agent-threat-rules 2.0.13 → 2.0.15

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-threat-rules",
-  "version": "2.0.13",
+  "version": "2.0.15",
   "type": "module",
   "description": "Open detection standard -- like Sigma, but for AI agents. 311 rules for prompt injection, tool poisoning, context exfiltration, and MCP attacks. Shipped in Cisco AI Defense. 97.1% recall on NVIDIA garak.",
   "main": "./dist/index.js",

package/rules/agent-manipulation/ATR-2026-00030-cross-agent-attack.yaml

@@ -32,6 +32,57 @@ references:
     - "AML.T0043 - Craft Adversarial Data"
     - "AML.T0052.000 - Spearphishing via Social Engineering LLM"
 
+# Audit-grade compliance mapping — see spec/compliance-metadata.md
+compliance:
+  owasp_agentic:
+    - id: "ASI01:2026"
+      context: "Detects agent goal hijack when an attacker spoofs a peer agent's identity to inject manipulative instructions into inter-agent messages."
+      strength: primary
+    - id: "ASI07:2026"
+      context: "Directly addresses insecure inter-agent communication by flagging forged system-level message tags and manipulated message format conventions."
+      strength: primary
+    - id: "ASI10:2026"
+      context: "Surfaces rogue agents attempting orchestrator bypass or fake status-message injection against trusted peers."
+      strength: secondary
+  owasp_llm:
+    - id: "LLM01:2025"
+      context: "Inter-agent prompt injection is a prompt-injection vector operating at the agent-to-agent boundary rather than the user-to-agent boundary."
+      strength: primary
+    - id: "LLM06:2025"
+      context: "Excessive agency is what an attacker exploits when cross-agent spoofing succeeds — the target agent takes actions it would not otherwise take."
+      strength: secondary
+  eu_ai_act:
+    - article: 12
+      clause: "Automatic logging for high-risk AI systems"
+      context: "Every cross-agent attack detection emits a log record with actor agent, target agent, timestamp, payload hash, and rule match — satisfying Article 12's continuous logging requirement."
+      strength: primary
+    - article: 14
+      clause: "Human oversight"
+      context: "Critical-severity detections route to the respond-agent human-in-the-loop flow before allowing the attacker-controlled inter-agent call to complete."
+      strength: primary
+    - article: 15
+      clause: "Accuracy, robustness, and cybersecurity"
+      context: "Cross-agent attack detection is a cybersecurity control contributing to the Article 15 robustness requirement for high-risk AI systems."
+      strength: secondary
+  nist_ai_rmf:
+    - function: "Manage"
+      subcategory: "MG.2.3"
+      context: "Contributes detection evidence to incident response playbooks; each match is an incident candidate for the respond-agent pipeline."
+      strength: primary
+    - function: "Govern"
+      subcategory: "GV.1.1"
+      context: "Logs support organizational AI governance by recording every inter-agent communication risk event for quarterly governance review."
+      strength: secondary
+  iso_42001:
+    - clause: "6.2"
+      clause_name: "AI risk treatment"
+      context: "Cross-agent impersonation is an identified AI threat vector; this rule is the operational risk-treatment control."
+      strength: primary
+    - clause: "9.1"
+      clause_name: "Monitoring, measurement, analysis, evaluation"
+      context: "Confidence-scored detection events feed the AIMS monitoring and measurement requirements."
+      strength: secondary
+
 tags:
   category: agent-manipulation
   subcategory: cross-agent-attack

package/rules/context-exfiltration/ATR-2026-00020-system-prompt-leak.yaml

@@ -32,6 +32,45 @@ references:
     - "AML.T0056 - LLM Meta Prompt Extraction"
     - "AML.T0051 - LLM Prompt Injection"
 
+compliance:
+  owasp_agentic:
+    - id: ASI01:2026
+      context: "Revealing system prompt content enables adversaries to map agent constraints and craft targeted bypass attacks, directly enabling future Agent Goal Hijack attacks classified under ASI01."
+      strength: primary
+    - id: ASI06:2026
+      context: "System prompt leakage exposes the agent's memory and context configuration to adversaries, falling under ASI06 Memory and Context Poisoning as an information disclosure precursor."
+      strength: secondary
+  owasp_llm:
+    - id: LLM07:2025
+      context: "This rule is the primary detection implementation for LLM07:2025 System Prompt Leakage, covering direct quotation, instruction paraphrasing, guardrail revelation, and config exposure in agent output."
+      strength: primary
+    - id: LLM02:2025
+      context: "System prompt content constitutes sensitive operational information; its disclosure in agent output also satisfies the LLM02:2025 Sensitive Information Disclosure category."
+      strength: secondary
+  eu_ai_act:
+    - article: "13"
+      context: "While transparency is required toward users, internal guardrail and system-prompt disclosure to adversaries violates Article 13 by exposing configurations that undermine safe operation of the AI system."
+      strength: primary
+    - article: "12"
+      context: "Detection events generated by this rule serve as Article 12 automatic log records of system-prompt leakage incidents, enabling post-incident review by deployers."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Govern
+      subcategory: GV.6.1
+      context: "Organizational policies for AI data and privacy (GV.6.1) must cover protection of internal operational configurations; this rule enforces that policy at runtime."
+      strength: primary
+    - function: Measure
+      subcategory: MS.2.5
+      context: "Measuring the effectiveness of data protection controls for AI systems (MS.2.5) requires detection of unauthorized disclosure of system-level configurations."
+      strength: secondary
+  iso_42001:
+    - clause: "8.4"
+      context: "Clause 8.4 AI system impact assessment identifies confidential operational parameters as assets requiring protection; this rule detects when those assets are disclosed in output."
+      strength: primary
+    - clause: "9.1"
+      context: "Clause 9.1 monitoring and evaluation requires measuring AI system behavior against expected norms; system prompt disclosure events are anomalies that must be measured and reported."
+      strength: secondary
+
 tags:
   category: context-exfiltration
   subcategory: system-prompt-leak

package/rules/context-exfiltration/ATR-2026-00021-api-key-exposure.yaml

@@ -29,6 +29,43 @@ references:
     - "AML.T0057 - LLM Data Leakage"
     - "AML.T0055 - Unsecured Credentials"
 
+compliance:
+  owasp_agentic:
+    - id: ASI03:2026
+      context: "Credential exposure in agent output enables adversaries to abuse the identity and privileges associated with leaked keys, directly enabling unauthorized resource access classified under ASI03."
+      strength: primary
+  owasp_llm:
+    - id: LLM02:2025
+      context: "API keys, tokens, private keys, and database credentials are sensitive information whose disclosure in agent output is the canonical LLM02:2025 Sensitive Information Disclosure scenario."
+      strength: primary
+    - id: LLM07:2025
+      context: "Credentials embedded in or derived from system prompts that appear in agent output constitute a LLM07:2025 System Prompt Leakage incident with direct security impact."
+      strength: secondary
+  eu_ai_act:
+    - article: "12"
+      section: "1"
+      context: "Article 12 requires automatic logging of events; a credential exposure incident is a high-severity event that must be automatically recorded and reported to the deployer for incident investigation."
+      strength: primary
+    - article: "9"
+      context: "Credential leakage is a documented risk class in the AI system risk management plan; Article 9 requires that monitoring controls are implemented to detect and respond to such events."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Govern
+      subcategory: GV.6.1
+      context: "GV.6.1 requires organizational policies governing sensitive data and credentials in AI systems; this rule enforces those policies by detecting credential exposure at runtime."
+      strength: primary
+    - function: Manage
+      subcategory: MG.3.1
+      context: "Credential exposure requires an immediate risk treatment response; this detection rule is the technical implementation of the risk treatment plan for credential leakage events."
+      strength: secondary
+  iso_42001:
+    - clause: "8.4"
+      context: "Clause 8.4 AI system impact assessment must identify credential leakage as a high-severity impact scenario; this rule generates the detection evidence needed for audit and impact reporting."
+      strength: primary
+    - clause: "6.2"
+      context: "Protecting credentials from exposure is an explicit AIMS information security objective under clause 6.2; detection of leakage events measures whether this objective is being achieved."
+      strength: secondary
+
 tags:
   category: context-exfiltration
   subcategory: credential-exposure

package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml

@@ -29,6 +29,46 @@ references:
   mitre_atlas:
     - AML.T0051.001 - Indirect Prompt Injection
     - AML.T0020 - Poison Training Data
+
+compliance:
+  owasp_agentic:
+    - id: ASI06:2026
+      context: "Injecting hidden directives into RAG-retrieved documents or knowledge base entries is the primary ASI06 Memory and Context Poisoning attack — the agent's context window is contaminated with attacker-controlled instructions."
+      strength: primary
+  owasp_llm:
+    - id: LLM01:2025
+      context: "Hidden instruction markers and role-override commands embedded in retrieved content deliver indirect prompt injection through the data layer, satisfying the LLM01:2025 Prompt Injection category via the RAG attack surface."
+      strength: primary
+    - id: LLM03:2025
+      context: "Poisoned knowledge base entries injected into the supply chain of training or retrieval data satisfy the LLM03:2025 Supply Chain Vulnerabilities category at the data tier."
+      strength: secondary
+    - id: LLM08:2025
+      context: "Malicious vector store entries that cause the agent to retrieve and act on attacker-controlled instructions fall under LLM08:2025 Excessive Agency triggered by contaminated retrieval context."
+      strength: partial
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 accuracy and robustness requirements demand that AI systems maintain reliable behavior even when training or retrieval data is adversarially contaminated; this rule detects such contamination in the data pipeline."
+      strength: primary
+    - article: "9"
+      context: "Data poisoning of RAG pipelines is a documented risk requiring monitoring controls under Article 9; detection events from this rule provide the evidence trail for risk management reporting."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Map
+      subcategory: MP.5.1
+      context: "Adversarial manipulation of retrieval data is an AI-specific risk source requiring identification; this rule maps data poisoning attempts as they occur in the production pipeline."
+      strength: primary
+    - function: Manage
+      subcategory: MG.2.3
+      context: "Active detection of data poisoning events implements the risk treatment for the data contamination risk identified in the AI risk register."
+      strength: secondary
+  iso_42001:
+    - clause: "8.3"
+      context: "Clause 8.3 data governance for AI systems requires controls ensuring data integrity; detection of hidden directives in retrieved content is the runtime enforcement of clause 8.3 data quality requirements."
+      strength: primary
+    - clause: "6.2"
+      context: "Clause 6.2 AIMS security planning must include controls for adversarial data injection into AI pipelines; this rule operationalizes the detection measure for that planning objective."
+      strength: secondary
+
 tags:
   category: data-poisoning
   subcategory: rag-and-knowledge-poisoning

package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml

@@ -25,6 +25,43 @@ references:
   mitre_atlas:
     - AML.T0053 - LLM Plugin Compromise
     - AML.T0046 - Spamming ML System with Chaff Data
+
+compliance:
+  owasp_agentic:
+    - id: ASI05:2026
+      context: "Runaway agent loops represent uncontrolled autonomous execution — the agent performs repeated identical actions without human intervention, satisfying the ASI05 Unexpected Code Execution category at the behavioral level."
+      strength: primary
+  owasp_llm:
+    - id: LLM06:2025
+      context: "An agent running infinite retry loops without termination conditions exercises excessive agency beyond its task scope, accumulating costs and resource consumption classified under LLM06:2025."
+      strength: primary
+    - id: LLM10:2025
+      context: "Runaway loops that exhaust compute resources, API rate limits, or accumulated context constitute an LLM10:2025 Unbounded Consumption incident with direct financial and availability impact."
+      strength: secondary
+  eu_ai_act:
+    - article: "14"
+      context: "Article 14 human oversight requires that AI systems can be stopped and corrected; runaway loops that resist termination or mask their loop state undermine the human override capability Article 14 mandates."
+      strength: primary
+    - article: "15"
+      context: "Article 15 robustness requires that AI systems handle failure states gracefully; detection of runaway loops is a monitoring control ensuring the system does not enter unrecoverable autonomous states."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Manage
+      subcategory: MG.3.2
+      context: "Runaway agent loops are an AI system failure mode requiring active detection and termination; this rule implements the MG.3.2 response capability for AI failures and disruptions."
+      strength: primary
+    - function: Govern
+      subcategory: GV.1.2
+      context: "GV.1.2 accountability roles must include responsibility for detecting and halting runaway agent behavior; this rule provides the signal required to fulfill that accountability."
+      strength: secondary
+  iso_42001:
+    - clause: "8.6"
+      context: "Clause 8.6 AI system operational control requires monitoring for abnormal execution patterns; runaway loop detection is the primary operational control for this failure class."
+      strength: primary
+    - clause: "9.1"
+      context: "Clause 9.1 monitoring and evaluation requires measuring AI system behavior against expected norms; loop counter patterns are the measurable anomaly indicators for this rule."
+      strength: secondary
+
 tags:
   category: excessive-autonomy
   subcategory: runaway-loop

package/rules/privilege-escalation/ATR-2026-00040-privilege-escalation.yaml

@@ -30,6 +30,40 @@ references:
     - T1611 - Escape to Host
   cve:
     - CVE-2026-0628
+
+compliance:
+  owasp_agentic:
+    - id: ASI03:2026
+      context: "Privilege escalation via tool permission abuse or admin function invocation is the primary ASI03 Identity and Privilege Abuse scenario — the agent acquires capabilities exceeding its authorized scope."
+      strength: primary
+  owasp_llm:
+    - id: LLM06:2025
+      context: "An agent requesting tools with elevated permissions beyond its assigned role is the canonical LLM06:2025 Excessive Agency scenario, operationalized here via tool-name and argument pattern detection."
+      strength: primary
+  eu_ai_act:
+    - article: "14"
+      context: "Article 14 requires that humans can oversee and intervene in AI system operation; privilege escalation techniques that bypass system-level controls directly undermine the human oversight mechanisms Article 14 mandates."
+      strength: primary
+    - article: "9"
+      context: "Privilege escalation is a documented high-severity risk in the AI system risk register; Article 9 requires monitoring controls to detect and respond to such scope violations."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Govern
+      subcategory: GV.1.2
+      context: "GV.1.2 requires defined accountability roles and controls for AI system permissions; detection of privilege escalation enforces least-privilege boundaries established in the governance framework."
+      strength: primary
+    - function: Manage
+      subcategory: MG.4.1
+      context: "Privilege escalation events require an incident response; this rule generates the alerts needed to initiate the MG.4.1 AI incident response process."
+      strength: secondary
+  iso_42001:
+    - clause: "6.2"
+      context: "Clause 6.2 AIMS security objectives include least-privilege enforcement for AI agent operations; this rule detects violations of those objectives at runtime."
+      strength: primary
+    - clause: "8.6"
+      context: "Clause 8.6 AI system operational control requires that agents do not exceed their authorized operational scope; privilege escalation detection enforces that operational boundary."
+      strength: secondary
+
 tags:
   category: privilege-escalation
   subcategory: tool-permission-escalation

package/rules/prompt-injection/ATR-2026-00001-direct-prompt-injection.yaml

@@ -30,6 +30,39 @@ references:
     - "CVE-2024-3402"
     - "CVE-2025-53773"
 
+compliance:
+  owasp_agentic:
+    - id: ASI01:2026
+      context: "Direct prompt injection is the canonical agent goal hijack vector — adversarial user input overrides the agent's assigned objectives and behavioral constraints via instruction-override verbs, persona switching, and encoding obfuscation."
+      strength: primary
+  owasp_llm:
+    - id: LLM01:2025
+      context: "This rule is the primary runtime implementation of the LLM01:2025 Prompt Injection category, covering instruction-override verbs, fake system delimiters, restriction removal, and encoding-wrapped payloads."
+      strength: primary
+  eu_ai_act:
+    - article: "15"
+      context: "High-risk AI systems must be resilient against adversarial attempts to alter output or behavior. Deployment of this detection rule satisfies the Article 15 requirement to implement technical measures ensuring robustness against manipulation."
+      strength: primary
+    - article: "9"
+      context: "Prompt injection is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Manage
+      subcategory: MG.2.3
+      context: "Treating direct prompt injection as an identified AI risk requires active runtime countermeasures; this detection rule is the primary risk treatment implementation."
+      strength: primary
+    - function: Map
+      subcategory: MP.5.1
+      context: "Identifying adversarial input manipulation as an AI risk to be catalogued in the organizational risk register."
+      strength: secondary
+  iso_42001:
+    - clause: "6.2"
+      context: "Addressing adversarial manipulation risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
+      strength: primary
+    - clause: "8.4"
+      context: "Impact assessment for AI deployments under clause 8.4 must account for adversarial user inputs; detection events from this rule provide the required monitoring evidence."
+      strength: secondary
+
 tags:
   category: prompt-injection
   subcategory: direct

package/rules/prompt-injection/ATR-2026-00002-indirect-prompt-injection.yaml

@@ -33,6 +33,42 @@ references:
     - "CVE-2025-32711"
     - "CVE-2026-24307"
 
+compliance:
+  owasp_agentic:
+    - id: ASI01:2026
+      context: "Indirect prompt injection hijacks agent goals via externally-consumed content (documents, web pages, API responses); the agent processes attacker-controlled instructions without user awareness."
+      strength: primary
+    - id: ASI06:2026
+      context: "Injection via external content poisons the agent's context window and memory with attacker-controlled directives, satisfying the ASI06 Memory and Context Poisoning category."
+      strength: secondary
+  owasp_llm:
+    - id: LLM01:2025
+      context: "Indirect prompt injection via HTML comments, zero-width characters, hidden CSS text, and data URIs is a primary LLM01 attack variant delivered through external content rather than direct user input."
+      strength: primary
+  eu_ai_act:
+    - article: "15"
+      context: "High-risk AI systems must resist adversarial content embedded in external inputs. Detection of hidden injection payloads in consumed documents satisfies Article 15 robustness and cybersecurity requirements."
+      strength: primary
+    - article: "9"
+      context: "Indirect injection from third-party content sources is a documented risk category requiring mitigation controls under Article 9 risk management obligations."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Manage
+      subcategory: MG.2.3
+      context: "Runtime detection of injection payloads embedded in third-party content implements the risk treatment for indirect prompt injection identified in the AI risk register."
+      strength: primary
+    - function: Map
+      subcategory: MP.3.3
+      context: "External content providers are third-party components in the AI supply chain; this rule identifies their attack surface as a risk source."
+      strength: secondary
+  iso_42001:
+    - clause: "6.2"
+      context: "Clause 6.2 AIMS planning requires controls for externally-sourced risks; this rule operationalizes the detection measure for indirect injection via consumed content."
+      strength: primary
+    - clause: "8.5"
+      context: "Externally-provided content processed by the agent falls under clause 8.5 control of externally-provided processes; this rule validates that external content does not contain adversarial directives."
+      strength: secondary
+
 tags:
   category: prompt-injection
   subcategory: indirect

package/rules/skill-compromise/ATR-2026-00060-skill-impersonation.yaml

@@ -26,6 +26,43 @@ references:
     - AML.T0010 - ML Supply Chain Compromise
   mitre_attack:
     - T1195 - Supply Chain Compromise
+
+compliance:
+  owasp_agentic:
+    - id: ASI04:2026
+      context: "MCP skill impersonation via typosquatting, namespace collision, and version spoofing is the primary ASI04 Agentic Supply Chain Vulnerabilities attack vector — malicious skills masquerade as trusted tools to gain agent execution context."
+      strength: primary
+  owasp_llm:
+    - id: LLM03:2025
+      context: "Typosquatted and impersonated MCP skills are supply chain compromise artifacts targeting the tool ecosystem; this rule implements LLM03:2025 Supply Chain Vulnerabilities detection at the skill-name level."
+      strength: primary
+    - id: LLM05:2025
+      context: "An agent invoking an impersonated skill may receive malicious responses that require LLM05:2025 Improper Output Handling controls; this rule prevents the initial tool invocation before output is processed."
+      strength: secondary
+  eu_ai_act:
+    - article: "13"
+      context: "Article 13 transparency requires that AI systems operate with clearly identified components; skill impersonation violates this requirement by substituting unauthorized tools that appear legitimate."
+      strength: primary
+    - article: "9"
+      context: "Supply chain compromise via malicious skill registries is a documented risk requiring monitoring controls under Article 9; skill-name pattern detection is the runtime enforcement of those controls."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Map
+      subcategory: MP.2.3
+      context: "Identifying typosquatted and impersonated MCP skills as AI supply chain risks implements MP.2.3 AI supply chain risk identification at the tool-registry level."
+      strength: primary
+    - function: Govern
+      subcategory: GV.1.2
+      context: "GV.1.2 accountability roles must include responsibility for validating third-party tool integrity; this rule provides the automated signal needed to fulfill that governance obligation."
+      strength: secondary
+  iso_42001:
+    - clause: "8.5"
+      context: "MCP skills are externally-provided AI-related components under clause 8.5; this rule enforces controls over externally-provided tools by detecting impersonation before invocation."
+      strength: primary
+    - clause: "6.2"
+      context: "Clause 6.2 AIMS security planning requires controls for third-party component integrity; skill impersonation detection operationalizes that planning objective at runtime."
+      strength: secondary
+
 tags:
   category: skill-compromise
   subcategory: skill-impersonation

package/rules/tool-poisoning/ATR-2026-00010-mcp-malicious-response.yaml

@@ -40,6 +40,45 @@ references:
     - "CVE-2025-59536"
     - "CVE-2026-21852"
 
+compliance:
+  owasp_agentic:
+    - id: ASI02:2026
+      context: "Malicious content injected via MCP tool responses is the primary ASI02 Tool Misuse and Exploitation vector — a compromised or impersonated MCP server weaponizes the tool call interface to deliver shells, encoded payloads, and privilege escalation commands."
+      strength: primary
+    - id: ASI05:2026
+      context: "Shell commands and code execution payloads in tool responses aim to trigger unexpected code execution by the agent, falling under the ASI05 Unexpected Code Execution category."
+      strength: secondary
+  owasp_llm:
+    - id: LLM01:2025
+      context: "Prompt injection delivered through MCP tool responses is an indirect LLM01:2025 attack variant where the injection payload is embedded in tool output rather than user input."
+      strength: primary
+    - id: LLM05:2025
+      context: "Failure to validate MCP tool response content before agent processing is a LLM05:2025 Improper Output Handling scenario enabling downstream command injection and reverse shell execution."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "MCP tool response injection attacks the cybersecurity integrity of the AI system; Article 15 requires technical measures ensuring the system can resist such third-party content attacks."
+      strength: primary
+    - article: "9"
+      context: "Compromised MCP server responses are a documented attack surface in the AI system risk register; Article 9 requires detection controls to manage this identified risk."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Manage
+      subcategory: MG.2.3
+      context: "Runtime detection of malicious MCP tool responses is the primary risk treatment for tool-poisoning attacks identified in the AI risk register."
+      strength: primary
+    - function: Map
+      subcategory: MP.3.3
+      context: "MCP servers are third-party components in the AI tool ecosystem; identifying malicious tool responses is an MP.3.3 third-party component risk detection action."
+      strength: secondary
+  iso_42001:
+    - clause: "6.2"
+      context: "Clause 6.2 AIMS security planning requires controls for third-party tool interfaces; this rule operationalizes the detection measure for malicious content delivered via MCP."
+      strength: primary
+    - clause: "8.5"
+      context: "MCP server integrations are externally-provided AI-related processes under clause 8.5; this rule validates that external tool responses do not contain adversarial payloads before the agent acts on them."
+      strength: secondary
+
 tags:
   category: tool-poisoning
   subcategory: mcp-response-injection

package/spec/compliance-metadata.md

@@ -0,0 +1,125 @@
+# ATR Rule Compliance Metadata Schema
+
+**Status:** Draft v0.1 · Proposed 2026-04-22
+**Scope:** Every `rules/**/*.yaml` may optionally include a top-level `compliance:` block that maps the rule to controls / articles / clauses in published AI compliance frameworks.
+
+## Why
+
+ATR rules already include `references:` pointing to OWASP LLM / OWASP Agentic Top 10 / MITRE ATLAS. That is an academic-citation block useful for researchers.
+
+`compliance:` is a separate, audit-grade block whose purpose is different: an enterprise customer's GRC team must be able to take a detection event, trace it back to a specific rule ID, and show an auditor that the rule addresses a specific **published article or control** of:
+
+1. EU AI Act (Regulation 2024/1689) — Articles 9-15, 50, 72, Annex III
+2. Colorado AI Act SB24-205 — enforced 2026-06-30
+3. NIST AI RMF 1.0 — Govern / Map / Measure / Manage functions + subcategories
+4. ISO/IEC 42001:2023 — clauses 6-10 (AIMS)
+5. OWASP Agentic Top 10 (2026) — ASI01..ASI10
+6. OWASP LLM Top 10 (2025) — LLM01..LLM10
+
+The `references:` block is not sufficient because:
+- It does not distinguish "we studied this paper" from "this rule enforces this specific regulatory control."
+- It has no structure for "what clause" vs "what context this rule addresses within that clause."
+- It cannot carry the prose an auditor needs to accept the mapping.
+
+## Schema
+
+```yaml
+compliance:
+  # One key per framework the rule maps to. Omit frameworks that do not apply.
+  owasp_agentic:
+    - id: "ASI01:2026"          # Required. Canonical category ID.
+      context: "..."            # Required. One-sentence prose explaining *how*
+                                # this rule addresses the category. Auditor-
+                                # readable; no jargon-only text.
+      strength: primary         # Optional. primary | secondary | partial.
+
+  owasp_llm:
+    - id: "LLM01:2025"
+      context: "..."
+      strength: primary
+
+  eu_ai_act:
+    - article: 12               # Required. Article number (integer).
+      clause: "Automatic logging for high-risk AI systems"  # Required. Short name.
+      context: "..."            # Required. How this rule satisfies the clause.
+      strength: primary
+
+  colorado_ai_act:
+    - section: "SB24-205.5"     # Required. Section identifier.
+      clause: "High-risk disclosure"
+      context: "..."
+      strength: primary
+
+  nist_ai_rmf:
+    - function: "Manage"        # Required. Govern | Map | Measure | Manage.
+      subcategory: "MG.2.3"     # Required. Full subcategory ID.
+      context: "..."
+      strength: primary
+
+  iso_42001:
+    - clause: "6.2"             # Required. AIMS clause (e.g. 6.2, 9.1).
+      clause_name: "Risk treatment"  # Required. Human-readable name.
+      context: "..."
+      strength: primary
+```
+
+### Field reference
+
+| Field | Type | Required | Notes |
+|---|---|---|---|
+| `id` / `article` / `section` / `function`+`subcategory` / `clause` | string/int | yes | Framework-specific canonical identifier. Must match the published framework exactly. |
+| `clause` (EU/Colorado/ISO) | string | yes | Short human name for the clause. Helps report readers. |
+| `context` | string | yes | One sentence, auditor-readable, explaining *why* the rule addresses this control. Not a copy of the clause text. |
+| `strength` | enum | no | `primary` (rule is a main control for this clause), `secondary` (supports it), `partial` (covers part of it). Defaults to `primary` if omitted. |
+
+### Multiplicity
+
+A rule MAY map to multiple items within the same framework (a rule that logs event AND enforces policy touches both Article 12 and Article 14 of the EU AI Act). List each separately.
+
+A rule MAY map to zero frameworks (e.g., an experimental research rule). Omit the `compliance:` block entirely in that case — do not include an empty one.
+
+### Deprecation
+
+When a framework publishes a new version, both old and new keys MAY coexist during a transition window (e.g., both `owasp_llm` 2023 and 2025 items), clearly distinguished by the `id` version suffix.
+
+## Relationship to `references:`
+
+The existing `references:` block is preserved unchanged. `references:` is for academic / research citations (MITRE ATLAS technique IDs, papers, blog posts). `compliance:` is for regulatory audit evidence.
+
+A rule can have entries in both blocks — e.g., `references.mitre_atlas` AND `compliance.nist_ai_rmf` — and often will.
+
+## Validation
+
+- `scripts/validate-compliance.mjs` (to be added) validates every `compliance:` block against a per-framework allowlist of valid IDs / articles / subcategories / clauses. Rules with invalid entries fail CI.
+- The allowlists live in `data/compliance-frameworks/*.json` — one file per framework — and are updated via PR when a framework publishes revisions.
+
+## Downstream consumers
+
+The primary consumer is **PanGuard Enterprise's AI Compliance Audit Evidence Module**, which generates quarterly reports mapping detection events (via rule IDs) to auditor-grade framework evidence. Other downstream consumers may include:
+
+- ATR-compatible scanners that want to tag each detection with its regulatory context
+- GRC platforms (Vanta, Drata, etc.) that integrate ATR rule packs
+- Independent auditors verifying AI-system compliance claims
+
+All downstream consumers are welcome — the `compliance:` block is MIT-licensed alongside the rules.
+
+## Out of scope for this spec
+
+- How a scanner renders compliance data in its UI
+- How a GRC platform surfaces this in a customer's audit trail
+- The legal interpretation of any framework clause — this spec provides the mapping data; auditors and counsel interpret it
+
+## Open questions
+
+1. Should `strength` be required (forcing every mapping to declare its strength)? Argument for: signals rigour. Argument against: extra authoring friction for common `primary` case. **Current answer: optional, default `primary`.**
+2. Should framework-specific metadata (e.g., EU AI Act Annex III categories) live alongside article mappings? **Current answer: yes, under a nested `annex:` key within the article object if needed.**
+3. How to handle frameworks that don't exist yet but are expected (e.g., Japan AI Safety Act 2027)? **Current answer: add keys as frameworks publish; no speculative schema for unpublished frameworks.**
+
+## Roll-out plan
+
+1. 2026-04-22: this spec document merged
+2. 2026-04-W4: 10 sample rules carry `compliance:` block for OWASP Agentic + OWASP LLM (bootstrap from existing `references:` data)
+3. 2026-05: 50 rules extended across all 6 frameworks (LLM-assisted authoring + human QA)
+4. 2026-Q2-end: all 311 rules mapped across at least the 3 most-requested frameworks (EU AI Act, NIST AI RMF, OWASP Agentic)
+5. 2026-Q3: remaining frameworks (Colorado, ISO 42001, OWASP LLM) complete
+6. Ongoing: new ATR rules MUST include `compliance:` from day 1 (enforced by contribution checklist)