# AI Defense Matrix — Framework Alignment

Cross-mappings between AI Defense Matrix asset classes and eight security frameworks and standards.

## NIST IR 8596

[https://csrc.nist.gov/pubs/ir/8596/iprd](https://csrc.nist.gov/pubs/ir/8596/iprd)

NIST IR 8596 identifies AI system components organizations should protect. Each concept below maps to a row in the AI Defense Matrix or to the Cyber Defense Matrix.

| Asset Class | NIST IR 8596 Concepts |
| --- | --- |
| ***AI-Workload Platforms*** | Containers, microservices, and libraries (AI-specific subset); inference endpoints (platform side) |
| ***AI Orchestration Tools*** | Agents as deployed artifacts (orchestration view; see AI Agent Identities row for the principal view); system prompts and templates |
| ***AI-Generated Code*** | (not explicitly named in IR 8596) |
| ***AI Gateways and Routers*** | AI data flows; APIs; inference endpoints (traffic side); model registries and dataset sources |
| ***AI Model*** | Models; Algorithms (model configuration) |
| ***Training Data*** | Training data |
| ***Runtime AI Data*** | Prompts (runtime); inference data |
| ***AI Agent Identities*** | Agents as autonomous principals; Keys; Integrations and permissions |
| ***Cyber Defense Matrix*** | Hardware and GPUs; generic containers and microservices (non-AI-specific) |

## CSA AI Controls Matrix

[https://cloudsecurityalliance.org/artifacts/ai-controls-matrix](https://cloudsecurityalliance.org/artifacts/ai-controls-matrix)

CSA AICM organizes AI security controls into 18 domains. The primary domain(s) for each asset class are listed below. Auditors using STAR for AI can use this mapping directly.

| Asset Class | CSA AICM Domains |
| --- | --- |
| ***AI-Workload Platforms*** | Infrastructure Security; Threat & Vulnerability Management |
| ***AI Orchestration Tools*** | Application and Interface Security; Supply Chain Management |
| ***AI-Generated Code*** | Application and Interface Security; Supply Chain Management |
| ***AI Gateways and Routers*** | Infrastructure Security; Interoperability and Portability |
| ***AI Model*** | Model Security; Governance, Risk and Compliance |
| ***Training Data*** | Data Security and Privacy Lifecycle Management; Model Security |
| ***Runtime AI Data*** | Data Security and Privacy Lifecycle Management; Application and Interface Security |
| ***AI Agent Identities*** | IAM; Governance, Risk and Compliance |
| ***Cyber Defense Matrix*** | IT & Cloud Security; Endpoint & Network Security; IAM (non-AI-specific domains) |

## ISO 42001

[https://www.iso.org/standard/42001](https://www.iso.org/standard/42001)

ISO 42001 Annex A defines controls for an AI management system. Each asset class maps to one or more Annex A clauses. Non-AI-specific controls fall under ISO/IEC 27001.

| Asset Class | ISO 42001 Annex A Clauses |
| --- | --- |
| ***AI-Workload Platforms*** | A.6 AI system life cycle; A.4 Resources for AI systems |
| ***AI Orchestration Tools*** | A.6 AI system life cycle; A.5 Assessing impacts of AI systems |
| ***AI-Generated Code*** | A.6 AI system life cycle |
| ***AI Gateways and Routers*** | A.8 Information for interested parties; A.9 Use of AI systems; A.10 Third-party and customer relationships |
| ***AI Model*** | A.6 AI system life cycle; A.10 Third-party and customer relationships; A.5 Assessing impacts of AI systems |
| ***Training Data*** | A.7 Data for AI systems |
| ***Runtime AI Data*** | A.7 Data for AI systems; A.8 Information for interested parties |
| ***AI Agent Identities*** | A.9 Use of AI systems; A.3 Internal organization; A.5 Assessing impacts of AI systems |
| ***Cyber Defense Matrix*** | ISO/IEC 27001 Annex A (general IT security controls) |

## Google SAIF

[https://saif.google/](https://saif.google/)

Google SAIF organizes AI security into six principles covering infrastructure, model, data, and application layers. SAIF's concepts all fit into the Matrix, with its Focus on Agents section mapping to the AI Agent Identities row.

| Asset Class | SAIF Coverage |
| --- | --- |
| ***AI-Workload Platforms*** | Expand strong security foundations; secure and harden the AI deployment environment |
| ***AI Orchestration Tools*** | Secure the AI supply chain; application and pipeline security; agent orchestration controls |
| ***AI-Generated Code*** | Secure the AI pipeline; code provenance and supply chain integrity |
| ***AI Gateways and Routers*** | Harden and monitor infrastructure; network-level access and egress controls |
| ***AI Model*** | Protect the AI model; ensure model integrity, provenance, and weight security |
| ***Training Data*** | Secure training data; data-security foundations; dataset provenance and integrity |
| ***Runtime AI Data*** | Expand AI red-teaming; runtime input and output safety; prompt defense |
| ***AI Agent Identities*** | Focus on Agents (explicit SAIF section); identity, authorization, and delegation controls |
| ***Cyber Defense Matrix*** | Expand strong security foundations: non-AI-specific infrastructure, endpoint, and identity security |

## MITRE ATLAS

[https://atlas.mitre.org/](https://atlas.mitre.org/)

ATLAS tactics populate matrix cells (Identify, Protect, Detect columns) rather than rows. Techniques are listed here by the asset class most directly affected. Technique names follow ATLAS v5.6.0.

| Asset Class | Relevant Tactics and Techniques |
| --- | --- |
| ***AI-Workload Platforms*** | AML.T0010 AI Supply Chain Compromise; AML.T0012 Valid Accounts (platform credential abuse); container and inference-server exploits |
| ***AI Orchestration Tools*** | AML.T0051 LLM Prompt Injection; AML.T0054 LLM Jailbreak; AML.T0016 Obtain Capabilities (malicious plugins) |
| ***AI-Generated Code*** | AML.T0010 AI Supply Chain Compromise (hallucinated dependencies and slopsquatting); AML.T0018 Manipulate AI Model (when models embed code-execution backdoors) |
| ***AI Gateways and Routers*** | AML.T0057 LLM Data Leakage; AML.T0024 Exfiltration via AI Inference API (network-side observation) |
| ***AI Model*** | AML.T0043 Craft Adversarial Data; AML.T0024 Exfiltration via AI Inference API (subtechniques: AML.T0024.001 Invert AI Model and AML.T0024.002 Extract AI Model); AML.T0018 Manipulate AI Model (integrity and backdoor) |
| ***Training Data*** | AML.T0020 Poison Training Data; AML.T0019 Publish Poisoned Datasets; AML.T0024.000 Infer Training Data Membership |
| ***Runtime AI Data*** | AML.T0051 LLM Prompt Injection; AML.T0054 LLM Jailbreak; AML.T0056 Extract LLM System Prompt |
| ***AI Agent Identities*** | AML.T0053 AI Agent Tool Invocation; credential and delegation-chain abuse |
| ***Cyber Defense Matrix*** | Standard MITRE ATT&CK techniques apply to underlying infrastructure (Initial Access, Persistence, Lateral Movement) |

## OWASP AI Exchange

[https://owaspai.org/](https://owaspai.org/)

OWASP AI Exchange classifies threats across development-time, input, and runtime phases. Each asset class sits primarily in one or two of those phases.

| Asset Class | Threat Categories |
| --- | --- |
| ***AI-Workload Platforms*** | Development-time threats: supply chain attacks, model-platform CVEs, container escape |
| ***AI Orchestration Tools*** | Development-time threats: agent framework supply chain; runtime threats: plugin abuse, prompt injection via tools |
| ***AI-Generated Code*** | Development-time threats: insecure code generation, license risk, hallucinated dependencies |
| ***AI Gateways and Routers*** | Runtime threats: data leakage via AI egress; network-level access control gaps |
| ***AI Model*** | Development-time and runtime model threats: model inversion, extraction, evasion, poisoning |
| ***Training Data*** | Development-time threats: data poisoning, backdoor injection, dataset integrity violations |
| ***Runtime AI Data*** | Input threats: prompt injection, adversarial inputs, evasion; runtime threats: RAG poisoning, memory tampering |
| ***AI Agent Identities*** | Runtime threats: unauthorized agent actions, capability abuse, delegation chain exploitation |
| ***Cyber Defense Matrix*** | Standard OWASP secure software development (SSDF) and application security practices |

## OWASP LLM Top 10

[https://genai.owasp.org/llm-top-10/](https://genai.owasp.org/llm-top-10/)

Each LLM risk maps to one or two rows. The table shows the primary mapping; several risks span multiple asset classes. Risk titles follow the 2025 release of the OWASP Top 10 for LLM Applications.

| Asset Class | Applicable Risks |
| --- | --- |
| ***AI-Workload Platforms*** | LLM03 Supply Chain (compromised AI platform components); LLM04 Data and Model Poisoning (via platform) |
| ***AI Orchestration Tools*** | LLM01 Prompt Injection; LLM05 Improper Output Handling; LLM07 System Prompt Leakage; LLM10 Unbounded Consumption |
| ***AI-Generated Code*** | LLM06 Excessive Agency (code execution); insecure or vulnerable code patterns inherited from training data |
| ***AI Gateways and Routers*** | LLM10 Unbounded Consumption (cost and rate control); shadow AI egress and output handling |
| ***AI Model*** | LLM03 Supply Chain; LLM04 Data and Model Poisoning; LLM09 Misinformation |
| ***Training Data*** | LLM04 Data and Model Poisoning; LLM03 Supply Chain (dataset provenance) |
| ***Runtime AI Data*** | LLM01 Prompt Injection; LLM02 Sensitive Information Disclosure; LLM08 Vector and Embedding Weaknesses; LLM05 Improper Output Handling |
| ***AI Agent Identities*** | LLM06 Excessive Agency; LLM05 Improper Output Handling; unauthorized actions by AI agents |
| ***Cyber Defense Matrix*** | Traditional OWASP Top 10 (injection, broken access control, etc.) applies to underlying web and API infrastructure |

## OWASP Agentic Security Top 10

[https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/)

OWASP ASI reinforces AI Agent Identities and AI Orchestration Tools as the primary rows. Memory and context poisoning touches Runtime AI Data; unexpected code execution touches AI-Generated Code. Mappings follow the December 2025 release of the OWASP Top 10 for Agentic Applications 2026.

| Asset Class | Applicable Issues |
| --- | --- |
| ***AI-Workload Platforms*** | ASI04 Agentic Supply Chain Vulnerabilities (model and tool-platform components); ASI08 Cascading Failures (platform fault propagation) |
| ***AI Orchestration Tools*** | ASI01 Agent Goal Hijack; ASI02 Tool Misuse and Exploitation; ASI05 Unexpected Code Execution (RCE); ASI07 Insecure Inter-Agent Communication; ASI08 Cascading Failures; ASI10 Rogue Agents |
| ***AI-Generated Code*** | ASI05 Unexpected Code Execution (RCE); ASI04 Agentic Supply Chain Vulnerabilities (hallucinated dependencies and vibe-coding artifacts) |
| ***AI Gateways and Routers*** | ASI07 Insecure Inter-Agent Communication; ASI02 Tool Misuse and Exploitation (egress and tool-invocation scope); ASI04 Agentic Supply Chain Vulnerabilities (MCP and tool-registry trust) |
| ***AI Model*** | ASI04 Agentic Supply Chain Vulnerabilities (model provenance, weights, and dynamic loading) |
| ***Training Data*** | ASI04 Agentic Supply Chain Vulnerabilities (dataset provenance and integrity) |
| ***Runtime AI Data*** | ASI06 Memory & Context Poisoning; ASI01 Agent Goal Hijack (via prompt injection in runtime inputs) |
| ***AI Agent Identities*** | ASI03 Identity and Privilege Abuse; ASI10 Rogue Agents; ASI09 Human-Agent Trust Exploitation; ASI02 Tool Misuse and Exploitation (when tied to agent permissions) |
| ***Cyber Defense Matrix*** | Supporting identity, network, and endpoint controls that underpin agentic infrastructure |
---

**Source:** https://aidefensematrix.com

© 2026 by [Lenny Zeltser](https://zeltser.com) and [Sounil Yu](https://www.linkedin.com/in/sounil), licensed under [CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/).
