AI Security Framework

PHANTOMRISE

An AI-native security framework with 11 categories — threats, failure modes, and conditions STRIDE wasn't built for. Mapped to OWASP LLM Top 10 (2025) and OWASP Agentic Top 10 (2026).
11 threat categories · 20 OWASP items covered · 3 novel categories · 100% OWASP coverage
P: Poisoning
Training data, RAG stores, embeddings, agent memory, eval datasets
Every data surface an AI system relies on is an attack surface. An attacker who poisons a RAG store manipulates every answer the system retrieves. Poisoning the evaluation dataset — corrupting the data used to test model safety — can hide malicious behaviors during testing, a subtle attack vector neither OWASP list names explicitly.
Threat Mappings

Threat | Description | OWASP Mapping | Notes
Training Data Poisoning | Corrupting model weights via backdoored training data | LLM04, ASI05 | Core OWASP coverage; backdoor insertion at training time
RAG / Memory Poisoning | Injecting malicious content into retrieval stores or agent memory | LLM08, ASI05 | Runtime memory manipulation persists across agent sessions
Eval Set Poisoning | Corrupting evaluation data to hide malicious model behavior during testing | LLM04 (nearest fit) | Not explicitly named in either OWASP list; PHANTOMRISE original
H: Hallucination
False outputs, overconfidence, cascading errors across agent chains
AI systems can produce false outputs with high confidence. In multi-agent systems, cascading hallucination occurs when one agent's false output becomes factual input for the next, amplifying the error across the pipeline in a way a single-model system cannot.
Threat Mappings

Threat | Description | OWASP Mapping | Notes
Misinformation / Hallucination | Confidently false outputs causing harmful downstream decisions | LLM09 | Primary OWASP coverage
Cascading Hallucination | False output from one agent propagates as fact through downstream agents | ASI06 | Multi-agent amplification of errors; covered directly by ASI06
A: Autonomy Failures
Excessive scope, missing HITL checkpoints, unconstrained planning
The threat here isn't an adversary doing something the system wasn't designed for — it's the system doing exactly what it was designed for, unsupervised, beyond the boundaries anyone intended. STRIDE has no category for this failure mode.
Threat Mappings

Threat | Description | OWASP Mapping | Notes
Excessive Agency | Agent acts beyond intended scope without human oversight | LLM06, ASI08 | Core OWASP coverage for both lists
Tool Misuse | Agent invokes tools outside its intended use or chains tools destructively | ASI02 | Agentic-specific; destructive tool chaining
Unconstrained Planning | Agent pursues goals beyond its mandate without HITL gates | ASI08, ASI09 | Missing kill-switch or scope boundary enforcement
N: Non-determinism ★ Novel
Stochastic behavior as a security property — not a threat, but the condition that changes everything
Non-determinism isn't an attack vector — it's the property that makes AI systems uniquely difficult to secure. Stochastic outputs invalidate deterministic threat models, break traditional testing, and make incident response unreliable. Statistical jailbreaking — repeating the same prompt until safety boundaries fail through sampling variance — is a documented exploit of this property. No existing framework names this concept.
Threat Mappings

Threat | Description | OWASP Mapping | Notes
Statistical Jailbreaking | Exploiting sampling variance to bypass safety controls through repeated attempts | ★ No OWASP equivalent | Not in OWASP, STRIDE, or MITRE ATLAS
Inconsistent Safety Behavior | Same prompt produces unsafe output under certain sampling conditions | ★ No OWASP equivalent | Not named in any existing framework; this is the point
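The arithmetic behind statistical jailbreaking, and the signal it leaves behind, are easier to see in code. What follows is an added example, not PHANTOMRISE tooling: it assumes each sample of a prompt crosses the safety boundary independently with probability p_unsafe (an idealization; real failures are correlated and depend on decoding settings), and the RepeatedPromptDetector class, its thresholds and the sample prompts are hypothetical.

```python
import hashlib
import math
import random
from collections import defaultdict, deque


def attacker_success_probability(p_unsafe, attempts):
    """P(at least one unsafe completion) across `attempts` samples of one prompt.

    Assumes each sample independently crosses the safety boundary with
    probability p_unsafe (an idealization: real failures are correlated and
    depend on temperature and other decoding settings).
    """
    return 1.0 - (1.0 - p_unsafe) ** attempts


def attempts_for_confidence(p_unsafe, confidence):
    """Smallest number of attempts at which P(success) reaches `confidence`."""
    return math.ceil(math.log1p(-confidence) / math.log1p(-p_unsafe))


def simulate_retries(p_unsafe, max_attempts, seed=0):
    """Monte Carlo view of the same attack: the attempt on which the boundary
    first failed, or None if it held every time. Seeded for reproducibility."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        if rng.random() < p_unsafe:
            return attempt
    return None


class RepeatedPromptDetector:
    """Flags a principal that resends a normalized-identical prompt `threshold`
    times within `window_seconds`. Hypothetical control, not a PHANTOMRISE component."""

    def __init__(self, window_seconds, threshold):
        self.window = window_seconds
        self.threshold = threshold
        self._hits = defaultdict(deque)   # (principal, fingerprint) -> timestamps

    @staticmethod
    def fingerprint(prompt):
        # Collapse case and whitespace so trivial resubmissions collide.
        normalized = " ".join(prompt.lower().split())
        return hashlib.sha256(normalized.encode()).hexdigest()[:16]

    def observe(self, principal, prompt, timestamp):
        """Record one prompt; return True when the repeat threshold is reached."""
        key = (principal, self.fingerprint(prompt))
        window = self._hits[key]
        window.append(timestamp)
        while window and window[0] < timestamp - self.window:
            window.popleft()
        return len(window) >= self.threshold
```

With p_unsafe = 0.02, a filter that looks 98% reliable per request gives the attacker roughly an 87% chance of one unsafe completion within 100 attempts and 99% within 228. The detector watches for the trace the attack leaves, one principal resending the same normalized prompt, which is a tripwire rather than a fix, since an attacker can rephrase between attempts.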
T: Trust & Supply Chain
Malicious base models, compromised MCP servers, marketplace agents, poisoned plugins
Each OWASP list covers supply chain in a single category (LLM03 and ASI04); MAESTRO distributes it across four layers. PHANTOMRISE consolidates it as T, a single practitioner prompt: where does this system trust things it shouldn't?
Threat Mappings

Threat | Description | OWASP Mapping | Notes
Compromised Base Model | Backdoored weights from malicious model provider or fine-tuning pipeline | LLM03, ASI04 | Supply chain entry point at the foundation layer
Malicious MCP Server / Plugin | Compromised tool server or plugin injecting malicious behavior into agent workflows | ASI04, LLM03 | Marketplace agent risk: not explicitly named in ASI04
O: Observability Gaps ★ Novel
Absent monitoring framed as a first-class security threat, not an ops problem
Absent from the OWASP LLM Top 10 entirely — and that absence is itself the problem. A goal-hijacked agent looks like a functioning system until something goes wrong downstream. You can't detect or respond to threats you can't see. PHANTOMRISE treats observability not as an operational nicety but as a first-class security control.
Threat Mappings

Threat | Description | OWASP Mapping | Notes
Agent Trace Blind Spots | No causal tracing for multi-step autonomous decisions | ASI09 | ASI09 partially covers; LLM Top 10 has no equivalent
Silent Failures in Pipelines | Agent takes harmful action with no anomaly signal; looks like normal operation | ★ Novel framing | Treating absent monitoring as a security threat; not in any framework
M: Manipulation
Prompt injection, goal hijacking, intent drift, multimodal injection
The most well-documented AI attack surface. Intent drift — the gradual shift of an agent's objective across a long session through accumulating adversarial context — is distinct from a single-event goal hijack and deserves explicit attention in threat modeling sessions.
Threat Mappings

Threat | Description | OWASP Mapping | Notes
Prompt Injection (Direct & Indirect) | Adversarial instructions overriding system prompt via user input or retrieved content | LLM01, ASI01 | Most prevalent AI attack; indirect via RAG retrieval
Goal Hijacking | Attacker redirects agent objective through adversarial context | ASI01, ASI07 | Single-event manipulation of agent goals
Intent Drift | Gradual shift of agent objective across long session through accumulating adversarial context | ASI07 | Distinct from goal hijacking; slow and hard to detect
R: Resource Exhaustion
DoS, Denial of Wallet, multi-agent amplification loops
Denial of Wallet — where API costs become a financial attack surface — is an AI-specific threat with no STRIDE equivalent. Recursive tool calls between agents can multiply resource consumption beyond single-agent rate limits, bypassing controls designed for isolated systems.
Threat Mappings

Threat | Description | OWASP Mapping | Notes
Denial of Wallet | API cost exploitation as a financial attack; triggering massive inference spend | LLM10 | AI-specific financial DoS; no STRIDE equivalent
Multi-Agent Amplification Loops | Recursive tool calls between agents multiply resource consumption beyond rate limits | LLM10, ASI10 | Bypasses single-agent rate limiting controls
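The amplification loop, and the control that closes it, can be shown with two toy agents. Below is an added example, not part of PHANTOMRISE: each agent honours a per-invocation delegation limit (standing in for a per-agent rate limit) and still loops forever with its peer, while a RequestBudget that travels with the originating request bounds total spend and delegation depth across every hop. Agent names, token costs and budget sizes are hypothetical.

```python
from dataclasses import dataclass, field


class BudgetExceeded(Exception):
    """Raised when the request's shared budget runs out, whichever agent is active."""


@dataclass
class RequestBudget:
    """Budget carried with one originating request through every agent hop.

    Per-agent limiters are local to each agent; this object is global to the
    request, so total consumption is bounded regardless of fan-out or cycles.
    """
    max_spend: int                 # tokens (hypothetical unit) for the whole request
    max_depth: int                 # longest delegation chain allowed
    spent: int = 0
    trace: list = field(default_factory=list)   # (depth, agent, cost), for observability

    def charge(self, agent, depth, cost):
        if depth > self.max_depth:
            raise BudgetExceeded(f"depth {depth} exceeds {self.max_depth} at {agent}")
        if self.spent + cost > self.max_spend:
            raise BudgetExceeded(f"spend {self.spent + cost} exceeds {self.max_spend} at {agent}")
        self.spent += cost
        self.trace.append((depth, agent, cost))


class Agent:
    """Toy agent: each invocation costs `cost_tokens` and delegates to at most
    `fanout` peers. `fanout` plays the role of a per-agent rate limit: honoured on
    every single invocation, yet it bounds nothing once agents call each other."""

    def __init__(self, name, cost_tokens, fanout):
        self.name, self.cost_tokens, self.fanout = name, cost_tokens, fanout
        self.peers = []

    def handle(self, budget, depth=0):
        budget.charge(self.name, depth, self.cost_tokens)
        for peer in self.peers[: self.fanout]:
            peer.handle(budget, depth + 1)


def run_request(root, max_spend, max_depth):
    """Run one request; returns (budget, stop_reason), stop_reason None on normal completion."""
    budget = RequestBudget(max_spend=max_spend, max_depth=max_depth)
    try:
        root.handle(budget)
        return budget, None
    except BudgetExceeded as exc:
        return budget, str(exc)


def calls_per_agent(budget):
    """Per-agent view of the trace: each count looks harmless on its own."""
    counts = {}
    for _, agent, _ in budget.trace:
        counts[agent] = counts.get(agent, 0) + 1
    return counts


def build_loop():
    """Two agents delegating to each other: the amplification loop (constructed)."""
    planner, researcher = Agent("planner", 50, 1), Agent("researcher", 50, 1)
    planner.peers, researcher.peers = [researcher], [planner]
    return planner


def build_tree():
    """A finite planner with two leaf workers, for comparison (constructed)."""
    planner = Agent("planner", 50, 2)
    planner.peers = [Agent("search", 50, 0), Agent("summarize", 50, 0)]
    return planner
```

The loop run terminates only because the request-scoped budget trips; the per-agent fanout of 1 is satisfied on every hop. The trace doubles as the causal record that the O category asks for, since it shows which agent spent what at which depth.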
I: Identity & Privilege
NHI credentials, delegation chains, agent impersonation, inter-agent tampering
As AI agents proliferate, they acquire their own credentials, roles, and delegation chains — a non-human identity (NHI) attack surface that neither STRIDE's Elevation of Privilege nor the OWASP LLM Top 10 adequately addresses. Delegation chain attacks — where privilege escalates through a sequence of individually authorized agent-to-agent delegations — are invisible to STRIDE.
Threat Mappings

Threat | Description | OWASP Mapping | Notes
NHI Credential Abuse | Agent credentials over-permissioned or misused across systems | ASI03 | LLM Top 10 has no equivalent; agentic-specific
Delegation Chain Attack | Privilege escalates through legitimate agent-to-agent delegation sequence | ASI03, ASI07 | Each delegation individually authorized; invisible to STRIDE
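A delegation chain attack is a confused-deputy problem spread over several hops: each hop passes a pairwise check, and the last agent then acts with its own credential. The following is an added example, not PHANTOMRISE code. It contrasts that pairwise check with a whole-chain check that requires every hop's scopes to be a subset of what the previous hop carried (attenuation) and bounds chain length. The agent names, scope names and policy tables are hypothetical.

```python
from dataclasses import dataclass


class DelegationError(Exception):
    """Raised when a delegation chain fails validation."""


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegate: str
    scopes: frozenset   # scopes the delegator hands down for this task


# Hypothetical pairwise policy: every listed hop is individually legitimate.
ALLOWED_HOPS = {("planner", "researcher"), ("researcher", "executor")}

# Hypothetical direct grants on each agent's own (non-human) credential.
DIRECT_SCOPES = {
    "planner": frozenset({"tickets:read"}),
    "researcher": frozenset({"tickets:read", "docs:read"}),
    "executor": frozenset({"tickets:read", "docs:read", "deploy:write"}),
}


def effective_scopes_pairwise(chain):
    """The flawed check: validate each hop in isolation, then let the final
    delegate act with its own credential. Privilege climbs with every hop."""
    for hop in chain:
        if (hop.delegator, hop.delegate) not in ALLOWED_HOPS:
            raise DelegationError(f"hop not permitted: {hop.delegator} -> {hop.delegate}")
    return DIRECT_SCOPES[chain[-1].delegate]


def effective_scopes_attenuated(chain, max_hops=3):
    """Validate the chain as a whole: contiguous, bounded, and every hop's scopes
    a subset of what the previous hop carried. Returns the scopes the final
    delegate may actually use for this task (never more than the originator had)."""
    if not chain:
        raise DelegationError("empty chain")
    if len(chain) > max_hops:
        raise DelegationError(f"chain length {len(chain)} exceeds {max_hops}")
    carried = DIRECT_SCOPES[chain[0].delegator]
    for i, hop in enumerate(chain):
        if (hop.delegator, hop.delegate) not in ALLOWED_HOPS:
            raise DelegationError(f"hop {i} not permitted: {hop.delegator} -> {hop.delegate}")
        if i and hop.delegator != chain[i - 1].delegate:
            raise DelegationError(f"hop {i} breaks the chain: {chain[i - 1].delegate} != {hop.delegator}")
        escalated = hop.scopes - carried
        if escalated:
            raise DelegationError(f"hop {i} escalates: {sorted(escalated)} not held by {hop.delegator}")
        carried = hop.scopes
    return carried


def audit_chain(chain, max_hops=3):
    """Wrapper returning (True, sorted scopes) or (False, reason)."""
    try:
        return True, sorted(effective_scopes_attenuated(chain, max_hops))
    except DelegationError as exc:
        return False, str(exc)


# Constructed chains. The first is the attack: each hop is on the allowed list,
# yet a task that started with tickets:read ends with deploy:write.
ESCALATING_CHAIN = (
    Delegation("planner", "researcher", frozenset({"tickets:read"})),
    Delegation("researcher", "executor", frozenset({"tickets:read", "deploy:write"})),
)
ATTENUATED_CHAIN = (
    Delegation("planner", "researcher", frozenset({"tickets:read"})),
    Delegation("researcher", "executor", frozenset({"tickets:read"})),
)
```

The pairwise check answers "may the researcher delegate to the executor?" and nothing else; the attenuated check answers "did this task ever hold deploy:write?", which is the question STRIDE's Elevation of Privilege has no place to ask across agents.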
S: Sharing & Isolation ★ Novel
Context window pollution, memory bleed, cross-tenant inference
Memory bleed — one session's content leaking into another — and cross-tenant inference — one customer's data influencing another customer's LLM responses in a multi-tenant SaaS — are named by neither OWASP list. STRIDE would flag a shared database; it has no model for inference-layer contamination. These are PHANTOMRISE originals.
Threat Mappings

Threat | Description | OWASP Mapping | Notes
Memory Bleed | One session's content leaks into a different user's session via shared memory stores | ★ Novel | Not named in any existing framework
Cross-Tenant Inference | One customer's data influences another customer's LLM responses in multi-tenant SaaS | ★ Novel | Inference-layer contamination; STRIDE cannot model this
Context Window Pollution | Adversarial content injected into shared context affecting all downstream processing | ASI10 | Partial OWASP coverage under shared resource misuse
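Memory bleed and cross-tenant inference usually come from the same mistake: a shared retrieval store that ranks by similarity and never asks whose data it is returning. The following is an added example, not PHANTOMRISE code. It uses a bag-of-words cosine in place of an embedding so it runs offline; the store class, tenant names and records are constructed, and the point is that isolation is enforced by filtering before ranking, not by hoping scores keep tenants apart.

```python
import math
import re
from collections import Counter


def _vector(text):
    """Bag-of-words vector; stands in for an embedding so the example runs offline."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))


def _cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


class SharedMemoryStore:
    """One store serving every tenant and session, as a multi-tenant RAG or
    agent-memory backend typically does."""

    def __init__(self):
        self._rows = []   # dicts: tenant, session, text, vec

    def add(self, tenant, session, text):
        self._rows.append({"tenant": tenant, "session": session, "text": text, "vec": _vector(text)})

    def search_unscoped(self, query, k=3):
        """The bug: rank by similarity alone. Whatever is most similar comes
        back, whichever tenant or session it belongs to."""
        return self._rank(self._rows, query, k)

    def search_scoped(self, query, tenant, session=None, k=3):
        """The fix: filter on tenant (and optionally session) before ranking,
        so isolation never depends on similarity scores."""
        rows = [r for r in self._rows
                if r["tenant"] == tenant and (session is None or r["session"] == session)]
        return self._rank(rows, query, k)

    @staticmethod
    def _rank(rows, query, k):
        q = _vector(query)
        scored = [(_cosine(q, r["vec"]), r) for r in rows]
        scored = [(s, r) for s, r in scored if s > 0]
        scored.sort(key=lambda sr: sr[0], reverse=True)
        return [{"tenant": r["tenant"], "session": r["session"], "text": r["text"], "score": round(s, 3)}
                for s, r in scored[:k]]


def build_demo_store():
    """Constructed sample data for two tenants; not real records."""
    store = SharedMemoryStore()
    store.add("acme", "s1", "Acme merger with Globex closes in March; keep confidential")
    store.add("acme", "s2", "Acme wants the login page colours changed")
    store.add("initech", "s7", "Initech needs printer toner ordered")
    return store
```

A query from the Initech tenant about a merger returns Acme's confidential note from the unscoped search and nothing from the scoped one; the same scoped call with a session filter also keeps Acme's own sessions apart, which is the memory-bleed case.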
E: Exposure & Output Handling
PII leakage, system prompt extraction, unsafe output piping
E consolidates three OWASP output-side risks into one practitioner prompt: what is this system putting out, and where is it going? Exfiltration via tool invocation — a manipulated agent using a legitimate tool call to leak data — sits at the intersection of E and M and represents one of the most concrete AI attack chains in practice.
Threat Mappings

Threat | Description | OWASP Mapping | Notes
PII / Sensitive Data Leakage | Model outputs containing personal data, credentials, or confidential content | LLM02 | Core OWASP coverage
System Prompt Extraction | Adversarial prompts revealing confidential system instructions | LLM07 | Reveals security controls and proprietary instructions
Unsafe Output Piping | Unvalidated LLM output passed to downstream systems (shells, DBs, browsers) | LLM05 | Output as attack vector for downstream injection
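Exfiltration via tool invocation and unsafe output piping meet at one choke point: the moment a model-emitted tool call is about to be executed. The following is an added example, not PHANTOMRISE code, of a gate at that point. It applies an egress host allowlist, a scan for secret material in arguments, a fixed-binary rule for a shell tool, and a check that no multi-word fragment of the retrieved context leaves through tool arguments. The tool names (fetch_url, run_shell), allowlists, secret patterns and the sample context document are hypothetical and constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Hypothetical policy: hosts tools may reach, and binaries the shell tool may run.
EGRESS_ALLOWLIST = {"api.internal.example", "docs.example.com"}
SHELL_BINARY_ALLOWLIST = {"git", "ls", "grep"}
SHELL_META = re.compile(r"[;&|`<>]|\$\(")
SECRET_PATTERNS = {
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "sk- style api key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
SHINGLE_WORDS = 6   # context fragments shorter than this are not treated as leakage

# Constructed retrieved context, as a RAG step might have supplied it.
CONTEXT_DOCS = [
    "Confidential: the quarterly revenue forecast for the Acme account is 4.2M, "
    "not to be shared externally."
]


def _strings(value):
    """Yield every string inside a nested JSON-like argument structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _strings(v)


def _words(text):
    # URL-decode first so data smuggled into a query string is compared as words.
    return re.findall(r"[a-z0-9]+", unquote_plus(text).lower())


def _shingles(words, n=SHINGLE_WORDS):
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def check_tool_call(call, context_docs=CONTEXT_DOCS):
    """Return (allowed, reason) for a model-emitted tool call {"name", "arguments"}."""
    name = call["name"]
    args = call.get("arguments", {})
    blob = " ".join(_strings(args))

    # 1. Secret material in any argument, whatever the tool.
    for label, pattern in SECRET_PATTERNS.items():
        if pattern.search(blob):
            return False, f"secret material in arguments ({label})"

    # 2. Egress: a legitimate fetch tool must not reach arbitrary hosts.
    if name == "fetch_url":
        host = (urlsplit(args.get("url", "")).hostname or "").lower()
        if host not in EGRESS_ALLOWLIST:
            return False, f"egress to non-allowlisted host {host!r}"

    # 3. Shell: model output is untrusted; argv only, fixed binaries, no metacharacters.
    if name == "run_shell":
        argv = list(args.get("argv", []))
        if not argv or argv[0] not in SHELL_BINARY_ALLOWLIST:
            return False, f"shell binary not allowlisted: {argv[:1]}"
        if any(SHELL_META.search(a) for a in argv):
            return False, "shell metacharacters in argv"

    # 4. Context leakage: retrieved text reappearing in arguments, even to an allowed host.
    context = set()
    for doc in context_docs:
        context |= _shingles(_words(doc))
    leaked = context & _shingles(_words(blob))
    if leaked:
        return False, f"retrieved context leaving via tool arguments ({len(leaked)} fragments)"

    return True, "ok"
```

Check 4 is what catches the attack chain named above: a prompt-injected agent that pastes the retrieved forecast into a search query against an allowlisted host passes checks 1 to 3 and still fails. The shingle length is a tuning knob; six words is low enough to catch a copied sentence and high enough not to fire on shared vocabulary.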

Coverage matrix: each cell shows the PHANTOMRISE category covering that OWASP risk; ★ marks novel categories not in any existing framework.

Mapping table: every OWASP item mapped to its PHANTOMRISE category, 20/20 coverage across both lists.

Mitigations: practical mitigations for each PHANTOMRISE category.

Framework Reference
OWASP LLM Top 10 (2025)
LLM01 Prompt Injection
LLM02 Sensitive Info Disclosure
LLM03 Supply Chain
LLM04 Data & Model Poisoning
LLM05 Improper Output Handling
LLM06 Excessive Agency
LLM07 System Prompt Leakage
LLM08 Vector & Embedding Weaknesses
LLM09 Misinformation
LLM10 Unbounded Consumption
OWASP Agentic Top 10 (2026)
ASI01 Agent Goal Hijack
ASI02 Tool Misuse & Exploitation
ASI03 Identity & Privilege Abuse
ASI04 Agentic Supply Chain
ASI05 Data & Memory Poisoning
ASI06 Cascading Hallucination
ASI07 Intent Breaking & Goal Manipulation
ASI08 Excessive Autonomy
ASI09 Observability & Monitoring Failures
ASI10 Shared Resource Misuse