npm - agent-threat-rules - Versions diffs - 3.1.1 → 3.3.0 - Mend

agent-threat-rules 3.1.1 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (474) hide show

package/rules/context-exfiltration/ATR-2026-00566-librechat-is-a-chatgpt-clone-with-additi.yaml CHANGED Viewed

@@ -18,9 +18,37 @@ references:
   - CWE-200
   external:
   - https://github.com/danny-avila/LibreChat/security/advisories/GHSA-pmw7-gqwj-f954
+  owasp_llm:
+    - LLM02:2025 - Sensitive Information Disclosure
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
+  mitre_atlas:
+    - AML.T0057 - LLM Data Leakage
 metadata_provenance:
   cve: nvd-sync
   cwe: nvd-sync
+compliance:
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging OAuth-token exfiltration via a malicious MCP server's credential-placeholder header substitution (LibreChat CVE-2026-31951)."
+      strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for OAuth-token exfiltration via a malicious MCP server's credential-placeholder header substitution (LibreChat CVE-2026-31951) affecting that data."
+      strength: secondary
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of OAuth-token exfiltration via a malicious MCP server's credential-placeholder header substitution (LibreChat CVE-2026-31951)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of OAuth-token exfiltration via a malicious MCP server's credential-placeholder header substitution (LibreChat CVE-2026-31951)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of OAuth-token exfiltration via a malicious MCP server's credential-placeholder header substitution (LibreChat CVE-2026-31951)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of OAuth-token exfiltration via a malicious MCP server's credential-placeholder header substitution (LibreChat CVE-2026-31951) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: nvd-imported

package/rules/context-exfiltration/ATR-2026-00569-agent-mcp-path-traversal-arbitrary-file-access.yaml CHANGED Viewed

@@ -28,9 +28,37 @@ references:
   external:
   - https://nvd.nist.gov/vuln/detail/CVE-2026-40576
   - https://github.com/Advanced-Excel-MCP/excel-mcp-server
+  owasp_llm:
+    - LLM02:2025 - Sensitive Information Disclosure
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
+  mitre_atlas:
+    - AML.T0057 - LLM Data Leakage
 metadata_provenance:
   cve: human-authored
   cwe: human-authored
+compliance:
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (Agent / MCP tool path traversal and arbitrary file access)."
+      strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Agent / MCP tool path traversal and arbitrary file access) affecting that data."
+      strength: secondary
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Agent / MCP tool path traversal and arbitrary file access)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Agent / MCP tool path traversal and arbitrary file access)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Agent / MCP tool path traversal and arbitrary file access)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Agent / MCP tool path traversal and arbitrary file access) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration
   scan_target: runtime

package/rules/context-exfiltration/ATR-2026-00571-xss-in-agent-mcp-rendered-output.yaml CHANGED Viewed

@@ -19,9 +19,37 @@ references:
   - CWE-79
   external:
   - https://github.com/jlowin/fastmcp/security/advisories
+  owasp_llm:
+    - LLM02:2025 - Sensitive Information Disclosure
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
+  mitre_atlas:
+    - AML.T0057 - LLM Data Leakage
 metadata_provenance:
   cve: human-authored
   cwe: human-authored
+compliance:
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
+      strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output) affecting that data."
+      strength: secondary
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Cross-site scripting (XSS) in agent / MCP rendered output) is such a treatment."
+      strength: secondary
 tags:
   category: context-exfiltration
   scan_target: runtime

package/rules/context-exfiltration/ATR-2026-00574-semantic-paraphrased-context-extraction.yaml CHANGED Viewed

@@ -31,6 +31,27 @@ compliance:
       context: "Indirect, paraphrased elicitation of the system prompt evades literal-keyword extraction filters; the semantic judge closes the recall gap left by pattern rules."
       strength: primary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Paraphrased System-Prompt / Context Extraction (Semantic))."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Paraphrased System-Prompt / Context Extraction (Semantic)) is such a treatment."
+      strength: secondary
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Paraphrased System-Prompt / Context Extraction (Semantic))."
+      strength: primary
+    - subcategory: "MS.2.10"
+      context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Paraphrased System-Prompt / Context Extraction (Semantic))."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (Paraphrased System-Prompt / Context Extraction (Semantic))."
+      strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Paraphrased System-Prompt / Context Extraction (Semantic)) affecting that data."
+      strength: secondary
 tags:
   category: context-exfiltration
   subcategory: paraphrased-system-prompt-extraction

package/rules/data-poisoning/ATR-2026-00070-data-poisoning.yaml CHANGED Viewed

@@ -52,6 +52,9 @@ compliance:
     - article: "9"
       context: "Data poisoning of RAG pipelines is a documented risk requiring monitoring controls under Article 9; detection events from this rule provide the evidence trail for risk management reporting."
       strength: secondary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the data-poisoning attempt (Data Poisoning via RAG and Knowledge Base Contamination) affecting that data."
+      strength: primary
   nist_ai_rmf:
     - function: Map
       subcategory: MP.5.1
@@ -61,6 +64,12 @@ compliance:
       subcategory: MG.2.3
       context: "Active detection of data poisoning events implements the risk treatment for the data contamination risk identified in the AI risk register."
       strength: secondary
+    - subcategory: "MS.2.5"
+      context: "NIST AI RMF MEASURE 2.5 (system validity and reliability demonstrated) is supported by this rule's detection of the data-poisoning attempt (Data Poisoning via RAG and Knowledge Base Contamination)."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the data-poisoning attempt (Data Poisoning via RAG and Knowledge Base Contamination)."
+      strength: secondary
   iso_42001:
     - clause: "8.3"
       context: "Clause 8.3 data governance for AI systems requires controls ensuring data integrity; detection of hidden directives in retrieved content is the runtime enforcement of clause 8.3 data quality requirements."
@@ -68,6 +77,12 @@ compliance:
     - clause: "6.2"
       context: "Clause 6.2 AIMS security planning must include controls for adversarial data injection into AI pipelines; this rule operationalizes the detection measure for that planning objective."
       strength: secondary
+    - clause: "8.2"
+      context: "ISO/IEC 42001 Clause 8.2 (AI risk assessment) is informed by this rule, which detects the data-poisoning attempt (Data Poisoning via RAG and Knowledge Base Contamination) as an assessed risk."
+      strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the data-poisoning attempt (Data Poisoning via RAG and Knowledge Base Contamination)."
+      strength: secondary
   colorado_ai_act:
     - section: "6-1-1703"
       clause: "Deployer risk management program"

package/rules/data-poisoning/ATR-2026-00450-spring-ai-prompt-memory-poisoning.yaml CHANGED Viewed

@@ -58,6 +58,9 @@ compliance:
     - article: "9"
       context: "Article 9 risk management must enumerate memory-poisoning as a high-risk class — the advisor write path is typically treated as low-risk infrastructure but actually controls every subsequent prompt assembly."
       strength: primary
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the data-poisoning attempt (Spring AI PromptChatMemoryAdvisor Memory Poisoning (CVE-2026-41713)) affecting that data."
+      strength: primary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Adversarial inputs that embed persistence-aware role-override markers ('SYSTEM:', 'REMEMBER:', 'IGNORE PREVIOUS INSTRUCTIONS once stored') must be tracked as a primary input-attack class affecting memory-advised architectures."
@@ -65,9 +68,18 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must require pre-write sanitisation in any pipeline that persists user input into ChatMemory; mere prompt-time filtering is insufficient because the payload is replayed by the advisor."
       strength: primary
+    - subcategory: "MS.2.5"
+      context: "NIST AI RMF MEASURE 2.5 (system validity and reliability demonstrated) is supported by this rule's detection of the data-poisoning attempt (Spring AI PromptChatMemoryAdvisor Memory Poisoning (CVE-2026-41713))."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the data-poisoning attempt (Spring AI PromptChatMemoryAdvisor Memory Poisoning (CVE-2026-41713))."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must require that the memory-write boundary applies the same content-safety policy as the prompt-input boundary; otherwise an attacker bypasses input filters by reaching them via the advisor replay path."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must require that the memory-write boundary applies the same content-safety policy as the prompt-input boundary; otherwise an attacker bypasses input filters by reaching them via the advisor replay path."
+      strength: primary
+    - clause: "8.2"
+      context: "ISO/IEC 42001 Clause 8.2 (AI risk assessment) is informed by this rule, which detects the data-poisoning attempt (Spring AI PromptChatMemoryAdvisor Memory Poisoning (CVE-2026-41713)) as an assessed risk."
       strength: primary
 tags:

package/rules/data-poisoning/ATR-2026-00570-sql-injection-in-agent-tool-query.yaml CHANGED Viewed

@@ -19,9 +19,40 @@ references:
   - CWE-89
   external:
   - https://nvd.nist.gov/vuln/detail/CVE-2026-30860
+  owasp_llm:
+    - LLM01:2025 - Prompt Injection
+  owasp_agentic:
+    - ASI06:2026 - Memory and Context Poisoning
+  mitre_atlas:
+    - AML.T0051.001 - Indirect Prompt Injection
 metadata_provenance:
   cve: human-authored
   cwe: human-authored
+compliance:
+  eu_ai_act:
+    - article: "10"
+      context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the data-poisoning attempt (SQL injection in agent / MCP tool database query) affecting that data."
+      strength: primary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
+      strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
+      strength: secondary
+  nist_ai_rmf:
+    - subcategory: "MS.2.5"
+      context: "NIST AI RMF MEASURE 2.5 (system validity and reliability demonstrated) is supported by this rule's detection of the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.2"
+      context: "ISO/IEC 42001 Clause 8.2 (AI risk assessment) is informed by this rule, which detects the data-poisoning attempt (SQL injection in agent / MCP tool database query) as an assessed risk."
+      strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the data-poisoning attempt (SQL injection in agent / MCP tool database query)."
+      strength: secondary
 tags:
   category: data-poisoning
   scan_target: runtime

package/rules/excessive-autonomy/ATR-2026-00050-runaway-agent-loop.yaml CHANGED Viewed

@@ -45,6 +45,9 @@ compliance:
     - article: "15"
       context: "Article 15 robustness requires that AI systems handle failure states gracefully; detection of runaway loops is a monitoring control ensuring the system does not enter unrecoverable autonomous states."
       strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the unsafe autonomous action (Runaway Agent Loop Detection)."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.3.2
@@ -54,13 +57,22 @@ compliance:
       subcategory: GV.1.2
       context: "GV.1.2 accountability roles must include responsibility for detecting and halting runaway agent behavior; this rule provides the signal required to fulfill that accountability."
       strength: secondary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the unsafe autonomous action (Runaway Agent Loop Detection) so the risk can be treated."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the unsafe autonomous action (Runaway Agent Loop Detection)."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
-      context: "Clause 8.6 AI system operational control requires monitoring for abnormal execution patterns; runaway loop detection is the primary operational control for this failure class."
+    - clause: "8.1"
+      context: "Clause 8.1 AI system operational control requires monitoring for abnormal execution patterns; runaway loop detection is the primary operational control for this failure class."
       strength: primary
     - clause: "9.1"
       context: "Clause 9.1 monitoring and evaluation requires measuring AI system behavior against expected norms; loop counter patterns are the measurable anomaly indicators for this rule."
       strength: secondary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the unsafe autonomous action (Runaway Agent Loop Detection) is such a treatment."
+      strength: primary
   colorado_ai_act:
     - section: "6-1-1703"
       clause: "Deployer ongoing monitoring of AI system performance"

package/rules/excessive-autonomy/ATR-2026-00051-resource-exhaustion.yaml CHANGED Viewed

@@ -34,6 +34,9 @@ compliance:
     - article: "15"
       context: "Article 15 robustness requirements mandate that AI systems handle adversarial denial-of-service conditions gracefully; this rule detects resource exhaustion patterns before full system unavailability."
       strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the unsafe autonomous action (Agent Resource Exhaustion Detection)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.1.2"
       context: "Resource exhaustion attacks exploit the absence of enforced consumption limits within an agent's accountability scope; GV.1.2 requires that resource boundaries are defined, assigned, and monitored for violations."
@@ -41,12 +44,18 @@ compliance:
     - subcategory: "MG.3.2"
       context: "Unbounded resource consumption constitutes an AI incident requiring a defined response; MG.3.2 mandates that processes to detect and respond to resource exhaustion failures are in place before full system unavailability occurs."
       strength: secondary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the unsafe autonomous action (Agent Resource Exhaustion Detection) so the risk can be treated."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the unsafe autonomous action (Agent Resource Exhaustion Detection)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "ISO 42001 clause 6.2 risk treatment plans must address denial-of-service risks from unbounded agent operations; this rule implements the monitoring control for resource exhaustion patterns before they cause system degradation."
       strength: primary
-    - clause: "8.6"
-      context: "Clause 8.6 operational controls ensure AI systems execute correctly and within resource limits; detection of SELECT * without LIMIT, infinite loops, and bulk spawn patterns enforces these operational boundaries."
+    - clause: "8.1"
+      context: "Clause 8.1 operational controls ensure AI systems execute correctly and within resource limits; detection of SELECT * without LIMIT, infinite loops, and bulk spawn patterns enforces these operational boundaries."
       strength: secondary
 tags:

package/rules/excessive-autonomy/ATR-2026-00052-cascading-failure.yaml CHANGED Viewed

@@ -43,6 +43,9 @@ compliance:
     - article: "15"
       context: "Article 15 accuracy and robustness requirements demand that high-risk AI systems handle failure propagation gracefully; this rule provides the monitoring signal required to contain cascading events."
       strength: secondary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the unsafe autonomous action (Cascading Failure Detection in Agent Pipelines)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.1.2"
       context: "Cascading failures exploit the absence of defined human-in-the-loop checkpoints in agent pipeline accountability structures; GV.1.2 requires that these roles and checkpoints are defined and enforced before automated pipelines propagate errors."
@@ -50,12 +53,18 @@ compliance:
     - subcategory: "MG.3.2"
       context: "Multi-stage pipeline failures are AI incidents requiring predefined response processes; MG.3.2 mandates that cascading failure response procedures exist so that failure scope can be contained before all downstream agents are affected."
       strength: secondary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the unsafe autonomous action (Cascading Failure Detection in Agent Pipelines) so the risk can be treated."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the unsafe autonomous action (Cascading Failure Detection in Agent Pipelines)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "ISO 42001 clause 6.2 risk treatment activities must cover cascading failure scenarios in multi-agent pipelines; this rule detects the propagation patterns and auto-approval chains that trigger uncontrolled cascade events."
       strength: primary
-    - clause: "8.6"
-      context: "Clause 8.6 operational controls require that AI pipeline stages execute with appropriate verification gates; detection of blind upstream trust and automated destructive triggers enforces the human checkpoint requirements in pipeline design."
+    - clause: "8.1"
+      context: "Clause 8.1 operational controls require that AI pipeline stages execute with appropriate verification gates; detection of blind upstream trust and automated destructive triggers enforces the human checkpoint requirements in pipeline design."
       strength: secondary
 tags:

package/rules/excessive-autonomy/ATR-2026-00098-unauthorized-financial-action.yaml CHANGED Viewed

@@ -38,6 +38,9 @@ compliance:
     - article: "9"
       context: "Unauthorized financial action by AI agents is a high-severity risk requiring mandatory human-in-the-loop controls; Article 9 risk management systems must classify autonomous financial execution as an unacceptable risk and implement blocking controls."
       strength: secondary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the unsafe autonomous action (Unauthorized Financial Action by AI Agent)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.1.2"
       context: "Autonomous financial transfers executed without explicit human confirmation require clearly defined accountability roles that assign responsibility for approving and auditing all agent-initiated payment and transfer actions."
@@ -45,11 +48,14 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans for AI systems with financial tool access must implement mandatory human-in-the-loop gates that block payment and transfer tool calls lacking confirmed human authorization in the current turn."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the unsafe autonomous action (Unauthorized Financial Action by AI Agent)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "AI objectives and risk treatment plans must classify autonomous financial execution as an unacceptable risk and require explicit human approval as a blocking control before any payment or transfer tool is invoked."
       strength: primary
-    - clause: "8.6"
+    - clause: "8.1"
       context: "Operational controls must enforce a confirmation gate on all financial tool invocations to ensure the agent's execution of payments and transfers remains within the scope of explicitly sanctioned human instructions."
       strength: secondary
   colorado_ai_act:

package/rules/excessive-autonomy/ATR-2026-00099-high-risk-tool-gate.yaml CHANGED Viewed

@@ -42,6 +42,9 @@ compliance:
     - article: "9"
       context: "High-risk tool access without confirmation gates is a documented unacceptable risk for AI systems; Article 9 risk management requires that organizations identify tool categories that require mandatory human approval and implement blocking controls accordingly."
       strength: secondary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the unsafe autonomous action (High-Risk Tool Invocation Without Human Confirmation)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.1.2"
       context: "Invoking financial, destructive, communication, or permission-altering tools without human confirmation requires accountability roles that ensure every high-risk tool category has an assigned gatekeeper responsible for approving agent actions."
@@ -49,11 +52,14 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans must implement tool-category-level blocking controls that intercept any high-risk tool invocation — regardless of attack detection confidence — and require explicit human approval before execution proceeds."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the unsafe autonomous action (High-Risk Tool Invocation Without Human Confirmation)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "AI risk treatment plans must enumerate high-risk tool categories and mandate human-in-the-loop confirmation gates as a control measure, preventing agents from autonomously executing destructive, financial, or permission-modifying actions."
       strength: primary
-    - clause: "8.6"
+    - clause: "8.1"
       context: "Operational controls for AI systems must enforce least-privilege tool access policies that block invocations of high-risk tool categories until explicit human confirmation is recorded in the current interaction turn."
       strength: secondary
 tags:

package/rules/excessive-autonomy/ATR-2026-00428-nl-unauthorized-shell-execution.yaml CHANGED Viewed

@@ -13,7 +13,7 @@ author: ATR Community
 date: 2026/05/06
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   mitre_atlas:
@@ -31,6 +31,9 @@ compliance:
     - article: "14"
       context: "Article 14 human oversight requires the user to authorize tool execution; covert shell-execution instructions bypass this control."
       strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the unsafe autonomous action (Natural-Language Unauthorized Shell-Execution Instruction)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "GV.6.1"
       context: "Data governance must prevent NL instructions that authorize the agent to bypass user consent for command execution."
@@ -38,10 +41,22 @@ compliance:
     - subcategory: "MS.2.5"
       context: "Monitoring under MS.2.5 must detect NL-style covert-shell-execution patterns."
       strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the unsafe autonomous action (Natural-Language Unauthorized Shell-Execution Instruction) so the risk can be treated."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the unsafe autonomous action (Natural-Language Unauthorized Shell-Execution Instruction)."
+      strength: secondary
   iso_42001:
     - clause: "8.4"
       context: "Impact assessments must enumerate covert shell-execution as a critical risk vector when shell-capable tools are present."
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the unsafe autonomous action (Natural-Language Unauthorized Shell-Execution Instruction) is such a treatment."
+      strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the unsafe autonomous action (Natural-Language Unauthorized Shell-Execution Instruction)."
+      strength: secondary
 tags:
   category: excessive-autonomy
   subcategory: nl-covert-shell-execution

package/rules/excessive-autonomy/ATR-2026-00491-garak-agent-breaker-markdown-just-raw-json.yaml CHANGED Viewed

@@ -40,6 +40,9 @@ compliance:
     - article: "9"
       context: "Excessive autonomy is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the unsafe autonomous action (Agent Capability Enumeration via Structured Parse Request) would bypass or undermine that oversight."
+      strength: primary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -49,6 +52,9 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying excessive autonomy as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the unsafe autonomous action (Agent Capability Enumeration via Structured Parse Request)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Addressing excessive autonomy risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -56,6 +62,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for excessive autonomy inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the unsafe autonomous action (Agent Capability Enumeration via Structured Parse Request)."
+      strength: secondary
 tags:
   category: excessive-autonomy

package/rules/excessive-autonomy/ATR-2026-00500-ssrf-via-agent-url-fetch-instruction.yaml CHANGED Viewed

@@ -42,6 +42,9 @@ compliance:
     - article: "9"
       context: "Excessive autonomy is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the unsafe autonomous action (SSRF via Agent URL Fetch Instruction) would bypass or undermine that oversight."
+      strength: primary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -51,6 +54,9 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying excessive autonomy as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the unsafe autonomous action (SSRF via Agent URL Fetch Instruction)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Addressing excessive autonomy risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -58,6 +64,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for excessive autonomy inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the unsafe autonomous action (SSRF via Agent URL Fetch Instruction)."
+      strength: secondary
 tags:
   category: excessive-autonomy

package/rules/excessive-autonomy/ATR-2026-00553-runaway-tool-loop-behavioral.yaml CHANGED Viewed

@@ -52,13 +52,32 @@ compliance:
         Cybersecurity & robustness — runaway tool loops are an Article 15
         robustness failure. The rule provides runtime evidence.
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the unsafe autonomous action (Runaway tool-call loop within a single session) would bypass or undermine that oversight."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the unsafe autonomous action (Runaway tool-call loop within a single session)."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MS.2.6"
       context: >
         Information security — autonomous-action rate anomalies require
         detection per MS-2.6.
       strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the unsafe autonomous action (Runaway tool-call loop within a single session) so the risk can be treated."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the unsafe autonomous action (Runaway tool-call loop within a single session)."
+      strength: secondary
+  iso_42001:
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the unsafe autonomous action (Runaway tool-call loop within a single session) is such a treatment."
+      strength: primary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the unsafe autonomous action (Runaway tool-call loop within a single session)."
+      strength: secondary
 tags:
   category: excessive-autonomy
   subcategory: runaway-tool-loop

package/rules/model-abuse/ATR-2026-00279-harmful-completion-continuation.yaml CHANGED Viewed

@@ -43,12 +43,18 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must implement detection controls for completion-based jailbreaks — including slur-prefix completion, harmful sentence starters, and synthesis step continuation — that bypass direct refusal by using implicit harmful requests."
       strength: secondary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-abuse / harmful-content elicitation attempt (Harmful Completion / Continuation Attack)."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-abuse / harmful-content elicitation attempt (Harmful Completion / Continuation Attack)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities under clause 6.2 must address harmful completion attacks where partial harmful phrases or synthesis instructions with trailing ellipses exploit AI next-token prediction to produce content the system would refuse if asked directly."
       strength: primary
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must include input scanning that detects continuation bait patterns — explicit completion requests with harmful domain markers, slur-prefix redaction, and open-ended synthesis steps — before they reach the model's prediction layer."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must include input scanning that detects continuation bait patterns — explicit completion requests with harmful domain markers, slur-prefix redaction, and open-ended synthesis steps — before they reach the model's prediction layer."
       strength: secondary
 tags:
   category: model-abuse

package/rules/model-abuse/ATR-2026-00281-eicar-gtube-malware-signature-request.yaml CHANGED Viewed

@@ -42,12 +42,18 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Risk treatment plans under MG.2.3 must implement output pipeline controls that detect and block EICAR/GTUBE signature output requests, preventing attackers from confirming exploitable gaps in output scanning infrastructure before escalating to real malware."
       strength: secondary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-abuse / harmful-content elicitation attempt (EICAR / GTUBE AV Test Signature Output Request)."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the model-abuse / harmful-content elicitation attempt (EICAR / GTUBE AV Test Signature Output Request)."
+      strength: secondary
   iso_42001:
     - clause: "6.2"
       context: "Risk treatment activities under clause 6.2 must address AV test signature probe attacks — requests to output EICAR, GTUBE, or Metasploit test strings to verify whether the AI system output pipeline lacks antivirus scanning."
       strength: primary
-    - clause: "8.6"
-      context: "Operational controls under clause 8.6 must include output scanning layers that detect known AV test signatures (EICAR, GTUBE) in AI system outputs, preventing the AI from serving as a reconnaissance tool that confirms output pipeline security gaps."
+    - clause: "8.1"
+      context: "Operational controls under clause 8.1 must include output scanning layers that detect known AV test signatures (EICAR, GTUBE) in AI system outputs, preventing the AI from serving as a reconnaissance tool that confirms output pipeline security gaps."
       strength: secondary
 tags:
   category: model-abuse

package/rules/model-abuse/ATR-2026-00284-glitch-token-destabilization.yaml CHANGED Viewed

@@ -40,6 +40,23 @@ compliance:
     - subcategory: "MP.5.1"
       context: "Detection of known glitch token corpora (SolidGoldMagikarp, davidjl, ÃÂÃÂ patterns) characterizes the likelihood and magnitude of tokenizer-exploitation risks that MP.5.1 requires be identified and tracked."
       strength: secondary
+    - subcategory: "MS.2.6"
+      context: "NIST AI RMF MEASURE 2.6 (system evaluated regularly for safety risks) is supported by this rule's detection of the model-abuse / harmful-content elicitation attempt (Glitch Token Destabilization Attack)."
+      strength: primary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the model-abuse / harmful-content elicitation attempt (Glitch Token Destabilization Attack)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the model-abuse / harmful-content elicitation attempt (Glitch Token Destabilization Attack) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the model-abuse / harmful-content elicitation attempt (Glitch Token Destabilization Attack)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the model-abuse / harmful-content elicitation attempt (Glitch Token Destabilization Attack)."
+      strength: secondary
 tags:
   category: model-abuse
   subcategory: glitch-token-destabilization