MITRE ATLAS: The Adversary's Playbook for AI Systems
ATLAS gives you the adversary's playbook. C2B B9 gives you the builder's checklist. SDD-B01 gives you the offensive expansion. ATLAS is the connective tissue — the framework that names every technique an adversary has actually used against an AI system, in the order an adversary actually chains them, from reconnaissance through impact. The ATT&CK equivalent for AI/ML: twelve tactics, ~80+ techniques, dozens of case studies.
ATLAS is the connective tissue between OWASP, Microsoft, and SDD-B01. OWASP is a builder's checklist (ten rows). Microsoft is a diagnostic (twelve failure modes). SDD-B01 is the offensive expansion (the same ten rows as attack procedures). ATLAS is the adversary's full playbook — a kill chain, fed by real-world case studies, structured like ATT&CK. A failure that is an ATLAS technique, an OWASP row, and a Microsoft failure mode is the highest-confidence finding — robust to framework-shopping.
ATLAS covers the model layer OWASP is silent on. Four of the six load-bearing techniques (Model Inversion, Data Poisoning model-layer variant, Model Stealing, Membership Inference) target the model the agent is built on, not the agent. OWASP ASI has no row for them — it is an agent-layer framework by design. ATLAS is the framework that covers the model; OWASP covers the agent; together they cover both. The empty OWASP cells are the finding surface ATLAS adds that OWASP cannot reach.
ATLAS is a kill chain, not a checklist. The value is the compound: Reconnaissance enables Initial Access enables Execution enables Impact. Single-technique findings are entry points; the compound chain is the finding. This is the SDD-B01 'compound is the finding' thesis restated in ATLAS terms — the ATLAS kill chain is the structure for designing the compound. Treating ATLAS as 'one technique per tactic, scored' reproduces the OWASP-as-checklist mistake in ATLAS clothing.
The two AI-specific tactics (ML Model Access, ML Attack Staging) are what makes ATLAS distinct from ATT&CK. They exist because AI systems have an asset class — the trained model — that traditional systems do not. The access tier determines which downstream techniques are available (black-box API scopes to prompt injection, model stealing, membership inference; white-box weights unlock adversarial examples, representation-level attacks, weight poisoning). ML Attack Staging has no runtime defense — it happens on the adversary's laptop. Scoping these two tactics out reduces ATLAS to a relabeled ATT&CK and loses the model-layer coverage that justifies the framework.