Towards Secure MLOps: Surveying Attacks, Mitigation Strategies, and Research Challenges
The rapid adoption of machine learning (ML) technologies has driven organizations across diverse sectors to seek efficient and reliable methods to accelerate the path from model development to deployment. Machine Learning Operations (MLOps) has emerged as an integrative approach addressing these requirements by unifying the relevant roles and streamlining ML workflows. As the MLOps market continues to grow, securing these pipelines has become increasingly critical. However, the unified nature of the MLOps ecosystem introduces vulnerabilities, making it susceptible to adversarial attacks, where a single misconfiguration can lead to compromised credentials, severe financial losses, damaged public trust, and the poisoning of training data. Our paper presents a systematic application of the MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) framework, supplemented by reviews of white and grey literature, to assess attacks across the different phases of the MLOps ecosystem. We begin by reviewing prior work in this domain, then present our taxonomy and introduce a threat model that captures attackers with different knowledge and capabilities. We then present a structured taxonomy of attack techniques explicitly mapped to the corresponding phases of the MLOps ecosystem, supported by examples drawn from red-teaming exercises and real-world incidents. This is followed by a taxonomy of mitigation strategies aligned with these attack categories, offering actionable early-stage defenses to strengthen the security of the MLOps ecosystem. Given the gradual evolution and adoption of MLOps, we further highlight key research gaps that require immediate attention. Our work emphasizes the importance of implementing robust security protocols from the outset, empowering practitioners to safeguard the MLOps ecosystem against evolving cyber attacks.
💡 Research Summary
The paper presents a comprehensive survey of security threats targeting the entire Machine Learning Operations (MLOps) lifecycle, a rapidly expanding domain that integrates DevOps practices with machine learning workflows to accelerate model development, deployment, and monitoring. Recognizing that the unified nature of MLOps pipelines creates a broad attack surface, the authors adopt the MITRE ATLAS (Adversarial Threat Landscape for Artificial‑Intelligence Systems) framework as the primary taxonomy, augmenting it with MITRE ATT&CK, OWASP Top 10 for Large Language Models, and a wide range of white‑ and grey‑literature sources (industry reports, incident disclosures, red‑team exercises).
The study first outlines the MLOps ecosystem, breaking it into seven core phases: business alignment, data collection, data preparation, model development, continuous integration/continuous delivery (CI/CD), deployment, and monitoring. For each phase, the authors identify specific adversarial techniques, classify attackers by knowledge, access, and resources (e.g., insider, cloud‑abuse actor, data‑poisoning specialist, model‑theft operator), and map these techniques to ATLAS tactics and techniques. Representative examples include:
- Data collection – OSINT‑driven scraping that injects mislabeled or malicious samples, compromising downstream training data.
- Data preparation – Automated pipelines that can be hijacked to perform data tampering, feature‑engineered backdoors, or covert exfiltration of raw datasets.
- Model development – Hyper‑parameter manipulation, adversarial example injection, and model‑stealing via query‑based extraction.
- CI/CD – Container image substitution, secret leakage through misconfigured IAM policies, and RBAC mis‑assignments that enable large‑scale cloud resource hijacking (e.g., the ShadowRay incident).
- Deployment – Unauthenticated inference APIs, inference‑time model extraction, denial‑of‑service attacks, and malicious model updates that bypass gated approval workflows.
- Monitoring – Log tampering, metric poisoning, and stealthy evasion of anomaly detection systems.
The authors then construct a three‑layer taxonomy (strategic, tactical, technical) of attacks and propose a parallel taxonomy of mitigation strategies aligned with each attack class. Preventive measures emphasize strong identity and access management, automated secret management, code signing, static and dynamic code analysis, container image scanning, and policy‑driven access controls. Detective and corrective controls include real‑time anomaly detection, sandboxed execution of untrusted code, model integrity verification (e.g., hash‑based checks, provenance tracking), continuous red‑team testing, and immutable logging.
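The model integrity verification the summary mentions (hash-based checks plus provenance tracking) can be enforced as a gate in the CI/CD or deployment phase. The following is an added example, not code from the paper or any project it cites: a signed registry manifest records the artifact's SHA-256 digest and provenance, and the deployment step refuses to load an artifact whose digest or manifest signature does not check out. The artifact bytes, the HMAC key, and the provenance fields are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample: a "model artifact" as bytes and a key for signing the manifest.
# In a real registry the artifact is a file (e.g. ONNX/safetensors) and the key
# lives in a secrets manager or KMS, never in source.
MODEL_BYTES = b"constructed-model-weights-v1"
SIGNING_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Canonical JSON so the signature does not depend on key ordering or spacing.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(name: str, version: str, artifact: bytes, key: bytes) -> dict:
    """Training/registry side: record digest + provenance and sign the record."""
    body = {
        "name": name,
        "version": version,
        "sha256": sha256_hex(artifact),
        # Provenance values are constructed placeholders.
        "provenance": {"pipeline": "train-job-placeholder", "commit": "0000000"},
    }
    return {"body": body, "sig": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_artifact(manifest: dict, artifact: bytes, key: bytes) -> tuple:
    """Deployment gate: accept only if the manifest signature is valid AND the
    artifact's digest equals the digest recorded in that signed manifest."""
    expected_sig = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, manifest["sig"]):
        return False, "manifest signature invalid (manifest tampered or wrong key)"
    if not hmac.compare_digest(manifest["body"]["sha256"], sha256_hex(artifact)):
        return False, "artifact digest mismatch (model swapped after signing)"
    return True, "ok"


if __name__ == "__main__":
    m = build_manifest("fraud-detector", "1.4.0", MODEL_BYTES, SIGNING_KEY)
    print(verify_artifact(m, MODEL_BYTES, SIGNING_KEY))              # accepted
    print(verify_artifact(m, MODEL_BYTES + b"x", SIGNING_KEY))       # swapped artifact
    forged = {"body": dict(m["body"], sha256=sha256_hex(MODEL_BYTES + b"x")), "sig": m["sig"]}
    print(verify_artifact(forged, MODEL_BYTES + b"x", SIGNING_KEY))  # edited manifest
```

Updating the recorded digest without re-signing is caught by the signature check, so an attacker who can modify the registry entry but not reach the signing key still cannot push a substituted model through the gate.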
A significant contribution of the paper is the identification of research gaps. Current literature lacks (1) automated adversarial simulation tools that can generate realistic end‑to‑end attack scenarios across the MLOps pipeline, (2) unified security policies for multi‑cloud and hybrid deployments, (3) practical integration of privacy‑preserving learning techniques (e.g., differential privacy, PATE) into production MLOps workflows, and (4) standardized security metrics and benchmarks for evaluating MLOps robustness. The authors call for future work on AI‑driven attack surface discovery, security‑by‑design CI/CD pipelines, and industry‑wide standardization efforts.
In summary, the paper delivers the first holistic mapping of MLOps‑centric attacks using the MITRE ATLAS framework, validates each technique with real‑world incidents or red‑team case studies, and offers a structured set of mitigation strategies. By highlighting both existing defenses and open research challenges, it provides practitioners with actionable guidance to embed security from the earliest stages of MLOps development and offers researchers a clear agenda for advancing the security of AI‑enabled production systems.