2.6 KiB
4.1 Appendix A: Rationale for Selecting SAIF as the Architectural Scope for AI Threat Modeling
We chose to use Google’s SAIF as the architectural scope for our AI threat modeling because it provides a clear decomposition of the system into data, model, application, and infrastructure layers, enabling structured testing and security control alignment.
While the OWASP AI Security Matrix is more threat-focused and organized around potential attack surfaces, SAIF is oriented toward defense and secure design. Both frameworks are highly complementary: SAIF helps define what to secure, while OWASP helps define what to secure against. Either can serve as a solid foundation, and in practice, aligning both strengthens threat coverage and architectural traceability.
We provide herein a side-by-side comparison of the AI architecture components defined in the OWASP AI Security Matrix versus those in Google’s SAIF (Secure AI Framework). This helps align threat modeling and security testing efforts by mapping shared focus areas and unique elements of each framework.
| OWASP AI Security Matrix vs. Google SAIF: Component Comparison | |||
|---|---|---|---|
| Component Category | OWASP AI Security Matrix | Google SAIF Architecture | Comment |
| Data | Training Data, Input Data, Output Data | Data (spans training, inference, transformation, ingestion) | Both include training and input data integrity; SAIF treats data lifecycle more holistically |
| Model | Model Architecture, Model Parameters, Model Artifacts, Model Outputs | Model (input handling, usage, output handling) | OWASP splits model into artifacts and architecture; SAIF emphasizes runtime and guardrails |
| Application | Prompt Interfaces, APIs, Plugins, Output Channels | Application, Agents/Plugins, User Input/Output | Strong alignment: OWASP “Prompt Interfaces” = SAIF “User Input”; plugins/components also align |
| Infrastructure | Model Deployment Environment, CI/CD Pipelines, Cloud Platform/Hosting | Infrastructure, Model Serving, Model Storage, Model Evaluation, Training infra | OWASP and SAIF both emphasize deployment and runtime environment; SAIF more granular |
| Security Governance | Monitoring, Logging, Access Control | Logging & Audit, Access Control, Identity & Auth | Both frameworks include governance components essential for testing, traceability, and control |
| External Dependencies | Third-Party Data Feeds, Pre-trained Models, APIs/LLMs | External Sources, Plugin Integrations | SAIF explicitly names trust boundaries; OWASP addresses third-party model risks |