By Shahrukh Khan

OWASP AI Top 10 with MITRE ATLAS

Explore the OWASP AI Top 10 risks and their MITRE ATLAS mappings, with real-world examples of attacks against LLM applications.

As artificial intelligence and Large Language Models (LLMs) become increasingly integrated into business operations, the security landscape is evolving rapidly. Traditional application security concerns are no longer sufficient. Organizations must now address threats unique to AI systems, including prompt injection, model poisoning, system prompt leakage, and excessive AI agent permissions.

To help security teams understand these emerging risks, the Open Worldwide Application Security Project (OWASP) maintains the OWASP Top 10 for LLM Applications. Complementing this effort, MITRE ATLAS provides a framework for understanding how adversaries target AI systems through real-world attack techniques.

This article explores the OWASP AI Top 10 risks and maps them to relevant MITRE ATLAS techniques, helping defenders understand how these vulnerabilities can be exploited in practice.

1. Prompt Injection

Prompt injection occurs when an attacker manipulates an LLM through carefully crafted input that overrides its intended instructions.

MITRE ATLAS Mapping

AML.T0051 – LLM Prompt Injection

Real World Scenario

An attacker embeds hidden instructions inside a webpage. When an AI assistant summarizes the page, the hidden prompt causes the model to reveal sensitive conversation history or perform unauthorized actions.

Security Impact

  • Unauthorized actions

  • Data leakage

  • Policy bypass

  • AI manipulation

2. Sensitive Information Disclosure

LLMs can expose confidential information stored within training data, connected databases, or retrieval systems.

MITRE ATLAS Mapping

AML.T0024.000 – Infer Training Data Membership

Real World Scenario

An attacker repeatedly queries a model and determines whether specific sensitive records were included in training data.

Security Impact

  • Privacy violations

  • Exposure of proprietary information

  • Regulatory compliance risks

3. Supply Chain Vulnerabilities

AI systems rely heavily on third-party models, datasets, frameworks, and libraries, each of which is a point where untrusted code or data enters the environment.

MITRE ATLAS Mapping

AML.T0010 – ML Supply Chain Compromise

Real World Scenario

A malicious model uploaded to a public repository executes harmful code when downloaded and loaded into a development environment.

Security Impact

  • Developer compromise

  • Backdoor deployment

  • Environment takeover
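The scenario above is the classic case of a model file that runs code when it is deserialised. As an added example (not code from the original article), the following Python scanner disassembles a pickle-serialised checkpoint with the standard library's pickletools and refuses to load it if the byte stream contains any opcode that can import a module or call an object. It assumes the checkpoint is a plain pickle; the two sample files are constructed inline, and the second uses OrderedDict only as a harmless stand-in that happens to be serialised through the same import-and-call opcodes a hostile file needs.

```python
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that let an unpickler import a module or call an object. A checkpoint
# that is pure data (dicts, lists, numbers, strings, bytes) never needs them.
IMPORT_OR_CALL_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                      "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def scan_pickle(data: bytes) -> list:
    """List every import/call opcode in a pickle stream without loading it.

    pickletools.genops only disassembles the bytes, so scanning is safe even
    when the file is hostile; pickle.loads is never reached unless it is clean.
    """
    findings = []
    recent_strings = []  # STACK_GLOBAL takes module and name from the stack
    for op, arg, pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            recent_strings.append(arg)
        if op.name == "GLOBAL":
            findings.append(f"offset {pos}: GLOBAL {arg}")  # arg is 'module name'
        elif op.name == "STACK_GLOBAL":
            mod, name = recent_strings[-2:] if len(recent_strings) >= 2 else ("?", "?")
            findings.append(f"offset {pos}: STACK_GLOBAL {mod}.{name}")
        elif op.name in IMPORT_OR_CALL_OPS:
            findings.append(f"offset {pos}: {op.name}")
    return findings


def load_if_plain_data(data: bytes):
    """Load the checkpoint only when the scan finds nothing; otherwise refuse."""
    findings = scan_pickle(data)
    if findings:
        raise ValueError("refusing to unpickle: " + "; ".join(findings))
    return pickle.loads(data)


# Constructed samples (assumption: checkpoints are plain pickles). The second
# resolves a module-level global and calls it, exactly what a scanner must catch.
PLAIN_CHECKPOINT = pickle.dumps({"layer1.weight": [0.12, -0.4, 0.9], "epochs": 3})
CALLS_INTO_MODULE = pickle.dumps(OrderedDict(a=1))
```

Formats such as safetensors avoid the problem entirely by not carrying executable structure; where pickle cannot be avoided, this scan plus a pinned hash of the expected file is the minimum check before loading.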

4. Data and Model Poisoning

Attackers manipulate training data or retrieval sources to influence model behavior.

MITRE ATLAS Mapping

AML.T0020 – Poison Training Data

Real World Scenario

An attacker introduces specially crafted records into a dataset, creating hidden triggers that alter model responses under specific conditions.

Security Impact

  • Biased outputs

  • Backdoors

  • Trust degradation

5. Improper Output Handling

Developers sometimes trust LLM-generated content and pass it directly into applications without validation.

MITRE ATLAS Mapping

AML.T0051.002 – LLM Output Injection

Real World Scenario

A malicious prompt causes the model to generate dangerous commands that are automatically executed by downstream systems.

Security Impact

  • Command execution

  • System compromise

  • Data destruction

6. Excessive Agency

AI agents become dangerous when they are granted more permissions, tools, or autonomy than the task requires, without sufficient controls on how those capabilities are used.

MITRE ATLAS Mapping

AML.T0061 – AI Agent Tools

Real World Scenario

A compromised AI assistant uses its authorized email and calendar access to perform actions on behalf of an attacker.

Security Impact

  • Unauthorized transactions

  • Account abuse

  • Data exposure
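The two risks above share one control: model output is untrusted input that must be parsed, validated against a fixed tool schema, and authorised before anything runs. As an added example (not the article's code) covering both section 5 and section 6, this hypothetical dispatcher for an assistant with mail and calendar access accepts only registered tools with the exact expected arguments, has no path that executes free text, and holds every state-changing action for the session's scope and a human confirmation. The tool names and the scope flag are assumptions.

```python
import json
from dataclasses import dataclass

# Hypothetical tool registry. Each tool declares its argument schema and whether
# it changes state; anything not listed here simply does not exist to the model.
TOOLS = {
    "calendar.list_events": {"args": {"date": str}, "mutating": False},
    "mail.search": {"args": {"query": str}, "mutating": False},
    "mail.send": {"args": {"to": str, "subject": str, "body": str}, "mutating": True},
}


@dataclass
class Decision:
    allowed: bool
    needs_confirmation: bool
    reason: str


def validate_tool_call(raw_output: str, session_has_send_scope: bool) -> Decision:
    """Treat the model's output as untrusted: parse, validate, then authorise."""
    try:
        call = json.loads(raw_output)
    except json.JSONDecodeError:
        # Free text is never interpreted as a command, however confident it sounds.
        return Decision(False, False, "output is not a JSON tool call")
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        return Decision(False, False, "unexpected top-level structure")
    spec = TOOLS.get(call["tool"])
    if spec is None:
        return Decision(False, False, f"unknown tool {call['tool']!r}")
    args = call["args"]
    if not isinstance(args, dict) or set(args) != set(spec["args"]):
        # Extra or missing fields are rejected rather than silently dropped.
        return Decision(False, False, "argument names do not match the tool schema")
    for name, expected_type in spec["args"].items():
        if not isinstance(args[name], expected_type):
            return Decision(False, False, f"argument {name!r} has the wrong type")
    if spec["mutating"]:
        # Least privilege: the session token must carry the scope, and even then
        # a state-changing action waits for the user to confirm it.
        if not session_has_send_scope:
            return Decision(False, False, "session lacks the mail.send scope")
        return Decision(True, True, "mutating action queued for user confirmation")
    return Decision(True, False, "read-only action allowed")
```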

7. System Prompt Leakage

System prompts define the hidden behavior and restrictions of an AI application; leakage occurs when the model discloses those instructions to a user.

MITRE ATLAS Mapping

AML.T0054 – LLM Jailbreak

Real World Scenario

An attacker tricks the model into revealing its internal instructions, hidden prompts, or confidential operational logic.

Security Impact

  • Exposure of security controls

  • Easier prompt injection attacks

  • Disclosure of internal architecture

8. Vector and Embedding Weaknesses

Retrieval-Augmented Generation (RAG) systems rely on vector databases to retrieve relevant information, so whatever is stored or injected there shapes the model's answers.

MITRE ATLAS Mapping

AML.T0060 – Data from AI Services

Real World Scenario

An attacker introduces malicious content into a vector database, causing the AI to retrieve and present false information.

Security Impact

  • Knowledge manipulation

  • Incorrect responses

  • Business decision risks

9. Misinformation

AI-generated misinformation becomes a security issue when users rely on AI-generated guidance for critical decisions.

MITRE ATLAS Mapping

AML.T0043 – Craft Adversarial Data

Real World Scenario

Attackers influence public information sources, causing AI systems to learn and repeat incorrect security recommendations.

Security Impact

  • Unsafe guidance

  • Vulnerable code generation

  • Loss of trust

10. Unbounded Consumption

AI systems consume significant computational resources and can be targeted through resource exhaustion attacks.

MITRE ATLAS Mapping

AML.T0029 – Denial of Service

Real World Scenario

Attackers repeatedly submit highly complex prompts that maximize processing requirements and overwhelm inference infrastructure.

Security Impact

  • Service outages

  • Increased operational costs

  • Resource exhaustion
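Because cost scales with prompt length and requested output, a plain request counter misses the attack described above. As an added example (not from the original article), this per-caller budget caps prompt size and output tokens, then charges each request's worst-case token cost against a sliding window before it reaches the model. The 4-characters-per-token estimate and the limits are assumptions; the clock is injectable so the window can be tested offline.

```python
import time
from collections import defaultdict, deque


class InferenceBudget:
    """Sliding-window token budget per caller, applied before inference.

    Assumption: roughly four characters per token, which is only a planning
    estimate; a real tokenizer count can be substituted in estimate_cost.
    """

    def __init__(self, max_prompt_chars=8000, max_output_tokens=512,
                 window_seconds=60, tokens_per_window=20000, clock=time.monotonic):
        self.max_prompt_chars = max_prompt_chars
        self.max_output_tokens = max_output_tokens
        self.window = window_seconds
        self.limit = tokens_per_window
        self.clock = clock
        self.usage = defaultdict(deque)  # caller -> deque of (timestamp, tokens)

    @staticmethod
    def estimate_cost(prompt: str, requested_output_tokens: int) -> int:
        return len(prompt) // 4 + requested_output_tokens

    def _spent(self, caller: str, now: float) -> int:
        queue = self.usage[caller]
        while queue and now - queue[0][0] > self.window:
            queue.popleft()  # drop charges that have aged out of the window
        return sum(tokens for _, tokens in queue)

    def admit(self, caller: str, prompt: str, requested_output_tokens: int):
        """Return (admitted, reason). The worst case is charged up front, so a
        burst of long prompts cannot overrun the budget while responses are
        still being generated."""
        if len(prompt) > self.max_prompt_chars:
            return False, "prompt exceeds maximum length"
        if requested_output_tokens > self.max_output_tokens:
            return False, "requested output exceeds cap"
        cost = self.estimate_cost(prompt, requested_output_tokens)
        now = self.clock()
        if self._spent(caller, now) + cost > self.limit:
            return False, "token budget exhausted for this window"
        self.usage[caller].append((now, cost))
        return True, "admitted"
```

Rejections from this check are cheap to log and make a useful detection signal: one caller repeatedly hitting the per-window limit with maximum-length prompts is the pattern described in the scenario.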

Why OWASP and MITRE ATLAS Matter Together

OWASP identifies the most critical AI security risks, while MITRE ATLAS explains how attackers operationalize those risks.

Together, they help organizations:

  • Build AI threat models

  • Develop AI security controls

  • Improve detection engineering

  • Strengthen red and purple team exercises

  • Secure LLM and agentic AI deployments

Final Thoughts

The rapid adoption of LLMs has introduced a new attack surface that traditional security frameworks were not designed to address. Understanding both the OWASP AI Top 10 and the MITRE ATLAS framework allows defenders to move beyond theoretical risks and focus on real adversarial techniques.

As AI becomes increasingly embedded in enterprise environments, security teams must treat AI security as a core component of their cybersecurity strategy rather than a future concern.
