How does AATMF relate to NIST AI RMF and Google SAIF?

NIST AI RMF and Google SAIF operate at the governance and principles layer — they tell an organization how to manage AI risk and what to secure. AATMF operates at the testing layer — it produces the adversarial evidence that a Measure or assurance step needs. They sit on different rungs of the same ladder, not in competition.

Which frameworks are open and free to use?

MITRE ATLAS, NIST AI RMF, and AATMF are all publicly available at no cost; AATMF is released under CC BY-SA. Google SAIF is published as guidance by Google. None require a license fee.

AI Red-Teaming Frameworks Compared

Q: What is the best framework for AI red teaming?

There is no single best framework because they solve different problems. For executable offensive testing of an AI system, AATMF is the operational choice — it ships 15 tactics, 240 techniques, and 2,152+ runnable procedures. For organizational risk governance, use NIST AI RMF. For threat intelligence on observed attacks, use MITRE ATLAS. For a security baseline, use Google SAIF. Most mature teams pair a governance framework with an offensive one.

Q: Is AATMF a replacement for MITRE ATLAS?

No — they are complementary. MITRE ATLAS is a knowledge base that documents what AI attacks have happened. AATMF is operational: it provides executable procedures and prompts to actually test for those attack classes. ATLAS tells you what to worry about; AATMF lets you go prove it.

The short answer

They are not competitors. MITRE ATLAS catalogs the AI attacks that have happened. NIST AI RMF governs organizational AI risk. Google SAIF sets a security baseline. AATMF is the operational layer — executable adversarial test procedures you run against a live system. Most teams need a governance framework and an offensive one; pick one from each layer.

At a glance

Framework	Orientation	What it gives you	Best for	Output
MITRE ATLAS	Threat intelligence	A catalog of observed adversarial-ML tactics, techniques, and real-world case studies, modeled on ATT&CK	Understanding what attackers have already done to AI systems	Knowledge base
NIST AI RMF	Governance / risk	A risk-management lifecycle — Govern, Map, Measure, Manage — for trustworthy AI	Managing AI risk at the organizational level	Process framework
Google SAIF	Security principles	Core elements and controls for securing AI systems across the lifecycle	Setting a security baseline and shared vocabulary	Principles / guidance
AATMF	Operational / offensive	15 tactics → 240 techniques → 2,152+ executable procedures → 4,980+ adversarial prompts	Actually red-teaming an AI system and producing evidence	Runnable test suite

MITRE ATLAS — the threat-intelligence layer

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a curated knowledge base of tactics and techniques adversaries use against machine-learning systems, structured like MITRE ATT&CK and grounded in observed, real-world case studies. Its value is awareness: it tells you which attack classes exist and have been seen in the wild. It is descriptive, not executable — ATLAS does not hand you the test that proves your system is exposed.

NIST AI RMF — the governance layer

The NIST AI Risk Management Framework is a voluntary, organization-level framework for managing the risks of AI through four functions — Govern, Map, Measure, and Manage. It answers "how does our organization handle AI risk responsibly?" It is deliberately framework-agnostic about how you measure; the Measure function explicitly expects you to bring testing and red-teaming methods to the table.

Google SAIF — the principles layer

Google's Secure AI Framework (SAIF) is a set of security principles and controls for building and deploying AI safely — extending traditional security fundamentals to AI-specific risks. It is a baseline and a shared language. Like NIST AI RMF, it tells you what good looks like rather than shipping the offensive procedures that test for it.

AATMF — the operational layer

AATMF (the Adversarial AI Threat Modeling Framework) is the one in this set built to be run. Where the others describe, govern, or set principles, AATMF v3.1 ships a structured, executable taxonomy: 15 tactics, 240 techniques, 2,152+ attack procedures, and 4,980+ adversarial prompts, with crosswalks to NIST AI RMF and MITRE ATLAS. It is the artifact a red-teamer actually uses against a live LLM, agent, or RAG pipeline — and the evidence it produces is what a NIST Measure step or an assurance review consumes. It is open-source (CC BY-SA) and published on ResearchGate.

How they fit together

The cleanest way to read these four is as rungs on one ladder, not as a bracket where one wins:

Govern the risk with NIST AI RMF, baseline your controls with Google SAIF.
Know the threat with MITRE ATLAS.
Prove the exposure with AATMF — run the procedures, get the findings, feed them back up.

If you only adopt one, pick the layer your gap is in. If your AI risk is undocumented, start with governance. If you have policy but no proof, start with offensive testing. For a deeper head-to-head on the offensive layer, see AATMF vs MITRE ATLAS and AATMF vs MAESTRO.

FAQ

What is the best framework for AI red teaming?

It depends on the job. For executable offensive testing of an AI system, AATMF is the operational choice. For organizational risk governance, NIST AI RMF. For threat intelligence on observed attacks, MITRE ATLAS. For a security baseline, Google SAIF. Mature teams pair a governance framework with an offensive one.

Is AATMF a replacement for MITRE ATLAS?

No — complementary. ATLAS documents what AI attacks exist; AATMF gives you the procedures and prompts to test for them.

Which of these are free and open?

MITRE ATLAS, NIST AI RMF, and AATMF are publicly available at no cost (AATMF under CC BY-SA). Google SAIF is published as guidance by Google. None charge a license fee.

AI Red-Teaming Frameworks, Compared.