TL;DR: Updated APE taxonomy separates prompts, techniques, objectives, and impacts, then rebuilds adversarial AI risk around confidentiality, integrity, and availability to make red teaming, detection, and policy mapping more precise, according to HiddenLayer. The shift matters because security teams need AI-specific threat models that distinguish observed behaviour from inferred attacker intent, especially as agents and multi-model workflows expand.
NHIMG editorial — based on content published by HiddenLayer: Updating HiddenLayer’s APE Taxonomy, a new objective model for AI attacks
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should security teams classify adversarial AI prompts in practice?
A: Classify them by the observable technique, the attacker objective, and the resulting security impact, not by a single catchall label.
Q: Why do AI systems need separate objective and impact categories?
A: Because the same prompt can lead to very different outcomes depending on the model, tools, and workflow context.
Q: What do security teams get wrong about prompt injection?
A: They often treat it as one attack type when it is really a family of behaviours that can lead to different outcomes.
Practitioner guidance
- Separate prompt, technique, objective, and impact in your AI threat model Map adversarial prompts to the behaviour they trigger, then classify the security consequence separately as confidentiality, integrity, or availability impact.
- Treat tool-using AI workflows as identity-relevant control paths Inventory which models can reach data, invoke tools, or write to downstream systems, then define explicit authorization boundaries for each path.
- Add judge-model and moderation-layer abuse to your testing scope Test whether a prompt can manipulate a safety filter, scoring model, or human review aid into approving content it should block.
What's in the full report
HiddenLayer's full research covers the operational detail this post intentionally leaves for the source:
- The full taxonomy view for tactics, techniques, objectives, and impacts, including the updated objective hierarchy and subtype structure.
- Detailed examples of Refusal Hijacking, Pretexting, and Safety / Judge Model Manipulation in adversarial AI testing.
- The changelog for deprecated, demoted, and renamed techniques, which is useful when updating detection content or red-team playbooks.
- The interactive website experience, including graph and matrix views, which helps analysts browse the taxonomy at implementation depth.
👉 Read HiddenLayer’s update to the APE taxonomy and AI attack objective model →
AI prompt injection needs an objective model, not a catchall?
Explore further
AI attack taxonomies are becoming identity taxonomies by another name. Once a generative system can retrieve data, call tools, and drive workflows, the line between prompt abuse and identity abuse starts to disappear. The useful question is no longer only what the model said, but what it was allowed to reach, trigger, or change. For practitioners, the taxonomy must therefore map to authorization boundaries as much as to content safety.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
A question worth separating out:
Q: How do AI judge models change the security model?
A: Judge models create a second decision layer that can be manipulated just like the primary model. If an attacker can influence the evaluator, the safety boundary stops being trustworthy. Practitioners should test that layer as a privileged control path and monitor it as part of the trust boundary.
👉 Read our full editorial: AI attack taxonomies need objective models, not prompt catchalls