Safeguard
AI Security

AI Red Teaming vs. AI-SPM: Why You Need Both

OWASP's 2025 LLM Top 10 and MITRE ATLAS both treat adversarial testing and posture scanning as separate disciplines — most AI programs still run only one.

Safeguard Research Team
Research
5 min read

The 2025 revision of the OWASP Top 10 for LLM Applications kept Prompt Injection at LLM01 and added two new categories entirely — System Prompt Leakage and Vector and Embedding Weaknesses — a sign that the risk surface for AI systems is still expanding faster than most security programs' coverage of it. At the same time, MITRE ATLAS, the ATT&CK-style knowledge base for adversarial tactics against ML systems, now documents real-world techniques spanning data poisoning, model exfiltration via inference APIs, and prompt injection against deployed agents. Two very different classes of tooling have emerged to address this: AI red teaming, which actively attacks a live model or agent to see what breaks, and AI security posture management (AI-SPM), which continuously audits the configuration of models, datasets, pipelines, and permissions without ever sending an adversarial prompt. Teams that buy one and assume it covers the other are leaving a real gap. This post explains what each discipline actually catches, where they overlap, and why NIST's own AI Risk Management Framework treats them as complementary rather than interchangeable.

What does AI red teaming actually test?

AI red teaming actively probes a live model or agent the way an attacker would, rather than reading its configuration. That means attempting jailbreaks that bypass safety training, crafting prompt injections hidden in documents or tool outputs that the model will process, testing whether an agent can be manipulated into calling tools outside its intended scope, and attempting to extract training data or system prompts through adversarial querying. MITRE ATLAS catalogs these as named techniques — including data poisoning and inference-API-based model exfiltration — because they've been observed against real deployed systems, not just theorized. Red teaming is inherently a point-in-time exercise: it tells you whether this version of this model, wired into this specific application context, resists a given attack today. It does not tell you whether tomorrow's fine-tune, a new tool integration, or a permissions change reintroduces the same weakness, which is precisely the gap AI-SPM is built to close.

What does AI security posture management cover instead?

AI-SPM is the AI-system analog of cloud security posture management (CSPM): it continuously discovers AI assets — models, training datasets, vector stores, inference endpoints, fine-tuning pipelines — and audits their configuration for drift and misconfiguration, without ever interacting adversarially with the model itself. Typical checks include whether model weights are signed and their provenance verified, whether a fine-tuned model's training data carries an unresolved license or contains regulated data (PII, PHI, PCI) without controls, whether an inference endpoint is exposed without authentication, and whether a vendor's published model card matches what the weights actually contain. None of this requires sending a single crafted prompt. It's the same category of work as scanning a pyproject.toml for a vulnerable dependency versus fuzzing the running application — one confirms configuration is sound, the other confirms behavior under attack holds up.

Why does NIST treat these as two separate practices, not one?

The NIST AI Risk Management Framework's GOVERN function calls for both adversarial security testing and separate behavioral/safety evaluation as distinct, necessary activities rather than one substituting for the other, according to guidance summarized in coverage of the framework's red-teaming provisions. The reasoning tracks with how the two disciplines fail differently: a model can pass every AI-SPM configuration check — signed weights, verified provenance, clean license lineage — and still be jailbroken in under ten prompts if nobody ever attacked it. Conversely, a red team can confirm a model resists a specific set of known jailbreak patterns this week, but that result says nothing about whether next month's dependency update to the serving stack, a newly granted tool permission, or an unsigned weight swap during a hotfix silently reopens a different door. Point-in-time adversarial proof and continuous configuration truth are answering different questions.

Where do the two disciplines actually overlap?

The overlap sits at the model card and provenance layer, where OWASP's newly added System Prompt Leakage category and MITRE ATLAS's exfiltration techniques both depend on facts that AI-SPM tooling already tracks: what's actually inside a model, where it came from, and what it's connected to. A red team testing for prompt leakage benefits from knowing, going in, whether the target model has documented jailbreak-resistance test results and what input/output filters are already applied at serving time — posture data, not attack data. Conversely, a posture tool that flags a model as "unsigned, unverified provenance" is describing exactly the kind of untrusted artifact a red team should prioritize attacking first. Neither discipline is complete without feeding the other; treating them as a single combined checklist rather than sequential, disconnected exercises is where mature AI security programs are heading.

How does Safeguard fit into this picture?

Safeguard's AI-BOM tracks the posture side of this problem directly: model identity, weight provenance and signing status, fine-tune lineage, and training-data license risk, enforced at load time so unsigned weights or models without a valid signed model card are blocked before they ever serve traffic. Eagle runs statistical tests on weights for trojan triggers and class-level backdoors, and for agentic systems, Safeguard validates tool calls against a declared tool surface and scores prompt-injection attempts at inference time — real-time detection, layered on top of posture data. Safeguard's Red Team engine adds a defensive-only layer on top of that: breach-and-attack-simulation canaries, purple-team validation against your own detections, and an AI/LLM guardrail-validation harness that probes prompt-injection and jailbreak resistance with benign, non-weaponized test cases. What it does not do is run unrestricted, offensive red-team campaigns — the kind that actively try to defeat a model's safety training with live jailbreak payloads or extract training data through adversarial querying — against a live model on your behalf; that remains a distinct, necessary practice organizations should run separately, ideally against a model whose provenance and configuration Safeguard has already verified as sound. Posture management narrows what a red team needs to test; it doesn't replace the test.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.