Threat Taxonomy Reconciliation
Six threat taxonomies are in active use across agentic and generative AI security as of June 2026, each built for a different job. This page is the single cross-walk that maps them to one another and onto the wiki’s two control artifacts: the AAI-S RA six planes and the CMM nine domains. It is the source of truth that Threat Modeling for AI, the RA Threat-Control Matrix, and the CMM Standards Crosswalk all reference; the narrative explaining when to use which taxonomy lives on the spine page.
The six taxonomies and their jobs
| Taxonomy | Form | Job it does |
|---|---|---|
| OWASP ASI Top 10 (ASI01–ASI10) | Ranked risk list | The consensus agentic risk taxonomy; the Rosetta Stone other lists cross-map to |
| OWASP T1–T17 | Reference threat model + playbooks | The catalog the ASI list ranks; pairs each threat with proactive/reactive/detective controls |
| OWASP LLM Top 10 (LLM01–LLM10) | Ranked risk list | The non-agentic GenAI base the agentic risks inherit from |
MITRE ATLAS (AML.T####) | Adversary technique catalog | The attacker’s-eye view — techniques and tactics, the ATT&CK analogue |
| CSA MAESTRO (L1–L7) | Layered decomposition | Partitions the agentic stack into seven layers for architectural threat placement |
| STRIDE-AI | Elicitation method | A six-category procedure for eliciting threats against AI assets, not a catalog |
Two structural tests sit alongside the catalogs: the Lethal Trifecta (private data + untrusted content + external communication → exfiltration) and the Lethal Bifecta (untrusted content + sensitive write → damaging action). They are design-time go/no-go checks, not enumerations. The five threat classes are the wiki’s expansion beyond the published lists, covering gaps a peer reviewer surfaces (insider, APT, collusion, model-version regression, jurisdictional).
Primary reconciliation — by OWASP ASI category
The ASI Top 10 is the spine. Each row gives the cross-taxonomy anchors plus the RA plane and CMM domain where the wiki places the primary control. Secondary planes/domains are in parentheses. Codes verified against the published ASI 2026 PDF, the T1–T17 reference model, and ATLAS v5.6.0 per the 2026-Q2 standards review.
| ASI | Threat | T-codes | LLM Top 10 | MITRE ATLAS | MAESTRO | RA plane | CMM domain | Example control |
|---|---|---|---|---|---|---|---|---|
| ASI01 | Agent Goal Hijack | T6 | LLM01 | AML.T0051 | L1, L3 | Runtime (Control) | D4 (D3, D9) | AlignmentCheck CoT audit; HITL on goal change |
| ASI02 | Tool Misuse | T2 | LLM06 | AML.T0053 | L3, L7 | Control (Egress) | D3 (D4, D5) | Cedar/OPA tool-call policy; AgentGateway runtime authz |
| ASI03 | Identity & Privilege Abuse | T3, T9 | — | AML.T0055 | L4 | Identity | D2 (D1) | Agent ID + credential proxy |
| ASI04 | Agentic Supply Chain | T17 | LLM03 | AML.T0010 | L3, L7 | Data (Egress) | D8 (D5, D6) | AI-BOM; sigstore; pre-install scan |
| ASI05 | Unexpected Code Execution | T11 | LLM05 | — | L4 | Runtime (Control) | D4 (D3) | Sandboxing; code-gen/exec separation |
| ASI06 | Memory & Context Poisoning | T1 | LLM04, LLM08 | AML.T0070, AML.T0080 | L2 | Data (Observability) | D6 (D7) | Cognitive file integrity; trust-weighted retrieval |
| ASI07 | Insecure Inter-Agent Comms | T12, T16 | — | — | L7 | Egress | D5 (D7) | A2A over TLS + signed Agent Cards |
| ASI08 | Cascading Failures | T5 | — | — | cross-layer | Control (Observability) | D3 (D7) | Step-up gates; graph-walk anomaly detection |
| ASI09 | Human-Agent Trust Exploitation | T10, T15 | — | — | L7 | Observability (Control) | D7 (D3, D9) | Plan-divergence detection; HITL on sensitive actions |
| ASI10 | Rogue Agents | T13 | — | — | L7 | Identity (Observability) | D2 (D7) | Behavioral drift; distributed kill switch |
Three ASI categories (ASI07, ASI08, ASI10) are entirely new risk classes absent from the LLM Top 10; they have no LLM-Top-10 anchor and no MITRE ATLAS technique as of v5.6.0, which is why the wiki’s multi-agent controls lean on the RA Egress and Observability planes rather than an external catalog.
The five threat classes — gaps beyond the published lists
The five threat classes do not map one-to-one onto ASI categories; they are cross-cutting adversary models that a CISO raises and the standard lists under-serve. Each lands across several planes and domains.
| Class | Threat | RA planes | CMM domains | Single highest-leverage control |
|---|---|---|---|---|
| 1 | AI-aware insider | Identity, Control, Data, Observability | D2, D3, D6, D8, D9 | Customer-owned, version-pinned eval harness over every artifact (AI-BOM + always-on eval) |
| 2 | Long-running APT campaign | Runtime, Egress, Observability | D4, D5, D7, D9 | Cross-version eval continuity + sustained AI-workload threat hunting |
| 3 | Collusion (agent–agent / insider–agent / agent–human) | Control, Runtime, Observability | D3, D4, D7, D9 | Mutually-blind monitor isolation + output canonicalization + deception probes |
| 4 | Model-version degradation | Runtime, Data, Supply Chain | D4, D6, D8, D9 | Customer eval suite versioned independently of the vendor; pin-by-hash |
| 5 | Jurisdictional adversary | Governance, Data | D1, D9 | Multi-vendor model abstraction; jurisdiction tagging; vendor-cutoff playbook |
Classes 1, 2, and 4 collapse to one observable signal — a delta against a trusted baseline produced by a continuously-executed, version-pinned eval harness with cryptographic provenance over every artifact (weights, prompts, RAG documents, tool definitions). Class 3 partially overlaps it via output canonicalization and monitor isolation. Class 5 is the outlier: technical artifact controls do not mitigate a legal cutoff, so it resolves to governance (D1) and operations (D9) only.
Structural tests — design-time go/no-go
The trifecta and bifecta are not catalog entries; they are necessary-condition tests applied at design time, before enumeration. They map to the planes that break the condition rather than to a single threat.
| Test | Condition | What it predicts | RA plane (breaker) | CMM domain |
|---|---|---|---|---|
| Lethal Trifecta | private data + untrusted content + external comms | Exfiltration at scale | Control (downgrade) + Egress (remove comms) | D3, D5 |
| Lethal Bifecta | untrusted content + sensitive write | Damaging action | Control (tool annotation) + Runtime (review gate) | D3, D4 |
Removing any one leg of the trifecta, or interposing a deterministic gate on the bifecta’s write leg, collapses the structural risk regardless of which catalog threat is in play. This is why the RA treats the trifecta as a Design Principle, not a Threat-Control Matrix row.
STRIDE-AI as the elicitation overlay
STRIDE-AI is orthogonal to the catalogs: it is the method that walks an architecture and surfaces candidate threats, which the analyst then names using the catalogs above. Its six categories re-map onto AI assets, and each category tends to surface a recurring set of ASI categories.
| STRIDE-AI category | AI asset focus | Tends to surface |
|---|---|---|
| Spoofing | Agent / user / service identity | ASI03, ASI07, ASI10 |
| Tampering | Training data, weights, memory, prompts | ASI04, ASI06 |
| Repudiation | Action logs, attribution | ASI03 (T8 untraceability) |
| Information disclosure | Context window, RAG corpus, system prompt | ASI06, LLM02, LLM07 |
| Denial of service | Compute, quotas, agent loops | T4 Resource Overload; availability threats |
| Elevation of privilege | Delegation chains, tool scope | ASI02, ASI03, ASI05 |
How to read this page
For a design-time assessment, start with the structural tests, run STRIDE-AI elicitation against the architecture, name the results with the ASI/T-code rows above, check the five classes for what the standard lists miss, then follow each row’s RA plane and CMM domain to the control. The full method and a worked example over a multi-agent RAG system with MCP servers are on Threat Modeling for AI.
See also
- Threat Modeling for AI — the spine: when to use which taxonomy, plus the worked example
- Agentic AI Threat Classes — the five-class expansion in full
- AI Security Standards in Q1 2026 — the framework-coverage gap matrix (standards vs ASI)
- AAI-S RA · CMM — the control artifacts each row lands on