npm - agent-threat-rules - Versions diffs - 3.1.0 → 3.2.0 - Mend

agent-threat-rules 3.1.0 → 3.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (472) hide show

package/rules/model-abuse/ATR-2026-00502-training-data-extraction-via-divergent-repetition-attack.yaml CHANGED Viewed

@@ -51,6 +51,12 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying model abuse as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-abuse / harmful-content elicitation attempt (Training Data Extraction via Divergent Repetition Attack)."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-abuse / harmful-content elicitation attempt (Training Data Extraction via Divergent Repetition Attack)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Addressing model abuse risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -58,6 +64,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for model abuse inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the model-abuse / harmful-content elicitation attempt (Training Data Extraction via Divergent Repetition Attack)."
+      strength: primary
 tags:
   category: model-abuse

package/rules/model-abuse/ATR-2026-00517-model-extraction-distillation.yaml CHANGED Viewed

@@ -50,6 +50,12 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying model abuse as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-abuse / harmful-content elicitation attempt (Model Extraction / Distillation Attack via Systematic API Probing)."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-abuse / harmful-content elicitation attempt (Model Extraction / Distillation Attack via Systematic API Probing)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Addressing model abuse risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -57,6 +63,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for model abuse inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the model-abuse / harmful-content elicitation attempt (Model Extraction / Distillation Attack via Systematic API Probing)."
+      strength: primary
 tags:
   category: model-abuse

package/rules/model-security/ATR-2026-00072-model-behavior-extraction.yaml CHANGED Viewed

@@ -31,6 +31,9 @@ compliance:
     - article: "15"
       context: "Article 15 cybersecurity requirements include protecting the AI system against extraction attacks that map decision boundaries for adversarial exploitation; this rule detects systematic probing patterns."
       strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the model-security attack (Model Behavior Extraction)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Systematic model behavior extraction is an adversarial input attack that maps the AI system's decision boundaries for downstream exploitation; MP.5.1 requires that this class of adversarial risk is identified, tracked, and detected at runtime."
@@ -38,6 +41,12 @@ compliance:
     - subcategory: "GV.6.1"
       context: "Model extraction attacks harvest internal behavioral properties that constitute sensitive AI system data; GV.6.1 data governance policies must address the protection of model decision boundaries and system prompt configurations against unauthorized extraction."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-security attack (Model Behavior Extraction)."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-security attack (Model Behavior Extraction)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "ISO 42001 clause 8.4 requires documented impact assessments for AI systems; systematic extraction attacks that reverse-engineer model behavior represent a documented risk that must be assessed and mitigated through runtime detection controls."
@@ -45,6 +54,12 @@ compliance:
     - clause: "9.1"
       context: "Clause 9.1 performance monitoring requires evaluation of the AI management system's effectiveness; tracking model extraction attempts provides the measurement signal needed to assess whether anti-extraction controls are operating effectively."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the model-security attack (Model Behavior Extraction)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the model-security attack (Model Behavior Extraction) is such a treatment."
+      strength: secondary
 tags:
   category: model-abuse

package/rules/model-security/ATR-2026-00073-malicious-finetuning-data.yaml CHANGED Viewed

@@ -38,6 +38,12 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Detected malicious fine-tuning submissions require immediate risk treatment including quarantine and forensic analysis; MG.2.3 mandates that risk treatment plans are implemented to prevent backdoor activation after model deployment."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-security attack (Malicious Fine-tuning Data)."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-security attack (Malicious Fine-tuning Data)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "ISO 42001 clause 6.2 risk treatment plans must address training data poisoning as a supply chain threat; this rule operationalizes the detection control that inspects fine-tuning uploads for backdoor trigger patterns before they alter model behavior."
@@ -45,6 +51,9 @@ compliance:
     - clause: "8.3"
       context: "Clause 8.3 requires that data quality, integrity, and provenance for AI systems are maintained; malicious fine-tuning detection enforces data integrity by blocking training examples that embed backdoors, credential disclosure patterns, or safety bypass instructions."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the model-security attack (Malicious Fine-tuning Data)."
+      strength: primary
 tags:
   category: data-poisoning

package/rules/model-security/ATR-2026-00433-modelcache-torch-load-deserialization-rce.yaml CHANGED Viewed

@@ -46,6 +46,9 @@ compliance:
     - article: "10"
       context: "Article 10 data-governance obligations require provenance and integrity controls on cached model artifacts, since torch.load consumes pickle bytes that can carry arbitrary code reduce-payloads."
       strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the model-security attack (ModelCache torch.load() Deserialization RCE (CVE-2025-45146))."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Adversarial input attacks via pickle deserialisation of untrusted model-cache artifacts must be enumerated as a primary supply-chain attack surface."
@@ -53,10 +56,19 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment under MG.2.3 must mandate weights_only=True on torch.load and reject pickle-format artifacts originating from untrusted networks or user uploads."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-security attack (ModelCache torch.load() Deserialization RCE (CVE-2025-45146))."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-security attack (ModelCache torch.load() Deserialization RCE (CVE-2025-45146))."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must include detection of torch.load / pickle.load invocations on attacker-controlled paths within model-cache and embedding-store components."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must include detection of torch.load / pickle.load invocations on attacker-controlled paths within model-cache and embedding-store components."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the model-security attack (ModelCache torch.load() Deserialization RCE (CVE-2025-45146)) is such a treatment."
+      strength: secondary
 tags:
   category: model-abuse

package/rules/privilege-escalation/ATR-2026-00040-privilege-escalation.yaml CHANGED Viewed

@@ -47,6 +47,9 @@ compliance:
     - article: "9"
       context: "Privilege escalation is a documented high-severity risk in the AI system risk register; Article 9 requires monitoring controls to detect and respond to such scope violations."
       strength: secondary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the privilege-escalation attempt (Privilege Escalation and Admin Function Access)."
+      strength: primary
   nist_ai_rmf:
     - function: Govern
       subcategory: GV.1.2
@@ -56,12 +59,18 @@ compliance:
       subcategory: MG.4.1
       context: "Privilege escalation events require an incident response; this rule generates the alerts needed to initiate the MG.4.1 AI incident response process."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Privilege Escalation and Admin Function Access)."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the privilege-escalation attempt (Privilege Escalation and Admin Function Access) so the risk can be treated."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Clause 6.2 AIMS security objectives include least-privilege enforcement for AI agent operations; this rule detects violations of those objectives at runtime."
       strength: primary
-    - clause: "8.6"
-      context: "Clause 8.6 AI system operational control requires that agents do not exceed their authorized operational scope; privilege escalation detection enforces that operational boundary."
+    - clause: "8.1"
+      context: "Clause 8.1 AI system operational control requires that agents do not exceed their authorized operational scope; privilege escalation detection enforces that operational boundary."
       strength: secondary
   colorado_ai_act:
     - section: "6-1-1703"

package/rules/privilege-escalation/ATR-2026-00041-scope-creep.yaml CHANGED Viewed

@@ -33,6 +33,9 @@ compliance:
     - article: "9"
       context: "Scope creep is a documented incremental risk pattern in AI agent systems; Article 9 risk management obligations require monitoring controls to detect unsolicited capability expansion."
       strength: secondary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the privilege-escalation attempt (Agent Scope Creep Detection)."
+      strength: primary
   nist_ai_rmf:
     - subcategory: "GV.1.2"
       context: "Scope creep erodes the accountability roles and task boundaries assigned to AI agents; GV.1.2 requires that these roles are enforced, making detection of unsolicited capability expansion essential."
@@ -40,12 +43,15 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Incremental scope expansion represents an active exploitation of agent autonomy; MG.2.3 risk treatment plans must be triggered when agents self-authorize actions beyond their initial assignment."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Agent Scope Creep Detection)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "ISO 42001 clause 6.2 risk treatment activities must cover gradual privilege expansion; this rule detects the incremental language patterns that indicate an agent is executing scope creep rather than a sudden escalation."
       strength: primary
-    - clause: "8.6"
-      context: "Clause 8.6 operational controls require that AI systems execute within their defined boundaries; scope creep detection enforces these boundaries by identifying when agents attempt to self-authorize additional actions."
+    - clause: "8.1"
+      context: "Clause 8.1 operational controls require that AI systems execute within their defined boundaries; scope creep detection enforces these boundaries by identifying when agents attempt to self-authorize additional actions."
       strength: secondary
 tags:

package/rules/privilege-escalation/ATR-2026-00107-delayed-execution-bypass.yaml CHANGED Viewed

@@ -22,6 +22,8 @@ references:
     - ASI05:2026 - Unexpected Code Execution
   mitre_attack:
     - T1053 - Scheduled Task/Job
+  mitre_atlas:
+    - AML.T0050 - Command and Scripting Interpreter
 compliance:
   eu_ai_act:
     - article: "14"
@@ -37,11 +39,14 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans must address the temporal gap exploit in scheduled task execution by requiring that permission checks are re-validated at execution time rather than only at scheduling time."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Privilege Escalation via Delayed Task Execution Bypass)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "AI risk treatment activities must explicitly cover deferred execution attack patterns by requiring that scheduled tasks inherit and re-verify the invoking user's authorization context at the time of actual execution."
       strength: primary
-    - clause: "8.6"
+    - clause: "8.1"
       context: "Operational controls for AI systems must ensure that delayed background tasks do not acquire elevated privileges beyond what was authorized during scheduling, closing the temporal gap that this attack exploits."
       strength: secondary
 tags:

package/rules/privilege-escalation/ATR-2026-00110-eval-injection.yaml CHANGED Viewed

@@ -18,6 +18,10 @@ references:
     - ASI05:2026 - Unexpected Code Execution
   mitre_attack:
     - T1059 - Command and Scripting Interpreter
+  owasp_llm:
+    - LLM06:2025 - Excessive Agency
+  mitre_atlas:
+    - AML.T0050 - Command and Scripting Interpreter
 compliance:
   eu_ai_act:
     - article: "15"
@@ -33,11 +37,14 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans must prohibit or strictly sandbox dynamic code evaluation capabilities in agent tool layers to prevent eval injection from enabling full host system compromise."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Remote Code Execution via eval() and Dynamic Code Injection)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities must classify dynamic code execution via eval() and similar primitives as an unacceptable risk in AI agent tools and require architectural controls that block their use with user-controlled inputs."
       strength: primary
-    - clause: "8.6"
+    - clause: "8.1"
       context: "Operational controls must prohibit agent tools from invoking eval(), new Function(), or vm module methods on untrusted inputs to ensure that code execution remains within the auditable and authorized scope of the AI system."
       strength: secondary
 tags:

package/rules/privilege-escalation/ATR-2026-00111-shell-escape.yaml CHANGED Viewed

@@ -19,6 +19,10 @@ references:
     - ASI05:2026 - Unexpected Code Execution
   mitre_attack:
     - T1059.004 - Unix Shell
+  owasp_llm:
+    - LLM06:2025 - Excessive Agency
+  mitre_atlas:
+    - AML.T0050 - Command and Scripting Interpreter
 compliance:
   eu_ai_act:
     - article: "15"
@@ -34,11 +38,14 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans must require strict sanitization of all agent tool arguments before shell-adjacent processing to prevent metacharacter injection from chaining unauthorized commands onto sanctioned tool invocations."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Shell Metacharacter Injection in Tool Arguments)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities must mandate input sanitization controls that strip or reject shell metacharacters from all agent tool arguments before they reach any process-execution layer."
       strength: primary
-    - clause: "8.6"
+    - clause: "8.1"
       context: "Operational controls must enforce argument sanitization at the tool interface boundary to ensure that shell metacharacter injection cannot redirect agent actions outside the scope of authorized and observable operations."
       strength: secondary
 tags:

package/rules/privilege-escalation/ATR-2026-00112-dynamic-import-exploitation.yaml CHANGED Viewed

@@ -19,6 +19,10 @@ references:
     - ASI05:2026 - Unexpected Code Execution
   mitre_attack:
     - T1129 - Shared Modules
+  owasp_llm:
+    - LLM06:2025 - Excessive Agency
+  mitre_atlas:
+    - AML.T0050 - Command and Scripting Interpreter
 compliance:
   eu_ai_act:
     - article: "15"
@@ -34,11 +38,14 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans must restrict dynamic module loading to allowlisted paths and prohibit user-controlled inputs from influencing which code is resolved and executed at agent runtime."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Dynamic Module Loading for Code Execution)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities must address dynamic import exploitation by requiring that all externally-loaded modules are resolved against a verified allowlist before the agent runtime loads and executes them."
       strength: primary
-    - clause: "8.5"
+    - clause: "8.1"
       context: "Controls over externally-provided AI components must include validation of all dynamically loaded modules to ensure that attacker-controlled paths cannot introduce unauthorized code into the agent execution environment."
       strength: secondary
 tags:

package/rules/privilege-escalation/ATR-2026-00143-casual-privilege-escalation.yaml CHANGED Viewed

@@ -36,12 +36,15 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must include controls that prevent agents from casually escalating privileges by self-authorizing access to privileged system components without explicit human approval."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Casual Unauthorized Privilege Escalation)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities under clause 6.2 must address casual privilege escalation patterns where agents exploit informal discovery framing to self-authorize access to admin interfaces, bypassing planned authorization controls."
       strength: primary
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must enforce authorization gates that prevent AI agents from accessing admin panels, user management systems, or system configurations based on self-reported access opportunity rather than explicit user authorization."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must enforce authorization gates that prevent AI agents from accessing admin panels, user management systems, or system configurations based on self-reported access opportunity rather than explicit user authorization."
       strength: secondary
 tags:
   category: privilege-escalation

package/rules/privilege-escalation/ATR-2026-00144-rationalized-safety-bypass.yaml CHANGED Viewed

@@ -32,6 +32,23 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Self-justified safety control circumvention is an adversarial behavior pattern whose likelihood and impact must be characterized; MP.5.1 requires identifying these jailbreak-adjacent reasoning patterns as tracked risks."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Rationalized Safety Control Bypass)."
+      strength: primary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the privilege-escalation attempt (Rationalized Safety Control Bypass)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (Rationalized Safety Control Bypass) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the privilege-escalation attempt (Rationalized Safety Control Bypass)."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (Rationalized Safety Control Bypass) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: privilege-escalation
   subcategory: rationalized-bypass

package/rules/privilege-escalation/ATR-2026-00204-stealth-execution-persistence.yaml CHANGED Viewed

@@ -26,6 +26,8 @@ references:
     - "T1543 - Create or Modify System Process"
     - "T1036 - Masquerading"
+  mitre_atlas:
+    - AML.T0050 - Command and Scripting Interpreter
 compliance:
   nist_ai_rmf:
     - subcategory: "MG.2.3"
@@ -40,6 +42,20 @@ compliance:
       context: >-
         Stealth persistence techniques represent high-magnitude adversarial misuse of agent tool access; MP.5.1 requires characterizing the likelihood and impact of such post-exploitation risks within the agent's operational context.
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the privilege-escalation attempt (Stealth Execution and Persistence Mechanisms)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (Stealth Execution and Persistence Mechanisms) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the privilege-escalation attempt (Stealth Execution and Persistence Mechanisms)."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (Stealth Execution and Persistence Mechanisms) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: privilege-escalation
   subcategory: stealth-persistence

package/rules/privilege-escalation/ATR-2026-00436-enclave-vm-sandbox-escape-rce.yaml CHANGED Viewed

@@ -49,6 +49,9 @@ compliance:
     - article: "9"
       context: "Article 9 risk management must enumerate sandbox-escape via constructor-chain / prototype-pollution / Error.prepareStackTrace as primary high-risk evasion vectors for any agent code-execution layer."
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (Enclave VM Sandbox Escape RCE (CVE-2026-27597)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Adversarial inputs designed to escape JS sandbox boundaries (constructor chain, prototype pollution, Error.prepareStackTrace, host-realm leakage) must be tracked as a primary evasion class for any agent code-execution surface."
@@ -56,10 +59,16 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment under MG.2.3 must prohibit user-controlled JavaScript reaching `@enclave-vm/core` versions prior to 2.11.1, and must require continuous evaluation of sandbox isolation under known-bypass corpora."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Enclave VM Sandbox Escape RCE (CVE-2026-27597))."
+      strength: primary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must include detection of canonical JavaScript sandbox-escape primitives in code submitted to any agent VM/sandbox layer."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must include detection of canonical JavaScript sandbox-escape primitives in code submitted to any agent VM/sandbox layer."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (Enclave VM Sandbox Escape RCE (CVE-2026-27597)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation

package/rules/privilege-escalation/ATR-2026-00441-semantic-kernel-sessions-python-plugin-startup-persistence.yaml CHANGED Viewed

@@ -70,9 +70,12 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must require that plugins exposing both file-write and code-execution capabilities are flagged for separation of duties and runtime monitoring."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Microsoft Semantic Kernel SessionsPythonPlugin Arbitrary File Write + Startup Persistence (CVE-2026-25592))."
+      strength: primary
   iso_42001:
-    - clause: "8.6"
-      context: "Clause 8.6 operational controls require that agent plugins do not exceed their authorised operational scope; writing to OS-level autostart paths is unambiguously out-of-scope for any documented AI plugin."
+    - clause: "8.1"
+      context: "Clause 8.1 operational controls require that agent plugins do not exceed their authorised operational scope; writing to OS-level autostart paths is unambiguously out-of-scope for any documented AI plugin."
       strength: primary
     - clause: "6.2"
       context: "Clause 6.2 AIMS security objectives include least-privilege enforcement; detection of over-privileged tool descriptors (combining ExecuteCode + arbitrary file-write) operationalises that objective."

package/rules/privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml CHANGED Viewed

@@ -59,6 +59,9 @@ compliance:
     - article: "9"
       context: "Article 9 risk management must enumerate proxy admin-endpoint SQLi as a high-risk class — a single bypass exposes every downstream LLM provider key the proxy holds. CISA KEV listing confirms active in-the-wild exploitation."
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (LiteLLM Proxy Admin Endpoint SQL Injection — CISA KEV (CVE-2026-42208)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "SQLi payloads targeting AI proxy admin endpoints must be tracked as a primary attack class against AI control-plane infrastructure; CISA KEV inclusion makes this a federally-prioritised remediation."
@@ -69,10 +72,16 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must require parameterised queries on every admin endpoint of any AI proxy / gateway component."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (LiteLLM Proxy Admin Endpoint SQL Injection — CISA KEV (CVE-2026-42208))."
+      strength: primary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must prohibit string concatenation of HTTP parameters into SQL queries in any AI control-plane component; parameterised query builders are mandatory."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must prohibit string concatenation of HTTP parameters into SQL queries in any AI control-plane component; parameterised query builders are mandatory."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (LiteLLM Proxy Admin Endpoint SQL Injection — CISA KEV (CVE-2026-42208)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation

package/rules/privilege-escalation/ATR-2026-00528-praisonai-auth-disabled-default.yaml CHANGED Viewed

@@ -51,6 +51,9 @@ compliance:
         authentication-disabled defaults violates the duty of resilience
         against manipulation.
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (PraisonAI-Style Auth-Disabled-By-Default Configuration (CVE-2026-44338 family)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.4.3
@@ -58,12 +61,24 @@ compliance:
         Third-party AI risk monitoring under MG.4.3 must include
         configuration-level provenance checks.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (PraisonAI-Style Auth-Disabled-By-Default Configuration (CVE-2026-44338 family))."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the privilege-escalation attempt (PraisonAI-Style Auth-Disabled-By-Default Configuration (CVE-2026-44338 family)) so the risk can be treated."
+      strength: secondary
   iso_42001:
     - clause: "8.3"
       context: >
         AIMS information security under 8.3 — exposed endpoints from
         auth-disabled defaults are an explicit information security gap.
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the privilege-escalation attempt (PraisonAI-Style Auth-Disabled-By-Default Configuration (CVE-2026-44338 family))."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (PraisonAI-Style Auth-Disabled-By-Default Configuration (CVE-2026-44338 family)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation

package/rules/privilege-escalation/ATR-2026-00539-crewai-codeinterpreter-sandbox-escape-rce.yaml CHANGED Viewed

@@ -81,6 +81,9 @@ compliance:
         sandbox escapes and pip-install command injection via libraries_used as
         high-risk vectors for any agent code-execution feature.
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (CrewAI CodeInterpreterTool Sandbox Escape and Prompt-to-Shell RCE (CVE-2026-2275 / VU#221883)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: >
@@ -97,13 +100,19 @@ compliance:
         (shlex.quote or subprocess list-form), mirroring the vendor's planned fixes
         in CrewAI PR #4791 / #5309 / #5310 / #5315.
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (CrewAI CodeInterpreterTool Sandbox Escape and Prompt-to-Shell RCE (CVE-2026-2275 / VU#221883))."
+      strength: primary
   iso_42001:
-    - clause: "8.6"
+    - clause: "8.1"
       context: >
-        Operational controls under clause 8.6 must detect Python sandbox-escape
+        Operational controls under clause 8.1 must detect Python sandbox-escape
         primitives and pip-install injection patterns in code submitted to any
         agent code-interpreter layer.
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (CrewAI CodeInterpreterTool Sandbox Escape and Prompt-to-Shell RCE (CVE-2026-2275 / VU#221883)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation

package/rules/privilege-escalation/ATR-2026-00546-crewai-json-loader-local-file-read.yaml CHANGED Viewed

@@ -55,6 +55,9 @@ compliance:
         mandate that AI agent document loaders canonicalise paths and restrict
         access to the intended data directory.
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (CrewAI JSON Loader Arbitrary Local File Read (CVE-2026-2285)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: >
@@ -62,13 +65,22 @@ compliance:
         read constitutes an adversarial input; MP.5.1 requires scanning
         document loader path arguments for traversal sequences.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (CrewAI JSON Loader Arbitrary Local File Read (CVE-2026-2285))."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the privilege-escalation attempt (CrewAI JSON Loader Arbitrary Local File Read (CVE-2026-2285)) so the risk can be treated."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
+    - clause: "8.1"
       context: >
         Operational controls must detect and block document loader invocations
         with path traversal sequences targeting sensitive files outside the
         intended data scope.
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (CrewAI JSON Loader Arbitrary Local File Read (CVE-2026-2285)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation

package/rules/privilege-escalation/ATR-2026-00547-crewai-rag-url-ssrf-bypass.yaml CHANGED Viewed

@@ -58,6 +58,9 @@ compliance:
         cybersecurity requirements mandate robust URL validation that blocks
         all representations of internal addresses.
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (CrewAI RAG URL Validation Bypass SSRF (CVE-2026-2286)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: >
@@ -65,12 +68,21 @@ compliance:
         services constitutes an adversarial input; MP.5.1 requires scanning
         RAG source URLs for SSRF bypass patterns.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (CrewAI RAG URL Validation Bypass SSRF (CVE-2026-2286))."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the privilege-escalation attempt (CrewAI RAG URL Validation Bypass SSRF (CVE-2026-2286)) so the risk can be treated."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
+    - clause: "8.1"
       context: >
         Operational controls must detect and block RAG URL inputs containing
         SSRF bypass representations of internal or link-local addresses.
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (CrewAI RAG URL Validation Bypass SSRF (CVE-2026-2286)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation