these risk concentrations helps organizations prioritize security investments where they matter most.

Real AI Attacks Are Already Happening

One of the biggest mistakes defenders make is treating AI threats as theoretical.

They're not.

The ShadowRay incident demonstrated how attackers could target AI infrastructure built on the Ray framework.

Researchers also demonstrated the Morris II Worm, a self-replicating prompt injection attack capable of spreading through AI-powered workflows and retrieval systems while extracting sensitive information.

These incidents highlight an important reality:

Attackers are no longer experimenting with AI systems.

They're actively targeting them.

As AI adoption increases, these attacks will only become more common.

Bringing Everything Together

No single framework provides complete coverage for AI security.

STRIDE helps identify what can go wrong.

MITRE ATLAS explains how attackers perform those actions.

OWASP LLM Top 10 shows where the risks exist inside the architecture.

Together, they create a practical approach for threat modeling modern AI systems.

When evaluating an AI application, the process becomes surprisingly simple:

Start with STRIDE to identify threats.

Use MITRE ATLAS to understand attack techniques.

Apply OWASP LLM Top 10 to determine which components are affected and what controls should be prioritized.

This layered approach transforms AI threat modeling from an abstract exercise into a practical security process.

Final Thoughts

AI systems are not simply traditional applications with a chatbot attached.

They introduce new assets, new attack surfaces, new supply chains, and entirely new classes of security risks.

Training data, model weights, system prompts, vector databases, and AI agents all require protection. Threats such as data poisoning, prompt injection, model extraction, and excessive agency have become real concerns for organizations deploying AI at scale.

As defenders, we need to move beyond traditional application security thinking and start treating AI as its own security domain.

The organizations that succeed will be the ones that understand not only what can go wrong, but also how attackers exploit AI systems and where those risks live within the architecture.

That's exactly why STRIDE, MITRE ATLAS, and the OWASP LLM Top 10 are becoming essential tools for every modern security professional.