Threat Model Document (Living)
The threat model document is the central artefact produced by the threat modelling exercise described above. It is a living document, version-controlled and reviewed whenever the system’s architecture, data sources, deployment context, or threat landscape changes materially. At minimum, the document is reviewed annually, aligned with the risk register review cadence.
The document should include the methodology used (STRIDE for conventional software threats, MITRE ATLAS and the OWASP Top 10 for LLM Applications for AI-specific threats, within a PASTA framework or equivalent), the attack surface inventory, the threat actor profiles, the enumerated threats with risk scores, the mitigations for each threat above the risk acceptance threshold, and the residual risks for threats where full mitigation is not achievable, each with the decision to accept it. The threat model should be structured so that each identified threat maps to a specific control in the AISDP and to a specific test in the cybersecurity testing programme, so that the chain from threat to control to test can be followed in either direction.
The Technical SME produces the threat model using structured tooling (IriusRisk, OWASP Threat Dragon, or equivalent) and stores it in the version control system. The threat model feeds directly into the cybersecurity testing programme: penetration testing and adversarial ML testing should exercise the threats identified in the model. The document is Module 9’s primary reference and is reviewed by the notified body or competent authority during conformity assessment.
Key outputs
- Structured threat model document (living, version-controlled)
- Methodology, attack surfaces, threat actors, threats, mitigations, residual risks
- Annual review schedule with change-triggered updates
- Module 9 AISDP evidence
Per-Threat Control Mapping
The per-threat control mapping is a structured table or matrix that links each identified threat from the threat model to the specific controls that mitigate it, the AISDP module that documents the control, and the test that verifies the control’s effectiveness. This mapping serves as the navigable index between the threat model and the rest of the AISDP.
The mapping enables an assessor to trace from any threat to its mitigations, from any mitigation to its documentation, and from any test to the threat it exercises. It also enables gap analysis in both directions: a threat above the risk acceptance threshold with no mapped control is an unmitigated risk unless it is recorded in the threat model as an accepted residual risk; a control with no mapped test is an unverified mitigation; and a test that exercises no mapped control adds nothing to the evidence trail. Identifiers that no longer resolve (a threat citing a control that was retired, a test citing a control that was renamed) are gaps of the same kind and should be flagged by whatever produces the matrix. The mapping should cover both traditional software threats (STRIDE-derived) and AI-specific threats (ATLAS and OWASP LLM-derived).
The mapping is maintained alongside the threat model and updated whenever threats, controls, or tests change. It feeds into the cybersecurity testing programme’s scope definition and the conformity assessment’s evidence trail. The per-threat control mapping is retained as Module 9 evidence.
Key outputs
- Threat-to-control-to-test mapping matrix
- Gap analysis for unmitigated threats and unverified controls
- Maintained alongside the threat model document
- Module 9 AISDP evidence
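As an added example, not part of the AISDP or of any tooling named above, the following Python shows the gap rules from the threat model and mapping sections applied to a small constructed model. All identifiers (T-xx, C-xx, TST-xx), titles, the 1-5 likelihood and impact scale, the acceptance threshold and the AISDP module numbers are placeholders chosen for illustration. `trace` walks threat to control to test the way an assessor does and counts the preventive and recovery barriers per threat; `gap_analysis` reports threats above threshold with no control, accepted residuals, controls no test exercises, identifiers that do not resolve, and tests with no path back to a threat.

```python
"""Gap analysis over a threat-to-control-to-test mapping (constructed example).

Identifiers, titles, scores and module numbers are placeholders, not a real threat model.
"""
from collections import defaultdict

# Assumed scoring scheme: likelihood x impact, each 1-5. A threat scoring strictly above
# the threshold must map to a control or carry a recorded residual-risk decision.
RISK_ACCEPTANCE_THRESHOLD = 6

THREAT_MODEL = {
    "threats": [
        {"id": "T-01", "source": "STRIDE/Tampering", "likelihood": 3, "impact": 5,
         "title": "Poisoned training data in the ingestion pipeline", "controls": ["C-01", "C-02"]},
        {"id": "T-02", "source": "ATLAS", "likelihood": 4, "impact": 4,
         "title": "Model extraction through high-volume inference queries", "controls": ["C-03"]},
        {"id": "T-03", "source": "OWASP-LLM", "likelihood": 4, "impact": 4,
         "title": "Indirect prompt injection via retrieved documents", "controls": []},
        {"id": "T-04", "source": "STRIDE/Information Disclosure", "likelihood": 2, "impact": 2,
         "title": "Verbose stack traces on an internal endpoint", "controls": []},
        {"id": "T-05", "source": "ATLAS", "likelihood": 3, "impact": 3,
         "title": "Membership inference against the published model", "controls": [],
         "residual_risk": "Accepted: training set contains no personal data."},
        {"id": "T-06", "source": "STRIDE/Spoofing", "likelihood": 3, "impact": 5,
         "title": "Unauthenticated access to the model registry", "controls": ["C-04", "C-05"]},
    ],
    # kind is the bow-tie side the control sits on: preventive (left) or recovery (right).
    "controls": [
        {"id": "C-01", "kind": "preventive", "module": 5, "title": "Signed, hash-verified dataset manifests"},
        {"id": "C-02", "kind": "recovery", "module": 7, "title": "Quarantine and rollback of a batch on drift alert"},
        {"id": "C-03", "kind": "preventive", "module": 4, "title": "Per-client inference rate limits"},
        {"id": "C-04", "kind": "preventive", "module": 4, "title": "mTLS and RBAC on the model registry"},
        {"id": "C-05", "kind": "recovery", "module": 8, "title": "Registry audit log and model rollback runbook"},
    ],
    "tests": [
        {"id": "TST-01", "programme": "pentest", "controls": ["C-01"]},
        {"id": "TST-02", "programme": "adversarial-ml", "controls": ["C-02", "C-03"]},
        {"id": "TST-03", "programme": "pentest", "controls": ["C-05"]},
        {"id": "TST-04", "programme": "pentest", "controls": ["C-99"]},  # stale: C-99 no longer exists
    ],
}


def risk_score(threat):
    return threat["likelihood"] * threat["impact"]


def _index(model):
    """Control lookup plus the reverse edge test -> control that the mapping table stores."""
    controls = {c["id"]: c for c in model["controls"]}
    tests_for_control = defaultdict(list)
    for test in model["tests"]:
        for cid in test["controls"]:
            tests_for_control[cid].append(test["id"])
    return controls, tests_for_control


def trace(model, threat_id):
    """Walk threat -> controls (with AISDP module) -> tests, the path an assessor follows."""
    controls, tests_for_control = _index(model)
    threat = next(t for t in model["threats"] if t["id"] == threat_id)
    mapped = [controls[cid] for cid in threat["controls"] if cid in controls]
    return {
        "threat": threat_id,
        "risk_score": risk_score(threat),
        "controls": [{"id": c["id"], "kind": c["kind"], "module": c["module"],
                      "tests": sorted(tests_for_control.get(c["id"], []))} for c in mapped],
        # Barrier counts per side are what the bow-tie diagram for this risk draws.
        "barriers": {kind: sum(1 for c in mapped if c["kind"] == kind)
                     for kind in ("preventive", "recovery")},
    }


def gap_analysis(model, threshold=RISK_ACCEPTANCE_THRESHOLD):
    """Find every break in the threat -> control -> test chain."""
    controls, tests_for_control = _index(model)
    mapped_controls = {cid for t in model["threats"] for cid in t["controls"]}
    findings = {"unmitigated_threats": [], "accepted_residual_risks": [],
                "unverified_controls": [], "dangling_references": [], "orphan_tests": []}
    for threat in model["threats"]:
        findings["dangling_references"] += [(threat["id"], c) for c in threat["controls"] if c not in controls]
        if risk_score(threat) <= threshold:
            continue  # within risk appetite: a control is optional
        if not threat["controls"]:
            key = "accepted_residual_risks" if threat.get("residual_risk") else "unmitigated_threats"
            findings[key].append(threat["id"])
    findings["unverified_controls"] = [cid for cid in controls if cid not in tests_for_control]
    for test in model["tests"]:
        findings["dangling_references"] += [(test["id"], c) for c in test["controls"] if c not in controls]
        if not any(c in mapped_controls for c in test["controls"]):
            findings["orphan_tests"].append(test["id"])  # no path back to any threat
    return findings


if __name__ == "__main__":
    for key, items in gap_analysis(THREAT_MODEL).items():
        print(f"{key}: {items}")
    print(trace(THREAT_MODEL, "T-06"))
```

On the constructed data this flags T-03 as unmitigated, T-05 as an accepted residual, C-04 as unverified, and TST-04 as both dangling and orphaned; T-04 is ignored because it sits within appetite. Keeping the three relations in one machine-readable model, rather than in a spreadsheet edited by hand, is what lets the same check run on every change that triggers a threat model review.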
Bow-Tie Diagrams (Top 10 Risks)
Bow-tie diagrams provide a visual representation of the relationship between threats, barriers (preventive controls), the hazardous event, consequences, and recovery controls. For the top ten risks identified in the threat model, bow-tie diagrams present the risk management story in a format accessible to both technical and governance audiences.
Each diagram shows the threat sources on the left, the preventive barriers (controls that reduce the likelihood of the threat materialising), the central hazardous event, the consequence pathways on the right, and the recovery barriers (controls that reduce the impact if the event occurs). This structure makes the defence-in-depth strategy visible: an assessor can see how many independent barriers stand between each threat and its consequences, and what happens if one barrier fails. The count only means something if the barriers are genuinely independent; two controls that fail together (for example, both depending on the same identity provider or the same logging pipeline) should be drawn and counted as a single barrier.
The bow-tie diagrams complement the per-threat control mapping by providing a visual, narrative format that is more accessible for governance reviews and stakeholder communication. They are particularly useful for communicating risk management decisions to the AI Governance Lead, Legal and Regulatory Advisor, and senior stakeholders who may not engage with the full threat model detail. The diagrams are version-controlled and updated alongside the threat model.
Key outputs
- Bow-tie diagrams for the top ten risks from the threat model
- Visual mapping of preventive and recovery barriers per risk
- Governance-accessible format for risk communication
- Module 6 and Module 9 AISDP evidence