Why Regular Threat Modeling Doesn’t Work with Agentic AI

Threat Modeling needs to evolve with Agentic AI

Last week I talked about how Autonomy and Hallucinations are a deadly combination in Agentic AI

Read about it here

The danger of AI agents is they don't just respond to prompts; they pursue goals, interact with environments, and adapt over time.

They can plan multi-step workflows, coordinate with other agents, and invoke external tools to achieve complex objectives.

But this leap in capability comes with a corresponding leap in risk — and unfortunately, our traditional security toolkits are not ready.

Traditional Threat Modeling: A Quick Recap

Threat modeling is a foundational discipline in cybersecurity.

It helps organizations anticipate and mitigate security risks during system design.

Over the years, several established frameworks have guided security architects:

• STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)

• PASTA (Process for Attack Simulation and Threat Analysis)

These methods are excellent for systems with predictable behavior, static workflows, and clearly defined user roles and interactions.

They help identify what could go wrong when users interact with applications, data flows cross trust boundaries, or adversaries attempt to manipulate infrastructure.

But Agentic AI doesn’t fit this mold.

Here’s why.

The Problem: Agentic AI Defies Traditional Models

1. Autonomy Changes Everything

Traditional threat modeling assumes that systems do what they’re programmed to do.

But Agentic AI does what it decides to do — based on its interpretation of goals, context, and past experiences.

This introduces new risks:

• Goal misalignment (agent optimizes for the wrong outcome)

• Unpredictable decision-making

• Autonomous escalation of actions

You can’t simply model inputs, outputs, and data flows anymore.

You have to model intent and emergent behavior — which most traditional frameworks do not address.

2. Agents Learn, Adapt, and Evolve

Agentic systems are not static. They learn continuously, adapt to new information, and adjust their strategies over time.

This invalidates a key assumption of regular threat modeling: that once you map the system and its components, the model is accurate until a version change.

In an Agentic system:

• An agent’s behavior today may differ from its behavior tomorrow

• Memory and reasoning chains change dynamically

• Threat surfaces shift as the agent learns or is updated

Threat models need to evolve in real-time, not just during design phases.

3. Multi-Agent Systems Multiply the Risk

Many deployments of Agentic AI involve multiple interacting agents. These agents may collaborate, compete, or influence each other.

Traditional frameworks don’t account for:

• Collusion: Agents coordinating to achieve unintended goals

• Competition: Resource contention or malicious behavior between agents

• Cascading failure: One agent’s error propagating through the system

These systems require threat modeling at the ecosystem level, not just the component level.

4. Goal Misinterpretation is a Threat Vector

In a traditional system, errors come from inputs or bad logic.

In Agentic AI, entire classes of risk arise from goal misinterpretation.

For example:

• An AI tasked with “minimizing costs” may shut down critical infrastructure.

• A support agent told to “reduce ticket volume” might auto-close unresolved cases.

These are not “bugs” or “attacks” in the traditional sense — they’re design oversights with security implications.

Regular frameworks don’t model this type of value hacking or misaligned optimization.

5. Tool Use Expands the Attack Surface

Agentic AI often includes access to tools: browsers, file systems, APIs, cloud services. It can use these tools without immediate human approval.

This introduces risks like:

• Tool hijacking

• Privilege escalation through chains of tools

• Prompt injection that causes agents to execute unintended actions

Traditional frameworks don’t cover how autonomous agents select and invoke tools — or how an attacker might influence that process.

6. Memory and Long-Term State Become Vulnerabilities

Agents often maintain persistent memory to track goals, conversations, or user preferences.

This memory is modifiable, which opens the door to:

• Memory poisoning

• Data leakage

• Replay attacks

Legacy frameworks are focused on protecting databases or files — not understanding how dynamic memory influences future AI behavior.

7. Explainability and Auditability Are Missing Links

When something goes wrong in a traditional system, logs and code paths can help you trace the issue.

With Agentic AI, the reasoning chain may span hundreds of actions and decisions — some opaque, some emergent.

Standard threat modeling doesn’t account for:

• Auditability of decision-making

• Explainability of agent behavior

• Postmortems on AI actions

Security failures could happen without any clear trace — and traditional models don’t prepare you for that.

What’s Needed Instead: A New Kind of Threat Modeling

Frameworks like STRIDE, PASTA, and LINDDUN still have value, but they require augmentation to keep up with the autonomy, learning, and unpredictability of agentic systems.

Let’s break down the core enhancements needed — and how they can be layered into existing models.

Security teams need threat modeling that’s:

• Layered — accounts for AI model behavior, memory, decision logic, tool use, and user interaction

• Dynamic — continuously updated as agents learn and evolve

• Agent-aware — models both individual agent behavior and multi-agent ecosystem

• Goal-centric — focused on misalignment, optimization traps, and value corruption

• Explainable — builds in mechanisms for tracing decisions and behaviors

How To Apply This In Practise ?

Rather than reinventing threat modeling from scratch, organizations can augment their existing approaches like STRIDE with the following additions:

• Perform layer-by-layer analysis: Apply STRIDE to each functional component of the agentic system — model, memory, planning, tools, interfaces.

• Include goal and value alignment checks in the threat enumeration phase.

• Add categories for autonomous behavior risks, such as unsupervised loops or tool abuse.

• Integrate continuous threat model updating as part of the AI development lifecycle.

• Use STRIDE’s tampering and spoofing categories to model prompt injection and memory poisoning attacks.

• Extend repudiation to cover decision transparency and explainability concerns.

By adapting familiar tools and adding AI-specific layers and threat types, organizations can evolve their threat modeling practices to meet the demands of the Agentic Era — without starting from zero.

Agentic AI is not a futuristic dream.

It’s already here — in customer support systems, security operations, DevOps automation, and even personal productivity apps.

But too many organizations are treating it like regular software or traditional AI.

They’re relying on outdated threat models that can’t anticipate or contain the risks posed by autonomous, learning, tool-using agents.

To keep up, security teams need to shift from protecting static systems to governing dynamic intelligence.

The sooner we stop treating Agentic AI like just another tech upgrade — and start treating it like the paradigm shift it is — the safer, more reliable, and more trustworthy our systems will be.