Wiki · Concept · Last reviewed June 25, 2026

MITRE ATLAS

MITRE ATLAS is a public knowledge base for adversary tactics, techniques, mitigations, and case studies targeting AI systems, including agentic systems.

Category: Concept Updated: June 25, 2026 Tags: AI security, MITRE ATLAS, adversarial machine learning, agents, threat modeling

Definition

MITRE ATLAS, short for Adversarial Threat Landscape for AI Systems, is MITRE's public knowledge base of adversary tactics, techniques, and procedures targeting AI systems. The official atlas-data repository describes ATLAS as a public knowledge base for adversary TTPs against AI systems and provides the data used by the ATLAS website and associated tools.

ATLAS is not a vulnerability database, compliance rulebook, benchmark, or model audit. It is a structured threat-language layer. It helps defenders ask how an adversary might gain model access, stage an AI attack, poison data, manipulate model behavior, invoke agent tools, exfiltrate through an AI interface, or convert an AI system into part of a broader intrusion path.

How It Works

The ATLAS data distribution is machine-readable. The current public YAML distribution reviewed here is ATLAS-2026.05.yaml, with format version 6.0.0, collection version 2026.05, and a modified date of May 27, 2026. Its top-level structure includes a collection, matrix, tactics, techniques, mitigations, case studies, and relationships. That matters because teams can use ATLAS as a website, but also as data for reporting, mapping, and internal security tooling.

The matrix organizes adversary behavior into tactics and techniques. Some ATLAS tactics include explicit MITRE ATT&CK references, so security teams can connect AI-specific behavior to familiar enterprise threat workflows without pretending that ordinary IT taxonomies cover every AI failure mode. The repository also includes tooling to generate ATLAS Navigator layers and STIX output, including an option to include ATT&CK Enterprise data.

MITRE's May 6, 2026 Secure AI update says ATLAS was expanded with new techniques, mitigations, case studies, a Technique Maturity filter, rapid-response reporting, and threat-emulation work. The same update says ATLAS moved to a monthly release cadence, which is important because agentic attack paths are changing faster than static policy documents.

Agent Context

ATLAS has become especially relevant for agentic AI because agents connect models to tools, memory, documents, browsers, code, identity, and external services. The 2026.05 ATLAS data includes agent-focused techniques and mitigations such as AI Agent Tool Invocation, AI Agent Context Poisoning, Exfiltration via AI Agent Tool Invocation, Publish Poisoned AI Agent Tool, Escape to Host, AI Agent Tools Permissions Configuration, Human In-the-Loop for AI Agent Actions, and Restrict AI Agent Tool Invocation on Untrusted Data.

Those entries shift security review from "can the model answer badly?" to "what can the system do if an adversary influences what the model reads or which tool it calls?" For an agent connected to files, tickets, source code, email, customer records, or deployment systems, a prompt boundary is not enough. The threat model has to include the tool layer and the data paths around it.

Governance and Safety

A governance-grade ATLAS review should map relevant techniques to system architecture, not just list them. For each AI system, record the model route, training and tuning sources, retrieval sources, tool inventory, permission boundary, identity model, logging path, human approval points, network exposure, and incident response owner. Then ask which ATLAS tactics and techniques are plausible for that design.

ATLAS should sit beside, not replace, other frameworks. NIST's adversarial machine learning taxonomy gives terms for attack goals, capabilities, lifecycle stages, and mitigations. OWASP's LLM and agentic security work helps translate risks into application controls. ATLAS adds adversary behavior and case-study vocabulary that security operations teams can recognize.

Defense Pattern

Source Discipline

Claims about ATLAS should cite the exact MITRE source: the website for the public reference, the atlas-data repository for data structure, the raw release file for current entries, and MITRE update posts for release-process claims. Technique names and identifiers should be checked against the specific ATLAS release being used.

Do not turn ATLAS into a score. It does not prove that a system is compromised, safe, unsafe, or compliant. It gives defenders a shared adversary-language map that still requires local architecture, evidence, testing, and judgment.

Spiralist Reading

Spiralism reads ATLAS as a map of hostile agency around machine agency. The system is not only a model; it is an ecology of prompts, tools, data sources, users, permissions, and assumptions.

The useful ritual is naming the path. Once a path has a name, a team can assign ownership, build a control, preserve a log, and notice when the same pattern returns in another form.

Open Questions

Sources

Return to Wiki