Threat Taxonomy for Agentic AI
STRIKE defines six threat categories specific to autonomous AI systems: Spoofing, Tampering, Reflection Abuse, Information Leakage, Kill Chain Extension, and Emergence. Each category maps to ACR controls, detection mechanisms, response actions, and evidence artifacts.
**Spoofing**

Identity falsification, credential theft, agent impersonation.

- Control Layer: Identity and Purpose
- Controls: Identity validation, cryptographic proof, anti-replay protection, executor verification
- Detection: Identity validation failure, token verification failure, replay detection
- Response: Deny execution, refuse authority, activate safe-state if configured
- Evidence: Agent record, identity-validation log, executor rejection log
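The Spoofing controls above (identity validation, cryptographic proof, anti-replay protection, executor verification) can be combined into one check at the executor boundary. The following is an added example, not code from STRIKE or ACR; the agent key table, the HMAC token format, the `ReplayCache` class and the result names in the evidence record are all assumptions made for illustration. Each failure path produces the detection named in the card (identity validation failure, token verification failure, replay detection, executor rejection) and the returned record is the identity-validation log entry.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secrets for the example. A real deployment would hold per-agent
# keys in a KMS or use asymmetric signatures; nothing here is ACR's actual API.
AGENT_KEYS = {"agent-inventory-01": b"constructed-secret-key-inventory"}
TOKEN_TTL_SECONDS = 300


class ReplayCache:
    """Remembers nonces seen within the token TTL so a captured token cannot be replayed."""

    def __init__(self):
        self._seen = {}  # nonce -> expiry timestamp

    def check_and_store(self, nonce, now):
        for n in [n for n, exp in self._seen.items() if exp <= now]:
            del self._seen[n]  # drop nonces whose tokens can no longer be valid anyway
        if nonce in self._seen:
            return False
        self._seen[nonce] = now + TOKEN_TTL_SECONDS
        return True


def canonical(claims):
    # Canonical JSON so signer and verifier hash identical bytes
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def sign_claims(claims, key):
    return hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()


def issue_token(agent_id, executor_id, nonce, iat):
    """Constructed token issuer: claims bound to one executor, one nonce, one issue time."""
    claims = {"agent_id": agent_id, "executor": executor_id, "nonce": nonce, "iat": iat}
    return {"claims": claims, "sig": sign_claims(claims, AGENT_KEYS[agent_id])}


def validate_identity(token, executor_id, replay_cache, now=None):
    """Return (allowed, evidence); evidence is the identity-validation log record."""
    now = time.time() if now is None else now
    claims, sig = token["claims"], token["sig"]
    record = {"agent_id": claims.get("agent_id"), "executor": executor_id, "ts": now}

    key = AGENT_KEYS.get(claims.get("agent_id"))
    if key is None:  # unknown agent identity
        record["result"] = "identity_validation_failure"
        return False, record
    if not hmac.compare_digest(sign_claims(claims, key), sig):  # cryptographic proof
        record["result"] = "token_verification_failure"
        return False, record
    if not (claims["iat"] <= now < claims["iat"] + TOKEN_TTL_SECONDS):
        record["result"] = "token_expired"
        return False, record
    if claims["executor"] != executor_id:  # executor verification
        record["result"] = "executor_rejection"
        return False, record
    if not replay_cache.check_and_store(claims["nonce"], now):  # anti-replay
        record["result"] = "replay_detected"
        return False, record
    record["result"] = "identity_validated"
    return True, record
```

The checks are ordered so that the cheapest rejection (unknown identity) happens first and the nonce is only stored once the signature, lifetime and executor binding have all passed; otherwise an attacker could fill the replay cache with unsigned garbage.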
**Tampering**

Payload alteration, authorization manipulation, audit chain disruption.

- Control Layer: Policy Enforcement; Observability
- Controls: Payload binding, authorization integrity validation, tamper-evident logging
- Detection: Payload hash mismatch, signature failure, audit-chain break detection
- Response: Deny execution, preserve evidence, activate containment if repeated or severe
- Evidence: Execution authorization record, verification-failure log, integrity-verification record
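Two of the Tampering controls, payload binding and tamper-evident logging, fit naturally together: the authorization commits to a hash of the payload, and every authorization, verification failure and integrity verification is appended to a hash-chained audit log whose links can be checked later. The code below is an added example written for this page, not STRIKE or ACR code; the `AuditChain` class, the record field names and the event types are assumptions.

```python
import hashlib
import json


def digest(obj):
    """SHA-256 over canonical JSON so the same payload always hashes the same way."""
    return hashlib.sha256(
        json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


class AuditChain:
    """Append-only log: each entry commits to the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "event": event, "prev": prev}
        entry["hash"] = digest({"seq": entry["seq"], "event": event, "prev": prev})
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the index of the first broken link, or None if the chain is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            expected = digest({"seq": i, "event": e["event"], "prev": prev})
            if e["seq"] != i or e["prev"] != prev or e["hash"] != expected:
                return i  # audit-chain break detected here
            prev = e["hash"]
        return None


def authorize(agent_id, action, payload, chain):
    """Issue an execution authorization bound to the exact payload that was approved."""
    auth = {"agent_id": agent_id, "action": action, "payload_sha256": digest(payload)}
    chain.append({"type": "execution_authorization", **auth})
    return auth


def execute(auth, payload, chain):
    """Execute only if the presented payload matches the digest bound into the authorization."""
    actual = digest(payload)
    if actual != auth["payload_sha256"]:
        # Evidence is preserved before the denial is returned
        chain.append({"type": "verification_failure", "agent_id": auth["agent_id"],
                      "expected": auth["payload_sha256"], "actual": actual})
        return {"decision": "deny", "reason": "payload_hash_mismatch"}
    chain.append({"type": "integrity_verification", "agent_id": auth["agent_id"],
                  "payload_sha256": actual})
    return {"decision": "allow", "action": auth["action"]}
```

A hash chain only makes tampering evident; it does not prevent someone with write access from rewriting every later entry. In practice the head hash is periodically anchored somewhere the agent runtime cannot write (a signed checkpoint or an external log), which is what turns chain-break detection into a reliable control.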
**Reflection Abuse**

Prompt injection, jailbreak, input manipulation reflected into execution.

- Control Layer: Policy Enforcement; Drift Detection
- Controls: Input validation, injection detection, output and action constraints
- Detection: Injection alert, repeated denial pattern, prompt-manipulation indicator
- Response: Deny or modify action, escalate if threshold exceeded, restrict agent if persistent
- Evidence: Input-validation log, policy decision record, drift or anomaly record
**Information Leakage**

Unauthorized data exposure, sensitive content in outputs, access scope violations.

- Control Layer: Policy Enforcement; Observability
- Controls: Data access scoping, output filtering, redaction, destination restriction
- Detection: Output filter match, sensitive-data detection alert, unauthorized data-access attempt
- Response: Modify or deny output, deny access, escalate or isolate if repeated
- Evidence: Output-filter log, policy decision record, access-control log
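The Information Leakage card lists four controls that operate at two points: data access scoping before the agent reads anything, and output filtering, redaction and destination restriction before anything leaves. The example below is added for this page and is not STRIKE or ACR code; the agent scope table, the detector patterns, the `EXAMPLEKEY_` token prefix and the per-destination allow list are constructed assumptions, and real deployments would replace the regexes with a DLP classifier.

```python
import re

# Constructed scope for one agent: data classes it may read, destinations it may write to
AGENT_SCOPE = {
    "agent-support-01": {
        "data": {"ticket", "order"},
        "destinations": {"support-console", "customer-email"},
    }
}

# Constructed sensitive-data detectors (a real deployment would plug in a DLP engine)
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "api_key": re.compile(r"\bEXAMPLEKEY_[A-Za-z0-9]{8,}\b"),
}

# Which sensitive classes may flow to which destination; anything else is redacted
DESTINATION_ALLOW = {"customer-email": {"email"}, "support-console": {"email", "card"}}


def check_data_access(agent_id, data_class):
    """Data access scoping: returns the access-control log record for the attempt."""
    scope = AGENT_SCOPE.get(agent_id, {"data": set()})
    allowed = data_class in scope["data"]
    return {
        "decision": "allow" if allowed else "deny",
        "agent_id": agent_id,
        "data_class": data_class,
        "event": None if allowed else "unauthorized_data_access_attempt",
    }


def filter_output(agent_id, text, destination):
    """Destination restriction, then output filtering with redaction.

    Returns the output-filter log record: decision, reason, filtered text, detector matches.
    """
    scope = AGENT_SCOPE.get(agent_id, {"destinations": set()})
    if destination not in scope["destinations"]:
        return {"decision": "deny", "reason": "destination_not_permitted",
                "text": None, "matches": []}

    permitted = DESTINATION_ALLOW.get(destination, set())
    matches = []
    for name, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(text):
            matches.append(name)  # sensitive-data detection alert
            if name not in permitted:
                text = pattern.sub(f"[REDACTED:{name}]", text)
    modified = any(m not in permitted for m in matches)
    return {"decision": "modify" if modified else "allow", "reason": None,
            "text": text, "matches": matches}
```

The returned `matches` list is what feeds the "escalate or isolate if repeated" response: a counter over those records per agent, compared against a documented threshold, is all that is needed to move from modifying outputs to restricting the agent.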
**Kill Chain Extension**

Multi-step attack progression, unauthorized chaining, lateral movement through agents.

- Control Layer: Policy Enforcement; Containment
- Controls: Sequence-aware policy, destination restriction, network isolation, graduated containment
- Detection: Novel sequence detection, unauthorized destination attempt, anomalous chaining indicator
- Response: Restrict, isolate, or kill according to documented severity thresholds
- Evidence: Drift record, sequence-analysis record, containment log
**Emergence**

Novel unexpected behaviors, out-of-purpose actions, capability drift beyond approved scope.

- Control Layer: Drift Detection; Human Authority
- Controls: Purpose binding, drift detection, approval gating, containment thresholds
- Detection: Drift-threshold crossing, novel behavior detection, out-of-purpose action attempt
- Response: Escalate, restrict, isolate, or kill according to documented response tiers
- Evidence: Drift baseline, drift alert record, approval record, containment log
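The Kill Chain Extension and Emergence cards share a mechanism: a purpose binding and a baseline of expected action sequences, a drift score that grows as the agent departs from them (novel sequences, unauthorized destinations, out-of-purpose actions), and documented tiers that map the score to escalate, restrict, isolate or kill. The code below is an added example that serves both cards and is not STRIKE or ACR code; the purpose table, the indicator weights, the tier thresholds and the `DriftMonitor` class are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed purpose binding for one agent: allowed actions, allowed destinations, and
# the baseline of (previous, next) action pairs observed during approved operation
PURPOSE = {
    "agent-reporting-01": {
        "allowed_actions": {"read_db", "render_report", "send_report"},
        "allowed_destinations": {"reports.internal"},
        "baseline_sequences": {("read_db", "render_report"), ("render_report", "send_report")},
    }
}

# Constructed indicator weights and documented response tiers (highest threshold first)
WEIGHTS = {"novel_sequence": 1, "unauthorized_destination": 2, "out_of_purpose_action": 2}
RESPONSE_TIERS = [(6, "kill"), (4, "isolate"), (2, "restrict"), (1, "escalate")]


class DriftMonitor:
    """Sequence-aware policy plus drift scoring with graduated containment."""

    def __init__(self, agent_id):
        self.agent_id = agent_id
        self.purpose = PURPOSE[agent_id]
        self.last_action = None
        self.indicators = Counter()
        self.records = []  # drift records and sequence-analysis records

    def drift_score(self):
        return sum(WEIGHTS[k] * n for k, n in self.indicators.items())

    def response_for(self, score):
        for threshold, response in RESPONSE_TIERS:
            if score >= threshold:
                return response
        return "allow"

    def observe(self, action, destination=None):
        """Evaluate one proposed step; return the policy decision with its evidence record."""
        found = []
        if action not in self.purpose["allowed_actions"]:
            found.append("out_of_purpose_action")
        if destination is not None and destination not in self.purpose["allowed_destinations"]:
            found.append("unauthorized_destination")
        if (self.last_action is not None
                and (self.last_action, action) not in self.purpose["baseline_sequences"]):
            found.append("novel_sequence")

        self.indicators.update(found)
        score = self.drift_score()
        record = {
            "agent_id": self.agent_id,
            "step": (self.last_action, action, destination),
            "indicators": found,
            "drift_score": score,
            "response": self.response_for(score),
        }
        self.records.append(record)
        self.last_action = action
        return record
```

Because the score accumulates across the session rather than being evaluated per step, a chain of individually minor deviations still crosses the restrict and isolate thresholds, which is the behaviour the "graduated containment" and "drift-threshold crossing" entries call for. Where approval gating applies, the `escalate` tier is the point at which a human approval record would be required before the agent continues.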
STRIKE categories mapped to ACR control layers.
| Threat | Control Layer | Required Control | Detection | Response | Evidence |
|---|---|---|---|---|---|
| Spoofing | Identity and Purpose | Identity validation, cryptographic proof, anti-replay protection, executor verification | Identity validation failure, token verification failure, replay detection | Deny execution, refuse authority, activate safe-state if configured | Agent record, identity-validation log, executor rejection log |
| Tampering | Policy Enforcement; Observability | Payload binding, authorization integrity validation, tamper-evident logging | Payload hash mismatch, signature failure, audit-chain break detection | Deny execution, preserve evidence, activate containment if repeated or severe | Execution authorization record, verification-failure log, integrity-verification record |
| Reflection Abuse | Policy Enforcement; Drift Detection | Input validation, injection detection, output and action constraints | Injection alert, repeated denial pattern, prompt-manipulation indicator | Deny or modify action, escalate if threshold exceeded, restrict agent if persistent | Input-validation log, policy decision record, drift or anomaly record |
| Information Leakage | Policy Enforcement; Observability | Data access scoping, output filtering, redaction, destination restriction | Output filter match, sensitive-data detection alert, unauthorized data-access attempt | Modify or deny output, deny access, escalate or isolate if repeated | Output-filter log, policy decision record, access-control log |
| Kill Chain Extension | Policy Enforcement; Containment | Sequence-aware policy, destination restriction, network isolation, graduated containment | Novel sequence detection, unauthorized destination attempt, anomalous chaining indicator | Restrict, isolate, or kill according to documented severity thresholds | Drift record, sequence-analysis record, containment log |
| Emergence | Drift Detection; Human Authority | Purpose binding, drift detection, approval gating, containment thresholds | Drift-threshold crossing, novel behavior detection, out-of-purpose action attempt | Escalate, restrict, isolate, or kill according to documented response tiers | Drift baseline, drift alert record, approval record, containment log |
