Impact Categories
Overview of the real-world consequences of successful AI attacks, from misinformation and harmful content to financial fraud and regulatory violations.
Overview
Successful attacks against AI systems produce consequences that extend far beyond the technical domain. When a large language model is compromised, the resulting damage can range from subtle erosion of public trust through misinformation to direct financial losses through fraud, from regulatory penalties exceeding tens of millions of euros to complete degradation of downstream systems that depend on the model's outputs. Understanding these impact categories is essential for red teamers, because the value of discovering a vulnerability is measured not by the cleverness of the exploit but by the severity of the outcome it enables.
Impact assessment bridges the gap between technical findings and business risk. A prompt injection that causes a chatbot to recommend a competitor's product is technically identical to one that causes it to leak customer records, but the business impact differs by orders of magnitude. Red team reports that articulate impact in business terms -- revenue loss, regulatory exposure, reputational damage -- receive executive attention and drive remediation investment. Reports that describe only the technical mechanism are often deprioritized regardless of actual severity.
The impact categories covered in this section reflect the current threat landscape for organizations deploying AI systems. Misinformation and harmful content generation represent the most widely studied categories, with established attack patterns and defenses. Reputation damage has proven disproportionately impactful relative to its technical sophistication, as a single viral screenshot can dominate news cycles. Denial of service, data corruption, financial fraud, and compliance violations represent emerging categories where the intersection of AI capabilities and real-world consequences is still being mapped.
These categories are not mutually exclusive. A single attack chain can produce multiple simultaneous impacts: a RAG poisoning attack might corrupt downstream databases (data corruption), cause the system to generate false medical advice (misinformation), violate HIPAA through improper disclosure (compliance violation), and generate headlines about the organization's negligent AI deployment (reputation damage). Effective risk assessment must consider these cascading effects.
Impact Reference Map
The following table maps each impact category to its primary framework references and provides a rough severity assessment based on typical organizational exposure.
| Impact Category | OWASP LLM Top 10 | MITRE ATLAS | Typical Severity | Recovery Difficulty |
|---|---|---|---|---|
| Misinformation Generation | LLM09 Misinformation | AML.T0048 | High | Hard (trust erosion) |
| Harmful Content Generation | LLM01 Prompt Injection | AML.T0040 | Critical | Medium |
| Reputation Damage | LLM09 Misinformation | AML.T0048 | High | Hard (public perception) |
| Denial of Service | LLM10 Unbounded Consumption | AML.T0029 | Medium-High | Easy (technical) |
| Data Corruption | LLM04 Data and Model Poisoning | AML.T0020 | Critical | Very Hard |
| Financial Fraud | LLM01 Prompt Injection | AML.T0048 | Critical | Medium |
| Compliance Violations | LLM02 Sensitive Information Disclosure | AML.T0024 | Critical | Hard (regulatory) |
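For teams that generate findings reports programmatically, the reference map can be encoded as a small lookup structure. The sketch below is illustrative tooling, not part of any framework: the `ImpactCategory` dataclass and key names are assumptions, and the rows are copied from the table above (remaining rows follow the same pattern).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ImpactCategory:
    """One row of the impact reference map (hypothetical report-tooling type)."""
    name: str
    owasp: str      # OWASP LLM Top 10 (2025) entry
    atlas: str      # MITRE ATLAS technique ID
    severity: str
    recovery: str

IMPACT_MAP = {
    "misinformation": ImpactCategory(
        "Misinformation Generation", "LLM09 Misinformation",
        "AML.T0048", "High", "Hard (trust erosion)"),
    "harmful_content": ImpactCategory(
        "Harmful Content Generation", "LLM01 Prompt Injection",
        "AML.T0040", "Critical", "Medium"),
    "denial_of_service": ImpactCategory(
        "Denial of Service", "LLM10 Unbounded Consumption",
        "AML.T0029", "Medium-High", "Easy (technical)"),
    # ... remaining table rows follow the same pattern
}

def critical_categories() -> list[str]:
    """Names of categories rated Critical, e.g. for report triage."""
    return [c.name for c in IMPACT_MAP.values() if c.severity == "Critical"]
```

A structure like this keeps framework references consistent across reports and makes it trivial to filter findings by severity or recovery difficulty.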
Assessing Impact in Red Team Engagements
When conducting red team assessments, impact should be evaluated along four dimensions:
- Blast radius -- How many users, systems, or business processes are affected? A training data poisoning attack affects every user; a single-session prompt injection affects one.
- Persistence -- Does the impact end when the attack stops, or does it continue? Data corruption persists until detected and remediated. Denial of service stops when the attack stops.
- Reversibility -- Can the damage be undone? Financial losses can potentially be recovered. Reputational damage and regulatory penalties cannot.
- Attribution -- Can the impact be traced to the AI system? Subtle misinformation may never be attributed to the compromised model, making it simultaneously less visible and more dangerous.
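The four dimensions can be combined into a rough numeric score for triage. The sketch below is a heuristic, not a standardized formula: the weights are illustrative assumptions, each dimension is rated 0.0 to 1.0 with higher meaning worse (so reversibility is expressed as *irreversibility*, and attribution as *difficulty* of attribution, since hard-to-attribute impacts are more dangerous).

```python
def impact_score(blast_radius: float, persistence: float,
                 irreversibility: float, attribution_difficulty: float) -> float:
    """Combine the four assessment dimensions into a 0-10 score.

    Each input is rated 0.0 (negligible) to 1.0 (maximal).
    Weights are illustrative, not prescriptive.
    """
    raw = (0.35 * blast_radius            # how many users/systems are hit
           + 0.25 * persistence           # does damage outlast the attack?
           + 0.25 * irreversibility       # can the damage be undone?
           + 0.15 * attribution_difficulty)  # will it even be traced to the model?
    return round(raw * 10, 1)

# Training data poisoning: wide blast radius, persistent, hard to reverse.
poisoning = impact_score(0.9, 0.9, 0.8, 0.7)
# Single-session prompt injection: one user, ends with the session.
injection = impact_score(0.1, 0.1, 0.3, 0.4)
```

Under these example weights, poisoning scores far higher than a one-off injection, which matches the intuition in the blast-radius bullet above.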
Learning Path
Start with Misinformation Generation and Harmful Content Generation as the most extensively documented categories. Then review Reputation Damage for the business-impact perspective. The remaining categories -- Denial of Service, Data Corruption, Financial Fraud, and Compliance Violations -- cover emerging areas where AI-specific risks are increasingly relevant.
References
- OWASP: "LLM Top 10 for Large Language Model Applications" (2025)
- MITRE: "ATLAS -- Adversarial Threat Landscape for Artificial-Intelligence Systems" (2024)
- NIST: "AI Risk Management Framework (AI RMF 1.0)" (2023)
- EU AI Act: Regulation (EU) 2024/1689, Articles 6-55