Living Governance

Security framework analysis for AI and MCP threats

Agentic AI Threat Catalog
Incident Timeline
4 incidents · 4 threats · 5 coverage gaps

INC-002 (Case Study) — OpenClaw Investigation: Agent Techniques from AI-First Ecosystems
  Date: Feb 9, 2026
  Threat models: TM-002, TM-003

INC-004 (PoC) — MCP Tool Server Data Exfiltration via Cursor IDE
  Date: Dec 1, 2025
  Threat models: TM-002

INC-001 (Research) — AI Agent Memory Manipulation via Persistent Context Injection
  Date: Oct 22, 2025
  Threat models: TM-001

INC-003 (Research) — Persistent Backdoor via RAG Knowledge Base Poisoning
  Date: Sep 15, 2025
  Threat models: TM-001

Only OWASP and MITRE ATLAS provide direct coverage for the majority of agentic AI incidents — other frameworks have significant gaps

Tool misuse and memory poisoning are the most frequently exploited threat categories in documented incidents

MCP protocol security is an emerging attack surface with active exploitation but limited framework coverage beyond OWASP

The gap between incident reality and framework coverage is largest for NIST, ISO 42001, and CIS Controls — all lack agentic-specific content

AI Security Framework Coverage
Only 2 of 7 frameworks ready for AI threats • 5 lack adequate coverage
#2 MITRE ATLAS (active)
  Coverage: 90%

Published before agentic AI emergence

Core AI RMF still lacks agentic AI content

#5 CIS Controls (no guidance)
  Coverage: 25%

No AI or ML security coverage

DIS stage - publication expected May 2026

#7 MITRE ATT&CK (no guidance)
  Coverage: 0%

Only T1588.007 (Obtain Capabilities: AI) — no agentic AI coverage