AI risk governance is 2 to 5 years behind how fast AI is being deployed. Compliance frameworks describe the threatscape we’ve already seen, not the one unfolding right now. Traditional threat tracking misses most AI failure modes by design. This page is my attempt to show that gap and start a conversation about what to build.
AI is already causing real harm at scale. CISA KEV (the official US feed that tells security teams what to patch first) has catalogued 1,599 vulnerabilities spanning 24 years of CVEs, from CVE-2002-0367 forward. Only three are on AI platforms, and all three are classical software bugs landing on AI infrastructure, not the AI failure modes the rest of this page documents.
The measurement gap
What the official US patch-priority list flags as AI-platform CVEs:
AI-platform entries in CISA KEV: a Langflow authentication bypass (added 2025-05-05), a Langflow code injection (2026-03-25), and a BerriAI LiteLLM SQL injection (2026-05-08). Same classical bug classes; just landing on AI infrastructure.
What’s actually happening:
AI incidents recorded by OECD.ai’s AI Incidents Monitor between January 2022 and May 2026.
The chart below has two lanes. The top lane plots AI incidents that OECD.ai’s Incidents Monitor has logged month by month since consumer AI hit the mainstream in 2022. The bottom lane plots how many CISA KEV entries (the list federal agencies use to prioritize patching) flag AI platforms over the same months. The top lane is a heartbeat, meaning AI is causing harm every month, in numbers we can count. The bottom lane is near-silence: three years of consumer AI before any AI-platform CVE landed on KEV. The first was Langflow’s authentication bypass in May 2025, then Langflow’s code injection in March 2026, then BerriAI LiteLLM’s SQL injection in May 2026. The structural point holds. KEV catches AI when AI has a bug shaped like what KEV was built to catch, not when AI fails in the new ways the rest of this page documents. That near-silence isn’t because CISA missed something. It’s because of how the list is built. The vertical markers show when governments tried to catch up. Notice the lag.
How to read it: the top lane counts the AI incidents OECD logs each month. The bottom lane counts KEV entries that reference AI in the same month. The vertical lines mark major AI governance milestones: NIST AI RMF, the Biden executive order on AI safety, its rescission, the EU AI Act, and the NIST CI Profile draft.
Here’s the teachable moment: the silence isn’t because nobody’s tracking AI risk. OWASP has a Top 10 for LLMs and a newer GenAI security project. MITRE has ATLAS for AI attack techniques. NIST has the AI RMF. These cover the harms that don’t fit a CVE shape: prompt injection, model poisoning, an agent that acts beyond its granted permissions, a model that leaks data under the right input.
And the AI tools themselves do have CVEs. Microsoft 365 Copilot has CVE-2025-32711 (publicly known as EchoLeak), an AI command-injection flaw that lets an unauthorized attacker disclose information over a network. Microsoft rates it 9.3 Critical. Anthropic Claude’s Windows installer has CVE-2026-22561, a DLL search-order hijack. Google’s Vertex Gemini API has CVE-2024-12236, a data-exfiltration bypass of VPC Service Controls. None are in KEV. A 9.3 Critical in a product that ships to millions of enterprise tenants, and the catalog meant to flag urgent patches hasn’t picked it up.
The gap isn’t awareness or cataloging. It’s in the mechanism. KEV is designed for CVEs with confirmed exploitation and a patch. Most AI harms are behavioral and don’t fit that shape. The CVEs that do fit are entering the pipeline but mostly not making it through to KEV. AI risk lives in the advisory lane, where awareness happens. KEV is the action lane, where federal agencies actually decide what to patch. As of May 2026, the two lanes have three points of contact: a Langflow auth bypass, a Langflow code injection, and a BerriAI LiteLLM SQL injection. All classical bug classes on AI infrastructure. The crossings are shaped like the catalog, not like the new harm.
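The two-lane chart and the "shape of the catalog" argument above can both be reproduced on a small sample. The script below is an added example, not code from this page or from CISA or OECD: it bins a constructed incident list and a constructed set of KEV-shaped records (using the real field names of the CISA KEV JSON feed) by month, tags KEV rows that name an AI platform with a keyword list that is this example's own assumption, and checks each incident against the three intake criteria the text attributes to KEV (a CVE ID, confirmed exploitation, a fix). The CVE IDs on the AI-platform rows are placeholders; only the dateAdded values come from the page.

```python
"""Two-lane monthly count of AI incidents vs. AI-platform KEV entries.

Added example, not the page's own code. Records are constructed inline in the
shape of the CISA KEV JSON feed (real field names) and a minimal incident list.
The AI-platform keyword list is this example's assumption, not a CISA field.
"""
from collections import Counter

# Constructed KEV-shaped entries. The three AI-platform rows use the dateAdded
# values cited on the page; their cveID values are placeholders, not real IDs.
KEV_SAMPLE = [
    {"cveID": "CVE-2023-0001", "vendorProject": "Example Corp", "product": "Example Firewall",
     "vulnerabilityName": "Example Firewall Command Injection", "dateAdded": "2025-05-05",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-0000-0001", "vendorProject": "Langflow", "product": "Langflow",
     "vulnerabilityName": "Langflow Authentication Bypass", "dateAdded": "2025-05-05",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-0000-0002", "vendorProject": "Langflow", "product": "Langflow",
     "vulnerabilityName": "Langflow Code Injection", "dateAdded": "2026-03-25",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2023-0002", "vendorProject": "Example Corp", "product": "Example Router",
     "vulnerabilityName": "Example Router Buffer Overflow", "dateAdded": "2026-03-10",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-0000-0003", "vendorProject": "BerriAI", "product": "LiteLLM",
     "vulnerabilityName": "LiteLLM SQL Injection", "dateAdded": "2026-05-08",
     "requiredAction": "Apply mitigations per vendor instructions."},
]

# Constructed incident records in an OECD-Monitor-like shape. Most carry no CVE,
# no patch and no exploitation record because the harm is behavioural.
INCIDENT_SAMPLE = [
    {"date": "2025-04-12", "title": "Customer-service chatbot disclosed other users' records",
     "cve": None, "exploited": False, "patch": None},
    {"date": "2025-05-02", "title": "Coding agent ran a destructive command outside its task scope",
     "cve": None, "exploited": False, "patch": None},
    {"date": "2025-05-20", "title": "Screening model produced discriminatory outcomes",
     "cve": None, "exploited": False, "patch": None},
    {"date": "2026-03-03", "title": "Assistant leaked mailbox contents via injected instructions",
     "cve": "CVE-0000-0004", "exploited": False, "patch": "vendor fix"},  # placeholder CVE ID
    {"date": "2026-05-15", "title": "Model fabricated citations in a filed legal brief",
     "cve": None, "exploited": False, "patch": None},
]

# Assumed classifier for "names an AI platform"; KEV itself has no such flag.
AI_PLATFORM_KEYWORDS = ("langflow", "litellm", "berriai", "llm", "copilot", "gemini", "claude")


def month_key(iso_date: str) -> str:
    """'YYYY-MM-DD' -> 'YYYY-MM'. Both feeds use ISO dates, so slicing is safe."""
    return iso_date[:7]


def is_ai_platform(entry: dict) -> bool:
    """Keyword match over vendor and product name."""
    haystack = f"{entry['vendorProject']} {entry['product']}".lower()
    return any(k in haystack for k in AI_PLATFORM_KEYWORDS)


def two_lane_counts(incidents, kev_entries):
    """Return [(month, incident_count, ai_kev_count)] for every month seen in either feed."""
    top = Counter(month_key(i["date"]) for i in incidents)
    bottom = Counter(month_key(e["dateAdded"]) for e in kev_entries if is_ai_platform(e))
    return [(m, top[m], bottom[m]) for m in sorted(set(top) | set(bottom))]


def kev_shape_gaps(incident: dict) -> list:
    """List which of KEV's intake criteria (CVE ID, confirmed exploitation, fix) a record lacks."""
    gaps = []
    if not incident.get("cve"):
        gaps.append("no CVE ID")
    if not incident.get("exploited"):
        gaps.append("no confirmed exploitation")
    if not incident.get("patch"):
        gaps.append("no patch or mitigation")
    return gaps


def kev_eligible_count(incidents) -> int:
    """How many incidents satisfy all three intake criteria."""
    return sum(1 for i in incidents if not kev_shape_gaps(i))


def lag_in_months(incidents, kev_entries) -> int:
    """Months from the first logged incident to the first AI-platform KEV entry (-1 if none)."""
    first_inc = min(month_key(i["date"]) for i in incidents)
    ai_months = [month_key(e["dateAdded"]) for e in kev_entries if is_ai_platform(e)]
    if not ai_months:
        return -1
    y1, m1 = (int(x) for x in first_inc.split("-"))
    y2, m2 = (int(x) for x in min(ai_months).split("-"))
    return (y2 - y1) * 12 + (m2 - m1)


if __name__ == "__main__":
    for month, inc, kev in two_lane_counts(INCIDENT_SAMPLE, KEV_SAMPLE):
        print(f"{month}  incidents={inc:<3} ai_kev={kev}")
    print("KEV-eligible incidents:", kev_eligible_count(INCIDENT_SAMPLE), "of", len(INCIDENT_SAMPLE))
    print("lag from first incident to first AI KEV entry (months):",
          lag_in_months(INCIDENT_SAMPLE, KEV_SAMPLE))
```

Run against the real feeds, the same binning is what the chart plots; the keyword list is the step that needs editorial judgment, which is why the page's own AI-platform count is stated rather than computed. On the constructed sample, none of the five incidents clears all three intake criteria, and the one record that does carry a CVE and a fix still fails on the exploitation criterion, which is the pipeline leak the paragraph above describes.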
Every AI attack technique MITRE ATLAS has catalogued, ranked by how closely it overlaps with real-world software exploits (CISA KEV) and ICS advisories. Techniques with the strongest classical-CVE shape sit at the top; novel-AI techniques with no software analog fall to the bottom. The view can be filtered by sector, severity, or NIST function.
Matrix of 101 ATLAS techniques across 16 tactics; 101 techniques have at least one matching exploit in CISA KEV.
Reference & methodology
These CVEs are actively exploited in the wild per CISA. They're mostly pre-AI-era and rarely map directly to AI/ML surfaces, included here as supplemental context rather than primary AI threat data. Occasionally an AI-adjacent infrastructure CVE lands on the list.
CISA ICS advisories provide cross-domain context for sector-specific risk. Relevant for ICS/OT-adjacent teams, not central to the AI threat narrative.
Sources
atlas.mitre.org
genai.owasp.org
Mapping methodology
Mappings from MAESTRO layers to ATLAS techniques and OWASP LLM entries are editorial. Each MAESTRO threat includes a sourceUrl pointing to the CSA MAESTRO repository; the cross-framework mappings reflect the author's reading of overlap and are open to revision.
Start date
Timeline coverage begins 2022-11-30, the ChatGPT public launch. Before that date consumer AI wasn't a mass-market tool; starting here keeps the incident set focused on the modern era.
Contribute
Corrections, missing incidents, or mapping revisions: open an issue at https://github.com/abaine/whoami/issues.
Four different desks. One missing measurement layer.
If you're a defender
Your playbooks assume software flaws. Most AI harm doesn't look like a software flaw. It's the AI doing something it shouldn't, in a context that wasn't anticipated. The AI KEV Board on the previous tab is a starting list of those patterns.
If you run critical infrastructure
Your AI deployments are ahead of your governance. The NIST CI Profile is still a year away from being operational. The AI KEV Board is built to fill that gap in the meantime.
If you work in national security
You already see this. What's missing is the public-facing version, so the sectors that don't operate under classification can catch up before adversaries who don't share those constraints.
If you're building AI systems
Every capability you add to your agent stack lives in two columns at once: opportunity and threat. The dual-use map on Tab 3 is meant to make that easier to think about while you build.
Author’s note
I spent most of the last decade on the hard side of this problem: cyber defender, cybersecurity advisement, cybersecurity risk management, consequence-driven cyber-informed engineering (CCE) for cross-sector critical infrastructure. We trained operators to assume the adversary was already inside and to plan around the consequences that would actually hurt.
That training framework assumed a human hand on every consequential action. It’s the assumption AI is quietly removing. My lab is here to track what that means, build the operational measurement layer that doesn’t exist yet, and put it in front of the people who need it. The next several years of AI deployment shouldn’t happen without one.
Nothing on this page is final. The AI KEV Board, the scorer, the MAESTRO bridge: all drafts, all sharpened by critique. If you work in this space, I want to hear where I’m wrong.