NIST AI 100-2, “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations,” is the U.S. government’s effort to impose a shared vocabulary on a fast-moving and fragmented research field. The 2025 edition (NIST AI 100-2 E2025) was finalized on March 24, 2025, authored by Apostol Vassilev of NIST with Alina Oprea (Northeastern), Alie Fordyce and Hyrum Anderson (Cisco), Xander Davies (UK AI Security Institute), and Maia Hamin (US AI Safety Institute), building on an earlier 2024 edition.
The report organizes attacks along several axes: the type of machine learning method involved, the stage of the system life cycle at which the attack occurs, and the attacker’s goals, capabilities, and knowledge. Its main attack categories map onto the threats studied across the research literature: evasion attacks, which fool a deployed model at inference time using adversarial examples; poisoning attacks, which corrupt the training data or process; privacy attacks, which extract information about training data or the model; and abuse attacks against generative AI, such as prompt injection and jailbreaks. For each, the document describes corresponding mitigation methods and their limitations.
The value of the taxonomy is coordination. As the document states, it aims to establish “a common language for the rapidly developing AML landscape” so that researchers, vendors, auditors, and regulators describe the same threats the same way. It is meant to inform the broader NIST AI Risk Management Framework and standards work.
For practitioners, NIST AI 100-2 is a citable reference map of what can go wrong with a deployed machine learning system and of which mitigations are and are not known to help, which makes it a useful anchor for security reviews and procurement requirements.