ORCID

Shiu-Kai Chin: 0009-007-5318-923X

Jae Oh: 0000-0002-5842-5189

Document Type

Article

Date

Summer 6-20-2026

Keywords

Mission assurance, Systems security engineering (SSE), STORM-AI, Commander's intent, STPA-Sec, Trustworthiness, Access-Control Logic (ACL), HOL4 theorem proving, AI Risk Management Framework (AI RMF), PAGE

Language

English

Funder(s)

National Security Agency

Funding ID

CON06350

Disciplines

Electrical and Computer Engineering

Description/Abstract

A STORM-AI Primer with an Operationally Representative Example presents the Systems-Theoretic Technical and Operational Risk Management with Artificial Intelligence (STORM-AI) methodology, a transdisciplinary framework for establishing the trustworthiness of mission systems that may incorporate AI components. The core value proposition of STORM-AI is mission assurance—ensuring that mission systems behave with the predictability and proportionality required by senior leadership and demanded by international humanitarian law. STORM-AI achieves this by faithfully preserving commander's intent from high-level mission descriptions down to hardware-level behavioral specifications through a structured sequence of four formally grounded models: a Mission Model, a Protection (Loss Control) Model, a Security (Secure State Machine) Model, and a Behavior Model (High-Level State Machine). Each model pair is accompanied by a trustworthiness context that provides stakeholders with the evidence necessary to make informed decisions about residual risk. The framework integrates NIST SP 800-160v1 systems security engineering principles, STPA-Sec hazard analysis, Access-Control Logic (ACL), Certified Security by Design (CSBD), and the NIST AI Risk Management Framework, with all security properties formally verified in the HOL4 theorem prover. STORM-AI further incorporates the PAGE (Percepts, Actions, Goals, Environment) framework for the principled design and evaluation of AI agents. An operationally representative example applies STORM-AI to a fictitious collaborative combat aircraft, the FQ-X, situated within a Taiwan Strait scenario drawn from the Hudson Institute's Taiwan Bulwark Activation Force concept. The appendices supply the syntax, semantics, and inference rules of the Access-Control Logic and the complete set of HOL4-verified FQ-X theories.

Creative Commons License

Creative Commons Attribution 4.0 International License
This work is licensed under a Creative Commons Attribution 4.0 International License.

Share

COinS