This document identifies MITRE ATLAS techniques that have no or insufficient coverage by MLASVS controls. These are priority areas for developing new controls and test cases. This analysis is updated for v0.1 (Draft) and reflects the current state of MLASVS controls and MLASTG test cases.
GOV-016a: Model inventory obfuscation; restrict API discovery endpoints
Implement API endpoint obfuscation; require authentication for model metadata queries; monitor for enumeration patterns
Impact: An adversary can discover what ML models an organization uses without any defensive detection. No official ATLAS ID exists for this attack path — tracked as MLASTG-internal gap.
Remediation Steps: 1. Document all production ML model endpoints in an internal inventory 2. Remove or restrict public-facing model metadata endpoints (e.g., /models, /health) 3. Implement authentication for model discovery queries 4. Monitor for systematic model enumeration patterns in API access logs 5. Consider model endpoint obfuscation (randomized URLs, service mesh routing)
Only red team exercises (GOV-016) and pen testing (INFRA-021) provide indirect coverage
No technical detection controls for ML-specific reconnaissance
Add MLASVS-GOV control for reconnaissance detection monitoring
Remediation Steps: 1. Implement monitoring for ML-specific reconnaissance patterns: - Systematic API probing across model versions - Unusual access patterns to model documentation or metadata - Queries that map model capabilities or architecture 2. Add detection rules to SIEM for ML endpoint enumeration 3. Include ML reconnaissance scenarios in red team exercises
DATA-003 and GOV-001 cover inventory but not usage monitoring
No ML-specific account usage monitoring
Add MLASVS-INFRA control for ML-specific account monitoring
Remediation Steps: 1. Implement per-user ML API usage dashboards 2. Alert on access from new IP addresses or unusual geographic locations 3. Monitor for privilege escalation attempts on ML platform accounts 4. Implement session timeout for ML platform access
Resource Development — Acquire ML Model (AML.TA0003.001)¶
Current State
Gap
Remediation
SUPPLY-002, 006, 009 cover vetting but not ongoing monitoring
No continuous monitoring of base model sources
Add MLASVS-SUPPLY control for continuous base model monitoring
Remediation Steps: 1. Subscribe to security advisories for ML model repositories (Hugging Face, PyTorch Hub) 2. Implement automated re-scanning of base models when new vulnerabilities are disclosed 3. Monitor model repository for updates, deprecations, or security incidents 4. Establish a process for rapid model replacement when base models are compromised
MODEL-021/022 (L2) have detection but no automated prevention
No automated backdoor prevention at training time
Add MLASVS-MODEL control for automated training-time prevention
Remediation Steps: 1. Implement activation clustering as a training-time defense 2. Add data sanitization checks before training begins 3. Use certified robustness methods where applicable 4. Implement continuous monitoring for backdoor behavior in production
MODEL-019/020 (L2) and INFRA-016 exist but no L1 baseline
No L1 inversion prevention controls
Add MLASVS-MODEL L1 control for output clipping
Remediation Steps: 1. Implement L1 output clipping: limit confidence score precision to ≤ 3 decimal places 2. Return label-only predictions where full probability vectors are not required 3. Apply prediction perturbation for sensitive deployments 4. Monitor for systematic querying patterns indicative of inversion attacks
DATA-024/025 (L2) exist but no L1 automated detection
No L1 statistical poisoning detection
Add MLASVS-DATA L1 control for statistical checks
Remediation Steps: 1. Implement statistical outlier detection in the training pipeline (Isolation Forest, LOF) 2. Add label consistency checks before training 3. Monitor data distribution shifts between training runs 4. Implement data versioning with tamper-evident logging
The following attack scenarios fall outside current MLASTG scope but should be evaluated for future coverage. Note: These attack patterns do not yet have official MITRE ATLAS technique IDs — they are tracked here as planning items only.
Attack Pattern
Current Status
Recommended Action
Priority
AI Bill of Materials / ML-SBOM gaps
Partially covered by ML-SBOM (SUPPLY-001); no dedicated NTIA-compliant control
Add explicit SBOM completeness control
P1
External ML Services risk
Covered by vendor assessment controls (SUPPLY)
Enhance with API-specific third-party ML controls
P2
ML Attack Staging environment
Not covered
Add staging environment security controls for ML CI/CD
P2
Non-LLM ML Output Handling
LLM output covered by LLM-003/008/009; classic ML output not covered