7 articles27 distinct techniques26 distinct CWEs

AI ACTEU AI Act compliance map

The cybersecurity surface for Regulation (EU) 2024/1689 — each high-risk-AI obligation mapped to the MITRE ATT&CK techniques an adversary would use to violate it. Authored by Adam Lundqvist, Founder at SQUR.

Art. 10Data and data governance

pentest relevance: medium

High-risk AI systems making use of techniques involving training of models with data shall be developed on the basis of training, validation and testing data sets that meet quality criteria. Data governance and management practices shall address relevance, representativeness, freedom from errors, biases that could impa

ATT&CK techniques (15)

T1190T1566T1078T1547T1068T1027T1003T1083T1005T1071T1041T1485+3 more

Underlying CWE weaknesses (7)

CWE-20CWE-287CWE-269CWE-352CWE-502CWE-798CWE-732

Art. 12Record keeping

pentest relevance: high

High-risk AI systems shall technically allow for the automatic recording of events (logs) over the duration of the lifetime of the system. The logging capabilities shall ensure a level of traceability of the AI system's functioning that is appropriate to the intended purpose, including for post-incident investigation,

ATT&CK techniques (15)

T1070.001T1070.002T1070.003T1070.004T1562.001T1562.004T1485T1490T1003T1087T1071T1041+3 more

Underlying CWE weaknesses (6)

CWE-223CWE-778CWE-345CWE-284CWE-200CWE-532

Art. 14Human oversight

pentest relevance: medium

High-risk AI systems shall be designed and developed in such a way that they can be effectively overseen by natural persons during the period in which they are in use. Human oversight measures aim at preventing or minimising the risks to health, safety, or fundamental rights that may emerge when a high-risk AI system i

Underlying CWE weaknesses (6)

CWE-1004CWE-1021CWE-1078CWE-1090CWE-1114CWE-1119

Art. 15Accuracy, robustness and cybersecurity

pentest relevance: high

High-risk AI systems shall be designed and developed in such a way that they achieve an appropriate level of accuracy, robustness, and cybersecurity, and perform consistently in those respects throughout their lifecycle. High-risk AI systems must be resilient against attempts by unauthorised third parties to alter thei

ATT&CK techniques (15)

T1190T1566T1078T1547T1068T1027T1070T1003T1087T1083T1005T1074+3 more

Underlying CWE weaknesses (7)

CWE-20CWE-327CWE-287CWE-269CWE-798CWE-502CWE-732

Art. 72Post-market monitoring by providers

pentest relevance: medium

Providers shall establish and document a post-market monitoring system. The post-market monitoring system shall actively and systematically collect, document and analyse relevant data which may be provided by deployers or which may be collected through other sources on the performance of high-risk AI systems throughout

Underlying CWE weaknesses (7)

CWE-20CWE-287CWE-276CWE-306CWE-502CWE-79CWE-89

Art. 73Reporting of serious incidents

pentest relevance: high

Providers of high-risk AI systems placed on the Union market shall report any serious incident to the market surveillance authorities of the Member States where that incident occurred. Such reports shall be made immediately after the provider has established a causal link between the AI system and the serious incident

Underlying CWE weaknesses (6)

CWE-20CWE-287CWE-306CWE-327CWE-434CWE-502

Art. 9Risk management system

pentest relevance: high

A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems. It shall consist of a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system, including identification and analysis of known and foreseeable risks, es

Underlying CWE weaknesses (7)

CWE-20CWE-284CWE-327CWE-434CWE-502CWE-798CWE-915
SQUR runs annual TLPT against the ATT&CK techniques mapped to AI Act Art. 15 (Accuracy, robustness and cybersecurity) as part of standard pentests. Sourced from EUR-Lex CELEX 32024R1689 + Vertex Gemini mega-mapping. Curated by Adam Lundqvist, Founder at SQUR.