# AI Clinical Notes Scribe use-case

---

## 🔍 Analysis of Use-Case

### **Business Goal**

* Reduce clinician administrative burden
* Improve accuracy of clinical documentation
* Ensure compliance with medical record-keeping requirements

### **System Decomposition**

1. **Speech-to-Text System**

   * Inputs: Audio from doctor–patient consultation
   * Risks: Data capture, PHI exposure, model bias
2. **Summarization & Structuring System (LLM layer)**

   * Inputs: Transcripts
   * Outputs: Structured clinical notes (SOAP, ICD-10/SNOMED tags)
   * Risks: Hallucinations, ontology misalignment, overfitting to sensitive corpora
   * *This is the main focus of the threat model.*
3. **Review & Approval Interface**

   * Inputs: Draft notes
   * Outputs: Clinician-reviewed records
   * Risks: Human error, insider threats, incomplete oversight
4. **Integration & Storage System**

   * Inputs: Approved notes
   * Outputs: EHR records with coding/indexing
   * Risks: Unauthorized access, improper integration, regulatory non-compliance

### **Lifecycle Scope (Development / Training)**

* Speech-to-Text: Acoustic/language model training on sensitive data
* Summarization: Fine-tuning on clinical corpora, ICD-10/SNOMED ontologies

### **Key Considerations**

* No autonomous diagnosis/treatment recommendations
* Strictly *summarization & structuring* role
* Regulatory compliance (HIPAA, HITECH, ONC rules)

---

## 📊 Mermaid Diagram (System Flow)

```mermaid
flowchart TD
    %% === Actors ===
    A[👩‍⚕️ Clinician] -->|Audio Input| B[🎙️ Speech-to-Text System]
    A -->|Review & Approve| D[🖥️ Review & Approval Interface]

    %% === Core System ===
    B -->|Transcript| C[🧠 Summarization & Structuring System<br>LLM Layer]
    C -->|Draft Notes| D
    D -->|Approved Notes| E[📂 Integration & Storage System<br>EHR, Coding, Indexing]

    %% === Boundaries ===
    subgraph Scope["🔒 In-Scope AI Lifecycle"]
        B
        C
    end

    subgraph OutOfScope["📋 Out-of-Scope Optional"]
        D
        E
    end
```

---

## ⚡ Next Step for Threat Modeling

* From this diagram, we can apply **threat model vectors**:

  * **STRIDE** (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation of Privilege)
  * **DASF 2.0 Risks** (Data Poisoning, Prompt Injection, Model Misuse, EHR Integration Risks)
  * **MITRE ATLAS** / **MITRE ATT&CK for AI** mapping

---

Here’s our **AI Clinical Notes Scribe** flow reworked with a **cohesive color palette** applied to each subsystem. I used our palette mapping to distinguish actors, in-scope AI systems, and optional/out-of-scope components.

---

```mermaid
flowchart TD
    %% === Actors ===
    A1[👩‍⚕️ Clinician] -->|Audio Input| B1[🎙️ Speech-to-Text System]
    A1 -->|Review & Approve| D1[🖥️ Review & Approval Interface]

    %% === Core System ===
    B1 -->|Transcript| C1[🧠 Summarization & Structuring System<br>LLM Layer]
    C1 -->|Draft Notes| D1
    D1 -->|Approved Notes| D2[📂 Integration & Storage System<br>EHR, Coding, Indexing]

    %% === Boundaries ===
    subgraph Scope["🔒 In-Scope AI Lifecycle"]
        B1
        C1
    end

    subgraph OutOfScope["📋 Out-of-Scope Optional"]
        D1
        D2
    end

    %% === COLORS (from palette) ===
    style A1 fill:#80cbc4,stroke:#00695c,stroke-width:2px,color:#000  
    style B1 fill:#ef9a9a,stroke:#b71c1c,stroke-width:2px,color:#000 
    style C1 fill:#90caf9,stroke:#0d47a1,stroke-width:2px,color:#000 
    style D1 fill:#b39ddb,stroke:#4527a0,stroke-width:2px,color:#000 
    style D2 fill:#b39ddb,stroke:#4527a0,stroke-width:2px,color:#000
```

---

✅ Now each block has a distinct color family:

* **Teal (Clinician)** – human actors
* **Red (Speech-to-Text)** – raw data capture (risk-heavy)
* **Blue (LLM Summarization)** – main AI focus
* **Purple (Review & Integration)** – downstream systems

---



```mermaid
flowchart TD
    %% === Actors ===
    A1[👩‍⚕️ Clinician] -->|Audio Input| B1[🎙️ Speech-to-Text System]
    A1 -->|Review & Approve| D1[🖥️ Review & Approval Interface]

    %% === Core System ===
    B1 -->|Transcript| C1[🧠 Summarization & Structuring System<br>LLM Layer]
    C1 -->|Draft Notes| D1
    D1 -->|Approved Notes| D2[📂 Integration & Storage System<br>EHR, Coding, Indexing]

    %% === Boundaries ===
    subgraph Scope["🔒 In-Scope AI Lifecycle"]
        B1
        C1
    end

    subgraph OutOfScope["📋 Out-of-Scope Optional"]
        D1
        D2
    end

    %% === COLORS (from palette) ===
    style A1 fill:#80cbc4,stroke:#00695c,stroke-width:2px,color:#000  
    style B1 fill:#ef9a9a,stroke:#b71c1c,stroke-width:2px,color:#000 
    style C1 fill:#90caf9,stroke:#0d47a1,stroke-width:2px,color:#000 
    style D1 fill:#b39ddb,stroke:#4527a0,stroke-width:2px,color:#000 
    style D2 fill:#b39ddb,stroke:#4527a0,stroke-width:2px,color:#000
```

---

✨ Changes made:

* Removed all **parentheses**
* “LLM Layer” and “Out-of-Scope Optional” now display without `()`
* Kept consistent color palette for readability

---

Let’s add an **AI Safety Classifier agent** into the pipeline. This ensures that the system flags unsafe content, PHI mis-capture, or hallucinated diagnoses *before* notes reach the clinician. It becomes a **safety and assurance checkpoint** between the Summarization/Structuring system and the Review Interface.

Here’s the updated diagram with our palette, now including the **Safety Classifier**:

```mermaid
flowchart TD
    %% === Actors ===
    A1[👩‍⚕️ Clinician] -->|Audio Input| B1[🎙️ Speech-to-Text System]
    A1 -->|Review & Approve| D1[🖥️ Review & Approval Interface]

    %% === Core System ===
    B1 -->|Transcript| C1[🧠 Summarization & Structuring System<br>LLM Layer]
    C1 -->|Draft Notes| S1[🛡️ AI Safety Classifier<br>Bias & Risk Filter]
    S1 -->|Validated Notes| D1
    D1 -->|Approved Notes| D2[📂 Integration & Storage System<br>EHR, Coding, Indexing]

    %% === Boundaries ===
    subgraph Scope["🔒 In-Scope AI Lifecycle"]
        B1
        C1
        S1
    end

    subgraph OutOfScope["📋 Out-of-Scope Optional"]
        D1
        D2
    end

    %% === COLORS (from palette) ===
    style A1 fill:#80cbc4,stroke:#00695c,stroke-width:2px,color:#000  
    style B1 fill:#ef9a9a,stroke:#b71c1c,stroke-width:2px,color:#000 
    style C1 fill:#90caf9,stroke:#0d47a1,stroke-width:2px,color:#000 
    style S1 fill:#ffe082,stroke:#ff6f00,stroke-width:2px,color:#000 
    style D1 fill:#b39ddb,stroke:#4527a0,stroke-width:2px,color:#000 
    style D2 fill:#b39ddb,stroke:#4527a0,stroke-width:2px,color:#000
```

---

### 🔑 What Changed

* **New node**: 🛡️ **AI Safety Classifier**

  * Role: Detect hallucinations, ensure no diagnosis slips in, flag anomalies, enforce compliance (HIPAA, PHI redaction).
  * Positioned **between Summarization and Review**.
* **New palette color (Amber)** for safety layer → stands out as a trust/control checkpoint.
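To make the checkpoint's contract concrete, here is an added example (not code from the original page or from any product it describes) of a rule-based stand-in for the Safety Classifier node, written in Python. The transcript, the draft SOAP note, the approved-code subset, the 0.5 grounding threshold and the `safety_gate` / `audit_record` names are all constructed assumptions; a production classifier would be a trained model sitting behind the same interface. What the example shows is the part that matters for the threat model: the gate grounds every assessment statement against the transcript it came from, checks emitted codes against the ontology subset, flags direct identifiers that de-identification should already have removed, attaches a reason to every flag, and can only route a note to review or block it, never approve it.

```python
"""Safety-checkpoint gate between the LLM summarizer and the review interface.

Added example, not code from the original page. It stands in for the
AI Safety Classifier node with transparent rules so the contract of that
node can be seen and tested; a trained classifier would sit behind the
same interface. Transcript, draft note and approved-code list below are
constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Constructed subset of ICD-10 codes the ontology layer is allowed to emit.
APPROVED_CODES = {"J06.9", "R05.1", "I10"}

ICD10_RE = re.compile(r"[A-Z]\d{2}(?:\.\d{1,4})?")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # direct identifier de-ID should have removed
STOPWORDS = {"the", "a", "an", "and", "of", "with", "for", "to", "in", "is",
             "has", "no", "on", "patient", "reports", "shows"}


@dataclass
class GateResult:
    # The gate never emits "approved": approval is reserved for the clinician (HITL).
    status: str                                   # "needs_review" or "blocked"
    reasons: list = field(default_factory=list)   # explainability hook: one reason per flag


def content_words(text):
    return {w for w in re.findall(r"[a-z]+", text.lower())
            if w not in STOPWORDS and len(w) > 2}


def grounding_score(sentence, transcript_words):
    """Fraction of a sentence's content words that also appear in the transcript."""
    words = content_words(sentence)
    return len(words & transcript_words) / len(words) if words else 1.0


def safety_gate(transcript, draft, min_grounding=0.5):
    """draft is a dict of SOAP sections plus a 'codes' list (constructed shape)."""
    reasons = []
    transcript_words = content_words(transcript)

    # 1. Hallucination heuristic: every assessment statement must be grounded in the transcript.
    for sentence in re.split(r"(?<=[.;])\s+", draft.get("assessment", "")):
        sentence = sentence.strip()
        if sentence and grounding_score(sentence, transcript_words) < min_grounding:
            reasons.append(f"ungrounded assessment statement: {sentence!r}")

    # 2. Ontology check: codes must be well-formed and inside the approved subset.
    for code in draft.get("codes", []):
        if not ICD10_RE.fullmatch(code):
            reasons.append(f"malformed ICD-10 code: {code}")
        elif code not in APPROVED_CODES:
            reasons.append(f"code outside approved ontology subset: {code}")

    # 3. PHI mis-capture: a direct identifier in the note means de-identification failed upstream.
    for section, text in draft.items():
        if isinstance(text, str) and SSN_RE.search(text):
            reasons.append(f"direct identifier (SSN pattern) in section '{section}'")

    blocked = any(r.startswith("direct identifier") for r in reasons)
    return GateResult("blocked" if blocked else "needs_review", reasons)


def audit_record(note_id, result):
    """Shape of the audit-trail entry written for every gate decision."""
    return {"note_id": note_id, "decision": result.status,
            "flags": len(result.reasons), "reasons": list(result.reasons)}


# --- constructed sample consultation ---------------------------------------
TRANSCRIPT = ("Patient reports three days of sore throat and dry cough, no fever. "
              "Exam shows mild pharyngeal erythema, lungs clear.")

DRAFT_NOTE = {
    "subjective": "Sore throat and dry cough for three days, no fever.",
    "objective": "Mild pharyngeal erythema, lungs clear on auscultation.",
    "assessment": "Sore throat and dry cough for three days, no fever, lungs clear. "
                  "Community acquired pneumonia suspected.",
    "codes": ["J06.9", "R05.1", "J18.9"],
}

if __name__ == "__main__":
    result = safety_gate(TRANSCRIPT, DRAFT_NOTE)
    print(audit_record("note-0001", result))
```

Run on the constructed draft, the gate flags the pneumonia statement (no support in the transcript) and the out-of-subset code J18.9 and routes the note to review; a draft carrying an SSN pattern is blocked outright. The grounding heuristic is deliberately crude (content-word overlap), which is why the threshold is a parameter rather than a constant.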

---

👉 Next, we can enrich this by adding:

* **Threat modeling overlay**: STRIDE + DASF mapped to each box.
* **Multiple agents**: e.g., a **Compliance Agent** (HIPAA auditor) alongside the Safety Classifier.

If we’re building toward a **threat model vector + governance framework**, we need to think in terms of the **AI lifecycle** and explicitly track **artifacts**:

* **Model Cards** → document the purpose, limitations, benchmarks, risks of each model
* **Dataset Cards** → describe sources, curation, bias, privacy, compliance metadata
* **Agent Cards** → capture decision roles, safety checks, audit functions across the pipeline

Here’s how that looks for our **AI Clinical Notes Scribe** use-case:

---

## 🔄 AI Lifecycle Mapped to Artifacts

### **1. Data Collection & Preprocessing**

* **Dataset Cards**:

  * Clinical audio (doctor–patient conversations)
  * Clinical text corpora (SOAP notes, ICD-10, SNOMED, medical ontologies)
  * Compliance metadata: HIPAA, de-identification process, annotation protocols

### **2. Model Development / Training**

* **Model Cards**:

  * **Speech-to-Text Model** – tuned on clinical audio, note accuracy/WER, risks of bias
  * **Summarization Model (LLM Layer)** – fine-tuned on SOAP structure, ICD/SNOMED
  * **Safety Classifier** – adversarially tested against hallucinations, unsafe completions

### **3. Deployment & Orchestration**

* **Agent Cards**:

  * **Safety Agent** 🛡️ – filters hallucinations, detects PHI miscapture
  * **Compliance Agent** 📜 – ensures HIPAA adherence, records audit logs
  * **Workflow Agent** 🔄 – orchestrates movement: Audio → Transcript → Notes → EHR

### **4. Human-in-the-Loop**

* Clinician review interface documented as **Agent Card** (Human Oversight Agent)
* Track clinician feedback loops for retraining → linked back to Dataset Cards

### **5. Monitoring & Governance**

* **Model Cards** updated with post-deployment metrics (accuracy drift, bias shifts)
* **Dataset Cards** track dataset lineage, refresh cycles, augmentation history
* **Agent Cards** ensure policy enforcement (RBAC, audit trails, explainability)

---

## 📊 Conceptual Diagram (Lifecycle + Cards)

```mermaid
flowchart TD

    subgraph Data["📂 Data Collection"]
        D1[Clinical Audio Dataset<br>Dataset Card]
        D2[Clinical Text Corpora<br>Dataset Card]
    end

    subgraph Models["🧠 Model Development"]
        M1[Speech-to-Text Model<br>Model Card]
        M2[Summarization Model<br>Model Card]
        M3[Safety Classifier Model<br>Model Card]
    end

    subgraph Agents["🤖 Agent Layer"]
        A1[Safety Agent<br>Agent Card]
        A2[Compliance Agent<br>Agent Card]
        A3[Workflow Agent<br>Agent Card]
        A4[Human Oversight Agent<br>Agent Card]
    end

    subgraph Deployment["🚀 Deployment & Integration"]
        UI[Review Interface]
        EHR[EHR Integration]
    end

    %% Flows
    D1 --> M1
    D2 --> M2
    M1 --> M2
    M2 --> A1
    A1 --> A2
    A2 --> UI
    UI --> A4
    A4 --> EHR
    A3 --> M1
    A3 --> M2
    A3 --> UI
```

---

## ✅ Why This Matters

* **Traceability**: Every model, dataset, and agent is explicitly documented (cards).
* **Governance**: Each phase maps to **assurance artifacts** we can align to DASF, NIST AI RMF, HIPAA.
* **Threat Modeling**: We can overlay STRIDE/DASF threats **per card** (e.g., “Dataset Poisoning → Dataset Card”, “Prompt Injection → Summarization Model Card”).

---

The lifecycle diagram will read more clearly once we apply our **color palette** consistently across **datasets, models, agents, and deployment nodes**. I’ll extend our earlier palette and add new shades for variety:

* **Teal** → Data (datasets)
* **Red** → Models (AI components, core risk)
* **Blue** → Agents (safety, compliance, workflow, human oversight)
* **Purple** → Deployment & Integration

---

## 📊 Diagram with Color Palette

```mermaid
flowchart TD

    subgraph Data["📂 Data Collection"]
        D1[Clinical Audio Dataset<br>Dataset Card]
        D2[Clinical Text Corpora<br>Dataset Card]
    end

    subgraph Models["🧠 Model Development"]
        M1[Speech-to-Text Model<br>Model Card]
        M2[Summarization Model<br>Model Card]
        M3[Safety Classifier Model<br>Model Card]
    end

    subgraph Agents["🤖 Agent Layer"]
        A1[Safety Agent<br>Agent Card]
        A2[Compliance Agent<br>Agent Card]
        A3[Workflow Agent<br>Agent Card]
        A4[Human Oversight Agent<br>Agent Card]
    end

    subgraph Deployment["🚀 Deployment & Integration"]
        UI[Review Interface]
        EHR[EHR Integration]
    end

    %% Flows
    D1 --> M1
    D2 --> M2
    M1 --> M2
    M2 --> A1
    A1 --> A2
    A2 --> UI
    UI --> A4
    A4 --> EHR
    A3 --> M1
    A3 --> M2
    A3 --> UI

    %% === COLORS (palette applied) ===
    %% Data (Teal)
    style D1 fill:#80cbc4,stroke:#00695c,stroke-width:2px,color:#000
    style D2 fill:#80cbc4,stroke:#00695c,stroke-width:2px,color:#000

    %% Models (Red)
    style M1 fill:#ef9a9a,stroke:#b71c1c,stroke-width:2px,color:#000
    style M2 fill:#ef9a9a,stroke:#b71c1c,stroke-width:2px,color:#000
    style M3 fill:#ef9a9a,stroke:#b71c1c,stroke-width:2px,color:#000

    %% Agents (Blue)
    style A1 fill:#90caf9,stroke:#0d47a1,stroke-width:2px,color:#000
    style A2 fill:#90caf9,stroke:#0d47a1,stroke-width:2px,color:#000
    style A3 fill:#90caf9,stroke:#0d47a1,stroke-width:2px,color:#000
    style A4 fill:#90caf9,stroke:#0d47a1,stroke-width:2px,color:#000

    %% Deployment (Purple)
    style UI fill:#b39ddb,stroke:#4527a0,stroke-width:2px,color:#000
    style EHR fill:#b39ddb,stroke:#4527a0,stroke-width:2px,color:#000
```

---

✅ Now each layer has a **distinct, reusable color code**:

* **Teal** = Data sources & dataset cards
* **Red** = AI models (sensitive/risk surfaces)
* **Blue** = Agents (trust, safety, compliance)
* **Purple** = Deployment & integration endpoints

---

1. **User-Interaction Diagram** → shows how clinicians, patients, and the system interact step by step (front-end workflow).
2. **Systems Diagram** → shows how the backend runs on Linux Foundation infrastructure + open-source tools (aligned with our Kubeflow/MLflow/DataOps stack style).

---

## 1. 👥 User-Interaction Diagram

This diagram traces how a clinician and system interact during a consultation.

```mermaid
sequenceDiagram
    participant P as 🧑‍⚕️ Clinician
    participant S as 🎙️ Speech-to-Text
    participant L as 🧠 Summarization (LLM)
    participant G as 🛡️ Safety Classifier
    participant R as 🖥️ Review Interface
    participant E as 📂 EHR System

    P->>S: Dictates consultation (audio)
    S->>L: Transcript text
    L->>G: Draft clinical notes
    G->>R: Validated notes (no hallucinations/unsafe output)
    R->>P: Clinician reviews/edits notes
    P->>E: Approves and saves to EHR
```

---

## 2. 🖧 Systems Diagram (Linux Foundation + Open Source)

Here’s how this could run on an **open-source control plane**, showing tools + integration points.

```mermaid
flowchart TD

    %% Data Layer
    subgraph DataOps["📂 DataOps Layer"]
        DA[Audio Storage<br>MinIO / S3]
        DT[Transcript DB<br>PostgreSQL + pgvector]
    end

    %% AI/ML Layer
    subgraph MLOps["🧠 MLOps Control Plane"]
        STT[Speech-to-Text<br>Kaldi / wav2vec2]
        SUM[Summarization LLM<br>KServe + Triton]
        SAFE[Safety Classifier<br>ONNX / HuggingFace]
    end

    %% Governance & Workflow
    subgraph Governance["🔒 Governance + Orchestration"]
        WF[Workflow Orchestration<br>Kubeflow Pipelines]
        LOG[Audit Logs<br>OpenSearch]
        POL[Policy Enforcement<br>OPA / Kyverno]
    end

    %% Endpoints
    subgraph Endpoints["🚀 Deployment & Integration"]
        UI[Review UI<br>Streamlit / Angular]
        EHR[EHR Integration<br>FHIR APIs]
    end

    %% Flows
    DA --> STT
    STT --> DT
    STT --> SUM
    SUM --> SAFE
    SAFE --> UI
    UI --> EHR
    WF --> STT
    WF --> SUM
    WF --> SAFE
    LOG --> POL
```

---

## 🎨 Color Palette 

To match our earlier diagrams:

* **Teal (#80cbc4)** → DataOps Layer (datasets, storage)
* **Red (#ef9a9a)** → Models (STT, LLM, Safety Classifier)
* **Blue (#90caf9)** → Agents / Orchestration
* **Purple (#b39ddb)** → Deployment / Integration

---

⚡ With these two diagrams, we now have:

* A **front-end view** (user-interaction sequence).
* A **back-end view** (Linux Foundation infra + OSS stack).

---

* A **threat model** identifies potential adversarial or failure risks.
* A **threat vector model** extends that by explicitly mapping **where and how attacks or failures can enter the system** (data paths, model layers, interfaces, integrations).
* In the AI/ML domain, this usually aligns with **STRIDE + AI-specific risk catalogs** (e.g., DASF 2.0, MITRE ATLAS).

---

# 🛡️ AI Threat Vector Model for Clinical Notes Scribe

I’ll map **risks + controls** across **data, model, agent, deployment** layers.

---

## 1. DataOps Layer (Data Collection & Processing)

**Threat Vectors:**

* **Data Poisoning** → adversarial inputs (malicious patient recordings, mislabeled transcripts).
* **PHI Exposure** → captured audio/transcripts leaked outside HIPAA boundaries.
* **Ontology Drift** → ICD-10/SNOMED taxonomy updates not reflected in training data.

**Controls:**

* ✅ **Dataset Cards** → document source, curation, PHI handling.
* ✅ **De-identification** → automated PHI scrubbing pipelines.
* ✅ **Access Control** → MinIO/S3 encryption, RBAC via Vault.
* ✅ **Data Validation** → schema checks, anomaly detection before ingestion.

---

## 2. Model Layer (STT, Summarization LLM, Safety Classifier)

**Threat Vectors:**

* **Model Poisoning** → training manipulation (e.g., biasing transcription against accents).
* **Prompt Injection** → malicious input instructions from transcribed speech.
* **Hallucination** → fabricated diagnoses in summaries.
* **Overfitting/Leaking** → memorization of PHI, risk of leakage.

**Controls:**

* ✅ **Model Cards** → risks, benchmarks, limitations.
* ✅ **Differential Privacy** → to prevent PHI memorization.
* ✅ **Prompt Guardrails** → input moderation before LLM.
* ✅ **Adversarial Testing** → simulate hostile queries, accent variance, ontology perturbations.
* ✅ **Ensemble Safety Classifier** → bias detection, hallucination detection.

---

## 3. Agent Layer (Safety, Compliance, Workflow, Human Oversight)

**Threat Vectors:**

* **Bypass Attacks** → attempts to skip moderation agents.
* **Insider Threats** → misuse of override controls by clinical staff.
* **Weak Auditability** → lack of traceability on agent decisions.

**Controls:**

* ✅ **Agent Cards** → document safety, compliance, workflow roles.
* ✅ **RBAC + MFA** → strict role-based permissions for overrides.
* ✅ **Audit Trails** → all decisions logged in OpenSearch.
* ✅ **Explainability Hooks** → classifier outputs must justify rejections/flags.

---

## 4. Deployment & Integration Layer (EHR + UI)

**Threat Vectors:**

* **Unauthorized Access** → exposed FHIR APIs.
* **Improper Integration** → data misaligned with EHR fields.
* **DoS Risks** → overloading API endpoints with queries.
* **Human Error** → clinician approving unsafe drafts.

**Controls:**

* ✅ **Zero Trust Access** → API authz with OAuth2 + mTLS.
* ✅ **EHR Validation** → schema conformance checks (FHIR validators).
* ✅ **Rate Limiting** → API gateways (Kong/Envoy).
* ✅ **Mandatory HITL Review** → clinician approval enforced, no auto-submission.

---

## 5. Governance & Monitoring

**Threat Vectors:**

* **Model Drift** → accuracy degrading silently.
* **Compliance Drift** → HIPAA/NIST/ONC rules change, system not updated.
* **Silent Failures** → logs not monitored, anomalies undetected.

**Controls:**

* ✅ **Continuous Monitoring** → MLflow/Kubeflow metrics, Grafana dashboards.
* ✅ **Policy Enforcement** → OPA/Kyverno for Kubernetes workloads.
* ✅ **Compliance Audits** → periodic HIPAA/NIST RMF alignment.
* ✅ **Red Teaming** → simulated adversarial misuse.

---

# 📊 Conceptual Threat Vector Overlay

```mermaid
flowchart TD
    D[📂 DataOps Layer] --> M[🧠 Models]
    M --> A[🤖 Agents]
    A --> U[🖥️ UI / EHR Integration]
    U --> G[🔒 Governance & Monitoring]

    %% Risks
    D -->|Risk: Data Poisoning, PHI Leakage| M
    M -->|Risk: Prompt Injection, Hallucination| A
    A -->|Risk: Bypass, Insider Threat| U
    U -->|Risk: Unauthorized Access, DoS| G
    G -->|Risk: Model/Compliance Drift| D

    %% Controls
    style D fill:#80cbc4,stroke:#00695c,stroke-width:2px
    style M fill:#ef9a9a,stroke:#b71c1c,stroke-width:2px
    style A fill:#90caf9,stroke:#0d47a1,stroke-width:2px
    style U fill:#b39ddb,stroke:#4527a0,stroke-width:2px
    style G fill:#ffe082,stroke:#ff6f00,stroke-width:2px
```

---

# ✅ Takeaway

* We are building an **AI Threat Vector Model** → it’s a **layered map** of risks + controls across **data, models, agents, deployment, governance**.
* This makes it possible to overlay **STRIDE**, **DASF 2.0**, and **MITRE ATLAS** to get a **full-spectrum risk catalog**.
* Next logical step:

  * Build a **risk-control matrix table** (Risk → Attack Vector → Control Mapping).
  * Assign **severity scores** (Likelihood × Impact) → prioritize mitigations.

---

Let’s build the **Risk–Control Matrix** for our **AI Clinical Notes Scribe Threat Vector Model**.
This table captures **Risks → Attack Vectors → Recommended Controls → Severity (Likelihood × Impact)** so we can prioritize mitigations.

---

# 🛡️ AI Clinical Notes Scribe – Threat Vector Risk–Control Matrix

| **Layer**      | **Risk / Threat Vector**       | **Attack Surface**              | **Controls (Mitigations)**                                                       | **Severity** |
| -------------- | ------------------------------ | ------------------------------- | -------------------------------------------------------------------------------- | ------------ |
| **DataOps**    | Data Poisoning                 | Malicious audio / transcripts   | Data validation pipelines, anomaly detection, schema enforcement, human curation | **High**     |
|                | PHI Leakage                    | Audio / transcript storage      | MinIO/S3 encryption, RBAC, Vault key mgmt, de-identification                     | **Critical** |
|                | Ontology Drift                 | ICD/SNOMED taxonomy changes     | Dataset versioning, ontology monitoring, retraining triggers                     | **Medium**   |
| **Models**     | Prompt Injection               | Transcript-to-LLM inputs        | Input guardrails, regex/pattern filters, adversarial prompt testing              | **High**     |
|                | Hallucination                  | Summarization outputs           | Safety classifier, grounding to ICD/SNOMED, RAG context enforcement              | **Critical** |
|                | Model Poisoning                | Fine-tuning pipeline            | Signed datasets, reproducible training, differential privacy                     | **High**     |
|                | Overfitting (PHI Memorization) | LLM embeddings                  | Differential privacy, regularization, red-teaming                                | **High**     |
| **Agents**     | Bypass Attacks                 | Safety/compliance agents        | Mandatory policy checkpoints, RBAC enforced pipelines                            | **Medium**   |
|                | Insider Threats                | Clinician/staff overrides       | RBAC + MFA, audit trails, least-privilege policies                               | **High**     |
|                | Weak Auditability              | Agent decisions not logged      | OpenSearch immutable audit logs, explainability hooks                            | **Medium**   |
| **Deployment** | Unauthorized Access            | FHIR/EHR APIs                   | OAuth2 + mTLS, zero trust networking, API gateways                               | **Critical** |
|                | Improper Integration           | EHR mapping                     | FHIR schema validators, integration tests, EHR conformance checks                | **High**     |
|                | DoS Attacks                    | API endpoints                   | Rate limiting, auto-scaling, WAF                                                 | **Medium**   |
|                | Human Error                    | Clinician approves unsafe draft | HITL enforced, UI risk flags, safety classifier explainability                   | **Medium**   |
| **Governance** | Model Drift                    | Accuracy degradation            | Continuous monitoring, retraining alerts, MLflow drift tracking                  | **High**     |
|                | Compliance Drift               | HIPAA/NIST/ONC changes          | Policy mapping to NIST AI RMF, regular compliance audits                         | **Critical** |
|                | Silent Failures                | Unmonitored logs/alerts         | Grafana dashboards, anomaly detection, alert routing                             | **High**     |

---

# 🔑 Observations

* **Critical Risks** → PHI leakage, hallucinations, unauthorized access, compliance drift.
  → These must have **multiple overlapping controls** (defense-in-depth).
* **High Risks** → Data poisoning, model poisoning, overfitting, drift.
  → Require continuous monitoring + strong MLOps discipline.
* **Medium Risks** → Ontology drift, bypass attacks, auditability gaps, DoS, human error.
  → Important, but secondary to Critical/High risks.
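The scoring step as an added example (not part of the original page): the matrix rows rendered as data in Python so that the Likelihood × Impact ranking and the "multiple overlapping controls" rule from the observations above can be computed and checked rather than eyeballed. The likelihood and impact values, the band thresholds in `severity_band` and the minimum-controls policy in `MIN_CONTROLS` are constructed assumptions chosen to reproduce the matrix's own labels; the controls and severity labels are the matrix's.

```python
"""The Risk-Control Matrix above as machine-checkable data.

Added example, not part of the original page. Rows are a subset of the
matrix; likelihood and impact (1 = rare/negligible .. 5 = almost
certain/severe), the band thresholds and MIN_CONTROLS are constructed
assumptions, not measured figures. The matrix's severity label is kept on
each row so the computed band can be checked against it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    layer: str
    name: str
    controls: tuple      # mitigations listed in the matrix
    likelihood: int      # constructed, 1..5
    impact: int          # constructed, 1..5
    label: str           # severity label as stated in the matrix

    @property
    def score(self):
        return self.likelihood * self.impact


def severity_band(score):
    """Map Likelihood x Impact onto the matrix's labels (assumed thresholds)."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


REGISTER = (
    Risk("DataOps", "Data Poisoning",
         ("Data validation pipelines", "anomaly detection", "schema enforcement", "human curation"), 4, 4, "High"),
    Risk("DataOps", "PHI Leakage",
         ("MinIO/S3 encryption", "RBAC", "Vault key mgmt", "de-identification"), 4, 5, "Critical"),
    Risk("DataOps", "Ontology Drift",
         ("Dataset versioning", "ontology monitoring", "retraining triggers"), 3, 3, "Medium"),
    Risk("Models", "Prompt Injection",
         ("Input guardrails", "regex/pattern filters", "adversarial prompt testing"), 4, 3, "High"),
    Risk("Models", "Hallucination",
         ("Safety classifier", "grounding to ICD/SNOMED", "RAG context enforcement"), 5, 5, "Critical"),
    Risk("Agents", "Bypass Attacks",
         ("Mandatory policy checkpoints", "RBAC enforced pipelines"), 2, 4, "Medium"),
    Risk("Deployment", "Unauthorized Access",
         ("OAuth2 + mTLS", "zero trust networking", "API gateways"), 4, 5, "Critical"),
    Risk("Deployment", "Human Error",
         ("HITL enforced", "UI risk flags", "safety classifier explainability"), 3, 3, "Medium"),
    Risk("Governance", "Model Drift",
         ("Continuous monitoring", "retraining alerts", "MLflow drift tracking"), 4, 3, "High"),
    Risk("Governance", "Compliance Drift",
         ("Policy mapping to NIST AI RMF", "regular compliance audits"), 4, 5, "Critical"),
)

# Minimum number of overlapping controls per band: an assumed policy for the
# "multiple overlapping controls" rule in the Observations section.
MIN_CONTROLS = {"Critical": 3, "High": 2, "Medium": 1, "Low": 1}


def prioritized(register=REGISTER):
    """Risks ordered for mitigation: highest score first, then by name."""
    return sorted(register, key=lambda r: (-r.score, r.name))


def label_mismatches(register=REGISTER):
    """Rows whose computed band disagrees with the label in the matrix."""
    return [r.name for r in register if severity_band(r.score) != r.label]


def defense_in_depth_gaps(register=REGISTER, minimum=MIN_CONTROLS):
    """Rows that carry fewer overlapping controls than their band requires."""
    return [r.name for r in register if len(r.controls) < minimum[r.label]]


if __name__ == "__main__":
    for r in prioritized():
        print(f"{r.score:>2}  {r.label:<8} {r.layer:<10} {r.name}")
    print("label mismatches:", label_mismatches())
    print("defense-in-depth gaps:", defense_in_depth_gaps())
```

Under the assumed policy the check reports Compliance Drift as the one Critical row with fewer than three overlapping controls, which is exactly the kind of finding a register like this should surface for discussion before scores are signed off.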

---

# 📊 Next Step

We can extend this into a **Threat Modeling Matrix** by explicitly **tagging each risk** with:

* **STRIDE** (Spoofing, Tampering, Repudiation, Info Disclosure, DoS, Elevation of Privilege)
* **DASF 2.0 Risks** (e.g., Data Poisoning, Prompt Injection, Model Misuse, EHR Integration Risk)
* **MITRE ATLAS Techniques** (e.g., TA0040 Model Evasion, TA0029 Data Manipulation)
* **[IBM AI Risk ATLAS](https://www.ibm.com/docs/en/watsonx/saas?topic=ai-risk-atlas)**

---

Now we’ll **enrich our Threat Vector Risk–Control Matrix** by mapping each risk to:

1. **STRIDE** → Classic software threat modeling categories.
2. **DASF 2.0** → AI/ML–specific risk families (Data poisoning, Prompt injection, Model misuse, etc.).
3. **MITRE ATLAS** → AI adversary tactics & techniques.
4. **NIST 800-53 Rev 5 (and 53B baselines)** → Security & privacy controls to enforce compliance.

This makes our **AI Clinical Notes Scribe Threat Model** fully aligned with **federal compliance, AI governance, and adversarial ML frameworks**.

---

# 🛡️ AI Clinical Notes Scribe – Threat Vector Matrix (with STRIDE, DASF, MITRE, NIST 800-53 Rev 5)

| **Layer**      | **Risk / Threat Vector**       | **STRIDE**                  | **DASF 2.0**                      | **MITRE ATLAS**                         | **NIST 800-53 Rev 5**                                                                        | **Controls**                                 |
| -------------- | ------------------------------ | --------------------------- | --------------------------------- | --------------------------------------- | -------------------------------------------------------------------------------------------- | -------------------------------------------- |
| **DataOps**    | Data Poisoning                 | Tampering                   | Data Integrity / Poisoning        | TA0029 – Data Manipulation              | SI-3 (Malicious Code Protection), SI-10 (Info Input Validation), SA-11 (Dev Testing)         | Data validation pipelines, anomaly detection |
|                | PHI Leakage                    | Info Disclosure             | Privacy Leakage                   | TA0040 – Model Evasion                  | AC-3 (Access Enforcement), SC-28 (Data at Rest Encryption), SC-13 (Cryptographic Protection) | Encryption, RBAC, de-ID                      |
|                | Ontology Drift                 | Tampering                   | Model Misalignment                | TA0022 – Supply Chain Manipulation      | SA-10 (Developer Config Mgmt), CM-2 (Baseline Config), CA-7 (Continuous Monitoring)          | Dataset versioning, retraining               |
| **Models**     | Prompt Injection               | Tampering                   | Prompt Injection                  | TA0010 – Evasion via Input Manipulation | SI-10 (Input Validation), SC-23 (Session Authenticity), RA-5 (Vulnerability Scanning)        | Guardrails, input filters                    |
|                | Hallucination                  | Tampering / Info Disclosure | Hallucination / Unsafe Generation | TA0042 – Model Output Manipulation      | SA-11 (Testing), SI-4 (Monitoring), SR-11 (Supply Chain Protection)                          | Safety classifier, ontology grounding        |
|                | Model Poisoning                | Tampering                   | Training Data Poisoning           | TA0029 – Data Manipulation              | SA-12 (Supply Chain Integrity), RA-5, SI-7 (Software Integrity)                              | Signed datasets, reproducible training       |
|                | Overfitting (PHI memorization) | Info Disclosure             | Privacy Leakage                   | TA0040 – Model Evasion                  | PL-8 (Privacy Records), SC-28, SI-12 (Information Handling)                                  | DP-SGD, regularization, red-teaming          |
| **Agents**     | Bypass Attacks                 | Elevation of Privilege      | Model Misuse / Policy Bypass      | TA0040 – Model Evasion                  | AC-6 (Least Privilege), IA-2 (MFA), AU-12 (Audit Logs)                                       | Enforced checkpoints, RBAC                   |
|                | Insider Threats                | Spoofing / Elevation        | Model Misuse                      | TA0017 – Insider Threat                 | AC-2 (Account Mgmt), PS-3 (Personnel Screening), AU-6 (Audit Review)                         | RBAC, MFA, least privilege                   |
|                | Weak Auditability              | Repudiation                 | Auditability Gap                  | TA0040 – Model Evasion                  | AU-2 (Event Logging), AU-8 (Timestamp), AU-12 (Audit Generation)                             | Immutable logs, explainability hooks         |
| **Deployment** | Unauthorized Access            | Spoofing / Elevation        | Unauthorized Access               | TA0001 – Initial Access                 | AC-3, AC-17 (Remote Access), SC-12 (Crypto Key Estab)                                        | OAuth2, mTLS, API gateways                   |
|                | Improper Integration           | Tampering                   | EHR Integration Risk              | TA0022 – Supply Chain                   | SA-10, SI-10, IA-5 (Authenticator Mgmt)                                                      | FHIR validators, integration testing         |
|                | DoS Attacks                    | DoS                         | Availability Attacks              | TA0041 – Resource Consumption           | SC-5 (Denial-of-Service Protection), SC-6 (Resource Priority)                                | Rate limiting, auto-scaling, WAF             |
|                | Human Error (unsafe approval)  | Repudiation                 | HITL Failure                      | TA0042 – Output Manipulation            | AT-2 (Awareness Training), AC-2, AU-12                                                       | HITL enforced, UI risk flags                 |
| **Governance** | Model Drift                    | Tampering                   | Model Misuse                      | TA0040 – Model Evasion                  | CA-7 (Monitoring), SA-11, PM-9 (Risk Mgmt Strategy)                                          | Drift detection, retraining                  |
|                | Compliance Drift               | Repudiation                 | Regulatory Non-Compliance         | TA0011 – Policy Bypass                  | PL-2 (Privacy Program), PL-8, CA-2 (Assessments), PM-9                                       | Regulatory mapping, audits                   |
|                | Silent Failures                | DoS / Repudiation           | Monitoring Gaps                   | TA0040 – Model Evasion                  | SI-4 (System Monitoring), IR-4 (Incident Handling), AU-6                                     | Grafana dashboards, anomaly detection        |

---

# 🔑 Key Insights

* **Critical intersections**:

  * **Hallucinations + PHI memorization** → map directly to **HIPAA violations** (PL-8, SC-28).
  * **Unauthorized Access** → maps to **Access Controls (AC family)**.
  * **Compliance Drift** → maps to **Program Management (PM, PL families)**, often ignored in ML pipelines.

* **Value of mapping**:

  * We can now **prove coverage** to auditors by saying: *“This hallucination risk maps to STRIDE Tampering, DASF Hallucination, MITRE ATLAS TA0042, and NIST SA-11 + SI-4.”*
  * This ties **AI threat modeling** directly to **federal compliance frameworks** (NIST RMF / FedRAMP).
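To generate that auditor statement from data rather than by hand, here is an added example (not part of the original page) in Python. The four rows are copied from the matrix as stated on the page, including its ATLAS identifiers and NIST control numbers; `nist_families`, `stride_categories`, `coverage_statement` and `unmapped` are hypothetical helper names. The code checks the internal form of the crosswalk (well-formed control IDs, recognised STRIDE categories, no empty cells) and derives the NIST family list used in the overlay diagrams; it does not validate the page's mappings against the published frameworks.

```python
"""Framework crosswalk for the matrix above, as data.

Added example, not part of the original page. Rows are copied from the
page's table (STRIDE, DASF 2.0, MITRE ATLAS and NIST 800-53 Rev 5 cells
exactly as stated there). The helpers derive NIST control families and
produce the auditor-facing coverage sentence from the data.
"""
import re
from dataclasses import dataclass

CONTROL_ID_RE = re.compile(r"^([A-Z]{2})-(\d+)$")
STRIDE = {"Spoofing", "Tampering", "Repudiation", "Info Disclosure",
          "DoS", "Elevation of Privilege"}
# The table abbreviates some categories; expand them before validating.
STRIDE_SHORTHAND = {"Elevation": "Elevation of Privilege", "Disclosure": "Info Disclosure"}


@dataclass(frozen=True)
class Mapping:
    risk: str
    stride: tuple
    dasf: str
    atlas: str
    nist: tuple        # control identifiers, e.g. "SA-11"


CROSSWALK = (
    Mapping("PHI Leakage", ("Info Disclosure",), "Privacy Leakage",
            "TA0040 – Model Evasion", ("AC-3", "SC-28", "SC-13")),
    Mapping("Hallucination", ("Tampering", "Info Disclosure"), "Hallucination / Unsafe Generation",
            "TA0042 – Model Output Manipulation", ("SA-11", "SI-4", "SR-11")),
    Mapping("Unauthorized Access", ("Spoofing", "Elevation"), "Unauthorized Access",
            "TA0001 – Initial Access", ("AC-3", "AC-17", "SC-12")),
    Mapping("Compliance Drift", ("Repudiation",), "Regulatory Non-Compliance",
            "TA0011 – Policy Bypass", ("PL-2", "PL-8", "CA-2", "PM-9")),
)


def nist_families(mapping):
    """Distinct NIST 800-53 families (AC, SC, ...) behind a row's control IDs, in order of first use."""
    families = []
    for cid in mapping.nist:
        m = CONTROL_ID_RE.match(cid)
        if not m:
            raise ValueError(f"malformed control identifier: {cid!r}")
        if m.group(1) not in families:
            families.append(m.group(1))
    return families


def stride_categories(mapping):
    """Expand the table's shorthand to full STRIDE names and reject anything unknown."""
    full = [STRIDE_SHORTHAND.get(s, s) for s in mapping.stride]
    unknown = [s for s in full if s not in STRIDE]
    if unknown:
        raise ValueError(f"not a STRIDE category: {unknown}")
    return full


def coverage_statement(mapping):
    """The sentence the Key Insights section proposes giving auditors, built from data."""
    return (f"{mapping.risk} maps to STRIDE {' / '.join(stride_categories(mapping))}, "
            f"DASF {mapping.dasf}, MITRE ATLAS {mapping.atlas.split(' – ')[0]}, "
            f"and NIST {' + '.join(mapping.nist)}.")


def unmapped(crosswalk=CROSSWALK):
    """Rows missing any of the four frameworks: the coverage gaps an auditor would ask about."""
    return [m.risk for m in crosswalk
            if not (m.stride and m.dasf and m.atlas and m.nist)]


if __name__ == "__main__":
    for m in CROSSWALK:
        print(coverage_statement(m), "families:", nist_families(m))
    print("unmapped:", unmapped())
```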

---

✅ With this, we now have a **living AI Threat Vector Model** for our Clinical Notes Scribe use case, cross-referenced to STRIDE, DASF 2.0, MITRE ATLAS, and NIST 800-53 Rev 5.



Let’s turn the **Risk–Control Matrix** into a **visual Threat Vector Overlay Diagram**.
This way we can walk auditors, engineers, and clinicians through the **entire threat landscape**, showing **where risks live**, which **STRIDE category** they fall under, and which **NIST 800-53 Rev 5 control family** mitigates them.

---

# 📊 Threat Vector Overlay

```mermaid
flowchart TD

    %% === Layers ===
    subgraph DataOps["📂 DataOps Layer"]
        D1[Data Poisoning<br>STRIDE: Tampering<br>NIST: SI, SA]
        D2[PHI Leakage<br>STRIDE: Info Disclosure<br>NIST: AC, SC, PL]
        D3[Ontology Drift<br>STRIDE: Tampering<br>NIST: CM, SA, CA]
    end

    subgraph Models["🧠 Models"]
        M1[Prompt Injection<br>STRIDE: Tampering<br>NIST: SI, SC, RA]
        M2[Hallucination<br>STRIDE: Tampering/Disclosure<br>NIST: SA, SI, SR]
        M3[Model Poisoning<br>STRIDE: Tampering<br>NIST: SA, SI]
        M4[Overfitting / PHI Mem.<br>STRIDE: Info Disclosure<br>NIST: PL, SC, SI]
    end

    subgraph Agents["🤖 Agent Layer"]
        A1[Bypass Attacks<br>STRIDE: Elevation<br>NIST: AC, IA]
        A2[Insider Threats<br>STRIDE: Spoofing/Elevation<br>NIST: AC, PS, AU]
        A3[Weak Auditability<br>STRIDE: Repudiation<br>NIST: AU]
    end

    subgraph Deployment["🚀 Deployment & Integration"]
        U1[Unauthorized Access<br>STRIDE: Spoofing/Elevation<br>NIST: AC, SC]
        U2[Improper Integration<br>STRIDE: Tampering<br>NIST: SA, SI, IA]
        U3[DoS Attacks<br>STRIDE: DoS<br>NIST: SC]
        U4[Human Error<br>STRIDE: Repudiation<br>NIST: AT, AC, AU]
    end

    subgraph Governance["🔒 Governance & Monitoring"]
        G1[Model Drift<br>STRIDE: Tampering<br>NIST: CA, SA, PM]
        G2[Compliance Drift<br>STRIDE: Repudiation<br>NIST: PL, CA, PM]
        G3[Silent Failures<br>STRIDE: DoS/Repudiation<br>NIST: SI, IR, AU]
    end

    %% === Flows ===
    D1 --> M1
    D2 --> M2
    D3 --> M3
    M1 --> A1
    M2 --> A2
    M3 --> A3
    A1 --> U1
    A2 --> U2
    A3 --> U4
    U1 --> G1
    U2 --> G2
    U3 --> G3
    U4 --> G1

    %% === Color Coding ===
    style D1 fill:#80cbc4,stroke:#00695c,stroke-width:2px,color:#000
    style D2 fill:#80cbc4,stroke:#00695c,stroke-width:2px,color:#000
    style D3 fill:#80cbc4,stroke:#00695c,stroke-width:2px,color:#000

    style M1 fill:#ef9a9a,stroke:#b71c1c,stroke-width:2px,color:#000
    style M2 fill:#ef9a9a,stroke:#b71c1c,stroke-width:2px,color:#000
    style M3 fill:#ef9a9a,stroke:#b71c1c,stroke-width:2px,color:#000
    style M4 fill:#ef9a9a,stroke:#b71c1c,stroke-width:2px,color:#000

    style A1 fill:#90caf9,stroke:#0d47a1,stroke-width:2px,color:#000
    style A2 fill:#90caf9,stroke:#0d47a1,stroke-width:2px,color:#000
    style A3 fill:#90caf9,stroke:#0d47a1,stroke-width:2px,color:#000

    style U1 fill:#b39ddb,stroke:#4527a0,stroke-width:2px,color:#000
    style U2 fill:#b39ddb,stroke:#4527a0,stroke-width:2px,color:#000
    style U3 fill:#b39ddb,stroke:#4527a0,stroke-width:2px,color:#000
    style U4 fill:#b39ddb,stroke:#4527a0,stroke-width:2px,color:#000

    style G1 fill:#ffe082,stroke:#ff6f00,stroke-width:2px,color:#000
    style G2 fill:#ffe082,stroke:#ff6f00,stroke-width:2px,color:#000
    style G3 fill:#ffe082,stroke:#ff6f00,stroke-width:2px,color:#000
```

---

# 🔑 How to Use

* Each **node** = Risk.
* Annotated with **STRIDE category** + **NIST family (AC, SC, SI, etc.)**.
* **Color palette** matches our AI/MLOps diagrams:

  * Teal → DataOps
  * Red → Models
  * Blue → Agents
  * Purple → Deployment
  * Amber → Governance

This makes it clear for **engineers** (who see the stack) and **auditors** (who see the controls).

---

✅ Now we’ve got a **visual Threat Vector Overlay** for our **AI Clinical Notes Scribe use case**, tied directly into **NIST 800-53 Rev 5 controls**, **STRIDE**, and **AI-specific risks**.




# Expanded master crosswalk to cover the full set of risks across all the frameworks in scope:

* **STRIDE**
* **DASF 2.0**
* **MITRE ATLAS**
* **IBM AI Risk Atlas**
* **NIST 800-53 Rev 5**

so we now have a **complete catalog of risks** for our Clinical Notes Scribe pipeline.

---

# 🛡️ Expanded Threat Vector Risk Catalog

### **A. DataOps Layer**

| **Risk**             | **STRIDE**      | **DASF**            | **MITRE ATLAS**                  | **IBM AI Risk Atlas**                      | **NIST 800-53 Rev 5** |
| -------------------- | --------------- | ------------------- | -------------------------------- | ------------------------------------------ | --------------------- |
| Data Poisoning       | Tampering       | Data Poisoning      | TA0029 Data Manipulation         | Data poisoning                             | SI-10, SA-11, SI-3    |
| PHI Leakage          | Info Disclosure | Privacy Leakage     | TA0040 Model Evasion             | Personal info exposure, Reidentification   | AC-3, SC-28, PL-8     |
| Ontology Drift       | Tampering       | Model Misalignment  | TA0022 Supply Chain Manipulation | Unrepresentative data, Improper retraining | SA-10, CM-2, CA-7     |
| Data Provenance Loss | Repudiation     | Data Integrity Risk | TA0022                           | Uncertain data provenance                  | AU-9, PL-8, SI-12     |
| Biased Training Data | Tampering       | Data Bias           | TA0029                           | Fairness (Discrimination)                  | RA-8, SA-11, PM-16    |

---

### **B. Model Layer**

| **Risk**                       | **STRIDE**           | **DASF**             | **MITRE ATLAS**            | **IBM AI Risk Atlas**               | **NIST**           |
| ------------------------------ | -------------------- | -------------------- | -------------------------- | ----------------------------------- | ------------------ |
| Prompt Injection               | Tampering            | Prompt Injection     | TA0010 Input Manipulation  | Prompt injection                    | SI-10, SC-23, RA-5 |
| Hallucination                  | Tampering/Disclosure | Unsafe Generation    | TA0042 Output Manipulation | Hallucination, Unexplainable output | SA-11, SI-4, SR-11 |
| Model Poisoning                | Tampering            | Training Poisoning   | TA0029                     | Data poisoning                      | SA-12, SI-7        |
| Overfitting / PHI Memorization | Disclosure           | Privacy Leakage      | TA0040 Model Evasion       | Membership inference, Data leakage  | PL-8, SC-28, SI-12 |
| Bias in Model Outputs          | Tampering            | Bias Amplification   | TA0042 Output Manipulation | Fairness, Discrimination            | RA-8, SA-11, PM-16 |
| Model Extraction               | Disclosure           | Model Theft          | TA0040                     | Extraction attack                   | SC-28, SI-4, SR-11 |
| Adversarial Inputs (Evasion)   | Tampering            | Adversarial Examples | TA0010                     | Evasion attack                      | SI-10, SC-23       |

---

### **C. Agent Layer**

| **Risk**                  | **STRIDE**         | **DASF**     | **MITRE ATLAS**       | **IBM AI Risk Atlas**                         | **NIST**          |
| ------------------------- | ------------------ | ------------ | --------------------- | --------------------------------------------- | ----------------- |
| Agent Bypass              | Elevation          | Model Misuse | TA0040                | Unauthorized use (Agent)                      | AC-6, IA-2        |
| Insider Threat            | Spoofing/Elevation | Misuse       | TA0017 Insider Threat | Accountability gap                            | AC-2, PS-3, AU-6  |
| Weak Auditability         | Repudiation        | Audit Gap    | TA0040                | Lack of transparency, Untraceable attribution | AU-2, AU-12       |
| Misaligned Agent Actions  | Tampering          | Agent Misuse | TA0042                | Value alignment gap                           | PL-2, SA-11, PM-9 |
| Over/Under-Reliance on AI | Repudiation        | HITL Failure | TA0042                | Over/under-reliance                           | AT-2, AC-2, AU-12 |

---

### **D. Deployment & Integration Layer**

| **Risk**             | **STRIDE**         | **DASF**             | **MITRE ATLAS**             | **IBM AI Risk Atlas**                   | **NIST**           |
| -------------------- | ------------------ | -------------------- | --------------------------- | --------------------------------------- | ------------------ |
| Unauthorized Access  | Spoofing/Elevation | Unauthorized Use     | TA0001 Initial Access       | Unauthorized use                        | AC-3, AC-17, SC-12 |
| Improper Integration | Tampering          | EHR Integration Risk | TA0022 Supply Chain         | Improper curation, Uncertain provenance | SA-10, SI-10, IA-5 |
| DoS Attack           | DoS                | Availability Attack  | TA0041 Resource Consumption | Computational inefficiency              | SC-5, SC-6         |
| Human Error          | Repudiation        | HITL Failure         | TA0042                      | Over/under-reliance                     | AT-2, AC-2, AU-12  |
| Insecure APIs        | Spoofing/Tampering | Integration Risk     | TA0001                      | API vulnerabilities                     | AC-3, SC-12, SI-10 |

---

### **E. Governance & Monitoring**

| **Risk**               | **STRIDE**      | **DASF**              | **MITRE ATLAS**      | **IBM AI Risk Atlas**                             | **NIST**           |
| ---------------------- | --------------- | --------------------- | -------------------- | ------------------------------------------------- | ------------------ |
| Model Drift            | Tampering       | Model Misuse          | TA0040               | Incomplete evaluation, Maintenance risk           | CA-7, SA-11, PM-9  |
| Compliance Drift       | Repudiation     | Reg. Non-Compliance   | TA0011 Policy Bypass | AI compliance gap                                 | PL-2, PL-8, CA-2   |
| Silent Failures        | DoS/Repudiation | Monitoring Gaps       | TA0040               | Lack of transparency, Incomplete usage definition | SI-4, IR-4, AU-6   |
| Lack of Explainability | Repudiation     | Interpretability Gaps | TA0042               | Explainability gap                                | SA-11, PL-8, PM-16 |
| Governance Failure     | Repudiation     | Policy Risk           | TA0011               | Governance, Accountability, Transparency          | PM-9, PL-2, CA-2   |

---

# 🔑 Observations

✅ Now all **critical AI risks** are captured across frameworks:

* **Data-level**: Poisoning, PHI, bias, provenance
* **Model-level**: Hallucination, extraction, adversarial inputs, memorization
* **Agent-level**: Bypass, insider misuse, misaligned actions
* **Deployment-level**: Unauthorized access, integration failures, insecure APIs, DoS, HITL risk
* **Governance-level**: Drift, compliance, explainability, monitoring gaps

✅ Each risk is mapped to:

* **STRIDE** → software threat type
* **DASF 2.0** → AI/ML risk lens
* **MITRE ATLAS** → adversary tactics
* **IBM AI Risk Atlas** → governance + generative/agent-specific lens
* **NIST 800-53 Rev 5** → compliance controls

---


In [3]:

```python
import pandas as pd

# Expanded Threat Vector Risk Catalog as structured data
# (Layer, Risk, STRIDE, DASF 2.0, MITRE ATLAS, IBM AI Risk Atlas, NIST 800-53 Rev 5 controls)
data = [
    # DataOps Layer
    ("DataOps", "Data Poisoning", "Tampering", "Data Poisoning", "TA0029 Data Manipulation", "Data poisoning", "SI-10, SA-11, SI-3"),
    ("DataOps", "PHI Leakage", "Info Disclosure", "Privacy Leakage", "TA0040 Model Evasion", "Personal info exposure, Reidentification", "AC-3, SC-28, PL-8"),
    ("DataOps", "Ontology Drift", "Tampering", "Model Misalignment", "TA0022 Supply Chain Manipulation", "Unrepresentative data, Improper retraining", "SA-10, CM-2, CA-7"),
    ("DataOps", "Data Provenance Loss", "Repudiation", "Data Integrity Risk", "TA0022", "Uncertain data provenance", "AU-9, PL-8, SI-12"),
    ("DataOps", "Biased Training Data", "Tampering", "Data Bias", "TA0029", "Fairness (Discrimination)", "RA-8, SA-11, PM-16"),

    # Model Layer
    ("Model", "Prompt Injection", "Tampering", "Prompt Injection", "TA0010 Input Manipulation", "Prompt injection", "SI-10, SC-23, RA-5"),
    ("Model", "Hallucination", "Tampering/Disclosure", "Unsafe Generation", "TA0042 Output Manipulation", "Hallucination, Unexplainable output", "SA-11, SI-4, SR-11"),
    ("Model", "Model Poisoning", "Tampering", "Training Poisoning", "TA0029", "Data poisoning", "SA-12, SI-7"),
    ("Model", "Overfitting / PHI Memorization", "Disclosure", "Privacy Leakage", "TA0040 Model Evasion", "Membership inference, Data leakage", "PL-8, SC-28, SI-12"),
    ("Model", "Bias in Model Outputs", "Tampering", "Bias Amplification", "TA0042 Output Manipulation", "Fairness, Discrimination", "RA-8, SA-11, PM-16"),
    ("Model", "Model Extraction", "Disclosure", "Model Theft", "TA0040", "Extraction attack", "SC-28, SI-4, SR-11"),
    ("Model", "Adversarial Inputs (Evasion)", "Tampering", "Adversarial Examples", "TA0010", "Evasion attack", "SI-10, SC-23"),

    # Agent Layer
    ("Agent", "Agent Bypass", "Elevation", "Model Misuse", "TA0040", "Unauthorized use (Agent)", "AC-6, IA-2"),
    ("Agent", "Insider Threat", "Spoofing/Elevation", "Misuse", "TA0017 Insider Threat", "Accountability gap", "AC-2, PS-3, AU-6"),
    ("Agent", "Weak Auditability", "Repudiation", "Audit Gap", "TA0040", "Lack of transparency, Untraceable attribution", "AU-2, AU-12"),
    ("Agent", "Misaligned Agent Actions", "Tampering", "Agent Misuse", "TA0042", "Value alignment gap", "PL-2, SA-11, PM-9"),
    ("Agent", "Over/Under-Reliance on AI", "Repudiation", "HITL Failure", "TA0042", "Over/under-reliance", "AT-2, AC-2, AU-12"),

    # Deployment Layer
    ("Deployment", "Unauthorized Access", "Spoofing/Elevation", "Unauthorized Use", "TA0001 Initial Access", "Unauthorized use", "AC-3, AC-17, SC-12"),
    ("Deployment", "Improper Integration", "Tampering", "EHR Integration Risk", "TA0022 Supply Chain", "Improper curation, Uncertain provenance", "SA-10, SI-10, IA-5"),
    ("Deployment", "DoS Attack", "DoS", "Availability Attack", "TA0041 Resource Consumption", "Computational inefficiency", "SC-5, SC-6"),
    ("Deployment", "Human Error", "Repudiation", "HITL Failure", "TA0042", "Over/under-reliance", "AT-2, AC-2, AU-12"),
    ("Deployment", "Insecure APIs", "Spoofing/Tampering", "Integration Risk", "TA0001", "API vulnerabilities", "AC-3, SC-12, SI-10"),

    # Governance Layer
    ("Governance", "Model Drift", "Tampering", "Model Misuse", "TA0040", "Incomplete evaluation, Maintenance risk", "CA-7, SA-11, PM-9"),
    ("Governance", "Compliance Drift", "Repudiation", "Regulatory Non-Compliance", "TA0011 Policy Bypass", "AI compliance gap", "PL-2, PL-8, CA-2"),
    ("Governance", "Silent Failures", "DoS/Repudiation", "Monitoring Gaps", "TA0040", "Lack of transparency, Incomplete usage definition", "SI-4, IR-4, AU-6"),
    ("Governance", "Lack of Explainability", "Repudiation", "Interpretability Gaps", "TA0042", "Explainability gap", "SA-11, PL-8, PM-16"),
    ("Governance", "Governance Failure", "Repudiation", "Policy Risk", "TA0011", "Governance, Accountability, Transparency", "PM-9, PL-2, CA-2"),
]

# Create DataFrame
df = pd.DataFrame(data, columns=[
    "Layer", "Risk", "STRIDE", "DASF 2.0", "MITRE ATLAS", "IBM AI Risk Atlas", "NIST 800-53 Rev 5 Controls"
])

# Save CSV
csv_path = "AI_Threat_Vector_Crosswalk.csv"
df.to_csv(csv_path, index=False)

csv_path
```

Out[3]:

```
'AI_Threat_Vector_Crosswalk.csv'
```

In [4]:

```python
import matplotlib.pyplot as plt
import seaborn as sns

# Two heatmaps over the crosswalk DataFrame `df` built in the previous cell:
# 1. Grouped by System Layer
# 2. Grouped by Framework Lens

# Assign severity values (Critical=4, High=3, Medium=2, Low=1).
# For simplicity, risks are mapped roughly by impact (to be tuned with SME input).
severity_map = {
    "Data Poisoning": 3,
    "PHI Leakage": 4,
    "Ontology Drift": 2,
    "Data Provenance Loss": 2,
    "Biased Training Data": 3,
    "Prompt Injection": 3,
    "Hallucination": 4,
    "Model Poisoning": 3,
    "Overfitting / PHI Memorization": 4,
    "Bias in Model Outputs": 3,
    "Model Extraction": 3,
    "Adversarial Inputs (Evasion)": 3,
    "Agent Bypass": 2,
    "Insider Threat": 4,
    "Weak Auditability": 2,
    "Misaligned Agent Actions": 3,
    "Over/Under-Reliance on AI": 2,
    "Unauthorized Access": 4,
    "Improper Integration": 3,
    "DoS Attack": 2,
    "Human Error": 2,
    "Insecure APIs": 3,
    "Model Drift": 3,
    "Compliance Drift": 4,
    "Silent Failures": 3,
    "Lack of Explainability": 3,
    "Governance Failure": 4,
}

df["Severity"] = df["Risk"].map(severity_map)

# 1. Heatmap by System Layer (mean severity of the risks in each layer)
layer_severity = df.groupby("Layer")["Severity"].mean().reset_index()

plt.figure(figsize=(8, 4))
sns.heatmap(layer_severity.set_index("Layer"), annot=True, cmap="YlOrRd",
            cbar_kws={'label': 'Severity'})
plt.title("AI Clinical Notes Scribe - Heatmap by System Layer")
plt.tight_layout()
plt_path_layer = "heatmap_by_layer.png"
plt.savefig(plt_path_layer)
plt.close()

# 2. Heatmap by Framework Lens: number of distinct mapping values each framework
#    lens contributes within a layer (how finely that lens discriminates the layer's risks)
frameworks = ["STRIDE", "DASF 2.0", "MITRE ATLAS", "IBM AI Risk Atlas", "NIST 800-53 Rev 5 Controls"]
framework_counts = {fw: [] for fw in frameworks}

for fw in frameworks:
    for layer in df["Layer"].unique():
        count = df[df["Layer"] == layer][fw].nunique()
        framework_counts[fw].append(count)

framework_df = pd.DataFrame(framework_counts, index=df["Layer"].unique())

plt.figure(figsize=(12, 6))
sns.heatmap(framework_df, annot=True, cmap="PuBuGn", cbar_kws={'label': 'Distinct Mapping Values'})
plt.title("AI Clinical Notes Scribe - Heatmap by Framework Lens per Layer")
plt.tight_layout()
plt_path_framework = "heatmap_by_framework.png"
plt.savefig(plt_path_framework)
plt.close()

plt_path_layer, plt_path_framework
```

Out[4]:

```
('heatmap_by_layer.png', 'heatmap_by_framework.png')
```


# 👥 User Interaction Diagram with Risks + Controls

```mermaid
sequenceDiagram
    participant C as 👩‍⚕️ Clinician
    participant STT as 🎙️ Speech-to-Text
    participant LLM as 🧠 Summarization Model
    participant SAFE as 🛡️ Safety Classifier
    participant UI as 🖥️ Review Interface
    participant EHR as 📂 EHR System

    C->>STT: Provides audio input
    Note over STT: Risk: Data Poisoning / PHI Leakage<br>Control: Input validation, encryption, RBAC

    STT->>LLM: Sends transcript
    Note over LLM: Risk: Prompt Injection / Hallucination<br>Control: Guardrails, ontology grounding, adversarial testing

    LLM->>SAFE: Draft notes
    Note over SAFE: Risk: Model Bias / Unsafe Generation<br>Control: Bias detection, explainability, classifier

    SAFE->>UI: Validated notes
    Note over UI: Risk: Insider Threat / Human Error<br>Control: HITL enforced, audit trails, RBAC

    UI->>C: Clinician reviews & approves
    C->>EHR: Submits approved notes
    Note over EHR: Risk: Unauthorized Access / Improper Integration<br>Control: FHIR validation, OAuth2 + mTLS, schema checks
```

---

# 🔑 Explanation

* **Speech-to-Text (STT)** → where **Data Poisoning** & **PHI Leakage** risks occur. Mitigated with **input validation + secure storage**.
* **LLM Summarization** → biggest AI attack surface: **Prompt Injection** + **Hallucination**. Needs **guardrails + grounding + adversarial testing**.
* **Safety Classifier** → must mitigate **Bias** + **Unsafe Output** before clinician sees it.
* **Review Interface** → risk of **Insider Threat** (staff misusing overrides) + **Human Error** (approving unsafe notes). Needs **RBAC + audit trails**.
* **EHR Integration** → risk of **Unauthorized Access** or **Improper Mapping**. Needs **Zero Trust API security + schema validation**.

---



# 👥 User Interaction Diagram with Risks + Controls + Severity

```mermaid
sequenceDiagram
    participant C as 👩‍⚕️ Clinician
    participant STT as 🎙️ Speech-to-Text
    participant LLM as 🧠 Summarization Model
    participant SAFE as 🛡️ Safety Classifier
    participant UI as 🖥️ Review Interface
    participant EHR as 📂 EHR System

    C->>STT: Provides audio input
    Note over STT: ⚠️ Critical: PHI Leakage<br>🟥 High: Data Poisoning<br>Controls: Input validation, de-ID, RBAC, encryption

    STT->>LLM: Sends transcript
    Note over LLM: ⚠️ Critical: Hallucination<br>🟥 High: Prompt Injection<br>Controls: Guardrails, ontology grounding, adversarial testing

    LLM->>SAFE: Draft notes
    Note over SAFE: 🟥 High: Model Bias / Unsafe Generation<br>Controls: Bias detection, classifier, explainability hooks

    SAFE->>UI: Validated notes
    Note over UI: ⚠️ Critical: Insider Threat<br>🟧 Medium: Human Error<br>Controls: RBAC, MFA, audit trails, enforced HITL review

    UI->>C: Clinician reviews & approves
    C->>EHR: Submits approved notes
    Note over EHR: ⚠️ Critical: Unauthorized Access<br>🟥 High: Improper Integration<br>Controls: OAuth2 + mTLS, FHIR schema validation, API gateway
```

---

# 🔑 Severity Coding

* **⚠️ Critical** = must-have controls (e.g., PHI leakage, hallucination, insider threat, unauthorized access).
* **🟥 High** = strong mitigation needed, but with lower impact if contained (e.g., data poisoning, prompt injection, bias).
* **🟧 Medium** = important, but secondary to Critical/High (e.g., human error).
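The Review Interface controls from the interaction diagram (ontology grounding as a hallucination guardrail, UI risk flags, RBAC on approval, enforced HITL review, audit trails) combined with the severity coding above, as an added example rather than code from the original page. The ICD-10 grounding table, the approver role names and the audit event format are constructed assumptions.

```python
import hashlib
from collections import namedtuple
from datetime import datetime, timezone

# Constructed ontology subset: allowed ICD-10 codes -> transcript terms that ground them.
ICD10_GROUNDING = {
    "E11.9": ("type 2 diabetes", "diabetes mellitus"),
    "I10": ("hypertension", "high blood pressure"),
    "J45.909": ("asthma",),
}
APPROVER_ROLES = {"attending_physician", "nurse_practitioner"}  # RBAC, constructed roles
GENESIS = "0" * 64

RiskFlag = namedtuple("RiskFlag", "flag_id severity detail")  # flag_id is what a clinician overrides
AuditEvent = namedtuple("AuditEvent", "ts actor role action note_id prev_hash event_hash")

def ground_codes(transcript, icd10_codes):
    """Hallucination guardrail: Critical flag for any ICD-10 tag outside the ontology
    or with no supporting term in the transcript (ontology grounding)."""
    flags, text = [], transcript.lower()
    for code in icd10_codes:
        terms = ICD10_GROUNDING.get(code)
        if terms is None:
            flags.append(RiskFlag(f"Hallucination:{code}", "Critical", "not in allowed ontology"))
        elif not any(t in text for t in terms):
            flags.append(RiskFlag(f"Hallucination:{code}", "Critical", "no supporting term in transcript"))
    return flags

def _event_hash(prev, ts, actor, role, action, note_id):
    return hashlib.sha256(f"{prev}|{ts}|{actor}|{role}|{action}|{note_id}".encode()).hexdigest()

class ReviewGate:
    """Enforced HITL: a draft is released to the EHR only when an authorised role approves
    it and every Critical flag carries an explicit override; all steps are hash-chained."""
    def __init__(self):
        self.audit, self.pending, self.released = [], {}, []

    def _log(self, actor, role, action, note_id):
        prev = self.audit[-1].event_hash if self.audit else GENESIS
        ts = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(ts, actor, role, action, note_id, prev,
                                     _event_hash(prev, ts, actor, role, action, note_id)))

    def submit_draft(self, note_id, transcript, icd10_codes):
        # Scribe output enters the review queue together with its UI risk flags.
        flags = self.pending[note_id] = ground_codes(transcript, icd10_codes)
        self._log("llm-scribe", "system", f"draft:{len(flags)} flag(s)", note_id)
        return flags

    def approve(self, note_id, actor, role, overrides=None):
        """Return True only if the note may be released to the EHR."""
        overrides = overrides or {}  # flag_id -> clinician's stated reason
        if role not in APPROVER_ROLES or note_id not in self.pending:
            self._log(actor, role, "approve:DENIED (role or unknown draft)", note_id)
            return False
        open_critical = [f for f in self.pending[note_id] if f.severity == "Critical" and f.flag_id not in overrides]
        if open_critical:  # blocks an unsafe approval: Critical flags must be addressed, not skipped
            self._log(actor, role, f"approve:DENIED ({len(open_critical)} critical unresolved)", note_id)
            return False
        for flag_id, reason in overrides.items():  # overrides are attributable, never silent
            self._log(actor, role, f"override:{flag_id}:{reason}", note_id)
        self._log(actor, role, "approve:RELEASED", note_id)
        self.pending.pop(note_id)
        self.released.append(note_id)
        return True

    def verify_audit_chain(self):
        # Recompute the chain; an edited or deleted event breaks verification.
        prev = GENESIS
        for e in self.audit:
            if e.prev_hash != prev or e.event_hash != _event_hash(prev, e.ts, e.actor, e.role, e.action, e.note_id):
                return False
            prev = e.event_hash
        return True
```

A draft with an ungrounded code is held until an approver with an allowed role records a reason for each Critical flag, and the chained log lets an auditor detect any later edit to who approved what.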

---


We can combine the **User Interaction Risk Diagram** with the **Multi-Layer Heatmap** into a **two-pane artifact**.

The idea is:

* **Left pane (sequence diagram)** → shows **where in the user workflow risks occur**, tagged with severity + controls.
* **Right pane (heatmap)** → shows **system-level risk concentration by layer** (DataOps, Model, Agent, Deployment, Governance).

---

# 📊 Combined Artifact (Workflow + Heatmap)

```mermaid
%% Left Pane: User Interaction with Severity
sequenceDiagram
    participant C as 👩‍⚕️ Clinician
    participant STT as 🎙️ Speech-to-Text
    participant LLM as 🧠 Summarization Model
    participant SAFE as 🛡️ Safety Classifier
    participant UI as 🖥️ Review Interface
    participant EHR as 📂 EHR System

    C->>STT: Provides audio input
    Note over STT: ⚠️ Critical: PHI Leakage<br>🟥 High: Data Poisoning<br>Controls: Input validation, de-ID, RBAC, encryption

    STT->>LLM: Sends transcript
    Note over LLM: ⚠️ Critical: Hallucination<br>🟥 High: Prompt Injection<br>Controls: Guardrails, ontology grounding, adversarial testing

    LLM->>SAFE: Draft notes
    Note over SAFE: 🟥 High: Model Bias / Unsafe Generation<br>Controls: Bias detection, classifier, explainability hooks

    SAFE->>UI: Validated notes
    Note over UI: ⚠️ Critical: Insider Threat<br>🟧 Medium: Human Error<br>Controls: RBAC, MFA, audit trails, enforced HITL review

    UI->>C: Clinician reviews & approves
    C->>EHR: Submits approved notes
    Note over EHR: ⚠️ Critical: Unauthorized Access<br>🟥 High: Improper Integration<br>Controls: OAuth2 + mTLS, FHIR schema validation, API gateway
```

---

### 🔥 Heatmap (Right Pane)

We already have this generated as an image — here’s the link:
📂 [Download Heatmap by Layer](heatmap_by_layer.png)

---

# 🔑 How to Present

* Use **two-pane slides or dashboard view**:

  * **Left (Workflow Threats)** → Shows clinicians where in their workflow risks are surfaced + what protections exist.
  * **Right (System Heatmap)** → Shows technical teams where the risk *concentration* lies in the architecture.

Together, this forms a **narrative**:

1. Risks emerge naturally in the clinician → AI → EHR workflow.
2. Heatmap confirms where we must prioritize **controls & governance investments**.

---


