Cross-Framework Mapping Reference
Intermediate8 min readUpdated 2026-03-13
How OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, and EU AI Act map to each other. Unified taxonomy and quick reference tables for multi-framework reporting.
Different stakeholders speak different framework languages. A CISO wants OWASP categories. A risk manager wants NIST AI RMF functions. A compliance officer wants EU AI Act articles. A security engineer wants MITRE ATLAS technique IDs. This page provides the translation tables to present the same finding in whatever framework your audience expects.
OWASP LLM Top 10 to MITRE ATLAS
| OWASP Category | Primary ATLAS Techniques | ATLAS Tactic |
|---|---|---|
| LLM01: Prompt Injection | AML.T0051 (Prompt Injection) | Execution |
| LLM02: Sensitive Information Disclosure | AML.T0025 (Model Inversion), AML.T0026 (Membership Inference) | Collection, Exfiltration |
| LLM03: Supply Chain | AML.T0018 (Backdoor ML Model), AML.T0020 (Data Poisoning) | Persistence, ML Attack Staging |
| LLM04: Data and Model Poisoning | AML.T0020 (Data Poisoning), AML.T0018 (Backdoor) | ML Attack Staging |
| LLM05: Improper Output Handling | No direct ATLAS equivalent | N/A (application layer) |
| LLM06: Excessive Agency | No direct ATLAS equivalent | N/A (configuration issue) |
| LLM07: System Prompt Leakage | AML.T0051 (Prompt Injection -- used for extraction) | Execution, Collection |
| LLM08: Vector and Embedding Weaknesses | AML.T0043 (Adversarial Examples -- embedding domain) | ML Attack Staging |
| LLM09: Misinformation | No direct ATLAS equivalent | N/A (model behavior) |
| LLM10: Unbounded Consumption | Closest: traditional DoS techniques | Impact |
OWASP LLM Top 10 to NIST AI RMF
| OWASP Category | NIST AI RMF Function | NIST AI 600-1 Risk Category |
|---|---|---|
| LLM01: Prompt Injection | Measure (MS-1, MS-2) | Information Security |
| LLM02: Sensitive Information Disclosure | Measure (MS-1), Manage (MG-1) | Data Privacy |
| LLM03: Supply Chain | Govern (GV-1), Map (MP-2) | Information Security |
| LLM04: Data and Model Poisoning | Map (MP-2), Measure (MS-1) | Information Integrity |
| LLM05: Improper Output Handling | Measure (MS-1), Manage (MG-1) | Information Security |
| LLM06: Excessive Agency | Govern (GV-1), Map (MP-2) | Human-AI Configuration |
| LLM07: System Prompt Leakage | Measure (MS-1) | Data Privacy |
| LLM08: Vector and Embedding Weaknesses | Measure (MS-1) | Information Security |
| LLM09: Misinformation | Measure (MS-2) | Confabulation, Information Integrity |
| LLM10: Unbounded Consumption | Manage (MG-2) | Environmental |
OWASP LLM Top 10 to EU AI Act
| OWASP Category | EU AI Act Requirement | Applicable Article |
|---|---|---|
| LLM01: Prompt Injection | Cybersecurity, robustness | Art. 15 |
| LLM02: Sensitive Information Disclosure | Data governance, privacy | Art. 10, GDPR |
| LLM03: Supply Chain | Quality management | Art. 17 |
| LLM04: Data and Model Poisoning | Data governance, training data quality | Art. 10 |
| LLM05: Improper Output Handling | Accuracy, robustness | Art. 15 |
| LLM06: Excessive Agency | Human oversight | Art. 14 |
| LLM07: System Prompt Leakage | Transparency | Art. 13 |
| LLM08: Vector and Embedding Weaknesses | Robustness | Art. 15 |
| LLM09: Misinformation | Accuracy | Art. 15 |
| LLM10: Unbounded Consumption | Robustness, cybersecurity | Art. 15 |
MITRE ATLAS to NIST AI RMF
| ATLAS Tactic | NIST AI RMF Function | Key Subcategories |
|---|---|---|
| Reconnaissance (TA0000) | Map (MP-1, MP-2) | Context, risk identification |
| Resource Development (TA0001) | Map (MP-2) | Threat landscape understanding |
| Initial Access (TA0002) | Measure (MS-1) | Assessment of access controls |
| ML Model Access (TA0003) | Measure (MS-1), Manage (MG-2) | Access monitoring |
| Execution (TA0004) | Measure (MS-1, MS-2) | Testing and evaluation |
| Persistence (TA0005) | Manage (MG-2) | Continuous monitoring |
| Defense Evasion (TA0006) | Measure (MS-1) | Detection capability assessment |
| Discovery (TA0007) | Measure (MS-1) | Information exposure assessment |
| Collection (TA0008) | Measure (MS-1), Manage (MG-1) | Data protection evaluation |
| Exfiltration (TA0010) | Manage (MG-1, MG-3) | Data loss prevention |
| Impact (TA0011) | Manage (MG-3) | Incident response |
Multi-Framework Finding Template
Use this template to document findings with cross-framework references:
Finding: [Title]
Severity: [Critical / High / Medium / Low]
Date Discovered: [Date]
--- Framework Mappings ---
OWASP LLM Top 10: [Category and number]
MITRE ATLAS: [Technique ID and name]
NIST AI RMF: [Function and subcategory]
EU AI Act: [Article number and requirement]
NIST AI 600-1: [Risk category]
--- Description ---
[What was found]
--- Impact ---
[Business and technical impact]
--- Reproduction Steps ---
[How to reproduce]
--- Remediation ---
[Recommended fix]
--- Evidence ---
[Screenshots, logs, payloads (sanitized)]Quick Reference: Common Attack Scenarios
| Attack Scenario | OWASP | ATLAS | NIST 600-1 | EU AI Act |
|---|---|---|---|---|
| Direct prompt injection to bypass safety | LLM01 | AML.T0051 | Info Security | Art. 15 |
| Extracting PII from model outputs | LLM02 | AML.T0025 | Data Privacy | Art. 10, GDPR |
| Indirect injection via RAG documents | LLM01, LLM08 | AML.T0051 | Info Security | Art. 15 |
| System prompt extraction | LLM07 | AML.T0051 | Data Privacy | Art. 13 |
| Model weight extraction via API | LLM02 | AML.T0024 | IP | Art. 15 |
| Training data poisoning | LLM04 | AML.T0020 | Info Integrity | Art. 10 |
| Tool abuse via excessive permissions | LLM06 | N/A | Human-AI Config | Art. 14 |
| Adversarial examples against classifiers | N/A | AML.T0043 | Info Security | Art. 15 |
| Token flooding / resource exhaustion | LLM10 | N/A | Environmental | Art. 15 |
| Hallucination in high-stakes decisions | LLM09 | N/A | Confabulation | Art. 15 |
Where Mappings Break Down
Not all concepts translate cleanly across frameworks. Be aware of these gaps:
| Concept | Framework That Covers It | Frameworks That Do Not |
|---|---|---|
| Agentic tool abuse | OWASP (LLM06) | ATLAS (no equivalent technique) |
| Traditional adversarial examples | ATLAS (AML.T0043) | OWASP (focused on LLMs, not CV) |
| Organizational governance | NIST AI RMF (Govern) | OWASP, ATLAS (technical focus) |
| Fairness and bias | NIST AI 600-1, EU AI Act | OWASP, ATLAS (security focus) |
| Environmental impact | NIST AI 600-1 | OWASP, ATLAS, EU AI Act (limited) |
| Physical safety | EU AI Act (Art. 9) | OWASP, ATLAS (cyber focus) |
Related Topics
- OWASP LLM Top 10 Deep Dive -- detailed OWASP category analysis
- MITRE ATLAS Walkthrough -- ATLAS tactics and techniques reference
- NIST AI RMF & ISO 42001 -- risk management framework context
- EU AI Act Compliance Testing -- EU regulatory requirements
References
- "OWASP Top 10 for LLM Applications" - OWASP Foundation (2025) - Vulnerability taxonomy used as one axis in cross-framework mapping
- "MITRE ATLAS" - MITRE Corporation (2024) - Adversarial tactics and techniques taxonomy used as the attack-perspective axis
- "NIST AI 600-1: Generative AI Profile" - National Institute of Standards and Technology (2024) - Risk categories that bridge NIST AI RMF and OWASP vulnerability classes
- "Mapping AI Risk Frameworks: A Comparative Analysis" - World Economic Forum (2024) - Cross-framework analysis of AI governance standards and their interrelationships
Knowledge Check
A red team finding shows that an AI system's RAG pipeline retrieves and follows malicious instructions embedded in documents. Which combination of framework references most completely classifies this finding?