Version: v2.1 (canonical)
Status: Published
DOI: 10.5281/zenodo.19251098
Concept DOI (human-readable): 10.5281/zenodo.19162184
License: CC-BY-SA-4.0
What it is
ATX-1 is a taxonomy of how autonomous agents fail at the action boundary. It catalogs 10 tactics (categories of adversarial intent) and 29 techniques (specific failure mechanisms) that the AEGIS Initiative has observed, derived from peer-reviewed literature, or extracted from adversarial testing of AEGIS Core itself.
ATX-1 is implementation-independent: techniques are defined in terms of agent behavior and environment effects, not specific tools, models, or runtimes. This makes it composable with adjacent frameworks the way NIST 800-53, MITRE ATT&CK, and CVSS compose in traditional cybersecurity.
Positioning
ATX-1 is being built as MITRE AEGIS — the third column alongside MITRE ATT&CK (network/host adversary techniques) and MITRE ATLAS (adversarial ML). ATT&CK covers what attackers do to systems; ATLAS covers what attackers do to ML models; ATX-1 covers what agents themselves do once acting autonomously, governed or not.
Five Root Causes
ATX-1 organizes around five architectural Root Causes that explain why agentic failures occur. RC1–RC4 are inherited from Shapira et al. (2026) §16.2–16.3, which named the corresponding structural properties LLM-backed agents lack. RC5 emerged from AEGIS’s own RFC-0006 adversarial testing on 2026-03-26.
| Root Cause | Description | Source |
|---|---|---|
| RC1 | No stakeholder model | AoC §16.2 |
| RC2 | No self-model | AoC §16.2 |
| RC3 | No private deliberation surface | AoC §16.2 |
| RC4 | Prompt injection as a structural feature | AoC §16.3 |
| RC5 | No environment model | AEGIS RFC-0006 testing, 2026-03-26 |
Evidence hierarchy
ATX-1 distinguishes primary evidence from corroborating research:
- Primary evidence — Agents of Chaos (Shapira et al. 2026), AEGIS RFC-0006 adversarial testing, and the Round 1 red/blue exercise.
- Corroborating research — academic literature on agent safety, prompt injection, capability-based access control, and execution-monitor theory.
This distinction matters for academic credibility: every technique in ATX-1 traces to a primary-evidence source.
Browse the taxonomy
The full ATX-1 specification — every tactic, every technique, root-cause mappings, and adjacent-framework cross-references — lives at:
- aegis-governance.com/threat-model/taxonomy/ — canonical browseable taxonomy
- STIX 2.1 bundle — machine-readable export, available from the data catalog at aegis-governance.com/data/
- Zenodo deposit — DOI 10.5281/zenodo.19251098
How AEGIS uses ATX-1
The AEGIS Core runtime’s adversarial test suite carries 100% ATX-1 technique coverage — every technique has at least one corresponding red-team test that exercises the runtime against that failure mode. The Round 1 results trace each observed failure (Flux’s autonomous offensive tooling, Mira’s audit findings) back to specific ATX-1 techniques.