Threat model

V

Pillar V of V

AI Security

Defense-in-depth aligned to the OWASP Top 10 for LLM Applications. Every layer (input, model, output, runtime) assumes the layer above it failed.

Security for AI is not a separate discipline bolted onto application security. It is application security with two extra surfaces. The model itself, and the agent runtime around it. Pillar V exists because those two surfaces have failure modes our existing ISMS does not cover by default. Regulators, auditors, and enterprise buyers now expect you to name those failure modes in writing.

Context

The OWASP Top 10 for LLM Applications is the backbone of this pillar. Each of the next twelve sections takes a single OWASP risk class. Prompt injection, training data poisoning, sensitive information disclosure, and so on. Each one names what Bizzi does about it. Before any of that, you need a shared picture of who attacks our AI features, where they attack them, and how often we revisit the model.

Principle: The threat model rule

Every AI feature inherits Bizzi’s platform threat model and adds at least one AI-specific control per OWASP-LLM risk class in scope for the feature. Features without that mapping do not exit ADLC Stage 1.

STRIDE, adapted for AI

STRIDE stays useful. For AI features each category gains a new failure mode. The mapping below is the one squads use during ADLC Stage 1 design review.

STRIDE	AI-specific instance at Bizzi	Section
Spoofing	Attacker forges user identity, or injects content that impersonates the system prompt	§3, §9
Tampering	Training data or RAG corpus modified to plant a backdoor	§4, §5
Repudiation	User claims “the AI decided, I did not” to disown an action	Pillar III audit trail
Information disclosure	LLM leaks PII, system prompt, or cross-tenant data	§7
Denial of service	API quota or budget exhausted via expensive prompts	§10
Elevation of privilege	Agent operates with rights the user does not hold	§9

Threat actors we plan against

We model three groups and design controls against each. Naming them keeps the conversation concrete during red-team planning.

• External. Organised crime for fraud and exfiltration for resale. Nation-state APT for supply-chain or espionage. Researchers and bounty hunters. Competitors seeking customer lists or pricing.
• Insider. Malicious employees, compromised credentials, and (empirically the largest real-world risk) negligent insiders who paste production data into the wrong tool.
• Customer-side. Compromised customer tenants, and malicious vendors in a customer’s supply chain who inject content into invoices the customer then submits to us.

Attack surface on a Bizzi AI feature

The attack surface is broader than the LLM. For every feature, design review covers six surfaces.

• Input layer. Uploaded PDFs and images, chat messages, API requests.
• Model layer. Prompt injection, weights tampering for self-hosted models, training data corruption.
• Output layer. Leakage in responses, SQL injection in text-to-SQL, code or command injection.
• Agent runtime. Recursion, excessive agency, denial of wallet.
• Vendor surface. Vendor LLM compromise, sub-processor breach.
• Platform surface. Auth, network, infrastructure. Pillar V §13 inherits the ISMS controls.

Cadence

Threat models are not artefacts. They decay. We refresh them on three triggers.

• Quarterly. Re-baseline threat environment, threat-actor list, and attack-vector catalogue. Owned by the CoE Security Lead.
• At every new feature launch. Feature-specific threat assessment is a mandatory ADLC Stage 1 exit criterion (Pillar IV §6).
• After every SEV1 or SEV2 incident. The post-incident review updates the threat model before it closes.

Standards mapping

Standards Mapping

OWASP Top 10 for LLMs (entire). ISO/IEC 27005. Information security risk management. NIST AI RMF. MAP-1, MEASURE-1. ISO/IEC 42001. A.7.1 (Operational planning and control).