
Glean — agentic threat model

AIVSS 7.5 · High

Glean presents a high-risk profile due to its role as a centralized enterprise knowledge aggregator with deep access to diverse company data sources. While its permissions-aware architecture mitigates some unauthorized access, a compromise of the platform or its custom agents could lead to widespread data exfiltration and privilege escalation.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM

CVSS base: 8.5
AARS uplift: 0.9
Factor sum: 6.0 / 10
Threat multiplier (ThM): ×1.0
Mitigation factor: ×0.8
Agentic risk factors:

Autonomy of Action: 0.60
Goal-Driven Planning: 0.50
Self-Modification: 0.10
Dynamic Tool Use: 0.70
Persistent Memory: 0.80
Contextual Awareness: 0.90
Dynamic Identity: 0.60
Multi-Agent Interactions: 0.50
Non-Determinism: 0.60
Opacity & Reflexivity: 0.70

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
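To make the score above reproducible, here is an added example (not part of the listing or of the OWASP calculator) that evaluates the stated AIVSS formula over the ten published factor values; the qualitative bands are assumed to follow the CVSS ratings (7.0–8.9 is High), and the validation limits are the example's own.

```python
from dataclasses import dataclass

# Agentic risk factors exactly as scored on this listing.
GLEAN_FACTORS = {
    "Autonomy of Action": 0.60,
    "Goal-Driven Planning": 0.50,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.70,
    "Persistent Memory": 0.80,
    "Contextual Awareness": 0.90,
    "Dynamic Identity": 0.60,
    "Multi-Agent Interactions": 0.50,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.70,
}


@dataclass(frozen=True)
class AivssBreakdown:
    factor_sum: float  # sum of the ten factors (0..10)
    aars: float        # agentic uplift added to the CVSS base
    aivss: float       # final score, rounded to one decimal
    severity: str


def qualitative(score: float) -> str:
    # Assumption: AIVSS reuses the CVSS qualitative severity bands.
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def aivss(cvss_base: float, factors: dict, thm: float = 1.0,
          mitigation: float = 1.0) -> AivssBreakdown:
    """AIVSS = (CVSS_Base + AARS) * Mitigation, AARS = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be within 0..10")
    if len(factors) != 10 or any(not 0.0 <= v <= 1.0 for v in factors.values()):
        raise ValueError("expected ten agentic factors, each within 0..1")
    if not 0.0 < mitigation <= 1.0:
        raise ValueError("mitigation factor must be within (0, 1]")
    factor_sum = sum(factors.values())
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * thm
    score = round((cvss_base + aars) * mitigation, 1)
    return AivssBreakdown(factor_sum, aars, score, qualitative(score))


if __name__ == "__main__":
    listed = aivss(8.5, GLEAN_FACTORS, thm=1.0, mitigation=0.8)
    raw = aivss(8.5, GLEAN_FACTORS)  # same inputs with no mitigation credit
    print(f"as listed: {listed.aivss} ({listed.severity}); unmitigated: {raw.aivss} ({raw.severity})")
```

Running the unmitigated case shows how much of the High rating rests on the ×0.8 credit given to the permissions-aware architecture.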

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — Glean uses generative AI capabilities but does not specify the underlying foundation models (e.g., GPT-4, Claude, or proprietary models). Potential threats include model misalignment, prompt injection, and adversarial inputs affecting search/generation.

L2 · Data Operations (✓ mapped)

Glean builds a comprehensive enterprise knowledge graph across various company data sources. Key threats include data poisoning of the knowledge graph, embedding inversion, and unauthorized data exfiltration if data pipeline integrity is compromised.

L3 · Agent Frameworks (✓ mapped)

Supports custom AI apps and agents to automate work processes. Threats include insecure tool integration, prompt injection leading to unauthorized tool execution, and memory poisoning within custom agent workflows.

L4 · Deployment & Infrastructure (⚠ not certain from listing)

Not certain from the listing — the hosting infrastructure (SaaS vs. VPC deployment) is not detailed. Standard threats include container compromise, lateral movement within the enterprise network, and insecure API endpoints connecting to data sources.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — no specific evaluation, monitoring, or observability frameworks are mentioned. Gaps here could lead to undetected prompt injection, data drift, or silent failures in search accuracy.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

Glean explicitly features 'permissions-aware access' to respect enterprise data boundaries. The primary threat is authorization bypass or privilege escalation, where a user accesses sensitive data via LLM synthesis that they cannot access directly.

L7 · Agent Ecosystem (✓ mapped)

Allows creation of custom AI apps and agents. Threats include rogue or compromised custom agents interacting with the broader enterprise knowledge graph, leading to cascading data leaks or unauthorized actions across connected systems.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).