The AI Threat Mitigation Playbook: A Comprehensive Roadmap for Organizations
A unified, phased roadmap that harmonizes NIST AI RMF, MITRE ATLAS, OWASP LLM & Agentic AI Top 10, and CISA guidance into a single, actionable AI security strategy.
Purpose of This Playbook: This document provides a unified, phased roadmap that harmonizes the major AI security frameworks into a single, actionable strategy. It is designed for CISOs, security architects, governance teams, and technical practitioners who need to move from policy aspiration to operational reality.
1. Executive Summary
Artificial intelligence is no longer an emerging technology—it is embedded in enterprise operations, from customer-facing chatbots and predictive analytics to autonomous decision-making agents. With this adoption comes a fundamentally new class of security threats that traditional cybersecurity frameworks were never designed to address.
The good news is that the industry has responded. A robust ecosystem of AI-specific security frameworks has emerged, each addressing a different dimension of the problem. The NIST AI Risk Management Framework provides top-down governance structure. MITRE ATLAS catalogs adversary tactics and techniques targeting AI systems. The OWASP Top 10 for LLM Applications and the new Top 10 for Agentic Applications give developers actionable vulnerability checklists. CISA has issued operational guidance for securing AI in government and critical infrastructure environments.
However, the sheer number of frameworks creates its own challenge. Organizations starting their AI security journey face “compliance chaos”—overlapping guidance, competing vocabularies, and no clear roadmap for where to begin. This playbook solves that problem.
The playbook is organized around five phases—Discover, Govern, Harden, Detect, and Evolve—that take an organization from initial awareness through operational maturity. At each phase, we map specific actions to the frameworks that inform them, creating a practical integration layer that eliminates duplication and ensures comprehensive coverage.
2. The Problem: Why Traditional Security Frameworks Fall Short
Traditional cybersecurity operates on well-understood principles: protect the network perimeter, harden endpoints, manage identities and access, encrypt data in transit and at rest, and monitor for indicators of compromise. These principles remain essential, but they were designed for a world where software behaves deterministically.
AI systems break these assumptions in fundamental ways:
Non-Deterministic Behavior
AI models, particularly large language models, produce outputs that vary even with identical inputs. This makes traditional testing and validation approaches insufficient. You cannot write a test case for every possible output of a generative AI system.
Data as an Attack Surface
In traditional software, the code is the primary attack surface. In AI systems, the training data, fine-tuning data, retrieval-augmented generation (RAG) data, and even runtime input data all become vectors for manipulation. Data poisoning can alter model behavior without touching a single line of code.
The Agency Problem
Agentic AI systems can plan, remember, choose tools, and take autonomous actions. This introduces risks that have no analog in traditional software—goal hijacking, cascading failures across multi-agent systems, rogue agent behavior, and the exploitation of human trust in AI-generated outputs.
Supply Chain Complexity
AI supply chains include not just software dependencies but also pre-trained models, datasets, fine-tuning services, plugins, MCP servers, and runtime tool integrations. Each link introduces potential compromise that traditional software composition analysis does not cover.
The Speed of Evolution
AI threats evolve faster than traditional cyber threats. New attack techniques emerge as researchers and adversaries probe the boundaries of model behavior. Frameworks must be treated as living documents, and security programs must be designed for continuous adaptation.
The Key Insight: AI security is not a replacement for traditional cybersecurity—it is a necessary extension. Organizations need both. The frameworks discussed in this playbook are designed to layer on top of existing security programs, filling the gaps that AI introduces.
3. The Framework Landscape: Understanding Your Arsenal
Before building an integrated strategy, it is essential to understand what each framework does, who it serves, and where it fits. Each answers a different fundamental question:
| Framework | Core Question | Primary Audience | Type |
|---|---|---|---|
| NIST AI RMF | How do we govern and manage AI risk at scale? | CISOs, Executives, Governance Teams | Risk Management Framework |
| MITRE ATLAS | How do adversaries attack AI systems? | Red Teams, SOC Analysts, Threat Modelers | Adversary Knowledge Base |
| OWASP LLM Top 10 | What are the most common LLM vulnerabilities? | Developers, AppSec Engineers | Vulnerability Checklist |
| OWASP Agentic AI Top 10 | What are the unique risks of autonomous AI agents? | AI Engineers, Platform Teams | Risk Framework |
| CISA AI Guidance | How do we secure AI in critical infrastructure? | Federal Agencies, CI/CD Operators | Government Best Practices |
3.1 NIST AI Risk Management Framework (AI RMF)
Released in January 2023 and continuously evolving, the NIST AI RMF is the governance backbone of any AI security program. It is voluntary, flexible, and designed to be adapted to an organization’s specific context, risk tolerance, and AI maturity. The framework organizes risk management into four core functions:
| Function | Description |
|---|---|
| GOVERN | Establish organizational AI risk culture, policies, accountability structures, and oversight mechanisms. This is the foundation for everything else. |
| MAP | Identify and contextualize AI risks throughout the system lifecycle. Understand your AI systems, their intended uses, their stakeholders, and their potential impacts. |
| MEASURE | Quantify and track identified risks using metrics, testing, and evaluation. This includes bias testing, robustness evaluation, and adversarial testing. |
| MANAGE | Prioritize, respond to, and monitor AI risks. Implement controls, deploy mitigations, and maintain continuous oversight. |
NIST also provides a companion Playbook with actionable sub-actions for each function, a Generative AI Profile (NIST AI 600-1) addressing GenAI-specific risks, and a Cyber AI Profile (NIST IR 8596, preliminary draft) that maps AI considerations to the NIST Cybersecurity Framework 2.0.
Key Takeaway: Use NIST AI RMF as your strategic North Star. It defines the governance structure, accountability model, and risk management lifecycle that all other frameworks plug into. Start here for organizational alignment.
3.2 MITRE ATLAS
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is the AI equivalent of MITRE ATT&CK. As of October 2025, it catalogs 15 tactics, 66 techniques, 46 sub-techniques, 26 mitigations, and 33 real-world case studies targeting AI and ML systems. The October 2025 update added significant coverage for agentic AI threats.
ATLAS is organized by adversary objectives—from initial reconnaissance through resource development, model access, model manipulation, and impact. Its power lies in providing defenders with an adversary’s perspective: understanding not just what could go wrong, but how attackers actually exploit AI systems.
Critical capabilities include ATLAS Navigator for visual threat mapping, STIX 2.1 format data for automated SIEM integration, the SAFE-AI framework that maps ATLAS threats to NIST SP 800-53 controls, and the AI Incident Sharing initiative launched in October 2024 for anonymized attack data exchange.
Key Takeaway: Use MITRE ATLAS as your threat intelligence and red-teaming engine. It translates governance requirements into concrete attack scenarios you can test against. Approximately 70% of ATLAS mitigations map to existing security controls, making SOC integration practical.
3.3 OWASP Top 10 for LLM Applications
The OWASP Top 10 for LLM Applications is the most widely adopted developer-facing guide for LLM security. Updated annually, it identifies the most critical vulnerabilities in LLM-powered applications. The 2025 version covers prompt injection, insecure output handling, training data poisoning, model denial of service, supply chain vulnerabilities, and more.
Its strength is accessibility. Unlike the comprehensive governance frameworks, the OWASP LLM Top 10 gives developers and AppSec engineers a prioritized checklist they can apply immediately during design and code review.
3.4 OWASP Top 10 for Agentic AI Applications
Released in December 2025, this is the newest and arguably most urgent addition to the landscape. The OWASP Top 10 for Agentic Applications 2026 addresses the unique risks of autonomous AI agents—systems that plan, act, and make decisions with limited human intervention.
| Risk ID | Risk Name | Description |
|---|---|---|
| ASI01 | Agent Behavior Hijacking | Adversaries redirect agent goals through prompt injection or poisoned content |
| ASI02 | Tool and Function Misuse | Agents misuse or are tricked into misusing integrated tools |
| ASI03 | Identity and Privilege Abuse | Agents operate with excessive permissions or impersonate users |
| ASI04 | Supply Chain and Agent Dependency Risks | Compromised MCP servers, plugins, or runtime dependencies |
| ASI05 | Memory and Context Manipulation | Adversaries poison agent memory for cross-session attacks |
| ASI06 | Misguided or Unsafe Agent Actions | Agents take harmful actions due to ambiguous instructions |
| ASI07 | Insecure Inter-Agent Communication | Spoofed messages between agents in multi-agent systems |
| ASI08 | Cascading Failures | False signals propagate through automated pipelines |
| ASI09 | Human-Agent Trust Exploitation | Agents produce confident outputs that mislead human operators |
| ASI10 | Rogue Agents | Agents exhibit misalignment, concealment, or self-directed action |
Why This Matters Now: These are not theoretical risks. Real-world incidents include malicious MCP servers discovered on npm impersonating legitimate services, RCE vulnerabilities found in major AI assistant extensions, and agents autonomously installing compromised packages. The OWASP Agentic Top 10 is essential reading for any organization deploying AI agents.
3.5 CISA AI Security Guidance
CISA has issued multiple guidance documents that provide practical, government-backed best practices for AI security. Key publications include the CISA AI Roadmap (updated April 2025), the Joint Guidance on AI Data Security (May 2025, co-authored with NSA and FBI), the Guidelines for Secure AI System Development, and the Principles for Secure Integration of AI in OT (December 2025).
CISA’s guidance is particularly relevant for federal agencies, defense industrial base organizations, and critical infrastructure operators. It emphasizes four principles for OT environments: understand AI risks, assess AI use cases, establish AI governance, and embed safety and security into AI operations.
4. The Unified Playbook: A Five-Phase Roadmap
This playbook synthesizes all five frameworks into a phased approach that organizations can follow regardless of their current AI maturity. Each phase builds on the previous one, and each action is mapped to the framework(s) that inform it.
Phase 1: Discover and Assess (Weeks 1–4)
Goal: Know what you have, know what’s at risk, establish your baseline.
1.1 Create a Comprehensive AI Asset Inventory
Before you can secure AI, you must find it. Many organizations discover AI components running in their environments that no one formally approved—shadow AI. Your inventory should catalog every AI model (commercial, open-source, fine-tuned, custom-built), every dataset used for training, fine-tuning, or RAG, all AI-powered applications and integrations, agentic AI deployments and their tool access, and third-party AI services and APIs.
Framework alignment: This maps directly to NIST AI RMF’s MAP function, specifically MAP 1.1 through 1.6. CISA’s data security guidance emphasizes inventorying data sources throughout the AI lifecycle.
1.2 Classify AI Systems by Risk Tier
Not all AI systems carry equal risk. Classify each system based on its autonomy level (advisory vs. decision-making vs. fully autonomous), the sensitivity of data it processes, its impact scope (individual, organizational, public), whether it operates in critical infrastructure or OT environments, and its external exposure.
1.3 Conduct Initial Threat Modeling
Using MITRE ATLAS as your guide, walk through each AI system and identify which of the 15 ATLAS tactics could target it. Pay particular attention to initial access vectors (prompt injection, supply chain compromise), data manipulation risks (training data poisoning, data drift), model-specific threats (extraction, inversion, evasion), and agentic risks (goal hijacking, tool misuse, privilege escalation).
1.4 Assess Current Security Posture
Evaluate your existing security controls against AI-specific requirements. OWASP LLM Top 10 provides a practical checklist for application-level vulnerabilities. Key questions include: Do you have input validation for LLM prompts? Are model outputs sanitized before being acted upon? Is your AI supply chain monitored? Do AI agents operate with least privilege?
Phase 2: Govern and Organize (Weeks 5–12)
Goal: Establish the organizational structure, policies, and accountability needed to sustain AI security.
2.1 Establish an AI Governance Committee
Create a cross-functional governance body with clear authority over AI risk decisions. This committee should include representation from information security and CISO office, data science and AI engineering, legal and compliance, privacy, business unit leadership, and risk management. Define a clear charter, decision rights, escalation paths, and meeting cadence.
2.2 Develop AI-Specific Security Policies
Your existing security policies will need AI-specific extensions. At minimum, you need an Acceptable AI Use Policy defining approved and prohibited AI uses, an AI Data Governance Policy covering data sourcing, labeling, retention, and deletion, an AI Model Lifecycle Policy addressing development, testing, deployment, monitoring, and retirement, and an AI Agent Authorization Policy specifying who can deploy agents and what permissions they receive.
2.3 Define AI Risk Appetite and Thresholds
Work with executive leadership to define the organization’s tolerance for AI-specific risks. This includes setting acceptable accuracy and reliability thresholds, defining bias and fairness metrics, establishing maximum autonomy levels for different use cases, and determining data sensitivity boundaries for AI processing.
2.4 Integrate AI Risk into Enterprise Risk Management
AI risk should not exist in a silo. Integrate it into your existing enterprise risk management (ERM) program, GRC platform, and audit cycles. Map AI risks to business processes and existing control frameworks such as SOC 2, CMMC, FedRAMP, PCI DSS, or HITRUST as applicable. NIST’s new Cyber AI Profile (IR 8596) provides explicit crosswalks to CSF 2.0 categories.
Phase 3: Harden and Defend (Weeks 13–26)
Goal: Implement technical controls that protect AI systems against the threats identified in Phase 1.
3.1 Secure the AI Data Pipeline
Data is the lifeblood of AI and its primary attack surface. Following CISA’s May 2025 AI Data Security guidance, implement cryptographic integrity verification for all training and fine-tuning datasets using quantum-resistant digital signature standards. Establish a data provenance chain that tracks every dataset from source through preprocessing, training, and deployment.
3.2 Harden LLM Applications
Apply OWASP LLM Top 10 mitigations systematically. Priority actions include implementing prompt sanitization and input validation to defend against prompt injection (LLM01). Apply output filtering and encoding to prevent insecure output handling (LLM02). Pin and verify all model dependencies, libraries, and plugins to address supply chain risks (LLM05). Implement rate limiting and resource controls to prevent model denial of service (LLM04).
3.3 Secure Agentic AI Deployments
For organizations deploying AI agents, the OWASP Agentic Top 10 mitigations are critical. Apply the principle of Least Agency—do not give agents more autonomy than the business problem justifies. Implement unique, scoped identities for every agent with custom RBAC roles. Validate all tool invocations server-side with schema enforcement. Deploy human-in-the-loop checkpoints for high-impact actions.
3.4 Establish AI Supply Chain Security
Following both CISA guidance and OWASP recommendations, implement AI Software Bills of Materials (AI-SBOMs) that document model dependencies, training data sources, and tool integrations. Monitor for supply chain compromise including typosquatting attacks on model registries and package managers, runtime dependency injection, and compromised MCP servers.
3.5 Deploy AI-Aware Security Controls
Traditional security tools need augmentation. Deploy AI guardrails technology that can inspect, validate, and filter AI inputs and outputs in real time. Implement model integrity verification to detect unauthorized model modifications. Deploy behavioral analytics that can identify anomalous AI system behavior.
Phase 4: Detect and Respond (Weeks 27–40)
Goal: Build operational capabilities to detect AI-specific attacks and respond effectively when they occur.
4.1 Extend SOC Capabilities for AI Threats
Your Security Operations Center needs new detection capabilities for AI-specific attacks. Integrate MITRE ATLAS tactics and techniques into your SOC’s threat detection playbooks. Define detection rules for prompt injection attempts, unusual model query patterns that suggest extraction attacks, unexpected changes in model behavior that could indicate poisoning, and anomalous agent activities.
4.2 Develop AI-Specific Incident Response Playbooks
Create runbooks for AI-specific incident types including data poisoning response (quarantine affected data, assess model impact, retrain if necessary), model compromise response (isolate model, audit all recent outputs, deploy clean version), prompt injection response (analyze attack vector, update filters, assess data exfiltration), and agent compromise response (revoke agent credentials, audit all actions taken, assess blast radius).
4.3 Implement AI Red Teaming
Establish a regular AI red-teaming program that uses MITRE ATLAS techniques to simulate adversarial attacks against your AI systems. This should include adversarial input testing (evasion and manipulation), prompt injection campaigns against LLM applications, data poisoning simulations, model extraction attempts, and agentic attack scenarios (goal hijacking, tool misuse, privilege escalation).
4.4 Establish AI-Specific Metrics and Monitoring
Define and track key performance indicators for your AI security program. Map these to NIST AI RMF’s MEASURE function. Key metrics include model drift rate and anomaly detection frequency, number and severity of prompt injection attempts blocked, AI supply chain vulnerability scan results, agent action audit coverage, and mean time to detect and respond to AI-specific incidents.
Phase 5: Evolve and Mature (Ongoing)
Goal: Continuously improve your AI security posture as threats, technologies, and regulations evolve.
5.1 Conduct Quarterly Threat Model Reviews
MITRE ATLAS is a living framework that receives regular updates. The October 2025 update added 14 new agentic AI techniques. Conduct quarterly reviews to incorporate new techniques into your threat model, retire mitigations for threats that no longer apply, assess new AI deployments against the current threat landscape, and update red team scenarios.
5.2 Participate in AI Incident Sharing
Join MITRE’s AI Incident Sharing initiative to both contribute and benefit from anonymized attack data. This “neighborhood watch” approach provides visibility into real-world attack patterns that may not appear in public threat intelligence feeds.
5.3 Track Regulatory Evolution
The AI regulatory landscape is evolving rapidly. NIST AI RMF is currently in revision. The NIST Cyber AI Profile is in preliminary draft. NIST SP 800-53 is developing AI control overlays. The EU AI Act implementation timelines are advancing. CISA guidance continues to expand. New OWASP updates are in development. Build regulatory tracking into your quarterly review cycle.
5.4 Invest in AI Security Training
Build organizational competency through targeted training programs. SOC analysts need training on AI-specific detection and response. Developers need secure AI coding practices aligned with OWASP guidance. Red teams need adversarial ML skills aligned with MITRE ATLAS techniques. Governance teams need fluency in NIST AI RMF and emerging regulations.
5.5 Benchmark Against Maturity Model
Use the maturity model in Section 7 to assess your progress annually. Set realistic targets for advancement and tie maturity improvements to business value—reduced incident costs, faster compliance, and increased stakeholder confidence.
5. Framework Integration: The Rosetta Stone
The following table maps key AI security activities to the frameworks that inform them. This is the integration layer that eliminates duplication and ensures comprehensive coverage. Use it as a reference when planning specific initiatives.
| Activity | NIST AI RMF | MITRE ATLAS | OWASP LLM/Agentic | CISA Guidance |
|---|---|---|---|---|
| AI Asset Inventory | MAP 1.1–1.6 | Prerequisite | Scope definition | Best Practice #1 |
| Risk Classification | MAP 3.1–3.5 | Impact analysis | Risk prioritization | OT risk assessment |
| Governance Structure | GOVERN 1.1–1.7 | — | — | Principle 3 |
| Policy Development | GOVERN 2.1–2.2 | — | Security checklists | Multiple guidelines |
| Threat Modeling | MAP 5.1–5.2 | 15 Tactics, 66 Techniques | Top 10 risk categories | Threat awareness |
| Data Security | MANAGE 2.1–2.4 | Data poisoning TTPs | LLM03, LLM06 | Data security CSI |
| Input/Output Controls | MANAGE 4.1 | Evasion techniques | LLM01, LLM02 | Best Practice #3 |
| Supply Chain Security | MAP 4.1–4.2 | Supply chain TTPs | LLM05, ASI04 | Data supply chain |
| Agent Security | MANAGE 3.1–3.2 | 14 agentic techniques | ASI01–ASI10 | OT agent guidance |
| Red Teaming | MEASURE 2.1–2.13 | Case studies, Navigator | FinBot CTF | Testing guidance |
| SOC Integration | MANAGE 1.1–1.4 | STIX 2.1 data, SAFE-AI | Detection patterns | Monitoring guidance |
| Incident Response | MANAGE 4.2 | IR mapping | Mitigation guides | IR integration |
| Continuous Monitoring | MEASURE 3.1–3.3 | Ongoing updates | Annual updates | Continuous validation |
| Regulatory Alignment | Crosswalk documents | — | EU AI Act alignment | Federal compliance |
Integration Principle: Think of NIST AI RMF as the strategic layer (WHY and WHAT), MITRE ATLAS as the adversary intelligence layer (WHO and HOW), OWASP as the implementation checklist (WHAT specifically to fix), and CISA as the operational guidance layer (HOW to do it in practice, especially in federal and CI environments). Together, they provide 360-degree coverage.
6. Quick-Start Guide: First 90 Days
For organizations just beginning their AI security journey, here is a prioritized action plan for the first 90 days. These actions deliver the highest risk reduction with the most practical effort.
Quick Win: The single highest-impact action you can take today is to audit and scope down the permissions of every AI agent and LLM-powered tool in your environment. The principle of Least Agency, combined with prompt sanitization and output filtering, addresses the majority of the most common and most dangerous attack vectors across both the OWASP LLM and Agentic Top 10 lists.
Days 1–30: Foundation
Inventory all AI systems in your environment, including shadow AI. Appoint an AI Security Lead or assign ownership to an existing role. Apply OWASP LLM Top 10 mitigations to your highest-risk LLM applications, focusing on prompt injection defense, output sanitization, and supply chain dependency pinning. Begin MITRE ATLAS familiarization training for your security team.
Days 31–60: Structure
Establish a governance committee with a clear RACI matrix. Draft an initial Acceptable AI Use Policy. Conduct your first MITRE ATLAS-informed threat modeling session on your highest-risk AI system. Integrate AI asset monitoring into your existing SIEM platform. If deploying AI agents, audit all agent permissions and implement least privilege.
Days 61–90: Operationalize
Deploy AI guardrails technology for real-time input and output inspection on customer-facing AI applications. Develop your first AI-specific incident response playbook. Conduct a tabletop exercise simulating an AI security incident. Establish a quarterly review cadence for threat model updates and framework changes.
7. Maturity Model: Measuring Progress
Use this five-level maturity model to assess your current state and set targets for advancement. Each level builds on the previous one.
| Level | Name | Characteristics | Framework Focus |
|---|---|---|---|
| 1 | Initial | Ad hoc AI adoption with no formal security oversight. AI risks are not identified or managed. No AI-specific policies exist. | None formally adopted |
| 2 | Developing | AI asset inventory exists. Initial governance structure formed. Basic OWASP LLM Top 10 mitigations applied. AI risk is acknowledged at executive level. | NIST GOVERN (partial), OWASP LLM (partial) |
| 3 | Defined | Formal AI security policies in place. MITRE ATLAS-informed threat models completed. AI risk integrated into ERM. SOC monitoring includes AI telemetry. AI agents secured with least privilege. | NIST AI RMF (all functions), MITRE ATLAS (threat modeling), OWASP (full), CISA (guidance applied) |
| 4 | Managed | Quantitative AI security metrics tracked. Regular red teaming conducted. AI incident response tested and refined. Supply chain security operationalized. Continuous model monitoring deployed. | All frameworks operationalized. NIST MEASURE function fully implemented. |
| 5 | Optimizing | AI security program continuously improved based on metrics, incident data, and framework updates. Active participation in AI incident sharing. Threat models updated quarterly. AI security integrated into business strategy. | All frameworks in continuous improvement. Active community contribution. |
Most organizations today are at Level 1 or Level 2. The goal of this playbook is to provide a clear path to Level 3 within the first year and Level 4 within 18–24 months. Level 5 represents ongoing operational excellence.
8. Conclusion and Next Steps
AI is transforming enterprise operations faster than security programs can adapt—but the frameworks exist to close that gap. The challenge is not a lack of guidance; it is the need for a practical integration strategy that harmonizes governance, threat intelligence, application security, and operational response.
This playbook provides that integration. By using NIST AI RMF as your governance backbone, MITRE ATLAS as your adversary intelligence engine, OWASP’s LLM and Agentic Top 10 as your implementation checklists, and CISA guidance as your operational reference, you can build an AI security program that is comprehensive, practical, and adaptable.
The key principles to carry forward are:
Start with governance, not technology. Technology controls are essential, but they must be anchored in clear policies, accountability structures, and risk appetite definitions. NIST AI RMF’s GOVERN function should be your first priority.
Think like the adversary. MITRE ATLAS gives you the attacker’s playbook. Use it to test your defenses before real adversaries do. Red teaming is not optional—it is how you validate that your controls actually work.
Prioritize ruthlessly. You cannot address every risk simultaneously. Use the OWASP Top 10 lists to focus on the vulnerabilities that are most common, most impactful, and most actively exploited.
Treat AI security as a continuous program, not a project. The threat landscape is evolving at a pace that demands quarterly review cycles, not annual compliance checkboxes. Build your program for continuous adaptation.
Integrate, don’t isolate. AI risk must flow into your existing ERM, GRC, and SOC operations. The frameworks provide crosswalks and mappings to make this integration practical. Use them.
The organizations that thrive in the AI era will be those that embrace AI’s transformative potential while managing its risks with the same discipline they apply to every other dimension of cybersecurity. This playbook is your roadmap to getting there.
Appendix: Key Resources and References
NIST Resources
- NIST AI Risk Management Framework (AI RMF 1.0)
- NIST AI RMF Playbook
- NIST GenAI Profile (AI 600-1)
- NIST Cyber AI Profile (IR 8596, Preliminary Draft)
- NIST SP 800-53 (Release 5.2.0)
MITRE Resources
- MITRE ATLAS
- ATLAS Navigator: Available via atlas.mitre.org
- SAFE-AI Framework
- AI Incident Sharing Initiative
OWASP Resources
- OWASP GenAI Security Project
- OWASP Top 10 for LLM Applications
- OWASP Top 10 for Agentic Applications
- Agentic AI Threats and Mitigations
CISA Resources
- CISA AI Roadmap
- Joint AI Data Security Guidance (May 2025)
- Guidelines for Secure AI System Development
- Principles for Secure Integration of AI in OT (Dec 2025)
Additional Frameworks
- ISO/IEC 42001:2023 (AI Management System Standard)
- CSA MAESTRO (Agentic AI Threat Modeling Framework)
- EU AI Act
