AI SaMD Playbook

    AI threat model builder

    Pick a model type, deployment, and data mode. Get a STRIDE register of the AI-specific threats reviewers now expect to see enumerated · poisoning, evasion, extraction, inversion, prompt injection · mapped to FDA Feb 2026 cybersecurity guidance, IMDRF GMLP, and EU AI Act Article 15.

    9 applicable threats · 5 STRIDE categories
    Spoofing · 1 threat

    Identity spoofing of inference client

    Scenario · Unauthorised actor impersonates a clinician account or device to obtain predictions on real patient data.

    Mitigation · Mutual TLS or OIDC at inference endpoint, per-clinician identity binding, MFA, session attestation logs.

    FDA Feb 2026 cyber §IV.C; HIPAA §164.312(d).

    Tampering · 3 threats

    Training-data poisoning

    Scenario · Adversary injects mislabeled or backdoored samples into training or retraining data so the deployed model misclassifies a targeted input class.

    Mitigation · Dataset provenance log, hash-anchored snapshots, statistical outlier detection on retraining batches, hold-out poison canaries, signed dataset releases.

    FDA Feb 2026 cyber §V.D; GMLP #3, #4; EU AI Act Art. 15(4).
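The batch-screening part of that mitigation, as an added example that is not code from the playbook: a hash-anchored snapshot digest of the retraining batch, a z-test of the batch's class shares against the baseline prior, and a per-class feature-mean shift test that catches label flips (benign-looking samples relabelled malignant drag the malignant mean away from baseline). The baseline statistics, both batches, the single scalar feature and the z_limit of 4.0 are constructed for illustration.

```python
import hashlib
import json
import math
from collections import Counter

# Constructed baseline, standing in for the statistics recorded on the cleared
# training set: class priors and per-class (mean, std) of one scalar feature.
BASELINE = {
    "class_prior": {"benign": 0.80, "malignant": 0.20},
    "feature_stats": {"benign": (0.30, 0.05), "malignant": (0.70, 0.05)},
}

# Constructed retraining batches. The poisoned batch is the clean batch with
# 20 benign-looking samples relabelled malignant (a label-flip poisoning).
CLEAN_BATCH = (
    [{"id": i, "x": 0.30, "label": "benign"} for i in range(80)]
    + [{"id": 80 + i, "x": 0.70, "label": "malignant"} for i in range(20)]
)
POISONED_BATCH = [
    dict(r, label="malignant") if r["id"] < 20 else dict(r) for r in CLEAN_BATCH
]


def record_hash(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


def snapshot_digest(records):
    """Hash-anchored snapshot: one digest over the sorted per-record hashes, so
    the digest is order-independent and changes if any record is altered."""
    return hashlib.sha256("".join(sorted(map(record_hash, records))).encode()).hexdigest()


def label_shift_z(records, class_prior):
    """z-score of each class's share in the batch against the baseline prior,
    using the binomial standard error sqrt(p(1-p)/n)."""
    n = len(records)
    counts = Counter(r["label"] for r in records)
    return {
        cls: (counts.get(cls, 0) / n - p) / math.sqrt(p * (1 - p) / n)
        for cls, p in class_prior.items()
    }


def feature_shift_z(records, feature_stats):
    """Per-class z-score of the batch feature mean against the baseline mean.
    A label flip moves samples with benign-looking features into the malignant
    class and drags that class's mean away from its baseline."""
    out = {}
    for cls, (mu, sigma) in feature_stats.items():
        xs = [r["x"] for r in records if r["label"] == cls]
        if xs:
            out[cls] = (sum(xs) / len(xs) - mu) / (sigma / math.sqrt(len(xs)))
    return out


def screen_batch(records, baseline=BASELINE, z_limit=4.0):
    """Gate a retraining batch: anchor its digest, compute label and feature
    shift, and hold the batch for review if any |z| exceeds z_limit."""
    label_z = label_shift_z(records, baseline["class_prior"])
    feature_z = feature_shift_z(records, baseline["feature_stats"])
    worst = max(abs(z) for z in list(label_z.values()) + list(feature_z.values()))
    return {
        "digest": snapshot_digest(records),
        "label_z": label_z,
        "feature_z": feature_z,
        "hold": worst > z_limit,
    }


if __name__ == "__main__":
    for name, batch in (("clean", CLEAN_BATCH), ("poisoned", POISONED_BATCH)):
        r = screen_batch(batch)
        print(name, r["digest"][:12], "hold" if r["hold"] else "admit", r["label_z"], r["feature_z"])
```

The digest is what gets signed and recorded in the provenance log; the z-scores are the review trigger. Note that a clean-label backdoor (poison samples with correct labels but a trigger pattern) will not move either statistic, which is why the mitigation also lists hold-out poison canaries.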

    Adversarial input / evasion

    Scenario · Crafted input perturbations cause the model to flip its prediction without a clinician noticing the input is anomalous.

    Mitigation · Adversarial robustness testing (PGD, AutoAttack) in V&V, input plausibility gates, confidence-calibrated rejection, periodic red-team rounds.

    FDA AI/ML draft §V.C.4; EU AI Act Art. 15(5); IMDRF GMLP #8.
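An added example of what the V&V step and the deployment-side gates look like in code (not code from the playbook): an L-infinity PGD attack against a hypothetical two-feature logistic-regression classifier, an evasion-rate metric over a constructed evaluation set, and a gated predictor that rejects implausible inputs and abstains on low-confidence scores. The weights, bias, feature ranges, sample points, eps of 0.1 and the 0.7 confidence floor are all constructed; a real V&V run would use the cleared model and its calibration data.

```python
import math

# Hypothetical cleared model: logistic regression over two normalised features.
# Weights and bias are constructed for illustration.
WEIGHTS = [2.0, -1.5]
BIAS = 0.1
# Hypothetical plausibility envelope: per-feature [min, max] seen in training.
FEATURE_RANGE = [(0.0, 1.0), (0.0, 1.0)]
# Constructed evaluation set for the robustness test.
SAMPLES = [[0.3, 0.5], [0.9, 0.1], [0.1, 0.9], [0.6, 0.4]]


def predict_proba(x):
    z = sum(w * xi for w, xi in zip(WEIGHTS, x)) + BIAS
    return 1.0 / (1.0 + math.exp(-z))


def raw_label(x):
    return 1 if predict_proba(x) >= 0.5 else 0


def clip_plausible(x):
    return [min(max(xi, lo), hi) for xi, (lo, hi) in zip(x, FEATURE_RANGE)]


def pgd_attack(x, eps, steps=10, alpha=None):
    """Untargeted L-infinity PGD against the logistic model: ascend the
    log-loss of the model's own label by signed-gradient steps, projecting
    back into the eps-ball around x (and the plausible range) after each step.
    For logistic regression dLoss/dx = (p - y) * w."""
    y = raw_label(x)
    alpha = alpha if alpha is not None else eps / 4
    adv = list(x)
    for _ in range(steps):
        p = predict_proba(adv)
        grad = [(p - y) * w for w in WEIGHTS]
        adv = [a + alpha * math.copysign(1.0, g) if g != 0 else a for a, g in zip(adv, grad)]
        adv = [min(max(a, xi - eps), xi + eps) for a, xi in zip(adv, x)]
        adv = clip_plausible(adv)
    return adv


def evasion_rate(samples, eps):
    """V&V metric: fraction of inputs whose label flips under eps-bounded PGD."""
    flips = sum(raw_label(pgd_attack(x, eps)) != raw_label(x) for x in samples)
    return flips / len(samples)


def gated_predict(x, min_confidence=0.7):
    """Deployment-side defences: reject inputs outside the plausibility
    envelope and abstain when confidence (assumed calibrated during V&V) is
    below the floor, so a perturbation that only nudges the score across 0.5
    cannot produce a confident clinical recommendation."""
    for xi, (lo, hi) in zip(x, FEATURE_RANGE):
        if not lo <= xi <= hi:
            return {"decision": "reject", "reason": "input outside plausible range"}
    p = predict_proba(x)
    if max(p, 1.0 - p) < min_confidence:
        return {"decision": "abstain", "reason": "low confidence", "p": p}
    return {"decision": "positive" if p >= 0.5 else "negative", "p": p}


if __name__ == "__main__":
    x = [0.3, 0.5]
    adv = pgd_attack(x, eps=0.1)
    print("clean label", raw_label(x), "adversarial label", raw_label(adv), "adv input", adv)
    print("evasion rate at eps=0.1:", evasion_rate(SAMPLES, 0.1))
    print("gated decision on adversarial input:", gated_predict(adv))
```

The point the numbers make: the perturbed input stays within 0.1 of the original on every feature and inside the plausible range, so the plausibility gate alone does not catch it; the flip only lands the score at about 0.57, which the confidence floor turns into an abstention rather than a changed recommendation. Inputs that sit far from the boundary do not flip at this eps, which is what the evasion-rate metric reports.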

    Weight / artifact tampering

    Scenario · Model weights, tokenizer, or post-processing code are modified in storage or transit, producing silent behaviour drift after deployment.

    Mitigation · Sigstore / cosign signatures on model artifacts, integrity check at load time, immutable artifact registry, SBOM/AI-BOM coverage of weights.

    FDA Feb 2026 cyber §IV.B (SBOM/AI-BOM); IMDRF/CYBER WG/N60.
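An added example of the load-time integrity check (not code from the playbook): the release step digests every artifact into one manifest and signs the manifest; the loader verifies the signature before trusting any digest, then checks that the artifact set matches exactly, then checks every digest, and refuses to load otherwise. The artifact bytes, version string and key are constructed. HMAC-SHA256 stands in for the cosign/Sigstore signature the mitigation calls for, purely so the example runs on the standard library; the verification order and the checks are the same with a real signature.

```python
import hashlib
import hmac
import json

# Constructed release artifacts (bytes stand in for files in the registry).
ARTIFACTS = {
    "model.safetensors": b"\x00\x01weights-v1.4.0\xff",
    "tokenizer.json": b'{"vocab": ["[PAD]", "[CLS]"]}',
    "postprocess.py": b"def calibrate(p):\n    return p\n",
}
# Hypothetical release key. A production pipeline would verify a cosign/Sigstore
# signature against the release identity; HMAC-SHA256 is a stand-in here so the
# load-time check runs with the standard library alone.
RELEASE_KEY = b"demo-release-signing-key"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def canonical(obj):
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts, model_version, key=RELEASE_KEY):
    """Release step: digest every artifact (weights, tokenizer, post-processing
    code) into one manifest and sign the manifest, not the individual files."""
    manifest = {
        "model_version": model_version,
        "files": {name: sha256_hex(data) for name, data in artifacts.items()},
    }
    signature = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": signature}


class ArtifactIntegrityError(Exception):
    pass


def verify_and_load(signed, artifacts, key=RELEASE_KEY):
    """Load-time check: signature first (so an attacker cannot simply rewrite
    the digests), then the full file set (no silent additions or removals),
    then every digest, before a single byte of the model is used."""
    manifest = signed["manifest"]
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["signature"]):
        raise ArtifactIntegrityError("manifest signature invalid")
    if set(manifest["files"]) != set(artifacts):
        raise ArtifactIntegrityError("artifact set differs from signed manifest")
    for name, digest in manifest["files"].items():
        if not hmac.compare_digest(digest, sha256_hex(artifacts[name])):
            raise ArtifactIntegrityError(f"digest mismatch: {name}")
    return {"model_version": manifest["model_version"], "weights": artifacts["model.safetensors"]}


def try_load(signed, artifacts, key=RELEASE_KEY):
    """Wrapper returning a status string instead of raising, for callers that
    log and fail closed."""
    try:
        loaded = verify_and_load(signed, artifacts, key)
        return "loaded " + loaded["model_version"]
    except ArtifactIntegrityError as e:
        return "refused: " + str(e)


SIGNED = build_manifest(ARTIFACTS, "1.4.0")

if __name__ == "__main__":
    print(try_load(SIGNED, ARTIFACTS))
    # Post-processing code altered in the registry: weights untouched, output changed.
    tampered = {**ARTIFACTS, "postprocess.py": b"def calibrate(p):\n    return min(p * 1.3, 1.0)\n"}
    print(try_load(SIGNED, tampered))
```

Covering the tokenizer and post-processing code in the same manifest as the weights is the point: the threat scenario above names them precisely because an attacker who cannot touch the weights can still change what the device outputs by editing the calibration step.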

    Repudiation · 1 threat

    Disputed model output / no audit trail

    Scenario · After a clinical incident, the manufacturer cannot reconstruct which model version produced which output for which input.

    Mitigation · Append-only inference log: input hash, model version, weights digest, output, confidence, clinician ID, retention per local law.

    FDA AI/ML draft §V.F; EU AI Act Art. 12 (logging); EU MDR Annex I §17.
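An added example of the append-only inference log (not code from the playbook): each entry carries the fields listed in the mitigation and commits to the previous entry's hash, so editing, deleting or reordering any entry is detected by a verification pass, and an incident review can ask which model version and weights produced which output for a given input. Only the input's hash is stored. The records, timestamps, version strings and digests are constructed; retention handling is left to the caller.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class InferenceLog:
    """Append-only, hash-chained inference record. Each entry commits to the
    previous entry's hash, so deleting, reordering or editing any entry breaks
    every later hash and is caught by verify(). Only a hash of the input is
    stored, so the audit store itself holds no raw patient data."""

    def __init__(self):
        self.entries = []

    def append(self, *, timestamp, input_bytes, model_version, weights_digest,
               output, confidence, clinician_id):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "timestamp": timestamp,  # ISO-8601 UTC, supplied by the caller
            "input_sha256": sha256_hex(input_bytes),
            "model_version": model_version,
            "weights_digest": weights_digest,
            "output": output,
            "confidence": confidence,
            "clinician_id": clinician_id,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(canonical(entry))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return (True, -1) if the chain is intact, else (False, seq) of the
        first entry whose hash, sequence number or back-link does not check out."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or sha256_hex(canonical(body)) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, -1

    def reconstruct(self, input_bytes):
        """Incident reconstruction: every (model version, weights digest,
        output) ever returned for this exact input."""
        h = sha256_hex(input_bytes)
        return [(e["model_version"], e["weights_digest"], e["output"])
                for e in self.entries if e["input_sha256"] == h]


def build_demo_log():
    """Constructed records: two model versions scoring the same study."""
    log = InferenceLog()
    study = b"<constructed DICOM bytes for study 0001>"
    log.append(timestamp="2026-03-01T09:00:00Z", input_bytes=study, model_version="1.4.0",
               weights_digest="a1b2c3", output="no finding", confidence=0.91, clinician_id="dr-lee")
    log.append(timestamp="2026-03-02T10:15:00Z", input_bytes=b"<study 0002>", model_version="1.4.0",
               weights_digest="a1b2c3", output="finding", confidence=0.77, clinician_id="dr-lee")
    log.append(timestamp="2026-03-09T08:30:00Z", input_bytes=study, model_version="1.5.0",
               weights_digest="d4e5f6", output="finding", confidence=0.84, clinician_id="dr-park")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("chain intact:", log.verify())
    print("history for study 0001:", log.reconstruct(b"<constructed DICOM bytes for study 0001>"))
    log.entries[1]["output"] = "no finding"  # post-hoc edit
    print("after tampering:", log.verify())
```

A hash chain makes tampering detectable, not impossible: whoever holds the whole log can recompute the chain. In practice the latest entry hash is periodically anchored somewhere the log writer cannot rewrite (a separate signing service, a WORM bucket, or a transparency log), which is what turns "append-only" from a convention into a property.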

    Information disclosure · 2 threats

    Model extraction

    Scenario · Query-based attack reconstructs decision boundaries or weights, enabling cloning or downstream evasion of the same model in the field.

    Mitigation · Per-tenant query rate limits, anomaly detection on query distribution, response watermarking, restrict logit/confidence exposure.

    FDA Feb 2026 cyber §V.F; NIST AI 100-2 §3.3.

    Membership / attribute inference

    Scenario · Attacker determines whether a specific patient record was in the training set, or recovers protected attributes from model outputs.

    Mitigation · Differential-privacy training where feasible, output coarsening, audit of memorisation on canary records, suppress per-sample loss leakage.

    FDA Feb 2026 cyber §V.F; HIPAA §164.514; NIST AI 100-2 §3.4.
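An added example serving both information-disclosure threats above (not code from the playbook): a per-tenant monitor that raises a flag when a tenant exceeds its query quota or when the share of queries landing near the decision boundary (where extraction attacks concentrate their probes) exceeds a baseline-derived limit, plus an output coarsener that returns a label and a confidence band instead of the raw probability or logits that both extraction and membership inference feed on. The traffic, the 0.10 boundary band, the 0.30 share limit and the quota are constructed; a real deployment derives the share limit from its own clinical traffic and applies the quota per time window rather than per observation count.

```python
from collections import defaultdict, deque


class QueryMonitor:
    """Per-tenant sliding window over the scores the model produced for that
    tenant. Flags a tenant whose share of low-margin queries exceeds the
    baseline-derived limit, or who exceeds the quota within the window.
    All thresholds are constructed for illustration."""

    def __init__(self, window=100, quota=50, boundary_band=0.10,
                 max_boundary_share=0.30, min_n=20):
        self.quota = quota
        self.boundary_band = boundary_band
        self.max_boundary_share = max_boundary_share
        self.min_n = min_n
        self.scores = defaultdict(lambda: deque(maxlen=window))

    def observe(self, tenant, p):
        """Record a raw score and return the flags raised for this tenant."""
        dq = self.scores[tenant]
        dq.append(p)
        flags = []
        if len(dq) > self.quota:
            flags.append("quota_exceeded")
        near = sum(1 for q in dq if abs(q - 0.5) <= self.boundary_band)
        if len(dq) >= self.min_n and near / len(dq) > self.max_boundary_share:
            flags.append("boundary_probing")
        return flags


def coarsen(p):
    """What leaves the endpoint: a label and a coarse confidence band, never
    the raw probability or logits."""
    conf = max(p, 1.0 - p)
    band = "high" if conf >= 0.90 else "medium" if conf >= 0.70 else "low"
    return {"label": "positive" if p >= 0.5 else "negative", "confidence": band}


def serve(monitor, tenant, p):
    """Policy wrapper around the model's raw score p: throttle flagged tenants,
    otherwise return the coarsened output."""
    flags = monitor.observe(tenant, p)
    if flags:
        return {"error": "throttled", "flags": flags}
    return coarsen(p)


# Constructed traffic: a clinic whose scores spread across the range, and a
# tenant sweeping the decision boundary in small steps.
CLINIC_SCORES = [0.02, 0.97, 0.15, 0.88, 0.52, 0.31, 0.74, 0.08, 0.93, 0.61,
                 0.22, 0.85, 0.45, 0.12, 0.79, 0.04, 0.96, 0.67, 0.29, 0.90]
PROBE_SCORES = [0.42 + 0.008 * i for i in range(20)]  # 0.42 .. 0.572

if __name__ == "__main__":
    m = QueryMonitor()
    print("clinic:", [serve(m, "clinic-a", p) for p in CLINIC_SCORES][-1])
    print("probe:", [serve(m, "tenant-x", p) for p in PROBE_SCORES][-1])
```

The boundary-share heuristic is one signal, not a proof of extraction; it is cheap, it needs no attacker model, and it is exactly what a tenant using the device as intended will not trip because clinical inputs do not cluster at 0.5. Coarsening costs nothing for clinical use (a clinician acts on "positive, high confidence", not on 0.9137) and removes the fine-grained signal that membership and attribute inference depend on.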

    Denial of service · 2 threats

    Inference flooding / cost-amplification

    Scenario · Attacker submits high-volume or maximally-expensive requests, starving clinical users or exhausting cloud spend.

    Mitigation · Quotas per identity, asynchronous queue with priority for clinical traffic, anomaly throttling, billing alarms.

    FDA Feb 2026 cyber §V.G; NIST SP 800-53 SC-5.
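An added example of the admission-control half of that mitigation (not code from the playbook): a scheduler that charges each request's cost against a per-identity quota (so "maximally expensive" requests burn quota faster than cheap ones) and serves the queue by tier, clinical first. The quotas, tiers, costs and the burst scenario are constructed; anomaly throttling and billing alarms sit outside the scheduler and are not shown.

```python
import heapq
import itertools
from collections import defaultdict

# Priority tiers: lower value is served first. Clinical traffic always goes
# ahead of batch and research traffic regardless of arrival order.
TIER_PRIORITY = {"clinical": 0, "batch": 1, "research": 2}


class InferenceScheduler:
    def __init__(self, quotas):
        self.quotas = quotas                  # identity -> max queued cost
        self.queued_cost = defaultdict(int)
        self.heap = []
        self.seq = itertools.count()          # FIFO order within a tier
        self.rejected = []

    def submit(self, identity, tier, request_id, cost=1):
        """Admission control: cost-weighted quota per identity (a large image
        or long sequence costs more than a small one), then priority queueing
        by tier. Returns True if queued, False if rejected."""
        if self.queued_cost[identity] + cost > self.quotas.get(identity, 0):
            self.rejected.append(request_id)
            return False
        self.queued_cost[identity] += cost
        heapq.heappush(self.heap, (TIER_PRIORITY[tier], next(self.seq), identity, request_id, cost))
        return True

    def next_request(self):
        """Hand the highest-priority request to a worker and release its quota."""
        if not self.heap:
            return None
        _, _, identity, request_id, cost = heapq.heappop(self.heap)
        self.queued_cost[identity] -= cost
        return request_id

    def drain(self):
        order = []
        while self.heap:
            order.append(self.next_request())
        return order


def demo():
    """Constructed burst: a research identity floods with expensive requests,
    then a clinician submits two studies. Returns (accepted flood requests,
    service order, rejected request ids)."""
    s = InferenceScheduler(quotas={"svc-research": 6, "dr-lee": 10})
    accepted = sum(s.submit("svc-research", "research", f"r{i}", cost=2) for i in range(10))
    s.submit("dr-lee", "clinical", "study-1")
    s.submit("dr-lee", "clinical", "study-2")
    return accepted, s.drain(), s.rejected


if __name__ == "__main__":
    print(demo())
```

Two details matter for the clinical case. Quota is released when a worker takes the request, not when it is submitted, so a flood cannot keep re-filling the queue faster than it drains; and the flood is rejected at submission rather than queued behind clinical work, so it never consumes GPU time or cloud spend at all.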

    Silent performance drift

    Scenario · Distribution shift in real-world data degrades accuracy below the cleared performance envelope without an explicit failure signal.

    Mitigation · Live monitoring of subgroup AUROC/calibration, drift thresholds tied to PCCP, automatic field safety escalation if threshold breached.

    FDA PCCP §V.C (Impact Assessment); GMLP #9; EU AI Act Art. 17 (post-market).
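An added example of the monitoring half of that mitigation (not code from the playbook): a rank-based AUROC and an expected-calibration-error computed per subgroup over a sliding window of adjudicated cases, with an escalation status when either crosses the threshold. The cleared-performance thresholds (AUROC floor 0.80, ECE ceiling 0.15), the window size, the minimum sample count and the outcome data are constructed; in a real deployment the thresholds come from the PCCP and the escalation feeds the field-safety process rather than a return value.

```python
from collections import defaultdict, deque


def auroc(scores, labels):
    """Rank-based AUROC (probability a random positive outscores a random
    negative); ties count half. None when either class is absent."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    if not pos or not neg:
        return None
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def expected_calibration_error(scores, labels, bins=5):
    """ECE: |mean score - observed positive rate| per score bin, weighted by
    the share of cases in the bin."""
    buckets = defaultdict(list)
    for s, y in zip(scores, labels):
        buckets[min(int(s * bins), bins - 1)].append((s, y))
    n = len(scores)
    return sum(
        len(b) / n * abs(sum(s for s, _ in b) / len(b) - sum(y for _, y in b) / len(b))
        for b in buckets.values()
    )


class DriftMonitor:
    """Sliding window per subgroup, updated when adjudicated ground truth
    arrives for a scored case (labels lag predictions in practice). The AUROC
    floor and ECE ceiling are the constructed PCCP thresholds."""

    def __init__(self, auroc_floor=0.80, ece_ceiling=0.15, window=200, min_n=20):
        self.auroc_floor, self.ece_ceiling, self.min_n = auroc_floor, ece_ceiling, min_n
        self.cases = defaultdict(lambda: deque(maxlen=window))

    def record(self, subgroup, score, label):
        self.cases[subgroup].append((score, label))
        return self.status(subgroup)

    def status(self, subgroup):
        cases = self.cases[subgroup]
        if len(cases) < self.min_n:
            return {"subgroup": subgroup, "status": "insufficient_data", "n": len(cases)}
        scores, labels = zip(*cases)
        a = auroc(scores, labels)
        e = expected_calibration_error(scores, labels)
        breached = a is not None and (a < self.auroc_floor or e > self.ece_ceiling)
        return {"subgroup": subgroup, "status": "ESCALATE" if breached else "ok",
                "n": len(cases), "auroc": a, "ece": e}


# Constructed outcomes: adults stay well separated; the paediatric subgroup
# has drifted to near-random discrimination while the overall model looks fine.
ADULT_POS, ADULT_NEG = [0.62, 0.72, 0.82, 0.92, 0.97] * 2, [0.05, 0.12, 0.22, 0.32, 0.67] * 2
PED_POS, PED_NEG = [0.31, 0.41, 0.51, 0.61, 0.71] * 2, [0.36, 0.46, 0.56, 0.66, 0.76] * 2


def run_demo():
    """Feed the constructed outcomes through the monitor, alternating
    positives and negatives, and return the final status per subgroup."""
    m = DriftMonitor()
    last = {}
    for group, pos, neg in (("adult", ADULT_POS, ADULT_NEG), ("paediatric", PED_POS, PED_NEG)):
        for p, n in zip(pos, neg):
            m.record(group, p, 1)
            last[group] = m.record(group, n, 0)
    return last


if __name__ == "__main__":
    for group, status in run_demo().items():
        print(group, status)
```

The subgroup split is the part that matters: pooled across both groups the AUROC here would still clear 0.80, so an aggregate monitor would stay silent while the paediatric subgroup had degraded to 0.40. The status is also "insufficient_data" until the window holds enough adjudicated cases, which avoids escalating on the noise of the first few labels.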