The National Institute of Standards and Technology (NIST) published a new 2025 version of its adversarial AI taxonomy,
first published in January 2024.
The latest version of
“Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations,” released March 2025, supplies significant updates, including expanded sections on generative AI (GenAI) and key challenges, and a standardized index for more efficient navigation and referencing.
“Overall, we updated the content to reflect the progress over the year since the previous version, including terminology, glossary, and bibliography,” Apostol Vassilev, report co-author and research team supervisor at NIST’s Information Technology Laboratory, Computer Security Division, told SC Media.
The report is designed to be used in conjunction with
NIST’s AI Risk Management Framework to help organizations understand how AI models can be misused by attackers and how these attacks can be combatted, Vassilev said.
GenAI attack guidance adds details on supply chain attacks, agent security
The taxonomy report is divided into separate sections for predictive AI (PredAI) and GenAI, with the GenAI section seeing the most substantial change in the 2025 update.
“We renamed the Abuse class of attacks to the Misuse class […] in order to handle a wider range of exploits and align our standard with other NIST and external standards,” Vassilev explained.
This change adds model jailbreaks, data poisoning and fine-tuning circumvention under the umbrella of misuse, where an attacker seeks to bypass restrictions and produce potentially harmful AI outputs.
The section on supply chain attacks saw significant changes, with distinct subsections on data poisoning and model poisoning attacks. This change recognizes the extensive use of third-party foundation models in the AI supply chain, and the potential harm of
malicious and backdoored models.
A new section on the security of AI agents noted that these autonomous AI systems can be vulnerable to many of the same exploits as traditional large language models (LLMs), with added risks due to their expanded capabilities.
The 2025 report also includes a more detailed description of the GenAI stages of learning to help readers better understand attacks targeting specific learning stages. This information is further incorporated into the guidance on mitigations for direct prompt injection attacks, with interventions divided into pre-training, post-training, evaluation and deployment stages.
A longer, updated list of indirect prompt injection techniques was added in the 2025 report; for example, the section highlights self-propagating injections, where a model reads an email that instructs it to send malicious emails to everyone in the user’s contact list.
The GenAI section concluded with a new subsection on adversarial machine leaning (AML) benchmarks, referencing nearly a dozen different benchmarking tools and frameworks to help assess models’ susceptibility to varied attacks.
AI security challenges and limitations in 2025
The concluding section on key challenges and discussion underwent an overhaul in the latest report, including updated information on supply chain challenges, new subsections on risk management and mitigation evaluations, and a lengthier discussion on tradeoffs between the attributes of trustworthy AI.
“In this section we also elaborate on the existing theoretical barriers to robust AI, to make sure stakeholders are aware of these limitations and understand the need to look for alternative mechanisms for hardening their infrastructure,” Vassilev told SC Media.
The new section on evaluation noted a lack of reliable benchmarks to assess the effectiveness of proposed AML mitigations and calls for more research to develop reliable, standardized methods.
“More broadly, the effectiveness of a mitigation is determined not jus by how well it will defend against existing attack[s], but also how well it defends against unforeseen attacks,” the report stated. “This means hat new mitigations should be tested adversarially, with the researchers proposing he mitigation also trying to break it.”
The discussion on supply chain challenges now includes mention of increasing reliance on AI coding assistants, which
could potentially lead to less secure code and more opportunities for attackers.
The final subsections of the report discuss how organizations should consider AML in their overall risk management, cybersecurity and software development strategies, as AI is increasingly integrated into existing systems and processes.
Editor's Note: A previous version of this story incorrectly stated that the 2025 version of NIST's "Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations" report was published in May 2025. This story has been updated to reflect that the report was published in March 2025. 
