Adversarial Machine Learning: Attack Vectors, Defences, and Robustness
<p><b><i><span>Background.</span></i></b><span> Adversarial machine learning has progressed from a marginal concern within machine learning research into a first-order discipline for the secure deployment of artificial intelligence systems in regulated and operational environments. The contemporary threat landscape encompasses evasion at inference time, data poisoning across training pipelines, model extraction and inference attacks against deployed systems, and a defence ecosystem whose claimed robustness frequently fails to generalise beyond the threat models under which it was measured.</span></p>
<p><b><i><span>Purpose.</span></i></b><span> This paper synthesises the adversarial machine learning literature spanning 2012 to 2025 to provide practitioners with an analytically grounded mapping between attack taxonomies, defence mechanisms, and the governance and risk-management controls required for defensible AI deployment. It further examines a structural critique of current robustness benchmarking practice and its implications for procurement, assurance, and regulatory compliance.</span></p>
<p><b><i><span>Approach.</span></i></b><span> The paper adopts a narrative literature review methodology, drawing on authoritative primary sources, including NIST AI 100-2 E2025, the OWASP Top 10 for Large Language Model Applications, MITRE ATLAS, and peer-reviewed research on adversarial machine learning. Sources were selected for authority, currency, and direct relevance to operational practice across both predictive and generative AI systems.</span></p>
<p><b><i><span>Findings.</span></i></b><span> Three findings are advanced. First, transferability renders the black-box assumption operationally weak, requiring defenders to assume adversarial knowledge of model behaviour as the default threat posture. Second, supply chain risks for datasets, pre-trained models, and fine-tuning pipelines are now first-order concerns that map to existing governance, risk, and compliance primitives but require AI-specific controls. Third, robustness benchmarking practices systematically overestimate defensive efficacy, with implications for procurement decisions and regulatory assurance.</span></p>
<p><b><i><span>Implications.</span></i></b><span> Practitioners require a layered control architecture combining adversarial training, certified components on highest-risk decision paths, input validation, continuous red-teaming, and governance treatments that operationalise threat models within ISO/IEC 42001 and the NIST AI Risk Management Framework. Procurement, vendor onboarding, and assurance processes should integrate adversarial robustness evaluation against named threat models rather than relying on aggregate robustness claims.</span></p>
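The first finding above (transferability makes the black-box assumption weak) and the implication that robustness should be evaluated against a named threat model can be made concrete with a small experiment. The following is an added illustration and is not code from the paper: two logistic-regression classifiers are trained independently on constructed 2-D data, an FGSM perturbation under an explicit L-infinity budget eps is crafted against model A only, and its success is then measured against model B, which the attacker never queried, alongside a random perturbation of the same budget as a baseline. The dataset, the models, the seeds and the budget values are assumptions chosen for the illustration.

```python
"""Transferability of an L-inf evasion attack between two independently trained
linear classifiers. Added illustration on constructed data; not from the paper."""
import math
import random
from typing import Dict, List, Tuple

Vec = List[float]


def make_dataset(n: int, seed: int, sigma: float = 0.7) -> List[Tuple[Vec, int]]:
    """Constructed two-class 2-D data: class 0 around (-2,-2), class 1 around (2,2)."""
    rng = random.Random(seed)
    data = []
    for i in range(n):
        y = i % 2
        c = 2.0 if y == 1 else -2.0
        data.append(([rng.gauss(c, sigma), rng.gauss(c, sigma)], y))
    return data


class Logistic:
    """Minimal logistic-regression classifier trained by batch gradient descent."""

    def __init__(self) -> None:
        self.w = [0.0, 0.0]
        self.b = 0.0

    def prob(self, x: Vec) -> float:
        z = self.w[0] * x[0] + self.w[1] * x[1] + self.b
        return 1.0 / (1.0 + math.exp(-z))

    def predict(self, x: Vec) -> int:
        return 1 if self.prob(x) >= 0.5 else 0

    def fit(self, data, lr: float = 0.1, epochs: int = 200, l2: float = 0.01) -> "Logistic":
        n = len(data)
        for _ in range(epochs):
            gw = [0.0, 0.0]
            gb = 0.0
            for x, y in data:
                e = self.prob(x) - y          # d(cross-entropy)/dz
                gw[0] += e * x[0]
                gw[1] += e * x[1]
                gb += e
            self.w[0] -= lr * (gw[0] / n + l2 * self.w[0])
            self.w[1] -= lr * (gw[1] / n + l2 * self.w[1])
            self.b -= lr * gb / n
        return self

    def input_gradient(self, x: Vec, y: int) -> Vec:
        """Gradient of the loss -log p(y|x) with respect to the INPUT: (p - y) * w."""
        e = self.prob(x) - y
        return [e * self.w[0], e * self.w[1]]


def fgsm(model: Logistic, x: Vec, y: int, eps: float) -> Vec:
    """Fast Gradient Sign Method: one step of size eps along sign(grad_x loss),
    which by construction stays inside the L-inf ball of radius eps around x."""
    g = model.input_gradient(x, y)
    return [xi + eps * ((gi > 0) - (gi < 0)) for xi, gi in zip(x, g)]


def accuracy(model: Logistic, data) -> float:
    return sum(model.predict(x) == y for x, y in data) / len(data)


def evaluate_transfer(eps: float, seed: int = 0) -> Dict[str, float]:
    """Craft FGSM examples against surrogate A under budget eps; measure misclassification
    on A (white-box), on the never-queried target B (transfer), and for random +/-eps noise."""
    a = Logistic().fit(make_dataset(200, seed=1))   # attacker's surrogate
    b = Logistic().fit(make_dataset(200, seed=2))   # deployed target, different data
    test = make_dataset(200, seed=3)
    rng = random.Random(seed)
    correct = [(x, y) for x, y in test if a.predict(x) == y and b.predict(x) == y]
    adv = [(fgsm(a, x, y, eps), y) for x, y in correct]
    noise = [([xi + eps * rng.choice((-1.0, 1.0)) for xi in x], y) for x, y in correct]
    return {
        "clean_acc_a": accuracy(a, test),
        "clean_acc_b": accuracy(b, test),
        "whitebox_success": 1.0 - accuracy(a, adv),
        "transfer_success": 1.0 - accuracy(b, adv),
        "random_noise_success_b": 1.0 - accuracy(b, noise),
    }


if __name__ == "__main__":
    # Sweep the threat-model parameter: a robustness number is meaningless without eps.
    for eps in (0.5, 1.0, 2.0, 3.0):
        r = evaluate_transfer(eps)
        print(f"eps={eps:<4} white-box={r['whitebox_success']:.2f} "
              f"transfer={r['transfer_success']:.2f} random={r['random_noise_success_b']:.2f}")
```

Two things to take from the sweep: the attack crafted against A succeeds against B at almost the same rate, far above random perturbation of identical L-inf norm, so withholding the model does not withhold the attack; and the success rate is a function of eps, which is why a vendor's "robust accuracy" claim has to name the norm and budget it was measured under.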
<p><b><i><span>Keywords: </span></i></b><span>adversarial machine learning; AI security; evasion attacks; data poisoning; model extraction; certified robustness; AI governance</span></p>
<p><b><i><span>JEL Classification: </span></i></b><span>O33; K24; L86</span></p>
<p><b><i><span>ACM CCS: </span></i></b><span>Security and privacy ~ Software and application security; Computing methodologies ~ Machine learning ~ Adversarial learning; Security and privacy ~ Human and societal aspects of security and privacy ~ Governance</span></p>