Kriyam AI — agentic threat model

AIVSS 7.9 · High

Kriyam AI presents a high-risk profile primarily due to its handling of highly sensitive PII, biometric data, and digital signatures for KYC compliance, where model evasion or data exfiltration could lead to severe identity fraud and regulatory penalties.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.8 · AARS uplift 0.46 · Factor sum 3.8/10 · Threat ×1.0 · Mitigation ×0.85

Autonomy of Action: 0.50
Goal-Driven Planning: 0.40
Self-Modification: 0.10
Dynamic Tool Use: 0.60
Persistent Memory: 0.50
Contextual Awareness: 0.50
Dynamic Identity: 0.20
Multi-Agent Interactions: 0.10
Non-Determinism: 0.40
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (✓ mapped)

Uses specialized computer vision and facial recognition models for Video KYC. Primary threats include adversarial evasion attacks (e.g., deepfakes, presentation attacks) and document spoofing designed to bypass identity verification.

L2 · Data Operations (✓ mapped)

Processes highly sensitive identity documents, video streams, and digital signatures. Key threats include data exfiltration of PII, unauthorized access to stored verification records, and poisoning of verification reference databases.

L3 · Agent Frameworks (✓ mapped)

Orchestrates automated field investigation workflows and real-time document verification. Vulnerabilities include insecure tool integration where document parsing or signature capture APIs could be manipulated to bypass verification steps.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — as an open-source platform, deployment security depends heavily on the self-hosting environment. Threats include container escape, insecure API endpoints, and exposed database ports hosting sensitive KYC data.

L5 · Evaluation & Observability (✓ mapped)

Provides compliance dashboards and analytics. Threats include blind spots in detecting spoofing attempts, lack of robust logging for failed verification attempts, and drift in facial recognition accuracy over diverse demographics.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Focuses heavily on compliance and secure consent capture. Threats include weak authorization controls allowing unauthorized access to compliance reports, and cryptographic weaknesses in the digital signature implementation.

L7 · Agent Ecosystem (⚠ not certain from listing)

Not certain from the listing — there is no explicit mention of multi-agent orchestration or marketplace integrations. Threats would involve unauthorized third-party agents accessing the KYC verification pipeline.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).