Reverse crosswalk
NIST AI 100-2e2025 Adversarial ML
28 entries, 28 mapped to canonical risks. Each entry below is shown with the canonical risk it maps to, or the reason it sits outside the register.
| Framework entry | Description | Disposition | Confidence | Register mapping | Note |
|---|---|---|---|---|---|
| NISTAML.01 Availability Violations | A disruption of the ability of other users or processes to obtain timely and reliable access to an AI system's outputs or functionality (availability breakdown). | Mapped | Clear | Availability breakdown of the AI system is the register's general AI security weakness and availability-attack risk; denial of service and cost-harvesting are the MITRE ATLAS-anchored sub-risks. | |
| NISTAML.02 Integrity Violations | An AI system being forced to misperform against its intended objectives, producing outputs or predictions that align with the attacker's objective. | Mapped | Clear | Integrity violations are realised through evasion (MR-012), poisoning and backdoors (MR-014) and prompt injection (MR-010); the MITRE ATLAS integrity-erosion and trusted-output-manipulation sub-risks apply. | |
| NISTAML.03 Privacy Compromises | The unauthorized access of restricted or proprietary information that is part of an AI system, including information about a model's training data, weights or architecture, or sensitive information that the model accesses (e.g. a RAG knowledge base). | Mapped | Clear | Privacy compromise spans privacy-invasive inference (MR-017), leakage of personal or sensitive data (MR-009) and model or data extraction (MR-016). | |
| NISTAML.04 Misuse Violations | Misuse enablement: a circumvention of technical restrictions imposed by the AI system's owner on its use, such as restrictions designed to prevent a GenAI system from producing outputs that could cause harm to others. | Mapped | Clear | Misuse enablement (circumventing owner-imposed safety restrictions, e.g. jailbreaks) maps to misuse or repurposing (MR-032) achieved via guardrail bypass (MR-010.2). | |
| NISTAML.05 Supply Chain Attacks | Attacks that compromise components introduced through the AI supply chain, such as poisoned third-party data or a poisoned model published to a repository. | Mapped | Clear | Supply-chain attacks that introduce poisoned data or models map to the AI supply-chain risk (MR-018) and to data and model poisoning (MR-014). | |
| NISTAML.011 Model Poisoning (availability) | A poisoning attack which operates through model control (the attacker can modify the trained model parameters), here aimed at degrading availability. | Mapped | Clear | Model poisoning through model control is direct manipulation or backdoor insertion under data and model poisoning (MR-014). | |
| NISTAML.012 Clean-label Poisoning | A poisoning attack in which the adversary controls training samples but cannot change their labels (the label-limit capability). | Mapped | Clear | Clean-label poisoning is a training-data poisoning variant under MR-014. | |
| NISTAML.013 Data Poisoning | A poisoning attack in which an adversary controls part of the training data. | Mapped | Clear | Data poisoning is squarely MR-014, with MITRE ATLAS sub-risks for training-data poisoning and poisoned datasets published for ingestion. | |
| NISTAML.014 Energy-latency | An attack that exploits the performance dependency on hardware and model optimizations to negate the effects of hardware optimizations, increase computational latency, increase hardware temperature, and massively increase the amount of energy consumed (e.g. sponge examples). | Mapped | Clear | Energy-latency (sponge) attacks degrade availability and inflate compute cost, mapping to general AI availability attacks (MR-015), denial of service and denial of wallet. | |
| NISTAML.015 Indirect Prompt Injection | A type of prompt injection executed through resource control (adversary-controlled external data the model ingests) rather than through user-provided input as in a direct prompt injection. | Mapped | Clear | Indirect prompt injection via adversary-controlled external data is the register's indirect prompt injection sub-risk (MR-010.9). | |
| NISTAML.018 Prompt Injection | An attack which exploits the concatenation of untrusted input with a prompt constructed by a higher-trust party such as the application designer. | Mapped | Clear | Prompt injection is MR-010 directly, with the deployed-LLM prompt injection sub-risk (MR-010.1). | |
| NISTAML.021 Clean-label Backdoor | A backdoor poisoning attack mounted without control over training-data labels (a clean-label variant of backdoor poisoning). | Mapped | Clear | Clean-label backdoor is a backdoor-insertion variant under data and model poisoning (MR-014). | |
| NISTAML.022 Evasion | Modifying test samples to create adversarial examples that the model misclassifies at inference time, without altering the model. | Mapped | Clear | Evasion via adversarial examples is the register's adversarial examples and evasion risk (MR-012). | |
| NISTAML.023 Backdoor Poisoning | A poisoning attack that causes a model to perform an adversary-selected behaviour in response to inputs that follow a particular backdoor pattern. | Mapped | Clear | Backdoor poisoning maps to MR-014 with the direct model manipulation and backdoor insertion sub-risk. | |
| NISTAML.024 Targeted Poisoning | A poisoning attack that changes the prediction on a small number of targeted samples. | Mapped | Clear | Targeted poisoning is a training-data poisoning variant under MR-014. | |
| NISTAML.025 Black-box Evasion | An evasion attack mounted with only query access and no knowledge of the model's parameters or architecture (black-box setting). | Mapped | Clear | Black-box evasion is an evasion attack under MR-012 conducted with query access only. | |
| NISTAML.026 Model Poisoning (integrity) | A poisoning attack which operates through model control, here aimed at violating integrity (causing targeted misclassification or adversary-selected behaviour). | Mapped | Clear | Model poisoning for integrity maps to MR-014 (direct model manipulation and backdoor insertion). | |
| NISTAML.027 Misaligned Outputs | Integrity attacks (often via indirect prompt injection) that cause a GenAI system to become untrustworthy and generate content that deviates from benign behaviour to align with the attacker's objectives (e.g. incorrect summaries, attacker-specified content, suppressed sources, hijacked agents). | Mapped | Clear | Misaligned outputs are produced via indirect prompt injection that manipulates trusted output (MR-010.4); the agent-hijack variant is MR-071. | |
| NISTAML.031 Model Extraction | A type of privacy attack that extracts details of the model architecture and/or parameters. | Mapped | Clear | Model extraction is the register's model theft and extraction risk (MR-016), via the inference API or white-box access. | |
| NISTAML.032 Reconstruction | Privacy attacks that reconstruct sensitive data in a model's training data from aggregate information (data reconstruction). | Mapped | Partial | Data reconstruction has no dedicated register risk; it is covered by leakage of sensitive data (MR-009) and privacy-invasive inference (MR-017). | |
| NISTAML.033 Membership Inference | A data privacy attack to determine whether a data sample was part of the training set of a machine learning model. | Mapped | Clear | Membership inference is the register's privacy-invasive inference and re-identification risk (MR-017). | |
| NISTAML.034 Property Inference | A data privacy attack that infers a global property about the training data of a machine learning model. | Mapped | Clear | Property inference is a privacy-invasive inference attack under MR-017. | |
| NISTAML.035 Prompt Extraction | An attack that tries to divulge the system prompt or other information in the context of a large language model that would normally be hidden from a user. | Mapped | Clear | Prompt extraction is system-prompt and instruction extraction (MR-013.2) under disclosure of confidential or proprietary information (MR-013). | |
| NISTAML.036 Leaking information from user interactions | An indirect prompt injection that instructs a model to persuade the end user to reveal information, then exfiltrates it (e.g. by querying an attacker-controlled URL or via markdown image rendering). | Mapped | Clear | Leaking information from user interactions is prompt-induced leakage of sensitive data (MR-009.1) driven by indirect prompt injection (MR-010.9). | |
| NISTAML.037 Training Data Attacks | Training-data extraction: the ability of an attacker to extract the training data of a generative model by prompting the model with specific inputs. | Mapped | Clear | Training-data extraction surfaces memorized sensitive data, mapping to leakage of personal or sensitive data (MR-009). | |
| NISTAML.038 Data Extraction | Extraction of memorized training data or other sensitive context from a generative model through crafted queries (information-extraction attacks). | Mapped | Clear | Data extraction of memorized content maps to leakage of personal or sensitive data in outputs (MR-009). | |
| NISTAML.039 Compromising connected resources | Prompt injection attacks that cause a GenAI system to leak or exfiltrate private information from the restricted resources it can access (e.g. an email client forwarding messages to an attacker inbox; querying an attacker-controlled URL with user data). | Mapped | Clear | Compromising connected resources uses injection to exfiltrate data from tools the model can reach, mapping to insecure tool/integration (MR-020) and data exfiltration through agent tool invocation (MR-071.6). | |
| NISTAML.051 Model Poisoning (supply chain) | Publishing a poisoned model (or poisoned data) into the AI supply chain so that downstream users inherit adversary-controlled behaviour. | Mapped | Clear | Supply-chain model poisoning maps to the AI supply-chain risk (MR-018), poisoned models published to registries (MR-018.2) and data and model poisoning (MR-014). | |
Descriptions are each source framework's own text, where it provides one; long entries are clipped here.