# The AI Defense Matrix is a structured framework for defending AI systems, aligned with NIST CSF 2.0 and extending the Cyber Defense Matrix.
# Source: https://aidefensematrix.com
# © 2026 by Lenny Zeltser and Sounil Yu, licensed under CC BY-SA 4.0.
# https://creativecommons.org/licenses/by-sa/4.0/
# Framework Alignment — 8 frameworks crossmapped to AI Defense Matrix asset rows.
# Each framework has 9 rows: 8 asset classes + a Cyber Defense Matrix catch-all
# (isCdm: true → row represents assets that belong in the Cyber Defense Matrix, not here).

- id: nist-ir-8596
  name: NIST IR 8596
  url: https://csrc.nist.gov/pubs/ir/8596/iprd
  descriptor: AI system components organizations should protect
  summary: NIST IR 8596 identifies AI system components organizations should protect. Each concept below maps to a row in the AI Defense Matrix or to the Cyber Defense Matrix.
  columnHeader: NIST IR 8596 Concepts
  rows:
    - asset: AI-Workload Platforms
      mapping: "Containers, microservices, and libraries (AI-specific subset); inference endpoints (platform side)"
    - asset: AI Orchestration Tools
      mapping: "Agents as deployed artifacts (orchestration view; see AI Agent Identities row for the principal view); system prompts and templates"
    - asset: AI-Generated Code
      mapping: "(not explicitly named in IR 8596)"
    - asset: AI Gateways and Routers
      mapping: "AI data flows; APIs; inference endpoints (traffic side); model registries and dataset sources"
    - asset: AI Model
      mapping: "Models; Algorithms (model configuration)"
    - asset: Training Data
      mapping: Training data
    - asset: Runtime AI Data
      mapping: "Prompts (runtime); inference data"
    - asset: AI Agent Identities
      mapping: "Agents as autonomous principals; Keys; Integrations and permissions"
    - asset: Cyber Defense Matrix
      mapping: "Hardware and GPUs; generic containers and microservices (non-AI-specific)"
      isCdm: true

- id: csa-aicm
  name: CSA AI Controls Matrix
  url: https://cloudsecurityalliance.org/artifacts/ai-controls-matrix
  descriptor: 18 domains, 243 controls, five pillars
  summary: CSA AICM organizes AI security controls into 18 domains. The primary domain(s) for each asset class are listed below. Auditors using STAR for AI can use this mapping directly.
  columnHeader: CSA AICM Domains
  rows:
    - asset: AI-Workload Platforms
      mapping: "Infrastructure Security; Threat & Vulnerability Management"
    - asset: AI Orchestration Tools
      mapping: "Application and Interface Security; Supply Chain Management"
    - asset: AI-Generated Code
      mapping: "Application and Interface Security; Supply Chain Management"
    - asset: AI Gateways and Routers
      mapping: "Infrastructure Security; Interoperability and Portability"
    - asset: AI Model
      mapping: "Model Security; Governance, Risk and Compliance"
    - asset: Training Data
      mapping: "Data Security and Privacy Lifecycle Management; Model Security"
    - asset: Runtime AI Data
      mapping: "Data Security and Privacy Lifecycle Management; Application and Interface Security"
    - asset: AI Agent Identities
      mapping: "IAM; Governance, Risk and Compliance"
    - asset: Cyber Defense Matrix
      mapping: "IT & Cloud Security; Endpoint & Network Security; IAM (non-AI-specific domains)"
      isCdm: true

- id: iso-42001
  name: ISO 42001
  url: https://www.iso.org/standard/42001
  descriptor: AI management system standard, Annex A controls
  summary: ISO 42001 Annex A defines controls for an AI management system. Each asset class maps to one or more Annex A clauses. Non-AI-specific controls fall under ISO/IEC 27001.
  columnHeader: ISO 42001 Annex A Clauses
  rows:
    - asset: AI-Workload Platforms
      mapping: "A.6 AI system life cycle; A.4 Resources for AI systems"
    - asset: AI Orchestration Tools
      mapping: "A.6 AI system life cycle; A.5 Assessing impacts of AI systems"
    - asset: AI-Generated Code
      mapping: A.6 AI system life cycle
    - asset: AI Gateways and Routers
      mapping: "A.8 Information for interested parties; A.9 Use of AI systems; A.10 Third-party and customer relationships"
    - asset: AI Model
      mapping: "A.6 AI system life cycle; A.10 Third-party and customer relationships; A.5 Assessing impacts of AI systems"
    - asset: Training Data
      mapping: A.7 Data for AI systems
    - asset: Runtime AI Data
      mapping: "A.7 Data for AI systems; A.8 Information for interested parties"
    - asset: AI Agent Identities
      mapping: "A.9 Use of AI systems; A.3 Internal organization; A.5 Assessing impacts of AI systems"
    - asset: Cyber Defense Matrix
      mapping: ISO/IEC 27001 Annex A (general IT security controls)
      isCdm: true

- id: google-saif
  name: Google SAIF
  url: https://saif.google/
  descriptor: Secure AI Framework, six core principles
  summary: Google SAIF organizes AI security into six principles covering infrastructure, model, data, and application layers. SAIF's concepts all fit into the Matrix, with its Focus on Agents section mapping to the AI Agent Identities row.
  columnHeader: SAIF Coverage
  rows:
    - asset: AI-Workload Platforms
      mapping: "Expand strong security foundations; secure and harden the AI deployment environment"
    - asset: AI Orchestration Tools
      mapping: "Secure the AI supply chain; application and pipeline security; agent orchestration controls"
    - asset: AI-Generated Code
      mapping: "Secure the AI pipeline; code provenance and supply chain integrity"
    - asset: AI Gateways and Routers
      mapping: "Harden and monitor infrastructure; network-level access and egress controls"
    - asset: AI Model
      mapping: "Protect the AI model; ensure model integrity, provenance, and weight security"
    - asset: Training Data
      mapping: "Secure training data; data-security foundations; dataset provenance and integrity"
    - asset: Runtime AI Data
      mapping: "Expand AI red-teaming; runtime input and output safety; prompt defense"
    - asset: AI Agent Identities
      mapping: "Focus on Agents (explicit SAIF section); identity, authorization, and delegation controls"
    - asset: Cyber Defense Matrix
      mapping: "Expand strong security foundations: non-AI-specific infrastructure, endpoint, and identity security"
      isCdm: true

- id: mitre-atlas
  name: MITRE ATLAS
  url: https://atlas.mitre.org/
  descriptor: Adversarial AI tactics and techniques
  summary: ATLAS tactics populate matrix cells (Identify, Protect, Detect columns) rather than rows. Techniques are listed here by the asset class most directly affected. Technique names follow ATLAS v5.6.0.
  columnHeader: Relevant Tactics and Techniques
  rows:
    - asset: AI-Workload Platforms
      mapping: "AML.T0010 AI Supply Chain Compromise; AML.T0012 Valid Accounts (platform credential abuse); container and inference-server exploits"
    - asset: AI Orchestration Tools
      mapping: "AML.T0051 LLM Prompt Injection; AML.T0054 LLM Jailbreak; AML.T0016 Obtain Capabilities (malicious plugins)"
    - asset: AI-Generated Code
      mapping: "AML.T0010 AI Supply Chain Compromise (hallucinated dependencies and slopsquatting); AML.T0018 Manipulate AI Model (when models embed code-execution backdoors)"
    - asset: AI Gateways and Routers
      mapping: "AML.T0057 LLM Data Leakage; AML.T0024 Exfiltration via AI Inference API (network-side observation)"
    - asset: AI Model
      mapping: "AML.T0043 Craft Adversarial Data; AML.T0024 Exfiltration via AI Inference API (subtechniques: AML.T0024.001 Invert AI Model and AML.T0024.002 Extract AI Model); AML.T0018 Manipulate AI Model (integrity and backdoor)"
    - asset: Training Data
      mapping: "AML.T0020 Poison Training Data; AML.T0019 Publish Poisoned Datasets; AML.T0024.000 Infer Training Data Membership"
    - asset: Runtime AI Data
      mapping: "AML.T0051 LLM Prompt Injection; AML.T0054 LLM Jailbreak; AML.T0056 Extract LLM System Prompt"
    - asset: AI Agent Identities
      mapping: "AML.T0053 AI Agent Tool Invocation; credential and delegation-chain abuse"
    - asset: Cyber Defense Matrix
      mapping: "Standard MITRE ATT&CK techniques apply to underlying infrastructure (Initial Access, Persistence, Lateral Movement)"
      isCdm: true

- id: owasp-ai-exchange
  name: OWASP AI Exchange
  url: https://owaspai.org/
  descriptor: Threats across development-time, input, and runtime phases
  summary: OWASP AI Exchange classifies threats across development-time, input, and runtime phases. Each asset class sits primarily in one or two of those phases.
  columnHeader: Threat Categories
  rows:
    - asset: AI-Workload Platforms
      mapping: "Development-time threats: supply chain attacks, model-platform CVEs, container escape"
    - asset: AI Orchestration Tools
      mapping: "Development-time threats: agent framework supply chain; runtime threats: plugin abuse, prompt injection via tools"
    - asset: AI-Generated Code
      mapping: "Development-time threats: insecure code generation, license risk, hallucinated dependencies"
    - asset: AI Gateways and Routers
      mapping: "Runtime threats: data leakage via AI egress; network-level access control gaps"
    - asset: AI Model
      mapping: "Development-time and runtime model threats: model inversion, extraction, evasion, poisoning"
    - asset: Training Data
      mapping: "Development-time threats: data poisoning, backdoor injection, dataset integrity violations"
    - asset: Runtime AI Data
      mapping: "Input threats: prompt injection, adversarial inputs, evasion; runtime threats: RAG poisoning, memory tampering"
    - asset: AI Agent Identities
      mapping: "Runtime threats: unauthorized agent actions, capability abuse, delegation chain exploitation"
    - asset: Cyber Defense Matrix
      mapping: "Standard OWASP secure software development (SSDF) and application security practices"
      isCdm: true

- id: owasp-llm-top10
  name: OWASP LLM Top 10
  url: https://genai.owasp.org/llm-top-10/
  descriptor: Prompt injection, poisoning, supply chain, disclosure
  summary: Each LLM risk maps to one or two rows. The table shows the primary mapping; several risks span multiple asset classes. Risk titles follow the 2025 release of the OWASP Top 10 for LLM Applications.
  columnHeader: Applicable Risks
  rows:
    - asset: AI-Workload Platforms
      mapping: "LLM03 Supply Chain (compromised AI platform components); LLM04 Data and Model Poisoning (via platform)"
    - asset: AI Orchestration Tools
      mapping: "LLM01 Prompt Injection; LLM05 Improper Output Handling; LLM07 System Prompt Leakage; LLM10 Unbounded Consumption"
    - asset: AI-Generated Code
      mapping: "LLM06 Excessive Agency (code execution); insecure or vulnerable code patterns inherited from training data"
    - asset: AI Gateways and Routers
      mapping: "LLM10 Unbounded Consumption (cost and rate control); shadow AI egress and output handling"
    - asset: AI Model
      mapping: "LLM03 Supply Chain; LLM04 Data and Model Poisoning; LLM09 Misinformation"
    - asset: Training Data
      mapping: "LLM04 Data and Model Poisoning; LLM03 Supply Chain (dataset provenance)"
    - asset: Runtime AI Data
      mapping: "LLM01 Prompt Injection; LLM02 Sensitive Information Disclosure; LLM08 Vector and Embedding Weaknesses; LLM05 Improper Output Handling"
    - asset: AI Agent Identities
      mapping: "LLM06 Excessive Agency; LLM05 Improper Output Handling; unauthorized actions by AI agents"
    - asset: Cyber Defense Matrix
      mapping: "Traditional OWASP Top 10 (injection, broken access control, etc.) applies to underlying web and API infrastructure"
      isCdm: true

- id: owasp-asi
  name: OWASP Agentic Security Top 10
  url: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
  descriptor: Agent goal hijack, tool misuse, memory poisoning
  summary: OWASP ASI reinforces AI Agent Identities and AI Orchestration Tools as the primary rows. Memory and context poisoning touches Runtime AI Data; unexpected code execution touches AI-Generated Code. Mappings follow the December 2025 release of the OWASP Top 10 for Agentic Applications 2026.
  columnHeader: Applicable Issues
  rows:
    - asset: AI-Workload Platforms
      mapping: "ASI04 Agentic Supply Chain Vulnerabilities (model and tool-platform components); ASI08 Cascading Failures (platform fault propagation)"
    - asset: AI Orchestration Tools
      mapping: "ASI01 Agent Goal Hijack; ASI02 Tool Misuse and Exploitation; ASI05 Unexpected Code Execution (RCE); ASI07 Insecure Inter-Agent Communication; ASI08 Cascading Failures; ASI10 Rogue Agents"
    - asset: AI-Generated Code
      mapping: "ASI05 Unexpected Code Execution (RCE); ASI04 Agentic Supply Chain Vulnerabilities (hallucinated dependencies and vibe-coding artifacts)"
    - asset: AI Gateways and Routers
      mapping: "ASI07 Insecure Inter-Agent Communication; ASI02 Tool Misuse and Exploitation (egress and tool-invocation scope); ASI04 Agentic Supply Chain Vulnerabilities (MCP and tool-registry trust)"
    - asset: AI Model
      mapping: "ASI04 Agentic Supply Chain Vulnerabilities (model provenance, weights, and dynamic loading)"
    - asset: Training Data
      mapping: "ASI04 Agentic Supply Chain Vulnerabilities (dataset provenance and integrity)"
    - asset: Runtime AI Data
      mapping: "ASI06 Memory & Context Poisoning; ASI01 Agent Goal Hijack (via prompt injection in runtime inputs)"
    - asset: AI Agent Identities
      mapping: "ASI03 Identity and Privilege Abuse; ASI10 Rogue Agents; ASI09 Human-Agent Trust Exploitation; ASI02 Tool Misuse and Exploitation (when tied to agent permissions)"
    - asset: Cyber Defense Matrix
      mapping: Supporting identity, network, and endpoint controls that underpin agentic infrastructure
      isCdm: true
