A structured, open threat model for adversarial AI — the attack surface that prompt injection, data poisoning, model extraction and agentic exploitation opened, and that conventional security frameworks were never built to describe. One common language to test it, score it, and defend it.
AI systems can be socially engineered — because they were trained to respond like humans.
It is the first technology where human manipulation translates directly into technical exploitation. The same playbook that works on a person — authority, urgency, framing, misdirection — works on the model trained to answer like one.
AATMF catalogues that surface the way ATT&CK catalogues enterprise intrusion: a complete taxonomy, stable identifiers, and concrete, reproducible procedures for finding, testing and defending against AI-specific attacks.
Same attack. Different substrate.
From prompt-level manipulation to infrastructure and the humans in the loop — fifteen tactics span the full adversarial lifecycle. Each links to its techniques, procedures and detections.
Risk = (L · I · E) / 6 × (D / 6) × R × C
Every technique cross-references the frameworks your program and your regulators already use — so AATMF slots into existing governance instead of replacing it.
AI Risk Management Framework — Govern, Map, Measure, Manage.
Adversarial Threat Landscape for AI Systems.
The canonical LLM application risk list.
Risk tiers and obligations for high-risk AI.
Plan and run structured adversarial-AI assessments with reproducible procedure IDs.
Build detections, harden defenses, and respond to AI-specific incidents.
Threat-model models, RAG and agents before they reach production.
Publish against a common taxonomy with collision-free identifiers.
Map AI risk to NIST AI RMF, the EU AI Act and OWASP.
Prioritise and communicate AI risk to the board with one score.