Azure AI Foundry — agentic threat model
Azure AI Foundry acts as a high-value enterprise AI orchestration and development platform, presenting significant supply-chain and data-exposure risks if compromised, though mitigated by robust Azure governance and responsible AI guardrails.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
|---|---|---|
| Autonomy of Action | 0.50 | |
| Goal-Driven Planning | 0.60 | |
| Self-Modification | 0.30 | |
| Dynamic Tool Use | 0.70 | |
| Persistent Memory | 0.50 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.40 | |
| Multi-Agent Interactions | 0.50 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent, following the MAESTRO layer order. Layers tagged “not certain from listing” are general, caveated commentary where the public description did not pin down that layer.
Layer 1, Foundation Models: the platform hosts a diverse model catalog (foundation, open-source, industry-specific) and supports model customization, which exposes it to model stealing, adversarial prompt injection, and backdoor vulnerabilities in customized models.
Layer 2, Data Operations: it supports secure data integration for model customization and RAG, which presents risks of training-data poisoning, unauthorized data exfiltration, and downstream knowledge-base contamination.
Layer 3, Agent Frameworks: it provides SDKs and APIs to build and manage AI applications and agents, exposing potential vulnerabilities in agent orchestration frameworks, insecure tool integration, and prompt-injection-based tool misuse.
Layer 4, Deployment and Infrastructure: as a deployment and management platform, its infrastructure risks include container escape, lateral movement within Azure cloud environments, and unauthorized access to the API endpoints hosting the models.
Layer 5, Evaluation and Observability: it features 'responsible AI' tools, which likely include guardrails and evaluation metrics, but remains vulnerable to guardrail bypass, evaluation gaming, and monitoring blind spots in complex agent behaviors.
Layer 6, Security and Compliance: it emphasizes 'enterprise-grade governance', which addresses identity, access control, and regulatory compliance, though misconfigurations in Azure IAM policies could lead to privilege escalation.
Layer 7, Agent Ecosystem: not certain from the listing — while the platform simplifies the development of 'agents', the listing does not explicitly detail multi-agent orchestration protocols, agent-to-agent trust boundaries, or marketplace-driven cascading failures.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).