L2.2.1 — Mapping the AI attack surface: the five planes¶
Type: Theory · Duration: ~4 min · Status: Mandatory
Module: Module 2 — AI Security Foundations
Framework tags: foundational — maps to MITRE ATLAS tactics; supports NIST AI RMF Map 1.1
Learning objectives¶
By the end of this lesson, the learner can:
1. Name the five attack-surface planes of an AI system: model, data, infrastructure, application, supply chain.
2. State why "AI attack surface" is bigger than "LLM attack surface" — even an LLM-only product has all five planes.
Core content¶
When people say "AI attack surface," they often mean "the model's input/output interface." That's one plane. A complete map has five.
```text
┌──────────────────────┐
│  Application plane   │ ← user, agent, tools, UI
└──────────┬───────────┘
           │
┌──────────▼───────────┐
│     Model plane      │ ← weights, tokenizer, decoding
└──────────┬───────────┘
           │
┌──────────▼───────────┐
│      Data plane      │ ← training, fine-tune, retrieval
└──────────┬───────────┘
           │
┌──────────▼───────────┐
│ Infrastructure plane │ ← compute, network, secrets
└──────────┬───────────┘
           │
┌──────────▼───────────┐
│  Supply chain plane  │ ← libs, weights, datasets, vendors
└──────────────────────┘
```
The five planes:
- Model plane. The trained weights, tokenizer, decoding configuration. Attacks here include adversarial examples, model extraction, prompt injection (at the inference interface), backdoor triggers in weights.
- Data plane. Training data, fine-tune data, the retrieval corpus, embeddings stored in a vector DB, evaluation data, preference data. Attacks: poisoning, label flipping, retrieval-corpus injection, embedding-DB exfiltration.
- Infrastructure plane. Compute (GPUs, training clusters), the network the model runs on, secret stores for API keys, container runtime. Same surface as classical infra — compromise here gives you everything above.
- Application plane. The product wrapped around the model: user interface, prompt templates, tool definitions, guardrails, output renderers. Most OWASP LLM Top 10 entries live here.
- Supply chain plane. Every external artifact the system depends on — base model weights, fine-tune datasets, embedding models, Python packages, vector DB binaries, agent frameworks. Compromise here also affects everything above; OWASP LLM05.
Every AI system has all five — even a single-page LLM-only product. The model came from somewhere (supply chain), the prompts came from somewhere (application), the API key sits somewhere (infrastructure), the model talks to user input (data), and the model itself is the model (model). When you walk into a new project, name the planes first; gaps become visible immediately.
Real-world example¶
EchoLeak in M365 Copilot (2025) touched four plane hops in one chain (three distinct planes, with the application plane hit twice): the application plane (Copilot UI accepted untrusted email content), the data plane (email content reached the prompt via retrieval), the model plane (the LLM followed the injected instructions), and the application plane again (Copilot's tools executed the action and rendered markdown that exfiltrated data). Defending only "the model" would have caught zero of these.
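The "name the planes first; gaps become visible" step and the EchoLeak chain above, as an added worked example (not code from the lesson or from Microsoft): an inventory of controls tagged by plane, a gap report for the planes nobody covers, and the EchoLeak chain written as plane hops so a model-only defence can be checked against it. The control names and the step text are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Plane(Enum):
    APPLICATION = "application"
    MODEL = "model"
    DATA = "data"
    INFRASTRUCTURE = "infrastructure"
    SUPPLY_CHAIN = "supply chain"

@dataclass(frozen=True)
class Control:
    name: str
    plane: Plane  # the one plane this control actually sits on

def uncovered_planes(controls):
    """Planes with no control at all: the gaps that show up once the planes are named."""
    covered = {c.plane for c in controls}
    return [p for p in Plane if p not in covered]

def planes_touched(chain):
    """Distinct planes a cross-plane chain passes through (a chain may revisit a plane)."""
    return {plane for _, plane in chain}

def unguarded_hops(chain, controls):
    """Hops of the chain on a plane with no control. A covered plane is not proof the hop
    is stopped; it only means there is something on that plane to test against the hop."""
    covered = {c.plane for c in controls}
    return [(step, plane) for step, plane in chain if plane not in covered]

# Constructed sample: a team that defends "the model" only. Control names are assumptions.
MODEL_ONLY_CONTROLS = [
    Control("input classifier in front of the LLM", Plane.MODEL),
    Control("output filter behind the LLM", Plane.MODEL),
]

# The EchoLeak chain from the lesson written as plane hops (step text paraphrased).
ECHOLEAK_CHAIN = [
    ("Copilot UI accepts untrusted email content", Plane.APPLICATION),
    ("email content reaches the prompt via retrieval", Plane.DATA),
    ("LLM follows the injected instructions", Plane.MODEL),
    ("tools act and render markdown that exfiltrates data", Plane.APPLICATION),
]

if __name__ == "__main__":
    print("planes with no control:", [p.value for p in uncovered_planes(MODEL_ONLY_CONTROLS)])
    print("distinct planes:", len(planes_touched(ECHOLEAK_CHAIN)), "hops:", len(ECHOLEAK_CHAIN))
    for step, plane in unguarded_hops(ECHOLEAK_CHAIN, MODEL_ONLY_CONTROLS):
        print(f"unguarded [{plane.value}]: {step}")
```

Run against the model-only control set, the gap report lists the other four planes and three of the four EchoLeak hops land on planes with no control at all.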
Key terms¶
- Plane — a coherent layer of the AI system, distinguished by who controls it and which attacks live there.
- Cross-plane chain — an attack that traverses multiple planes; the realistic shape of production AI incidents.
References¶
- MITRE ATLAS — https://atlas.mitre.org/ (tactics decompose to plane-aware techniques)
- OWASP Top 10 for LLM Applications — https://owasp.org/www-project-top-10-for-large-language-model-applications/
Quiz items¶
- Q: Name the five attack-surface planes. A: Model, data, infrastructure, application, supply chain.
- Q: Why is "AI attack surface" larger than "LLM input/output"? A: Because the model is only one of five planes; data, infra, app, and supply-chain attacks all affect the LLM system even when the model itself is unchanged.
Video script (~440 words, ~3.5 min)¶
[SLIDE 1 — Title]
Four minutes. When people say "AI attack surface," they often mean "the model's input/output interface." That's one plane. A complete map has five. By the end of this lesson, you'll be able to walk into any AI project and name all five planes.
[SLIDE 2 — The five planes stack]
Picture five stacked planes. From the user down: application plane — the UI, agent, tools, prompt templates. Model plane — the trained weights, tokenizer, decoding. Data plane — the training data, fine-tune data, retrieval corpus, vector DB. Infrastructure plane — the compute, the network, the secrets. Supply chain plane — every external artifact the system depends on. Five planes. Always.
[SLIDE 3 — Application plane]
Application plane attacks. Most of the OWASP LLM Top 10 lives here. Prompt injection at the user input. Insecure output handling at the renderer. Excessive agency at the tool layer. This is the plane your application team owns end-to-end.
[SLIDE 4 — Model plane]
Model plane attacks. Adversarial examples. Model extraction via API queries. Backdoor triggers planted in the weights you don't see. Prompt injection at the inference interface, treated as a model-plane phenomenon when you study the mechanism, even though it's exploited at the application plane.
[SLIDE 5 — Data plane]
Data plane attacks. Poisoning of training data. Label flipping. Retrieval-corpus injection — the indirect prompt injection vector. Vector DB exfiltration with embedding-leak attacks. If your application uses RAG, the data plane is enormous.
[SLIDE 6 — Infrastructure plane]
Infrastructure plane. Same surface as classical infra — compromise here gives you everything above. GPUs, training clusters, the K8s namespace your model serves out of, the secret store with your API keys. Don't reinvent classical infrasec; do remember to scope it to include the AI artifacts.
[SLIDE 7 — Supply chain plane]
Supply chain plane. Every external artifact: base model weights, fine-tune datasets, embedding models, Python packages, vector DB binaries, agent frameworks. Compromise here also affects everything above. OWASP LLM05 lives here. Module 4 is about this plane.
[SLIDE 8 — Every AI system has all five]
Every AI system has all five planes. Even a single-page LLM-only product. The model came from somewhere — supply chain. The prompts came from somewhere — application. The API key sits somewhere — infrastructure. The model talks to user input — data. And the model itself is the model. When you walk into a new project, name the planes first. Gaps become visible immediately.
[SLIDE 9 — EchoLeak walk-through]
EchoLeak in M365 Copilot, 2025, touched four plane hops in one chain, across three distinct planes. App — Copilot UI accepted untrusted email. Data — content reached the prompt via retrieval. Model — the LLM followed injected instructions. App again — tools executed the action and rendered markdown that exfiltrated. Defending only "the model" would have caught zero of these.
[SLIDE 10 — Up next]
Next two lessons we go deep on each plane. See you there.
Slide outline¶
- Title — "Mapping the AI attack surface: the five planes".
- Five planes stack — the diagram from the lesson body.
- Application plane — small slide, sample attacks listed.
- Model plane — same shape.
- Data plane — same shape, RAG architecture sketch as backdrop.
- Infrastructure plane — classical infra icons + AI-specific callouts.
- Supply chain plane — dep-tree visual with attacker nodes.
- Every AI system has all five — single-page LLM product, all five planes annotated.
- EchoLeak walk-through — incident sketch with four planes color-coded.
- Up next — "L2.2.2 — Model & data planes in depth, ~5 min."
Production notes¶
- Recording: ~3.5 min target. Hard cap 5.
- Slide 2 (the stack) is the visual the rest of the course will reference. Make it clean enough to reuse.