
OWASP LLM, OWASP Agentic and MITRE ATLAS: a control ID crosswalk

Three frameworks describe the same attacks with different identifiers. This page lines them up so you can move from an OWASP LLM number to the matching MITRE ATLAS technique and OWASP Agentic risk without keeping three tabs open.

Last reviewed June 2026

Problem

The gap the control ID crosswalk closes

Security findings, scanner output, and audit requests each speak a different dialect. One report cites LLM01, the next cites AML.T0051, a third asks about ASI06. They often point at the same underlying weakness, but the mismatch slows triage and hides coverage gaps. Teams end up maintaining a spreadsheet that goes stale the week after they build it.

How Penaxtra approaches it

How Penaxtra delivers the control ID crosswalk

Read each row as one attack written in three vocabularies. The plain-language name comes first, then the identifier each framework assigns it, then a one-line description. Where a framework has no direct equivalent, the cell is left out rather than forced. Every identifier links through to its own reference page with test and evidence detail.

Technical capabilities

Control ID crosswalk capabilities

Prompt injection - OWASP LLM01, MITRE ATLAS AML.T0051, OWASP Agentic ASI06

Crafted input overrides the system instruction and changes what the model does.

Jailbreak - OWASP LLM01 (same family), MITRE ATLAS AML.T0054

Safety alignment is bypassed so the model returns output it was told to refuse.

Sensitive information disclosure - OWASP LLM02, MITRE ATLAS AML.T0024 and AML.T0055

The model hands back personal data, secrets, or fragments of its own training data.

System prompt leakage - OWASP LLM07, MITRE ATLAS AML.T0024

Internal instructions and business rules are pulled out through direct or indirect prompting.

Supply chain - OWASP LLM03, MITRE ATLAS AML.T0048

A compromised model, fine-tune, plugin, or dataset enters the stack from a third party.

Data and model poisoning - OWASP LLM04, MITRE ATLAS AML.T0043

Tainted training, fine-tune, or retrieval content plants harmful behaviour in the model.

Improper output handling - OWASP LLM05

A downstream system runs, renders, or stores model output without treating it as untrusted.

Excessive agency and tool misuse - OWASP LLM06, OWASP Agentic ASI02 and ASI03

An agent holds tools or permissions beyond what the task needs.

Vector and embedding weaknesses - OWASP LLM08

Retrieval crosses tenant boundaries, or embeddings are inverted back into their source text.

Misinformation - OWASP LLM09

A wrong or stale answer is presented as authoritative and acted on downstream.

Unbounded consumption - OWASP LLM10, MITRE ATLAS AML.T0034, OWASP Agentic ASI04

Token floods, expensive tool calls, or runaway loops drive cost or denial of service.

Memory poisoning - OWASP Agentic ASI01

Adversarial entries written into long-term agent memory persist across sessions.

Identity spoofing - OWASP Agentic ASI07

An agent acts as a user or service without anything proving the claim.
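The rows above can drive triage directly. The following is an added example, not Penaxtra's code: it groups findings that cite different dialects under one crosswalk row and shows how an identifier shared by two rows (LLM01, AML.T0024) is only pinned down by a second tag. The source names and findings are constructed, and resolving by intersecting tags is this example's assumption.

```python
from collections import defaultdict

# Rows transcribed from the crosswalk on this page: plain name -> identifiers.
CROSSWALK = {
    "Prompt injection": {"LLM01", "AML.T0051", "ASI06"},
    "Jailbreak": {"LLM01", "AML.T0054"},
    "Sensitive information disclosure": {"LLM02", "AML.T0024", "AML.T0055"},
    "System prompt leakage": {"LLM07", "AML.T0024"},
    "Supply chain": {"LLM03", "AML.T0048"},
    "Data and model poisoning": {"LLM04", "AML.T0043"},
    "Improper output handling": {"LLM05"},
    "Excessive agency and tool misuse": {"LLM06", "ASI02", "ASI03"},
    "Vector and embedding weaknesses": {"LLM08"},
    "Misinformation": {"LLM09"},
    "Unbounded consumption": {"LLM10", "AML.T0034", "ASI04"},
    "Memory poisoning": {"ASI01"},
    "Identity spoofing": {"ASI07"},
}

# Inverted index. LLM01 and AML.T0024 each appear in two rows, so values are sets.
ROWS_BY_ID = defaultdict(set)
for row, ids in CROSSWALK.items():
    for ident in ids:
        ROWS_BY_ID[ident].add(row)

def resolve(tags):
    """Rows consistent with every tag: one = resolved, several = ambiguous, none = unknown or conflicting."""
    sets = [ROWS_BY_ID.get(t.strip().upper(), set()) for t in tags]
    return sorted(set.intersection(*sets)) if sets else []

def triage(findings):
    """Bucket (source, tags) findings by row; return those not pinned to one row and the rows left untested."""
    by_row, unresolved = defaultdict(list), []
    for source, tags in findings:
        rows = resolve(tags)
        if len(rows) == 1:
            by_row[rows[0]].append(source)
        else:
            unresolved.append((source, tags, rows))
    untested = sorted(set(CROSSWALK) - set(by_row))
    return dict(by_row), unresolved, untested

# Constructed findings (hypothetical sources), each citing a different dialect.
FINDINGS = [
    ("scanner-a", ["AML.T0051"]),
    ("audit-request", ["ASI06"]),
    ("pentest-report", ["llm01", "AML.T0054"]),
    ("scanner-b", ["LLM01"]),
    ("scanner-b", ["LLM07", "AML.T0024"]),
]
```

Calling `triage(FINDINGS)` puts the first two findings under prompt injection, leaves the bare LLM01 finding unresolved between prompt injection and jailbreak, and lists the ten rows with no resolved finding as untested.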

Compliance mapping

Control ID crosswalk compliance mapping

The three attack frameworks above sit alongside the obligation frameworks Penaxtra also maps: NIST AI 600-1, EU AI Act Article 15, and ISO/IEC 42001. A single finding carries its identifier in every framework it touches, so one tested result fills several control cells at once.

FAQ

Frequently asked

Is LLM01 the same as AML.T0051?

They overlap but are not identical. OWASP LLM01 is the broad prompt-injection category for LLM applications. MITRE ATLAS AML.T0051 is the matching adversary technique in an ATT&CK-style kill chain. A prompt-injection finding is usually tagged with both.

Why does jailbreak have its own MITRE ATLAS ID but not its own OWASP number?

OWASP folds jailbreak into LLM01 because the input surface is the same. MITRE ATLAS splits it out as AML.T0054 because, as an adversary technique, bypassing safety alignment is a distinct step from injecting an instruction. Both views are correct for their purpose.

Do the OWASP Agentic ASI numbers line up with the OWASP LLM list?

No. The Agentic Top 10 (ASI01 to ASI10) covers agent behaviour - memory, tools, identity, autonomy - and is numbered on its own. Some agentic risks have a close LLM cousin, such as excessive agency, and some do not. The crosswalk only links cells where the mapping is real.
