Cybersecurity for AI Decipher File · Initial publication January 2024; NIST AI 100-2 e2025 (expanded edition) early 2025
NIST AI 100-2 (Adversarial ML Taxonomy, 2024 to 2025): The Federal Reference for AI Attack and Defense Vocabulary
NIST AI 100-2 is the federal publication that gives Cybersecurity-for-AI practitioners a named, citable taxonomy of adversarial machine learning attacks and the matching defenses. The initial version was published in January 2024; the updated NIST AI 100-2 e2025 followed in early 2025 with expanded coverage. The taxonomy structures attacks across the AI lifecycle (training, deployment, inference), names attacker capabilities and goals, and references mitigations. Federal contractors, regulated industries, and AI security teams now cite NIST AI 100-2 as the working reference for adversarial-ML vocabulary.
Failure pattern
Federal publication establishing the canonical taxonomy of adversarial ML attacks and defenses
Organizations involved
National Institute of Standards and Technology (NIST), United States Department of Commerce
Incident summary
NIST AI 100-2 is the federal taxonomy publication for adversarial machine learning. The initial draft circulated in January 2024; the expanded NIST AI 100-2 e2025 was published in early 2025 with broader coverage of generative AI attacks. The document organizes adversarial ML attacks across the AI lifecycle and names the defenses each attack admits.
The publication is structured around attacker capabilities, attacker goals, and the AI-system surface under attack. Capabilities range from query-only (the attacker can only submit inputs to the deployed model) to data-poisoning (the attacker can influence training data) to model-inversion (the attacker queries to reconstruct training data). Goals range from availability (denial of service) to confidentiality (extraction) to integrity (causing wrong outputs).
The publication is a companion to the parent NIST AI 100-1 Risk Management Framework. AI 100-1 provides the governance frame; AI 100-2 provides the adversarial vocabulary the GOVERN, MAP, MEASURE, MANAGE functions reference.
Failure technique
The publication is not an incident in the failure-mode sense. It is the federal artifact that gives the AI security community a citable common vocabulary for attacks that were previously described in inconsistent terms. Before AI 100-2, terms such as evasion, prompt injection, model extraction, membership inference, model inversion, and data poisoning were used loosely. The taxonomy fixes definitions and ties each attack class to the defender's operational interest.
The taxonomy reflects what the AI security research community had been reporting. Adversarial-example research from Goodfellow et al. (2014), membership inference from Shokri et al. (2017), model inversion from Fredrikson et al. (2015), backdoor attacks from Gu et al. (2017), and the prompt injection literature from 2023 to 2024 all map into AI 100-2 categories.
The publication does not prescribe specific control implementations. It enumerates attack patterns, defense directions, and the operational considerations each category requires. Implementation choice belongs to the deploying organization.
Impact and consequences
Direct compliance impact concentrates in federal contractors and regulated industries that cite NIST framing in their risk programs. AI 100-2 vocabulary now appears in AI procurement language, AI risk registers, AI vendor questionnaires, and AI incident-response playbooks across the regulated AI deployment base.
Industry impact is the vocabulary stabilization. Conversations between AI security engineers, AI safety engineers, AI red teams, and AI governance teams are faster because everyone refers to the same taxonomy. Vendor model cards increasingly disclose adversarial-evaluation results against NIST AI 100-2 categories.
Engineering impact is in the MEASURE function of the parent AI RMF. AI security teams build adversarial evaluation suites against the named NIST AI 100-2 categories, producing evidence the GOVERN function consumes for release decisions.
Lessons for builders
Adopt the NIST AI 100-2 vocabulary in internal AI security documentation. Internal documents that use the same names are easier to audit, easier to hand off across teams, and easier to communicate to regulators and customers.
Map your existing AI threat model to the NIST AI 100-2 categories. The map surfaces categories where the threat model is silent or weak. Many teams discover that they have strong measurement against three or four categories and almost no documented activity against the rest.
Build adversarial evaluation suites that exercise each named category that applies to your deployment. Capability-only adversarial testing (the cheapest variant) is the floor; capability plus training-data and model-state testing follow.
Track the AI 100-2 publication cadence. The expanded edition (e2025) added categories; future editions will continue to evolve. Your AI security program should reference the specific version and have a documented re-adoption cadence.
Mitigations
What cybersecurity teams should put in place to reduce AI system risk. Each mitigation maps to operational practice that Cybersecurity for AI convergence roles own.
- Adopt the NIST AI 100-2 vocabulary in AI security documentation, threat models, incident-response playbooks, and vendor questionnaires.
- Map every deployment to the AI 100-2 attacker-capability and attacker-goal taxonomy. The map produces a documented matrix that is the basis for both internal governance and external audit response.
- Build adversarial evaluation suites that exercise each named category that applies to the deployment. Capability-only evaluation is the floor; expand to training-data and model-state evaluation as risk justifies.
- Track the AI 100-2 publication version and have a documented re-adoption cadence. The expanded edition (e2025) added categories; future editions will continue.
- Maintain a NIST framework cross-reference document linking AI 100-1 (RMF), AI 600-1 (GenAI profile), and AI 100-2 (adversarial taxonomy) for any AI governance program citing NIST framing.
- Train cross-functional teams on the taxonomy. Product, engineering, legal, security, and operations need a shared understanding of which categories apply to their work and which controls they own.
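The capability-by-goal map that the "Lessons for builders" and "Mitigations" sections call for can be produced mechanically from a team's inventory of documented evaluations, so that silent or weak cells are surfaced rather than discovered during an audit. The script below is an added example, not NIST's or DecipherU's code; it uses only the capability and goal names summarized on this page (a constructed subset of the full AI 100-2 taxonomy), and the evaluation inventory and case counts are constructed sample data.

```python
from dataclasses import dataclass
from itertools import product

# Attacker capabilities and goals as this page summarizes them (a constructed
# subset; the full NIST AI 100-2 taxonomy is larger and finer-grained).
CAPABILITIES = ("query-only", "data-poisoning", "model-inversion")
GOALS = ("availability", "confidentiality", "integrity")


@dataclass(frozen=True)
class Evaluation:
    """One documented adversarial evaluation from a team's threat model."""
    name: str
    capability: str
    goal: str
    cases: int  # test cases in the suite (constructed numbers below)


def coverage_matrix(evals):
    """Map evaluations onto the full capability x goal grid; cells the threat
    model never mentions are kept so they show up explicitly as 0."""
    matrix = {cell: 0 for cell in product(CAPABILITIES, GOALS)}
    for e in evals:
        cell = (e.capability, e.goal)
        if cell not in matrix:  # reject labels outside the adopted vocabulary
            raise ValueError(f"{e.name}: {cell} is not an AI 100-2 cell")
        matrix[cell] += e.cases
    return matrix


def gaps(matrix, weak_below=10):
    """Return (silent, weak): cells with no activity, and cells below threshold."""
    silent = sorted(c for c, n in matrix.items() if n == 0)
    weak = sorted(c for c, n in matrix.items() if 0 < n < weak_below)
    return silent, weak


def render(matrix):
    """Plain-text matrix suitable for a risk register or audit appendix."""
    lines = ["capability".ljust(16) + "".join(g.ljust(16) for g in GOALS)]
    for cap in CAPABILITIES:
        lines.append(cap.ljust(16) + "".join(str(matrix[(cap, g)]).ljust(16) for g in GOALS))
    return "\n".join(lines)


# Constructed sample threat model: strong on a few cells, silent on the rest.
SAMPLE = [
    Evaluation("evasion-suite", "query-only", "integrity", 120),
    Evaluation("prompt-injection-suite", "query-only", "integrity", 45),
    Evaluation("membership-inference", "query-only", "confidentiality", 8),
    Evaluation("backdoor-check", "data-poisoning", "integrity", 30),
]

if __name__ == "__main__":
    print(render(coverage_matrix(SAMPLE)))
    print("silent, weak:", gaps(coverage_matrix(SAMPLE)))
```

Cells reported as silent are the categories where the threat model has no documented activity; weak cells have some coverage but fewer cases than the threshold the team sets.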
Related Cybersecurity for AI roles
The Cybersecurity for AI convergence roles whose day-to-day work this case study touches.
- AI Security Engineer: An AI Security Engineer hardens AI systems and the surrounding infrastructure against attack across the cybersecurity stack.
- AI Red Team Engineer: An AI Red Team Engineer adversarially tests AI systems to find safety and cybersecurity failures before attackers do.
- AI Safety Engineer: An AI Safety Engineer builds cybersecurity-grade safety measures into AI systems before they ship to reduce misuse and harm.
Frequently asked questions
What is NIST AI 100-2?
NIST AI 100-2 (Adversarial Machine Learning Taxonomy and Terminology) is the federal publication that establishes the canonical vocabulary of adversarial machine learning attacks and defenses. The initial version was published in January 2024; the expanded NIST AI 100-2 e2025 followed in early 2025. Federal contractors, regulated industries, and AI security teams cite it as the working reference for adversarial-ML vocabulary.
How does NIST AI 100-2 relate to NIST AI 100-1 and AI 600-1?
NIST AI 100-1 is the parent AI Risk Management Framework (governance and process). NIST AI 600-1 is the generative-AI risk profile (risk categories specific to GenAI). NIST AI 100-2 is the adversarial-ML taxonomy that gives the GOVERN / MAP / MEASURE / MANAGE functions an attacker-centric vocabulary. Together they form the federal AI risk reference stack.
How does NIST AI 100-2 relate to MITRE ATLAS?
MITRE ATLAS is the industry-maintained adversarial-ML technique catalog modeled on MITRE ATT&CK. NIST AI 100-2 is the federal taxonomy that organizes attacker capabilities and goals across the AI lifecycle. The two reference each other; security teams use ATLAS for specific techniques and AI 100-2 for the parent taxonomy framing.
Is NIST AI 100-2 mandatory?
It is voluntary at the federal level, but it is referenced by federal procurement language, by state AI laws that reference NIST framing, and by EU AI Act guidance. In practice, federal contractors, regulated industries, and AI security teams treat AI 100-2 as the working compliance vocabulary even where it is not directly required.
Which Cybersecurity-for-AI roles work with NIST AI 100-2?
AI Security Engineer maps deployments to the taxonomy and builds defenses. AI Red Team Engineer uses the taxonomy to scope adversarial evaluation. AI Safety Engineer ties the taxonomy to safety eval coverage. AI GRC Analyst documents compliance against the taxonomy for audit and regulator review.