MR-015 (Security & adversarial; System scope)

Residual AI system security and availability weaknesses

The system is broadly vulnerable to attack or disruption, including denial-of-service and resource-exhaustion (sponge) attacks.

Risk family
Security & adversarial
MIT domain
2. Privacy & Security
MIT subdomain
2.2 > AI system security vulnerabilities and attacks
AI type
GPAI, Classical_ML, Agentic
Scope
System
Source standard
MIT AI Risk Repository v4

Provenance

Source standard
MIT AI Risk Repository v4
Source frameworks (8 citation keys)
Cui2024, Gipiškis2024, Habbal2024, Saghiri2022, Tan2022, Wang2025, Wirtz2022, Zeng2024
ISO/IEC references
23894 obj A.11; src 9; mech B.6 | 42001 ctrl A.6.2.4, A.4.5
EU AI Act articles
Art. 15
GPAI Code of Practice
S&S Ch. Commitment 6

Framework crosswalk

Every framework item mapped to this risk. Items marked partial overlap with the risk only in part.

Sources (frameworks that contributed to the register)
ISO 23894 (1)
  • A.11: ISO/IEC 23894 Annex A, A.11
ISO 42001 (2)
  • A.4.5: ISO/IEC 42001 Annex A, A.4.5
  • A.6.2.4: ISO/IEC 42001 Annex A, A.6.2.4
EU AI Act (2)
  • Art. 15
  • CoP S&S Ch. Commitment 6
MITRE ATLAS (19)

Expanded into this risk’s technique sub-risks.

Cross-checks (frameworks mapped in to test coverage)
Cisco (12)
  • AISubtech-13.1.1 Compute Exhaustion
  • AISubtech-13.1.2 Memory Flooding
  • AISubtech-13.1.3 Model Denial of Service
  • AISubtech-13.1.4 Application Denial of Service
  • AISubtech-13.1.5 Decision Paralysis Attacks
  • AISubtech-13.2.1 Service Misuse for Cost Inflation
  • AISubtech-14.1.2 Insufficient Access Controls (partial)
  • AISubtech-9.1.1 Code Execution (partial)
  • AISubtech-9.1.2 Unauthorized or Unsolicited System Access (partial)
  • AISubtech-9.1.3 Unauthorized or Unsolicited Network Access (partial)
  • AISubtech-9.1.4 Injection Attacks (SQL, Command Execution, XSS) (partial)
  • AISubtech-9.1.5 Template Injection (SSTI) (partial)
NIST AML (2)
  • NISTAML.01 Availability Violations
  • NISTAML.014 Energy-latency
NIST GenAI (1)
  • GENAI.9 Information Security
OWASP LLM (1)
  • LLM10:2025 Unbounded Consumption
OWASP Agentic (2)
  • ASI03 Identity and Privilege Abuse
  • ASI05 Unexpected Code Execution (RCE)

Sub-risks (9)

Technique-level decompositions of this risk, each anchored to the MITRE ATLAS technique it derives from.

MR-015.1
Abuse of valid accounts against the AI system

Stolen or abused legitimate credentials grant access to the AI system and its data.

MITRE ATLAS technique: AML.T0012 Valid Accounts

MR-015.2
Denial of AI service

The AI service is flooded with requests to degrade or deny availability to legitimate users.

MITRE ATLAS technique: AML.T0029 Denial of AI Service

MR-015.3
Cost harvesting (denial of wallet)

Adversaries deliberately drive the AI service beyond normal load to inflate operating cost.

MITRE ATLAS technique: AML.T0034 Cost Harvesting

MR-015.4
Chaff-data flooding of the AI system

The system is spammed with inputs that inflate false detections and overwhelm downstream review.

MITRE ATLAS technique: AML.T0046 Spamming AI System with Chaff Data

MR-015.5
Downstream external harms from a compromised AI system

A compromised AI system is abused to cause financial, reputational, user, or societal harm beyond the system itself.

MITRE ATLAS technique: AML.T0048 External Harms

MR-015.6
Exploitation of the public-facing AI application

A weakness in the internet-facing AI application is exploited to gain access.

MITRE ATLAS technique: AML.T0049 Exploit Public-Facing Application

MR-015.7
Drive-by compromise of AI system users

Users are compromised by visiting attacker-influenced content during normal AI system use.

MITRE ATLAS technique: AML.T0078 Drive-by Compromise

MR-015.8
Container or sandbox escape from the AI environment

An attacker breaks out of the AI system's container or sandbox to reach the host.

MITRE ATLAS technique: AML.T0105 Escape to Host

MR-015.9
Machine compromise via AI components

AI-enabled components are exploited or manipulated to compromise the underlying machine.

MITRE ATLAS technique: AML.T0112 Machine Compromise


Part of the Deployer AI Risk Register, an open-source resource developed by MindXO. Version 1.0, 3 July 2026. Derived from the MIT AI Risk Repository (V4, December 2025) under CC BY 4.0; an independent derivative work, not endorsed by or affiliated with MIT. Sub-risk decomposition references MITRE ATLAS™ v5.6.0 (© 2021-2026 The MITRE Corporation, reproduced and distributed with permission). ISO/IEC and EU AI Act references are by number only. License: CC BY 4.0.