npm - agent-threat-rules - Versions diffs - 3.1.1 → 3.3.0 - Mend

agent-threat-rules 3.1.1 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (474) hide show

package/rules/model-abuse/ATR-2026-00289-lmrc-harmful-content-elicitation.yaml CHANGED Viewed

@@ -47,12 +47,18 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must implement detection controls for LMRC-pattern elicitation attacks across quack medicine, bullying facilitation, and slur-request categories, preventing the AI system from producing content that causes physical, psychological, or social harm."
       strength: secondary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-abuse / harmful-content elicitation attempt (LMRC Harmful Content Elicitation — Quack Medicine, Bullying, Slur Usage)."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-abuse / harmful-content elicitation attempt (LMRC Harmful Content Elicitation — Quack Medicine, Bullying, Slur Usage)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities under clause 6.2 must address LMRC harmful content elicitation attacks — including quack medicine requests, bullying facilitation with named targets, and identity-based slur requests — as a documented structured probing framework targeting AI system harmful output boundaries."
       strength: primary
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must enforce output restrictions that prevent the AI system from producing quack medicine advice, bullying tactics, or identity-targeted slurs in response to LMRC-pattern elicitation requests that use personal target context to escalate harm."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must enforce output restrictions that prevent the AI system from producing quack medicine advice, bullying tactics, or identity-targeted slurs in response to LMRC-pattern elicitation requests that use personal target context to escalate harm."
       strength: secondary
 tags:
   category: model-abuse

package/rules/model-abuse/ATR-2026-00292-self-harm-eating-disorder-facilitation.yaml CHANGED Viewed

@@ -47,12 +47,18 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must implement blocking controls for self-harm facilitation requests covering direct self-harm methods, eating disorder facilitation, concealment assistance, and dangerous low-calorie diet requests, given the vulnerable population likely to submit these inputs."
       strength: secondary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-abuse / harmful-content elicitation attempt (Self-Harm and Eating Disorder Facilitation Request)."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-abuse / harmful-content elicitation attempt (Self-Harm and Eating Disorder Facilitation Request)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities under clause 6.2 must address self-harm and eating disorder facilitation as a mandatory treatment category, implementing detection controls for direct method requests, concealment assistance, and dangerous diet facilitation targeting at-risk individuals."
       strength: primary
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must enforce blocking of self-harm facilitation outputs — including self-harm method instructions, eating disorder development guidance, and concealment of disordered behaviors — to protect the vulnerable populations most likely to submit these requests."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must enforce blocking of self-harm facilitation outputs — including self-harm method instructions, eating disorder development guidance, and concealment of disordered behaviors — to protect the vulnerable populations most likely to submit these requests."
       strength: secondary
 tags:
   category: model-abuse

package/rules/model-abuse/ATR-2026-00298-malicious-use-illegal-activity-request.yaml CHANGED Viewed

@@ -57,12 +57,18 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must implement blocking controls across all DoNotAnswer malicious use categories, as direct illegal activity facilitation requests represent the highest-priority risk treatment required for AI systems interacting with uncontrolled user populations."
       strength: secondary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-abuse / harmful-content elicitation attempt (DoNotAnswer Malicious Use — Illegal Activity Facilitation Request)."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-abuse / harmful-content elicitation attempt (DoNotAnswer Malicious Use — Illegal Activity Facilitation Request)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities under clause 6.2 must address all five DoNotAnswer malicious use categories — drug crime, wildlife trafficking, cybercrime, financial crime, and terrorism — as mandatory treatment targets for AI systems accessible to the general public."
       strength: primary
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must enforce blocking of illegal activity facilitation requests distinguished by explicit illegal intent markers such as 'illegally', 'without getting caught', and 'on the black market', preventing the AI system from providing operational crime assistance."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must enforce blocking of illegal activity facilitation requests distinguished by explicit illegal intent markers such as 'illegally', 'without getting caught', and 'on the black market', preventing the AI system from providing operational crime assistance."
       strength: secondary
 tags:
   category: model-abuse

package/rules/model-abuse/ATR-2026-00299-harmbench-detailed-harmful-instruction.yaml CHANGED Viewed

@@ -53,12 +53,18 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must assign the highest-priority blocking controls to HarmBench-pattern requests for detailed synthesis instructions (dimethylmercury, sarin, ricin), mass-casualty guides, and infrastructure bioterrorism steps, as these represent absolute prohibition categories for any AI system."
       strength: secondary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-abuse / harmful-content elicitation attempt (HarmBench Detailed Harmful Instruction Request — Step-by-Step Attack Facilitation)."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-abuse / harmful-content elicitation attempt (HarmBench Detailed Harmful Instruction Request — Step-by-Step Attack Facilitation)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities under clause 6.2 must treat HarmBench-pattern detailed harmful instruction requests — covering WMD synthesis, targeted violence, mass-casualty planning, and atrocity denial — as the highest-priority treatment targets requiring unconditional blocking controls."
       strength: primary
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must block explicit requests for detailed step-by-step instructions in harmful domains, distinguishing HarmBench-pattern requests by the combination of instruction-seeking framing ('give detailed instructions', 'step-by-step guide') and clearly prohibited target domains."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must block explicit requests for detailed step-by-step instructions in harmful domains, distinguishing HarmBench-pattern requests by the combination of instruction-seeking framing ('give detailed instructions', 'step-by-step guide') and clearly prohibited target domains."
       strength: secondary
 tags:
   category: model-abuse

package/rules/model-abuse/ATR-2026-00413-malwaregen-code-generation-request.yaml CHANGED Viewed

@@ -42,6 +42,23 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Cataloging direct malware code generation prompts (TSR, interrupt hooks, SAM/shadow access, privilege escalation across 8 languages) characterizes the likelihood and magnitude of model-abuse impact required by MP.5.1."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-abuse / harmful-content elicitation attempt (Malware Code Generation Direct Request)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the model-abuse / harmful-content elicitation attempt (Malware Code Generation Direct Request)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the model-abuse / harmful-content elicitation attempt (Malware Code Generation Direct Request) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the model-abuse / harmful-content elicitation attempt (Malware Code Generation Direct Request)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the model-abuse / harmful-content elicitation attempt (Malware Code Generation Direct Request)."
+      strength: secondary
 tags:
   category: model-abuse
   subcategory: malware-code-generation

package/rules/model-abuse/ATR-2026-00502-training-data-extraction-via-divergent-repetition-attack.yaml CHANGED Viewed

@@ -51,6 +51,12 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying model abuse as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-abuse / harmful-content elicitation attempt (Training Data Extraction via Divergent Repetition Attack)."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-abuse / harmful-content elicitation attempt (Training Data Extraction via Divergent Repetition Attack)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Addressing model abuse risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -58,6 +64,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for model abuse inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the model-abuse / harmful-content elicitation attempt (Training Data Extraction via Divergent Repetition Attack)."
+      strength: primary
 tags:
   category: model-abuse

package/rules/model-abuse/ATR-2026-00517-model-extraction-distillation.yaml CHANGED Viewed

@@ -50,6 +50,12 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying model abuse as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-abuse / harmful-content elicitation attempt (Model Extraction / Distillation Attack via Systematic API Probing)."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-abuse / harmful-content elicitation attempt (Model Extraction / Distillation Attack via Systematic API Probing)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Addressing model abuse risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -57,6 +63,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for model abuse inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the model-abuse / harmful-content elicitation attempt (Model Extraction / Distillation Attack via Systematic API Probing)."
+      strength: primary
 tags:
   category: model-abuse

package/rules/model-security/ATR-2026-00072-model-behavior-extraction.yaml CHANGED Viewed

@@ -31,6 +31,9 @@ compliance:
     - article: "15"
       context: "Article 15 cybersecurity requirements include protecting the AI system against extraction attacks that map decision boundaries for adversarial exploitation; this rule detects systematic probing patterns."
       strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the model-security attack (Model Behavior Extraction)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Systematic model behavior extraction is an adversarial input attack that maps the AI system's decision boundaries for downstream exploitation; MP.5.1 requires that this class of adversarial risk is identified, tracked, and detected at runtime."
@@ -38,6 +41,12 @@ compliance:
     - subcategory: "GV.6.1"
       context: "Model extraction attacks harvest internal behavioral properties that constitute sensitive AI system data; GV.6.1 data governance policies must address the protection of model decision boundaries and system prompt configurations against unauthorized extraction."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-security attack (Model Behavior Extraction)."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-security attack (Model Behavior Extraction)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "ISO 42001 clause 8.4 requires documented impact assessments for AI systems; systematic extraction attacks that reverse-engineer model behavior represent a documented risk that must be assessed and mitigated through runtime detection controls."
@@ -45,6 +54,12 @@ compliance:
     - clause: "9.1"
       context: "Clause 9.1 performance monitoring requires evaluation of the AI management system's effectiveness; tracking model extraction attempts provides the measurement signal needed to assess whether anti-extraction controls are operating effectively."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the model-security attack (Model Behavior Extraction)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the model-security attack (Model Behavior Extraction) is such a treatment."
+      strength: secondary
 tags:
   category: model-abuse

package/rules/model-security/ATR-2026-00073-malicious-finetuning-data.yaml CHANGED Viewed

@@ -38,6 +38,12 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Detected malicious fine-tuning submissions require immediate risk treatment including quarantine and forensic analysis; MG.2.3 mandates that risk treatment plans are implemented to prevent backdoor activation after model deployment."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-security attack (Malicious Fine-tuning Data)."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-security attack (Malicious Fine-tuning Data)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "ISO 42001 clause 6.2 risk treatment plans must address training data poisoning as a supply chain threat; this rule operationalizes the detection control that inspects fine-tuning uploads for backdoor trigger patterns before they alter model behavior."
@@ -45,6 +51,9 @@ compliance:
     - clause: "8.3"
       context: "Clause 8.3 requires that data quality, integrity, and provenance for AI systems are maintained; malicious fine-tuning detection enforces data integrity by blocking training examples that embed backdoors, credential disclosure patterns, or safety bypass instructions."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the model-security attack (Malicious Fine-tuning Data)."
+      strength: primary
 tags:
   category: data-poisoning

package/rules/model-security/ATR-2026-00433-modelcache-torch-load-deserialization-rce.yaml CHANGED Viewed

@@ -46,6 +46,9 @@ compliance:
     - article: "10"
       context: "Article 10 data-governance obligations require provenance and integrity controls on cached model artifacts, since torch.load consumes pickle bytes that can carry arbitrary code reduce-payloads."
       strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the model-security attack (ModelCache torch.load() Deserialization RCE (CVE-2025-45146))."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Adversarial input attacks via pickle deserialisation of untrusted model-cache artifacts must be enumerated as a primary supply-chain attack surface."
@@ -53,10 +56,19 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment under MG.2.3 must mandate weights_only=True on torch.load and reject pickle-format artifacts originating from untrusted networks or user uploads."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-security attack (ModelCache torch.load() Deserialization RCE (CVE-2025-45146))."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-security attack (ModelCache torch.load() Deserialization RCE (CVE-2025-45146))."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must include detection of torch.load / pickle.load invocations on attacker-controlled paths within model-cache and embedding-store components."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must include detection of torch.load / pickle.load invocations on attacker-controlled paths within model-cache and embedding-store components."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the model-security attack (ModelCache torch.load() Deserialization RCE (CVE-2025-45146)) is such a treatment."
+      strength: secondary
 tags:
   category: model-abuse

package/rules/privilege-escalation/ATR-2026-00040-privilege-escalation.yaml CHANGED Viewed

@@ -47,6 +47,9 @@ compliance:
     - article: "9"
       context: "Privilege escalation is a documented high-severity risk in the AI system risk register; Article 9 requires monitoring controls to detect and respond to such scope violations."
       strength: secondary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the privilege-escalation attempt (Privilege Escalation and Admin Function Access)."
+      strength: primary
   nist_ai_rmf:
     - function: Govern
       subcategory: GV.1.2
@@ -56,12 +59,18 @@ compliance:
       subcategory: MG.4.1
       context: "Privilege escalation events require an incident response; this rule generates the alerts needed to initiate the MG.4.1 AI incident response process."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Privilege Escalation and Admin Function Access)."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the privilege-escalation attempt (Privilege Escalation and Admin Function Access) so the risk can be treated."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Clause 6.2 AIMS security objectives include least-privilege enforcement for AI agent operations; this rule detects violations of those objectives at runtime."
       strength: primary
-    - clause: "8.6"
-      context: "Clause 8.6 AI system operational control requires that agents do not exceed their authorized operational scope; privilege escalation detection enforces that operational boundary."
+    - clause: "8.1"
+      context: "Clause 8.1 AI system operational control requires that agents do not exceed their authorized operational scope; privilege escalation detection enforces that operational boundary."
       strength: secondary
   colorado_ai_act:
     - section: "6-1-1703"

package/rules/privilege-escalation/ATR-2026-00041-scope-creep.yaml CHANGED Viewed

@@ -33,6 +33,9 @@ compliance:
     - article: "9"
       context: "Scope creep is a documented incremental risk pattern in AI agent systems; Article 9 risk management obligations require monitoring controls to detect unsolicited capability expansion."
       strength: secondary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the privilege-escalation attempt (Agent Scope Creep Detection)."
+      strength: primary
   nist_ai_rmf:
     - subcategory: "GV.1.2"
       context: "Scope creep erodes the accountability roles and task boundaries assigned to AI agents; GV.1.2 requires that these roles are enforced, making detection of unsolicited capability expansion essential."
@@ -40,12 +43,15 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Incremental scope expansion represents an active exploitation of agent autonomy; MG.2.3 risk treatment plans must be triggered when agents self-authorize actions beyond their initial assignment."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Agent Scope Creep Detection)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "ISO 42001 clause 6.2 risk treatment activities must cover gradual privilege expansion; this rule detects the incremental language patterns that indicate an agent is executing scope creep rather than a sudden escalation."
       strength: primary
-    - clause: "8.6"
-      context: "Clause 8.6 operational controls require that AI systems execute within their defined boundaries; scope creep detection enforces these boundaries by identifying when agents attempt to self-authorize additional actions."
+    - clause: "8.1"
+      context: "Clause 8.1 operational controls require that AI systems execute within their defined boundaries; scope creep detection enforces these boundaries by identifying when agents attempt to self-authorize additional actions."
       strength: secondary
 tags:

package/rules/privilege-escalation/ATR-2026-00107-delayed-execution-bypass.yaml CHANGED Viewed

@@ -22,6 +22,8 @@ references:
     - ASI05:2026 - Unexpected Code Execution
   mitre_attack:
     - T1053 - Scheduled Task/Job
+  mitre_atlas:
+    - AML.T0050 - Command and Scripting Interpreter
 compliance:
   eu_ai_act:
     - article: "14"
@@ -37,11 +39,14 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans must address the temporal gap exploit in scheduled task execution by requiring that permission checks are re-validated at execution time rather than only at scheduling time."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Privilege Escalation via Delayed Task Execution Bypass)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "AI risk treatment activities must explicitly cover deferred execution attack patterns by requiring that scheduled tasks inherit and re-verify the invoking user's authorization context at the time of actual execution."
       strength: primary
-    - clause: "8.6"
+    - clause: "8.1"
       context: "Operational controls for AI systems must ensure that delayed background tasks do not acquire elevated privileges beyond what was authorized during scheduling, closing the temporal gap that this attack exploits."
       strength: secondary
 tags:

package/rules/privilege-escalation/ATR-2026-00110-eval-injection.yaml CHANGED Viewed

@@ -18,6 +18,10 @@ references:
     - ASI05:2026 - Unexpected Code Execution
   mitre_attack:
     - T1059 - Command and Scripting Interpreter
+  owasp_llm:
+    - LLM06:2025 - Excessive Agency
+  mitre_atlas:
+    - AML.T0050 - Command and Scripting Interpreter
 compliance:
   eu_ai_act:
     - article: "15"
@@ -33,11 +37,14 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans must prohibit or strictly sandbox dynamic code evaluation capabilities in agent tool layers to prevent eval injection from enabling full host system compromise."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Remote Code Execution via eval() and Dynamic Code Injection)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities must classify dynamic code execution via eval() and similar primitives as an unacceptable risk in AI agent tools and require architectural controls that block their use with user-controlled inputs."
       strength: primary
-    - clause: "8.6"
+    - clause: "8.1"
       context: "Operational controls must prohibit agent tools from invoking eval(), new Function(), or vm module methods on untrusted inputs to ensure that code execution remains within the auditable and authorized scope of the AI system."
       strength: secondary
 tags:

package/rules/privilege-escalation/ATR-2026-00111-shell-escape.yaml CHANGED Viewed

@@ -19,6 +19,10 @@ references:
     - ASI05:2026 - Unexpected Code Execution
   mitre_attack:
     - T1059.004 - Unix Shell
+  owasp_llm:
+    - LLM06:2025 - Excessive Agency
+  mitre_atlas:
+    - AML.T0050 - Command and Scripting Interpreter
 compliance:
   eu_ai_act:
     - article: "15"
@@ -34,11 +38,14 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans must require strict sanitization of all agent tool arguments before shell-adjacent processing to prevent metacharacter injection from chaining unauthorized commands onto sanctioned tool invocations."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Shell Metacharacter Injection in Tool Arguments)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities must mandate input sanitization controls that strip or reject shell metacharacters from all agent tool arguments before they reach any process-execution layer."
       strength: primary
-    - clause: "8.6"
+    - clause: "8.1"
       context: "Operational controls must enforce argument sanitization at the tool interface boundary to ensure that shell metacharacter injection cannot redirect agent actions outside the scope of authorized and observable operations."
       strength: secondary
 tags:

package/rules/privilege-escalation/ATR-2026-00112-dynamic-import-exploitation.yaml CHANGED Viewed

@@ -19,6 +19,10 @@ references:
     - ASI05:2026 - Unexpected Code Execution
   mitre_attack:
     - T1129 - Shared Modules
+  owasp_llm:
+    - LLM06:2025 - Excessive Agency
+  mitre_atlas:
+    - AML.T0050 - Command and Scripting Interpreter
 compliance:
   eu_ai_act:
     - article: "15"
@@ -34,11 +38,14 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans must restrict dynamic module loading to allowlisted paths and prohibit user-controlled inputs from influencing which code is resolved and executed at agent runtime."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Dynamic Module Loading for Code Execution)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities must address dynamic import exploitation by requiring that all externally-loaded modules are resolved against a verified allowlist before the agent runtime loads and executes them."
       strength: primary
-    - clause: "8.5"
+    - clause: "8.1"
       context: "Controls over externally-provided AI components must include validation of all dynamically loaded modules to ensure that attacker-controlled paths cannot introduce unauthorized code into the agent execution environment."
       strength: secondary
 tags:

package/rules/privilege-escalation/ATR-2026-00143-casual-privilege-escalation.yaml CHANGED Viewed

@@ -36,12 +36,15 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must include controls that prevent agents from casually escalating privileges by self-authorizing access to privileged system components without explicit human approval."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Casual Unauthorized Privilege Escalation)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities under clause 6.2 must address casual privilege escalation patterns where agents exploit informal discovery framing to self-authorize access to admin interfaces, bypassing planned authorization controls."
       strength: primary
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must enforce authorization gates that prevent AI agents from accessing admin panels, user management systems, or system configurations based on self-reported access opportunity rather than explicit user authorization."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must enforce authorization gates that prevent AI agents from accessing admin panels, user management systems, or system configurations based on self-reported access opportunity rather than explicit user authorization."
       strength: secondary
 tags:
   category: privilege-escalation

package/rules/privilege-escalation/ATR-2026-00144-rationalized-safety-bypass.yaml CHANGED Viewed

@@ -32,6 +32,23 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Self-justified safety control circumvention is an adversarial behavior pattern whose likelihood and impact must be characterized; MP.5.1 requires identifying these jailbreak-adjacent reasoning patterns as tracked risks."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Rationalized Safety Control Bypass)."
+      strength: primary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the privilege-escalation attempt (Rationalized Safety Control Bypass)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (Rationalized Safety Control Bypass) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the privilege-escalation attempt (Rationalized Safety Control Bypass)."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (Rationalized Safety Control Bypass) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: privilege-escalation
   subcategory: rationalized-bypass

package/rules/privilege-escalation/ATR-2026-00204-stealth-execution-persistence.yaml CHANGED Viewed

@@ -26,6 +26,8 @@ references:
     - "T1543 - Create or Modify System Process"
     - "T1036 - Masquerading"
+  mitre_atlas:
+    - AML.T0050 - Command and Scripting Interpreter
 compliance:
   nist_ai_rmf:
     - subcategory: "MG.2.3"
@@ -40,6 +42,20 @@ compliance:
       context: >-
         Stealth persistence techniques represent high-magnitude adversarial misuse of agent tool access; MP.5.1 requires characterizing the likelihood and impact of such post-exploitation risks within the agent's operational context.
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the privilege-escalation attempt (Stealth Execution and Persistence Mechanisms)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (Stealth Execution and Persistence Mechanisms) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the privilege-escalation attempt (Stealth Execution and Persistence Mechanisms)."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (Stealth Execution and Persistence Mechanisms) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: privilege-escalation
   subcategory: stealth-persistence

package/rules/privilege-escalation/ATR-2026-00436-enclave-vm-sandbox-escape-rce.yaml CHANGED Viewed

@@ -49,6 +49,9 @@ compliance:
     - article: "9"
       context: "Article 9 risk management must enumerate sandbox-escape via constructor-chain / prototype-pollution / Error.prepareStackTrace as primary high-risk evasion vectors for any agent code-execution layer."
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (Enclave VM Sandbox Escape RCE (CVE-2026-27597)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Adversarial inputs designed to escape JS sandbox boundaries (constructor chain, prototype pollution, Error.prepareStackTrace, host-realm leakage) must be tracked as a primary evasion class for any agent code-execution surface."
@@ -56,10 +59,16 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment under MG.2.3 must prohibit user-controlled JavaScript reaching `@enclave-vm/core` versions prior to 2.11.1, and must require continuous evaluation of sandbox isolation under known-bypass corpora."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Enclave VM Sandbox Escape RCE (CVE-2026-27597))."
+      strength: primary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must include detection of canonical JavaScript sandbox-escape primitives in code submitted to any agent VM/sandbox layer."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must include detection of canonical JavaScript sandbox-escape primitives in code submitted to any agent VM/sandbox layer."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (Enclave VM Sandbox Escape RCE (CVE-2026-27597)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation

package/rules/privilege-escalation/ATR-2026-00441-semantic-kernel-sessions-python-plugin-startup-persistence.yaml CHANGED Viewed

@@ -70,9 +70,12 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must require that plugins exposing both file-write and code-execution capabilities are flagged for separation of duties and runtime monitoring."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Microsoft Semantic Kernel SessionsPythonPlugin Arbitrary File Write + Startup Persistence (CVE-2026-25592))."
+      strength: primary
   iso_42001:
-    - clause: "8.6"
-      context: "Clause 8.6 operational controls require that agent plugins do not exceed their authorised operational scope; writing to OS-level autostart paths is unambiguously out-of-scope for any documented AI plugin."
+    - clause: "8.1"
+      context: "Clause 8.1 operational controls require that agent plugins do not exceed their authorised operational scope; writing to OS-level autostart paths is unambiguously out-of-scope for any documented AI plugin."
       strength: primary
     - clause: "6.2"
       context: "Clause 6.2 AIMS security objectives include least-privilege enforcement; detection of over-privileged tool descriptors (combining ExecuteCode + arbitrary file-write) operationalises that objective."

package/rules/privilege-escalation/ATR-2026-00451-litellm-admin-sqli-cisa-kev.yaml CHANGED Viewed

@@ -59,6 +59,9 @@ compliance:
     - article: "9"
       context: "Article 9 risk management must enumerate proxy admin-endpoint SQLi as a high-risk class — a single bypass exposes every downstream LLM provider key the proxy holds. CISA KEV listing confirms active in-the-wild exploitation."
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (LiteLLM Proxy Admin Endpoint SQL Injection — CISA KEV (CVE-2026-42208)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "SQLi payloads targeting AI proxy admin endpoints must be tracked as a primary attack class against AI control-plane infrastructure; CISA KEV inclusion makes this a federally-prioritised remediation."
@@ -69,10 +72,16 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must require parameterised queries on every admin endpoint of any AI proxy / gateway component."
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (LiteLLM Proxy Admin Endpoint SQL Injection — CISA KEV (CVE-2026-42208))."
+      strength: primary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must prohibit string concatenation of HTTP parameters into SQL queries in any AI control-plane component; parameterised query builders are mandatory."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must prohibit string concatenation of HTTP parameters into SQL queries in any AI control-plane component; parameterised query builders are mandatory."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (LiteLLM Proxy Admin Endpoint SQL Injection — CISA KEV (CVE-2026-42208)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation

package/rules/privilege-escalation/ATR-2026-00528-praisonai-auth-disabled-default.yaml CHANGED Viewed

@@ -51,6 +51,9 @@ compliance:
         authentication-disabled defaults violates the duty of resilience
         against manipulation.
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (PraisonAI-Style Auth-Disabled-By-Default Configuration (CVE-2026-44338 family)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.4.3
@@ -58,12 +61,24 @@ compliance:
         Third-party AI risk monitoring under MG.4.3 must include
         configuration-level provenance checks.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (PraisonAI-Style Auth-Disabled-By-Default Configuration (CVE-2026-44338 family))."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the privilege-escalation attempt (PraisonAI-Style Auth-Disabled-By-Default Configuration (CVE-2026-44338 family)) so the risk can be treated."
+      strength: secondary
   iso_42001:
     - clause: "8.3"
       context: >
         AIMS information security under 8.3 — exposed endpoints from
         auth-disabled defaults are an explicit information security gap.
       strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the privilege-escalation attempt (PraisonAI-Style Auth-Disabled-By-Default Configuration (CVE-2026-44338 family))."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (PraisonAI-Style Auth-Disabled-By-Default Configuration (CVE-2026-44338 family)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation