Knowledge Center / MITRE ATLAS
MITRE · Global

MITRE ATLAS (AI/ML Threats)

A knowledge base of adversarial threats to AI and machine-learning systems.

1. Introduction

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a globally recognised, community-curated knowledge base that catalogues the tactics, techniques and case studies adversaries use to attack machine-learning (ML) and artificial-intelligence (AI) enabled systems. Modelled on the widely adopted MITRE ATT&CK framework, ATLAS extends the familiar attacker's kill-chain vocabulary into the AI-specific problem space, giving security teams, ML engineers, red teams and auditors a common language to describe, hunt for and defend against threats that target data pipelines, model training, model deployment and generative-AI applications.

As enterprises rush to embed large language models (LLMs), computer-vision models, recommendation engines and predictive analytics into products, regulatory expectations and customer scrutiny of AI security are rising sharply. ATLAS has become the de-facto reference used to structure AI red-team engagements, threat models, secure-development requirements and assurance reports. This guide provides an auditor-grade, end-to-end treatment of ATLAS: what it is, who should adopt it, its full structure of tactics and techniques, a master assessment checklist covering every tactic column, scoping guidance, a phased implementation approach, a maturity model, an audit methodology, evidence expectations, roles, KPIs and cross-framework mappings so that a security programme can be measured against it rigorously and repeatably.

Copyright and licensing note
MITRE ATLAS is developed and maintained by The MITRE Corporation and released to the community, typically under permissive terms (the ATLAS data and website content are made available for public use, with ATT&CK-derived material under the ATT&CK terms of use). 'ATT&CK' and 'ATLAS' and associated marks are trademarks of The MITRE Corporation. This CyberSigma guide is original explanatory and assessment material; it paraphrases and interprets ATLAS concepts and does not reproduce MITRE's copyrighted text verbatim. Always consult the official ATLAS matrix at atlas.mitre.org for authoritative technique identifiers, definitions and case studies, and observe MITRE's terms of use when redistributing derived content.

2. What is MITRE ATLAS

MITRE ATLAS is a structured, matrix-based knowledge base describing how adversaries compromise AI-enabled systems across the full lifecycle, from reconnaissance of a target model to exfiltration of data or intellectual property and the resulting business impact. It is not a compliance standard with mandatory controls or a certification scheme; rather it is a threat-informed reference framework. Its power lies in providing a shared taxonomy that connects real-world attack observations to defensive and detective measures, enabling threat modelling, adversary emulation, gap analysis and coverage measurement for AI systems.

ATLAS mirrors the ATT&CK structure of tactics (the adversary's objective, the 'why') and techniques (the method used to achieve that objective, the 'how'), with many sub-techniques and detailed procedure examples drawn from documented incidents and published research. Because AI systems share much of their surrounding infrastructure with conventional enterprise IT, ATLAS deliberately reuses relevant ATT&CK Enterprise tactics and techniques and adds AI-specific ones, so an ATLAS-informed assessment naturally spans both traditional and AI-native attack surfaces.

Alongside the matrix, ATLAS publishes case studies documenting real and realistic attacks on production AI systems, a set of mitigations mapped to techniques, and community tooling such as adversary-emulation resources. The framework is continuously updated to keep pace with the fast-moving generative-AI threat landscape, including techniques specific to LLMs such as prompt injection, jailbreaks, and retrieval-augmented-generation (RAG) poisoning.

Key characteristics

  • Threat-informed: organised around observed adversary behaviour rather than abstract control catalogues.
  • Lifecycle-spanning: covers data collection, model training, deployment, inference and downstream impact.
  • ATT&CK-aligned: reuses ATT&CK tactic names and IDs where behaviour is shared, easing integration with existing SOC and red-team practice.
  • Evidence-rich: backed by curated case studies and academic references for each technique.
  • Vendor-neutral and free: publicly available, supporting internal use, red teaming and assurance reporting.

3. Who must comply / who should adopt ATLAS

ATLAS imposes no legal mandate, but it is rapidly becoming an expected reference for any organisation that builds, deploys, procures or assures AI/ML systems. Regulators, customers and internal risk functions increasingly ask for AI threat models and red-team results expressed in ATLAS terms. The following stakeholders benefit most from adopting it.

Stakeholder / roleWhy ATLAS applies to them
AI/ML product teams and MLOps engineersBuild and operate models; ATLAS informs secure-by-design requirements across the ML pipeline.
Security architects and threat modellersUse ATLAS tactics/techniques to enumerate AI-specific attack paths and design mitigations.
Red teams and AI penetration testersUse ATLAS as the emulation library to plan and report adversarial AI assessments.
SOC / blue teams and detection engineersMap detections and telemetry to ATLAS techniques to measure and improve coverage.
CISOs and AI governance / risk leadersReport AI threat coverage and residual risk to boards, aligned to a recognised framework.
Procurement and third-party risk teamsRequire vendors to evidence AI security testing mapped to ATLAS techniques.
Compliance and internal auditAssess whether AI security controls address known adversarial techniques.
Regulated sectors (BFSI, healthcare, defence, critical infrastructure)Face rising AI-assurance expectations (e.g., EU AI Act, sectoral guidance) that ATLAS helps operationalise.

4. Structure of MITRE ATLAS

ATLAS is organised as a matrix of tactics (columns) and techniques (cells), supplemented by sub-techniques, mitigations and case studies. Tactics represent the adversary's tactical goal at a stage of the attack; techniques are the observable means of achieving it. Some tactics and techniques are AI-specific and unique to ATLAS, while others are adapted from ATT&CK Enterprise because they apply equally to the IT estate surrounding an AI system. The tactic set spans the AI attack lifecycle as summarised below (technique counts are indicative and evolve with each ATLAS release; always verify against the live matrix).

ATLAS tacticAdversary objectiveRepresentative AI-specific techniques
ReconnaissanceGather information to plan an attack on the AI systemSearch for victim's publicly available research materials; search for publicly available adversarial-vulnerability analysis; active scanning of ML artefacts
Resource DevelopmentEstablish resources to support operationsAcquire public ML artefacts (datasets, models); obtain capabilities (adversarial ML tools); develop capabilities; poison training data; establish accounts
Initial AccessGain a foothold in the AI system or supply chainML supply-chain compromise; valid accounts; exploit public-facing application; phishing; evade ML model; LLM prompt injection
ML Model AccessObtain a level of access to the ML model or its interfaceML model inference API access; ML-enabled product or service; physical environment access; full ML model access
ExecutionRun adversary-controlled code or instructionsUser execution (unsafe ML artefacts); command and scripting interpreter; LLM plugin compromise; LLM prompt injection to trigger actions
PersistenceMaintain access across restarts and retrainingPoison training data; backdoor ML model; LLM prompt injection (persistent); manipulate ML artefacts
Privilege EscalationGain higher-level permissionsLLM prompt injection; LLM jailbreak; exploit application/plugin permissions
Defense EvasionAvoid detection of malicious AI activityEvade ML model; LLM prompt injection; LLM jailbreak; masquerading of ML artefacts
Credential AccessSteal credentials, keys or secretsUnsecured credentials; LLM meta-prompt extraction; secrets embedded in prompts or model context
DiscoveryLearn about the AI environment and modelDiscover ML model ontology; discover ML model family; discover ML artefacts; LLM meta-prompt extraction
CollectionGather data of interest for the objectiveML artefact collection; data from information repositories; collect inference-API responses
ML Attack StagingPrepare an attack tailored to the target modelCreate proxy ML model; backdoor ML model; craft adversarial data; verify attack; poison training data
Command and ControlCommunicate with compromised AI componentsReverse shell; use of covert channels via ML services (reused ATT&CK behaviour)
ExfiltrationSteal models, data or IPExfiltration via ML inference API; extract ML model (model stealing); exfiltration via cyber means; membership-inference / data extraction
ImpactDisrupt, degrade or manipulate the AI system or businessEvade ML model; erode ML model integrity; denial of ML service; spamming ML system with chaff; cost harvesting; external harms (reputational, financial, safety)

Each technique record in ATLAS provides a description, associated sub-techniques where relevant, procedure examples, mitigations, and links to case studies. Mitigations (prefixed AML.M in ATLAS identifiers) are countermeasures such as validating ML artefacts, sanitising training data, restricting model API access, adversarial-robustness training and guardrails for LLM inputs and outputs. Case studies (prefixed AML.CS) narrate documented incidents that exercised chains of techniques end to end.

5. Master assessment checklist

This is the core of the guide. It enumerates every ATLAS tactic as an assessment group. For each tactic, the table sets out what an assessor should verify (the control or capability that reduces exposure to techniques in that tactic) and the typical evidence that demonstrates it. Assessors should confirm, for each technique within a tactic, that relevant mitigations are designed, implemented and operating, and that detective coverage exists. No tactic column should be skipped, because adversaries chain techniques across tactics.

5.1 Reconnaissance

What to verifyTypical evidence
Public exposure of model details, research papers, datasets, architecture and endpoints is minimised and reviewedOSINT / attack-surface review report; inventory of publicly disclosed AI assets; disclosure-review policy
Model and API metadata do not leak family, version or ontology unnecessarilyAPI response inspection; header and error-message review; documentation redaction records
Monitoring exists for scanning and enumeration of AI endpointsWAF / API-gateway logs; rate-limit and anomaly-detection configuration; alert samples

5.2 Resource Development

What to verifyTypical evidence
Third-party datasets, pre-trained models and ML libraries are sourced from trusted, verified originsProvenance records; checksums / signatures; approved-source list; SBOM/AI-BOM
Controls detect poisoning or tampering of externally acquired training dataData-validation pipeline config; anomaly and outlier detection results; dataset review sign-off
Accounts and infrastructure used for AI development are hardened against misuseIAM policy; MFA enforcement; hardened build-environment baselines

5.3 Initial Access

What to verifyTypical evidence
ML supply chain (models, datasets, containers, dependencies) is integrity-verified before useSignature verification logs; dependency-scanning reports; artefact-registry policies
Public-facing AI applications are hardened and patched; input surfaces are constrainedVulnerability-scan / pen-test reports; patch records; secure config baselines
LLM prompt-injection and unsafe-input vectors at entry points are mitigatedInput-validation and guardrail configuration; prompt-injection test cases and results
Authentication to model interfaces and consoles is strong and least-privilegeIAM and MFA evidence; access-review records

5.4 ML Model Access

What to verifyTypical evidence
Inference APIs enforce authentication, authorisation, rate limiting and quotasAPI-gateway config; auth policies; throttling rules; usage logs
Full-model access (weights, files) is restricted to authorised roles and auditedAccess-control matrix; storage-bucket policies; access logs
Physical and embedded model access (edge devices) is controlled where applicableDevice-hardening evidence; secure-boot / secure-enclave records; physical-access controls

5.5 Execution

What to verifyTypical evidence
Serialized ML artefacts (e.g., pickled models) are scanned and loaded in sandboxed contextsArtefact-scanning results; safe-loading policy; sandbox/container configuration
LLM tool/plugin invocation is constrained, authorised and cannot execute arbitrary actionsTool/plugin allow-list; permission scoping; action-confirmation controls; test evidence
Command execution paths reachable via AI inputs are prevented or containedCode-review findings; injection test results; runtime-protection configuration

5.6 Persistence

What to verifyTypical evidence
Training-data and retraining pipelines are protected against poisoning that would persist backdoorsPipeline access controls; data-integrity checks; retraining approval workflow
Model integrity is verified across the lifecycle to detect backdoored or manipulated weightsModel-signing / hashing records; integrity-check jobs; backdoor-detection testing
Persistent prompt-injection vectors (stored prompts, RAG stores) are sanitised and monitoredRAG-content validation; stored-prompt review; monitoring alerts

5.7 Privilege Escalation

What to verifyTypical evidence
LLM applications enforce least privilege so injected instructions cannot elevate capabilityPermission model; system-prompt hardening; privilege-boundary test cases
Jailbreak and guardrail-bypass attempts do not grant restricted functionsJailbreak test results; guardrail configuration; refusal/override logs
Downstream connectors and plugins run with scoped, minimal permissionsIAM scoping evidence; connector permission review

5.8 Defense Evasion

What to verifyTypical evidence
Adversarial-example detection and input sanitisation reduce model evasionAdversarial-robustness testing; input-preprocessing config; detection metrics
Guardrails resist obfuscated, encoded or multi-turn evasion of policyRed-team evasion results; guardrail rule set; content-filter logs
ML artefacts are validated against masquerading and tamperingArtefact provenance and signature checks; registry integrity logs

5.9 Credential Access

What to verifyTypical evidence
Secrets, keys and credentials are never embedded in prompts, system messages or model contextSecret-scanning results; prompt/config review; secrets-manager usage evidence
Meta-prompt / system-prompt extraction does not reveal sensitive instructions or keysPrompt-extraction test results; system-prompt content review; output-filter config
Credential stores accessed by AI workloads are hardened and rotatedSecrets-manager policy; rotation logs; least-privilege bindings

5.10 Discovery

What to verifyTypical evidence
Model responses do not disclose ontology, family, version or internal artefacts unnecessarilyAPI/output review; error-handling standards; information-leakage test results
Enumeration of ML artefacts and repositories is restricted and loggedRepository access controls; discovery-attempt alerts; logging evidence
System-prompt and configuration discovery via crafted inputs is mitigatedMeta-prompt protection tests; output guardrail configuration

5.11 Collection

What to verifyTypical evidence
Access to ML artefacts, datasets and information repositories is least-privilege and monitoredAccess-control matrix; data-repository logs; DLP configuration
Bulk collection of inference-API outputs is rate-limited and detectedAPI usage analytics; anomaly-detection alerts; throttling evidence
Sensitive data used by models is classified and access-governedData-classification records; governance policy; access reviews

5.12 ML Attack Staging

What to verifyTypical evidence
Controls limit an adversary's ability to build proxy/surrogate models from API accessQuery-pattern monitoring; rate limits; output-perturbation or watermarking config
Training pipelines detect crafted adversarial or poisoned data used to stage attacksData-validation and outlier-detection results; poisoning-detection testing
Model backdooring during staging is prevented via integrity and review controlsModel-review workflow; integrity checks; change-control records

5.13 Command and Control

What to verifyTypical evidence
Egress from AI/ML workloads is restricted and monitored for covert channelsEgress-filtering / firewall rules; network-monitoring alerts; segmentation evidence
Compromised AI components cannot establish outbound C2 to attacker infrastructureEDR/NDR logs; DNS and proxy monitoring; deny-by-default network policy

5.14 Exfiltration

What to verifyTypical evidence
Model-stealing via inference APIs is deterred (rate limits, query monitoring, watermarking)Query-anomaly detection; rate-limit config; watermarking / fingerprinting evidence
Membership-inference and training-data extraction risks are mitigatedPrivacy testing (e.g., differential privacy) records; output-filtering evidence
Model files, weights and datasets are protected against direct exfiltrationEncryption-at-rest evidence; DLP alerts; egress controls; access logs

5.15 Impact

What to verifyTypical evidence
Model evasion and integrity erosion are detected and their business impact boundedPerformance/integrity monitoring; drift and accuracy dashboards; incident records
Denial-of-ML-service and chaff/cost-harvesting attacks are throttled and cost-cappedRate-limiting and cost-guardrail config; capacity monitoring; alerting evidence
Downstream harms (safety, financial, reputational) are risk-assessed with response plansAI risk assessment; human-in-the-loop controls; incident-response runbooks

6. Scoping

Because ATLAS is a threat framework rather than a fixed control set, scoping determines which tactics, techniques and mitigations are relevant to a given AI system and where assessment effort is concentrated. Effective scoping ensures the assessment reflects the actual attack surface and the organisation's risk appetite.

Scoping dimensions

  • AI system inventory: enumerate models, datasets, pipelines, inference endpoints, LLM applications, agents and their business criticality.
  • Model type: classifier, regressor, computer-vision, generative/LLM, recommendation — each attracts different ATLAS techniques (e.g., prompt injection applies to LLMs).
  • Deployment model: cloud-hosted, on-premises, edge/embedded, third-party API — determines access and supply-chain exposure.
  • Data sensitivity: presence of personal, regulated or proprietary data raises exfiltration and privacy relevance.
  • Access exposure: internet-facing vs internal; authenticated vs anonymous inference access.
  • Supply-chain reliance: use of external pre-trained models, datasets, plugins and MLOps tooling.
  • Autonomy and integrations: agentic systems with tool/plugin execution expand Execution and Privilege Escalation scope.
Scoping tip
Start by mapping each in-scope AI system onto the ATLAS matrix and marking which techniques are plausible given its architecture. Exclude techniques that are architecturally impossible (documenting the rationale), and prioritise assessment of tactics with the highest likelihood-times-impact. This produces a defensible, right-sized assessment scope rather than an unbounded review of every technique.

7. Implementation approach

Operationalising ATLAS is best delivered in phases, moving from understanding the AI estate to embedding continuous, threat-informed defence. Each phase has defined activities and deliverables.

Phase 1 — Discover and inventory

  • Activities: build an AI/ML asset inventory (models, datasets, pipelines, endpoints, LLM apps, agents); classify by criticality and data sensitivity; identify supply-chain dependencies.
  • Deliverables: AI system register; AI-BOM; data-flow and architecture diagrams for each system.

Phase 2 — Threat model against ATLAS

  • Activities: for each system, map plausible ATLAS tactics/techniques; identify likely attack chains; prioritise by risk.
  • Deliverables: per-system ATLAS threat model; prioritised technique/attack-path register; risk ratings.

Phase 3 — Assess coverage and gaps

  • Activities: evaluate existing mitigations and detections against prioritised techniques using the master checklist; conduct AI red-team / adversarial testing.
  • Deliverables: coverage heat-map over the ATLAS matrix; gap analysis; red-team findings mapped to techniques.

Phase 4 — Remediate and harden

  • Activities: implement ATLAS mitigations (artefact validation, data sanitisation, API restriction, guardrails, robustness training); fix red-team findings.
  • Deliverables: remediation plan with owners and dates; updated secure-by-design requirements; hardened configurations.

Phase 5 — Detect and respond

  • Activities: build detections and telemetry for high-priority techniques; integrate AI events into SOC; create AI-incident playbooks.
  • Deliverables: detection rules mapped to ATLAS; monitoring dashboards; AI incident-response runbooks.

Phase 6 — Operate and improve

  • Activities: run periodic adversary emulation; update threat models as ATLAS evolves and systems change; report coverage and residual risk.
  • Deliverables: continuous-improvement backlog; recurring assurance reports; refreshed coverage heat-maps.

8. Maturity / capability model

ATLAS does not define an official maturity scale, so CyberSigma applies a five-level capability model to benchmark how thoroughly an organisation understands and defends against ATLAS techniques. This enables consistent scoring and roadmap planning.

LevelNameCharacteristics
1InitialNo AI-specific threat modelling; ATLAS not used; ad-hoc, reactive AI security; no AI asset inventory.
2DevelopingAI assets partially inventoried; ATLAS awareness exists; some threat modelling for critical systems; limited mitigations.
3DefinedATLAS threat models exist for all critical AI systems; mitigations mapped to techniques; periodic AI red teaming; documented processes.
4ManagedCoverage measured across the matrix; detections mapped to techniques and monitored; metrics reported; supply-chain and data integrity controlled.
5OptimisingContinuous adversary emulation; automated integrity/robustness testing in CI/CD; threat intel drives updates; residual AI risk actively managed and board-reported.

9. Assessment and audit approach

An ATLAS-based assessment combines document review, technical validation and adversarial testing to determine whether an organisation's AI systems are defended against known adversarial techniques. The following ordered methodology yields repeatable, evidence-backed conclusions.

  1. Define scope: confirm in-scope AI systems, environments and objectives with stakeholders, using the scoping dimensions.
  2. Gather documentation: collect the AI inventory, architecture diagrams, data flows, threat models, policies and prior test reports.
  3. Build or validate the threat model: map each system to plausible ATLAS tactics and techniques and prioritise by risk.
  4. Assess mitigations: using the master checklist, verify design, implementation and operating effectiveness of controls per tactic.
  5. Assess detections: evaluate telemetry and detection coverage mapped to high-priority techniques.
  6. Perform adversarial testing: emulate prioritised techniques (e.g., prompt injection, evasion, model extraction) safely against test or controlled environments.
  7. Analyse gaps: compare observed coverage against the prioritised technique set and rate residual risk.
  8. Score maturity: place the programme on the capability model with justification.
  9. Report and remediate: deliver findings mapped to ATLAS techniques with prioritised, owned remediation actions.
  10. Re-test and monitor: validate fixes and establish periodic reassessment aligned to ATLAS updates.

10. Evidence request list

The assessor should request the following categorised evidence to substantiate coverage of ATLAS techniques and mitigations.

  • Governance and inventory: AI system register; AI-BOM; data-classification records; AI security policy and standards.
  • Architecture and design: architecture diagrams; data-flow diagrams; threat models; secure-by-design requirements.
  • Supply chain and provenance: approved-source lists; model/dataset provenance and signatures; dependency and container scan reports.
  • Access and identity: IAM policies; MFA enforcement; API-gateway auth, rate-limit and quota configuration; access-review records.
  • Data pipeline integrity: data-validation and poisoning-detection configuration and results; retraining approval workflows.
  • Model integrity: model-signing/hashing records; integrity-check jobs; backdoor-detection testing.
  • LLM-specific controls: guardrail and input/output-filter configuration; system-prompt hardening; prompt-injection and jailbreak test cases and results.
  • Secrets and credentials: secret-scanning results; secrets-manager usage and rotation logs.
  • Detection and monitoring: detection rules mapped to ATLAS; SIEM/EDR/NDR logs; anomaly-detection and cost-guardrail configuration; alert samples.
  • Testing and assurance: AI red-team / adversarial-robustness reports; privacy (membership-inference) testing; penetration-test reports.
  • Incident response: AI incident-response runbooks; incident records and post-incident reviews.

11. Roles and responsibilities

RoleResponsibilities under an ATLAS programme
CISO / AI security leadOwns AI security strategy; sponsors ATLAS adoption; reports coverage and residual risk to leadership.
AI governance / risk managerMaintains AI risk register; ensures threat models and assessments are current; aligns with regulatory obligations.
Security architect / threat modellerProduces per-system ATLAS threat models and secure-design requirements.
ML engineers / MLOpsImplement pipeline integrity, artefact validation, guardrails and model-security controls.
Red team / AI pen testersEmulate ATLAS techniques and report findings mapped to the matrix.
SOC / detection engineersBuild and operate detections mapped to techniques; investigate AI-related alerts.
Data owners / stewardsClassify and govern training and inference data; approve dataset sources.
Internal audit / assuranceIndependently verify that controls address prioritised ATLAS techniques.

12. KPIs to track

  • Percentage of AI systems with a current, approved ATLAS threat model.
  • ATLAS matrix coverage: proportion of prioritised techniques with implemented mitigations and detections.
  • Number and severity of AI red-team findings, and mean time to remediate them.
  • Percentage of ML artefacts and datasets with verified provenance and integrity.
  • Detection coverage: proportion of high-priority techniques with validated detection rules.
  • Adversarial-robustness and prompt-injection/jailbreak test pass rates over time.
  • Time to detect and respond to AI-specific incidents.
  • Percentage of AI supply-chain components scanned and approved.
  • Capability-maturity level trend across the AI estate.
  • Cost-guardrail breaches / denial-of-ML-service events detected and contained.

13. Readiness checklist

  • A complete inventory of AI/ML systems, datasets, pipelines and endpoints exists and is maintained.
  • Each critical AI system has an approved threat model mapped to ATLAS tactics and techniques.
  • ML supply-chain artefacts are provenance-verified and integrity-checked before use.
  • Inference APIs enforce authentication, authorisation, rate limiting and quotas.
  • Training and retraining pipelines have data-integrity and poisoning-detection controls.
  • Model integrity (signing/hashing, backdoor detection) is verified across the lifecycle.
  • LLM guardrails mitigate prompt injection, jailbreaks and sensitive-output leakage, and are tested.
  • Secrets and credentials are never embedded in prompts or model context and are managed centrally.
  • Detections mapped to high-priority ATLAS techniques are deployed and monitored in the SOC.
  • AI red-team / adversarial testing is performed periodically with findings tracked to closure.
  • AI-specific incident-response runbooks exist and have been exercised.
  • Coverage, findings and maturity are reported to governance on a regular cadence.

14. Common gaps

  • No AI asset inventory, so the attack surface and ATLAS scope are unknown.
  • AI systems excluded from enterprise threat modelling and SOC monitoring.
  • Unverified third-party models and datasets used without provenance or integrity checks.
  • Inference APIs lacking rate limiting, enabling model extraction and cost-harvesting attacks.
  • LLM applications with weak or untested guardrails, vulnerable to prompt injection and jailbreaks.
  • Secrets embedded in system prompts or retrievable via meta-prompt extraction.
  • Agentic tools/plugins granted excessive privileges, enabling injected-instruction abuse.
  • Training pipelines lacking poisoning detection, allowing persistent backdoors.
  • No adversarial-robustness or membership-inference testing before production release.
  • Detections not mapped to AI techniques, leaving blind spots in the AI kill-chain.
  • No AI-specific incident-response playbooks or defined ownership.
  • One-off assessments that are never refreshed as ATLAS and the systems evolve.

15. MITRE ATLAS mapped to other frameworks

ATLAS complements, rather than replaces, broader AI-security and governance frameworks. It supplies the adversary-behaviour layer that operationalises higher-level control and risk requirements. The indicative mapping below shows how ATLAS relates to widely used references.

FrameworkRelationship to MITRE ATLAS
MITRE ATT&CK (Enterprise)Parent methodology; ATLAS reuses shared tactics/techniques and adds AI-specific ones for the surrounding IT estate.
NIST AI Risk Management Framework (AI RMF 100-1)ATLAS provides concrete adversarial-threat content that informs the Map and Manage functions of AI RMF.
OWASP Top 10 for LLM ApplicationsOverlaps strongly on LLM threats (prompt injection, data leakage); ATLAS provides the broader lifecycle tactic structure.
OWASP Machine Learning Security Top 10Covers ML-specific risks (data poisoning, model theft) that map to ATLAS Resource Development, Staging and Exfiltration.
ISO/IEC 42001 (AI management system)Governance-level management-system standard; ATLAS operationalises AI security-risk treatment within it.
ISO/IEC 27001 / 27002Information-security controls provide the control baseline; ATLAS informs AI-specific threat treatment and testing.
NIST SP 800-53 / CSFEnterprise control catalogues; ATLAS techniques justify and prioritise AI-relevant control selection.
EU AI ActRegulatory obligations for high-risk AI (robustness, security); ATLAS supports evidence of adversarial-security testing.
NIST Adversarial ML taxonomy (AI 100-2)Shares terminology for attacks on ML; ATLAS operationalises it into a tactic/technique matrix with mitigations.

16. How CyberSigma helps

How CyberSigma helps
CyberSigma helps organisations turn MITRE ATLAS from a reference matrix into a working AI-security programme. Our CERT-In empanelled and PCI QSA led team builds your AI asset inventory and AI-BOM, produces ATLAS-mapped threat models for every critical model and LLM application, and runs adversarial red-team engagements covering prompt injection, model evasion, data poisoning, model extraction and membership inference. We assess mitigation and detection coverage across the full matrix, deliver a prioritised remediation roadmap, engineer guardrails and pipeline-integrity controls, integrate AI telemetry and detections into your SOC, and establish continuous adversary emulation. The outcome is measurable, board-reportable assurance that your AI systems are defended against the adversarial techniques that matter, aligned to ATLAS and mapped to your wider NIST, ISO and regulatory obligations. Contact CyberSigma to benchmark your AI estate against MITRE ATLAS and build lasting AI resilience.

Frequently asked questions

How is ATLAS different from ATT&CK?
ATT&CK covers general enterprise attacker techniques; ATLAS focuses specifically on adversarial threats to AI and machine-learning systems, in a compatible structure.
Official documents

Need help with MITRE ATLAS?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.