OWASP AI Exchange

Work in progress

Cross-industry reference for AI & ML security, privacy, and governance controls

Reference page — no machine-readable feed yet

OWASP AI Exchange publishes threats and controls as prose on owaspai.org, not as JSON/YAML/CSV. Explicit crosswalks to MITRE ATLAS, ATT&CK, CWE, and NIST AI RMF are on the 2026 roadmap. This page mirrors the taxonomy from the AI Security Overview and deep-links each item to its canonical Exchange page via /go/<slug>/ short-links. Content faithfully follows owaspai.org/docs/ai_security_overview.

Three attacker goals — six impact categories

Disclose (Confidentiality)
Training/test data, model IP (parameters + process), input or augmentation data.
Deceive (Integrity)
Model-behaviour manipulation causing unintended outputs or actions.
Disrupt (Availability)
Model availability + CIA of non-AI-specific assets around the model.

Threats — by impact & attack surface

The OWASP AI Exchange organises threats in a matrix of six impact dimensions against five attack-surface/lifecycle contexts. Click any threat to open its Exchange page.

Model behaviour integrity

Deceive

Runtime — Model useDirect prompt injection
Runtime — Model useIndirect prompt injection
Runtime — Model useEvasion (adversarial examples)
Runtime — Break into deployed modelDirect runtime model poisoning (reprogramming)
Development — Engineering envDirect development-environment model poisoning
Development — Engineering envData poisoning of train/finetune data
Development — Supply chainSupply-chain model poisoning

Training data confidentiality

Disclose

Runtime — Model useDisclosure in output
Runtime — Model useModel inversion / Membership inference
Development — Engineering envDirect training data leak

Model confidentiality

Disclose

Runtime — Model useModel exfiltration (I/O harvesting)
Runtime — Break into deployed modelDirect runtime model leak
Development — Engineering envDirect development-time model leak

Model behaviour availability

Disrupt

Model useAI resource exhaustion

Model input-data confidentiality

Disclose

Runtime — All ITInput data leak

Any asset — CIA

Disrupt

Runtime — All ITOutput contains conventional injection

Controls — 5 categories

1 · AI Governance

AI governance controls

2 · Conventional security (+ AI-adapted)

Supply-chain management

SUPPLY CHAIN MANAGE

Development-time

Runtime

Adapted conventional controls

New IT security controls

3 · AI-engineer controls

4 · Data minimisation / obfuscation

Data handling limits

5 · Limit model behaviour

Behavioural guardrails

Framework alignment status

Framework	Status	Note
ISO/IEC 27090 (AI security)	aligned	Active editorial contribution by OWASP AI Exchange.
ISO/IEC 27091 (AI privacy)	aligned	Parallel contribution track.
ISO/IEC 5338 (AI lifecycle)	aligned	Lifecycle language shared with Exchange taxonomy.
EU AI Act	partial	~70 pages contributed during drafting — no formal crosswalk yet.
MITRE ATLAS	roadmap	Harmonisation prioritised for summer 2026.
NIST AI RMF	roadmap	Mapping planned alongside ATLAS harmonisation.
MITRE ATT&CK / CWE	roadmap	No explicit per-threat mapping in the current release.

References

OWASP AI Exchange

Work in progress

Cross-industry reference for AI & ML security, privacy, and governance controls

Reference page — no machine-readable feed yet

Three attacker goals — six impact categories

Disclose (Confidentiality)
Training/test data, model IP (parameters + process), input or augmentation data.
Deceive (Integrity)
Model-behaviour manipulation causing unintended outputs or actions.
Disrupt (Availability)
Model availability + CIA of non-AI-specific assets around the model.

Threats — by impact & attack surface

The OWASP AI Exchange organises threats in a matrix of six impact dimensions against five attack-surface/lifecycle contexts. Click any threat to open its Exchange page.

Model behaviour integrity

Deceive

Runtime — Model useDirect prompt injection
Runtime — Model useIndirect prompt injection
Runtime — Model useEvasion (adversarial examples)
Runtime — Break into deployed modelDirect runtime model poisoning (reprogramming)
Development — Engineering envDirect development-environment model poisoning
Development — Engineering envData poisoning of train/finetune data
Development — Supply chainSupply-chain model poisoning

Training data confidentiality

Disclose

Runtime — Model useDisclosure in output
Runtime — Model useModel inversion / Membership inference
Development — Engineering envDirect training data leak

Model confidentiality

Disclose

Runtime — Model useModel exfiltration (I/O harvesting)
Runtime — Break into deployed modelDirect runtime model leak
Development — Engineering envDirect development-time model leak

Model behaviour availability

Disrupt

Model useAI resource exhaustion

Model input-data confidentiality

Disclose

Runtime — All ITInput data leak

Any asset — CIA

Disrupt

Runtime — All ITOutput contains conventional injection

Controls — 5 categories

1 · AI Governance

AI governance controls

2 · Conventional security (+ AI-adapted)

Supply-chain management

SUPPLY CHAIN MANAGE

Development-time

Runtime

Adapted conventional controls

New IT security controls

3 · AI-engineer controls

4 · Data minimisation / obfuscation

Data handling limits

5 · Limit model behaviour

Behavioural guardrails

Framework alignment status

Framework	Status	Note
ISO/IEC 27090 (AI security)	aligned	Active editorial contribution by OWASP AI Exchange.
ISO/IEC 27091 (AI privacy)	aligned	Parallel contribution track.
ISO/IEC 5338 (AI lifecycle)	aligned	Lifecycle language shared with Exchange taxonomy.
EU AI Act	partial	~70 pages contributed during drafting — no formal crosswalk yet.
MITRE ATLAS	roadmap	Harmonisation prioritised for summer 2026.
NIST AI RMF	roadmap	Mapping planned alongside ATLAS harmonisation.
MITRE ATT&CK / CWE	roadmap	No explicit per-threat mapping in the current release.