
Power Automate — agentic threat model

AIVSS 7.5 · High

Power Automate presents a high agentic risk due to its extensive integration capabilities across enterprise systems and its ability to execute automated, multi-step actions. A compromise or prompt injection in an AI-driven flow could lead to unauthorized data exfiltration, privilege escalation, or unintended transactions across connected platforms.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base 8.5 · AARS uplift 0.86 · Factor sum 5.7/10 · Threat ×1.0 · Mitigation ×0.8

Autonomy of Action: 0.80
Goal-Driven Planning: 0.60
Self-Modification: 0.10
Dynamic Tool Use: 0.90
Persistent Memory: 0.50
Contextual Awareness: 0.70
Dynamic Identity: 0.80
Multi-Agent Interactions: 0.40
Non-Determinism: 0.50
Opacity & Reflexivity: 0.40

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Power Automate utilizes Microsoft's AI Builder (likely Azure OpenAI or proprietary models). Threats include adversarial prompt injection via processed forms or emails, leading to misaligned outputs, unauthorized flow execution, or model reprogramming.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — The platform processes diverse enterprise data (forms, text, objects) across multiple platforms. Threats include data exfiltration via malicious flows, training data poisoning of custom AI models, and lack of data lineage across third-party connectors.

L3 · Agent Frameworks (✓ mapped)

Power Automate relies on a low-code workflow orchestration framework ('flows') integrated with AI Builder. Threats include insecure tool integration (connecting to malicious APIs), tool misuse (unintended execution of powerful connectors), and logic bypass via manipulated AI inputs.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — Hosted on Microsoft Azure cloud infrastructure. Threats include credential exposure within flow connections, lateral movement across connected enterprise systems, and sandbox escapes via custom connectors.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — Likely relies on Azure and Power Platform monitoring and run history. Threats include blind spots in complex multi-step flows, insufficient logging of AI-driven decision paths, and difficulty detecting anomalous flow executions.

L6 · Security & Compliance (cross-cutting) (⚠ not certain from listing)

Not certain from the listing — Inherits Microsoft Power Platform enterprise security, Data Loss Prevention (DLP) policies, and compliance standards. Threats include misconfigured DLP policies that allow sensitive data to leak between business and non-business connectors.

L7 · Agent Ecosystem (✓ mapped)

Power Automate operates within a massive ecosystem of prebuilt and custom connectors, enabling multi-service interactions. Threats include compromised third-party connectors, cascading failures across chained flows, and unauthorized agent-to-agent trust abuse when interacting with other Copilots.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).