# AI Defense Matrix — Framework Alignment

Crossmappings between AI Defense Matrix asset classes and 8 security frameworks and standards.

## NIST IR 8596

[https://csrc.nist.gov/pubs/ir/8596/iprd](https://csrc.nist.gov/pubs/ir/8596/iprd)

NIST IR 8596 identifies AI system components organizations should protect. Each concept below maps to a row in the AI Defense Matrix or to the Cyber Defense Matrix.

| Asset Class | NIST IR 8596 Concepts |
| --- | --- |
| ***AI-Workload Platforms*** | Containers, microservices, and libraries (AI-specific subset); inference endpoints (platform side) |
| ***AI Orchestration Tools*** | Agents as deployed artifacts; system prompts and templates |
| ***AI-Generated Code*** | (not explicitly named in IR 8596) |
| ***AI Gateways and Routers*** | AI data flows; APIs; inference endpoints (traffic side); model registries and dataset sources |
| ***AI Model*** | Models; Algorithms (model configuration) |
| ***Training Data*** | Training data |
| ***Runtime AI Data*** | Prompts (runtime); inference and RAG data |
| ***AI Agent Identities*** | Agents as autonomous principals; Keys; Integrations and permissions |
| ***Cyber Defense Matrix*** | Hardware and GPUs; generic containers and microservices (non-AI-specific) |

## CSA AI Controls Matrix

[https://cloudsecurityalliance.org/artifacts/ai-controls-matrix](https://cloudsecurityalliance.org/artifacts/ai-controls-matrix)

CSA AICM organizes AI security controls into 18 domains. The primary domain(s) for each asset class are listed below. Auditors using STAR for AI can use this mapping directly.

| Asset Class | CSA AICM Domains |
| --- | --- |
| ***AI-Workload Platforms*** | Infrastructure Security; Threat & Vulnerability Management |
| ***AI Orchestration Tools*** | Application and Interface Security; Supply Chain Management |
| ***AI-Generated Code*** | Application and Interface Security; Supply Chain Management |
| ***AI Gateways and Routers*** | Infrastructure Security; Interoperability and Portability |
| ***AI Model*** | Model Security; Governance, Risk and Compliance |
| ***Training Data*** | Data Security and Privacy Lifecycle Management; Model Security |
| ***Runtime AI Data*** | Data Security and Privacy Lifecycle Management; Application and Interface Security |
| ***AI Agent Identities*** | IAM; Governance, Risk and Compliance |
| ***Cyber Defense Matrix*** | IT & Cloud Security; Endpoint & Network Security; IAM (non-AI-specific domains) |

## ISO 42001

[https://www.iso.org/standard/42001](https://www.iso.org/standard/42001)

ISO 42001 Annex A defines controls for an AI management system. Each asset class maps to one or more Annex A clauses. Non-AI-specific controls fall under ISO/IEC 27001.

| Asset Class | ISO 42001 Annex A Clauses |
| --- | --- |
| ***AI-Workload Platforms*** | A.6 AI system life cycle; A.4 Resources for AI systems |
| ***AI Orchestration Tools*** | A.6 AI system life cycle; A.5 Assessing impacts of AI systems |
| ***AI-Generated Code*** | A.6 AI system life cycle |
| ***AI Gateways and Routers*** | A.8 Information for interested parties; A.9 Use of AI systems; A.10 Third-party and customer relationships |
| ***AI Model*** | A.6 AI system life cycle; A.10 Third-party and customer relationships; A.5 Assessing impacts of AI systems |
| ***Training Data*** | A.7 Data for AI systems |
| ***Runtime AI Data*** | A.7 Data for AI systems; A.8 Information for interested parties |
| ***AI Agent Identities*** | A.9 Use of AI systems; A.3 Internal organization; A.5 Assessing impacts of AI systems |
| ***Cyber Defense Matrix*** | ISO/IEC 27001 Annex A (general IT security controls) |

## Google SAIF

[https://saif.google/](https://saif.google/)

Google SAIF organizes AI security into six principles covering the infrastructure, model, data, and application layers. It covers every asset class, and SAIF's Focus on Agents section maps directly to the AI Agent Identities row.

| Asset Class | SAIF Coverage |
| --- | --- |
| ***AI-Workload Platforms*** | Expand strong security foundations; secure and harden the AI deployment environment |
| ***AI Orchestration Tools*** | Secure the AI supply chain; application and pipeline security; agent orchestration controls |
| ***AI-Generated Code*** | Secure the AI pipeline; code provenance and supply chain integrity |
| ***AI Gateways and Routers*** | Harden and monitor infrastructure; network-level access and egress controls |
| ***AI Model*** | Protect the AI model; ensure model integrity, provenance, and weight security |
| ***Training Data*** | Secure training data; data-security foundations; dataset provenance and integrity |
| ***Runtime AI Data*** | Expand AI red-teaming; runtime input and output safety; prompt defense |
| ***AI Agent Identities*** | Focus on Agents (explicit SAIF section); identity, authorization, and delegation controls |
| ***Cyber Defense Matrix*** | Expand strong security foundations — non-AI-specific infrastructure, endpoint, and identity security |

## MITRE ATLAS

[https://atlas.mitre.org/](https://atlas.mitre.org/)

ATLAS tactics populate matrix cells (Identify, Protect, Detect columns) rather than rows. Techniques are listed here by the asset class most directly affected.

| Asset Class | Relevant Tactics and Techniques |
| --- | --- |
| ***AI-Workload Platforms*** | AML.T0010 ML Supply Chain Compromise; AML.T0012 Valid Accounts (platform credential abuse); container and inference-server exploits |
| ***AI Orchestration Tools*** | AML.T0051 LLM Prompt Injection; AML.T0054 LLM Jailbreak; AML.T0016 Obtain Capabilities (malicious plugins) |
| ***AI-Generated Code*** | AML.T0018 Backdoor ML Model (via training-poisoned code); hallucinated-package injection |
| ***AI Gateways and Routers*** | AML.T0057 LLM Meta Prompt Extraction; network-level exfiltration via AI egress channels |
| ***AI Model*** | AML.T0043 Craft Adversarial Data; AML.T0034 Model Inversion Attack; AML.T0006 Adversarial ML Attack; AML.T0024 Exfiltration via ML Inference API |
| ***Training Data*** | AML.T0020 Poison Training Data; AML.T0019 Publish Poisoned Datasets |
| ***Runtime AI Data*** | AML.T0051 LLM Prompt Injection; AML.T0054 LLM Jailbreak; AML.T0056 Embedding Inversion Attack |
| ***AI Agent Identities*** | AML.T0053 Compromised ML Software Dependencies; credential and delegation-chain abuse; unauthorized tool invocation |
| ***Cyber Defense Matrix*** | Standard MITRE ATT&CK techniques apply to underlying infrastructure (Initial Access, Persistence, Lateral Movement) |

## OWASP AI Exchange

[https://owaspai.org/](https://owaspai.org/)

OWASP AI Exchange classifies threats across development-time, input, and runtime phases. Each asset class sits primarily in one or two of those phases.

| Asset Class | Threat Categories |
| --- | --- |
| ***AI-Workload Platforms*** | Development-time threats — supply chain attacks, model-platform CVEs, container escape |
| ***AI Orchestration Tools*** | Development-time threats — agent framework supply chain; runtime threats — plugin abuse, prompt injection via tools |
| ***AI-Generated Code*** | Development-time threats — insecure code generation, license risk, hallucinated dependencies |
| ***AI Gateways and Routers*** | Runtime threats — data leakage via AI egress; network-level access control gaps |
| ***AI Model*** | Development-time and runtime model threats — model inversion, extraction, evasion, poisoning |
| ***Training Data*** | Development-time threats — data poisoning, backdoor injection, dataset integrity violations |
| ***Runtime AI Data*** | Input threats — prompt injection, adversarial inputs, evasion; runtime threats — RAG poisoning, memory tampering |
| ***AI Agent Identities*** | Runtime threats — unauthorized agent actions, capability abuse, delegation chain exploitation |
| ***Cyber Defense Matrix*** | Standard OWASP secure software development (SSDF) and application security practices |

## OWASP LLM Top 10

[https://genai.owasp.org/llm-top-10/](https://genai.owasp.org/llm-top-10/)

Each LLM risk maps to one or two rows. The table shows the primary mapping; several risks span multiple asset classes.

| Asset Class | Applicable Risks |
| --- | --- |
| ***AI-Workload Platforms*** | LLM03 Supply Chain (compromised ML platform components); LLM04 Data and Model Poisoning (via platform) |
| ***AI Orchestration Tools*** | LLM01 Prompt Injection; LLM02 Insecure Output Handling; LLM07 System Prompt Leakage; LLM10 Unbounded Consumption |
| ***AI-Generated Code*** | LLM06 Excessive Agency (code execution); insecure or vulnerable code patterns inherited from training data |
| ***AI Gateways and Routers*** | LLM10 Unbounded Consumption (cost and rate control); shadow AI egress and output handling |
| ***AI Model*** | LLM03 Supply Chain; LLM04 Data and Model Poisoning; LLM09 Misinformation |
| ***Training Data*** | LLM04 Data and Model Poisoning; LLM03 Supply Chain (dataset provenance) |
| ***Runtime AI Data*** | LLM01 Prompt Injection; LLM08 Vector and Embedding Weaknesses; LLM05 Improper Output Handling |
| ***AI Agent Identities*** | LLM06 Excessive Agency; LLM05 Improper Output Handling; unauthorized actions by AI agents |
| ***Cyber Defense Matrix*** | Traditional OWASP Top 10 (injection, broken access control, etc.) applies to underlying web and API infrastructure |

## OWASP Agentic Security Top 10

[https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/)

OWASP ASI reinforces AI Agent Identities and AI Orchestration Tools as the primary rows. Memory and context poisoning touches Runtime AI Data; unexpected code execution touches AI-Generated Code.

| Asset Class | Applicable Issues |
| --- | --- |
| ***AI-Workload Platforms*** | ASI-06 Resource Oversubscription; platform-level agent execution environment risks |
| ***AI Orchestration Tools*** | ASI-01 Agent Goal and Instruction Manipulation; ASI-04 Excessive Autonomy; ASI-07 Prompt Injection; ASI-08 Misuse of Tool Calls |
| ***AI-Generated Code*** | ASI-09 Unexpected Code Execution; ASI-06 Resource Oversubscription via generated code |
| ***AI Gateways and Routers*** | ASI-03 Identity and Authorization Exploitation; API and tool invocation scope enforcement |
| ***AI Model*** | ASI-02 Compromised AI Model; model integrity and manipulation issues |
| ***Training Data*** | ASI-10 Trust Boundary Violations; malicious data injection affecting model behavior |
| ***Runtime AI Data*** | ASI-07 Prompt Injection Attacks; ASI-05 Context Manipulation and Memory Poisoning |
| ***AI Agent Identities*** | ASI-01 Agent Goal and Instruction Manipulation; ASI-03 Identity and Authorization Exploitation; ASI-08 Misuse of Tool Calls |
| ***Cyber Defense Matrix*** | Supporting identity, network, and endpoint controls that underpin agentic infrastructure |


---

**Source:** https://aidefensematrix.com

© 2026 by [Lenny Zeltser](https://zeltser.com) and [Sounil Yu](https://www.linkedin.com/in/sounil), licensed under [CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/).
