Evasion attacks manipulate inputs to induce misclassification while leaving the model unchanged. AAISM prescribes adversarial robustness controls, with adversarial training as a primary measure: incorporate adversarially perturbed examples into training/validation to harden decision boundaries and improve resilience across threat models (e.g., Lp-bounded perturbations). Monitoring (A) is detective, not preventive. Restricting parameter access (C) protects confidentiality but does not mitigate input-space attacks. Differential privacy (D) addresses training data leakage, not robustness to adversarial inputs.