AS-301f · Module 1

The Hidden Surface

Good news, everyone! In AS-201b we built threat models using STRIDE and PIPE. Threat modeling tells you what could go wrong. Attack surface mapping tells you where it could go wrong. The distinction matters because threat models are theoretical — they analyze categories of risk. Attack surface maps are empirical — they enumerate every actual component, interface, and data flow that an attacker could target. A threat model without a surface map is a risk analysis of a system you do not fully understand.

AI systems have hidden attack surfaces that traditional asset inventories miss. The model itself is an asset — with a version, a configuration, a set of capabilities, and a set of vulnerabilities specific to that version. The system prompt is an asset — it defines the model's behavior and is a target for extraction and manipulation. The context window is an asset — a dynamic data store that contains different sensitive information in every session. The tool registry is an asset — it defines what the model can do in the world beyond generating text. None of these appear in a traditional infrastructure inventory.

  1. Infrastructure Layer: Enumerate every server, container, network endpoint, database, storage system, and API gateway that supports the AI agent ecosystem. This is the traditional attack surface — the foundation that everything else runs on. Automated scanners (Nmap, cloud security posture tools) handle the bulk of this discovery.
  2. Model Layer: Document every model in use: version, provider, deployment configuration, system prompt, capabilities, tool access, and update schedule. Each model is a separate attack surface with its own vulnerability profile. A model updated last week has different vulnerabilities than the same model from three months ago.
  3. Integration Layer: Map every connection between the AI system and external services: APIs, databases, email systems, file storage, third-party tools. Each integration is a potential attack path — both inward (supply chain compromise) and outward (exfiltration channel). The integration map is where the most overlooked attack surfaces live.
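As an added illustration (not part of the course material), the model and integration layers above expressed as a small surface map: it derives inward and outward paths from model to tool to integration, and reports the model-layer gaps (unrecorded system prompt, stale model, tool absent from the registry) that an infrastructure scanner cannot see. Every model, tool and integration name is constructed; the prompt fingerprint is an assumed convention.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Model:
    name: str
    version: str
    system_prompt_sha256: Optional[str]  # fingerprint of the prompt asset; None = not recorded
    tools: frozenset                     # tool-registry entries this model may call
    days_since_update: int
@dataclass(frozen=True)
class Integration:
    name: str
    inward: bool   # data flows into the AI system (supply-chain path)
    outward: bool  # the AI system can push data out (exfiltration channel)

def attack_paths(models, tool_registry):
    """(model, tool, integration) triples; tool_registry maps tool name -> Integration."""
    inward, outward = [], []
    for m in models:
        for t in sorted(m.tools):
            i = tool_registry.get(t)
            if i is None:  # undocumented tool: no integration to map, reported by findings()
                continue
            path = (f"{m.name}@{m.version}", t, i.name)
            if i.inward:
                inward.append(path)
            if i.outward:
                outward.append(path)
    return {"inward": inward, "outward": outward}

def findings(models, tool_registry, stale_days=90):
    """Model-layer gaps an infrastructure scanner cannot see."""
    out = []
    for m in models:
        tag = f"{m.name}@{m.version}"
        if m.system_prompt_sha256 is None:
            out.append(f"{tag}: system prompt not fingerprinted")
        if m.days_since_update > stale_days:
            out.append(f"{tag}: not updated for {m.days_since_update} days")
        for t in sorted(m.tools - set(tool_registry)):
            out.append(f"{tag}: tool '{t}' absent from tool registry")
    return out

MODELS = [  # constructed sample inventory, hypothetical names
    Model("support-bot", "2024.06", "ab12" * 16, frozenset({"send_email", "search_kb"}), 7),
    Model("triage", "2024.03", None, frozenset({"read_tickets", "shell"}), 120),
]
TOOL_REGISTRY = {
    "send_email": Integration("smtp-relay", inward=False, outward=True),
    "search_kb": Integration("kb-index", inward=True, outward=False),
    "read_tickets": Integration("ticket-db", inward=True, outward=True),
}
```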