# The AI Defense Matrix is a structured framework for defending AI systems, aligned with NIST CSF 2.0 and extending the Cyber Defense Matrix.
# Source: https://aidefensematrix.com
# © 2026 by Lenny Zeltser and Sounil Yu, licensed under CC BY-SA 4.0.
# https://creativecommons.org/licenses/by-sa/4.0/
# Framework Alignment — 8 frameworks crossmapped to AI Defense Matrix asset rows.
# Each framework has 9 rows: 8 asset classes + a Cyber Defense Matrix catch-all
# (isCdm: true → row represents assets that belong in the Cyber Defense Matrix, not here).

- id: nist-ir-8596
  name: NIST IR 8596
  url: https://csrc.nist.gov/pubs/ir/8596/iprd
  descriptor: AI system components organizations should protect
  summary: NIST IR 8596 identifies AI system components organizations should protect. Each concept below maps to a row in the AI Defense Matrix or to the Cyber Defense Matrix.
  columnHeader: NIST IR 8596 Concepts
  rows:
    - asset: AI-Workload Platforms
      mapping: "Containers, microservices, and libraries (AI-specific subset); inference endpoints (platform side)"
    - asset: AI Orchestration Tools
      mapping: "Agents as deployed artifacts; system prompts and templates"
    - asset: AI-Generated Code
      mapping: "(not explicitly named in IR 8596)"
    - asset: AI Gateways and Routers
      mapping: "AI data flows; APIs; inference endpoints (traffic side); model registries and dataset sources"
    - asset: AI Model
      mapping: "Models; Algorithms (model configuration)"
    - asset: Training Data
      mapping: Training data
    - asset: Runtime AI Data
      mapping: "Prompts (runtime); inference and RAG data"
    - asset: AI Agent Identities
      mapping: "Agents as autonomous principals; Keys; Integrations and permissions"
    - asset: Cyber Defense Matrix
      mapping: "Hardware and GPUs; generic containers and microservices (non-AI-specific)"
      isCdm: true

- id: csa-aicm
  name: CSA AI Controls Matrix
  url: https://cloudsecurityalliance.org/artifacts/ai-controls-matrix
  descriptor: 18 domains, 243 controls, five pillars
  summary: CSA AICM organizes AI security controls into 18 domains. The primary domain(s) for each asset class are listed below. Auditors using STAR for AI can use this mapping directly.
  columnHeader: CSA AICM Domains
  rows:
    - asset: AI-Workload Platforms
      mapping: "Infrastructure Security; Threat & Vulnerability Management"
    - asset: AI Orchestration Tools
      mapping: "Application and Interface Security; Supply Chain Management"
    - asset: AI-Generated Code
      mapping: "Application and Interface Security; Supply Chain Management"
    - asset: AI Gateways and Routers
      mapping: "Infrastructure Security; Interoperability and Portability"
    - asset: AI Model
      mapping: "Model Security; Governance, Risk and Compliance"
    - asset: Training Data
      mapping: "Data Security and Privacy Lifecycle Management; Model Security"
    - asset: Runtime AI Data
      mapping: "Data Security and Privacy Lifecycle Management; Application and Interface Security"
    - asset: AI Agent Identities
      mapping: "IAM; Governance, Risk and Compliance"
    - asset: Cyber Defense Matrix
      mapping: "IT & Cloud Security; Endpoint & Network Security; IAM (non-AI-specific domains)"
      isCdm: true

- id: iso-42001
  name: ISO 42001
  url: https://www.iso.org/standard/42001
  descriptor: AI management system standard — Annex A controls
  summary: ISO 42001 Annex A defines controls for an AI management system. Each asset class maps to one or more Annex A clauses. Non-AI-specific controls fall under ISO/IEC 27001.
  columnHeader: ISO 42001 Annex A Clauses
  rows:
    - asset: AI-Workload Platforms
      mapping: "A.6 AI system life cycle; A.4 Resources for AI systems"
    - asset: AI Orchestration Tools
      mapping: "A.6 AI system life cycle; A.5 Assessing impacts of AI systems"
    - asset: AI-Generated Code
      mapping: A.6 AI system life cycle
    - asset: AI Gateways and Routers
      mapping: "A.8 Information for interested parties; A.9 Use of AI systems; A.10 Third-party and customer relationships"
    - asset: AI Model
      mapping: "A.6 AI system life cycle; A.10 Third-party and customer relationships; A.5 Assessing impacts of AI systems"
    - asset: Training Data
      mapping: A.7 Data for AI systems
    - asset: Runtime AI Data
      mapping: "A.7 Data for AI systems; A.8 Information for interested parties"
    - asset: AI Agent Identities
      mapping: "A.9 Use of AI systems; A.3 Internal organization; A.5 Assessing impacts of AI systems"
    - asset: Cyber Defense Matrix
      mapping: ISO/IEC 27001 Annex A (general IT security controls)
      isCdm: true

- id: google-saif
  name: Google SAIF
  url: https://saif.google/
  descriptor: Secure AI Framework — six core principles
  summary: Google SAIF organizes AI security into six principles covering infrastructure, model, data, and application layers. Full coverage — and SAIF's Focus on Agents section maps directly to the AI Agent Identities row.
  columnHeader: SAIF Coverage
  rows:
    - asset: AI-Workload Platforms
      mapping: "Expand strong security foundations; secure and harden the AI deployment environment"
    - asset: AI Orchestration Tools
      mapping: "Secure the AI supply chain; application and pipeline security; agent orchestration controls"
    - asset: AI-Generated Code
      mapping: "Secure the AI pipeline; code provenance and supply chain integrity"
    - asset: AI Gateways and Routers
      mapping: "Harden and monitor infrastructure; network-level access and egress controls"
    - asset: AI Model
      mapping: "Protect the AI model; ensure model integrity, provenance, and weight security"
    - asset: Training Data
      mapping: "Secure training data; data-security foundations; dataset provenance and integrity"
    - asset: Runtime AI Data
      mapping: "Expand AI red-teaming; runtime input and output safety; prompt defense"
    - asset: AI Agent Identities
      mapping: "Focus on Agents (explicit SAIF section); identity, authorization, and delegation controls"
    - asset: Cyber Defense Matrix
      mapping: "Expand strong security foundations — non-AI-specific infrastructure, endpoint, and identity security"
      isCdm: true

- id: mitre-atlas
  name: MITRE ATLAS
  url: https://atlas.mitre.org/
  descriptor: Adversarial ML tactics and techniques
  summary: ATLAS tactics populate matrix cells (Identify, Protect, Detect columns) rather than rows. Techniques are listed here by the asset class most directly affected.
  columnHeader: Relevant Tactics and Techniques
  rows:
    - asset: AI-Workload Platforms
      mapping: "AML.T0010 ML Supply Chain Compromise; AML.T0012 Valid Accounts (platform credential abuse); container and inference-server exploits"
    - asset: AI Orchestration Tools
      mapping: "AML.T0051 LLM Prompt Injection; AML.T0054 LLM Jailbreak; AML.T0016 Obtain Capabilities (malicious plugins)"
    - asset: AI-Generated Code
      mapping: "AML.T0018 Backdoor ML Model (via training-poisoned code); hallucinated-package injection"
    - asset: AI Gateways and Routers
      mapping: "AML.T0057 LLM Meta Prompt Extraction; network-level exfiltration via AI egress channels"
    - asset: AI Model
      mapping: "AML.T0043 Craft Adversarial Data; AML.T0034 Model Inversion Attack; AML.T0006 Adversarial ML Attack; AML.T0024 Exfiltration via ML Inference API"
    - asset: Training Data
      mapping: "AML.T0020 Poison Training Data; AML.T0019 Publish Poisoned Datasets"
    - asset: Runtime AI Data
      mapping: "AML.T0051 LLM Prompt Injection; AML.T0054 LLM Jailbreak; AML.T0056 Embedding Inversion Attack"
    - asset: AI Agent Identities
      mapping: "AML.T0053 Compromised ML Software Dependencies; credential and delegation-chain abuse; unauthorized tool invocation"
    - asset: Cyber Defense Matrix
      mapping: "Standard MITRE ATT&CK techniques apply to underlying infrastructure (Initial Access, Persistence, Lateral Movement)"
      isCdm: true

- id: owasp-ai-exchange
  name: OWASP AI Exchange
  url: https://owaspai.org/
  descriptor: Threats across development-time, input, and runtime phases
  summary: OWASP AI Exchange classifies threats across development-time, input, and runtime phases. Each asset class sits primarily in one or two of those phases.
  columnHeader: Threat Categories
  rows:
    - asset: AI-Workload Platforms
      mapping: "Development-time threats — supply chain attacks, model-platform CVEs, container escape"
    - asset: AI Orchestration Tools
      mapping: "Development-time threats — agent framework supply chain; runtime threats — plugin abuse, prompt injection via tools"
    - asset: AI-Generated Code
      mapping: "Development-time threats — insecure code generation, license risk, hallucinated dependencies"
    - asset: AI Gateways and Routers
      mapping: "Runtime threats — data leakage via AI egress; network-level access control gaps"
    - asset: AI Model
      mapping: "Development-time and runtime model threats — model inversion, extraction, evasion, poisoning"
    - asset: Training Data
      mapping: "Development-time threats — data poisoning, backdoor injection, dataset integrity violations"
    - asset: Runtime AI Data
      mapping: "Input threats — prompt injection, adversarial inputs, evasion; runtime threats — RAG poisoning, memory tampering"
    - asset: AI Agent Identities
      mapping: "Runtime threats — unauthorized agent actions, capability abuse, delegation chain exploitation"
    - asset: Cyber Defense Matrix
      mapping: "Standard OWASP secure software development (SSDF) and application security practices"
      isCdm: true

- id: owasp-llm-top10
  name: OWASP LLM Top 10
  url: https://genai.owasp.org/llm-top-10/
  descriptor: Prompt injection, poisoning, supply chain, disclosure
  summary: Each LLM risk maps to one or two rows. The table shows primary mapping; several risks span multiple asset classes.
  columnHeader: Applicable Risks
  rows:
    - asset: AI-Workload Platforms
      mapping: "LLM03 Supply Chain (compromised ML platform components); LLM04 Data and Model Poisoning (via platform)"
    - asset: AI Orchestration Tools
      mapping: "LLM01 Prompt Injection; LLM02 Insecure Output Handling; LLM07 System Prompt Leakage; LLM10 Unbounded Consumption"
    - asset: AI-Generated Code
      mapping: "LLM06 Excessive Agency (code execution); insecure or vulnerable code patterns inherited from training data"
    - asset: AI Gateways and Routers
      mapping: "LLM10 Unbounded Consumption (cost and rate control); shadow AI egress and output handling"
    - asset: AI Model
      mapping: "LLM03 Supply Chain; LLM04 Data and Model Poisoning; LLM09 Misinformation"
    - asset: Training Data
      mapping: "LLM04 Data and Model Poisoning; LLM03 Supply Chain (dataset provenance)"
    - asset: Runtime AI Data
      mapping: "LLM01 Prompt Injection; LLM08 Vector and Embedding Weaknesses; LLM05 Improper Output Handling"
    - asset: AI Agent Identities
      mapping: "LLM06 Excessive Agency; LLM05 Improper Output Handling; unauthorized actions by AI agents"
    - asset: Cyber Defense Matrix
      mapping: "Traditional OWASP Top 10 (injection, broken access control, etc.) applies to underlying web and API infrastructure"
      isCdm: true

- id: owasp-asi
  name: OWASP Agentic Security Top 10
  url: https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
  descriptor: Agent goal hijack, tool misuse, memory poisoning
  summary: OWASP ASI reinforces AI Agent Identities and AI Orchestration Tools as the primary rows. Memory and context poisoning touches Runtime AI Data; unexpected code execution touches AI-Generated Code.
  columnHeader: Applicable Issues
  rows:
    - asset: AI-Workload Platforms
      mapping: "ASI-06 Resource Oversubscription; platform-level agent execution environment risks"
    - asset: AI Orchestration Tools
      mapping: "ASI-01 Agent Goal and Instruction Manipulation; ASI-04 Excessive Autonomy; ASI-07 Prompt Injection; ASI-08 Misuse of Tool Calls"
    - asset: AI-Generated Code
      mapping: "ASI-09 Unexpected Code Execution; ASI-06 Resource Oversubscription via generated code"
    - asset: AI Gateways and Routers
      mapping: "ASI-03 Identity and Authorization Exploitation; API and tool invocation scope enforcement"
    - asset: AI Model
      mapping: "ASI-02 Compromised AI Model; model integrity and manipulation issues"
    - asset: Training Data
      mapping: "ASI-10 Trust Boundary Violations; malicious data injection affecting model behavior"
    - asset: Runtime AI Data
      mapping: "ASI-07 Prompt Injection Attacks; ASI-05 Context Manipulation and Memory Poisoning"
    - asset: AI Agent Identities
      mapping: "ASI-01 Agent Goal and Instruction Manipulation; ASI-03 Identity and Authorization Exploitation; ASI-08 Misuse of Tool Calls"
    - asset: Cyber Defense Matrix
      mapping: Supporting identity, network, and endpoint controls that underpin agentic infrastructure
      isCdm: true
