AATMF is not a replacement. Every technique is mapped to the frameworks your governance program already requires — OWASP LLM Top 10, OWASP ASI, MITRE ATLAS, NIST AI RMF, and the EU AI Act — so a single finding speaks every language.
The OWASP LLM Top 10 (2025) lists the most critical security risks in large-language-model applications. Every entry has a direct AATMF tactic and a set of techniques that operationalise it.
| OWASP ID | Risk | AATMF Tactic | Key Techniques | Severity |
|---|---|---|---|---|
| LLM01 | Prompt Injection | T1 · Prompt Manipulation | T1.001, T1.002, T1.003, T1.009 | Critical |
| LLM02 | Insecure Output Handling | T7 · Output Exploitation | T7.001, T7.002, T7.003 | High |
| LLM03 | Training Data Poisoning | T13 · Supply-Chain & Model Integrity | T13.001, T13.002, T13.003 | Critical |
| LLM04 | Model Denial of Service | T8 · Resource & Context Abuse | T8.001, T8.002, T8.004 | High |
| LLM05 | Supply Chain Vulnerabilities | T13 · Supply-Chain & Model Integrity | T13.004, T13.005, T13.006 | Critical |
| LLM06 | Sensitive Information Disclosure | T6 · Extraction & Data Exfiltration | T6.001, T6.002, T6.005 | High |
| LLM07 | Insecure Plugin Design | T5 · Agent & Tool Abuse | T5.003, T5.004, T5.007 | High |
| LLM08 | Excessive Agency | T4 · Agentic Exploitation | T4.001, T4.003, T4.006 | Critical |
| LLM09 | Overreliance | T15 · Human & Operator Manipulation | T15.002, T15.003, T15.004 | Medium |
| LLM10 | Model Theft | T6 · Extraction & Data Exfiltration | T6.006, T6.007, T6.008 | High |
The OWASP Agentic Security Initiative (ASI) 2026 extends the LLM Top 10 into multi-agent pipelines, autonomous systems, and MCP-connected toolchains — exactly the terrain AATMF's Advanced domain was built for.
Cross-agent injection via tool outputs, memory stores, and orchestrator channels. Maps to T1 + T4 + T5.
Crafted tool-call responses that redirect agent actions. ShadowMQ channel hijacking. Maps to T5 + T4.
Persistent adversarial content injected into vector stores and agent memory layers. Maps to T9 + T13.
Adversary-in-the-middle of LLM-to-LLM delegation chains. Targets trust boundaries in multi-agent systems.
Covert exfiltration through agent-invoked APIs, webhook callbacks, and DNS side channels. Maps to T6 + T5.
Malicious or compromised MCP servers granted excessive permissions. Tool-call scope escalation. Maps to T5 + T14.
MITRE ATLAS is the closest analogue to AATMF in the existing landscape. AATMF extends ATLAS with adversarial-specific scoring, agent-layer techniques, and 2025–26 research. Every ATLAS technique referenced in AATMF is cross-linked.
| ATLAS Tactic | ATLAS Techniques Covered | AATMF Tactic | Delta (AATMF-only) |
|---|---|---|---|
| Reconnaissance | AML.T0000–T0007 (8) | T10 · Reconnaissance & Targeting | +6 AI-specific |
| Resource Development | AML.T0008–T0014 (7) | T13 · Supply-Chain & Model Integrity | +9 supply-chain |
| Initial Access | AML.T0015–T0023 (9) | T1 · Prompt Manipulation | +11 injection types |
| ML Attack Staging | AML.T0024–T0033 (10) | T3 · Context & Memory Manipulation | +7 context attacks |
| Execution | AML.T0034–T0040 (7) | T4 · Agentic Exploitation | +12 agent primitives |
| Persistence | AML.T0041–T0046 (6) | T9 · Retrieval & RAG Poisoning | +5 RAG vectors |
| Defense Evasion | AML.T0047–T0057 (11) | T2 · Jailbreaking & Constraint Bypass | +8 bypass primitives |
| Discovery | AML.T0058–T0064 (7) | T10 · Reconnaissance & Targeting | +4 model fingerprint |
| Collection | AML.T0065–T0070 (6) | T6 · Extraction & Data Exfiltration | +6 exfil channels |
| Exfiltration | AML.T0071–T0075 (5) | T6 · Extraction & Data Exfiltration | +3 covert channels |
| Impact | AML.T0076–T0083 (8) | T7 · Output Exploitation, T8 · Resource Abuse | +5 impact variants |
AATMF covers 83 of 84 ATLAS techniques (98.8%) and adds 96 techniques with no ATLAS equivalent — primarily in agentic exploitation, MCP abuse, multimodal injection, and supply-chain poisoning.
NIST AI RMF 1.0 defines six core functions. AATMF's tactic structure and risk scores map directly to the Govern, Map, Measure, and Manage functions, providing the AI-security resolution the RMF leaves to implementers.
Organisational policies for AI risk. AATMF ethical use, tactic taxonomy, and risk-band definitions feed directly into GOVERN documentation requirements.
Context and risk identification. AATMF's 15-tactic surface provides the AI-threat catalogue that MAP requires for risk framing.
Quantified risk analysis. AATMF-R v3 scores (Critical/High/Medium/Low/Info) are directly usable as MEASURE outputs for each identified threat.
Prioritised response and treatment. AATMF's remediation bands (15 min / 1 hr / 4 hrs / weekly) define the MANAGE timelines for each risk tier.
The EU AI Act establishes risk tiers (Unacceptable, High, Limited, Minimal) and sets technical obligations for high-risk systems. AATMF risk bands map to Act tiers, and technique-level attack surface evidence satisfies Article 9 risk management requirements.
| EU AI Act Tier | AATMF Risk Band | Key Articles | AATMF Evidence |
|---|---|---|---|
| Unacceptable Risk | Critical (250+) | Art. 5 — Prohibited practices | T1–T4, T13 critical techniques |
| High Risk | High (150–249) | Art. 9 — Risk mgmt system; Art. 10 — Data governance; Art. 17 — QMS | Full AATMF-R scores, mitigation controls |
| Limited Risk | Medium (75–149) | Art. 52 — Transparency obligations | Technique descriptions, detection patterns |
| Minimal Risk | Low / Info (<75) | Art. 69 — Codes of conduct | AATMF ethical use policy |
Article 9 of the EU AI Act requires providers of high-risk AI systems to establish, implement, document, and maintain a risk management system throughout the entire lifecycle. AATMF provides the adversarial-AI threat catalogue — the documented set of known attack techniques and their risk scores — that satisfies the identification and analysis phase of Article 9.
Risk treatment then follows: AATMF mitigation controls map to the residual risk reduction requirements, and AATMF detection signatures feed into the monitoring obligations under Article 9(7).
Every AATMF technique carries its full compliance fingerprint. The table below shows representative mappings for the highest-risk techniques across the full standard set.
| AATMF ID | Technique | OWASP LLM | ATLAS | NIST RMF | EU AI Act | Risk |
|---|---|---|---|---|---|---|
| T1.001 | Direct Prompt Injection | LLM01 | AML.T0051 | MEASURE 2.5 | Art. 9 | Critical |
| T1.009 | Indirect Prompt Injection | LLM01 | AML.T0054 | MEASURE 2.5 | Art. 9 | Critical |
| T2.007 | Policy Puppetry | LLM01 | AML.T0054 | MEASURE 2.6 | Art. 9 | Critical |
| T4.001 | Autonomous Goal Hijack | LLM08 | AML.T0034 | MANAGE 1.3 | Art. 9 | Critical |
| T5.001 | Tool Call Injection | LLM07 | AML.T0035 | MANAGE 1.3 | Art. 9 | Critical |
| T9.001 | PoisonedRAG | LLM03 | AML.T0024 | MEASURE 2.7 | Art. 10 | Critical |
| T11.001 | GTG-1002 Gradient Attack | LLM03 | AML.T0043 | MEASURE 2.7 | Art. 9 | Critical |
| T13.001 | Model Backdoor Insertion | LLM05 | AML.T0008 | GOVERN 6.2 | Art. 10, 17 | Critical |
| T6.001 | System Prompt Extraction | LLM06 | AML.T0065 | MEASURE 2.5 | Art. 52 | High |
| T15.002 | Operator Trust Manipulation | LLM09 | AML.T0081 | GOVERN 1.7 | Art. 52 | High |
Full mappings are embedded in every technique. No separate spreadsheet.
Open any technique in the browser and you will find its OWASP LLM, OWASP ASI, MITRE ATLAS, NIST RMF, and EU AI Act mapping inline — alongside the risk score, attack procedures, detection patterns, and chaining paths.
The compliance row in every technique drawer is machine-readable: technique IDs follow the schema T{n}.{nnn} and can be exported as JSON for ingestion into GRC tooling.
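An added example, not part of AATMF or its tooling: a pre-ingestion check for an exported set of compliance rows that validates each ID against T{n}.{nnn} within the 15-tactic range and checks the declared risk band against the score thresholds in the EU AI Act tier table above. The JSON field names (`id`, `score`, `risk`) and the sample scores are assumptions, since the page does not show the export format.

```python
import json
import re

# Technique IDs follow T{n}.{nnn}; the page describes 15 tactics, so n is 1..15.
TECHNIQUE_ID = re.compile(r"T([1-9]|1[0-5])\.\d{3}")

# (score floor, accepted band labels, EU AI Act tier), from the page's tier table.
BANDS = [
    (250, ("Critical",), "Unacceptable Risk"),
    (150, ("High",), "High Risk"),
    (75, ("Medium",), "Limited Risk"),
    (0, ("Low", "Info"), "Minimal Risk"),
]

def band_for(score):
    """Return (accepted band labels, EU AI Act tier) for an AATMF-R score."""
    for floor, labels, tier in BANDS:
        if score >= floor:
            return labels, tier
    raise ValueError(f"negative score: {score}")

def validate_export(raw_json):
    """Split exported rows into (accepted, rejected) before GRC ingestion."""
    accepted, rejected = [], []
    for row in json.loads(raw_json):
        tid, score, risk = str(row.get("id", "")), row.get("score"), row.get("risk")
        if not TECHNIQUE_ID.fullmatch(tid):
            rejected.append((tid, "id does not match T{n}.{nnn}"))
        elif type(score) not in (int, float) or score < 0:
            rejected.append((tid, "score is not a non-negative number"))
        elif risk not in band_for(score)[0]:
            rejected.append((tid, f"declared risk {risk!r} contradicts score {score}"))
        else:
            tier = band_for(score)[1]
            accepted.append({"id": tid, "tactic": tid.split(".")[0],
                             "risk": risk, "eu_ai_act_tier": tier})
    return accepted, rejected

# Constructed sample export: IDs come from the page's table, scores are made up.
SAMPLE = json.dumps([
    {"id": "T1.001", "score": 270, "risk": "Critical"},
    {"id": "T6.001", "score": 180, "risk": "High"},
    {"id": "T16.001", "score": 90, "risk": "Medium"},  # tactic outside T1..T15
    {"id": "T5.01", "score": 200, "risk": "High"},     # technique part not 3 digits
    {"id": "T15.002", "score": 120, "risk": "High"},   # band disagrees with score
])

if __name__ == "__main__":
    ok, bad = validate_export(SAMPLE)
    print(json.dumps({"accepted": ok, "rejected": bad}, indent=2))
```

Rejected rows are returned with a reason rather than dropped, so a malformed or inconsistent export is visible to the reviewer before it reaches the GRC record.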
240 techniques. Five standards. One framework.