How to Threat Model an AI System: ATLAS, OWASP, MAESTRO & NIST

June 25, 2026 · Securing AI: How AI Gets Attacked — and Defended (part 3)

▶ Watch on YouTube & subscribe to The Stack Underflow

Every AI security meeting has the same moment: someone drops “ATLAS,” someone else says “but the OWASP Top 10,” a third person mentions NIST, and then MAESTRO appears in the chat. Four frameworks, quoted as if they’re interchangeable. They’re not. Each one answers a different question about a different slice of the problem. Reach for the wrong one and you get a useless answer — or worse, a false sense that you’ve covered the ground when you haven’t.

If you are building or operating an AI system right now, you need to know what each framework asks, what it answers, and how they layer together. That map is what this tutorial gives you.

The one-sentence version: ATLAS tells you how attackers move, OWASP tells you what tends to go wrong, MAESTRO gives you a method for threat-modeling an agent, and NIST governs the whole program — same attack surface, four different lenses.

The six-stage pipeline underneath all four frameworks

Before the frameworks make sense, you need the surface they’re mapping. AI systems share a common six-stage pipeline from raw data to running agent (covered in depth in The AI Attack Surface Explained):

S0 DATA  →  S1 TRAIN  →  S2 MODEL  →  S3 DEPLOY/SUPPLY  →  S4 INFERENCE  →  S5 AGENT

Every attack, every risk, and every governance concern anchors to one or more of these stages. The four frameworks each “land” on this pipeline differently, which is why they’re complementary rather than competing.

Framework 1: MITRE ATLAS — HOW do attackers move?

MITRE ATLAS (Adversarial Threat Landscape for Artificial Intelligence Systems) is a knowledge base of adversary tactics (the attacker’s goals at each phase) and techniques (specific methods used to achieve those goals). It mirrors the structure of MITRE ATT&CK — which most security teams already use for traditional IT — but applies it to AI and ML systems.

As of version 5.1.0 (November 2025), ATLAS contains:

CountWhat
16 tacticsHigh-level adversary goals (e.g., Reconnaissance, ML Model Access, Exfiltration, Impact)
84 techniquesSpecific attack methods (e.g., RAG Poisoning, LLM Prompt Crafting, AI Supply Chain Compromise)
56 sub-techniquesNarrower variants within a technique
32 mitigationsDefensive countermeasures mapped to specific techniques
42 case studiesReal-world incidents documented in the wild

Technique IDs follow the format AML.T####; tactic IDs follow AML.TA####; mitigations follow AML.M####.

ATLAS’s Spring 2025 update added 19 GenAI-specific techniques including RAG Poisoning, False RAG Entry Injection, and Impersonation. The October 2025 update (in partnership with Zenity Labs) added 14 agent-focused techniques and sub-techniques. The November 2025 v5.1.0 release added a 16th tactic — Command and Control (AML.TA0015) — reflecting the new reality of agents that communicate with external infrastructure.

What ATLAS answers: “How would an attacker move through my system stage by stage, and what specific technique would they use at each step?”

Attacker question: "How do I corrupt a RAG pipeline?"
                         |
                         v
    ATLAS technique chip: RAG Poisoning (GenAI technique, Spring 2025)
    Stage: S4 Inference (RAG query path)
    Related tactic: ML Attack Staging (AML.TA0001)

What ATLAS does NOT answer: Which risks are most common in production, how to run a governance program, or how to threat-model an agent system layer by layer. That’s what the other three frameworks cover.

Framework 2: OWASP LLM and Agentic Top 10 — WHAT tends to go wrong?

OWASP (Open Worldwide Application Security Project) produces risk taxonomies — ranked lists of the vulnerabilities most likely to bite you in a real deployment. For AI, it publishes two relevant lists.

OWASP LLM Top 10 (2025 edition): Released November 2024, it maps ten risk categories across the six-stage pipeline. This series uses it as its recurring spine — every attack tutorial in the series tags its OWASP ID.

IDRisk namePrimary pipeline stage
LLM01Prompt InjectionS4 Inference
LLM02Sensitive Information DisclosureS2 Model / S4
LLM03Supply ChainS3 Deploy/Supply
LLM04Data and Model PoisoningS0 Data / S1 Train
LLM05Improper Output HandlingS4 Inference
LLM06Excessive AgencyS5 Agent
LLM07System Prompt LeakageS4 Inference
LLM08Vector and Embedding WeaknessesS4 (RAG)
LLM09MisinformationS4
LLM10Unbounded ConsumptionS4

Two entries are new in the 2025 edition: LLM07 System Prompt Leakage (reflecting how widely system prompts now encode business logic and secrets) and LLM09 Misinformation (absorbing the former “Overreliance” category). LLM06 Excessive Agency was elevated as agentic deployments became mainstream.

OWASP Top 10 for Agentic Applications (December 2025): Released December 9–10, 2025 by the OWASP GenAI Security Project, this companion list covers risks that are unique to or dramatically amplified in autonomous agents. The ten entries are:

ASI01  Agent Goal Hijack
ASI02  Tool Misuse
ASI03  Identity and Privilege Abuse
ASI04  Agentic Supply Chain Vulnerabilities
ASI05  Unexpected Code Execution
ASI06  Memory and Context Poisoning
ASI07  Insecure Inter-Agent Communication
ASI08  Cascading Failures
ASI09  Human-Agent Trust Exploitation
ASI10  Rogue Agents

What OWASP answers: “What are the named, ranked risk categories I need to address, mapped to specific stages of my pipeline?”

What OWASP does NOT answer: The exact attacker technique behind each risk (that’s ATLAS), how to systematically walk an agent’s internal layers (that’s MAESTRO), or how to build a governance program (that’s NIST).

Framework 3: MAESTRO — HOW do I threat-model an agent?

MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome) was introduced by the Cloud Security Alliance in February 2025. It is not a risk list — it is a method: a structured way to walk an agentic AI system layer by layer and ask “what can go wrong here?”

The framework breaks an agent’s operational stack into seven layers:

Layer 7: Agent Ecosystem
         (real-world interfaces, user interactions, marketplace)
         |
Layer 6: Security and Compliance  <-- vertical, cuts across ALL layers
         |
Layer 5: Evaluation and Observability
         (monitoring, anomaly detection, performance tracking)
         |
Layer 4: Deployment and Infrastructure
         (cloud/on-prem runtime, networking, compute)
         |
Layer 3: Agent Frameworks
         (orchestration toolkits, tool-calling logic, planning loops)
         |
Layer 2: Data Operations
         (databases, vector stores, RAG pipelines, ingestion)
         |
Layer 1: Foundation Models
         (the underlying LLM or multimodal model)

Layer 6 (Security and Compliance) is a vertical layer — it does not sit between the others, it spans all of them. Think of it as a cross-cutting concern rather than a rung on the ladder.

Why does this matter? Because attacks on agents rarely stay in one layer. A data poisoning attack starts at Layer 2, shapes the model’s behavior at Layer 1 via RAG retrieval, influences the decision loop at Layer 3, and ultimately causes unauthorized real-world actions at Layer 7. MAESTRO gives you a systematic method to trace that path rather than stumbling onto it after an incident.

MAESTRO’s positioning as “the agent-era complement to STRIDE” is deliberate. STRIDE (a classic threat-modeling method asking: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) works well on static systems with well-defined trust boundaries. Agents are dynamic, probabilistic, and autonomous — MAESTRO was designed for that.

What MAESTRO answers: “Given this specific agent architecture, what are the threats at each layer, and how do they propagate across layers?”

What MAESTRO does NOT answer: How adversaries move at the technique level (ATLAS), which risks to prioritize across the industry (OWASP), or how to govern the program (NIST).

Framework 4: NIST AI RMF — HOW do I govern the whole program?

NIST AI RMF 1.0 (National Institute of Standards and Technology AI Risk Management Framework, January 2023) operates at the program level. It is not a technique list or a threat-modeling method — it is a continuous governance loop that wraps around everything else.

The four core functions are:

  +----------------------------------------------------------+
  |                                                          |
  |   GOVERN  ------>  MAP  ------>  MEASURE  -->  MANAGE   |
  |      ^                                            |      |
  |      +--------------------------------------------+      |
  |                                                          |
  |  (the loop runs continuously around the whole pipeline) |
  +----------------------------------------------------------+
  • Govern: Establish policies, roles, accountability structures, and culture around AI risk. This is where legal, compliance, and executive stakeholders live.
  • Map: Identify and categorize the AI risks relevant to your specific context — your deployment environment, your users, your risk tolerance.
  • Measure: Evaluate and test those risks. Red teaming, benchmarks, audits, monitoring, and evals all live here.
  • Manage: Prioritize, treat, respond to, and track the risks you’ve measured. This includes incident response and ongoing remediation.

In July 2024, NIST published NIST AI 600-1, the Generative AI Profile — a companion document that extends AI RMF 1.0 specifically for generative AI. It identifies 12 GenAI-specific risk categories (including Confabulation/hallucination, Data Privacy, Information Security, and Value Chain and Component Integration) and provides 200+ suggested actions organized by the four RMF functions (NIST AI 600-1, July 26, 2024).

What NIST AI RMF answers: “How do we run an ongoing organizational program to govern, identify, evaluate, and manage AI risk across the whole lifecycle?”

What NIST does NOT answer: Which specific techniques attackers use (ATLAS), which risk categories dominate in LLM deployments (OWASP), or how to threat-model an agent system layer by layer (MAESTRO).

The four-question map

Here is the complete picture in one place:

FrameworkVersionThe question it answersScope
MITRE ATLASv5.1.0 (Nov 2025)HOW do attackers move, stage by stage?Adversary tactics and techniques
OWASP LLM Top 102025 editionWHAT tends to go wrong in LLM deployments?Risk taxonomy, ranked
OWASP Agentic Top 10Dec 2025WHAT tends to go wrong in agentic systems?Agent-specific risk taxonomy
MAESTROFeb 2025 (CSA)HOW do I threat-model THIS agent, layer by layer?Agent threat-modeling method
NIST AI RMF1.0 (Jan 2023) + AI 600-1 (Jul 2024)HOW do I govern the AI risk program?Organizational governance loop

These frameworks compose — they do not compete. A real threat-modeling session might: use MAESTRO to walk the agent layers, tag each identified threat with its ATLAS technique ID and its OWASP risk category, then feed the prioritized results into the NIST Manage function. Ask “how?” and reach for ATLAS. Ask “what?” and reach for OWASP. Ask “how do I model this agent?” and reach for MAESTRO. Ask “how do I govern all of this?” and reach for NIST.

How to defend: putting the frameworks to work

Knowing the frameworks intellectually is different from using them defensively. Here is a concrete workflow:

Step 1 — Scope with MAESTRO. Before any meeting, draw the seven-layer stack for your specific agent. Which layers exist in your system? Which are third-party? Where do trust boundaries cross?

Step 2 — Walk each layer with ATLAS. For each layer, ask: which ATLAS tactics and techniques apply here? RAG pipelines at Layer 2 attract RAG Poisoning and False RAG Entry Injection. Tool-calling at Layer 3 attracts LLM Prompt Crafting and agent hijack techniques added in October 2025.

Step 3 — Tag each threat with its OWASP ID. This connects your architectural analysis to the industry-standard vocabulary your security, legal, and compliance stakeholders already use. A RAG poisoning threat maps to ATLAS technique plus LLM08 (Vector and Embedding Weaknesses) and LLM04 (Data and Model Poisoning).

Step 4 — Feed the results into NIST’s Manage function. Prioritize by likelihood and impact. Document the residual risk. Assign owners and remediation timelines. Schedule reassessment.

Step 5 — Log and monitor continuously. The NIST loop never closes. Techniques in ATLAS grow (16 new techniques in v5.1.0 alone). OWASP categories evolve. Your threat model must be a living document, not a one-time exercise.

The defensive payoff of running all four frameworks: you get attacker-aware architecture (MAESTRO plus ATLAS), a standard vocabulary for risk communication (OWASP), and a governance structure that ensures the work actually gets done and stays current (NIST).

Common misconceptions

  • “I quoted the OWASP Top 10 in my design doc, so I’ve done threat modeling.” OWASP is a risk taxonomy, not a threat-modeling method. Listing the ten risk categories does not tell you which ones apply to your specific architecture, where in your pipeline they surface, or what the attack technique looks like. Use MAESTRO or a STRIDE session to do the actual modeling; use OWASP to name and rank what you find.

  • “MITRE ATLAS is only for researchers — it’s too complex for a product team.” ATLAS includes the free Navigator tool (mirroring ATT&CK Navigator) that lets any team load their architecture and visually map which techniques are relevant. Even a 30-minute session tagging five to ten techniques for a RAG pipeline is more rigorous than a blank threat model.

  • “NIST AI RMF is just a compliance checkbox for enterprises.” The four functions — Govern, Map, Measure, Manage — describe the minimum viable security program for any team shipping AI in production. Even a two-person startup benefits from naming who owns AI risk (Govern), listing their specific risk categories (Map), running basic red-team evals (Measure), and having a plan for when something goes wrong (Manage). Scale the effort, not the structure.

  • “MAESTRO replaces STRIDE for all threat modeling.” MAESTRO is purpose-built for agentic AI. For non-agentic LLM use cases — a summarization endpoint, a classification pipeline — STRIDE is still a perfectly valid starting point. MAESTRO adds value precisely where agentic autonomy, multi-step tool use, and cross-layer propagation are in play.

Frequently asked questions

Do I need all four frameworks, or can I just pick one? You almost certainly need at least two. OWASP gives you a prioritized checklist to work from, and NIST gives you the governance loop to ensure the work gets done. For agentic systems, add MAESTRO. Add ATLAS whenever you want to move from “what risk” to “how a real attacker would execute it.” The frameworks are designed to compose, and using more than one in the same session is normal — tag a MAESTRO-identified threat with both its ATLAS technique ID and its OWASP ID, and you’ve done exactly what the ecosystem intends.

How current are ATLAS and the OWASP lists — do they go stale quickly? Yes, and intentionally so. ATLAS v5.1.0 (November 2025) added 18 new techniques focused on agent security in a single release. The OWASP LLM Top 10 moved from 2023 to a substantially revised 2025 edition, adding two new categories and reordering based on real deployment data. Treat these as living documents. Pin a review of your threat model to each major ATLAS or OWASP release, or at minimum once per year.

What is the relationship between MAESTRO and the OWASP Agentic Top 10? They are complementary in the same way ATLAS and OWASP are complementary. MAESTRO is a method — it gives you the seven-layer structure to walk. The OWASP Agentic Top 10 (December 2025) is a taxonomy — it names the ten most critical risk categories for agents. Run MAESTRO to discover threats layer by layer, then tag each discovered threat against the Agentic Top 10 (ASI01 through ASI10) to communicate it in standard vocabulary. ASI06 Memory and Context Poisoning, for example, lives at MAESTRO Layer 2 (Data Operations) and Layer 3 (Agent Frameworks), and maps to ATLAS techniques added in October 2025.

How does the NIST AI 600-1 Generative AI Profile differ from AI RMF 1.0? AI RMF 1.0 (January 2023) is the general framework applicable to all AI systems. NIST AI 600-1 (July 2024) is a profile — a focused extension that applies the four RMF functions specifically to generative AI. It names 12 GenAI-specific risk categories (including Confabulation, Information Security, and Value Chain and Component Integration) and provides over 200 suggested actions mapped back to the Govern/Map/Measure/Manage functions. If you are shipping LLMs or agents, AI 600-1 is the more immediately applicable document; AI RMF 1.0 is the foundational structure it builds on.

Can I use these frameworks for a RAG pipeline specifically, or are they only for full LLM products? All four apply to RAG pipelines. ATLAS has named RAG Poisoning and False RAG Entry Injection as specific techniques since Spring 2025. OWASP LLM08 (Vector and Embedding Weaknesses) covers the embedding and retrieval path directly. MAESTRO Layer 2 (Data Operations) covers the vector store and ingestion pipeline. NIST’s Map function asks you to identify your specific risk context — a RAG pipeline is a specific, well-scoped context to analyze. Start with MAESTRO Layer 2 and tag everything to ATLAS and OWASP as you go.

Where this fits in the series

This tutorial is the final orientation piece before the series dives into specific attacks. The two previous tutorials — The AI Attack Surface Explained and AI Security vs AI Safety vs Cybersecurity — established the six-stage pipeline and the three discipline distinctions that underpin everything here.

From here, the series moves into the substrate: Why AI Is Uniquely Attackable covers the four inherent properties that break traditional security assumptions — nondeterminism, uninterpretability, unpatchability, and scale. After that, The ML Lifecycle Attack Surface maps the six handoffs where attackers inject influence.

Every subsequent tutorial in the series will anchor its attack and defense to a specific OWASP LLM Top 10 ID, name the relevant ATLAS technique where known, and place itself on the six-stage pipeline — because the frameworks only pay off when they’re used consistently, not quoted once and forgotten.

Browse all tutorials to follow the full series.

“Break it on the board, not in prod.”

Found this useful? The deep version lives on YouTube — new breakdowns of how AI dev tools actually work, weekly.

Subscribe on YouTube →