Resource · Frameworks comparison

AI security frameworks compared

NIST AI RMF, MITRE ATLAS, and OWASP — what each framework covers, where each stops, and where infrastructure-level enforcement closes the gap.

Scroll for report
Cameron McClellan headshotBy Cameron McClellan, Growth Engineer
Published

Most enterprises approaching AI security governance pick a framework and build a program around it. NIST AI RMF is the most common choice. It’s voluntary, credible, and audit-friendly. The problem is that NIST specifies no runtime controls. An organization can be fully NIST-aligned, with a completed AI inventory and a documented risk register, while its agents make ungoverned tool calls to production databases with no audit trail.

NIST AI RMF, MITRE ATLAS, and OWASP each address a different part of the problem. NIST is an organizational governance process. MITRE ATLAS is a living knowledge base of adversary tactics and techniques against AI-enabled systems. OWASP is a vulnerability taxonomy across three separate publications for different layers of the AI stack. Using any one as your complete AI security program leaves specific, predictable gaps.

This article maps all three: scope, audience, enforcement layer, and where each stops. It is a companion to What is AI security?, which covers the vendor and product landscape. The OWASP Agentic Top 10 is covered in depth in its own post: The OWASP Agentic Top 10, explained.

The table below maps all five publications across six capability dimensions.

AI security frameworks at a glance: comparison table showing what NIST AI RMF, MITRE ATLAS, OWASP LLM Top 10, OWASP Agentic Top 10, and OWASP MCP Top 10 each cover across governance process, adversary TTPs, vulnerability taxonomy, runtime enforcement, and regulatory evidence

NIST AI RMF is an organizational risk management process

AI RMF 1.0 was published in January 2023. It is voluntary, non-regulatory, and sector-agnostic. Its purpose is to give organizations a structured process for identifying, assessing, and managing AI risk, not to enumerate technical vulnerabilities or specify controls to deploy.

The framework organizes AI risk management into four functions:

  • Govern. Establish organizational practices, policies, and accountability structures for AI risk.
  • Map. Categorize AI systems, identify context and stakeholders, and enumerate risks associated with each system.
  • Measure. Analyze, assess, benchmark, and monitor AI risks using qualitative and quantitative methods.
  • Manage. Prioritize, respond to, and document actions taken to address identified risks.

The GenAI Profile (NIST AI 600-1), published July 2024, extends the framework to generative AI. It adds 12 GenAI risk categories and maps more than 400 suggested actions across the four functions. The categories most relevant to AI security are:

  • Data Privacy — risks from training data handling and model outputs containing personal information
  • Information Security — risks from unauthorized access, model misuse, and system compromise
  • Value Chain and Component Integration — risks from third-party models, datasets, and tooling

The Information Security category mentions runtime controls like logging, access management, and output filtering, but does not specify what those controls must be or how to implement them.

NIST recognizes the gap. In February 2026, NIST’s Center for AI Standards and Innovation (CAISI) launched the AI Agent Standards Initiative to address agent-specific risks, with initial deliverables expected later in 2026. Until those land, the framework has no guidance on governing agentic AI at runtime.

NIST AI RMF does not specify runtime enforcement

NIST AI RMF specifies no prescriptive technical controls. There is no mandated tooling, certification, or enforcement mechanism, and no guidance on how to intercept a model call or attribute agent actions to specific users.

It is voluntary unless adopted by contract or sector regulator. The EU AI Act, for example, creates obligations for high-risk AI systems that sector regulators may satisfy by referencing NIST standards. An organization can satisfy NIST AI RMF entirely through documentation and governance process without deploying a single runtime control.

Audience: Governance, risk, compliance, and AI leadership teams.

Enforcement layer: Organizational / process. NIST provides the accountability structure but does not prescribe the infrastructure that enforces it.


MITRE ATLAS is an adversary threat catalog for AI systems

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a knowledge base of adversary tactics, techniques, and case studies targeting AI-enabled systems. Built on the model of MITRE ATT&CK, it maps tactics to techniques, which map to documented case studies of real-world adversary behavior.

ATLAS is developed through MITRE’s Secure AI initiative, a collaboration with funding research participants including Microsoft, CrowdStrike, JPMorganChase, and Siemens.

Version 5.1.0 (November 2025) is the current release. It includes:

  • 16 tactics, 84 techniques, and 56 sub-techniques
  • 32 mitigations, including Adversarial Input Detection, Model Hardening, and Segmentation of AI Agent Components
  • 42 case studies drawn from real-world adversary activity

A collaboration with Zenity Labs in October 2025 added 14 agent-focused techniques, including AI agent context poisoning and exfiltration via agent tool invocation. ATLAS draws the majority of its tactics from ATT&CK and adds two AI-specific ones, AI Model Access and AI Attack Staging.

ATLAS launched with founding contributors including Microsoft, IBM, Bosch, and NVIDIA, and is now maintained through MITRE’s Secure AI collaboration with a broader set of enterprise partners. Version 5.1.0 (November 2025) includes 16 tactics, 84 techniques, 56 sub-techniques, 32 mitigations, and 42 case studies. A collaboration with Zenity Labs in October 2025 added 14 agent-focused techniques and sub-techniques, including AI agent context poisoning and exfiltration via agent tool invocation. ATLAS draws the majority of its tactics from ATT&CK and adds ML-specific ones: ML Model Access, ML Attack Staging, and AI-tuned variants of Discovery and Resource Development.

MITRE ATLAS does not specify defender architecture

ATLAS is scoped to adversary behavior. Identity design, access control, governance processes, and compliance mapping are all outside its coverage. An organization that has mapped every ATLAS technique still needs separate answers to:

  • who is authorized to call which tools
  • how credentials are managed
  • what constitutes a complete audit trail

Knowing the attacker playbook is a starting point, but ATLAS leaves the defensive infrastructure design entirely to the organization.

Audience: Red teams, threat-intelligence practitioners, security engineers building detection rules.

Enforcement layer: Threat model / detection. ATLAS informs what to detect. The enforcement infrastructure must be built separately.


OWASP maps specific vulnerabilities across three layers of the AI stack

The Open Worldwide Application Security Project takes an engineer-first approach to AI security. Unlike NIST (governance process) and MITRE (adversary behavior), OWASP enumerates specific vulnerability classes at each layer of the AI stack and maps what must be defended against at each point.

OWASP’s AI security coverage spans three separate publications, one per layer:

  • OWASP LLM Top 10 — the application layer. Covers risks including prompt injection, sensitive information disclosure, data and model poisoning, excessive agency, system prompt leakage, and unbounded consumption.
  • OWASP Agentic AI Top 10 — the agentic layer. Covers risks including tool misuse, identity and privilege abuse, inter-agent communication vulnerabilities, cascading failures, and memory and context poisoning.
  • OWASP MCP Top 10 — the protocol layer. Covers risks including token mismanagement, privilege escalation, tool poisoning, command injection, insufficient authentication, and gaps in audit telemetry.

This is the most prescriptive of the three frameworks. OWASP names specific vulnerability classes, describes the attack pattern, and maps each risk to the enforcement layer where it must be addressed.

OWASP does not address organizational governance or compliance

As a vulnerability taxonomy, OWASP describes what can go wrong at each layer of the stack, without prescribing an organizational program for managing risk over time, mapping to regulatory frameworks, or creating accountability structures. A team that has implemented controls against every relevant OWASP category still has no compliance evidence and no governance process. That is NIST’s job.

Audience: Security engineers, architects, and platform teams building or governing AI applications and infrastructure.

Enforcement layer: Application, agentic, and protocol layers. Spans from the LLM gateway through the MCP gateway to agent hooks and identity.


No single framework is sufficient

An enterprise that adopts only one of these three frameworks will have specific, predictable gaps.

NIST AI RMF alone

NIST produces a governance process with no runtime controls. An organization that is fully NIST-aligned, with a completed AI inventory, documented risk register, and mapped GenAI risk categories, can still have agents making ungoverned tool calls to production databases with no audit trail. NIST specifies how to manage what you deploy, leaving the deployment decisions entirely to the organization.

MITRE ATLAS alone

ATLAS gives threat intelligence with no defensive architecture. Knowing that prompt injection chains and memory manipulation attacks exist is useful for detection engineering, but leaves open the harder questions:

  • where in the stack to put the detection
  • who is authorized to call which tools
  • how to design the identity layer that makes access auditable

OWASP alone

OWASP gives precise vulnerability taxonomy with no organizational governance. A team that has implemented controls against every relevant OWASP category still needs:

  • an accountability structure
  • a risk management process
  • a way to demonstrate due diligence to auditors and boards

OWASP publications are engineering references and carry no weight as compliance evidence.

Using all three together

A mature program draws from all three. NIST provides organizational process and accountability. MITRE provides threat intelligence and detection engineering. OWASP provides the specific controls to build at each infrastructure layer. The three frameworks are complementary because they address genuinely different parts of the same problem.


What each framework covers and what it misses

NIST AI RMFMITRE ATLASOWASP
Core purposeOrganizational governance processAdversary threat intelligenceVulnerability taxonomy
Key question”Are we managing AI risk responsibly?""What will attackers do to our systems?""What can go wrong at each layer of the stack?”
Primary outputRisk register, accountability documentation, AI inventoryAdversary technique catalog, detection engineering inputsControl requirements mapped to each layer of the AI stack
Who uses itGRC, AI leadership, boardsRed teams, threat-intel practitioners, security engineersPlatform engineers, architects, security teams
Regulatory valueYes — structured evidence for auditorsNoNo
Runtime enforcementNot addressedNot addressedMapped by layer; implementation not prescribed

The last row highlights the enforcement gap each framework leaves. NIST tells you to govern your runtime controls but doesn’t specify what they are. MITRE tells you which adversary techniques to instrument against but not where in the stack to put the instrumentation. OWASP goes furthest, mapping specific vulnerability classes to the enforcement layer where each must be addressed, but stops short of prescribing implementations. In every case, the actual deployment of identity, gateway enforcement, audit logging, and agent hooks is left to the organization.


Enforcing these frameworks requires infrastructure at every layer

Each framework describes risk or process at a different layer, and enforcing that risk requires infrastructure at the same layer.

The AI control plane is the architecture that spans the full stack. It covers:

  • Model calls, via an LLM gateway
  • Tool calls, via an MCP gateway
  • Runtime interception and tamper-evident audit logging
  • A governance layer that maps to NIST’s four functions

The table below shows which layer each framework addresses and where enforcement infrastructure must fill the gap.

Where each framework maps to the enforcement stack: table showing NIST AI RMF, MITRE ATLAS, OWASP LLM, OWASP Agentic, and OWASP MCP mapped across governance layer, LLM gateway, MCP gateway, agent hooks, and audit logging

The practical starting point for most enterprises is the layer where exposure is most immediate. For organizations with production MCP deployments, that’s the MCP gateway — the enforcement point for tool-call authentication, credential management, and schema validation, where AI infrastructure vulnerabilities are most actively concentrated. For organizations primarily concerned with model-call governance, it’s the LLM gateway. For organizations running an AI governance initiative, it’s mapping the existing stack against NIST’s four functions to surface what’s documented versus what’s actually enforced.

  • Production MCP deployments — start with the MCP gateway, the enforcement point for tool-call authentication, credential management, and schema validation.
  • Model-call governance — start with the LLM gateway.
  • AI governance initiative — start by mapping the existing stack against NIST’s four functions to surface what’s documented versus what’s actually enforced.

The AI control plane is what enforcement looks like when these frameworks are turned into deployed infrastructure. For the full vendor and product landscape across all five enforcement layers, see What is AI security?.


A note on Speakeasy

Speakeasy is building the AI control plane, the enforcement infrastructure that all three frameworks require but none specifies.

The MCP gateway enforces tool-call authentication, access policy, and credential management on every agent-to-tool interaction. The LLM gateway governs model calls. Agent hooks intercept tool execution at runtime. Tamper-evident audit logging covers the audit trail that NIST’s Manage function requires but doesn’t specify how to build.

Frequently asked questions

No single framework is sufficient. NIST AI RMF provides the organizational governance process. MITRE ATLAS maps adversary techniques for red teams. OWASP LLM Top 10 addresses model-layer vulnerabilities in applications. OWASP Agentic Top 10 addresses agent-system threats. OWASP MCP Top 10 addresses protocol and server-layer risks. A mature enterprise security program draws from all five, layered against an enforcement architecture rather than a single checklist.

The NIST AI Risk Management Framework is voluntary and non-prescriptive. It defines four functions, Govern, Map, Measure, and Manage, and more than 400 suggested actions across them. The GenAI Profile (NIST AI 600-1, July 2024) maps 12 generative AI risk categories to those functions. NIST does not specify required tooling, certification, runtime controls, or enforcement mechanisms. A framework adopter must determine their own technical controls. NIST is relevant to procurement, contractual obligations, and sector-specific regulatory adoption, but leaves all deployment decisions to the organization.

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) applies the ATT&CK knowledge-base model to AI-enabled systems. Where ATT&CK maps adversary techniques against enterprise IT, ATLAS maps adversary techniques against AI models, covering adversarial examples, model inversion, data poisoning, and prompt injection. ATLAS v5.1.0 (November 2025) includes 16 tactics, 84 techniques, and 56 sub-techniques, including new agentic AI techniques. The majority of its tactics are adapted from ATT&CK. Two are AI-specific additions: AI Model Access and AI Attack Staging. Like ATT&CK, ATLAS focuses on adversary behavior and case studies rather than defensive architecture.

The OWASP LLM Top 10 covers risks at the single-model-call boundary: what goes wrong when an application submits prompts and receives completions. The Agentic Top 10 covers systems of agents with multi-step orchestration, tool use, persistent memory, and inter-agent communication. The Agentic list introduces threat categories that have no equivalent in the LLM list, including rogue agents, cascading failures, and identity and privilege abuse, because these risks only emerge at the multi-agent level.

The OWASP MCP Top 10 addresses risks specific to the Model Context Protocol, the standard that governs how AI agents connect to external tools and data sources. Published in 2025 and currently in beta, it covers ten risk categories including token mismanagement, privilege escalation, tool poisoning, supply chain attacks, command injection, and shadow MCP servers. Between January and February 2026, [more than 30 CVEs were filed](https://www.practical-devsecops.com/owasp-mcp-top-10/) against MCP servers, clients, and tooling. The MCP Top 10 is the most operationally relevant framework for organizations deploying production MCP infrastructure.

Frameworks describe risks, and turning those descriptions into enforcement requires infrastructure at each layer. The LLM gateway handles prompt and completion inspection, covering OWASP LLM Top 10 risks. The MCP gateway handles tool-call authentication, credential management, schema validation, and access policy, covering the MCP Top 10 and agentic tool misuse risks. Agent hooks handle pre- and post-tool-call interception at runtime. Tamper-evident audit logging covers the audit trail requirements across all three frameworks. No single product covers all enforcement layers.

None of these frameworks are legally mandated in themselves. NIST AI RMF is voluntary unless adopted by contract or sector regulator. MITRE ATLAS and the OWASP publications are community-maintained references with no regulatory force. Regulated industries may face sector-specific AI requirements that reference NIST standards or OWASP guidance. The [EU AI Act](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai) creates obligations for high-risk AI systems in European markets. In practice, enterprise procurement increasingly asks vendors to demonstrate alignment with these frameworks as a proxy for security maturity.

AI everywhere.