Attack Surfaces (Eight Categories)
The first stage of threat modelling scopes the system’s attack surface: every point where external input enters the system and every point where the system produces output that affects decisions. Eight categories of attack surface relevant to high-risk AI systems are identified.
Data ingestion APIs accept raw data from external sources and are vulnerable to data poisoning, schema manipulation, and injection attacks. Model serving endpoints accept inference requests and are vulnerable to adversarial inputs, model extraction, and denial of service. Operator interfaces present the human oversight layer and are vulnerable to session hijacking, privilege escalation, and interface manipulation. Administrative endpoints provide system management and are vulnerable to unauthorised access and configuration tampering.
Inter-service communication channels carry data between microservices and are vulnerable to man-in-the-middle attacks and data interception. Training pipelines process data into model artefacts and are vulnerable to data poisoning and code injection. Configuration stores hold thresholds, feature flags, and business rules, and are vulnerable to unauthorised modification. External integrations connect to third-party APIs, model providers, and data enrichment services, and are vulnerable to supply chain attacks and data exfiltration.
Each attack surface point is assessed against the combined STRIDE + ATLAS threat taxonomy, with identified threats scored and documented in the threat model.
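The inventory-then-score procedure described above, carried through as an added example (not material from the original page or its programme): the eight surface categories and the vulnerabilities named for each are encoded as a threat inventory, each entry is mapped to a STRIDE class and, where the threat is ML-specific, to a MITRE ATLAS technique, and the result is scored and emitted as a register. The likelihood and impact values and the severity bands are constructed for illustration; the ATLAS technique references reflect the ATLAS matrix as known to the author of this example and should be checked against the current matrix before reuse. The `stride_gaps` check goes slightly beyond the text: it lists, per surface, the STRIDE classes for which nothing was enumerated, so that each one becomes an explicit "considered, not applicable" decision rather than an omission.

```python
"""Eight-category attack-surface inventory scored with STRIDE + ATLAS.

Added example: surface and threat names come from the text; likelihood,
impact and severity bands are constructed; ATLAS references reflect the
MITRE ATLAS matrix as known to the author (verify before reuse).
"""
from __future__ import annotations
import json
from dataclasses import dataclass

# The eight attack-surface categories, in the order the text lists them.
SURFACES = ("Data ingestion API", "Model serving endpoint", "Operator interface",
            "Administrative endpoint", "Inter-service channel", "Training pipeline",
            "Configuration store", "External integration")
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Threat:
    surface: str
    name: str
    stride: str         # one STRIDE letter
    atlas: str | None   # ATLAS technique where the threat is ML-specific
    likelihood: int     # 1..5 (constructed)
    impact: int         # 1..5 (constructed)

    def __post_init__(self) -> None:
        # Reject malformed entries so a typo cannot silently skew the register.
        if self.surface not in SURFACES:
            raise ValueError(f"unknown surface: {self.surface!r}")
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE class: {self.stride!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def severity(score: int) -> str:
    """Band a 1..25 score (constructed thresholds)."""
    return ("critical" if score >= 15 else "high" if score >= 8
            else "medium" if score >= 4 else "low")

# Per-surface enumeration: every vulnerability the text names, mapped to a
# STRIDE class and, where one applies, an ATLAS technique.
INVENTORY = [
    Threat("Data ingestion API", "Data poisoning", "T", "AML.T0020 Poison Training Data", 3, 5),
    Threat("Data ingestion API", "Schema manipulation", "T", None, 3, 3),
    Threat("Data ingestion API", "Injection attack", "E", None, 3, 4),
    Threat("Model serving endpoint", "Adversarial inputs", "T", "AML.T0043 Craft Adversarial Data", 4, 4),
    Threat("Model serving endpoint", "Model extraction", "I", "AML.T0024 Exfiltration via ML Inference API", 3, 4),
    Threat("Model serving endpoint", "Denial of service", "D", "AML.T0029 Denial of ML Service", 4, 3),
    Threat("Operator interface", "Session hijacking", "S", None, 2, 4),
    Threat("Operator interface", "Privilege escalation", "E", None, 2, 5),
    Threat("Operator interface", "Interface manipulation", "T", None, 2, 4),
    Threat("Administrative endpoint", "Unauthorised access", "E", None, 2, 5),
    Threat("Administrative endpoint", "Configuration tampering", "T", None, 2, 4),
    Threat("Inter-service channel", "Man-in-the-middle", "S", None, 2, 4),
    Threat("Inter-service channel", "Data interception", "I", None, 2, 4),
    Threat("Training pipeline", "Data poisoning", "T", "AML.T0020 Poison Training Data", 3, 5),
    Threat("Training pipeline", "Code injection", "E", None, 2, 5),
    Threat("Configuration store", "Unauthorised modification", "T", None, 2, 5),
    Threat("External integration", "Supply chain attack", "T", "AML.T0010 ML Supply Chain Compromise", 3, 5),
    Threat("External integration", "Data exfiltration", "I", None, 2, 4),
]

def uncovered_surfaces(threats: list[Threat]) -> list[str]:
    """Surfaces from the eight-category inventory with no enumerated threat."""
    seen = {t.surface for t in threats}
    return [s for s in SURFACES if s not in seen]

def stride_gaps(threats: list[Threat]) -> dict[str, list[str]]:
    """Per surface, the STRIDE classes for which nothing was enumerated.

    Each gap should become an explicit 'considered, not applicable' note.
    """
    covered: dict[str, set[str]] = {s: set() for s in SURFACES}
    for t in threats:
        covered[t.surface].add(t.stride)
    return {s: [c for c in STRIDE if c not in covered[s]] for s in SURFACES}

def threat_register(threats: list[Threat]) -> list[dict]:
    """Scored register, highest risk first; ties keep the inventory order."""
    ordered = sorted(threats, key=lambda t: (-t.score, SURFACES.index(t.surface), t.name))
    return [{"surface": t.surface, "threat": t.name, "stride": STRIDE[t.stride],
             "atlas": t.atlas, "likelihood": t.likelihood, "impact": t.impact,
             "score": t.score, "severity": severity(t.score)}
            for t in ordered]

def to_json(threats: list[Threat]) -> str:
    """Serialise the register for inclusion in the threat-model document."""
    return json.dumps(threat_register(threats), indent=2)
```

Running `print(to_json(INVENTORY))` prints the register with the adversarial-input threat on the model serving endpoint at the top, followed by the three poisoning and supply-chain entries; `uncovered_surfaces(INVENTORY)` returns an empty list, which is the check that all eight categories were actually enumerated, and `stride_gaps(INVENTORY)` shows that Repudiation has no entry on any surface, the kind of gap an analyst should close with a logging and audit-trail decision per surface.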
Key outputs
- Eight-category attack surface inventory
- Per-surface threat enumeration using STRIDE + ATLAS
- Risk scoring per identified threat
- Module 9 AISDP documentation