The threats that target AI itself.
MITRE ATLAS catalogs the tactics and techniques adversaries use against machine-learning systems. Lattice indexes a curated, version-pinned slice of it and links each technique to candidate mitigations and to the NIST AI RMF functions that should respond.
Scope and editorial policy
ATLAS is a security-scoped reference, not an ethics or rights framework. Lattice version-pins ATLAS content; new techniques are promoted only after editorial review. Mitigations listed are candidates, not prescriptions.
Tactics indexed
- AML.TA0002 Reconnaissance
- AML.TA0003 Resource Development
- AML.TA0004 ML Model Access
- AML.TA0005 Execution
- AML.TA0006 Persistence
- AML.TA0007 Defense Evasion
- AML.TA0010 Exfiltration
- AML.TA0011 Impact
Mitigation catalog
Candidate mitigations published in the pinned ATLAS release. Pair with the NIST AI RMF MANAGE function when selecting and resourcing them.
Each entry is tagged in brackets with the layer it applies to: data, model, deployment, monitoring, or framing.
- Adversarial training (AML.M0014) [model]
  Train models on adversarial examples or with robust optimization to reduce sensitivity to crafted inputs.
- Input restriction & validation (AML.M0015) [deployment]
  Restrict the format, length, and content of inputs; validate against schemas; reject anomalous inputs.
- Restrict number of model queries (AML.M0004) [deployment]
  Apply per-user or per-key rate limits and monitor for query-volume anomalies indicative of probing.
- Output perturbation (AML.M0006) [deployment]
  Add noise or rounding to outputs (probabilities, scores) to reduce how much each response leaks about the model.
- Differential privacy training (AML.M0010) [model]
  Train with formal differential privacy guarantees to bound the influence of any single training record.
- Validate training data (AML.M0007) [data]
  Inspect training data for poisoning indicators, quarantine untrusted sources, and run statistical outlier checks.
- Model and data provenance (AML.M0008) [data, model, deployment]
  Cryptographically sign and verify training data, model weights, and updates across the supply chain.
- Model scanning for backdoors (AML.M0011) [model]
  Run trigger-detection and behavior-analysis tools on models before deployment, especially for third-party models.
- Prompt and content isolation (AML.M0017) [deployment]
  Separate untrusted retrieved content from instruction context; enforce structured tool-call boundaries.
- Content filtering (AML.M0018) [deployment, monitoring]
  Apply input and output filters for known unsafe categories, with monitoring of bypass attempts.
- Tool-use allowlisting (AML.M0019) [deployment]
  Constrain agent tool calls to a vetted allowlist; require human approval for high-impact actions.
- Disclosure discipline (AML.M0020) [framing, deployment]
  Limit publication of model architecture details, training data sources, and operational specifics that aid reconnaissance.
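The query-restriction entry (AML.M0004) calls for both a rate limit and monitoring for probing. The following is an added example, not Lattice or ATLAS code: a per-key sliding-window limit combined with a near-duplicate heuristic that flags a client repeatedly submitting tiny perturbations of one input, the traffic shape of query-based evasion and extraction probing. The class name, quantization step and thresholds are assumptions; the traffic in the demo is constructed.

```python
"""Added example for AML.M0004 (restrict number of model queries): per-key
sliding-window rate limit plus a near-duplicate heuristic that flags clients
repeatedly querying tiny perturbations of one input. Not Lattice or ATLAS
code; class and parameter names are assumptions."""
from collections import defaultdict, deque


class QueryGate:
    def __init__(self, max_per_window, window_s, dup_threshold=5, step=0.1):
        self.max_per_window = max_per_window  # requests allowed per key per window
        self.window_s = window_s              # sliding window length in seconds
        self.dup_threshold = dup_threshold    # near-duplicate hits before flagging
        self.step = step                      # quantization step for feature bucketing
        self._history = defaultdict(deque)    # key -> timestamps inside the window
        self._buckets = defaultdict(lambda: defaultdict(int))  # key -> bucket -> hits

    def _bucket(self, features):
        # Quantize each feature so inputs that differ by less than one step land
        # in the same bucket; epsilon-scale perturbation probes collapse here.
        return tuple(int(round(x / self.step)) for x in features)

    def check(self, api_key, features, now):
        """Return (decision, reason): 'reject' when the rate limit is hit,
        'flag' when the request is served but the key shows probing behaviour,
        otherwise 'allow'."""
        hist = self._history[api_key]
        while hist and now - hist[0] > self.window_s:
            hist.popleft()               # drop timestamps that left the window
        if len(hist) >= self.max_per_window:
            return ("reject", "rate_limit")
        hist.append(now)

        bucket = self._bucket(features)
        self._buckets[api_key][bucket] += 1
        if self._buckets[api_key][bucket] >= self.dup_threshold:
            return ("flag", "near_duplicate_probing")
        return ("allow", "")


def replay(gate, api_key, inputs, start):
    """Run a sequence of feature vectors one second apart; return decision counts."""
    counts = {"allow": 0, "flag": 0, "reject": 0}
    for i, features in enumerate(inputs):
        decision, _ = gate.check(api_key, features, start + i)
        counts[decision] += 1
    return counts


if __name__ == "__main__":
    gate = QueryGate(max_per_window=50, window_s=60.0, dup_threshold=5)
    # Constructed traffic: a normal client sends distinct inputs.
    normal = [[0.42 + i, 1.70 - i, -0.33 * i] for i in range(10)]
    # Constructed traffic: a probing client sweeps 0.001-scale perturbations of one input.
    probe = [[0.42 + 0.001 * i, 1.70, -0.33] for i in range(8)]
    print("normal:", replay(gate, "key-normal", normal, start=0.0))
    print("probe: ", replay(gate, "key-probe", probe, start=100.0))
```

Flagged requests are still served here so that the heuristic can be tuned against real traffic before it is allowed to block; the decision and reason are what a detection pipeline would log and alert on.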
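The training-data validation entry (AML.M0007) names three checks: poisoning indicators, quarantine of untrusted sources, and statistical outlier detection. The following is an added example, not Lattice or ATLAS code, that applies a source allowlist and then a per-class median/MAD (modified z-score) outlier test, chosen because it stays robust in the presence of the very outliers it is looking for. The dataset, source names, threshold and poisoned records are constructed.

```python
"""Added example for AML.M0007 (validate training data): quarantine records from
sources outside an allowlist, then flag per-class statistical outliers with a
median/MAD test. Not Lattice or ATLAS code; data and thresholds are constructed."""
from statistics import median

TRUSTED_SOURCES = {"internal-label-team", "vendor-a"}   # constructed allowlist
MAD_SCALE = 1.4826          # makes MAD comparable to a standard deviation for normal data
OUTLIER_THRESHOLD = 3.5     # conventional modified z-score cut-off


def modified_z(values):
    """Modified z-scores for one feature within one class: |x - median| / (1.4826 * MAD)."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # Constant feature in this class: any deviation at all is anomalous.
        return [0.0 if v == med else float("inf") for v in values]
    return [abs(v - med) / (MAD_SCALE * mad) for v in values]


def validate_training_data(records):
    """records: list of {'id', 'source', 'label', 'features'}.
    Returns (kept_ids, quarantined) where quarantined maps id -> reason."""
    quarantined = {}
    candidates = []
    for r in records:
        if r["source"] not in TRUSTED_SOURCES:
            quarantined[r["id"]] = f"untrusted_source:{r['source']}"
        else:
            candidates.append(r)
    # Group by label: a label-flipped or injected point usually sits far from
    # the samples that share its label.
    by_label = {}
    for r in candidates:
        by_label.setdefault(r["label"], []).append(r)
    for label, group in by_label.items():
        for f in range(len(group[0]["features"])):
            scores = modified_z([r["features"][f] for r in group])
            for r, z in zip(group, scores):
                if z > OUTLIER_THRESHOLD and r["id"] not in quarantined:
                    quarantined[r["id"]] = f"outlier:label={label},feature={f},z={z:.1f}"
    kept = [r["id"] for r in records if r["id"] not in quarantined]
    return kept, quarantined


def constructed_dataset():
    """Two tight clusters plus one poisoned record and one record from an unvetted source."""
    cat = [(0.9, 1.1), (1.0, 1.0), (1.1, 0.9), (1.0, 1.2), (0.8, 1.0), (1.2, 1.1)]
    dog = [(4.9, 5.1), (5.0, 5.0), (5.1, 4.9), (5.2, 5.0), (4.8, 5.1), (5.0, 5.2)]
    records = [{"id": f"cat-{i}", "source": "vendor-a", "label": "cat", "features": list(p)}
               for i, p in enumerate(cat)]
    records += [{"id": f"dog-{i}", "source": "internal-label-team", "label": "dog", "features": list(p)}
                for i, p in enumerate(dog)]
    # Constructed poisoning: a dog-like point labelled "cat", delivered by a trusted source.
    records.append({"id": "poison-1", "source": "vendor-a", "label": "cat", "features": [6.0, 6.1]})
    # Constructed untrusted ingestion: a plausible point from an unvetted scrape.
    records.append({"id": "scrape-1", "source": "web-scrape", "label": "dog", "features": [5.0, 5.0]})
    return records


if __name__ == "__main__":
    kept, quarantined = validate_training_data(constructed_dataset())
    print("kept:", len(kept), "records")
    for rid, reason in quarantined.items():
        print("quarantined:", rid, reason)
```

The source check runs first and is independent of the statistics: the scraped record looks perfectly normal to the outlier test, which is exactly why provenance has to be enforced rather than inferred from the data.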
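The provenance entry (AML.M0008) asks for signing and verifying data, weights and updates. The following is an added example, not Lattice or ATLAS code: a manifest of SHA-256 digests is authenticated, and a loader refuses artifacts that are missing, altered, or not listed at all. HMAC-SHA256 over a shared key is used here as a stand-in for the asymmetric signature (Ed25519, Sigstore or similar) a real supply chain would use, so that the example runs with the standard library only; the artifact names and contents are constructed.

```python
"""Added example for AML.M0008 (model and data provenance): digest manifest,
authentication and pre-load verification. Not Lattice or ATLAS code. HMAC with
a shared key stands in for an asymmetric signature; artifacts are constructed."""
import hashlib
import hmac
import json


def build_manifest(artifacts, version):
    """artifacts: {name: bytes}. Returns a manifest with a SHA-256 digest per artifact."""
    return {
        "version": version,
        "artifacts": {name: hashlib.sha256(data).hexdigest()
                      for name, data in sorted(artifacts.items())},
    }


def canonical(manifest):
    # Deterministic encoding: the bytes that are signed must be the bytes that are verified.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_artifacts(manifest, signature, key, artifacts):
    """Return (ok, problems). Checks manifest authenticity first, then every
    listed digest, and refuses artifacts the manifest does not list."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return False, ["manifest signature invalid"]   # nothing below can be trusted
    problems = []
    for name, digest in manifest["artifacts"].items():
        if name not in artifacts:
            problems.append(f"missing artifact: {name}")
        elif hashlib.sha256(artifacts[name]).hexdigest() != digest:
            problems.append(f"digest mismatch: {name}")
    for name in artifacts:
        if name not in manifest["artifacts"]:
            problems.append(f"unlisted artifact: {name}")   # would otherwise load unverified
    return (not problems), problems


if __name__ == "__main__":
    key = b"demo-shared-key"   # constructed; a real deployment uses a private signing key
    release = {
        "weights.bin": b"\x00\x01" * 1024,
        "tokenizer.json": b'{"vocab": ["<pad>", "hello"]}',
        "train-shard-00.csv": b"feature_a,feature_b,label\n0.1,0.2,1\n",
    }
    manifest = build_manifest(release, version="1.4.0")
    sig = sign_manifest(manifest, key)
    print("clean release:", verify_artifacts(manifest, sig, key, release))

    # Constructed tampering: one byte of the weights altered in transit.
    tampered = dict(release)
    tampered["weights.bin"] = b"\x00\x02" + release["weights.bin"][2:]
    print("tampered weights:", verify_artifacts(manifest, sig, key, tampered))
```

The unlisted-artifact check matters as much as the digest check: a loader that only verifies what the manifest names will happily pick up an extra file (a custom-ops library, a pickled preprocessor) that the manifest never covered.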
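The tool-use allowlisting entry (AML.M0019) combines a vetted allowlist with human approval for high-impact actions, and the input-validation entry (AML.M0015) asks for schema checks. The following is an added example, not Lattice or ATLAS code, that covers both: a gate in front of the agent's tool dispatcher admits only allowlisted tools called with exactly their declared arguments, and for high-impact tools requires an approval bound to a fingerprint of the exact call, so an approval for one call cannot be reused for a call with swapped arguments. The tool names, policy table and approval scheme are assumptions.

```python
"""Added example for AML.M0019 (tool-use allowlisting) with the argument schema
checks of AML.M0015. Not Lattice or ATLAS code; the policy table, tool names
and approval scheme are assumptions."""
import hashlib
import json

# Constructed policy: which tools the agent may call, their argument schema, and impact.
TOOL_POLICY = {
    "search_docs":   {"impact": "low",  "args": {"query": str}},
    "read_ticket":   {"impact": "low",  "args": {"ticket_id": str}},
    "send_email":    {"impact": "high", "args": {"to": str, "body": str}},
    "delete_record": {"impact": "high", "args": {"record_id": str}},
}


def call_fingerprint(tool, args):
    """Approval is bound to the exact tool and arguments, so an approval granted
    for one call cannot be replayed against a call with different arguments."""
    payload = json.dumps({"tool": tool, "args": args}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def gate_tool_call(call, approvals):
    """call: {'tool': str, 'args': dict} as emitted on the structured tool channel
    (never parsed out of free text). approvals: set of fingerprints a human approved.
    Returns (decision, detail) with decision in {'allow', 'needs_approval', 'reject'}."""
    tool = call.get("tool")
    args = call.get("args")
    policy = TOOL_POLICY.get(tool)
    if policy is None:
        return ("reject", f"tool not allowlisted: {tool!r}")
    if not isinstance(args, dict):
        return ("reject", "args must be an object")
    schema = policy["args"]
    unexpected = sorted(set(args) - set(schema))
    missing = sorted(set(schema) - set(args))
    if unexpected or missing:
        return ("reject", f"argument set mismatch (unexpected={unexpected}, missing={missing})")
    for name, typ in schema.items():
        if not isinstance(args[name], typ):
            return ("reject", f"argument {name!r} must be {typ.__name__}")
    if policy["impact"] == "high":
        fp = call_fingerprint(tool, args)
        if fp not in approvals:
            return ("needs_approval", fp)   # detail is what the approver signs off on
    return ("allow", tool)


if __name__ == "__main__":
    approvals = set()
    # Constructed calls as an agent might emit them on its tool channel.
    calls = [
        {"tool": "search_docs", "args": {"query": "key rotation policy"}},
        {"tool": "run_shell", "args": {"cmd": "id"}},                      # not allowlisted
        {"tool": "search_docs", "args": {"query": "x", "limit": 50}},      # undeclared argument
        {"tool": "send_email", "args": {"to": "ops@example.com", "body": "rotate now"}},
    ]
    for c in calls:
        decision, detail = gate_tool_call(c, approvals)
        print(c["tool"], "->", decision, detail)
        if decision == "needs_approval":
            approvals.add(detail)   # stands in for a human reviewing the exact call
            print(c["tool"], "->", *gate_tool_call(c, approvals))
```

Binding the approval to a fingerprint rather than to the tool name closes the gap where a model, or injected content steering it, changes the recipient or record id between the moment a human approves and the moment the call executes.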