Threat Taxonomy Reconciliation

Six threat taxonomies are in active use across agentic and generative AI security as of June 2026, each built for a different job. This page is the single cross-walk that maps them to one another and onto the wiki’s two control artifacts: the AAI-S RA six planes and the CMM nine domains. It is the source of truth that Threat Modeling for AI, the RA Threat-Control Matrix, and the CMM Standards Crosswalk all reference; the narrative explaining when to use which taxonomy lives on the spine page.

The six taxonomies and their jobs

TaxonomyFormJob it does
OWASP ASI Top 10 (ASI01–ASI10)Ranked risk listThe consensus agentic risk taxonomy; the Rosetta Stone other lists cross-map to
OWASP T1–T17Reference threat model + playbooksThe catalog the ASI list ranks; pairs each threat with proactive/reactive/detective controls
OWASP LLM Top 10 (LLM01–LLM10)Ranked risk listThe non-agentic GenAI base the agentic risks inherit from
MITRE ATLAS (AML.T####)Adversary technique catalogThe attacker’s-eye view — techniques and tactics, the ATT&CK analogue
CSA MAESTRO (L1–L7)Layered decompositionPartitions the agentic stack into seven layers for architectural threat placement
STRIDE-AIElicitation methodA six-category procedure for eliciting threats against AI assets, not a catalog

Two structural tests sit alongside the catalogs: the Lethal Trifecta (private data + untrusted content + external communication → exfiltration) and the Lethal Bifecta (untrusted content + sensitive write → damaging action). They are design-time go/no-go checks, not enumerations. The five threat classes are the wiki’s expansion beyond the published lists, covering gaps a peer reviewer surfaces (insider, APT, collusion, model-version regression, jurisdictional).

Primary reconciliation — by OWASP ASI category

The ASI Top 10 is the spine. Each row gives the cross-taxonomy anchors plus the RA plane and CMM domain where the wiki places the primary control. Secondary planes/domains are in parentheses. Codes verified against the published ASI 2026 PDF, the T1–T17 reference model, and ATLAS v5.6.0 per the 2026-Q2 standards review.

ASIThreatT-codesLLM Top 10MITRE ATLASMAESTRORA planeCMM domainExample control
ASI01Agent Goal HijackT6LLM01AML.T0051L1, L3Runtime (Control)D4 (D3, D9)AlignmentCheck CoT audit; HITL on goal change
ASI02Tool MisuseT2LLM06AML.T0053L3, L7Control (Egress)D3 (D4, D5)Cedar/OPA tool-call policy; AgentGateway runtime authz
ASI03Identity & Privilege AbuseT3, T9AML.T0055L4IdentityD2 (D1)Agent ID + credential proxy
ASI04Agentic Supply ChainT17LLM03AML.T0010L3, L7Data (Egress)D8 (D5, D6)AI-BOM; sigstore; pre-install scan
ASI05Unexpected Code ExecutionT11LLM05L4Runtime (Control)D4 (D3)Sandboxing; code-gen/exec separation
ASI06Memory & Context PoisoningT1LLM04, LLM08AML.T0070, AML.T0080L2Data (Observability)D6 (D7)Cognitive file integrity; trust-weighted retrieval
ASI07Insecure Inter-Agent CommsT12, T16L7EgressD5 (D7)A2A over TLS + signed Agent Cards
ASI08Cascading FailuresT5cross-layerControl (Observability)D3 (D7)Step-up gates; graph-walk anomaly detection
ASI09Human-Agent Trust ExploitationT10, T15L7Observability (Control)D7 (D3, D9)Plan-divergence detection; HITL on sensitive actions
ASI10Rogue AgentsT13L7Identity (Observability)D2 (D7)Behavioral drift; distributed kill switch

Three ASI categories (ASI07, ASI08, ASI10) are entirely new risk classes absent from the LLM Top 10; they have no LLM-Top-10 anchor and no MITRE ATLAS technique as of v5.6.0, which is why the wiki’s multi-agent controls lean on the RA Egress and Observability planes rather than an external catalog.

The five threat classes — gaps beyond the published lists

The five threat classes do not map one-to-one onto ASI categories; they are cross-cutting adversary models that a CISO raises and the standard lists under-serve. Each lands across several planes and domains.

ClassThreatRA planesCMM domainsSingle highest-leverage control
1AI-aware insiderIdentity, Control, Data, ObservabilityD2, D3, D6, D8, D9Customer-owned, version-pinned eval harness over every artifact (AI-BOM + always-on eval)
2Long-running APT campaignRuntime, Egress, ObservabilityD4, D5, D7, D9Cross-version eval continuity + sustained AI-workload threat hunting
3Collusion (agent–agent / insider–agent / agent–human)Control, Runtime, ObservabilityD3, D4, D7, D9Mutually-blind monitor isolation + output canonicalization + deception probes
4Model-version degradationRuntime, Data, Supply ChainD4, D6, D8, D9Customer eval suite versioned independently of the vendor; pin-by-hash
5Jurisdictional adversaryGovernance, DataD1, D9Multi-vendor model abstraction; jurisdiction tagging; vendor-cutoff playbook

Classes 1, 2, and 4 collapse to one observable signal — a delta against a trusted baseline produced by a continuously-executed, version-pinned eval harness with cryptographic provenance over every artifact (weights, prompts, RAG documents, tool definitions). Class 3 partially overlaps it via output canonicalization and monitor isolation. Class 5 is the outlier: technical artifact controls do not mitigate a legal cutoff, so it resolves to governance (D1) and operations (D9) only.

Structural tests — design-time go/no-go

The trifecta and bifecta are not catalog entries; they are necessary-condition tests applied at design time, before enumeration. They map to the planes that break the condition rather than to a single threat.

TestConditionWhat it predictsRA plane (breaker)CMM domain
Lethal Trifectaprivate data + untrusted content + external commsExfiltration at scaleControl (downgrade) + Egress (remove comms)D3, D5
Lethal Bifectauntrusted content + sensitive writeDamaging actionControl (tool annotation) + Runtime (review gate)D3, D4

Removing any one leg of the trifecta, or interposing a deterministic gate on the bifecta’s write leg, collapses the structural risk regardless of which catalog threat is in play. This is why the RA treats the trifecta as a Design Principle, not a Threat-Control Matrix row.

STRIDE-AI as the elicitation overlay

STRIDE-AI is orthogonal to the catalogs: it is the method that walks an architecture and surfaces candidate threats, which the analyst then names using the catalogs above. Its six categories re-map onto AI assets, and each category tends to surface a recurring set of ASI categories.

STRIDE-AI categoryAI asset focusTends to surface
SpoofingAgent / user / service identityASI03, ASI07, ASI10
TamperingTraining data, weights, memory, promptsASI04, ASI06
RepudiationAction logs, attributionASI03 (T8 untraceability)
Information disclosureContext window, RAG corpus, system promptASI06, LLM02, LLM07
Denial of serviceCompute, quotas, agent loopsT4 Resource Overload; availability threats
Elevation of privilegeDelegation chains, tool scopeASI02, ASI03, ASI05

How to read this page

For a design-time assessment, start with the structural tests, run STRIDE-AI elicitation against the architecture, name the results with the ASI/T-code rows above, check the five classes for what the standard lists miss, then follow each row’s RA plane and CMM domain to the control. The full method and a worked example over a multi-agent RAG system with MCP servers are on Threat Modeling for AI.

See also