AMIE — agentic threat model
AMIE presents a high-consequence risk profile due to its medical diagnostic capabilities, where reasoning errors or adversarial manipulation of multimodal inputs (like ECGs or medical images) could lead to severe patient harm. However, its current status as a non-deployed research system mitigates immediate operational risk.
OWASP AIVSS score rationale
| Agentic risk factor | Score | Notes |
| --- | --- | --- |
| Autonomy of Action | 0.20 | |
| Goal-Driven Planning | 0.50 | |
| Self-Modification | 0.10 | |
| Dynamic Tool Use | 0.30 | |
| Persistent Memory | 0.40 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.10 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.70 | |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference); the agentic risk factor values are estimates derived from the agent's publicly described capabilities, not from hands-on testing.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "not certain from the listing" carry general, caveated commentary because the public description does not pin down that layer.
Layer 1 (Foundation Models): Built on Gemini 2.0 Flash. Highly exposed to adversarial examples in multimodal inputs (e.g., subtly altered skin photos or ECGs that steer the model toward a misdiagnosis) and to prompt injection that could disrupt clinical reasoning.
Layer 2 (Data Operations): Not certain from the listing. Details on training data curation, RAG, or protections against poisoning of the medical knowledge base are not specified, but poisoning of reference clinical data would be a critical threat to diagnostic integrity.
Layer 3 (Agent Frameworks): Uses a state-aware reasoning framework to manage clinical dialogue. Threats include state-tracking manipulation, where an attacker forces the agent into incorrect clinical assumptions or diagnostic dead ends.
Layer 4 (Deployment and Infrastructure): Not certain from the listing. Hosting infrastructure details are not provided, though as a Google Research/DeepMind project it likely runs on Google Cloud infrastructure. Threats include unauthorized access to sensitive diagnostic sessions if they are stored or transmitted unencrypted.
Layer 5 (Evaluation and Observability): Evaluated using Objective Structured Clinical Examinations (OSCEs). Threats include evaluation gaming, where the model optimizes for OSCE metrics rather than real-world clinical safety, and the absence of real-time monitoring for clinical drift.
Layer 6 (Security and Compliance): Not certain from the listing. Specific compliance frameworks (such as HIPAA or GDPR) and patient data privacy controls are not detailed; both are prerequisites for any real-world clinical deployment.
Layer 7 (Agent Ecosystem): Currently operates as a standalone diagnostic research system with no multi-agent or marketplace interactions described, which minimizes ecosystem-level threats.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).