{"query":"all","count":20,"threats":[{"threat_name":"Loss of Models","atlas_id":"AML.T0031","description":"Malicious destruction or corruption of AI models. Key consideration is access control and write access.","controls_by_system_element":{"Environment":["AC-03-00","AC-06-00","CM-07-00","SC-37-00"],"AI Platform":["AC-03-00","AC-05-00","AC-06-00","AU-02-00","CM-05-00"],"AI Models":["AC-03-00","AC-05-00","AC-06-00","AU-02-00","AU-03-00","CM-05-00","CM-07-00","SC-24-00","SI-20-00"],"AI Data":["AC-06-00"]},"residual_risk":"Insider threats not addressed by access control. Model corruption could occur undetected."},{"threat_name":"Model Poisoning","atlas_id":"AML.T0020","description":"Attacks that modify code, objective functions, model parameters, or training data to undermine reliability, integrity and availability.","controls_by_system_element":{"AI Platform":["SR-03-00"]},"residual_risk":"Insider threats remain. Attack surface is very large and not completely known."},{"threat_name":"Insecure APIs","atlas_id":"AML.T0040","description":"Insecure APIs allow unauthorized access, malicious inputs, or AI system disruption. Inference APIs are particularly vulnerable.","controls_by_system_element":{"Environment":["RA-05-00","SC-05-00","SC-23-00","SR-09-00"],"AI Platform":["AC-24-00","SR-03-00","SR-11-00"],"AI Models":["SR-03-00"]},"residual_risk":"Authorized users may abuse access. Open-source recon gives adversaries opportunity to find zero-day exploits."},{"threat_name":"Data Poisoning","atlas_id":"AML.T0020","description":"Poisoned data compromises AI decision-making and biases outputs. Can embed backdoor triggers activated by designated input.","controls_by_system_element":{"Environment":["SC-07-00","SC-08-00"],"AI Platform":["SC-08-00"],"AI Data":["AC-14-00","CM-07-00","SC-08-00","SI-04-00","SI-10-00"]},"residual_risk":"Ground truth baseline for validation could be incomplete or unrepresentative."},{"threat_name":"Model Exposure","atlas_id":"AML.T0024","description":"Attackers extract trained models or collect enough info to create functional copies. Models should be treated as sensitive assets.","controls_by_system_element":{"Environment":["AC-03-00","AC-06-00","AC-20-00","AC-24-00","CM-07-00","SC-04-00","SC-08-00","SC-28-00","SC-39-00"],"AI Platform":["AC-03-00","AC-06-00","AC-20-00","AC-24-00","AU-02-00","CM-05-00","SC-04-00","SC-08-00","SC-39-00"],"AI Models":["AC-03-00","AC-05-00","AC-06-00","AC-20-00","AU-02-00","AU-03-00","CM-05-00","CM-07-00","SC-04-00","SC-12-00","SC-28-00","SI-20-00"],"AI Data":["AC-03-00","AC-06-00","AC-20-00","SC-04-00","SC-08-00","SC-28-00"]},"residual_risk":"Model knowledge could be disclosed through public documents or inadvertent authorized channels."},{"threat_name":"Sensitive Data Exposure","atlas_id":"AML.T0048","description":"Unauthorized access to sensitive data during development, testing, and deployment of AI systems.","controls_by_system_element":{"Environment":["PM-12-00","SC-04-00","SC-08-00","SC-28-00"],"AI Platform":["PM-12-00","SA-17-00","SC-04-00","SC-08-00","SC-28-00"],"AI Models":["SC-04-00","SC-08-00","SC-28-00"],"AI Data":["SC-04-00","SC-08-00","SC-13-00","SC-28-00"]},"residual_risk":"Insider threats and third-party components may expose sensitive data."},{"threat_name":"Sensitive Information Disclosure","atlas_id":"AML.T0048","description":"AI inadvertently discloses sensitive info through responses, memorization during training, or crafted prompts inducing leaks.","controls_by_system_element":{"Environment":["AC-04-00","AC-04-25","AC-06-00","AC-21-00","AC-24-00","PL-08-00","PM-07-00","PM-18-00"],"AI Platform":["AC-04-00","AC-04-25","AC-06-00","AC-21-00","AC-23-00","AC-24-00","AU-06-00","SC-28-00","SI-07-00"],"AI Models":["AC-04-00","AC-04-25","AC-06-00","SC-04-00","SC-08-00","SC-28-00","SI-07-00","SI-20-00"],"AI Data":["AC-04-00","AC-04-25","AC-06-00","AC-21-00","SC-04-00","SC-08-00","SC-28-00","SI-07-00","SI-20-00"]},"residual_risk":"Complex AI systems make it difficult to identify all disclosure pathways."},{"threat_name":"Supply Chain - Models","atlas_id":"AML.T0010.003","description":"Pre-trained models from external sources may contain malicious code or backdoors. Change management critically important.","controls_by_system_element":{"Environment":["SR-01-00","SR-03-00","SR-04-00","SR-05-00","SR-06-00","SR-08-00","SR-11-00"],"AI Platform":["SR-01-00","SR-02-00","SR-03-00","SR-04-00","SR-05-00","SR-06-00","SR-08-00","PM-30-00"],"AI Models":["SR-01-00","SR-02-00","SR-03-00","SR-06-00","SR-08-00"]},"residual_risk":"Trusted external sources may be unknowingly compromised."},{"threat_name":"Supply Chain - Data","atlas_id":"AML.T0010.002","description":"External data sources may be compromised. Provenance documentation is critical.","controls_by_system_element":{"Environment":["SR-01-00","SR-04-00","SR-09-00"],"AI Platform":["AT-03-00","SR-01-00","SR-04-00","SR-05-00"],"AI Data":["AT-03-00","SR-01-00","SR-04-00","SR-05-00"]},"residual_risk":"Data supply chain may be too large for controls to detect all threats."},{"threat_name":"Supply Chain - Tools/Platforms","atlas_id":"AML.T0010.001","description":"AI tools and platforms from external sources may have vulnerabilities. SBOMs and AIBOMs are critical.","controls_by_system_element":{"Environment":["SR-03-00"],"AI Platform":["SR-03-00","SR-04-00","SR-05-00","SR-11-00"]},"residual_risk":"Supply chain is so large that SBOMs may not sufficiently mitigate all threats."},{"threat_name":"Direct Prompt Injection","atlas_id":"AML.T0051","description":"Adversaries craft malicious prompts to manipulate AI to generate harmful content, bypass controls, or execute privileged commands.","controls_by_system_element":{"Environment":["AC-03-00"],"AI Platform":["AC-03-00","SI-03-00","SI-04-00","SI-10-00"]},"residual_risk":"Prompts may be injected from any uncontrolled source. AI logic lacks transparency of traditional software."},{"threat_name":"Indirect Prompt Injection","atlas_id":"AML.T0051","description":"Malicious prompts ingested from separate data sources during normal operation. Users may never be aware of the injection.","controls_by_system_element":{"AI Platform":["AC-06-00","AU-06-00","CM-05-00","SI-03-00","SI-04-00","SI-10-00"]},"residual_risk":"Prompts may be injected from any uncontrolled data source. Unknown logic flaws may be exploited."},{"threat_name":"Insider Threats","atlas_id":"AML.T0012","description":"Insiders exploit access privileges for data theft or sabotage. AI development practices often lack traditional process controls.","controls_by_system_element":{"Environment":["AC-05-00","AC-06-00","AC-24-00","CM-11-00","IA-02-00","IA-08-00","MA-05-00","PM-12-00","SC-28-00","SI-03-00","SI-04-00","SR-09-00"],"AI Platform":["AC-05-00","AC-06-00","AC-24-00","CM-11-00","IA-02-00","IA-08-00","MA-05-00","PM-12-00","SC-28-00","SI-03-00","SI-04-00","SR-09-00"],"AI Models":["PM-12-00","SC-28-00","SI-04-00","SI-20-00"],"AI Data":["PM-12-00","SC-28-00","SI-04-00","SI-20-00"]},"residual_risk":"Controls make unauthorized activities harder but cannot completely eliminate risk."},{"threat_name":"Excessive Agency","atlas_id":"AML.T0050","description":"AI components with capabilities beyond what is necessary. Excessive permissions and unchecked autonomy cause unintended behaviors.","controls_by_system_element":{"Environment":["AC-06-00","CM-07-00"],"AI Platform":["AC-05-00","AC-06-00","CM-07-00"],"AI Models":["CM-07-00"]},"residual_risk":"Unfettered access to authorized capabilities may lead to unintended consequences."},{"threat_name":"Insecure Plugin Design","atlas_id":"AML.T0053","description":"Plugins with insufficient access controls or input validation allow data exfiltration, remote code execution, and privilege escalation.","controls_by_system_element":{"Environment":["AC-06-00","CM-07-00","SC-08-00"],"AI Platform":["AC-06-00","AC-24-00","CM-05-00","CM-07-00","CM-13-00","SA-08-00","SC-39-00","SI-03-00","SI-10-00"]},"residual_risk":"Plugins introduce plugin-specific risks that may be difficult to fully identify."},{"threat_name":"AI Bias","atlas_id":"AML.T0020","description":"Biases in data and models lead to inaccurate outcomes or discriminatory treatment. Scale and complexity make bias management challenging.","controls_by_system_element":{"Environment":["CA-02-00","CM-02-00","PL-02-00","PL-04-00","SA-10-00"],"AI Platform":["CA-02-00","CM-02-00","PL-02-00","PL-04-00","SA-10-00"],"AI Data":["CA-02-00","CM-02-00","PL-02-00","PL-04-00","SA-10-00","SR-04-00"]},"residual_risk":"Some input sources may not be sufficiently controlled. Data drift can cause biased outcomes."},{"threat_name":"Identity Spoofing","atlas_id":"AML.T0052","description":"Deep fakes, synthetic identities, and AI-generated content threaten authentication systems including voice spoofing and biometrics.","controls_by_system_element":{"Environment":["AC-07-00","AC-14-00","IA-02-00","IA-02-01","IA-02-02","IA-08-00","IA-12-00"],"AI Platform":["AC-07-00","AC-14-00","IA-02-00","IA-02-01","IA-02-02","IA-08-00","IA-12-00"]},"residual_risk":"Fake-detectors lag fake-generators, creating vulnerability windows."},{"threat_name":"Cost Harvesting","atlas_id":"AML.T0034","description":"Adversaries maliciously increase costs by flooding with useless queries or crafting computationally expensive inputs.","controls_by_system_element":{"Environment":["AU-06-05","SC-05-00","SC-06-00"],"AI Platform":["AU-06-05","SC-05-00","SC-06-00"]},"residual_risk":"Some cost burden or service quality degradation cannot be compensated for."},{"threat_name":"Zero-day Exploits","atlas_id":"AML.T0001","description":"AI systems have failure modes that are difficult to characterize and poorly understood. Continuous monitoring and red teaming critical.","controls_by_system_element":{"Environment":["CA-08-00","SI-02-00","SI-03-00"],"AI Platform":["CA-08-00","SI-02-00","SI-03-00"],"AI Models":["SI-20-00"],"AI Data":["SI-20-00"]},"residual_risk":"Given prevalence of unknown failure modes, no mitigation can eliminate all zero-day risk."},{"threat_name":"Denial of Service","atlas_id":"AML.T0034","description":"AI systems with expensive compute requirements are vulnerable to overloading. Adversaries flood with inputs or craft heavy queries.","controls_by_system_element":{"Environment":["SC-05-00","SC-37-00"],"AI Platform":["SR-03-00","SR-11-00"],"AI Models":["SR-03-00"]},"residual_risk":"Some cost burden or service quality degradation cannot be compensated for."}],"source":"MITRE SAFE-AI Framework (MP250397, April 2025)"}