Microsoft published STRIDE in 1999 as a mnemonic for six threat categories — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege — and it has outlived nearly every framework that followed it because it describes properties of systems, not specific technologies. That durability is now being tested. OWASP's Top 10 for LLM Applications (2025 edition) lists risks STRIDE's original authors never had to consider: LLM01 Prompt Injection, LLM03 Supply Chain, LLM04 Data and Model Poisoning, LLM06 Excessive Agency, LLM07 System Prompt Leakage. Separately, MITRE ATLAS — the Adversarial Threat Landscape for AI Systems, launched with Microsoft in 2020 — now catalogs roughly 16 tactics and 84 techniques spanning reconnaissance through impact, and its 2025 updates added agentic-specific entries for context and memory poisoning and credential harvesting through tool calls. Meanwhile the supply-chain risk is concrete: Sonatype researchers found four separate bypasses in Hugging Face's own picklescan safety tool, and PyTorch's default pickle serialization format still executes arbitrary code on load. This piece walks through how to keep STRIDE's structure while adding the columns an AI-native architecture actually needs.
Does STRIDE still apply to LLM-powered systems?
Yes — STRIDE's categories still hold, but each one now has an AI-specific analogue that a code-only threat model misses entirely. Spoofing traditionally means impersonating a user or service; in an LLM system it also means a prompt injection payload impersonating a system instruction, since the model has no structural way to distinguish "trusted developer instruction" from "text that appeared in a retrieved document" once both are concatenated into the same context window. Tampering traditionally means modifying data in transit or at rest; for a model it also means data or model poisoning, where an attacker manipulates training or fine-tuning data so the model itself becomes the tampered asset. Elevation of Privilege traditionally means a user gaining admin rights; OWASP's LLM06 Excessive Agency describes the same failure mode when an agent is granted more tool permissions, autonomy, or unsupervised action than its task requires. The mapping exercise itself is the useful part — it forces a team to ask "what does Tampering mean for this specific model-serving pipeline" instead of treating AI risk as an unstructured, separate checklist.
What does prompt injection look like as a STRIDE-mapped threat?
Prompt injection maps most directly to Spoofing and, once an agent has tool access, to Elevation of Privilege. OWASP lists it as LLM01 for a reason: unlike SQL injection, there is no reliable syntactic boundary between "instruction" and "data" in a natural-language prompt, so a malicious instruction embedded in a webpage, PDF, email, or tool-call result can be interpreted by the model with the same authority as a instruction from the system prompt. Indirect prompt injection — where the payload arrives via retrieved content rather than direct user input — is the variant that matters most for agentic systems, because the attacker never touches the application's input field at all; they plant the payload in a document, ticket, or API response the agent is expected to read. Threat-modeling this requires tracing every source an agent reads from — not just the chat input — as an untrusted-input boundary, the same discipline applied to tainted data in classic web app threat models, just extended to include retrieved documents, tool outputs, and memory stores as attacker-reachable surfaces.
How should model and weight supply chain be threat-modeled?
Model weights should be threat-modeled as untrusted supply-chain artifacts, not as opaque configuration — the same category discipline applied to a package-lock.json or a container base image. PyTorch's default serialization format is Python's pickle, which executes arbitrary code when a file is deserialized; a malicious model uploaded to a public hub can carry a backdoor triggered on load, before a single inference request runs. Hugging Face ships picklescan to catch this, but Sonatype's research team documented four distinct techniques that bypass it, meaning a scan passing is not proof a weights file is safe. Malicious PyTorch models with embedded backdoors hosted on public model hubs have also been documented by threat-intelligence researchers at ReversingLabs. The STRIDE-relevant mapping is Tampering (the weights file itself was altered or was malicious from creation) and, if the payload executes attacker code on your infrastructure at load time, Elevation of Privilege. A threat model needs a line item for "what happens when this model is loaded" the same way it needs one for "what happens when this dependency's postinstall script runs."
Why do agent tool calls need their own threat category?
Agent tool calls need their own category because they collapse the distinction between "the model said something" and "something happened in the real world" — a boundary that classic application threat models don't have to cross. OWASP's LLM06 Excessive Agency captures the risk directly: an agent wired to a file-write tool, an email-send tool, or a payment API executes real side effects based on model output that may have been influenced by injected instructions or by the model simply hallucinating a plan. MITRE ATLAS's agentic-AI additions through 2025 give this concrete technique names — context and memory poisoning, where an attacker corrupts what an agent believes it already knows or has already done, and credential harvesting via tool calls, where an agent with excessive scope is manipulated into exposing or misusing credentials it holds for legitimate tool use. Threat-modeling this requires enumerating every tool an agent can invoke as a separate trust boundary with its own least-privilege scope, logging every invocation with the prompt that triggered it, and treating "unexpected but technically permitted" tool calls as a detection signal, not just an authorization pass/fail.
What belongs in an AI-native STRIDE worksheet that a standard one doesn't have?
An AI-native worksheet needs explicit rows for model provenance, context-window trust boundaries, and tool-call authorization — three things a standard application data-flow diagram doesn't represent at all. Model provenance covers where weights came from, whether they're signed, and what fine-tuning lineage they carry, mirroring how a software bill of materials tracks a dependency's origin. Context-window trust boundaries require diagramming every source that populates a prompt — user input, retrieved documents, prior tool outputs, long-term memory — and marking which ones are attacker-influenceable, since OWASP's LLM07 System Prompt Leakage and LLM01 Prompt Injection both live at this boundary. Tool-call authorization means mapping each declared tool to the minimum scope it needs and recording what happens if the model requests a tool outside that declared surface. None of this replaces STRIDE's six categories; it extends the data-flow diagram with the objects — models, prompts, tool schemas — that an AI-native architecture introduces alongside the servers and databases STRIDE was originally built to describe.
How Safeguard helps
Safeguard's AI-BOM treats model weights as first-class supply-chain artifacts rather than opaque binaries: it captures weight provenance and hash, signing status, and fine-tune lineage, and scans weights for embedded executable code so a pickle-based payload is flagged before a model ever reaches a load-time gate. Eagle runs statistical tests for model-weight backdoors — trojan triggers and class-level backdoors — and reports a likelihood score with contributing evidence rather than a bare pass/fail. Load-time policy enforcement can block any model whose weight hash doesn't match its attested signature or whose publisher isn't on an allow-list, closing the gap that a picklescan-only workflow leaves open. For the agent side of the threat model, Safeguard retains tool-call logs with prompt and response hashes, validates each call against a declared tool surface, and surfaces unexpected-but-permitted calls and scored prompt-injection attempts — giving a security team the concrete telemetry an AI-native STRIDE worksheet assumes exists but that most teams have never instrumented.