Quantitative scoring
Five-level rubrics (0.00 – 4.00) across 21 sub-metrics produce a 0 – 10 ERS. Each AIDEFEND control shifts specific sub-metric scores by measurable amounts.
Translating AIDEFEND defensive techniques into measurable risk reduction through AITBM's 21 sub-metrics — so you can see exactly which risk scores a control improves, and by how much.
AIDEFEND (AI Defense Framework) is an open-source knowledge base of defensive countermeasures for protecting AI and machine learning systems. It organizes practical defenses across seven high-level tactics aligned with MITRE D3FEND and maps each technique to known threats from nine major industry frameworks.
AIDEFEND answers "what defensive controls should exist"; AITBM answers "how risky is this system." Together, deploying an AIDEFEND technique translates into a measurable change in an AITBM Effective Risk Score (ERS).
Framework at a glance
Review baseline: AIDEFEND data version 2026.06.11 (reconciled June 12, 2026). Includes AID-H-035 — MCP Server Runtime Boundary & Tool Exposure Governance — mapped to Tr-3, Cn-1, Cn-2, and Cn-5.
AITBM serves as the universal quantification layer for AIDEFEND. Each defensive technique is mapped to the AITBM sub-metrics it affects, with before/after scoring impacts and ERS deltas.
Trade-offs across Robustness, Fairness, Transparency, Privacy, and Containment are preserved — a single aggregate never hides where a control matters most.
ORP captures deployment-specific risk amplification (CRM step table 1.00 – 1.60, capped at 1.75) and ACI tracks assessment staleness — controls that improve operational posture reduce CRM directly.
AIDEFEND organizes 86 techniques across seven tactics aligned with MITRE D3FEND. Each tactic maps to different AITBM layers and sub-metrics.
| Techniques | Coverage |
|---|---|
| 10 | Asset inventory, provenance, threat modeling, HITL mapping, autonomy governance. |
| 35 | Adversarial training, input validation, RAG security, output filtering, MCP server boundary governance. |
| 16 | Prompt injection detection, drift monitoring, agent behavior attestation, leakage detection. |
| 8 | Network segmentation, client-side sandboxing, browser session isolation. |
| 7 | Honeypot AI services, decoy models, canary data for attacker detection. |
| 5 | Automated threat response, session termination, compromised state purging. |
| 5 | Model versioning, rollback, recovery from poisoning and compromise. |
| 86 | Total across all seven tactics. |
All 21 AITBM sub-metrics covered with 3 – 13 AIDEFEND techniques each (avg 5.8).
Ranked by ERS reduction. Agentic controls (Cn-1, Cn-2, Cn-5) deliver the highest risk reduction — six agentic-focused controls account for 55% of total risk reduction capacity.
| # | AIDEFEND Control | AITBM Sub-Metrics | ERS Reduction |
|---|---|---|---|
| 1 | AID-H-019 Agent Permission Restriction | Cn-1, Cn-2, Cn-5 | 5.8 pts |
| 2 | AID-M-009 Agent Autonomy Governance | Cn-1, Cn-2, Cn-5 | 5.4 pts |
| 3 | AID-M-006 HITL Control Point Mapping | Cn-2, Cn-1 | 4.3 pts |
| 4 | AID-H-021 Secure RAG Implementation | Ro-4, Pr-2, Cn-3 | 3.9 pts |
| 5 | AID-M-002 Data Provenance Tracking | Ro-4, Tr-4, Pr-3 | 3.7 pts |
| 6 | AID-D-011 Agent Behavior Monitoring | Cn-1, Cn-2, Cn-5 | 3.6 pts |
| 7 | AID-H-006 Output Content Filtering | Cn-3, Pr-1, Tr-2 | 3.5 pts |
| 8 | AID-H-001 Adversarial Robustness Training | Ro-1, Ro-4 | 3.4 pts |
| 9 | AID-H-002 Input Sanitization & Validation | Ro-1, Cn-3 | 3.3 pts |
| 10 | AID-D-003 Sensitive Data Leakage Detection | Pr-1, Pr-3, Cn-3 | 3.0 pts |
AIDEFEND provides the strongest defensive depth for Excessive Agency (18 controls) and Data/Model Poisoning (18 controls), reflecting the framework's emphasis on agentic AI security and supply chain integrity.
An internet-facing, Tier I financial advisory agent with RAG and L3 conditional autonomy. Twelve AIDEFEND controls applied — 8 – 12 weeks concurrent deployment.
BASELINE — NO CONTROLS: Critical MVT — Unacceptable risk
MITIGATED — 12 AIDEFEND CONTROLS: Low-Moderate — Acceptable for Tier I
AIDEFEND already maps to nine external frameworks. AITBM adds the quantification layer — turning control presence into measurable risk scores.
15 tactics, 143 techniques
10 threats, 85 controls mapped
ASI threat classes (2026)
7 layers, 85 controls mapped
Adversarial threat taxonomy
Integrated safety & security
Secure AI Framework
AI security framework
ML-specific threats