Owner: Security team. Input: Agent Card complete. Sub-steps:
- Required for all Medium- and High-risk agents. Optional for Low-risk (CoE Lead decides).
- Apply Microsoft CAF's Discover phase (framework.md§25.1):
- Threat-model the agent. Use STRIDE; supplement with MITRE ATLAS and OWASP Generative AI risk lists.
- Walk through: prompt injection paths, data poisoning paths, model inversion, jailbreak paths, data exfiltration paths.
- Check data boundaries. Where does sensitive data flow? Where does it stop? Does the agent need every field it's been granted, or can scope be narrowed?
- Plan adversarial testing. What red-team scenarios will run before pilot?
- Plan DLP (data loss prevention): what content filters are needed on inputs/outputs?
- Confirm communication-channel security: managed identities, private endpoints, secured MCP server endpoints.
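Two of the sub-steps above, the data-boundary scope check and the DLP plan for inputs/outputs, are concrete enough to prototype. The block below is an added example, not part of the playbook and not any vendor's product: it models the Agent Card's granted fields as a set, each tool's reads as a set, and a DLP policy as a per-direction dict of detector kinds to block or redact. The SSN, card and e-mail patterns, the sample text and the policy are all constructed for illustration; a production filter would use a maintained classifier and log hashes rather than matched values.

```python
"""Added example: a minimal DLP gate for agent inputs/outputs plus a scope-narrowing
check. Assumptions (not from the playbook): the Agent Card is a set of granted field
names, tools declare the fields they read, and DLP policy is keyed by direction."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn", "card" or "email"
    value: str   # matched text; a real deployment would log a hash, not the value
    start: int
    end: int


# Constructed detectors: deliberately simple, tuned for readability not recall.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on long digit runs (order numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list[Finding]:
    """Run every detector over the text and return findings ordered by position."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.group(), m.start(), m.end()))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group(), m.start(), m.end()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card", m.group(), m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with a labelled placeholder, working right-to-left so
    earlier offsets stay valid."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[{f.kind.upper()} REDACTED]" + out[f.end:]
    return out


# Constructed policy: outbound is stricter than inbound because an exfiltrated
# identifier in a model response is the failure mode the threat model worries about.
POLICY = {
    "input": {"block": {"card"}, "redact": {"ssn", "email"}},
    "output": {"block": {"card", "ssn"}, "redact": {"email"}},
}


def dlp_gate(direction: str, text: str, policy=POLICY) -> tuple[str, str, list[Finding]]:
    """Return (decision, text_to_forward, findings); decision is allow/redact/block.
    A single blocked kind wins over any number of redactable ones."""
    rules = policy[direction]
    findings = scan(text)
    if any(f.kind in rules["block"] for f in findings):
        return "block", "", findings
    to_redact = [f for f in findings if f.kind in rules["redact"]]
    if not to_redact:
        return "allow", text, findings
    return "redact", redact(text, to_redact), findings


def excess_scope(granted: set[str], tools: dict[str, set[str]]) -> set[str]:
    """Fields the Agent Card grants that no tool reads: candidates for narrowing
    before Security signs off."""
    used = set().union(*tools.values()) if tools else set()
    return granted - used


if __name__ == "__main__":
    # Constructed sample: one model response carrying three kinds of sensitive data.
    sample = "Customer SSN 123-45-6789, card 4111 1111 1111 1111, contact jane@example.com"
    print(dlp_gate("output", sample)[0])                       # block
    print(dlp_gate("input", "Contact jane@example.com re: ticket 42")[1])
    print(excess_scope({"name", "ssn", "email"}, {"lookup": {"name", "email"}}))
```

The scope check is the cheap half of "does the agent need every field it's been granted": anything `excess_scope` returns is a grant with no consumer and should be struck from the Agent Card before Step 6 closes. The gate returns findings even on an `allow` so the caller can meter how often each detector fires during the pilot, which feeds the red-team scenarios.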
Output / gate criteria: Security signs off on a documented threat model + planned mitigations + planned red-team scenarios.
Decision branches:
- Security finds a blocker (e.g., agent would access regulated data without DLP) → back to Step 5 to revise the Agent Card.
Skip-this-step risk: Prompt injection lands in production; PII flows somewhere it shouldn't; an attacker turns the agent into an insider.