Frameworks & standards

Not interchangeable - some are threat taxonomies, some control frameworks, some governance systems, some certifiable standards. Use the right type for the conversation.

Framework	Type	Use for
NIST AI RMF (+ GenAI Profile)	Governance	Govern-Map-Measure-Manage; board language
NIST AI 100-2	Threat taxonomy	Standard attack names
MITRE ATLAS	Knowledge base	Tactics/techniques; red-team & threat-intel mapping
OWASP LLM / Agentic / ML Top 10	Risk lists	App-level prioritization; dev checklists
Google SAIF → CoSAI (OASIS)	Controls + risk map	Lifecycle controls over Data/Infra/Model/App; CoSAI Risk Map
IBM (securing GenAI)	Controls	Secure data/model/usage/infra; CoSAI co-chair
ISO/IEC 42001 (+27001)	Certifiable standard	Auditable AI management system; procurement

SAIF’s six elements and four-area risk map (Data, Infrastructure, Model, Application) were donated to the Coalition for Secure AI under OASIS in Sep 2025 (40+ members incl. Anthropic, IBM, Google, Microsoft, OpenAI, NVIDIA). Shortcut: threat-model with ATLAS+OWASP, control with SAIF/CoSAI or IBM, govern with NIST AI RMF or ISO 42001 - crosswalk once.

Using MITRE ATLAS as a kill-chain

MITRE ATLAS (Adversarial Threat Landscape for AI Systems) is the ATT&CK-style knowledge base for attacks on ML/AI - now on a monthly release cadence (v5.4.0, Feb 2026) it spans 16 tactics and 84+ techniques with 42+ real-world case studies, and agent-focused techniques have been added through 2026. Where OWASP’s LLM Top 10 (§7) is a priority checklist and NIST AI RMF (above) is governance, ATLAS is the operational layer: it lets a red team structure an engagement and map every finding to a technique ID. It mirrors ATT&CK but drops Lateral Movement and Command-and-Control (less relevant to model attacks) and adds two AI-native tactics - ML Model Access and ML Attack Staging. The canonical chain:

Tactic	AI-specific example
Reconnaissance	Identify the target’s model, framework, and public datasets
Resource Development	Acquire a shadow/surrogate model; gather data to craft attacks
Initial Access	Reach the model via API, app, or a poisoned supply-chain component
ML Model Access	Obtain query, white-box, or physical-environment access to the model
Execution	Trigger attacker code - e.g. a malicious model file on load (§5)
Persistence	Backdoor via poisoned fine-tuning or RAG data (§6)
Privilege Escalation	Abuse excessive agency / tool permissions to widen access (§13)
Defense Evasion	Craft inputs or “broken” artifacts that evade scanners and filters
Credential Access	Extract secrets or keys from prompts, context, or memory
Discovery	Probe model behaviour, system prompt, and connected tools
Collection	Aggregate sensitive outputs, training data, or context
ML Attack Staging	Build adversarial examples / proxy models offline before firing
Exfiltration	Extract model IP (extraction, §5) or stolen data via outputs
Impact	Evade, degrade, deny, or erode trust in the model’s decisions

For an engagement

• Plan coverage against ATLAS tactics so you can show what you tested and what you didn’t, not just what you found.
• Tag every finding with its ATLAS technique ID - it makes reports portable and lets a client track remediation against a shared taxonomy.
• Use the live matrix at atlas.mitre.org for current technique/sub-technique detail and case studies; the framework updates continuously.

Cross-walking the standards (so one control speaks all of them)

Control cross-walk (one finding -> many frameworks)

finding: "Agent acts on unverified tool output (no spotlighting)"
  -> OWASP LLM01 (prompt injection) / ASI01 (agent action)
  -> NIST AI RMF: MEASURE 2.7, MANAGE 2.2
  -> Google SAIF: validate inputs, constrain agent actions
  -> MITRE ATLAS: AML.T0051
# one gap mapped across the stack, so a single remediation closes many checklist items

An assessor is rarely asked about one framework. The practical skill is mapping a single control across the standards a client cares about, so a finding lands in whichever language the room speaks. The four that matter most fit together cleanly: NIST AI RMF (Govern / Map / Measure / Manage) is the operating cadence, ISO/IEC 42001 is the certifiable management system (its Annex A is the control catalogue), ISO/IEC 23894 is the risk process that runs inside it, and MITRE ATLAS / OWASP supply the adversary techniques and risk classes. Industry framings like EC-Council’s ADG (Adopt · Defend · Govern) sit on top, organizing the same primitives into pillars with their own crosswalk.

Example control	NIST AI RMF	ISO/IEC 42001	ATLAS / OWASP
AI asset inventory / AIBOM (§16, §28)	Map	Annex A - lifecycle & resources	-
Adversarial-input / injection testing (§22)	Measure	Annex A - verification & validation	ATLAS Evasion; OWASP LLM01
Tool/agent least privilege & egress (§10, §13)	Manage	Annex A - operational controls	OWASP LLM06 / Agentic; ATLAS Exfiltration
Model provenance & signing (§5, §16)	Map / Manage	Annex A - third-party & data	ATLAS supply-chain techniques
Governance body & accountability (§32)	Govern	Clauses 5-9 (the management system)	-

Why it pays off

The crosswalk lets you write a finding once and report it three ways: a “Measure gap” to the NIST-aligned engineering org, an “Annex A control not evidenced” to the ISO 42001 auditor, and “ATLAS Evasion untested” to the red team. One assessment, three audiences.