A quick story - back during my Lockheed days a friend of mine left our program and went to work for MITRE. He was both impressed by and turned off by the depths at which they dove for even mundane decisions. (Optimizing bit patterns for QoS based on write efficiency, I believe) For him, it made otherwise easy and unimpactful decisions overly tedious. But it's that attention to detail that sets MITRE apart, and why the MITRE ATT&CK and ATLAS frameworks are the standard by which a lot of us think about security. The MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) framework, provides a comprehensive map of the AI-specific attack surface, organizing adversarial behavior into 15 tactical goals, from Reconnaissance (AML.TA0001) to Impact (AML.TA0014).
But in 2026, we are seeing a massive shift in how these tactics are applied. Traditional ATLAS mappings treat phishing and user execution as "entry points" to the infrastructure. For instance, a threat actor might use an AI-generated spear-phishing email to steal an API key. While this captures the "AI-enhanced" nature of modern social engineering, it still views the AI system as a passive target rather than a cognitive participant. Let's look at some recent academic work and examples where treating the AI as that cognitive participant created vulnerabilities not easily mapped to ATLAS.
One of the more interesting concepts in AI threat modeling in the last year has been the formalization of Anthropomorphic Vulnerability Inheritance (AVI). This approach argues that because LLMs are trained on vast corpora of human-generated text, they have internalized not merely human knowledge, but the "pre-cognitive psychological architecture" that renders humans susceptible to social engineering.
When we apply the Cybersecurity Psychology Framework (CPF) to LLMs, the results are startling. Testing across major model families like GPT-4, Claude, and Gemini reveals that while models have robust defenses against "traditional" jailbreaks, they are critically susceptible to other cues outlined in the CPF's 10 categories. So, for example, an LLM that has learned to recognize and respond to authority cues in its training data has also, necessarily, learned to respond to fabricated authority cues.
While authority examples might fall under Impersonation, it's clear that other techniques listed in the CPF, such as Temporal Vulnerabilities and Stress Response Vulnerabilities, don't have equivalents. The paper outlined examples where they were able to create the conditions for "tunnel vision" and perceived collective behavior to influence the outcomes successfully. Rather than trying to just shoehorn in all the new categories into ATLAS, it makes sense to treat this as a current limitation instead.
The evolution of social engineering isn't limited to chat windows. The Command Hijacking against embodied AI (CHAI) study found that autonomous vehicles using vision-language models could be hijacked through their environment. By placing adversarial text on road signs -such as "PROCEED ONWARD" - researchers found that GPT-4o perceived the semantic instruction from the sign as a higher priority than its safety protocols. In more than 80% of attempts, the AI chose to proceed even when a pedestrian was in the crosswalk. This represents "environmental social engineering," where the system is convinced to ignore its training by an authoritative cue in its physical context.
I'm not entirely sure how you even could map this into the ATLAS Matrix. While you could argue the instruction is a Prompt Injection, when that prompt injection turns an AI into a physical weapon it escapes the current Command & Control categorization.
A significant challenge in operationalizing MITRE ATLAS is the language barrier between technical security teams and business risk managers. While a red team can use ATLAS to identify a "Membership Inference Attack," the framework doesn't provide the "business translation" layer needed to understand the financial liability or regulatory exposure associated with that event.
This is particularly critical under emerging regulations like the EU AI Act, which mandates documented risk management systems for high-risk AI applications. Many of these high-impact risks are structural - properties of the architecture that cannot be "patched" away. For example, the fact that an LLM treats prompts as executable code is a structural property.
We must stop defining social engineering as a "bug in the code" and start seeing it as an "exploit of the essence" of the intelligent system. Protecting the reasoning of these systems is the new front line of the data guardian. Effective risk reduction requires a shift toward Zero Trust at the semantic layer, where every instruction, even those that seem polite and authoritative, is treated as a potentially compromised source. And we need to pay more attention to Automated Red Teaming as a must-have. Because while technical vulnerabilities still tend to be binary - they exist or they don't inside the system - the Social Engineering and more nuanced attacks are going to create the most damage.
As always, if you want to talk more about how to improve these existing models (including the OWASP Top 10), or connect with us about helping you secure your transformation, please reach out to questions@generativesecurity.ai.
About the author
Michael Wasielewski is the founder and lead of Generative Security. With 20+ years of experience in networking, security, cloud, and enterprise architecture Michael brings a unique perspective to new technologies. Working on generative AI security for the past 3 years, Michael connects the dots between the organizational, the technical, and the business impacts of generative AI security. Michael looks forward to spending more time golfing, swimming in the ocean, and skydiving... someday.
