Ben Okonkwo: Jonathan, good to be back — I spent part of this week reading about Wes Eklund's threat boundary model and I genuinely could not find an institution behind it. Like, who is this person?
Jonathan Ingles: That's the tell. That's the whole thing in one detail.
Ben Okonkwo: Meaning what, exactly?
Jonathan Ingles: Meaning we are building AI security governance on top of what might be a single practitioner's GitHub thinking — and nobody stopped to ask whether that's institutional knowledge or just a very good markdown file. Which, actually, is a perfect segue, because a markdown file is also what beat every security model these enterprises thought they had. One GitHub issue, no credentials, no code exploit — an AI agent handed over private repository contents because a markdown prompt told it to.
Ben Okonkwo: Wait — no vulnerability in the code at all?
Jonathan Ingles: None. That's what STRIDE can't see. Microsoft designed STRIDE for deterministic systems — Spoofing, Tampering, the six categories, fixed trust boundaries you draw before the system runs. Prompt injection doesn't live in any of those boxes cleanly. Preamble first disclosed this class of attack to OpenAI in May 2022 and it's only gotten more hybrid since — XSS layered on top, CSRF, multi-vector. The frameworks chasing it — ASTRIDE, STRIDE-AI, Eklund's four boundaries — they're all arriving after the fact.
Ben Okonkwo: So your argument is the framework race is documentation, not defense.
Jonathan Ingles: I'm saying it's deniability. There's a difference.
Ben Okonkwo: Okay but — I want to push on that, because calling it deniability implies the frameworks are worthless, and I'm not sure that holds. Because Eklund's four boundaries actually name surfaces that classical STRIDE literally cannot see. Not 'sees poorly.' Cannot see.
Jonathan Ingles: Walk me through it.
Ben Okonkwo: Think of it this way. Classical security checks the locks on your doors. Eklund's insight is that in agentic AI, the building itself decides which rooms count as 'outside' each time someone walks through. So no static lock list ever covers it — the perimeter is being redrawn at runtime, every inference cycle.
Jonathan Ingles: That's the RAG-to-context boundary.
Ben Okonkwo: Exactly — and here's why it matters mechanically. A poisoned document in your retrieval pipeline manipulates the model without touching a single line of code. No exploit, no credential theft. You just... corrupt what gets retrieved, and the model reasons on tainted context. That's context poisoning, and classical STRIDE has no category for it because classical STRIDE assumes the data in your system arrived through a boundary you already drew.
Jonathan Ingles: And the model-output-to-tools boundary is the one that actually terrifies me more.
Ben Okonkwo: Right — because there, the model's own inference decides which tool gets called and with what parameters. Not a policy file. Not an access-control list. A probability distribution. No deterministic ACL was ever designed to govern that decision point, so 'block unauthorized access' doesn't even parse as a meaningful instruction.
Jonathan Ingles: So is it actually solvable or are we just drawing better maps of a territory we can't control?
Ben Okonkwo: Now, this is where I'd actually push back on the fatalism — because there's a real data point. A healthcare technology company deployed nine autonomous AI agents in production under HIPAA with a six-domain zero-trust architecture. Meaning every agent, every boundary, continuous verification. It worked. But the catch — and this is load-bearing — they architected for it before shipping. Not patched in. Built in from day one.
Jonathan Ingles: Built in from day one — and that's actually where the prompt injection timeline becomes damning, because Preamble disclosed this whole attack class to OpenAI in May 2022. That was three years ago. So every agentic deployment that shipped without that architecture baked in had no excuse.
Ben Okonkwo: Right, but — okay, what changed between 2022 and now isn't just maturity. It's the attack surface itself. What Preamble found was essentially a single-vector problem. What we have now is Prompt Injection 2.0 — XSS fused with LLM manipulation, CSRF layered on top. Multi-vector by design.
Jonathan Ingles: And that combination is specifically what evades traditional controls. Because your WAF is looking for malformed HTML, not a sentence that tells an agent to reinterpret its own instructions.
Ben Okonkwo: Exactly — and agentic systems make the blast radius genuinely different. One injected instruction doesn't stay local. It propagates. Tool call to tool call, then across agent-to-agent communication. The thing that started as one poisoned input is now... I mean, it's reshaping what every downstream agent thinks its context is.
Jonathan Ingles: Which is precisely why ASTRIDE invented a whole new letter.
Ben Okonkwo: The 'A' category. And it's not decorative — instruction manipulation, unsafe reasoning-driven tool use, misuse of agent memory, opaque agent-to-agent communication. That's ASTRIDE saying: these four failure modes did not exist in classical STRIDE's universe at all. Published formally at the International Conference on Wireless Communications and Mobile Computing, 2025.
Jonathan Ingles: And STRIDE-AI lands in the same place from a completely different angle — it's bridging NIST AI RMF with OWASP LLM Top 10 because neither one alone can hold the threat. Three independent frameworks, same structural conclusion.
Ben Okonkwo: That convergence is actually the kernel. That's your partial win, frankly.
Jonathan Ingles: The gap in classical STRIDE is real. I'll take it. The part I'd still push on — and we'll get to this — is whether any of that convergence matters when a majority of organizations deploying AI still have no dedicated security strategy at all.
Ben Okonkwo: Three frameworks documenting the same problem, and none of them are actually running anywhere. Yeah. That's the part that doesn't resolve.
Jonathan Ingles: And here's what that actually means — not 'the frameworks aren't deployed yet.' It means the incident record is the current state of the art. Not ASTRIDE. Not STRIDE-AI. What happened. What got logged. What got quietly patched in a healthcare system or a trading desk and never disclosed.
Ben Okonkwo: That's — yeah. That's the defensible version of your deniability argument, actually.
Jonathan Ingles: Because three independent frameworks — ASTRIDE, STRIDE-AI, Eklund's four boundaries — they all converge on the same structural diagnosis. That's not fragmentation anymore. That's consensus. And yet a majority of organizations running AI in production have no dedicated security strategy. So the knowledge gap closed. The implementation gap is the thing that's widening.
Ben Okonkwo: Now — I want to be precise about what 'implementation gap' means, because I don't think it's just inertia. The meaningful human control problem is structural. In a multi-agent chain, by the time a human could intervene, the downstream agents have already acted on tainted context. You can't verify in advance what you can't predict.
Jonathan Ingles: Finance, healthcare, critical infrastructure — those aren't pilots. Those are live.
Ben Okonkwo: Right — and that's actually where I'd commit to the stronger claim. Not 'the frameworks might converge eventually.' The calibrated take is this: three simultaneous, independent extensions of STRIDE correctly diagnosed the problem, none achieved institutional adoption, and the systems they were meant to govern are already in production. So — yeah — the incident record is doing the work the frameworks were supposed to do.
Jonathan Ingles: The patient is already in surgery and we're still arguing over which scalpel is correct.
Ben Okonkwo: And no authoritative body has adjudicated which decomposition is right. Not NIST, not OWASP, not anyone. That's the verdict — comprehensive diagnosis, zero agreed treatment, and the ThreatGPT-style tools enabling non-experts to threat-model systems they don't fully understand yet. We've democratized the map. We haven't agreed on the territory.
Jonathan Ingles: Frankly, the most honest thing I can say at the end of this is — the frameworks aren't pure deniability. That's too harsh. They're probably the most coherent thing the industry has produced. Which is exactly the problem. The most coherent response we have to agentic AI in healthcare and finance is a model that might be one practitioner's GitHub repo.
Ben Okonkwo: Half-conceding, though. That matters.
Jonathan Ingles: Sure. But the question that doesn't get asked — and no one wants to ask it — is whether deploying agentic systems in finance and healthcare before any framework achieves institutional traction is actually a technical decision. Because I don't think it is. I think it's a liability calculation. And right now the only honest answer to 'is this safe' is: check the incident record.
Ben Okonkwo: Yeah. That's — I think that's where we actually landed. Not which framework wins. Whether the deployment decision precedes the answer to that question. And it does. Every time.
Jonathan Ingles: Good place to stop. Genuinely.