International Standards and Frameworks in AI Security
The security of artificial intelligence systems is based on the integrated application of multiple complementary standards and frameworks that together cover the full spectrum of the AI lifecycle.
Introduction
The security of artificial intelligence systems is not the result of a single technological solution, but is based on the integrated application of multiple complementary standards and frameworks. These frameworks operate at different levels of abstraction: some provide high-level governance and risk management models, while others define concrete technical attack taxonomies and security controls.
An organization’s AI security maturity can be measured precisely by whether it is capable of applying these frameworks as a unified system covering the full spectrum of the AI lifecycle, and of interpreting and operationalizing them in the context of AI-specific risks.
1. Risk-Based Governance: NIST AI Risk Management Framework
The NIST AI Risk Management Framework is one of the most important technology-neutral governance models, supporting the structured, iterative management of risks associated with AI systems. A fundamental characteristic of the framework is that it does not prescribe specific technical solutions, but rather provides a conceptual and operational structure that can be applied across different organizational and technological environments.
The model organizes risk management around four closely related and iteratively operating functions. The governance (Govern) dimension focuses on defining organizational responsibilities, risk appetite, and ethical principles, thereby creating the framework within which AI systems operate.
This is complemented by the mapping (Map) function, which performs the systematic identification of the system’s context, objectives, and potential risks.
In the measurement (Measure) phase, the organization evaluates the model’s performance, biases, uncertainty, and vulnerabilities using qualitative and quantitative methods. This step is particularly critical in probabilistic systems, where risks do not appear in a binary way.
The process is concluded by the management (Manage) function, which ensures the implementation of technical and organizational controls designed to reduce identified risks, as well as their continuous validation.
One of the most important characteristics of the framework is that it does not operate linearly. The four functions build on one another, while at the same time forming continuous feedback loops that make dynamic reassessment of risks possible. Accordingly, the NIST AI RMF is not a one-time compliance tool, but a continuously operated governance system that covers the organization’s entire AI lifecycle.
2. Concrete Security Controls: NIST SP 800-53 and the Related AI-Specific Extension
While the NIST AI RMF provides a high-level governance framework, NIST SP 800-53 Rev. 5 (and its AI-specific extensions) provides a catalog of practical, implementable security controls. From 2025, the NIST Control Overlays for Securing AI Systems (COSAiS) project is developing AI-tailored control overlays that adapt the baseline controls of SP 800-53 to AI components (models, training data, inference pipelines).
In AI environments, the controls require an extended interpretation: access control (AC family) extends to model weights and to training and validation datasets as well. Similarly, audit and logging mechanisms must record not only infrastructure-level events, but also input–output interactions related to the model’s operation, thereby ensuring the traceability of behavior.
System integrity and configuration management also gain a new dimension in the case of AI systems. Control over model versions, training parameters, and data sources is just as critical as it is for traditional software components. In addition, incident response processes must also adapt to AI-specific events, which do not necessarily appear as technical failures, but rather as behavioral anomalies.
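The integrity and audit controls described above, worked through as an added example that is not part of the original article or of any NIST publication. It assumes a hypothetical model registry whose manifest records the hash of the weights, the training parameters and the hash of every data-source snapshot, signs that manifest, and refuses to load an artifact that no longer matches; it also shows a model-level audit event for one inference interaction that records hashes and lengths of the prompt and response rather than their raw text. All names, keys and data below are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ModelManifest:
    """Version record for one model release (hypothetical registry format): the
    weight hash, the training parameters and the hash of each data-source snapshot."""
    model_id: str
    version: str
    weights_sha256: str
    training_params: Dict[str, float]
    data_sources: Dict[str, str]   # dataset name -> sha256 of the snapshot used

    def canonical(self) -> bytes:
        # Deterministic serialisation so the signature covers every field.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: ModelManifest, key: bytes) -> str:
    """HMAC over the canonical manifest; a production registry would use an
    asymmetric signature so that verifiers cannot also forge manifests."""
    return hmac.new(key, manifest.canonical(), hashlib.sha256).hexdigest()


def build_manifest(model_id: str, version: str, weights: bytes,
                   params: Dict[str, float], datasets: Dict[str, bytes]) -> ModelManifest:
    return ModelManifest(
        model_id=model_id,
        version=version,
        weights_sha256=sha256_hex(weights),
        training_params=dict(params),
        data_sources={name: sha256_hex(blob) for name, blob in datasets.items()},
    )


def verify_artifact(manifest: ModelManifest, signature: str, key: bytes,
                    weights: bytes, datasets: Dict[str, bytes]) -> List[str]:
    """Integrity findings for a model about to be loaded. An empty list means the
    weights and every data source match the signed manifest."""
    findings: List[str] = []
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        findings.append("manifest signature mismatch")
    if sha256_hex(weights) != manifest.weights_sha256:
        findings.append("weights hash mismatch")
    for name, expected in manifest.data_sources.items():
        blob = datasets.get(name)
        if blob is None:
            findings.append(f"data source missing: {name}")
        elif sha256_hex(blob) != expected:
            findings.append(f"data source hash mismatch: {name}")
    return findings


def inference_audit_event(manifest: ModelManifest, principal: str, prompt: str,
                          response: str, ts: Optional[float] = None) -> dict:
    """Audit record for one model interaction. Content is logged as hashes and
    lengths so the audit trail does not become a second copy of sensitive data,
    while a retained transcript can still be matched to the event by hash."""
    return {
        "ts": time.time() if ts is None else ts,
        "model": f"{manifest.model_id}@{manifest.version}",
        "weights_sha256": manifest.weights_sha256,
        "principal": principal,
        "prompt_sha256": sha256_hex(prompt.encode("utf-8")),
        "prompt_chars": len(prompt),
        "response_sha256": sha256_hex(response.encode("utf-8")),
        "response_chars": len(response),
    }


# Constructed sample data (not real model weights, datasets or keys).
KEY = b"registry-signing-key-demo"
WEIGHTS = b"\x00\x01\x02weights-v1"
DATASETS = {"tickets_2024": b"ticket,label\n1,refund\n", "faq": b"q,a\nhi,hello\n"}
MANIFEST = build_manifest("support-assistant", "1.4.0", WEIGHTS,
                          {"lr": 3e-5, "epochs": 3}, DATASETS)
SIGNATURE = sign_manifest(MANIFEST, KEY)

if __name__ == "__main__":
    print("clean:", verify_artifact(MANIFEST, SIGNATURE, KEY, WEIGHTS, DATASETS))
    print("tampered:", verify_artifact(MANIFEST, SIGNATURE, KEY, WEIGHTS + b"x", DATASETS))
    print(json.dumps(inference_audit_event(MANIFEST, "alice", "hello", "hi"), indent=1))
```

The same manifest serves configuration management (which parameters and data produced this version) and integrity (nothing was swapped between training and deployment); an attacker who replaces the weights must also forge the signed manifest, and a poisoned dataset snapshot shows up as a hash mismatch before the model is retrained or loaded.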
It is important to emphasize that AI-specific security approaches do not replace classical information security controls. On the contrary: the security of AI systems is built on these foundations. Traditional IT security controls, such as access control, logging, configuration control, and incident response, remain indispensable and must be applied in ways adapted to the characteristics of AI.
3. Governance and Audit Framework: ISO/IEC 42001 and ISO/IEC 27001
ISO/IEC 42001:2023 is the first international certifiable management system standard that specifically focuses on the organizational-level governance of artificial intelligence systems. The purpose of the standard is to establish a formal AI Management System (AIMS) that provides a structured and auditable framework covering the full lifecycle of AI systems, including development, procurement, operation, and oversight. Its structure follows the unified high-level structure (Annex SL) of ISO standards, and therefore aligns closely with the information security management systems defined by ISO/IEC 27001, enabling their integrated application.
A central element of the standard is the system of documented processes and controls, which enables the organization to manage AI-related activities in a unified way. This is complemented by the requirement for auditability, which ensures that operations are not only controlled, but can also be demonstrated to an external party. The principle of continuous improvement, which is one of the core characteristics of ISO standards, is particularly important in the case of AI systems, as their behavior may change over time and as data changes.
The foundation of the standard’s operation is the risk-based approach, which makes it possible for the organization to adapt control mechanisms to the criticality of each use case and to the nature of the related risks. This is particularly relevant in the case of AI systems, where risks arise not only in technical dimensions, but also in business, legal, and ethical dimensions.
An important professional insight is that AI security cannot be interpreted as an isolated function. The protection of AI systems is closely connected to the Information Security Management System (ISMS), and can be interpreted as its extension. Accordingly, the risk management model defined by ISO/IEC 27005 can also be applied in AI environments, but requires supplementation with non-deterministic risk factors arising from the specific operation of models.
ISO/IEC 42001 does not prescribe the details of technical implementation, but rather provides an organizational and governance framework that enables the structured, controlled, and auditable operation of AI systems throughout the entire lifecycle.
4. Technical Attack Vectors: OWASP Top 10 for LLM Applications
The OWASP Top 10 for LLM Applications systematizes the most important attack surfaces and vulnerability categories related to large language models. While the previously presented frameworks primarily operate at the governance and risk management level, the OWASP approach focuses directly on development and operational practice. Accordingly, this framework primarily provides concrete guidance for technical teams.
One of the model’s central elements is input manipulation, especially the handling of prompt injection attacks. In these cases, the attacker attempts to influence model behavior through natural language inputs, bypassing restrictions built into the system. Closely related to this is the problem of insecure output handling, when responses generated by the model are forwarded to other systems without validation, leading to further vulnerabilities, such as code injection or automation failures.
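The insecure output handling case from the previous paragraph, as an added example that is not part of the original article or of the OWASP project: a handler that lets the model's JSON pick any backend method, beside a hardened version that treats the output as untrusted data, allowlists the actions, validates every argument against a per-action schema, and rejects everything else. The backend, action names and sample outputs are constructed for the example.

```python
import json
import re
from typing import Any, Callable, Dict


class OrderBackend:
    """Constructed stand-in for a downstream business system the assistant can drive."""

    def __init__(self) -> None:
        self.orders = {"A-1001": "shipped", "A-1002": "processing"}
        self.deleted = False

    def lookup_order(self, order_id: str) -> str:
        return self.orders.get(order_id, "unknown")

    def cancel_order(self, order_id: str) -> str:
        if order_id in self.orders:
            self.orders[order_id] = "cancelled"
            return "cancelled"
        return "unknown"

    def delete_all_orders(self) -> str:
        self.deleted = True
        return "all orders deleted"


def dispatch_insecure(backend: OrderBackend, model_output: str) -> str:
    """Insecure output handling: the model's JSON names the method and its
    arguments and the handler trusts it, so any output the model can be made to
    emit reaches any method the backend exposes."""
    call = json.loads(model_output)
    return getattr(backend, call["action"])(**call.get("args", {}))


# Hardened handler: model output is untrusted data. Actions are allowlisted,
# each argument has its own validator, and anything else is rejected.
ORDER_ID = re.compile(r"^[A-Z]-\d{4}$")
ALLOWED_ACTIONS: Dict[str, Dict[str, Callable[[Any], bool]]] = {
    "lookup_order": {"order_id": lambda v: isinstance(v, str) and bool(ORDER_ID.match(v))},
    "cancel_order": {"order_id": lambda v: isinstance(v, str) and bool(ORDER_ID.match(v))},
}
MAX_OUTPUT_BYTES = 1024


class RejectedOutput(ValueError):
    """Raised when model output does not match the expected action schema."""


def parse_model_action(model_output: str) -> Dict[str, Any]:
    if len(model_output.encode("utf-8")) > MAX_OUTPUT_BYTES:
        raise RejectedOutput("output too large")
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError as exc:
        raise RejectedOutput(f"not JSON: {exc.msg}") from None
    if not isinstance(call, dict) or set(call) != {"action", "args"}:
        raise RejectedOutput("unexpected shape")
    schema = ALLOWED_ACTIONS.get(call["action"])
    if schema is None:
        raise RejectedOutput(f"action not allowed: {call['action']!r}")
    args = call["args"]
    if not isinstance(args, dict) or set(args) != set(schema):
        raise RejectedOutput("argument set does not match schema")
    for name, is_valid in schema.items():
        if not is_valid(args[name]):
            raise RejectedOutput(f"invalid argument: {name}")
    return call


def dispatch_hardened(backend: OrderBackend, model_output: str) -> str:
    call = parse_model_action(model_output)
    return getattr(backend, call["action"])(**call["args"])


# Constructed model outputs: one benign, one shaped by an injected instruction.
BENIGN = '{"action": "lookup_order", "args": {"order_id": "A-1001"}}'
INJECTED = '{"action": "delete_all_orders", "args": {}}'

if __name__ == "__main__":
    b = OrderBackend()
    print(dispatch_insecure(b, BENIGN), "|", dispatch_insecure(b, INJECTED), "| deleted:", b.deleted)
    b = OrderBackend()
    print(dispatch_hardened(b, BENIGN))
    try:
        dispatch_hardened(b, INJECTED)
    except RejectedOutput as exc:
        print("rejected:", exc, "| deleted:", b.deleted)
```

The same rule applies to every sink the model output reaches: a shell, a SQL query, an HTML page or a file path gets the same parse-then-validate step, never a direct forward, because the model's text is attacker-influenced whenever any of its inputs were.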
Training data integrity is also a critical area. The goal of data poisoning attacks is to distort the model’s behavior already during the training phase, thereby influencing its decisions in the long term. At the same time, the leakage of sensitive information carries significant risk when the model (even unintentionally) reproduces confidential data from its training data or from its context.
Supply chain and plugin-related attacks add further complexity. Modern AI solutions often consist of multiple components, and a single compromised component can indirectly endanger the security of the entire system.
It is important to emphasize that the OWASP Top 10 cannot be considered a complete security model. The list evolves continuously in parallel with changes in attack techniques, and therefore primarily serves as a starting point for identifying and prioritizing technical risks. For effective security, the framework must be applied together with other governance and threat modeling approaches.
5. Adversarial Threats: MITRE ATLAS
MITRE ATLAS is a structured knowledge base that systematizes adversarial attack techniques used against artificial intelligence systems. The goal of the framework is to provide a unified taxonomy and analytical model for understanding AI-specific attacks, serving a role similar to that of MITRE ATT&CK in classical IT security.
ATLAS is particularly valuable in that it documents not theoretical vulnerabilities, but real attack methods and their practical implementation. As a result, the framework can be directly applied in threat modeling, where security professionals can identify which attack techniques a given AI system is exposed to. This approach makes the systematic mapping of the attack surface possible, taking into account the type of model, the data sources, and the integration points.
Another key area of application for the framework is adversarial testing and red teaming. In this context, ATLAS is not merely a descriptive tool, but serves as the basis for concrete attack scenarios through which security mechanisms can be validated under real conditions. This is especially important in cases where model behavior is non-deterministic and classical testing methods are unable to cover the full range of possible outputs.
MITRE ATLAS also supports the evaluation of the effectiveness of security controls. The mitigation strategies assigned to individual attack techniques make it possible to examine the extent to which implemented security measures are capable of reducing risks. This approach helps avoid the common mistake of building security exclusively on theoretical or compliance considerations.
Overall, MITRE ATLAS plays a key role in ensuring that AI security is not limited to static controls and documented processes, but is based on active attacker-perspective validation. The use of the framework ensures that security not only complies with standards, but also operates effectively in the real threat environment.
6. Operational Implementation: MLSecOps and the Secure Lifecycle of AI Systems
The frameworks presented earlier - such as the NIST AI Risk Management Framework, ISO/IEC 42001, or MITRE ATLAS - do not in themselves guarantee security. They provide direction and structure, but actual security is only achieved if the principles are embedded into daily development and operational processes. This role is fulfilled by MLSecOps (Machine Learning Security Operations), which ensures the enforcement of security controls throughout the full lifecycle of AI systems.
MLSecOps is the further development of the traditional DevSecOps approach, specifically adapted to the characteristics of machine learning systems. While in classical software development code is at the center, in the case of AI systems data, models, and their dynamic behavior also form part of the attack surface. Accordingly, security controls cannot be limited to code review or infrastructure security, but must extend to the entire ML pipeline.
Overall, MLSecOps provides the operational bridge that connects regulatory expectations and technical controls to everyday operation. Without this, even the most sophisticated frameworks remain merely theoretical constructs. For mature organizations, MLSecOps is not an optional addition, but a fundamental requirement for the secure and scalable operation of AI systems.
7. Cloud-Based AI and the Shared Responsibility Model (Cloud & Shared Responsibility)
The overwhelming majority of modern AI systems operate on cloud-based infrastructure, whether by running self-developed models or using services provided by third parties. As a result, security is not the task of a single actor, but is shaped according to a shared responsibility model between the cloud provider and the user organization.
In the classical interpretation, the provider is responsible for the physical and basic logical protection of the infrastructure, including data center security, network isolation, and the integrity of foundational platform services, while the user organization is responsible for protecting data, applications, and configurations. In the case of AI systems, however, this boundary becomes significantly more complex.
AI-specific components, such as models, training data, inference pipelines, and API-based interfaces, create new attack surfaces that in almost every case fall within the user organization’s zone of control. This means that even with fully managed AI services (e.g. “AI-as-a-Service”), security responsibility cannot be delegated to the provider.
To understand the boundaries of responsibility, examining the service model is essential. In infrastructure-based (IaaS) environments, the organization exercises full control over the runtime environment, so model protection, network regulation, and access control are entirely its own responsibilities. In platform-level (PaaS) AI services, the provider abstracts certain components, but model behavior, data handling, and interface security remain the user’s responsibility. At the highest level of abstraction, when using generative AI or foundation model APIs, the organization no longer controls the model’s internal operation, but remains fully responsible for the security of inputs, outputs, and integration logic.
One of the most important professional insights is that the most critical risks of AI systems do not appear at the infrastructure layer, but at the application and logic layer. These attacks typically occur through legitimate interfaces, which is why classical network and perimeter security controls are not sufficient on their own.
As a consequence, the central element of cloud-based AI security is not infrastructure security, but the correct design of control points. This includes input validation, output filtering, the granularity of access, and what systems and data the model can access. An inadequately segmented AI system can easily become a bridge between different business systems, enabling chained attacks.
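The access-granularity control point from the paragraph above, as an added example that is not part of the original article: an authorization gate placed in front of every model-initiated tool call. The model acts only with the rights of the person it serves (never a privileged service identity), may only reach the systems its deployment is segmented to, and is refused cross-tenant data regardless of role. The policy tables, principals and systems are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class Principal:
    """The human (or service) on whose behalf the assistant is acting."""
    user_id: str
    tenant: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class ToolCall:
    system: str      # downstream system the model wants to reach, e.g. "orders"
    operation: str   # "read" or "write"
    tenant: str      # tenant that owns the record the call touches


# Deployment-level segmentation (hypothetical policy): which systems this
# assistant may reach at all and the most it may do there. Deny by default;
# systems such as HR or payments are simply absent from the map.
DEPLOYMENT_CAPABILITIES: Dict[str, Set[str]] = {
    "orders": {"read", "write"},
    "knowledge_base": {"read"},
}

# Role entitlements of the calling principal. The model inherits these and
# nothing more, so a prompt cannot raise the caller's privileges.
ROLE_RIGHTS: Dict[str, Set[str]] = {
    "support_agent": {"orders:read", "orders:write", "knowledge_base:read"},
    "customer": {"orders:read", "knowledge_base:read"},
}


def authorize_tool_call(principal: Principal, call: ToolCall) -> str:
    """Return "allow" or "deny: <reason>" for one model-initiated call. The
    checks run from the most categorical (is this system reachable at all?)
    to the most specific (does this caller hold the right?)."""
    allowed_ops = DEPLOYMENT_CAPABILITIES.get(call.system)
    if allowed_ops is None:
        return f"deny: system {call.system!r} is outside this deployment's segment"
    if call.operation not in allowed_ops:
        return f"deny: {call.operation} not permitted on {call.system} for this deployment"
    if call.tenant != principal.tenant:
        return "deny: cross-tenant access"
    needed = f"{call.system}:{call.operation}"
    if not any(needed in ROLE_RIGHTS.get(role, set()) for role in principal.roles):
        return f"deny: principal lacks {needed}"
    return "allow"


# Constructed principals for the demonstration.
AGENT = Principal("u-17", "acme", frozenset({"support_agent"}))
CUSTOMER = Principal("u-42", "acme", frozenset({"customer"}))

if __name__ == "__main__":
    for who, call in [
        (AGENT, ToolCall("orders", "write", "acme")),
        (CUSTOMER, ToolCall("orders", "write", "acme")),
        (AGENT, ToolCall("orders", "read", "globex")),
        (AGENT, ToolCall("hr", "read", "acme")),
    ]:
        print(who.user_id, call, "->", authorize_tool_call(who, call))
```

Because the gate sits between the model and every downstream system, a compromised or manipulated model cannot turn the assistant into the bridge the paragraph warns about: the set of systems it can reach is fixed by deployment, and the data it can see is bounded by the caller's own tenant and role.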
Overall, the shared responsibility model in AI environments does not reduce, but rather redefines organizational responsibility. The cloud provider ensures the foundation of operation, but the actual security of the AI system must in every case be guaranteed by the user organization, particularly with regard to risks affecting model behavior and data handling. An organization that misunderstands this boundary can easily end up in a “secure infrastructure, insecure AI” state, where the platform is secure, but the intelligent system running on it is not.
8. Integration of Frameworks into the AI Lifecycle
The standards and frameworks used in the field of AI security do not in themselves provide full protection. Real security capability only emerges when these models are not treated as tools independent of one another, but operate as a unified system integrated into every phase of the AI lifecycle.
The different frameworks operate at different levels of abstraction and address different problems. The foundation of risk-based thinking and structural approach is provided by the NIST AI Risk Management Framework, which defines what must be identified, measured, and managed in the case of an AI system. In parallel, ISO/IEC 42001 and ISO/IEC 27001 establish governance and auditability frameworks, ensuring that the organization’s operation is documented, repeatable, and demonstrable from a compliance perspective.
High-level governance models, however, are not sufficient on their own to create technical security. This gap is filled by frameworks defining concrete security controls, such as NIST SP 800-53, which provides fundamental information security controls, and OWASP Top 10 for LLM, which focuses on AI-specific attack surfaces. These provide the practical toolkit that can be directly applied at development and operational levels.
To achieve complete security, however, the integration of the attacker perspective is also indispensable. This is where MITRE ATLAS plays a key role, systematically organizing attack techniques used against AI systems. This framework makes it possible for security not to be based merely on theoretical compliance, but to be validated against real attack patterns.
The integration of these models into operations is realized through the MLSecOps approach. This approach ensures that risk management principles, governance requirements, and technical controls do not exist as separate documents, but are embedded into the full lifecycle of AI systems, from data collection through model development and deployment to runtime monitoring.
In practice, this means that the security of a given AI system is not the result of “checking off” a single framework, but the consequence of their coordinated application.
Risks are identified along the lines of the NIST AI RMF, organizational operation is formalized according to ISO frameworks, technical controls are implemented based on NIST SP 800-53 and OWASP guidance, while the effectiveness of security is ensured by validation against the attack patterns described by MITRE ATLAS.
Overall, AI security maturity is measured not by the number of tools applied, but by the quality of their integration. An organization capable of arranging these frameworks into a unified architecture not only complies with regulatory expectations, but also achieves real engineering-grade security.
About the Author
E. V. L. Ethical Hacker | Former CISO | Cybersecurity Expert
Her professional career is defined by the duality of offensive technical experience and strategic information security leadership. As an early researcher in AI security, she was already working on the vulnerabilities of language models in 2018, and later became responsible for the secure integration of AI systems in enterprise environments. Through her publications, she aims to contribute to the development of a structured body of knowledge that supports understanding in the complex landscape of algorithm-driven threats and cyber resilience.