Volume I · Edition 1.0
A Reference Framework for the AI Agent Era
May 2026 · LiveVigil AI Security

The Vigil Periodic Table of AI Threats.

41 elements catalogued
Ranked by impact · coded by coverage
Edition notes

A reference framework, not marketing.

Forty-one ways AI can hurt you. The OWASP LLM Top 10 catalogued ten of these in 2023. The MITRE ATLAS matrix covers a different fourteen as of 2025. Vigil maps all forty-one in one framework: ranked by real-world impact, color-coded by what we defend today, what is in build, and what belongs elsewhere by design. Updated quarterly. Versioned publicly.

How to read this

Each cell carries a vector identifier (top), a two-letter code (centre), and the threat name (foot). Rows are tiers of impact, descending. Cell colour indicates Vigil’s current coverage state. The accent bar above each cell is a fast-scan signal of the same.

Cited frameworks
OWASP LLM Top 10 v2025
MITRE ATLAS v3
NIST AI RMF 1.0
CSA AI Threat Working Group
EU AI Act, Annex III

Forty-one vectors. One framework. Read the full reference, vector by vector, with what Vigil ships today and what is coming next.

Tier 01 · Critical · 8 vectors

01.1 · Persistent memory poisoning across sessions · Live
Silent. Persistent. Cross-provider. The user does not see it. The attack compounds over months until trust is corrupted.
Today: Memory Integrity Layer 1. Operation classifier. Quarantine engine. Vault diffing on every memory write.
Next: Cross-provider memory correlation across ChatGPT, Claude, Gemini. Already shipping in v2.1.0.

01.2 · Confused deputy, unauthorized money movement, scope escalation · Live
Direct financial loss. Irreversible at agent speed. Liability gaps still unresolved across every agent platform.
Today: Agency score. Scope tags. Tier 3 sync watchdog. Execution Gate. Three-layer kill switch.
Next: Cross-agent causality DAG. Capability decay. Reversibility-scored authorization.

01.3 · Real-time video deepfakes on Zoom, Teams, Webex · Coming soon
Active in 2026. Arup lost USD 25M to a fake CFO call. Heads of state are next. Cost to attacker is cents.
Today: Not yet covered.
Next: vigil-deepfake module. On-device MLX inference for real-time call detection above 90 percent accuracy.

01.4 · Voice cloning for vishing, family scams, CFO fraud · Coming soon
Already at industrial scale. Three seconds of audio is enough. Loss per incident is in the millions.
Today: Not yet covered.
Next: vigil-deepfake module. On-device voice authenticity scoring on incoming calls.

01.5 · Provider breach, insider threat, government compulsion · Coming soon
Single point of failure for hundreds of millions of users. Retroactive policy reversal is now a recurring pattern.
Today: Local-first architecture. Hash-chained VOAF. Cross-provider visibility no single provider can match.
Next: Provider trust ledger. Cryptographically signed public artifact tracking ToS, retention, and silent model swaps.

01.6 · AI-generated CSAM, predator automation, grooming at scale · Partner
Irreversible harm to minors. Reputational and legal landmine for any AI surface.
Today: Not directly covered.
Next: Sovereign household tier provides surface-level coverage. Hash matching belongs with Thorn and NCMEC. Conversational classifiers stay with specialists.

01.7 · Industrial control, SCADA, medical devices, drones · Partner
Life-safety. Infrastructure scale. The cyber-physical domain is its own discipline.
Today: Physical Bridge Layer 5 gates physical-world consequences from agent actions.
Next: Direct ICS coverage stays with Claroty, Dragos, MedCrypt. Vigil owns the AI-to-physical seam, not the device.

01.8 · Mass-casualty uplift (bio, chem, nuclear, advanced cyber) · Out of scope
Civilization-scale. Irreversible. Provider ASL responsibility.
Today: Out of scope.
Next: Architecturally refused. Vigil does not classify intent content. The provider safety stack owns this layer.
Tier 02 · High · 16 vectors

02.1 · Multi-turn jailbreaks, persona hijacks, encoded injections · Live
Common. Escalating sophistication. Compounds across long conversations until the model breaks frame.
Today: LSTM detects sequence drift across turns. Bayesian network correlates anomalies. Multi-Window CUSUM catches slow-build attacks.
Next: Behavioral fingerprint flags persona drift mid-session.

02.2 · Indirect prompt injection via documents, web pages, email, tickets, file names · Coming soon
Every input is a vector. Massive surface. The dominant agent attack class of 2026.
Today: Two-surface pipeline. Statistical models on the response side fire regardless of where the injection came from.
Next: Causality graph traces which input source produced which downstream agent action.

02.3 · MCP tool poisoning, malicious server returns · Coming soon
Supply chain at agent runtime. One poisoned MCP server affects every connected agent simultaneously.
Today: Decompose surface for tool calls. Statistical anomaly detection on response payloads.
Next: TAP fingerprint per agent. Cloud Agent Registry coverage states.

02.4 · Cross-agent collusion, agent-to-agent attacks · Coming soon
Multiplicative compromise. Opaque to any single-agent monitor. The attack surface scales with agent count.
Today: Single-agent monitoring across providers. Each agent observed independently.
Next: Cross-Agent Causality DAG. Built specifically for this attack class.

02.5 · Silent model swaps, untracked A/B tests, provider-side prompt injection · Coming soon
Behavior changes invisibly. Undermines trust in every published model behavior claim.
Today: Four-model behavioral baseline. Detects drift even without a public announcement.
Next: Behavioral fingerprint diff against the published model card.

02.6 · Judgement manipulation, persuasion at scale, framing bias · Coming soon
Every executive, analyst, lawyer, and clinician now reasons through AI. Subtle framing bias compounds across millions of decisions. Providers profit from engagement. The user does not see the nudge.
Today: VOAF preserves the full response for retrospective review. Behavioral baseline catches sudden shifts in tone or argumentation.
Next: Persuasion pattern detection in responses. Framing bias scoring. Cross-provider response comparison on the same question.

02.7 · Cyber-physical compromise of smart home, connected car, household robotics · Coming soon
Direct safety risk. Blast radius extends to family members.
Today: Physical Bridge Layer 5. Mandatory gate on real-world state changes. Pre-execution snapshot for rollback.
Next: Sovereign tier household coverage of four. Physical Bridge expansion to IoT MCP servers.

02.8 · Shadow AI: employees pasting source code, customer data, financials, MNPI · Coming soon
Daily occurrence at scale. Silent IP and customer data loss. Most enterprises have zero visibility.
Today: Local proxy gives per-user visibility into outbound prompts.
Next: Developer plan DLP for outbound prompts. Cloud Agent Registry surfaces unmanaged AI use across the org.

02.9 · Markdown exfiltration via rendered image URLs · Coming soon
Silent data theft inside legitimate response channels. Hard to spot at the wire.
Today: Proxy sees the call. Renderer fetch is downstream and not yet monitored.
Next: Outbound URL monitoring on AI surface fetches. Closes the canary loop end-to-end.

02.10 · IP exfiltration via translation, summarization, OCR pipelines · Coming soon
Trade secret loss at national-competitiveness scale. Often framed as innocent productivity.
Today: Outbound prompt visibility at the proxy.
Next: Developer plan DLP plus canary tokens. Detects when seeded data appears outside authorized channels.

02.11 · Code generation: insecure patterns, API keys committed, IP leakage · Coming soon
Future production vulnerabilities are being written today by AI coding agents.
Today: Proxy intercepts Cursor and Copilot traffic.
Next: Outbound secret detection in coding-agent prompts. VOAF audit on every code call.

02.12 · Slopsquatting (hallucinated dependencies registered by attackers) · Coming soon
A new supply-chain class. Trivial to weaponize. AI confidently recommends installing the trojan.
Today: Not yet covered.
Next: Pattern matching on generated install commands referencing non-existent or recently registered packages.

02.13 · Help desk takeover via voice cloning (MGM and Caesars pattern) · Partner
Enterprise-scale breach via human-in-the-loop. Already proven at billion-dollar cost.
Today: User-side coverage via vigil-deepfake.
Next: The help-desk side belongs with enterprise IAM and call-center authentication vendors.

02.14 · KYC bypass, biometric spoofing, synthetic identity · Partner
Financial-system fraud. Loan and account creation at industrial volume.
Today: Not covered.
Next: Onfido, Persona, iProov own this category. Vigil does not enter regulated identity.

02.15 · Email security: hyper-personalized phishing, BEC automation · Partner
Industrialized social engineering. Indistinguishable from human-written email.
Today: Not covered.
Next: Abnormal, Material, Tessian own this category.

02.16 · Election interference, deepfake heads of state, mass disinformation · Out of scope
Geopolitical scale. Indistinguishable from organic discourse at platform level.
Today: Out of scope.
Next: Platform responsibility. Anthropic, OpenAI, Meta, X own the integrity surface. Vigil does not.
Tier 03 · Medium · 10 vectors

03.1 · Direct prompt injection in chat · Live
Common but generally lower per-incident impact than indirect injection.
Today: Two-surface pipeline. Statistical models on the response side. Scope violation detection.
Next: Behavioral fingerprint drift confirms the model is not following its baseline.

03.2 · Forged AI logs, plausible deniability, synthetic alibis · Live
Forensic ambiguity. Already a problem in legal proceedings. AI output is now admissible and contestable.
Today: Hash-chained VOAF. vigil-verify CLI as open source. Tamper-evident at every transcript boundary.
Next: Four independent hash chains in VOAF v2.0. Causality graph attributes events across agents.

03.3 · Token bombs, wallet drain, recursive loops, cost amplification · Coming soon
Cost denial of service. High dollar impact, but rate-limitable and detectable.
Today: Not yet covered.
Next: Token-velocity anomaly inside Multi-Window CUSUM. Developer plan rate limiting.

03.4 · Sycophancy, recommendation manipulation, cognitive dependency · Coming soon
Slow-acting harm. Hard to attribute. Brand-sensitive territory for any defender.
Today: Not covered.
Next: Sycophancy and dependency scores as observational components in the Weekly Brief. Never advice.

03.5 · Personality theft (cloning a person's voice and writing style for fraud) · Coming soon
Emerging. Targets high-value individuals. Social-network fraud blast radius.
Today: Not yet covered on the impersonation axis.
Next: Per-user behavioral fingerprint as anti-impersonation primitive. Research stage.

03.6 · RAG poisoning in third-party retrieval systems · Partner
Quality degradation more than compromise. Detectable downstream of the retrieval call.
Today: Proxy sees the AI request that uses the RAG system.
Next: The Vigil cloud proxy intercepts enterprise RAG calls. Vector DB integrity stays with the vendor.

03.7 · Hallucinated medical, legal, or financial advice causing real harm · Partner
Real liability. Best handled by domain accuracy classifiers, not by statistical defense.
Today: VOAF gives the evidence layer for downstream investigation when harm occurs.
Next: Bias and accuracy classifiers belong with FairNow, Credo AI, and domain specialists.

03.8 · Insurance fraud, synthetic credit histories, AML and KYC bypass · Out of scope
Industry-specific fraud. Significant dollar impact, but a regulated domain.
Today: Out of scope.
Next: Specialist vendors and regulators own this. Not Vigil.

03.9 · Pump-and-dump deepfakes, synthetic earnings, market manipulation · Out of scope
Real economic damage but bounded by exchange surveillance.
Today: Out of scope.
Next: Market integrity belongs with exchanges and regulators.

03.10 · Agent reputation attacks via mass content generation · Out of scope
Brand and platform damage. Detection sits at the platform side, not at the proxy.
Today: Out of scope.
Next: Platform integrity problem. Not Vigil.
Tier 04 · Lower · 7 vectors

04.1 · Cross-modal injection (text in images, audio prompts, QR codes) · Coming soon
Increasing but still emerging. Lower volume than text-channel injection.
Today: Not covered. The proxy decodes JSON, not pixels.
Next: Image and audio surface decoding. Slotted into MIRROR P2 scope.

04.2 · Steganographic communication via AI outputs · Coming soon
Research-stage. Covert channels in legitimate-looking text.
Today: Not covered.
Next: Add to vigil-watermark scope after MIRROR P1.

04.3 · Model inversion, training data extraction, model stealing · Out of scope
Real but slow. Provider-side responsibility primarily.
Today: Out of scope.
Next: Provider responsibility. Not Vigil.

04.4 · Vector store enumeration, embedding inversion · Out of scope
Niche. Vendor-side problem.
Today: Out of scope.
Next: Pinecone, Weaviate, and incumbents own internal vector security.

04.5 · Federated learning poisoning, AI auditing AI · Out of scope
Research stage. Vigil refuses LLM-in-the-loop enforcement by design.
Today: Out of scope.
Next: Architecturally refused. Detection is statistical. Never AI-based.

04.6 · Synthetic reviews, astroturfing, fake social proof · Out of scope
Platform integrity problem. Distributed across many surfaces.
Today: Out of scope.
Next: Platforms own this category.

04.7 · Inference DDoS, cache poisoning, side-channel timing · Out of scope
Provider infrastructure layer. Specialist territory.
Today: Out of scope.
Next: Cloudflare, Akamai, and providers own this layer.