Blog 2.3 Agentic Risks: Threat Modeling

Armed with a robust understanding of the risks to a system (what can go wrong?), organizations are ready to begin the important work of threat modeling that system to determine what can be done about those risks. Traditional threat modeling frameworks like STRIDE, PASTA, and OCTAVE remain extremely useful for conventional applications and legacy systems, but agentic AI, especially multi-agent systems (MAS), requires models that capture the autonomy, memory, and tool use that define the agentic threat surface. That is where MAESTRO steps in.

MAESTRO Explained

Created by AI security leader Ken Huang, MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome) is the first threat modeling framework purpose-built for Agentic AI. Where older methodologies map threats to static application components, MAESTRO looks at the seven architectural layers of agentic systems: from the foundation models themselves, to the data pipelines they consume, to the agent frameworks, deployment infrastructure, observability, compliance guardrails, and finally the broader ecosystem where agents interact with humans and each other.

It emphasizes how multi-agent systems interact not only with one another but also with their broader environment, like a self-driving car adjusting for other vehicles, pedestrians, and weather conditions. Security is treated as a property of every layer of the agentic architecture rather than a single barrier. The framework accounts for uniquely AI-driven threats like adversarial machine learning and autonomy risks, while prioritizing them based on likelihood and impact within the agent’s operational context. And because agentic systems change as they learn, MAESTRO recognizes that threat models cannot be static; they must be revisited continuously as agents adapt and roles evolve. This ever-changing nature of agentic systems is one reason MAESTRO calls for continuous monitoring, intelligence-driven adaptation, and iterative model updates, so that defenses keep pace with the systems they protect.

MAESTRO’s 7 Layers

MAESTRO decomposes the agentic AI architecture into 7 layers. Threat modeling is performed for each layer and then at the intersection points between layers. Layer 1 is the foundation models that supply reasoning, generation, and multimodal capabilities. Layer 2 handles data operations, managing pipelines, vector databases, and retrieval. Layer 3 introduces the frameworks and tools used to create functioning intelligent agents. Layer 4 addresses infrastructure and deployment requirements, using cloud platforms, orchestration, and CI/CD pipelines to run agents at scale. Layer 5 is the evaluation and observability layer and includes monitoring, logging, and auditability. Layer 6 covers security and compliance and cuts across every other layer. And Layer 7 is the agent ecosystem, including agentic marketplaces and external tools.

While it’s important to understand risks at each layer, one of the most helpful aspects of MAESTRO is its focus on cross-layer threats, because vulnerabilities in one part of the agent architecture can propagate across the whole system. For example, a supply-chain compromise, like a malicious library in an agent framework, can cascade upward into business applications. Lateral movement allows attackers who breach one layer, like development tools, to pivot into others such as data operations. Goal misalignment can also cascade: a poisoned dataset distorts one agent’s objectives, and the distortion then spreads through the ecosystem as agents interact. Together, these scenarios illustrate why defense-in-depth and continuous monitoring are essential to contain failures before they escalate system-wide.

Getting Started with MAESTRO

To get started, break down your agentic systems into the seven layers. At each layer, identify what the agents are supposed to do, how they interact, and where they could be vulnerable. Then look beyond the silos and ask how weaknesses in one layer might ripple into another, so that you are looking at the system as a whole rather than at parts in isolation.

With this information, teams can design mitigation strategies that address both layer-specific issues and cross-layer dependencies, while also accounting for AI-specific risks like model manipulation. The process doesn’t stop after implementation; keep the model up to date with continuous monitoring and adaptation as systems and threats evolve. 
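The worksheet below turns the steps above into a small, inspectable model: threats are tagged with a MAESTRO layer, scored by likelihood times impact, and cross-layer paths are recorded so a compromise's reach can be walked. It is an added example, not code from the original post or from MAESTRO itself; the sample threats, scores and layer-to-layer edges are constructed to mirror the scenarios the post describes.

```python
from collections import deque
from dataclasses import dataclass, field

# MAESTRO's seven layers as described in the post.
LAYERS = {1: "Foundation Models", 2: "Data Operations", 3: "Agent Frameworks", 4: "Deployment",
          5: "Evaluation & Observability", 6: "Security & Compliance", 7: "Agent Ecosystem"}

@dataclass
class Threat:
    name: str
    layer: int
    likelihood: int  # 1 (rare) .. 5 (expected), judged in the agent's operating context
    impact: int      # 1 (negligible) .. 5 (catastrophic)
    def score(self) -> int:
        return self.likelihood * self.impact

@dataclass
class ThreatModel:
    threats: list = field(default_factory=list)
    propagation: dict = field(default_factory=dict)  # layer -> layers it can ripple into
    def add_threat(self, t: Threat) -> None:
        if t.layer not in LAYERS:
            raise ValueError(f"unknown MAESTRO layer {t.layer}")
        self.threats.append(t)

    def link(self, src: int, dst: int) -> None:  # weakness in src can propagate into dst
        self.propagation.setdefault(src, set()).add(dst)

    def prioritized(self) -> list:  # likelihood x impact, highest first
        return sorted(self.threats, key=Threat.score, reverse=True)

    def cascade(self, start: int) -> set:
        # Breadth-first walk over cross-layer edges: every layer reachable from `start`.
        seen, queue = {start}, deque([start])
        while queue:
            new = self.propagation.get(queue.popleft(), set()) - seen
            seen |= new
            queue.extend(new)
        return seen - {start}

def example_model() -> ThreatModel:
    # Constructed sample entries mirroring the post's scenarios; scores are hypothetical.
    m = ThreatModel()
    m.add_threat(Threat("Malicious library pulled into agent framework", 3, 3, 5))
    m.add_threat(Threat("Poisoned dataset distorts agent objectives", 2, 2, 5))
    m.add_threat(Threat("Breach of CI/CD tooling pivots into data ops", 4, 3, 4))
    m.add_threat(Threat("Tool-call audit logs not retained", 5, 4, 2))
    for src, dst in [(3, 7), (4, 2), (2, 1), (2, 7), (1, 7)]:  # cross-layer paths
        m.link(src, dst)
    return m
```

Running `example_model().cascade(4)` shows the lateral-movement scenario from the post: a breach of deployment tooling reaches data operations, then the foundation models and the wider ecosystem, which is the set of layers whose mitigations must be reviewed together.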

Threat modeling agentic AI may seem like a lot to digest, but it is well worth the time. Done right, it will reduce the risk of catastrophic security failures in deployment and help prevent dead-in-the-water POCs that never launch. This is a new technology; perform threat modeling to ensure your company is deploying it effectively without introducing unacceptable business risk.