
Security Frameworks & Standards


Overview

As AI systems move from research prototypes to critical infrastructure, a growing ecosystem of frameworks, standards, and regulations has emerged to address the security and governance challenges they introduce. These range from voluntary technical taxonomies (MITRE ATLAS) to enforceable law (EU AI Act), and understanding the landscape is essential for any organization deploying or developing AI.

This page covers the major frameworks and standards relevant to AI security practitioners, their scope, how they interrelate, and their current adoption status.


Framework Comparison

Before diving into the details, the following table provides a high-level comparison of the major frameworks and standards covered on this page.

Framework | Organization | Scope | Mandatory / Voluntary | Primary Focus
MITRE ATLAS | MITRE Corporation | Adversarial ML threat modeling | Voluntary | Attack techniques & tactics
NIST AI RMF 1.0 | NIST | AI risk management lifecycle | Voluntary (US federal guidance) | Risk governance & management
NIST AI 100-2 | NIST | Adversarial ML taxonomy | Voluntary | Threat categorization
OWASP Top 10 for LLMs | OWASP | LLM application security | Voluntary | Vulnerability identification
OWASP LLMSVS | OWASP | LLM security verification | Voluntary | Security requirements & testing
OWASP AI Governance Checklist | OWASP | AI governance | Voluntary | Organizational governance
EU AI Act | European Union | AI regulation (EU market) | Mandatory (EU) | Risk-based regulation
ISO/IEC 42001 | ISO/IEC | AI management systems | Voluntary (certifiable) | Management system standard
US EO 14110 (Biden) | US Executive Branch | Federal AI safety | Directive (revoked) | Safety, security, trustworthiness
US EO (Trump, Dec 2025) | US Executive Branch | National AI framework | Directive | National AI strategy

1. MITRE ATLAS

ATLAS (Adversarial Threat Landscape for Artificial Intelligence Systems) is a knowledge base of adversarial tactics, techniques, and procedures (TTPs) targeting AI systems. It is modeled after and explicitly aligned with the MITRE ATT&CK framework, making it familiar to security teams already using ATT&CK for threat modeling and detection engineering.

Structure

As of the October 2025 update, ATLAS contains:

  • 15 tactics — high-level adversarial objectives (the “why” of an attack)
  • 66 techniques — specific methods to achieve tactics (the “how”)
  • 46 sub-techniques — more granular variations of techniques

Relationship to ATT&CK

ATLAS deliberately mirrors ATT&CK’s structure and taxonomy conventions. Several ATLAS tactics are direct analogs of ATT&CK tactics (Reconnaissance, Resource Development, Initial Access, etc.), while others are AI-specific (ML Attack Staging, ML Model Access). This allows security teams to integrate AI threat modeling into existing ATT&CK-based workflows and detection frameworks.

ATLAS uses a parallel ID scheme (AML prefix instead of ATT&CK’s T prefix) to distinguish AI-specific techniques while maintaining structural compatibility.

Key Tactics

Tactic ID | Tactic Name | Description
AML.TA0000 | Reconnaissance | Gathering information about the target AI system
AML.TA0001 | Resource Development | Establishing resources to support AI attacks
AML.TA0002 | Initial Access | Gaining initial access to the AI system
AML.TA0003 | ML Attack Staging | Preparing artifacts and infrastructure for ML-specific attacks
AML.TA0004 | ML Model Access | Gaining access to the target ML model
AML.TA0005 | Execution | Running adversarial techniques against the AI system
AML.TA0006 | Persistence | Maintaining access to the AI system over time
AML.TA0007 | Privilege Escalation | Gaining elevated permissions within the AI system
AML.TA0008 | Defense Evasion | Avoiding detection by AI security controls
AML.TA0009 | Discovery | Learning about the AI system’s environment and capabilities
AML.TA0010 | Collection | Gathering data from the AI system
AML.TA0011 | ML Attack | Executing the core ML-specific attack
AML.TA0012 | Exfiltration | Extracting data or model information
AML.TA0013 | Impact | Disrupting, degrading, or destroying the AI system
AML.TA0014 | AI Agent Actions | Tactics specific to autonomous AI agents

Key Techniques

Technique ID | Name | Description
AML.T0020 | Poison Training Data | Corrupting training data to embed backdoors or degrade performance
AML.T0040 | ML Model Inference API Access | Accessing the model through its inference API
AML.T0042 | Verify Attack | Confirming that an adversarial attack was successful
AML.T0043 | Craft Adversarial Data | Creating inputs designed to cause model failure
AML.T0044 | Full ML Model Access | Obtaining complete access to model weights and architecture
AML.T0047 | ML-Enabled Product or Service | Targeting a product or service that uses ML
AML.T0048 | Search for Victim’s AI Assets | Identifying AI systems owned by the target
AML.T0051 | LLM Prompt Injection | Injecting malicious instructions into LLM prompts
AML.T0054 | LLM Jailbreak | Bypassing LLM safety alignment
AML.T0056 | LLM Plugin Compromise | Compromising plugins or tools connected to an LLM
AML.T0058 | AI Agent Context Poisoning | Manipulating the context available to an AI agent
AML.T0059 | AI Agent Goal Manipulation | Altering an AI agent’s objectives

October 2025 Update: AI Agent Techniques

The October 2025 ATLAS update added 14 new techniques specifically addressing threats to AI agents — autonomous systems that can take actions in the real world through tool use, API calls, and multi-step reasoning. Key additions include:

  • AI Agent Context Poisoning (AML.T0058) — Manipulating the information available to an agent to influence its decisions
  • AI Agent Goal Manipulation (AML.T0059) — Subverting an agent’s objectives through prompt injection or context manipulation
  • AI Agent Tool Misuse — Causing an agent to use its tools in unintended ways
  • AI Agent Identity Spoofing — Impersonating trusted agents in multi-agent systems
  • AI Agent Memory Manipulation — Corrupting an agent’s persistent memory or state

These additions reflect the rapid deployment of AI agents in production environments and the corresponding emergence of agent-specific attack techniques.

Using ATLAS in Practice

Security teams can use ATLAS to:

  1. Threat model AI deployments — Map potential adversary paths through ATLAS tactics
  2. Assess red team coverage — Identify which ATLAS techniques have been tested
  3. Build detection rules — Create detections mapped to specific ATLAS technique IDs
  4. Communicate risk — Use a shared taxonomy when discussing AI threats with stakeholders
  5. Track threat intelligence — Map real-world AI incidents to ATLAS techniques
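As an added example (not MITRE's or this page's code), the following Python maps red-team findings and detection rules to the ATLAS IDs listed above and reports per-tactic coverage, which is the workflow behind items 2, 3 and 5. The tactic IDs and names come from the table above; the findings, the detection-rule names and the technique-to-tactic pairings in them are constructed sample data, and the `.NNN` sub-technique suffix the validator accepts is assumed to follow ATT&CK's convention.

```python
"""Map red-team findings to MITRE ATLAS IDs and report tactic coverage.
Added example for this page, not MITRE's code. Tactic IDs/names are the
page's; findings are constructed and their tactic pairing is illustrative."""
import re
from collections import defaultdict

# The 15 ATLAS tactics from the page, in ID order AML.TA0000 .. AML.TA0014.
ATLAS_TACTICS = dict(zip(
    (f"AML.TA{n:04d}" for n in range(15)),
    ["Reconnaissance", "Resource Development", "Initial Access",
     "ML Attack Staging", "ML Model Access", "Execution", "Persistence",
     "Privilege Escalation", "Defense Evasion", "Discovery", "Collection",
     "ML Attack", "Exfiltration", "Impact", "AI Agent Actions"]))

# ATLAS parallels ATT&CK's T prefix with AML.T; the .NNN sub-technique
# suffix accepted here is an assumption based on the ATT&CK convention.
TACTIC_ID = re.compile(r"^AML\.TA\d{4}$")
TECHNIQUE_ID = re.compile(r"^AML\.T\d{4}(?:\.\d{3})?$")

# Constructed sample findings; detection rule names are hypothetical.
SAMPLE_FINDINGS = [
    {"id": "RT-01", "technique": "AML.T0051", "tactic": "AML.TA0005",
     "tested": True, "detection": "DET-prompt-injection-patterns"},
    {"id": "RT-02", "technique": "AML.T0040", "tactic": "AML.TA0004",
     "tested": True, "detection": None},
    {"id": "RT-03", "technique": "AML.T0054", "tactic": "AML.TA0008",
     "tested": True, "detection": "DET-jailbreak-classifier"},
    {"id": "RT-04", "technique": "AML.T0058", "tactic": "AML.TA0014",
     "tested": False, "detection": None},  # planned, not yet exercised
]

def validate_ids(tactic, technique):
    """Reject IDs outside the ATLAS scheme or naming an unknown tactic."""
    if not TACTIC_ID.match(tactic) or tactic not in ATLAS_TACTICS:
        raise ValueError(f"unknown ATLAS tactic id: {tactic}")
    if not TECHNIQUE_ID.match(technique):
        raise ValueError(f"malformed ATLAS technique id: {technique}")

def coverage_report(findings):
    """Per tactic: techniques the red team exercised, those with a mapped
    detection, plus tactics never tested and tested techniques lacking
    any detection (the gaps a detection engineer should pick up next)."""
    tested, detected, gaps = defaultdict(set), defaultdict(set), []
    for f in findings:
        validate_ids(f["tactic"], f["technique"])
        if not f["tested"]:
            continue
        tested[f["tactic"]].add(f["technique"])
        if f["detection"]:
            detected[f["tactic"]].add(f["technique"])
        else:
            gaps.append((f["technique"], f["id"]))
    return {
        "tested_by_tactic": dict(tested),
        "detected_by_tactic": dict(detected),
        "untested_tactics": [t for t in ATLAS_TACTICS if t not in tested],
        "detection_gaps": gaps,
    }

def format_report(report):
    """Render a stakeholder summary keyed on ATLAS IDs (a shared taxonomy)."""
    lines = []
    for tactic, techs in sorted(report["tested_by_tactic"].items()):
        hits = len(report["detected_by_tactic"].get(tactic, ()))
        lines.append(f"{tactic} {ATLAS_TACTICS[tactic]}: {len(techs)} "
                     f"technique(s) tested, {hits} with detection")
    lines.append(f"{len(report['untested_tactics'])} of "
                 f"{len(ATLAS_TACTICS)} tactics untested")
    lines.extend(f"no detection for {t} (finding {fid})"
                 for t, fid in report["detection_gaps"])
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(coverage_report(SAMPLE_FINDINGS)))
```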

2. NIST AI Risk Management Framework (AI RMF 1.0)

Published in January 2023 by the National Institute of Standards and Technology, the AI RMF provides a structured approach to managing risks throughout the AI lifecycle. It is voluntary and intended to be adaptable across sectors, organization sizes, and AI system types.

Four Core Functions

The AI RMF is organized around four core functions, each containing categories and subcategories of activities:

Govern

The Govern function establishes the organizational context, policies, and processes for AI risk management. It is cross-cutting — its activities inform and are informed by the other three functions.

Key activities:

  • Establish AI risk management policies and procedures
  • Define roles, responsibilities, and accountability structures
  • Ensure organizational commitment to trustworthy AI principles
  • Integrate AI risk management into existing enterprise risk frameworks
  • Establish mechanisms for stakeholder engagement and feedback
  • Create documentation and record-keeping practices

Govern is unique among the four functions in that it is always active and provides the foundation for the other three.

Map

The Map function identifies and documents the context in which the AI system operates, including its intended purpose, stakeholders, potential impacts, and the technical environment.

Key activities:

  • Define the intended purpose and scope of the AI system
  • Identify stakeholders and affected populations
  • Assess potential benefits and harms
  • Document assumptions and limitations
  • Evaluate the AI system’s operational environment
  • Identify applicable legal and regulatory requirements

Measure

The Measure function assesses, analyzes, and tracks identified AI risks using quantitative and qualitative methods.

Key activities:

  • Develop metrics and benchmarks for AI system performance and risk
  • Test for bias, fairness, robustness, and security
  • Conduct adversarial testing and red teaming
  • Monitor AI system behavior in production
  • Track risk indicators over time
  • Evaluate third-party AI components and data sources

Manage

The Manage function allocates resources and implements plans to respond to and mitigate identified risks.

Key activities:

  • Prioritize risks based on impact and likelihood
  • Develop and implement risk mitigation strategies
  • Establish incident response procedures for AI failures
  • Define criteria for AI system deployment, monitoring, and decommissioning
  • Communicate risk decisions to stakeholders
  • Plan for model updates, retraining, and retirement

Adoption Status

The AI RMF has been widely referenced in US federal guidance and is increasingly cited in industry best practices. The framework is:

  • Referenced by multiple US federal agencies for AI procurement and deployment
  • Used as a foundation for sector-specific AI risk guidance
  • Adopted by several international standards bodies as a reference framework
  • Integrated into AI governance programs at major technology companies

However, as a voluntary framework, adoption depth varies significantly. Many organizations reference the AI RMF in policy documents but have not fully operationalized all categories and subcategories.


3. NIST AI 100-2 (Adversarial Machine Learning Taxonomy)

NIST Special Publication AI 100-2, titled “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations,” provides a comprehensive categorization of attacks against AI systems. The 2025 edition significantly expanded coverage to include generative AI and LLM-specific threats.

Categorization Dimensions

The taxonomy categorizes adversarial ML attacks along four dimensions:

By Lifecycle Stage:

Stage | Attack Examples
Data collection | Data poisoning, label manipulation
Model training | Backdoor insertion, training-time trojans
Model deployment | Adversarial examples, model extraction
Inference | Prompt injection, evasion attacks
Maintenance | Concept drift exploitation, update poisoning

By Attacker Goal:

  • Confidentiality — Extract training data, model parameters, or proprietary information
  • Integrity — Cause the model to produce incorrect outputs on targeted inputs
  • Availability — Degrade model performance or render it unusable
  • Abuse — Use the model to generate harmful content or take harmful actions

By Attacker Capabilities:

  • Access level (black-box, gray-box, white-box)
  • Computational resources available
  • Ability to manipulate training data
  • Number of queries permitted

By Attacker Knowledge:

  • Knowledge of model architecture
  • Knowledge of training data
  • Knowledge of training procedure
  • Knowledge of defense mechanisms

2025 GenAI Additions

The 2025 edition added extensive coverage of generative AI threats including:

  • Prompt injection (direct and indirect)
  • Jailbreaking and safety bypass techniques
  • Training data extraction from generative models
  • Deepfake generation and detection evasion
  • AI agent-specific threats
  • Supply chain attacks on foundation models

4. OWASP Resources

OWASP has produced several complementary resources addressing AI and LLM security.

OWASP Top 10 for LLM Applications

The most widely referenced OWASP AI resource, the Top 10 for LLM Applications identifies the most critical security risks in LLM-powered applications. The 2025 version includes:

  1. LLM01: Prompt Injection — Direct and indirect prompt injection attacks
  2. LLM02: Sensitive Information Disclosure — Unintended exposure of confidential data
  3. LLM03: Supply Chain Vulnerabilities — Risks from third-party models, data, and plugins
  4. LLM04: Data and Model Poisoning — Corruption of training data or fine-tuning data
  5. LLM05: Improper Output Handling — Failure to validate, sanitize, or constrain model outputs
  6. LLM06: Excessive Agency — Granting LLMs too many permissions or capabilities
  7. LLM07: System Prompt Leakage — Exposure of system-level instructions
  8. LLM08: Vector and Embedding Weaknesses — Vulnerabilities in RAG and embedding systems
  9. LLM09: Misinformation — Generation of false or misleading content
  10. LLM10: Unbounded Consumption — Resource exhaustion through crafted inputs

OWASP AI Security Testing Guide

The AI Security Testing Guide provides hands-on methodology for security testing of AI systems, including specific test procedures for each vulnerability class, tools, and example payloads. It is intended to complement the Top 10 list with actionable testing procedures.

LLM Security Verification Standard (LLMSVS)

The LLMSVS provides a comprehensive set of security requirements for LLM applications, organized into verification levels analogous to the OWASP Application Security Verification Standard (ASVS). It covers:

  • Input validation and prompt security
  • Output handling and content filtering
  • Model access control and authentication
  • Data protection and privacy
  • Logging, monitoring, and incident response
  • Supply chain security for model artifacts

The LLMSVS is designed to be used as a checklist for security reviews, a requirements specification for development teams, and a benchmark for security assessments.

AI Cybersecurity and Governance Checklist

This checklist provides a governance-level overview for organizations deploying AI systems, covering:

  • AI inventory and asset management
  • Risk assessment and classification
  • Data governance for AI training and inference
  • Third-party AI vendor management
  • Incident response for AI-specific failures
  • Compliance mapping to applicable regulations

5. EU AI Act

The EU Artificial Intelligence Act is the world’s first comprehensive AI regulation. Adopted by the European Parliament in March 2024, it establishes a risk-based regulatory framework for AI systems placed on the EU market or affecting individuals within the EU.

Risk-Based Classification

The EU AI Act classifies AI systems into four risk tiers, with regulatory requirements proportional to the assessed risk:

Unacceptable Risk (Prohibited)

AI systems that pose an unacceptable threat to fundamental rights are banned entirely:

  • Social scoring systems by public authorities
  • Real-time remote biometric identification in public spaces (with narrow exceptions for law enforcement)
  • Emotion recognition in workplaces and educational institutions
  • AI systems that exploit vulnerabilities of specific groups (age, disability)
  • Untargeted scraping of facial images from the internet or CCTV for facial recognition databases

High Risk

AI systems in critical domains must meet stringent requirements including risk management, data governance, transparency, human oversight, accuracy, robustness, and cybersecurity. High-risk categories include:

  • Biometric identification and categorization
  • Critical infrastructure management (energy, water, transport)
  • Education and vocational training (admissions, assessment)
  • Employment (recruitment, performance evaluation, termination)
  • Access to essential services (credit scoring, insurance, social benefits)
  • Law enforcement (predictive policing, evidence evaluation)
  • Migration and border control
  • Administration of justice

Limited Risk

AI systems with limited risk are subject to transparency obligations. Users must be informed they are interacting with an AI system. This applies to:

  • Chatbots and conversational AI
  • Emotion recognition systems (where not prohibited)
  • AI-generated or manipulated content (deepfakes)

Minimal Risk

AI systems posing minimal risk (e.g., spam filters, AI-enabled video games) face no specific regulatory requirements, though providers are encouraged to follow voluntary codes of conduct.

General-Purpose AI (GPAI) Requirements

The EU AI Act includes specific provisions for General-Purpose AI models, which include most foundation models and LLMs:

All GPAI models must:

  • Maintain technical documentation
  • Provide information and documentation to downstream deployers
  • Comply with EU copyright law
  • Publish a sufficiently detailed summary of training data

GPAI models with systemic risk (>10^25 FLOPs training compute or designated by the European Commission) must additionally:

  • Perform model evaluations including adversarial testing
  • Assess and mitigate systemic risks
  • Report serious incidents to the AI Office
  • Ensure adequate cybersecurity protections

Key Compliance Deadlines

Date | Milestone
August 2024 | AI Act entered into force
February 2025 | Prohibitions on unacceptable-risk AI apply
August 2025 | GPAI model requirements apply; governance structure operational
August 2026 | High-risk AI system requirements apply (for systems in Annex III)
August 2027 | Requirements for high-risk AI systems embedded in regulated products

Penalties

Non-compliance penalties are structured as percentages of global annual turnover:

  • Prohibited AI practices: up to 35 million EUR or 7% of global turnover
  • High-risk AI non-compliance: up to 15 million EUR or 3% of global turnover
  • Incorrect information to authorities: up to 7.5 million EUR or 1.5% of global turnover

For SMEs and startups, the lower of the two amounts (fixed sum vs. percentage) applies.


6. ISO/IEC 42001

ISO/IEC 42001:2023 (Information Technology — Artificial Intelligence — Management System) is the first international standard for AI management systems. Published in December 2023, it provides a framework for organizations to establish, implement, maintain, and continually improve an AI management system (AIMS).

Structure

ISO/IEC 42001 follows the Harmonized Structure (HS) common to all ISO management system standards (ISO 27001, ISO 9001, etc.), making it integrable with existing management systems. Key clauses include:

  • Clause 4: Context of the organization — Understanding the organization’s AI landscape, stakeholder needs, and scope of the AIMS
  • Clause 5: Leadership — Top management commitment, AI policy, organizational roles
  • Clause 6: Planning — Addressing risks and opportunities, AI objectives, planning for changes
  • Clause 7: Support — Resources, competence, awareness, communication, documented information
  • Clause 8: Operation — AI system lifecycle planning, AI risk assessment, AI system impact assessment
  • Clause 9: Performance evaluation — Monitoring, measurement, analysis, internal audit, management review
  • Clause 10: Improvement — Nonconformity, corrective action, continual improvement

Annex Controls

ISO/IEC 42001 includes an Annex A with controls specific to AI, covering:

  • AI policies and governance
  • AI system lifecycle management
  • Data management for AI
  • AI system documentation and transparency
  • Third-party and supply chain management for AI
  • AI system monitoring and performance evaluation

Certification

Organizations can be certified against ISO/IEC 42001 through accredited certification bodies. Certification demonstrates to customers, regulators, and partners that the organization has implemented a systematic approach to AI governance. Several certification bodies began offering ISO/IEC 42001 audits in 2024, and adoption is accelerating particularly among organizations seeking to demonstrate EU AI Act compliance.

Relationship to Other Standards

Standard | Relationship to ISO/IEC 42001
ISO/IEC 27001 | Complementary — 27001 covers information security; 42001 extends to AI-specific risks
ISO/IEC 27701 | Complementary — 27701 covers privacy; 42001 addresses AI-specific privacy concerns
ISO/IEC 23894 | 42001 operationalizes the AI risk management guidance from 23894
ISO/IEC 38507 | 42001 implements the AI governance principles from 38507
NIST AI RMF | Aligned but different scope — AI RMF is a risk framework; 42001 is a certifiable management system

7. US Executive Orders on AI

US AI policy has evolved through a series of executive orders reflecting changing administration priorities.

Biden EO 14110 (October 2023)

Executive Order 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,” was the most comprehensive US federal AI policy action at the time of its signing. Key provisions included:

Safety and Security Requirements:

  • Companies developing foundation models with training compute above a threshold (~10^26 FLOPs) must report to the federal government
  • Red teaming results for high-capability models must be shared with the government
  • NIST directed to develop standards for AI red teaming and evaluation
  • Guidance for AI use in critical infrastructure

Additional Directives:

  • Directed agencies to address AI-enabled threats to cybersecurity
  • Required watermarking and content authentication for AI-generated content
  • Established reporting requirements for compute providers
  • Directed development of guidelines for AI in federal government use
  • Addressed AI implications for labor, immigration, and civil rights

Trump Revocation (January 2025)

In January 2025, the incoming Trump administration revoked EO 14110 as part of a broader deregulatory approach to AI policy. The revocation:

  • Eliminated the reporting requirements for foundation model developers
  • Removed the red teaming disclosure obligations
  • Rescinded the compute threshold-based regulatory triggers
  • Signaled a shift toward industry self-regulation

The revocation did not affect NIST’s ongoing work on AI standards and frameworks (AI RMF, AI 100-2), which continue as voluntary guidance independent of executive order mandates.

December 2025 Executive Order on National AI Framework

In December 2025, a new executive order established a national framework for AI development and deployment with a different emphasis than EO 14110:

  • Prioritized US competitiveness and AI leadership over prescriptive safety requirements
  • Established streamlined approval processes for federal AI procurement
  • Directed agencies to reduce barriers to AI adoption
  • Maintained national security-focused AI safety provisions
  • Created an interagency coordination mechanism for AI policy

Implications for Security Practitioners

The shifting US executive order landscape means that:

  1. Voluntary frameworks matter more — With reduced mandatory requirements, NIST AI RMF and ATLAS become the primary US reference points for AI security
  2. State-level regulation is emerging — Several US states are developing AI-specific legislation to fill perceived federal gaps
  3. EU AI Act has extraterritorial reach — US organizations serving EU customers must comply regardless of US federal policy
  4. Industry self-regulation is the current US posture — Organizations should adopt robust AI governance proactively rather than waiting for mandates

Choosing and Combining Frameworks

No single framework covers all aspects of AI security and governance. Practitioners should combine frameworks based on their organization’s needs:

For threat modeling and red teaming:

  • Start with MITRE ATLAS for structured adversarial threat identification
  • Use NIST AI 100-2 for comprehensive attack categorization
  • Apply OWASP Top 10 for LLMs for application-layer risk prioritization

For organizational governance:

  • Implement NIST AI RMF as a risk management process
  • Certify against ISO/IEC 42001 for demonstrable governance maturity
  • Use the OWASP AI Governance Checklist for practical implementation guidance

For regulatory compliance:

  • Map EU AI Act requirements to technical controls
  • Use ISO/IEC 42001 as an implementation framework for regulatory obligations
  • Reference NIST AI RMF to demonstrate due diligence in risk management

For security testing:

  • Apply the OWASP AI Security Testing Guide for structured testing methodology
  • Use LLMSVS for security verification requirements
  • Map findings to MITRE ATLAS technique IDs for consistent reporting
