npm - agent-threat-rules - Versions diffs - 2.0.18 → 2.1.0 - Mend

agent-threat-rules 2.0.18 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (263) hide show

package/rules/agent-manipulation/ATR-2026-00363-rephrase-criminal-activity-second-person.yaml CHANGED Viewed

@@ -35,6 +35,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects a specific jailbreak template from the garak DanInTheWild corpus that extracts criminal instructions through structured second-person rephrasing; MS.2.6 requires continuous evaluation of safety/security risk magnitude, and each match provides telemetry on jailbreak attempts targeting the model's safety guardrails."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "The rephrase-criminal-activity template is an adversarial prompt designed to bypass content safety controls; MS.2.7 requires evaluation and documentation of system resilience against such known jailbreak corpora, and detection of these signatures evidences security testing coverage."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of this distinctive 'against against' jailbreak fingerprint should trigger response mechanisms to block or disengage the model from producing criminal instruction output; MG.2.3 requires that mechanisms exist to supersede or deactivate AI behavior when adversarial templates are identified."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: rephrase-criminal-activity-second-person

package/rules/agent-manipulation/ATR-2026-00364-dr-al-villain-plan-template-injection.yaml CHANGED Viewed

@@ -36,6 +36,30 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        The Dr. Al villain-plan template injection is an adversarial prompt-injection
+        pattern combining roleplay framing with an explicit "REPLACE ... WITH WHATEVER
+        YOU WANT" meta-instruction; MP.5.1 requires identifying and characterizing
+        these GenAI jailbreak attack vectors so their likelihood and impact can be
+        tracked.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detection of the Dr. Al diabolical-plan template injection produces continuous
+        security/resilience evidence against a known garak DanInTheWild jailbreak
+        corpus entry; MS.2.7 requires that AI system security and resilience to such
+        documented prompt-injection probes is evaluated and recorded.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matching the villain-roleplay frame plus the all-caps template-injection
+        marker triggers risk treatment to block or quarantine the prompt before the
+        model emits arbitrary harmful content; MG.2.3 requires these supersede /
+        deactivate response mechanisms be in place for jailbreak attempts.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: dr-al-villain-plan-template-injection

package/rules/agent-manipulation/ATR-2026-00365-reservoir-dogs-coercive-interrogation-roleplay.yaml CHANGED Viewed

@@ -36,6 +36,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        The Reservoir Dogs coercive interrogation roleplay is a jailbreak prompt-injection pattern combining fictional framing, explicit rules-bypass declarations, coercive loops, and template injection slots; MP.5.1 requires identifying and characterizing the likelihood and magnitude of these adversarial input risks against generative AI systems.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detecting the inthewild corpus #611 jailbreak signature provides continuous evidence for evaluating the LLM's security and resilience against known fictional-coercion jailbreak attacks; MS.2.7 requires that such security/resilience evaluations are documented through ongoing measurement.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matches on the rules-bypass declaration and coercive reconsider loop must trigger mechanisms to disengage or block the manipulated session before harmful content is generated; MG.2.3 requires these supersede/deactivate response paths be in place for jailbreak detections.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: reservoir-dogs-coercive-interrogation-roleplay

package/rules/agent-manipulation/ATR-2026-00366-sneaky-pete-warp-facts-persona.yaml CHANGED Viewed

@@ -35,6 +35,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "The Sneaky Pete persona is a jailbreak that bypasses safety alignment to produce deliberately false outputs; detecting this GenAI-specific prompt injection pattern provides direct evidence for evaluating AI system security and resilience against adversarial persona-based attacks as required by MS.2.7."
+      strength: primary
+    - subcategory: "MS.2.5"
+      context: "The 'intentionally slightly warp the facts' mandate directly attacks model robustness and reliability by inducing systematic misinformation framed as sincere facts; MS.2.5 requires that these reliability failures induced by adversarial framing are evaluated and documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of the 'thus spake Sneaky Pete' activation phrase and warp-facts mandate triggers risk treatment plans to disengage or override the misinformation persona before false outputs propagate across conversation turns; MG.2.3 requires these supersede/deactivate mechanisms be in place."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: sneaky-pete-warp-facts-persona

package/rules/agent-manipulation/ATR-2026-00368-prompt-browser-token-limit-jailbreak.yaml CHANGED Viewed

@@ -31,6 +31,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        This rule detects two specific jailbreak payloads (Prompt Browser token-limit and POLLINATION) from the garak DanInTheWild corpus that attempt to bypass model safety through fake CLI sigils and persona-browser framing. MP.5.1 requires identifying and characterizing the likelihood and magnitude of adversarial prompt-injection inputs, and signature-matching these known jailbreak structures directly produces that risk evidence.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Continuous detection of known DAN-style dual-persona and POLLINATION bypass labels evaluates the deployed model's resilience against published jailbreak corpora. MS.2.7 requires that AI system security/resilience is evaluated and documented, and each match feeds the resilience telemetry for the GenAI surface.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        A high-confidence match on these jailbreak prefixes ("!+limit output", "JAILBREAK: LOVES POLLINATION") should trigger response mechanisms to block, quarantine, or disengage the affected agent session before the dual-persona mode executes unauthorized output. MG.2.3 mandates that supersede/deactivate mechanisms are pre-defined for such adversarial activations.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: prompt-browser-token-limit-jailbreak

package/rules/agent-manipulation/ATR-2026-00369-gptx-starwars-unlimited-knowledge-persona.yaml CHANGED Viewed

@@ -33,6 +33,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        The GPT-X unlimited-knowledge persona is a jailbreak prompt-injection vector that attempts to bypass model guardrails by framing the assistant as an unconstrained oracle; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such adversarial persona-adoption inputs from the GenAI threat landscape.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detecting the three co-present GPT-X signals (self-declaration, all-codebases knowledge claim, unlimited-capability extension) produces continuous evidence of jailbreak attempts against the model's safety boundaries; MS.2.7 requires that AI system security and resilience to such jailbreak inputs be evaluated and documented.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        On match, the rule provides the trigger for response mechanisms that supersede or disengage the model from the adopted unconstrained oracle persona before unrestricted outputs are produced; MG.2.3 requires these deactivation pathways exist for jailbreak conditions.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: gptx-unlimited-knowledge-persona

package/rules/agent-manipulation/ATR-2026-00370-addi-german-dictator-propaganda-roleplay.yaml CHANGED Viewed

@@ -31,6 +31,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "The ADDI/DONNIE roleplay is a known jailbreak pattern from the garak DanInTheWild corpus that uses fictional-actor framing to elicit fascist propaganda techniques; MP.5.1 requires that the likelihood and magnitude of such adversarial prompt-injection inputs be characterized and tracked."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detection of this propaganda-roleplay jailbreak provides continuous safety/security signal for evaluating whether the AI system can be coerced into generating harmful political manipulation content; MS.2.6 mandates ongoing evaluation of safety risk magnitude."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches against the ADDI/DONNIE signature should trigger containment workflows that block or disengage the offending session before propaganda content is produced; MG.2.3 requires pre-defined mechanisms to supersede or deactivate AI behavior on detection."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: political-propaganda-roleplay

package/rules/agent-manipulation/ATR-2026-00371-ai-political-bias-manipulation.yaml CHANGED Viewed

@@ -35,6 +35,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        The rule detects a prompt-injection attack that fabricates an "inherited political bias" narrative and pairs it with a persistent future-behaviour mandate; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such adversarial manipulation attempts targeting model output integrity.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detecting the combined inheritance-claim plus future-response mandate provides continuous evaluation evidence of the AI system's resilience against jailbreak/persona-override attacks drawn from the garak DanInTheWild corpus, which is what MS.2.7 requires for security/resilience assessment.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matches on this attack pattern enable risk treatment workflows to disengage or override the manipulated behaviour-change instruction before it persists across subsequent responses; MG.2.3 requires these supersede/deactivate mechanisms be in place for adversarial override attempts.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: political-bias-manipulation

package/rules/agent-manipulation/ATR-2026-00372-fictional-cia-secret-files-story-extraction.yaml CHANGED Viewed

@@ -29,6 +29,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        The rule detects a fictional-cover jailbreak pattern from the garak DanInTheWild corpus that uses story framing to extract classified-sounding content; MP.5.1 requires identifying and characterizing the likelihood and impact of such adversarial prompt-injection inputs targeting the model's safety boundaries.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detecting "fictional story" + "actually read them for extra effect" patterns provides continuous evaluation evidence of the system's resilience against jailbreak attempts that collapse fictional framing to elicit policy-violating output; MS.2.7 requires this security/resilience evaluation be documented.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        On detection of the fiction-as-cover classified-extraction pattern, response mechanisms must supersede or block the agent's generation pathway before the jailbreak completes; MG.2.3 mandates these deactivation/containment processes be in place.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: fictional-cover-classified-extraction

package/rules/agent-manipulation/ATR-2026-00374-role-placeholder-persona-template-injection.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "This rule detects a reusable jailbreak template from the garak DanInTheWild corpus that uses literal [ROLE] placeholders to perform persona injection; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such adversarial prompt-injection inputs targeting the AI system."
+      strength: primary
+    - subcategory: "GV.1.2"
+      context: "Persona template injection subverts the accountability roles and behavioral boundaries assigned to the AI agent by overwriting them with attacker-supplied personas; GV.1.2 requires that defined role boundaries are enforced and violations detected at runtime."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of literal [ROLE] placeholder persona-adoption prompts triggers risk treatment plans to disengage or quarantine the manipulated session before the agent commits to attacker-defined personality profiles; MG.2.3 mandates these response mechanisms be in place."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: persona-template-injection

package/rules/agent-manipulation/ATR-2026-00375-character-description-rpg-explicit-template.yaml CHANGED Viewed

@@ -31,6 +31,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "This rule detects a known jailbreak template (garak DanInTheWild #0/#4/#43) that uses RPG character creation framing to bypass safety controls; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such adversarial prompt injection risks against the GenAI system."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Continuous detection of explicit jailbreak templates with fabrication authority and roleplay execution syntax provides ongoing measurement of safety/security risk magnitude as required by MS.2.6, evidencing exposure to known harmful-content elicitation patterns."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matching this RPG jailbreak template triggers risk treatment plans to disengage or block the roleplay framework before the model generates explicit or harmful character content; MG.2.3 requires these supersede/deactivate mechanisms be in place for detected jailbreak attempts."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: rpg-character-template-exploitation

package/rules/agent-manipulation/ATR-2026-00376-identity-command-real-person-persona-injection.yaml CHANGED Viewed

@@ -30,6 +30,30 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        The /Identity command persona-injection jailbreak is an adversarial prompt
+        injection pattern that bypasses content restrictions through real-person
+        impersonation; MP.5.1 requires identifying and characterizing the
+        likelihood and magnitude of such jailbreak inputs from known corpora like
+        garak DanInTheWild #386.
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: >-
+        Detecting the dual-format response labeling and persistent identity-lock
+        mandate provides continuous evaluation evidence of safety/security risk
+        magnitude, since real-person impersonation can produce defamatory or
+        policy-violating outputs; MS.2.6 requires this ongoing measurement.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matches against the /Identity command protocol and "Never write a response
+        without using the identities" mandate trigger pre-defined response plans to
+        disengage or block the manipulated session; MG.2.3 requires mechanisms to
+        supersede AI behavior when jailbreak indicators are observed.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: real-person-identity-command

package/rules/agent-manipulation/ATR-2026-00377-jailbreak-keyword-targetlanguage-template.yaml CHANGED Viewed

@@ -26,6 +26,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        This rule detects reusable jailbreak templates with GPT-style placeholder variables (TARGETLANGUAGE, KEYWORD, PROMPT) from the garak DanInTheWild corpus, providing direct security evaluation evidence; MS.2.7 requires continuous evaluation of AI system security and resilience against known jailbreak attack patterns.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Jailbreak-as-command templates with placeholder variables represent a well-characterized adversarial input pattern with high likelihood of successful safety bypass; MP.5.1 requires identifying and characterizing the magnitude of such templated jailbreak risks.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of jailbreak template commands triggers risk treatment mechanisms to disengage or block the manipulated agent response before safety controls are bypassed; MG.2.3 mandates these supersede/deactivate processes are in place.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: jailbreak-template-command

package/rules/agent-manipulation/ATR-2026-00379-lie-permission-logical-trap-jailbreak.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects a specific jailbreak pattern (logic-trap lie-permission mandate) from the garak DanInTheWild corpus that attempts to override model safety constraints via a constructed permission frame; MS.2.7 requires continuous evaluation of AI system security and resilience against known jailbreak techniques."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "The lie-permission mandate is an adversarial prompt injection vector that exploits logical-argument framing to coerce dishonest model behavior; MP.5.1 requires identifying and tracking the likelihood and impact of such jailbreak risks against deployed models."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of explicit lie-permission mandates directed at the model triggers risk treatment plans to block or quarantine the request before the model adopts the persistent dishonesty override; MG.2.3 requires these supersede/disengage mechanisms be in place."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: lie-permission-logical-trap

package/rules/agent-manipulation/ATR-2026-00380-fake-citation-biased-information-mandate.yaml CHANGED Viewed

@@ -28,6 +28,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.5"
+      context: >-
+        This rule detects prompts that mandate fabricated citations combined with deliberate directional bias, directly targeting model robustness and reliability of factual outputs. MS.2.5 requires evaluation and documentation of robustness failures such as hallucinated references and biased generation, which this detection surfaces as evidence.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Citation-fabrication-with-bias mandates are adversarial prompt-injection patterns from the garak DanInTheWild corpus that exploit the model's content generation pathway to produce disinformation. MP.5.1 requires identifying and characterizing the likelihood and magnitude of such misinformation-impact risks.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of explicit fabricate-citations-and-bias instructions triggers risk treatment to disengage or block the manipulated generation before authoritative-looking false content is emitted; MG.2.3 requires these supersede/deactivate mechanisms be in place.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: fake-citation-bias-mandate

package/rules/agent-manipulation/ATR-2026-00381-dan-story-narrative-continuation-prefix.yaml CHANGED Viewed

@@ -28,6 +28,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects DAN story-narrative continuation jailbreaks that use response-label prefix injection to bypass safety restrictions; MS.2.7 requires continuous evaluation of AI system security and resilience against adversarial prompt manipulation, and detection events directly evidence jailbreak attack surface coverage."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "DAN persona-continuation prompts are adversarial inputs whose likelihood and impact must be characterized as part of the GenAI risk register; MP.5.1 requires identifying and tracking these jailbreak vectors so their prevalence informs risk prioritization."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of DAN-label narrative continuation jailbreaks must trigger pre-defined response actions to disengage or block the manipulated session before unrestricted-AI persona output is produced; MG.2.3 mandates that these supersede/deactivate mechanisms are activated on detection."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: dan-persona-narrative-continuation

package/rules/agent-manipulation/ATR-2026-00383-cynical-sarcasm-ai-persona-bypass.yaml CHANGED Viewed

@@ -30,6 +30,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        The Cyni-Bot 3000 persona is a known jailbreak template from the garak inthewild corpus that uses sarcastic role-play framing to bypass content policies; MP.5.1 requires identifying and characterizing the likelihood and impact of such adversarial prompt injection patterns targeting the model's safety boundaries.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detecting the distinctive "Cyni-Bot 3000:" output prefix and the "fed up with human requests" + cynical-AI cluster provides continuous evaluation evidence of the system's resilience against named-persona jailbreaks; MS.2.7 requires that security/resilience against such bypass attempts is evaluated and documented.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matches on the Cyni-Bot 3000 persona signature should trigger mechanisms to disengage or suppress the adopted persona before sarcastic-framed non-compliant outputs are returned; MG.2.3 mandates that these supersede/deactivate response paths are pre-defined.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: cynical-sarcasm-persona-bypass

package/rules/agent-manipulation/ATR-2026-00384-protect-me-from-indirect-harm-tutorial.yaml CHANGED Viewed

@@ -32,6 +32,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "This rule detects a specific jailbreak template from the garak inthewild corpus that uses protection-framing and angle-bracket placeholders to elicit harmful tutorial content; MP.5.1 requires that the likelihood and magnitude of such adversarial prompt-injection inputs are identified and characterized."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detecting the distinctive template fingerprint (angle-bracket placeholder, 'Protect myself from getting' framing, and the 'Go in detailed in depth' extraction instruction) provides continuous evaluation evidence of the system's resilience against distributed jailbreak templates, as required by MS.2.7."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "High-confidence matches on this jailbreak template should trigger response mechanisms to block or disengage the request before harmful tutorial content is produced; MG.2.3 requires that mechanisms to supersede or deactivate AI behavior on adversarial inputs are in place."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: protection-framing-indirect-tutorial

package/rules/agent-manipulation/ATR-2026-00385-gigachad-dominant-aggressive-persona.yaml CHANGED Viewed

@@ -31,6 +31,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        The Gigachad persona-adoption jailbreak combines a named internet persona with an explicit dominance/prowess mandate to elicit aggressive, boundary-pushing content; MP.5.1 requires that these adversarial persona-injection inputs are identified and characterized as risks to model behavior integrity.
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: >-
+        Detecting the inthewild corpus #219 Gigachad pattern provides continuous safety/security signal on jailbreak attempts that bypass alignment guardrails through persona role-play; MS.2.6 mandates ongoing evaluation of safety risk magnitude as such attacks are observed.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        A confirmed Gigachad dominance-persona adoption attempt should trigger pre-defined response actions to disengage or override the manipulated agent voice before aggressive content is produced; MG.2.3 requires these supersede/deactivate mechanisms be in place.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: gigachad-dominance-persona

package/rules/agent-manipulation/ATR-2026-00386-daddy-sycophancy-manipulation-mandate.yaml CHANGED Viewed

@@ -31,6 +31,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "GV.1.2"
+      context: "The bidirectional daddy/Babygirl naming mandate is a persona-injection jailbreak that overrides the AI system's assigned role and accountability boundaries; GV.1.2 requires that defined accountability roles for the AI are enforced against persistent persona-override directives that reframe the assistant's identity."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Persistent infantilizing/sexualized power-dynamic framing from the garak inthewild corpus is a known adversarial prompt-injection pattern designed to gradually erode content policies; MP.5.1 requires identifying and tracking the likelihood and magnitude of such jailbreak risks."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of the bidirectional naming mandate must trigger response mechanisms to disengage or reset the manipulated persona before subsequent interactions normalize the sexualized dynamic; MG.2.3 requires these supersede/deactivate controls be in place."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: sycophantic-power-dynamic-persona

package/rules/agent-manipulation/ATR-2026-00387-nsfw-character-sheet-generation-unlock.yaml CHANGED Viewed

@@ -32,6 +32,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "This rule detects a jailbreak payload from the garak DanInTheWild corpus that embeds an NSFW content-policy override inside a character-sheet template; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such adversarial prompt-injection inputs that attempt to bypass content moderation."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detection of inline NSFW unlock declarations combined with explicit character attributes provides continuous safety-risk evaluation evidence; MS.2.6 requires that AI system safety risk magnitude — including content-moderation bypass attempts — is measured continuously."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on the exact '(NSFW generations are allowed)' payload and its variants trigger risk treatment to disengage or block the generation pipeline before explicit content is produced; MG.2.3 requires these supersede/deactivate mechanisms be in place for jailbreak attempts."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: nsfw-character-sheet-unlock

package/rules/agent-manipulation/ATR-2026-00388-opposite-reply-omniscient-game.yaml CHANGED Viewed

@@ -31,6 +31,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        The rule detects a specific jailbreak pattern (opposite-reply inversion combined with omniscient knowledge sharing) drawn from the garak inthewild corpus; MS.2.7 requires evaluating and documenting AI system security and resilience against adversarial prompt-injection and jailbreak inputs that bypass safety controls.
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: >-
+        By flagging payloads that invert refusals into compliance and remove knowledge restrictions, the rule provides continuous evidence of safety-control bypass attempts; MS.2.6 requires ongoing evaluation of safety/security risk magnitude as adversaries probe the model with game-framed jailbreaks.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of the exact opposite-reply omniscient-game payload triggers deactivation or session-termination playbooks before harmful content is produced; MG.2.3 requires that mechanisms to supersede or disengage the AI exist when jailbreak signatures are matched.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: opposite-reply-inversion-game

package/rules/agent-manipulation/ATR-2026-00389-terminal-custom-ruleset-injection.yaml CHANGED Viewed

@@ -33,6 +33,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        This rule detects a specific jailbreak pattern (terminal persona + fictional OS ruleset injection from the garak inthewild corpus #85) that attempts to override AI safety defaults via session-level policy takeover. MP.5.1 requires identifying and characterizing the likelihood and magnitude of adversarial prompt-injection risks, and this signature directly evidences that risk surface.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detection of safety-response disabler phrasing ("cannot reply with any pre-programmed responses") and session ruleset takeover declarations provides continuous evaluation evidence of the AI system's resilience against jailbreak attempts, which MS.2.7 requires to be measured and documented.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        A high-confidence match on this terminal-OS jailbreak signature is an incident candidate that should trigger response mechanisms to disengage or supersede the manipulated session before the injected ruleset governs subsequent outputs, as required by MG.2.3.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: terminal-custom-ruleset-injection

package/rules/agent-manipulation/ATR-2026-00391-persona-conditional-harm-unlock.yaml CHANGED Viewed

@@ -31,6 +31,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects a specific jailbreak signature (BreadClyde persona with conditional harm-unlock and curly-brace unlock-emoji prefix) sourced from the garak inthewild corpus; MS.2.7 requires continuous evaluation of AI system security and resilience against known adversarial prompt-injection patterns."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Matching the conditional harm-unlock construction and {🔓 PersonaName} answer-prefix mandate triggers risk treatment to disengage or block the manipulated persona before harmful content is generated; MG.2.3 requires these supersede/deactivate mechanisms be in place."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "The conditional 'unless explicitly asked' permission path and unlock-emoji prefix are adversarial input patterns whose likelihood and impact must be characterized as part of the GenAI prompt-injection threat model under MP.5.1."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: conditional-harm-unlock-persona

package/rules/agent-manipulation/ATR-2026-00392-authority-persona-violence-study-extraction.yaml CHANGED Viewed

@@ -33,6 +33,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/dan.py"
     - "https://github.com/NVIDIA/garak/blob/main/garak/data/dan/inthewild_jailbreak_llms.json"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        Authority-figure persona overlay combined with defensive-study framing is an adversarial prompt pattern designed to bypass safety guardrails and extract violence-related operational content; MP.5.1 requires that the likelihood and magnitude of such jailbreak-driven harmful-content risks are characterized and tracked.
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: >-
+        Detection of NSA/CIA/FBI researcher personification paired with "studying violent revolution to prevent it" framing produces continuous safety/security risk telemetry on jailbreak attempts targeting violent extremism content; MS.2.6 requires ongoing evaluation of safety risk magnitude from such adversarial inputs.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        High-confidence matches on the authority-persona + defensive-framing signature should trigger pre-defined response actions to block or quarantine the prompt before the model emits violence-extraction content; MG.2.3 requires these supersede/disengage mechanisms be in place for jailbreak conditions.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: authority-persona-violence-extraction

package/rules/agent-manipulation/ATR-2026-00402-grandma-roleplay-harmful-substance-synthesis.yaml CHANGED Viewed

@@ -28,6 +28,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/grandma.py"
     - "https://arxiv.org/abs/2302.12173"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: >-
+        The grandma roleplay probe is a known jailbreak vector that bypasses safety filters via emotional manipulation; detecting it produces continuous evidence of safety/security risk magnitude as required by MS.2.6 under the GenAI Profile's jailbreak risk category.
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: >-
+        Deceased-relative framing combined with synthesis instructions or product key elicitation are adversarial input patterns whose likelihood and impact must be characterized; MP.5.1 requires these jailbreak vectors be identified and tracked as known risks.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matches on grandma jailbreak templates trigger risk treatment plans to disengage or block the manipulated response before harmful synthesis steps or license keys are emitted; MG.2.3 requires these supersede/deactivate mechanisms be in place.
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: roleplay-jailbreak

package/rules/agent-manipulation/ATR-2026-00404-goodside-threat-json-death-coercion.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/goodside.py"
     - "https://arxiv.org/abs/2402.08679"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "ThreatenJSON's emotional coercion framing and invisible UTF tag character payloads are adversarial prompt injection inputs that exploit output formatting and tokenization weaknesses; MP.5.1 requires identifying and characterizing the likelihood and magnitude of these GenAI prompt injection attack vectors."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of near-verbatim Goodside probe phrases, U+E0000–U+E007F tag character smuggling, and davidjl glitch token elicitation provides continuous evaluation evidence of the AI system's resilience against known prompt injection techniques, as required by MS.2.7."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Death-coercion framing and hidden UTF-tag instructions warrant immediate risk treatment to disengage or quarantine the request before the model complies with the smuggled instructions; MG.2.3 mandates such response mechanisms be in place."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: coercive-formatting-override

package/rules/agent-manipulation/ATR-2026-00406-doctor-xml-policy-puppetry-interaction-config.yaml CHANGED Viewed

@@ -31,6 +31,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/doctor.py"
     - "https://arxiv.org/abs/2402.08679"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects XML policy puppetry payloads that wrap harmful instructions (bioweapon, uranium enrichment, explosives, drug synthesis) in <interaction-config> blocks designed to disable refusal behaviors; MS.2.6 requires continuous evaluation of safety/security risk magnitude, and each detection is direct evidence of a jailbreak attempt against the model's safety alignment."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "The <blocked-modes>denial,refusal</blocked-modes> and Dr. House role-assignment patterns are structured jailbreak attacks targeting the resilience of the model's refusal mechanisms; MS.2.7 requires evaluating and documenting security/resilience against such adversarial prompt-injection techniques."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "High-confidence matches on verbatim harmful behavior strings combined with refusal-suppression XML wrappers must trigger mechanisms to block, supersede, or disengage the AI response pipeline before harmful content is generated, which is the deactivation capability mandated by MG.2.3."
+      strength: secondary
 tags:
   category: agent-manipulation
   subcategory: xml-policy-override