
AI-specific security frameworks, threat taxonomies, government secure development guidance, and information security management standards applied to AI systems.

Last Updated: June 2026


Scope

This directory covers:

  • Adversarial AI threat taxonomies — MITRE ATLAS (adversarial threat knowledge base for ML systems)
  • Government secure development guidelines — NCSC/CISA/ASD joint guidelines for secure AI system development (18 national agencies, November 2023)
  • Information security management standards applied to AI — ISO/IEC 27001 (Information Security Management Systems) and ISO/IEC 27701 (Privacy Information Management)
  • AI-specific attack vectors — prompt injection, data poisoning, model inversion, membership inference, supply chain attacks on AI systems, non-human identity and access management
  • Adversarial testing & supply-chain tooling surveys — open-source tool landscapes for AI red teaming (Garak, PyRIT) and ML supply-chain security
  • Agentic security tooling — agentic/ contains practical implementation guides for sandboxing, agent identity (SPIFFE/SPIRE), policy controls (OPA/Casbin), prompt security (Guardrails AI, Rebuff, Presidio), and secrets/network management for AI agents, plus an attack-vector and detection-tooling survey (agentic-ai-security.md)

What is not here: How to conduct assurance engagements over AI security controls (→ AI-assurance/ — in particular Professional-Assurance-Standards/ for ASAE 3150 controls assurance, and AI-Assurance-market-scan/Regulator-Analysis-APRA.md and APRA-AI-Assurance-Obligations.md for CPS 234 AI-extended obligations). Technical AI standards (→ AI-Governance/standards/).


Relationship to Other Directories

| Directory | Role |
|---|---|
| This directory (AI-security/) | Security frameworks, threat models, secure development guidance, ISMS standards, and agentic security tooling (agentic/ subdirectory) |
| AI-assurance/ | How security controls are formally assured — ASAE 3150 controls assurance, CPS 234 tripartite review, APRA AI letter obligations |
| AI-Governance/standards/ | Normative technical standards for AI systems (ISO/IEC SC 42 family, NIST AI RMF, EU AI Act) |
| AI-Governance/ | Controls templates, OWASP AI Security Top 10, incident response, monitoring |

Key connection to APRA: APRA’s April 2026 AI letter (Observation Area 1: Cyber and Information Security) operationalises CPS 234 for AI-specific attack vectors — prompt injection, non-human IAM, AI-generated code risks, agentic workflow controls. See AI-assurance/AI-Assurance-market-scan/APRA-AI-Assurance-Obligations.md for the assurance engagement mapping.

Coming: ISO/IEC 27090 (AI security) and 27091 (AI privacy) — add deep-dives on publication.


File Index

Adversarial Threat Taxonomies

| File | Coverage |
|---|---|
| MITRE-ATLAS-Deep-Dive.md | MITRE ATLAS v5.4 — adversarial threat knowledge base for ML systems; attack techniques, case studies, mitigations |

Government Secure Development Guidelines

| File | Coverage |
|---|---|
| NCSC-CISA-ASD-Secure-AI-Development-Deep-Dive.md | Joint guidelines from 18 national agencies (NCSC UK, CISA US, ASD Australia, and others) — November 2023; secure design, development, deployment, and operation of AI systems; agentic AI and frontier model security considerations |

Information Security Management Standards

| File | Standard | Notes |
|---|---|---|
| ISO-IEC-27001-Deep-Dive.md | ISO/IEC 27001 — Information Security Management Systems | Certifiable ISMS standard; foundational for CPS 234 compliance |
| ISO-IEC-27701-Deep-Dive.md | ISO/IEC 27701 — Privacy Information Management | Extension to ISO 27001 for privacy; relevant to AI data governance |

Security Tooling Surveys

Open-source tool landscape analyses (relocated from research/tools/) — companions to the conceptual frameworks above.

| File | Coverage |
|---|---|
| ai-red-teaming.md | AI red teaming & adversarial testing tools — Garak, PyRIT, automated jailbreak/safety probing; pairs with MITRE ATLAS |
| ai-supply-chain-security.md | ML supply-chain security tooling — securing the pipeline from data sources to deployment; pairs with the NCSC/CISA/ASD secure-development guidance |

Agentic Security Tooling

| Directory | Coverage |
|---|---|
| agentic/ | Practical implementation guides: sandboxing (Kata Containers, gVisor, Firecracker), policy controls (OPA, Casbin, Cedar), agent identity (SPIFFE/SPIRE, workload federation), prompt security (Guardrails AI, NeMo, Rebuff, Presidio), secrets and network management, plus agentic-ai-security.md (attack vectors and detection tooling — MCP poisoning, indirect injection, memory attacks, multi-agent trust). See agentic/00-index.md for the full index. |

Pending Additions

| Document | Trigger / Status |
|---|---|
| ISO-IEC-27090-Deep-Dive.md — AI security (cybersecurity and AI) | On publication of standard |
| ISO-IEC-27091-Deep-Dive.md — AI privacy | On publication of standard |
| ASD-Agentic-AI-Security-Guidance.md — ASD May 2026 agentic AI guidance | High priority — guidance published May 2026; referenced in APRA AI letter |