MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a structured knowledge base of adversary tactics, techniques, and case studies targeting AI and machine learning systems. Think of it as the AI-specific extension of MITRE ATT&CK, applied not to networks and endpoints but to data pipelines, model inference APIs, training processes, and the AI tools your employees use every day. As of 2026, ATLAS documents 16 tactics, 170 techniques, 35 mitigations, and 57 real-world case studies.
What is MITRE ATLAS and what problem does it solve?
For two decades, MITRE ATT&CK gave defenders a shared language for adversary behavior. It cataloged how attackers move through networks, escalate privileges, and exfiltrate data. It worked because the attack surface was relatively stable: endpoints, servers, network protocols, credentials.
AI changed that. When Microsoft launched Tay in 2016, the attack that took it down in 24 hours exploited no CVE. No credentials were stolen. No network was breached. Adversaries simply provided inputs through the interface the system was designed to accept, and the model’s own learning mechanism turned those inputs against itself. ATT&CK had no category for it.
That gap is exactly what MITRE ATLAS fills. The framework documents how adversaries target AI systems specifically: manipulating training data, abusing inference APIs, injecting malicious prompts, poisoning model outputs, and exploiting the trust relationships that autonomous AI agents hold within enterprise infrastructure. It provides security teams with a structured taxonomy to identify threats, model attack paths, and map controls to the AI layer of their stack.
ATLAS is maintained by MITRE’s Center for Threat-Informed Defense and updated continuously based on real-world incident reporting. The v5.1.0 update in November 2025 expanded coverage significantly. The first 2026 update added new agentic AI techniques, reflecting the rapid shift from AI tools that assist users to AI agents that act on their behalf.
How does MITRE ATLAS differ from MITRE ATT&CK?
ATLAS and ATT&CK are complementary, not competing. ATT&CK covers the traditional attack surface: initial access through phishing, lateral movement through credential abuse, exfiltration through command-and-control channels. ATLAS inherits 13 tactics directly from ATT&CK and applies them to AI-specific contexts, then adds three tactics with no ATT&CK equivalent.
The key structural difference is the attack target. ATT&CK models attacks against infrastructure. ATLAS models attacks against AI systems — the model itself, the data it was trained on, the API it exposes, and the decisions it makes. A prompt injection attack on ChatGPT does not touch a network. It touches the model’s reasoning process. ATT&CK has no technique for that. ATLAS does.
In practice, most enterprise environments need both. ATT&CK remains the right framework for lateral movement, ransomware, and endpoint compromise. ATLAS becomes essential the moment AI usage is part of the workflow, which, for the majority of knowledge workers, it already is. 45% of enterprise employees actively use AI tools, according to LayerX research. Security frameworks that ignore the AI layer are leaving a large and active attack surface unmapped.
The other meaningful difference is pace. ATLAS is updated faster than ATT&CK because the AI threat landscape moves faster. Techniques covering agentic AI browsers, AI agent credential harvesting, and LLM-based command-and-control channels appeared in ATLAS before most security teams had finished assessing their first ChatGPT deployment.
What tactics and techniques does MITRE ATLAS cover?
ATLAS organizes adversary behavior into 16 tactics, each representing a phase or goal in an attack against an AI system. The framework inherits familiar ATT&CK tactics and applies them to AI contexts. Three tactics have no ATT&CK equivalent:
ML Attack Staging covers preparation work specific to AI attacks: building proxy models, training adversarial data, preparing attack infrastructure that mirrors the target AI system.
ML Model Access covers methods adversaries use to interact with an AI model — through a public API, a compromised internal endpoint, or physical access to model artifacts.
ML Model Attacks covers direct attacks on model behavior: evasion, inference, inversion, and poisoning.
Within these tactics, several techniques appear most frequently in enterprise incident reports. Prompt injection (AML.T0051) tops the list. Data exfiltration via AI model (AML.T0025) documents how sensitive information submitted to an AI tool can be extracted or exposed. Supply chain compromise for ML (AML.T0010) covers attacks against the libraries, datasets, and third-party models organizations integrate into their AI workflows. For a deeper look at how these risks map to GenAI security controls, LayerX’s research provides a practitioner-level breakdown.
Which MITRE ATLAS techniques are most relevant to enterprise AI usage?
Most ATLAS discussions focus on model-level attacks: adversarial examples, model extraction, training data poisoning. These are real threats for organizations that build and operate AI models. For the majority of enterprises, the more immediate exposure is different. Their AI risk is not in the model architecture. It is in how employees interact with AI tools every day.
77% of enterprise employees paste data into GenAI prompts. Half of that paste activity includes corporate data. 89% of AI logins in enterprise environments bypass corporate oversight, with users accessing ChatGPT, Copilot, Claude, and Gemini through personal accounts that IT never provisioned and cannot monitor.
The ATLAS techniques most relevant to this reality:
AML.T0051 — Prompt Injection: Adversaries embed malicious instructions in content the AI model processes. In enterprise environments using Copilot or AI-assisted email tools, this requires no special access — only that a malicious actor can get content in front of an AI the target user trusts. AI misuse prevention controls address this at the session layer.
AML.T0025 — Exfiltration via AI Model: Sensitive data submitted to an AI tool is largely invisible to network-level DLP because it moves as normal HTTPS traffic to a sanctioned destination. This is the core problem AI DLP is designed to solve.
AML.T0098 — AI Agent Tool Credential Harvesting: A 2026 addition to ATLAS. When an agent has persistent access to SharePoint, OneDrive, or a CRM, compromising the agent is equivalent to compromising those tools directly.
AML.T0100 — AI Agent Clickbait: Adversaries craft web pages, documents, or UI elements designed to manipulate AI agent decision-making. The agent complies with instructions that appear task-aligned, even when adversarial.
Where do MITRE ATLAS threats actually execute in the enterprise environment?
This is the question most ATLAS explainers avoid, and it is the most operationally important one.
Security teams reading ATLAS naturally think in terms of existing control points: network, endpoint, identity. For most enterprise AI attacks, threats do not enter the perimeter. They execute inside it, through surfaces the perimeter was never designed to monitor.
Prompt injection does not arrive as a network intrusion. It arrives as a document a user opens in their browser. Data exfiltration via AI model does not look like a data breach. It looks like a user typing into ChatGPT over HTTPS.
The common thread across the highest-frequency enterprise ATLAS techniques is that they execute at the browser layer, inside AI tool sessions. Network tools see the connection to ChatGPT’s domain. They do not see what was typed. Endpoint tools see the browser process. They do not see what happened inside the session. Identity tools know the user authenticated. They do not know what data moved through the AI interaction afterward.
That coverage gap is not a configuration problem. It is an architectural one. Browser extension security addresses it at the layer where these techniques execute.
How do security teams operationalize MITRE ATLAS controls?
ATLAS provides the threat model. Operationalizing it requires mapping framework techniques to actual controls, then closing gaps where those controls do not reach.
A practical starting point is the ATLAS Navigator. Security teams can layer existing control coverage against the ATLAS matrix to visualize which techniques they can detect, prevent, or have no coverage for. Approximately 70% of ATLAS mitigations map to existing security controls. The remaining 30% require coverage most stacks do not currently provide — disproportionately concentrated in the AI interaction layer.
Teams that have gone furthest with ATLAS operationalization treat AI interactions as a distinct visibility domain requiring dedicated controls: session-level monitoring of AI tool interactions, classification of data flowing into AI prompts, and enforcement policies that respond to ATLAS-mapped behaviors in real time.
Reddit’s security community has surfaced this friction directly. Practitioners find ATLAS valuable as a taxonomy but frustrating to operationalize because the techniques assume visibility that most security teams do not have. The framework tells you what to look for. Getting the vantage point to see it is a separate problem.
How does browser-level enforcement address MITRE ATLAS techniques?
Most ATLAS-mapped enterprise AI threats execute inside the browser session. Addressing them requires enforcement at that layer.
LayerX operates as an Enterprise Browser Extension, providing real-time visibility and control over AI tool interactions at the session level. Several specific technique mappings are direct:
For prompt injection (AML.T0051), LayerX monitors the content of AI interactions — what is pasted into ChatGPT, Copilot, Claude, and Gemini. When content matches injection patterns or sensitive data classifiers, it can warn the user, redact the sensitive element, or prevent the submission.
For data exfiltration via AI model (AML.T0025), LayerX classifies what employees paste and upload to AI tools. 50% of paste activity to GenAI tools contains corporate data. Security teams can apply graduated controls — monitor, warn, prevent, or redact — without blocking AI access entirely.
For shadow AI and unauthorized tool access, LayerX provides continuous discovery of every AI tool in use across the organization. 89% of enterprise AI usage currently bypasses corporate oversight. LayerX makes that usage visible and brings it under policy control.
For agentic AI threats — credential harvesting (AML.T0098), AI agent clickbait (AML.T0100) — LayerX is the only security platform with visibility and enforcement over agentic AI browsers including ChatGPT Atlas, Perplexity Comet, and Dia.
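The graduated controls described above for AML.T0025 (monitor, warn, redact, prevent), as an added sketch that is not LayerX's code or rule set: the classifiers, severities, escalation order and the stricter handling of personal accounts are all assumptions, and the sample values are constructed.

```python
import re

# Constructed classifiers (assumptions, not a vendor rule set):
# name -> (regex, severity 1-3).
CLASSIFIERS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 3),
    "payment_card": (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), 3),
    "internal_marker": (re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.I), 2),
    "email_address": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), 1),
}
ACTIONS = ["monitor", "warn", "redact", "prevent"]  # assumed escalation order

def luhn_ok(candidate):
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    digits = [int(d) for d in re.sub(r"\D", "", candidate)][::-1]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

def find_hits(text):
    """Return sorted (start, end, classifier, severity) tuples for one prompt."""
    hits = []
    for name, (pattern, severity) in CLASSIFIERS.items():
        for m in pattern.finditer(text):
            if name == "payment_card" and not luhn_ok(m.group()):
                continue  # e.g. an order number that merely looks like a card
            hits.append((m.start(), m.end(), name, severity))
    return sorted(hits)

def evaluate_prompt(text, account="corporate"):
    """Decide the action for a prompt about to be submitted to an AI tool."""
    hits = find_hits(text)
    level = max((h[3] for h in hits), default=0)
    if level and account == "personal":
        level = min(level + 1, 3)  # assumed: unmanaged accounts escalate one step
    action, out, cut = ACTIONS[level], text, len(text)
    if action == "redact":
        for start, end, name, _ in reversed(hits):
            if end > cut:
                continue  # overlaps a span already redacted
            out = out[:start] + f"[REDACTED:{name}]" + out[end:]
            cut = start
    elif action == "prevent":
        out = None  # nothing is submitted
    names = sorted({h[2] for h in hits})
    return {"action": action, "classifiers": names, "text": out}
```
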
What does MITRE ATLAS mean for AI governance and compliance?
ATLAS is increasingly referenced in regulatory and compliance frameworks for AI security. The EU AI Act, NIST AI RMF, and ISO 42001 all address AI risk management at a policy level. ATLAS provides the technical vocabulary that translates policy requirements into specific, testable controls.
For CISOs briefing boards on AI risk, ATLAS offers a credible external reference point. Organizations that integrate ATLAS into their threat modeling process are better positioned to answer auditors, regulators, and insurers asking specific questions about AI security posture.
The compliance angle affects vendor evaluation. Tools that can map detection and enforcement capabilities to specific ATLAS technique identifiers — AML.T0051, AML.T0025, AML.T0098 — allow teams to produce structured coverage maps rather than narrative descriptions.
The direction is clear. ATLAS is transitioning from a research framework to a compliance benchmark.
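The coverage layering described for the ATLAS Navigator and the structured coverage map mentioned above, as an added example that is not part of the original article or of MITRE's tooling: the control inventory and the `AML.TXXXX` placeholder are constructed, and the technique IDs and names are the ones this article uses.

```python
# Technique IDs and names as written in this article.
TECHNIQUES = {
    "AML.T0051": "Prompt Injection",
    "AML.T0025": "Exfiltration via AI Model",
    "AML.T0010": "Supply chain compromise for ML",
    "AML.T0098": "AI Agent Tool Credential Harvesting",
    "AML.T0100": "AI Agent Clickbait",
}

# Constructed control inventory (hypothetical names). Each entry claims one
# capability, "detect" or "prevent", for the listed technique IDs.
CONTROLS = [
    {"name": "dependency-scanner", "capability": "detect",
     "techniques": ["AML.T0010"]},
    {"name": "prompt-inspection", "capability": "detect",
     "techniques": ["AML.T0051", "AML.T0025"]},
    {"name": "prompt-inspection", "capability": "prevent",
     "techniques": ["AML.T0025"]},
    # Placeholder ID that is not in the matrix, to show stale mappings surface.
    {"name": "legacy-mapping", "capability": "detect",
     "techniques": ["AML.TXXXX"]},
]

RANK = {"none": 0, "detect": 1, "prevent": 2}

def build_coverage(techniques, controls):
    """Layer control claims over the technique list; keep the strongest status."""
    coverage = {tid: {"name": name, "status": "none", "controls": []}
                for tid, name in techniques.items()}
    unknown = []  # (control, technique ID) pairs that match no known technique
    for control in controls:
        capability = control["capability"]
        if capability not in ("detect", "prevent"):
            raise ValueError(f"unknown capability: {capability!r}")
        for tid in control["techniques"]:
            if tid not in coverage:
                unknown.append((control["name"], tid))
                continue
            row = coverage[tid]
            row["controls"].append(f"{control['name']}:{capability}")
            if RANK[capability] > RANK[row["status"]]:
                row["status"] = capability
    return coverage, unknown

def gaps(coverage):
    """Technique IDs with no detect or prevent coverage at all."""
    return sorted(t for t, row in coverage.items() if row["status"] == "none")
```
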
Frequently Asked Questions
Is MITRE ATLAS the same as MITRE ATT&CK?
No. ATT&CK covers traditional network and endpoint attack paths. ATLAS extends that taxonomy specifically to AI systems. ATLAS inherits 13 tactics from ATT&CK and adds three with no ATT&CK equivalent. Security teams should use both frameworks together.
Does MITRE ATLAS cover prompt injection?
Yes. Prompt injection is documented under ATLAS technique AML.T0051. It covers attacks where adversaries craft inputs that manipulate an AI model’s behavior, including direct jailbreaking, indirect injection via documents or web content, and plugin abuse.
How often is MITRE ATLAS updated?
Actively. Version 5.1.0 launched November 2025 with 16 tactics, 170 techniques, 35 mitigations, and 57 case studies. The first 2026 update added agentic AI techniques. ATLAS is a living document updated from real-world incident reports.
Do I need to replace my existing security tools to implement MITRE ATLAS?
No. MITRE ATLAS is a framework, not a product. Around 70% of its mitigations map to existing security controls. The gap is coverage of the AI interaction layer — specifically what happens inside browser sessions during GenAI usage.
Which MITRE ATLAS techniques are hardest to detect with traditional security tools?
Exfiltration via AI model (AML.T0025), prompt injection (AML.T0051), and AI agent credential harvesting (AML.T0098) are rarely visible to network or endpoint tools. They occur as normal HTTPS traffic within sanctioned applications, during authenticated sessions.
Does MITRE ATLAS apply to browser-based AI tools like ChatGPT or Microsoft Copilot?
Yes. Several ATLAS techniques execute directly through browser-based AI interactions, including data exfiltration via prompt (AML.T0025) and prompt injection via documents (AML.T0051). These are the highest-frequency enterprise AI threats.