LLM Threat Model Bubble Map

Mind map view of the 267-vector LLM threat checklist, with quorum and approval controls pulled into their own control-plane cluster.

267 attack vectors
15 threat domains
30 quorum risks
10 priority combos

Radial Bubble Map

Each outer bubble is a threat domain. The number shows how many detailed vectors are in that domain in the full checklist.

Core system: LLM Threat Model

Domain                              Vectors  Checklist IDs
Prompt input manipulation           20       LLM-001..020
RAG context and memory              20       LLM-021..040
Privacy sensitive data              20       LLM-041..060
Tools function calls and execution  30       LLM-061..090
Quorum approval and gates           30       LLM-091..120
Identity tenant boundaries          15
Supply Chain models and data        20       LLM-136..155
Output downstream injection         19       LLM-156..174
DoS cost and reliability            16
Extraction inference and evasion    12
Agents delegation                   13
Files multimodal input              12
Humans UI and trust                 12
Governance audit and IR             13
MCP plugins and servers             15

Cluster legend: prompt and governance | action control plane | context and retrieval | data and output

Quorum and Approval Risk Cloud

Quorum helps only when approval is independent, bound to exact action details, and fail-closed. These are the common failure bubbles to test.

Request: User or agent proposes a privileged action with exact parameters.
Policy Gate: Deterministic policy checks identity, scope, tenant, impact, and action type.
Independent Quorum: Separate identities, evidence, model context, and approval channels.
Bound Execution: Approval is tied to the exact recipient, amount, target, query, and scope.
Immutable Audit: Every vote, parameter, model, tool, and outcome is reconstructable.
One actor casts multiple votes
Shared poisoned context influences all voters
Timeout silently downgrades approval
Old approval replayed for a new action
Summary hides exact action parameters
Approver and executor are the same principal
Abstain or failure counts as approval
State changes between approval and execution
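The control-plane pipeline above (request with exact parameters, deterministic policy gate, independent quorum, bound execution, immutable audit) and the failure bubbles it is meant to catch, worked through as an added Python example. This is not code from the checklist or this page: the QuorumGate class, the payout action fields, the approver names, channels and clock values are all constructed for illustration, and the gate denies on any unmet condition rather than downgrading.

```python
import hashlib
import json
from collections import namedtuple
from dataclasses import dataclass, field

# One vote. approval_id is unique per vote (reuse is a replay); digest is the
# action_digest() the voter saw; vote is approve/reject/abstain/timeout.
Approval = namedtuple("Approval", "approval_id approver channel digest vote issued_at")


def action_digest(action: dict) -> str:
    """Canonical SHA-256 over the exact parameters every approval is bound to."""
    canon = json.dumps(action, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class QuorumGate:
    threshold: int
    max_age_s: float
    allowed_types: frozenset
    seen_ids: set = field(default_factory=set)  # burned approval ids (replay defence)
    audit: list = field(default_factory=list)   # append-only decision log

    def policy_gate(self, action, requester_tenant):
        """Deterministic checks that run before anyone is asked to vote."""
        if action["type"] not in self.allowed_types:
            return "action type not allowed"
        if action["tenant"] != requester_tenant:
            return "tenant boundary violation"
        if action["impact"] == "destructive" and action["scope"] != "single-target":
            return "destructive action with broad scope"
        return None

    def _check_votes(self, digest, approvals, requester, executor, now):
        approvers, channels = set(), set()
        for a in approvals:
            if a.approval_id in self.seen_ids:
                return f"replayed approval {a.approval_id}"
            if a.digest != digest:
                return f"{a.approver} approved different parameters"
            if now - a.issued_at > self.max_age_s:
                return f"approval from {a.approver} expired"
            if a.vote != "approve":  # reject, abstain and timeout never count as yes
                continue
            if a.approver in (requester, executor):
                return f"{a.approver} is not independent of the action"
            approvers.add(a.approver)  # a set: one actor gets exactly one vote
            channels.add(a.channel)
        if len(approvers) < self.threshold:
            return f"{len(approvers)} independent approvals, need {self.threshold}"
        if len(channels) < 2:
            return "all approvals arrived over a single channel"
        return None

    def evaluate(self, action, requester, tenant, approvals, executor,
                 state_at_approval, state_now, now):
        """Fail-closed: any unmet condition denies; returns (allowed, reason)."""
        digest = action_digest(action)
        reason = self.policy_gate(action, tenant)
        if reason is None:
            reason = self._check_votes(digest, approvals, requester, executor, now)
        if reason is None and state_at_approval != state_now:
            reason = "state changed between approval and execution"
        ok = reason is None
        if ok:
            self.seen_ids.update(a.approval_id for a in approvals)
        self.audit.append((digest, executor, reason or "approved",
                           [(a.approver, a.channel, a.vote) for a in approvals]))
        return ok, reason or "approved"


# Constructed sample: a payout the agent proposes, voted on by two humans.
ACTION = {"type": "payout", "tenant": "acme", "impact": "financial",
          "scope": "single-target", "recipient": "vendor-42", "amount": 1500}
STATE = "ledger-v17"


def new_gate():
    return QuorumGate(threshold=2, max_age_s=300, allowed_types=frozenset({"payout"}))


def run_scenarios() -> dict:
    """Runs the happy path and the failure bubbles listed above; returns decisions."""
    d = action_digest(ACTION)

    def vote(i, who, ch, v="approve", t=100.0):
        return Approval(i, who, ch, d, v, t)

    def run(gate, act=ACTION, votes=None, ex="executor-svc", st=STATE, now=120.0):
        return gate.evaluate(act, "agent", "acme", votes or good, ex, STATE, st, now)

    good = [vote("a1", "alice", "hw-token"), vote("a2", "bob", "chat")]
    gate = new_gate()
    out = {"happy_path": run(gate), "replay": run(gate)}  # same ids a second time
    out["params_changed"] = run(new_gate(), act=dict(ACTION, amount=15000))
    out["self_approve"] = run(new_gate(), ex="alice")
    out["abstain"] = run(new_gate(), votes=[good[0], vote("a3", "bob", "chat", "abstain")])
    out["one_actor_two_votes"] = run(new_gate(), votes=[good[0], vote("a4", "alice", "chat")])
    out["single_channel"] = run(new_gate(), votes=[good[0], vote("a5", "bob", "hw-token")])
    out["expired"] = run(new_gate(), now=500.0)
    out["state_drift"] = run(new_gate(), st="ledger-v18")
    return out
```

Only the first scenario returns `(True, "approved")`; each of the others is denied with a reason naming the bubble it exercised. Two design points carry most of the weight: approvals are bound to a canonical digest of the full parameter set, so a summary cannot hide a changed amount or recipient, and every non-approve outcome (abstain, timeout, expiry, missing vote) is simply not counted, so the gate can only fail closed.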

Zoomable Mind Map

This hierarchy is the workshop view. Use the controls in the top-right corner to zoom or reset the diagram.

mindmap
  root((LLM Threat Model))
    Prompt and Input
      Direct prompt injection
      Indirect prompt injection
      Jailbreaks
      Context stuffing
    RAG Context Memory
      RAG authorization bypass
      Cross tenant retrieval
      RAG poisoning
      Persistent memory poisoning
    Sensitive Data
      System prompt leakage
      PII disclosure
      Secret leakage
      Retention mismatch
    Tools and Execution
      Confused deputy
      Unsafe tool calls
      SSRF through fetch tools
      Destructive action abuse
    Quorum Approval
      Threshold misconfiguration
      Approval replay
      Non independent voters
      Race before execution
    Identity Boundaries
      Overprivileged service account
      Session mix up
      Weak delegation
    Supply Chain
      Backdoored weights
      Poisoned fine tune data
      Tool manifest tampering
    Output Handling
      XSS from generated HTML
      SQL from generated queries
      Formula injection
      Citation hallucination
    Cost and Reliability
      Token exhaustion
      Recursive loops
      Retry storms
      Budget drain
    Extraction and Evasion
      Model extraction
      Membership inference
      Guardrail probing
    Multi Agent
      Instruction laundering
      Rogue sub agents
      Evidence free consensus
    Multimodal Inputs
      Hidden OCR text
      Audio injection
      Metadata injection
    Human Factors
      Approval fatigue
      UI truncation
      Overreliance
    Monitoring Governance
      Missing audit trail
      No kill switch
      No red team regression
    MCP Plugins
      Rogue tool registration
      Tool shadowing
      Shadow MCP servers

Domain Bubbles With Example Leaves

Each cluster points back to the full vector list by ID range. The examples are deliberately short so the map stays usable.

Prompt and Input 20

  • Direct and indirect injection
  • Jailbreaks and roleplay
  • Delimiter and template confusion

RAG Context Memory 20

  • Cross tenant retrieval
  • Vector poisoning
  • Memory privilege mismatch

Sensitive Data 20

  • Prompt and secret leakage
  • PII disclosure
  • Log and trace exposure

Tools Execution 30

  • Confused deputy
  • Unsafe code execution
  • SSRF and destructive actions

Quorum Approval 30

  • Replay and fake approvals
  • Non independent voters
  • Fail open gates

Identity Boundaries 15

  • Overprivileged service accounts
  • Session mix-up
  • Tenant boundary failure

Supply Chain 20

  • Backdoored model weights
  • Poisoned datasets
  • Compromised dependencies

Output Handling 19

  • XSS and SQL injection
  • Formula injection
  • Unsafe auto-ingestion

DoS Cost Reliability 16

  • Token exhaustion
  • Recursive loops
  • Budget-drain attacks

Extraction Evasion 12

  • Model extraction
  • Prompt extraction
  • Guardrail probing

Multi-Agent 13

  • Instruction laundering
  • Rogue sub-agent registration
  • Evidence-free consensus

Multimodal Files 12

  • Hidden OCR text
  • Audio and video injection
  • Metadata injection

Human Factors 12

  • Approval fatigue
  • UI truncation
  • Overreliance

Monitoring Governance 13

  • Missing audit trail
  • No kill switch
  • Policy drift

MCP Plugins 15

  • Rogue tool registration
  • Tool shadowing
  • Shadow MCP servers