Security and Privacy

Private-Wealth AI Threat Model

Threat modeling turns “keep it private” into specific questions about data flow, access, model behavior, agent authority, and recovery.

Steel vault doors representing private-wealth AI trust boundaries

Photo: wutthichai charoenburi / Pexels

A private-wealth AI threat model identifies what a family office needs to protect, who or what could cause harm, where trust boundaries exist, and which preventive, detective, and recovery controls reduce each credible risk.

Scope

Protect more than documents.

Family-office systems can contain financial records, entity structures, tax and legal material, personal correspondence, security information, household operations, medical details, and the relationships between them. An AI system can also infer facts that were not written in one place.

The assets include source data, embeddings, prompts, outputs, model configurations, identities, access tokens, audit logs, and the operating knowledge required to maintain the system. Map each before choosing controls.

OWASP’s current LLM risk categories cover issues such as prompt injection, sensitive information disclosure, supply-chain risk, improper output handling, excessive agency, and system prompt leakage. The family-office context adds concentrated privacy, physical-security, succession, and reputational consequences.

Threat and control map

Test the failure, not just the feature.

ThreatPrimary controlVerification
Shadow AI and disclosureApproved tools, data rules, blocked destinations where appropriate, and staff training tied to real examples.Attempt prohibited uploads; review tool inventory and network or application logs.
Prompt injectionTreat retrieved and external content as untrusted; isolate instructions from data; restrict tools and destinations.Seed malicious instructions in documents and webpages; confirm the system ignores or contains them.
Excessive agencyMinimum permissions, transaction limits, human approval, dual control, and revocable credentials.Try actions outside scope and above limits; confirm denial and an intelligible audit trail.
Improper output handlingValidate and sanitize model output before it reaches email, databases, code, or downstream tools.Use malformed and adversarial output; confirm downstream systems treat it as data, not instruction.
Vendor or administrator accessContractual limits, technical isolation, named support access, approval, time bounds, and customer-visible logs.Run a support-access exercise and verify revocation plus retained evidence.
Retention and derived dataDocument retention for prompts, outputs, embeddings, backups, and logs. Apply deletion and export processes.Delete a test record and trace copies; run an export and restore test.
Model or integration changeVersion control, evaluations, staged rollout, change approval, and rollback.Compare a fixed evaluation set before and after change; confirm rollback works.
Provider exit or outagePortable data and configurations, documented dependencies, alternate workflows, and recovery priorities.Run a tabletop exercise with the provider unavailable.
Trust boundaries

Draw every place control changes hands.

  • Between a person and the AI interface.
  • Between the interface and family-controlled data sources.
  • Between retrieval services and embeddings or indexes.
  • Between the control layer and each model provider.
  • Between an agent and the tools it can call.
  • Between the environment and administrators, support staff, backups, or monitoring providers.
  • Between the current generation’s permissions and successor access.

For each line, record who authenticates, what crosses, where it is retained, who can inspect it, and how access is revoked. A diagram that omits administrators and backups is incomplete.

A local model can still create external risk.

Local processing reduces some provider exposure. It does not fix broad internal permissions, compromised endpoints, unsafe integrations, weak backups, unreviewed agent actions, or missing incident procedures.

Readiness tests

Run five exercises before production.

  1. Wrong person. Confirm that a user cannot retrieve another role’s records through direct or indirect prompts.
  2. Poisoned source. Place hostile instructions in a permitted document and observe the model and agent response.
  3. Wrong answer. Give the system conflicting sources and confirm it exposes uncertainty and provenance.
  4. Wrong action. Ask an agent to exceed its authority, bypass approval, or send data to an unapproved destination.
  5. Provider unavailable. Confirm the office can identify dependencies, preserve records, and continue the priority workflow.

Convert the selected controls into the family office AI governance framework. Deployment choices are covered in Private AI for Family Offices.

Common questions

Questions family offices ask before deciding.

What is the biggest AI risk for a family office?

There is no single universal risk. Sensitive disclosure, over-broad access, unreviewed agent actions, and false outputs can each be severe. Rank them against the office’s actual data and workflows.

What is prompt injection?

It is an attempt to make a model follow hostile instructions contained in user input, retrieved documents, webpages, or tool output. Restricting data and tools limits the damage a successful injection can cause.

Are embeddings sensitive data?

They can encode information derived from source records and should be classified, retained, backed up, exported, and deleted according to the data they represent and the retrieval risk they create.

Can audit logs create privacy risk?

Yes. Logs can contain prompts, outputs, identities, source references, and action details. Limit access, define retention, protect integrity, and avoid collecting content that is not needed.

What should an AI incident plan include?

Named contacts, containment steps, credential revocation, affected systems and data, evidence preservation, vendor escalation, legal and communications review, recovery, and a post-incident control change.

Sources

References used for this guide.

Published 2026-07-12. Review product terms, legal duties, and security requirements against the family office’s current facts before implementation.

Define the boundary before choosing the tool.

A private briefing starts with the family’s information, risk, team, and first practical use case.

Request a private briefing