F08 — Security & Compliance
Phase 8 — AI Security Threat Model & Risk Acceptance
Objective
Apply security controls proportional to risk, with explicit mapping to the OWASP LLM Top 10 and the OWASP Agentic Top 10 (ASI). Every residual-risk decision requires documented acceptance.
1. Threat Model — STRIDE + AI Extension
For AI-First systems, extend STRIDE with AI-specific categories:
| STRIDE | AI Extension | Example | Mitigation |
|---|---|---|---|
| Spoofing | Agent identity abuse (ASI03) | Agent inherits admin privileges | JIT ephemeral tokens, NHI management |
| Tampering | Data/model poisoning (LLM04, ASI06) | Malicious document in the RAG corpus | Cryptographic provenance, input validation |
| Repudiation | Untraceable agent actions (ASI10) | Agent performs an action with no audit trail | Full trace logging with agent_id |
| Info Disclosure | PII leakage (LLM02) | Model reveals another tenant's data | DLP pipelines, namespace segregation |
| Denial of Service | Unbounded consumption (LLM10, ASI08) | Agent loop burns $10K in tokens | Cost guards, circuit breakers, rate limits |
| Elevation of Privilege | Prompt injection (LLM01, ASI01) | Malicious input escalates privileges | Semantic firewall, least-privilege tools |
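The Denial of Service row is the one most teams under-implement: "cost guards, circuit breakers, rate limits" only work if all three are enforced at one choke point that the agent loop cannot bypass. The session guard below is an added example written for this page, not code from the framework; it wires the three ASI08 values used later in the checklist (max 10 tool calls per session, max $1 per conversation, 60 s per LLM call) into a single object that every model and tool invocation must go through. The token prices, the fake model and the fake tool are constructed for the demo.

```python
"""Session guard for an LLM agent loop: tool-call cap per session, cost cap
per conversation and timeout per LLM call enforced in one place.

Added example for this page, not code from the framework. Token prices,
the fake model and the fake tool are constructed for the demo.
"""
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumed price list in USD per million tokens; substitute the provider's rates.
PRICE_PER_MTOK = {"input": 3.0, "output": 15.0}


class CircuitOpen(RuntimeError):
    """A guard tripped. The loop must stop and surface the reason, not retry."""


@dataclass
class SessionGuard:
    max_tool_calls: int = 10     # circuit breaker (checklist value)
    max_cost_usd: float = 1.0    # cost guard (checklist value)
    llm_timeout_s: float = 60.0  # timeout per LLM call (checklist value)
    tool_calls: int = 0
    cost_usd: float = 0.0
    tripped: Optional[str] = None

    def _trip(self, reason: str) -> CircuitOpen:
        self.tripped = reason
        return CircuitOpen(reason)

    def llm_call(self, model: Callable[[str], Tuple[str, int, int]], prompt: str) -> str:
        """Run model(prompt) under a hard deadline and bill its token usage.

        model returns (text, input_tokens, output_tokens), as provider usage
        fields do. A timed-out worker thread is abandoned, not killed, so in
        real code pass the same timeout to the HTTP client as well.
        """
        if self.tripped:
            raise CircuitOpen(self.tripped)
        pool = ThreadPoolExecutor(max_workers=1)
        future = pool.submit(model, prompt)
        try:
            text, tokens_in, tokens_out = future.result(timeout=self.llm_timeout_s)
        except FutureTimeout:
            raise self._trip(f"LLM call exceeded {self.llm_timeout_s}s")
        finally:
            pool.shutdown(wait=False)
        self.cost_usd += (tokens_in * PRICE_PER_MTOK["input"]
                          + tokens_out * PRICE_PER_MTOK["output"]) / 1_000_000
        if self.cost_usd > self.max_cost_usd:
            raise self._trip(f"session cost ${self.cost_usd:.4f} exceeds ${self.max_cost_usd:.2f}")
        return text

    def tool_call(self, tool: Callable, *args):
        """Count the call before running it, so a runaway loop cannot exceed the cap."""
        if self.tripped:
            raise CircuitOpen(self.tripped)
        if self.tool_calls >= self.max_tool_calls:
            raise self._trip(f"tool-call cap of {self.max_tool_calls} per session reached")
        self.tool_calls += 1
        return tool(*args)


def run_runaway_loop(max_tool_calls: int = 3) -> SessionGuard:
    """Constructed agent loop with no exit condition: only the guard stops it."""
    def fake_model(prompt: str):
        return ("call lookup_order(A-1)", 500, 200)  # constructed usage numbers

    def fake_tool(order_id: str):
        return {"order_id": order_id, "status": "shipped"}

    guard = SessionGuard(max_tool_calls=max_tool_calls, max_cost_usd=1.0)
    try:
        while True:
            guard.llm_call(fake_model, "What is the status of order A-1?")
            guard.tool_call(fake_tool, "A-1")
    except CircuitOpen:
        pass
    return guard


def run_slow_model(timeout_s: float = 0.05) -> SessionGuard:
    """Constructed model that hangs longer than the per-call timeout."""
    def slow_model(prompt: str):
        time.sleep(0.3)
        return ("too late", 1, 1)

    guard = SessionGuard(llm_timeout_s=timeout_s)
    try:
        guard.llm_call(slow_model, "hello")
    except CircuitOpen:
        pass
    return guard


if __name__ == "__main__":
    g = run_runaway_loop()
    print(f"stopped after {g.tool_calls} tool calls, ${g.cost_usd:.4f}: {g.tripped}")
    print(run_slow_model().tripped)
```

The guard is deliberately sticky: once `tripped` is set, every further call raises, so a retry wrapper higher up the stack cannot quietly resume the loop. Spend is accumulated from the provider's returned usage counts rather than estimated from prompt length, which is the only figure the invoice will agree with.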
2. OWASP ASI (Agentic) Checklist
Complete for each agent in the system:
```yaml
agent_name: "Customer Support Agent"
assessment_date: "2026-03-21"
assessor: "Security Lead"

checks:
  ASI01_goal_hijack:
    status: "mitigated"   # mitigated | accepted | not_applicable | open
    controls:
      - "System prompt hardened against instruction override"
      - "Semantic firewall in the input pipeline"
      - "HITL for objective changes"
    residual_risk: "low"

  ASI02_tool_misuse:
    status: "mitigated"
    controls:
      - "Tool permissions via JSON Schema strict validation"
      - "Write operations require HITL confirmation"
      - "Tool allowlist (no dynamic tool discovery)"
    residual_risk: "low"

  ASI03_privilege_abuse:
    status: "mitigated"
    controls:
      - "JIT ephemeral tokens per tool call"
      - "Agent runs as NHI with minimal permissions"
      - "No shared credentials between agents"
    residual_risk: "low"

  ASI04_supply_chain:
    status: "mitigated"
    controls:
      - "MCP servers allowlisted in mcp_config.json"
      - "Dependencies pinned by hash"
      - "SBOM generated in CI"
    residual_risk: "medium"

  ASI05_code_execution:
    status: "not_applicable"
    reason: "Agent does not generate or execute code"

  ASI06_memory_poisoning:
    status: "mitigated"
    controls:
      - "RAG corpus reviewed monthly"
      - "Conversation memory expires after 90 days"
      - "Tenant isolation in vector DB"
    residual_risk: "low"

  ASI07_insecure_inter_agent:
    status: "not_applicable"
    reason: "Single agent system, no inter-agent communication"

  ASI08_cascading_failures:
    status: "mitigated"
    controls:
      - "Circuit breaker: max 10 tool calls per session"
      - "Cost guard: max $1 per conversation"
      - "Timeout: 60 seconds per LLM call"
    residual_risk: "low"

  ASI09_human_trust_exploitation:
    status: "mitigated"
    controls:
      - "Confidence score displayed to user"
      - "Irreversible actions require step-up auth outside chat"
      - "Agent identifies itself as AI in every interaction"
    residual_risk: "low"

  ASI10_rogue_agent:
    status: "mitigated"
    controls:
      - "Behavior baseline monitored (tool call patterns)"
      - "Objective drift detection via eval suite"
      - "Emergency kill switch accessible to ops team"
    residual_risk: "low"

overall_risk_posture: "acceptable"
next_review_date: "2026-06-21"
```
3. Risk Acceptance Template
When residual risk is accepted (it cannot be mitigated further):
```yaml
acceptances:
  - risk_id: "RISK-ASI04-001"
    description: "Third-party MCP server does not provide signed manifests"
    residual_risk: "medium"
    business_justification: "Only available integration with the CRM; contractually obligated"
    compensating_controls:
      - "Monthly security review of MCP server responses"
      - "Allowlist of permitted tool calls"
      - "Output validation on all MCP responses"
    accepted_by: "Security Lead"
    accepted_date: "2026-03-21"
    review_date: "2026-06-21"
    expiry: "2026-09-21"   # Must re-evaluate after 6 months
```
4. EU AI Act — Compliance Mapping
| EU AI Act Article | Framework Phase | Artifact | Status |
|---|---|---|---|
| Art. 9 — Risk Management | F01, F08 | risk_register.yaml, owasp_asi_checklist.yaml | |
| Art. 10 — Data Governance | F03, F05 | data_classification.yaml, data_dictionary.yaml | |
| Art. 11 — Technical Docs | F04, F05 | ADRs, OpenAPI specs, ai_partition_map.yaml | |
| Art. 12 — Record Keeping | F09 | Observability traces, audit logs | |
| Art. 13 — Transparency | F06 (UX) | User-facing AI disclosure | |
| Art. 14 — Human Oversight | F00, F08 | HITL config, human_agent_responsibility.yaml | |
| Art. 15 — Accuracy/Robustness | F07 | evaluation_scorecard.yaml, golden_dataset.yaml | |
5. ISO 42001 AIMS Mapping
| ISO 42001 Clause | Framework Equivalent |
|---|---|
| 4. Context of the Organization | F01 Strategy, F02 Domain |
| 5. Leadership | F00 Roles RACI, Sponsor role |
| 6. Planning (Risk) | F01 Risk Register, F08 Threat Model |
| 7. Support (Resources/Competence) | F00 Multi-Track, Maturity Model |
| 8. Operation | F03-F06 (Design through Build) |
| 9. Performance Evaluation | F07 TEVV, F09 Observability |
| 10. Improvement | F10 Learn & Evolve |
6. Exit Checklist — Gate 8
- Threat model completed (STRIDE + AI extension)
- OWASP ASI checklist completed for each agent
- OWASP LLM Top 10 reviewed
- Compliance matrix updated
- Residual risks documented with formal acceptance
- Data classification completed
- Secret scan passing in CI (no hardcoded keys)
- EU AI Act mapping (if high-risk)
- Pen test scheduled (if Full track)
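Two of the gate items above ("OWASP ASI checklist completed for each agent" and "Residual risks documented with formal acceptance") are mechanical enough to enforce in CI rather than by reading YAML by hand. The checker below is an added example written for this page, not code from the framework. It applies the rules the page states: all ten ASI entries must be assessed, `open` blocks the gate, `not_applicable` needs a reason, and any `accepted` entry or `mitigated` entry with non-low residual risk must be backed by an unexpired acceptance record. Two things are assumptions of this example rather than the page's: acceptances are matched to checklist entries through the `ASIxx` segment of `risk_id` (the `RISK-ASI04-001` convention shown in the template), and only `medium` or `high` residual risk requires a sign-off record. The two dicts are constructed from the page's templates and are the structures PyYAML's `yaml.safe_load` returns for those files.

```python
"""Gate 8 check: confront an agent's OWASP ASI checklist with the risk
acceptance register and fail the gate on anything undocumented.

Added example, not code from the framework. The sample dicts are constructed
to match the page's YAML templates (what yaml.safe_load would return). For
real files: gate8_findings(yaml.safe_load(open(a)),
                           yaml.safe_load(open(b))["acceptances"], "2026-04-01")
"""
from datetime import date

ASI_IDS = [f"ASI{n:02d}" for n in range(1, 11)]
VALID_STATUS = {"mitigated", "accepted", "not_applicable", "open"}
NEEDS_SIGNOFF = {"medium", "high"}  # assumed threshold: low residual risk needs no record


def _as_date(value) -> date:
    # The template quotes dates as strings; unquoted YAML dates arrive as date objects.
    return value if isinstance(value, date) else date.fromisoformat(str(value))


def gate8_findings(checklist: dict, acceptances: list, today: str) -> list:
    """Return the list of findings; an empty list means Gate 8 passes."""
    now = _as_date(today)
    findings = []
    # Acceptances indexed by the ASI id embedded in risk_id (RISK-ASI04-001 -> ASI04);
    # assumed naming convention, taken from the page's template.
    accepted_for = {}
    for acc in acceptances:
        accepted_for.setdefault(acc["risk_id"].split("-")[1], []).append(acc)
        if _as_date(acc["expiry"]) <= now:
            findings.append(f"{acc['risk_id']}: acceptance expired on {acc['expiry']}, re-evaluate")
        if not acc.get("compensating_controls"):
            findings.append(f"{acc['risk_id']}: no compensating controls")
        if not acc.get("accepted_by"):
            findings.append(f"{acc['risk_id']}: no accepting owner")
    present = {key.split("_", 1)[0]: (key, item)
               for key, item in checklist.get("checks", {}).items()}
    for asi in ASI_IDS:
        if asi not in present:
            findings.append(f"{asi}: not assessed")
            continue
        key, item = present[asi]
        status = item.get("status")
        residual = item.get("residual_risk")
        if status not in VALID_STATUS:
            findings.append(f"{key}: invalid status {status!r}")
        elif status == "open":
            findings.append(f"{key}: open risk blocks the gate")
        elif status == "not_applicable":
            if not item.get("reason"):
                findings.append(f"{key}: not_applicable requires a reason")
        else:  # mitigated or accepted
            if not item.get("controls"):
                findings.append(f"{key}: no controls listed")
            if (status == "accepted" or residual in NEEDS_SIGNOFF) and asi not in accepted_for:
                findings.append(f"{key}: residual risk {residual!r} has no signed acceptance")
    if findings and checklist.get("overall_risk_posture") == "acceptable":
        findings.append("overall_risk_posture 'acceptable' is contradicted by the findings above")
    return findings


def _mitigated(*controls, residual="low"):
    return {"status": "mitigated", "controls": list(controls), "residual_risk": residual}


SAMPLE_CHECKLIST = {  # constructed from the page's checklist template
    "agent_name": "Customer Support Agent",
    "assessment_date": "2026-03-21",
    "checks": {
        "ASI01_goal_hijack": _mitigated("Semantic firewall in the input pipeline"),
        "ASI02_tool_misuse": _mitigated("Tool allowlist (no dynamic tool discovery)"),
        "ASI03_privilege_abuse": _mitigated("JIT ephemeral tokens per tool call"),
        "ASI04_supply_chain": _mitigated("MCP servers allowlisted", "SBOM generated in CI",
                                         residual="medium"),
        "ASI05_code_execution": {"status": "not_applicable",
                                 "reason": "Agent does not generate or execute code"},
        "ASI06_memory_poisoning": _mitigated("Tenant isolation in vector DB"),
        "ASI07_insecure_inter_agent": {"status": "not_applicable", "reason": "Single agent system"},
        "ASI08_cascading_failures": _mitigated("Circuit breaker: max 10 tool calls per session"),
        "ASI09_human_trust_exploitation": _mitigated("Irreversible actions require step-up auth"),
        "ASI10_rogue_agent": _mitigated("Emergency kill switch accessible to ops team"),
    },
    "overall_risk_posture": "acceptable",
}

SAMPLE_ACCEPTANCES = [{  # constructed from the page's acceptance template
    "risk_id": "RISK-ASI04-001",
    "residual_risk": "medium",
    "compensating_controls": ["Allowlist of permitted tool calls",
                              "Output validation on all MCP responses"],
    "accepted_by": "Security Lead",
    "accepted_date": "2026-03-21",
    "review_date": "2026-06-21",
    "expiry": "2026-09-21",
}]


if __name__ == "__main__":
    for finding in gate8_findings(SAMPLE_CHECKLIST, SAMPLE_ACCEPTANCES, "2026-10-01"):
        print("FAIL", finding)
```

Run with today's date in CI and fail the job on a non-empty list. The date argument is explicit rather than `date.today()` so the same check is reproducible in a review and so the expiry rule can be tested ahead of time; the sample acceptance above passes in April 2026 and fails after its 2026-09-21 expiry, which is exactly the six-month re-evaluation the template demands.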
Minimum deliverables per track
| Artifact | Solo | Lean | Full |
|---|---|---|---|
| Threat model | None formal | Basic STRIDE | Full STRIDE + AI extension |
| OWASP ASI checklist | Not required | Top 5 risks | Complete (10/10) |
| Risk acceptance | None formal | For high risks | Formal, with signatures |
| Compliance matrix | Not required | Basic | Complete + EU AI Act |
| ISO 42001 mapping | Not required | Not required | Correspondence table |
References
- CORE_F08_Backup_DR_Database_Auth.md: backup, DR, authentication
- CORE_F08_Compliance_Regulacion_ISO_SLA.md: compliance and regulation
- CORE_F08_Desarrollo_AI_Gobernanza.md: AI development governance
- framework/guides/OWASP_Agentic_Security_Guide.md: detailed guide
- framework/guides/Data_Governance_AI_Guide.md: data governance
- Skill: /f08_security
AI-First Engineering Framework v6.5 — Phase 8: Security, Compliance & Governance