In March 2016, Microsoft launched Tay, a Twitter-based chatbot designed to learn from conversations with users and respond in kind. Within 24 hours, some Twitter users began trolling it, tweeting, among other things, politically incorrect phrases and sending it inflammatory messages until it began producing them on its own. Microsoft pulled the plug the next day.

The attack wasn’t sophisticated in any traditional sense. No CVE was exploited. No credentials were stolen. No network was breached. It was simply provided inputs through the interface the system was designed to accept, and the model’s own learning mechanism turned those inputs into a weapon against itself. If you tried to map that attack to MITRE ATT&CK at the time, you’d come up empty. The attack surface wasn’t an endpoint or a network. It was the model’s relationship with its training data.

That gap, the space between what ATT&CK covers and what AI systems actually expose, is exactly what MITRE ATLAS was built to fill.

ATLAS stands for Adversarial Threat Landscape for Artificial-Intelligence Systems. It’s a structured knowledge base of adversary tactics, techniques, and real-world case studies specifically targeting AI and machine learning systems. Think of it as ATT&CK’s purpose-built extension into territory that traditional threat frameworks never modeled: data pipelines, model architectures, inference APIs, and training processes. As of today, ATLAS documents 16 tactics and 167 techniques across 57 case studies, with 35 mapped mitigations, and the framework is actively growing.