AI_SAFETY | arxiv_cscr | 26 Jun 2026

arXiv: Decoys Cannot Go Everywhere: Mapping the Deception Surface in MITRE ATT&CK

AI_SAFETY. Sourced from arxiv_cscr, summarised by Matproof.

AI Analysis

What changed and what to do.

This publication, a research paper from arXiv, does not represent a formal regulatory change but rather a significant technical analysis relevant to AI safety and cybersecurity compliance. The paper, titled "Decoys Cannot Go Everywhere," critically examines the use of deception technologies—such as honeypots and decoys—within the MITRE ATT&CK framework. It maps the "deception surface" to identify where such tactics are effective and where they fail, highlighting limitations that could expose organizations to undetected adversarial attacks. This analysis is particularly pertinent as regulators increasingly expect robust, validated defenses against sophisticated AI-driven threats.

The findings affect any organization deploying or planning to deploy deception-based cybersecurity measures, especially those in critical infrastructure, finance, healthcare, and technology sectors subject to strict AI safety and data protection regulations like the EU AI Act or NIS2. Compliance teams must recognize that reliance on decoys without understanding their coverage gaps may create false confidence and regulatory exposure. The paper underscores the need for defense-in-depth strategies that do not over-rely on any single technique.

Compliance teams should immediately review their current deception deployments against the paper's mapping to identify blind spots. They should document these limitations in their risk assessments and update their security controls to include complementary detection methods. Furthermore, teams should engage with technical staff to ensure that any AI safety or cybersecurity compliance submissions to regulators accurately reflect the validated effectiveness of their deception measures, avoiding overstatement of capabilities. This analysis should be incorporated into ongoing compliance training and audit preparations.

This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.
