Model Risk Assessment Template for On-Device and Desktop Agents
2026-02-19

Reusable MRA template for on-device and desktop agents with threat scenarios, controls and remediation steps—built for UK compliance in 2026.

Hook: Rapid on-device model adoption increases value—and risk

By 2026, many organisations are racing to deploy powerful AI where it matters most: on employees' desktops and edge devices. That lowers latency and reduces cloud costs, but it also creates a new class of operational and security risks. If your team lacks an MRA specifically designed for on-device models and desktop agents, you’re exposed to data leakage, model theft, and dangerous autonomous behaviours—and you may fail UK regulatory requirements.

Executive summary: What this template delivers

This article provides a reusable Model Risk Assessment (MRA) template tailored to desktop and edge deployments. You’ll get:

  • A compact, repeatable MRA structure you can apply across agents and devices.
  • Common threat scenarios for on-device and desktop agents (with likelihood & impact guidance).
  • Concrete remediation steps and controls mapped to each threat.
  • Scoring methodology and prioritisation advice for constrained IT teams.
  • Operational checks, monitoring, and incident playbooks suitable for UK compliance.

The 2026 context: why desktop and edge MRAs are urgent now

Late 2025 and early 2026 accelerated two trends that change the threat model for on-device AI:

  • Desktop agents with file-system access and local orchestration (for example, Anthropic's 2026 preview of autonomous desktop assistants) are becoming mainstream. These agents can read and modify local files, increasing the attack surface.
  • Affordable AI hardware for edge devices—HAT modules for single-board computers and consumer-class NPUs—means models and data no longer sit only in the cloud. Devices like the updated Raspberry Pi HAT offerings in late 2025 unlocked widespread on-device inference at scale.

These shifts require MRAs that consider device OS, peripherals, network behaviour, and hardware-backed protections—not just model accuracy and bias.

How to use this MRA template (quick guide)

  1. Copy the template for the model / agent instance you’re assessing (per device image, app version, or SKU).
  2. Populate context fields: model family, developer, version, hardware, OS image, presence of secure enclave, and data types processed.
  3. Walk through the threat scenarios and mark applicable ones. Prioritise by business impact and exploitability.
  4. Select controls from the remediation catalogue and assign owners and deadlines.
  5. Integrate the assessment into CI/CD or MLOps pipelines: treat MRA as a gated artefact for releases.

Model Risk Assessment (MRA) template: structure

Below is the canonical template. You can add columns for local policy IDs or compliance frameworks (UK GDPR, NCSC guidance).

1. Identification & context

  • Model / Agent name
  • Version / build
  • Deployment target (OS/desktop image, device model, CPU/NPU)
  • Data processed (sensitive PII, contact lists, documents, telemetry)
  • Access scope (filesystem, camera, network, USB, system APIs)
  • Owner / contact (development, security, product)

2. Asset & dependency inventory

  • Model artefacts (weights, vocabularies, configuration files)
  • Runtime libraries and native binaries
  • Third-party plugins, models or libs (supply chain)
  • Hardware features (TPM, Secure Boot, SEV, ARM TrustZone)

3. Threat scenarios

Each scenario entry should include: description, attack vector, likelihood (Low/Medium/High), impact (Low/Medium/High), controls, residual risk, test cases.

4. Risk scoring & prioritisation

Use a simple matrix: Risk Score = Likelihood (1–3) × Impact (1–3). Score >6 = urgent. Map to remediation SLAs.

5. Controls & remediation

Map each scenario to preventative, detective, and corrective controls, with owners.

6. Monitoring & validation

List telemetry, alert thresholds, periodic red-team tests, and drift checks.

7. Approval & sign-off

Security lead, Data Protection Officer, Product owner—signed and dated.

Common threat scenarios for on-device models and desktop agents

Below are high-priority scenarios we see repeatedly in real-world desktop/edge deployments.

Scenario A — Local data exfiltration by an autonomous agent

Description: An agent with file-system and network access reads sensitive documents and uploads them to an external endpoint.

  • Attack vector: Legitimate agent feature misused or model prompt injection causes it to exfiltrate.
  • Likelihood: Medium–High (desktop agents increasingly request file access by design).
  • Impact: High (PII, IP loss, regulatory penalties).

Controls and remediation:

  1. Apply the principle of least privilege: run agents with a dedicated user account and restrict filesystem scope via OS-level ACLs.
  2. Block or tightly proxy outbound connections; enforce allow-lists and decrypt traffic in controlled inspection zones only for managed devices.
  3. Require explicit, auditable user consent for file access; log any automated file reads with hash of file and purpose annotation.
  4. Use content filtering and DLP on the endpoint to detect sensitive data leaving the device.
  5. Test with red-team prompts that intentionally try to coax an agent into exfiltration and run those tests in CI before release.

Scenario B — Model theft / IP extraction from device

Description: A threat actor copies model weights or a small embedded model from an edge device to pirate or reverse-engineer it.

  • Attack vector: Unprotected model files on disk, insecure update channels, or side-channel extraction on consumer NPUs.
  • Likelihood: Medium (increased by cheaper hardware and local storage of weights).
  • Impact: Medium–High (loss of proprietary IP, competitive harm).

Controls and remediation:

  1. Encrypt model artefacts at rest using hardware-backed keys (TPM, Secure Enclave). Avoid plaintext storage of weights.
  2. Use code signing and model signing; verify signatures at load time.
  3. Enable secure boot and attestation; if hardware supports it, require enclave execution for sensitive models.
  4. Design models to be less attractive targets (model partitioning, server-side critical layers, distilled local models with reduced capability).
  5. Monitor for unexpected model exports and anomalous file access patterns.

Scenario C — Prompt injection or instruction poisoning

Description: Malicious input from local files, clipboard, or connected apps causes the agent to perform unauthorized actions.

  • Attack vector: User-supplied files, drag-and-drop content, or compromised browser pages passed to the agent.
  • Likelihood: High for agents that consume arbitrary local content.
  • Impact: Medium–High depending on actions allowed.

Controls and remediation:

  1. Adopt a robust input sanitisation pipeline: treat any user-supplied content as untrusted and normalise it before use.
  2. Implement instruction-filtering layers and allow-list permitted operations; require explicit user confirmation for high-risk tasks (upload, delete, send).
  3. Limit the agent’s ability to execute system commands; separate planning from execution and require an approval step for actions with side effects.
  4. Run adversarial test-cases in CI that simulate prompt injection.

Scenario D — Poisoning via local training or personalization

Description: Local fine-tuning or personalization data poisoned to bias model behaviour or cause backdoor triggers.

  • Attack vector: User-provided content, synced documents, or malicious USB devices introducing adversarial examples.
  • Likelihood: Medium if local tuning is enabled.
  • Impact: High for models used to make business decisions or produce outputs without human review.

Controls and remediation:

  1. Disable automatic local re-training by default. Require secure, authenticated channels and isolated compute for any personalization.
  2. Apply data provenance checks and validation pipelines before applying personalised updates.
  3. Use differential privacy techniques or restrict what gradients can change in local fine-tuning.

Scenario E — Supply chain compromise (third-party plugins or model components)

Description: A compromised third-party library or model component introduces malicious behaviours at runtime.

  • Attack vector: Malicious dependency, unsigned binary, or tampered update server.
  • Likelihood: Medium–High given dependency complexity.
  • Impact: High (wide distribution of compromised agents).

Controls and remediation:

  1. Maintain SBOMs (Software Bills of Materials) for agents and models and scan them for known vulnerabilities periodically.
  2. Verify code and model signatures on install and update. Lock down update channels to authenticated servers.
  3. Conduct regular supply-chain audits and require suppliers to follow secure coding and release practices.

Risk scoring rubric (practical)

Use this simple numeric rubric to make prioritisation decisions fast in operational teams.

  • Likelihood: Low=1, Medium=2, High=3
  • Impact: Low=1, Medium=2, High=3
  • Risk Score = Likelihood × Impact (1–9)

Prioritise:

  • 7–9: Immediate remediation (SLA 7 days)
  • 4–6: Plan and remediate (SLA 30 days)
  • 1–3: Accept with monitoring

Sample MRA entry (filled) — quick reference

Model: Document-summariser v1.2 (desktop agent preview build)

  • Context: Runs on Windows 11 corporate-managed devices, requires folder access to "Documents" and network to update knowledge.
  • Threat: Local data exfiltration (Scenario A)
  • Likelihood: 2 (Medium). Impact: 3 (High). Score: 6.
  • Controls: Restrict folder access to sandboxed virtual FS; require user confirmation for any file upload; outbound traffic forced through corporate proxy; DLP policy inspects outgoing packets for keywords and hashes.
  • Residual risk: Medium. Monitoring: Alerts on >3 uploads in 1 hour; weekly attestation of installed agent builds.
  • Owner: Security Engineering. SLA: 30 days to close major gaps; immediate mitigations deployed within 48 hours.
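The rubric and the sample entry above, encoded as a CI policy check so the MRA can act as the gated release artefact described earlier. This is an added example, not the article's bundle or any product code; the dataclass field names and the exact gate rules (block on an "immediate" score, block on a non-trivial score with no controls or owner) are assumptions. Note that with a 1–3 × 1–3 rubric the only reachable scores are 1, 2, 3, 4, 6 and 9, so the 7–9 band is in practice the Medium/High × High corner plus High × High.

```python
# Added example: the article's rubric (Likelihood x Impact, bands 7-9 / 4-6 / 1-3)
# as a release gate. Field names and gate rules are assumptions, not the article's.
from dataclasses import dataclass, field

LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Scenario:
    name: str
    likelihood: str                      # "Low" / "Medium" / "High"
    impact: str                          # "Low" / "Medium" / "High"
    controls: list = field(default_factory=list)
    owner: str = ""

    def score(self) -> int:
        # Risk Score = Likelihood (1-3) x Impact (1-3); reachable values: 1,2,3,4,6,9
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def priority(score: int) -> tuple:
    """Map a score to the article's bands: (band, remediation SLA in days or None)."""
    if score >= 7:
        return ("immediate", 7)
    if score >= 4:
        return ("plan", 30)
    return ("accept-with-monitoring", None)


def gate(scenarios) -> list:
    """Return release-blocking findings; an empty list means the MRA passes."""
    findings = []
    for s in scenarios:
        band, _sla = priority(s.score())
        if band == "immediate":
            findings.append(f"{s.name}: score {s.score()} needs immediate remediation")
        if band != "accept-with-monitoring" and (not s.controls or not s.owner):
            findings.append(f"{s.name}: scored {s.score()} but has no controls or owner")
    return findings


# The filled sample entry from the article, plus a constructed second scenario
# (High x High, no controls assigned yet) to show the gate failing.
SAMPLE = [
    Scenario("A: local data exfiltration", "Medium", "High",
             controls=["sandboxed virtual FS", "upload confirmation",
                       "corporate proxy", "DLP policy"],
             owner="Security Engineering"),
    Scenario("C: prompt injection", "High", "High"),   # constructed, incomplete entry
]
```

Run `gate(SAMPLE)` in CI and fail the build when it returns anything; the sample Scenario A entry alone (score 6, controls and owner present) passes.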

Operationalising the MRA: integration and automation

To make this MRA practical for product teams, integrate it into release artefacts and automation:

  • Include the MRA as a required document in your release checklist within your ticketing system.
  • Automate static checks: SBOM validation, signature verification, and simple policy tests as part of CI.
  • Deploy runtime detections to EDR and SIEM tools; feed alarms back into the MRA as new findings.
  • Schedule regular re-assessments: at each model or agent update, major OS updates, or significant change in hardware.

Testing and validation playbook

Follow these steps to validate controls before production rollout:

  1. Static verification: confirm model and binary signatures, check SBOM entries.
  2. Unit & integration tests: simulate malicious inputs (prompt injection vectors), enforce execution boundaries in test harness.
  3. Red-team and adversarial testing: emulate device compromise, local USB attack, and model extraction attempts.
  4. Pentest the update channel and supply chain servers for tampering vulnerabilities.
  5. Post-deploy monitoring: instrument the agent to emit tamper-evident logs and verify those logs are ingested centrally.
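The tamper-evident logging in step 5, together with Scenario A's control 3 (log automated file reads with the file's hash and a purpose annotation) and the sample entry's "more than 3 uploads in 1 hour" alert, as one added example that is not part of the article. The record layout, the hash-chain construction and the constructed events are all assumptions.

```python
# Added example: hash-chained audit log for agent file access plus the
# ">3 uploads in 1 hour" detection from the sample MRA entry. Layout assumed.
import hashlib
import json
from collections import deque

GENESIS = "0" * 64


class AuditLog:
    def __init__(self):
        self.entries = []
        self.last = GENESIS

    def record(self, ts, action, path, content: bytes, purpose):
        entry = {"ts": ts, "action": action, "path": path,
                 "sha256": hashlib.sha256(content).hexdigest(),
                 "purpose": purpose, "prev": self.last}
        # The entry hash covers every field plus the previous hash, so editing
        # or deleting an earlier line breaks every later link in the chain.
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        self.last = entry["hash"]
        return entry


def verify_chain(entries) -> bool:
    """True only if every link and every entry hash still checks out."""
    prev = GENESIS
    for e in entries:
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or digest != e["hash"]:
            return False
        prev = e["hash"]
    return True


def upload_alerts(entries, limit=3, window=3600):
    """Timestamps at which uploads in the trailing window exceeded `limit`."""
    recent, alerts = deque(), []
    for e in entries:
        if e["action"] != "upload":
            continue
        recent.append(e["ts"])
        while recent and e["ts"] - recent[0] >= window:
            recent.popleft()
        if len(recent) > limit:
            alerts.append(e["ts"])
    return alerts


# Constructed events: four uploads within 30 minutes trip the >3/hour rule.
LOG = AuditLog()
for i in range(4):
    LOG.record(1000 + i * 600, "upload", f"Documents/report{i}.docx", b"doc %d" % i, "summarise")
LOG.record(9000, "read", "Documents/notes.txt", b"notes", "summarise")
```

Ship the chain head (`LOG.last`) to the central log store with each batch so that a device-side rewrite of the history is detectable on ingestion.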

UK regulatory considerations (practical notes for compliance)

As UK organisations adopt on-device AI, consider:

  • UK GDPR: document lawful basis for processing personal data locally, perform DPIAs where risk is high, record processing activities.
  • NCSC guidance: adopt fundamental cyber hygiene (Secure Boot, patching, principle of least privilege).
  • Data residency and transfer: if local logging or backups are forwarded to cloud services, ensure lawful transfer mechanisms are in place.
  • Keep a record of model provenance and data used in training to support explainability and potential regulatory queries.

Advanced controls and 2026 best practices

For sensitive deployments, implement advanced protections that have matured in early 2026:

  • Hardware attestation and enclaves: run sensitive model layers inside secure enclaves (TPM-backed or ARM TrustZone) to prevent weight extraction.
  • Model partitioning: keep critical decision logic server-side; deploy reduced-capability local models for latency-sensitive tasks.
  • Continuous assurance: drift detection, periodic integrity checks of model artefacts, and automated retraining safety gates.
  • Federated telemetry: aggregate anonymised signals from devices to detect coordinated attacks without moving raw data off-device.
  • Contractual and procurement hardening: require vendors to produce SBOMs, attestations, and a vulnerability disclosure policy.

"On-device AI unlocks efficiency—and new attack surfaces. A focused MRA saves time and reduces costly remediation later."

Actionable takeaways (start today)

  • Embed an MRA requirement into your release process and treat it as a living document.
  • Prioritise controls that limit data exfiltration (sandboxing, proxying, DLP) and protect model artefacts (encryption, signing).
  • Invest in test automation that includes prompt-injection and extraction scenarios in CI.
  • Apply hardware-backed protections for high-value models and consider model partitioning where feasible.
  • Keep compliance documentation (DPIAs, SBOMs, attestation logs) ready to satisfy UK regulators and internal auditors.

Closing: a path to secure on-device and desktop agent deployment

On-device models and desktop agents are now an essential part of modern AI stacks. In 2026, the difference between a secure rollout and a costly breach often comes down to disciplined risk assessment tailored to local constraints. Use the template in this article as a starting point—customise it for your device fleet, embed it in your SDLC, and automate the checks that matter most.

Call to action

If you want a packaged, editable MRA (spreadsheet + JSON schema + CI checks) tailored to desktop agents and edge devices, request the TrainMyAI on-device MRA bundle or book a 90-minute workshop with our engineers. We'll help you map the template to your fleet and produce a remediation roadmap with assigned owners and SLAs.
