The New Baseline for AI Security
AI is no longer an experimental capability or a back-office automation tool: it is becoming a core operational layer inside modern enterprises. The pace of adoption is breathtaking. Yet, according to Cisco's 2025 AI Readiness Index, only 29 percent of companies believe they are adequately equipped to defend against AI threats and only 33 percent have a formal change-management plan for guiding responsible adoption.
Executives and leaders increasingly find themselves in a troubling position: they understand cybersecurity, but AI security feels foreign. Humans, organizations, and governments cannot adequately comprehend or respond to the implications of such rapidly evolving technology and the threats that follow: organizations are deploying systems whose behavior evolves, whose failure modes are not fully understood, and whose interactions with their environment are dynamic and sometimes unpredictable.
Cisco's Integrated AI Security and Safety Framework (also referred to in this blog as the "AI Security Framework") offers a fundamentally different approach. It represents one of the first holistic attempts to classify, integrate, and operationalize the full range of AI risks, including adversarial threats, content safety failures, model and supply chain compromise, agentic behaviors and ecosystem risks (e.g., orchestration abuse, multi-agent collusion), and organizational governance. This vendor-agnostic framework provides a structure for understanding how modern AI systems fail, how adversaries exploit them, and how organizations can build defenses that evolve alongside capability advancements.
A Fragmented Landscape and the Need for Integration
For years, organizations that attempted to secure AI pieced together guidance from disparate sources. MITRE ATLAS helped define adversarial tactics in machine learning systems. NIST's Adversarial Machine Learning taxonomy described attack primitives. OWASP published Top 10 lists for LLM and agentic risks. Frontier AI labs like Google, OpenAI, and Anthropic shared internal safety practices and principles. Yet each of these efforts focused on a particular slice of the risk landscape, offering pieces of the puzzle but stopping short of a unified, end-to-end understanding of AI risk.
What has been missing is a cohesive model, one that seamlessly spans safety and security, runtime and supply chain, model behavior and system behavior, input manipulation and harmful outputs. Cisco's analysis makes the gap clear: no existing framework covers content harms, agentic risks, supply chain threats, multimodal vulnerabilities, and lifecycle-level exposure with the completeness needed for enterprise-grade deployment. The real world does not segment these domains, and adversaries certainly do not either.
Figure: Assessment of coverage across AI security taxonomies and frameworks
A New Paradigm for Understanding AI Risk
AI security and safety risks present very real concerns for organizations. Taken together, AI security and AI safety form complementary dimensions of a unified risk framework: one concerned with protecting AI systems from threats, and the other with ensuring that their behavior remains aligned with human values and ethics. Treating these domains in tandem can enable organizations to build AI systems that are not only robust and reliable, but also responsible and worthy of trust.
We define them as:
- AI security: the discipline of ensuring AI accountability and protecting AI systems from unauthorized use, availability attacks, and integrity compromise across the AI lifecycle.
- AI safety: helping ensure AI systems behave ethically, reliably, fairly, transparently, and in alignment with human values.
Cisco's Integrated AI Security and Safety Framework is built upon five design elements that distinguish it from prior taxonomic efforts and encompass an evolving AI threat landscape: the integration of AI threats and content harms, AI development lifecycle awareness, multi-agent coordination, multimodality, and audience-aware utility.
(1) Integration of threats and harms: One core innovation of Cisco's framework is its recognition that AI security and AI safety are inseparable. Adversaries exploit vulnerabilities across both domains, and oftentimes, link content manipulation with technical exploits to achieve their objectives. A security attack, such as injecting malicious instructions or corrupting training data, often culminates in a safety failure, such as generating harmful content, leaking confidential information, or producing unwanted or harmful outputs.
Traditional approaches have treated safety and security as parallel tracks. Our AI Security Framework attempts to reflect the reality of modern AI systems: where adversarial behavior, intended and unintended system behavior, and user harm are interconnected. The AI Security Framework's taxonomy brings these elements into a single structure that organizations can use to understand risk holistically and build defenses that address both the mechanism of attack and the resulting impact.
(2) AI lifecycle awareness: Another defining feature of the AI Security Framework is its anchor in the full AI lifecycle. Security considerations during data collection and preprocessing differ from those during model training, deployment and integration, tool use, or runtime operation. Vulnerabilities that are irrelevant during model development may become critical once the model gains access to tooling or interacts with other agents. Our AI Security Framework follows the model across this entire journey, making it clear where different categories of risk emerge and how they may evolve, and allowing organizations to implement defense-in-depth strategies that account for how risks evolve as AI systems progress from development to production.
(3) Multi-agent orchestration: The AI Security Framework also accounts for the risks that emerge when AI systems work together, encompassing orchestration patterns, inter-agent communication protocols, shared memory architectures, and collaborative decision-making processes. Our taxonomy covers the associated risks that emerge in systems with autonomous planning capabilities (agents), external tool access (MCP), persistent memory, and multi-agent collaboration: threats that would be invisible to frameworks designed for earlier generations of AI technology.
(4) Multimodality considerations: The AI Security Framework also reflects the reality that AI is increasingly multimodal. Threats can emerge from text prompts, audio commands, maliciously constructed images, manipulated video, corrupted code snippets, or even embedded signals in sensor data. As we continue to research how multimodal threats can manifest, treating these pathways consistently is essential, especially as organizations adopt multimodal systems in robotics and autonomous vehicle deployments, customer experience platforms, and real-time monitoring environments.
(5) An audience-aware security compass: Finally, the framework is intentionally designed for multiple audiences. Executives can operate at the level of attacker objectives: broad categories of risk that map directly to business exposure, regulatory considerations, and reputational impact. Security leaders can focus on techniques, while engineers and researchers can dive deeper into subtechniques. Drilling down even further, AI red teams and threat intelligence teams can build, test, and evaluate procedures. All of these groups can share a single conceptual model, creating alignment that has been missing from the industry.
The AI Security Framework provides teams with a shared language and mental model for understanding the threat landscape beyond individual model architectures. The framework includes the supporting infrastructure, complex supply chains, organizational policies, and human-in-the-loop interactions that collectively determine security outcomes. This enables clearer communication between AI developers, AI end-users, business functions, security practitioners, and governance and compliance entities.
Inside the AI Security Framework: A Unified Taxonomy of AI Threats
A crucial component of the AI Security Framework is the underlying taxonomy of AI threats that is structured into four layers: objectives (the "why" behind attacks), techniques (the "how"), subtechniques (specific variants of "how"), and procedures (real-world implementations). This hierarchy creates a logical, traceable pathway from high-level motivations to detailed implementation.
The framework identifies nineteen attacker objectives, ranging from goal hijacking and jailbreaks to communication compromise, data privacy violations, privilege escalation, harmful content generation, and cyber-physical manipulation. These objectives map directly to observed patterns and threats, to vulnerabilities organizations are encountering as they scale AI adoption, and finally extend to areas that are technically feasible, though not yet observed outside of a research setting. Each objective becomes a lens through which executives and leaders can understand their exposure: which business functions could be impacted, which regulatory obligations might be triggered, and which systems require heightened monitoring.
Techniques and subtechniques provide the specificity necessary for operational teams. These include over 150 techniques and subtechniques such as prompt injections (both direct and indirect), jailbreaks, multi-agent manipulation, memory corruption, supply chain tampering, environment-aware evasion, tool exploitation, and dozens more. The richness of this layer reflects the complexity of modern AI ecosystems. A single malicious prompt may propagate across agents, tools, memory stores, and APIs; a single compromised dependency may introduce unobserved backdoors into model weights; or a single cascaded failure may cause an entire multi-agent workflow to diverge from its intended goal.
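As an added example that is not part of Cisco's framework or tooling, the following Python models the four-layer hierarchy described above and rolls constructed findings up to the layer each audience works at (design element 5), with an optional lifecycle-stage filter (design element 2). Every taxonomy entry, finding, and audience label below is constructed for illustration and is not an official framework identifier.

```python
"""Added example, not Cisco's code: model the objective -> technique ->
subtechnique -> procedure hierarchy and roll findings up to the layer
each audience reads. All entries below are constructed, not official IDs."""
from collections import Counter
from dataclasses import dataclass

# Constructed fragment: subtechnique -> (technique, objective).
# Technique/objective names echo the blog; the specific linkage is assumed.
TAXONOMY = {
    "indirect injection via retrieved document": ("prompt injection", "goal hijacking"),
    "direct injection in user turn": ("prompt injection", "goal hijacking"),
    "spoofed tool result": ("tool exploitation", "privilege escalation"),
    "poisoned persistent memory entry": ("memory corruption", "goal hijacking"),
    "tampered weights in dependency": ("supply chain tampering", "harmful content generation"),
}

# Which layer each audience reads (design element 5); labels are constructed.
AUDIENCE_LAYER = {"executive": "objective", "security_leader": "technique",
                  "engineer": "subtechnique", "red_team": "procedure"}

@dataclass(frozen=True)
class Finding:
    procedure: str        # concrete observed implementation (constructed)
    subtechnique: str     # must be a TAXONOMY key
    lifecycle_stage: str  # where it was seen, e.g. "training" or "runtime"

def classify(f: Finding) -> dict:
    """Expand a finding into all four layers, refusing unmapped subtechniques
    so that nothing silently drops out of the executive-level view."""
    if f.subtechnique not in TAXONOMY:
        raise ValueError(f"unmapped subtechnique: {f.subtechnique!r}")
    technique, objective = TAXONOMY[f.subtechnique]
    return {"objective": objective, "technique": technique,
            "subtechnique": f.subtechnique, "procedure": f.procedure}

def rollup(findings, audience: str, stage=None) -> Counter:
    """Count findings at the audience's layer, optionally for one lifecycle stage."""
    layer = AUDIENCE_LAYER[audience]
    return Counter(classify(f)[layer] for f in findings
                   if stage is None or f.lifecycle_stage == stage)

# Constructed findings from a hypothetical assessment of a RAG-backed agent.
FINDINGS = [
    Finding("hidden instructions in a retrieved PDF", "indirect injection via retrieved document", "runtime"),
    Finding("'ignore previous instructions' in chat", "direct injection in user turn", "runtime"),
    Finding("forged tool JSON claiming admin role", "spoofed tool result", "runtime"),
    Finding("backdoored weights pulled from a mirror", "tampered weights in dependency", "training"),
]
```

`rollup(FINDINGS, "executive")` yields two goal-hijacking findings, one privilege-escalation finding, and one harmful-content finding, while `rollup(FINDINGS, "red_team")` lists the four concrete procedures.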
Figure: Screenshot of the AI Security Framework's Taxonomy Navigator
The safety taxonomy embedded within the framework is equally robust. It includes twenty-five categories of harmful content, ranging from cybersecurity misuse to safety and content harms to intellectual property compromise and privacy attacks. This breadth acknowledges that many AI failures are emergent behaviors that can still cause real-world harm. A unified taxonomy ensures that organizations can evaluate both malicious inputs and harmful outputs through a coherent lens.
In the same vein, additional Model Context Protocol (MCP), agentic, and supply chain threat taxonomies are embedded within the AI Security Framework. Protocols like MCP and A2A govern how LLMs interpret tools, prompts, metadata, and execution environments, and when these components are tampered with, impersonated, or misused, benign agent operations can be redirected toward malicious goals. The MCP taxonomy (which currently covers 14 threat types) and our A2A taxonomy (which currently covers 17 threat types) are both standalone resources that are also integrated into AI Defense and into our open source tools, MCP Scanner and A2A Scanner. Finally, supply chain risk is also a core dimension of lifecycle-aware AI security. We've developed a taxonomy that covers 22 distinct threats and is similarly integrated into AI Defense, into our partners' model security products, and into other tools we are developing for the open source community.
Cisco's Integrated AI Security and Safety Framework offers one of the most complete, forward-looking approaches available today. At a time when AI is redefining industries, that clarity is not merely valuable: it is essential. This framework is also integrated into Cisco AI Defense, where threats are identified with associated indicators and mitigation strategies. Navigate our Integrated AI Security and Safety Framework today. We look forward to working with the community to deepen awareness of, and strengthen defenses against, this novel ecosystem of AI threats.
