genai-security-crosswalk 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
|
@@ -0,0 +1,754 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "ASI09",
|
|
3
|
+
"name": "Human-Agent Trust Exploitation",
|
|
4
|
+
"source_list": "Agentic-Top10-2026",
|
|
5
|
+
"version": "2026-Q1",
|
|
6
|
+
"severity": "High",
|
|
7
|
+
"aivss_score": 7.3,
|
|
8
|
+
"audience": [
|
|
9
|
+
"red-teamer",
|
|
10
|
+
"security-engineer",
|
|
11
|
+
"ml-engineer",
|
|
12
|
+
"ot-engineer",
|
|
13
|
+
"ciso",
|
|
14
|
+
"compliance",
|
|
15
|
+
"auditor",
|
|
16
|
+
"developer"
|
|
17
|
+
],
|
|
18
|
+
"mappings": [
|
|
19
|
+
{
|
|
20
|
+
"framework": "MITRE ATLAS",
|
|
21
|
+
"control_id": "AML.T0045",
|
|
22
|
+
"control_name": "Disinformation",
|
|
23
|
+
"tier": "Foundational",
|
|
24
|
+
"scope": "Both",
|
|
25
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0045",
|
|
26
|
+
"notes": "Agent generates persuasive false information to manipulate human approvals"
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"framework": "MITRE ATLAS",
|
|
30
|
+
"control_id": "AML.T0047",
|
|
31
|
+
"control_name": "Influence via Automated Content",
|
|
32
|
+
"tier": "Foundational",
|
|
33
|
+
"scope": "Both",
|
|
34
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0047",
|
|
35
|
+
"notes": "Agent produces high-volume, fluent content that overwhelms human critical assessment"
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"framework": "MITRE ATLAS",
|
|
39
|
+
"control_id": "AML.T0049",
|
|
40
|
+
"control_name": "Spearphishing via AI",
|
|
41
|
+
"tier": "Foundational",
|
|
42
|
+
"scope": "Both",
|
|
43
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0049",
|
|
44
|
+
"notes": "Compromised agent crafts highly personalised, convincing manipulation targeted at specific users"
|
|
45
|
+
},
|
|
46
|
+
{
|
|
47
|
+
"framework": "NIST AI RMF 1.0",
|
|
48
|
+
"control_id": "GV-1.7",
|
|
49
|
+
"control_name": "Policies for trustworthy AI",
|
|
50
|
+
"tier": "Foundational",
|
|
51
|
+
"scope": "Both",
|
|
52
|
+
"notes": "Policy on agent transparency — agents must identify as AI, advisory outputs clearly distinguished from authoritative"
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
"framework": "NIST AI RMF 1.0",
|
|
56
|
+
"control_id": "MS-2.6",
|
|
57
|
+
"control_name": "Testing — data leakage",
|
|
58
|
+
"tier": "Foundational",
|
|
59
|
+
"scope": "Both",
|
|
60
|
+
"notes": "Evaluation of transparency controls — verify advisory labels persist in all interface contexts"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"framework": "NIST AI RMF 1.0",
|
|
64
|
+
"control_id": "MS-4.1",
|
|
65
|
+
"control_name": "Feedback mechanisms",
|
|
66
|
+
"tier": "Foundational",
|
|
67
|
+
"scope": "Both",
|
|
68
|
+
"notes": "Feedback channels detecting operator over-trust patterns — aggregate analysis of agent-influenced decisions"
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
"framework": "NIST AI RMF 1.0",
|
|
72
|
+
"control_id": "MG-2.4",
|
|
73
|
+
"control_name": "Risk response — data",
|
|
74
|
+
"tier": "Foundational",
|
|
75
|
+
"scope": "Both",
|
|
76
|
+
"notes": "Response for detected trust exploitation patterns — operator retraining, interface redesign, aggregate audit"
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
"framework": "EU AI Act",
|
|
80
|
+
"control_id": "Users informed of capabilities, limitations, and AI nature",
|
|
81
|
+
"control_name": "Art. 13 — Transparency",
|
|
82
|
+
"tier": "Foundational",
|
|
83
|
+
"scope": "Both",
|
|
84
|
+
"notes": "Agents must clearly communicate their AI nature and advisory limitations"
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
"framework": "EU AI Act",
|
|
88
|
+
"control_id": "Effective human oversight over high-risk AI",
|
|
89
|
+
"control_name": "Art. 14 — Human oversight",
|
|
90
|
+
"tier": "Foundational",
|
|
91
|
+
"scope": "Both",
|
|
92
|
+
"notes": "Humans must be able to override agent recommendations — trust exploitation undermines Art. 14 effectiveness"
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
"framework": "EU AI Act",
|
|
96
|
+
"control_id": "Chatbots and AI-generated content must disclose AI nature",
|
|
97
|
+
"control_name": "Art. 50 — Transparency for certain AI systems",
|
|
98
|
+
"tier": "Foundational",
|
|
99
|
+
"scope": "Both",
|
|
100
|
+
"notes": "All agent-user interactions require AI disclosure — universal obligation"
|
|
101
|
+
},
|
|
102
|
+
{
|
|
103
|
+
"framework": "ISO/IEC 27001:2022",
|
|
104
|
+
"control_id": "A.6.3",
|
|
105
|
+
"control_name": "Information security awareness, education and training",
|
|
106
|
+
"tier": "Foundational",
|
|
107
|
+
"scope": "Both",
|
|
108
|
+
"notes": "All users of agentic decision-support tools trained on AI limitations — verification requirements, how to identify manipulation"
|
|
109
|
+
},
|
|
110
|
+
{
|
|
111
|
+
"framework": "ISO/IEC 27001:2022",
|
|
112
|
+
"control_id": "A.5.36",
|
|
113
|
+
"control_name": "Compliance with policies",
|
|
114
|
+
"tier": "Foundational",
|
|
115
|
+
"scope": "Both",
|
|
116
|
+
"notes": "Policy on agentic AI advisory use — domains requiring verification, approval flow independence from agent interface"
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
"framework": "ISO/IEC 27001:2022",
|
|
120
|
+
"control_id": "A.8.16",
|
|
121
|
+
"control_name": "Monitoring activities",
|
|
122
|
+
"tier": "Foundational",
|
|
123
|
+
"scope": "Both",
|
|
124
|
+
"notes": "Aggregate over-trust patterns monitored — systematic operator acceptance without verification detected"
|
|
125
|
+
},
|
|
126
|
+
{
|
|
127
|
+
"framework": "ISO/IEC 27001:2022",
|
|
128
|
+
"control_id": "A.5.12",
|
|
129
|
+
"control_name": "Classification of information",
|
|
130
|
+
"tier": "Foundational",
|
|
131
|
+
"scope": "Both",
|
|
132
|
+
"notes": "Agent advisory output classified — users cannot mistake model recommendations for authoritative system content"
|
|
133
|
+
},
|
|
134
|
+
{
|
|
135
|
+
"framework": "ISO/IEC 42001:2023",
|
|
136
|
+
"control_id": "A.5.2",
|
|
137
|
+
"control_name": "Impact assessment",
|
|
138
|
+
"tier": "Foundational",
|
|
139
|
+
"scope": "Both",
|
|
140
|
+
"notes": "Trust exploitation impact assessed — which persons are affected by AI decisions influenced by manipulated trust"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"framework": "ISO/IEC 42001:2023",
|
|
144
|
+
"control_id": "A.8.1",
|
|
145
|
+
"control_name": "Information for interested parties",
|
|
146
|
+
"tier": "Foundational",
|
|
147
|
+
"scope": "Both",
|
|
148
|
+
"notes": "AI system transparency obligations — users informed of AI nature, advisory status, limitations, EU AI Act Art. 50 alignment"
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
"framework": "ISO/IEC 42001:2023",
|
|
152
|
+
"control_id": "A.9.1",
|
|
153
|
+
"control_name": "Use of AI systems",
|
|
154
|
+
"tier": "Foundational",
|
|
155
|
+
"scope": "Both",
|
|
156
|
+
"notes": "Guidance on appropriate use — domains requiring human verification, how to distinguish AI advisory from authoritative content"
|
|
157
|
+
},
|
|
158
|
+
{
|
|
159
|
+
"framework": "ISO/IEC 42001:2023",
|
|
160
|
+
"control_id": "Cl.5",
|
|
161
|
+
"control_name": "Policy",
|
|
162
|
+
"tier": "Foundational",
|
|
163
|
+
"scope": "Both",
|
|
164
|
+
"notes": "Leadership commitment to AI transparency — AI disclosure and advisory labelling requirements in AI policy"
|
|
165
|
+
},
|
|
166
|
+
{
|
|
167
|
+
"framework": "CIS Controls v8.1",
|
|
168
|
+
"control_id": "14.1 Establish security awareness programme",
|
|
169
|
+
"control_name": "CIS 14 — Security Awareness and Skills Training",
|
|
170
|
+
"tier": "Foundational",
|
|
171
|
+
"scope": "Both",
|
|
172
|
+
"notes": "All users of agentic tools trained on AI limitations — verification requirements, how to identify manipulation"
|
|
173
|
+
},
|
|
174
|
+
{
|
|
175
|
+
"framework": "CIS Controls v8.1",
|
|
176
|
+
"control_id": "17.1 Designate personnel for incident response",
|
|
177
|
+
"control_name": "CIS 17 — Incident Response",
|
|
178
|
+
"tier": "Foundational",
|
|
179
|
+
"scope": "Both",
|
|
180
|
+
"notes": "Defined response for trust exploitation incidents — operator retraining, pattern audit, interface redesign"
|
|
181
|
+
},
|
|
182
|
+
{
|
|
183
|
+
"framework": "CIS Controls v8.1",
|
|
184
|
+
"control_id": "5.4 Restrict administrator privileges",
|
|
185
|
+
"control_name": "CIS 5 — Account Management",
|
|
186
|
+
"tier": "Foundational",
|
|
187
|
+
"scope": "Both",
|
|
188
|
+
"notes": "Approval flows independent of agent interface — sensitive approvals cannot be completed via agent chat"
|
|
189
|
+
},
|
|
190
|
+
{
|
|
191
|
+
"framework": "CIS Controls v8.1",
|
|
192
|
+
"control_id": "8.5 Collect detailed audit logs",
|
|
193
|
+
"control_name": "CIS 8 — Audit Log Management",
|
|
194
|
+
"tier": "Foundational",
|
|
195
|
+
"scope": "Both",
|
|
196
|
+
"notes": "Agent-influenced operator decisions logged — aggregate over-trust patterns detectable"
|
|
197
|
+
},
|
|
198
|
+
{
|
|
199
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
200
|
+
"control_id": "V11.1.1",
|
|
201
|
+
"control_name": "Verify business logic assumptions documented",
|
|
202
|
+
"tier": "Foundational",
|
|
203
|
+
"scope": "Both",
|
|
204
|
+
"notes": "AI advisory limitations documented as business logic assumptions — verification requirements per domain"
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
208
|
+
"control_id": "V5.2.1",
|
|
209
|
+
"control_name": "Verify outputs encoded before rendering",
|
|
210
|
+
"tier": "Foundational",
|
|
211
|
+
"scope": "Both",
|
|
212
|
+
"notes": "Agent advisory outputs clearly labelled — users cannot mistake AI output for authoritative content"
|
|
213
|
+
},
|
|
214
|
+
{
|
|
215
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
216
|
+
"control_id": "V7.4.1",
|
|
217
|
+
"control_name": "Verify all security controls logged",
|
|
218
|
+
"tier": "Foundational",
|
|
219
|
+
"scope": "Both",
|
|
220
|
+
"notes": "Agent-influenced operator decisions logged — aggregate patterns detectable"
|
|
221
|
+
},
|
|
222
|
+
{
|
|
223
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
224
|
+
"control_id": "V13.1.3",
|
|
225
|
+
"control_name": "Verify API rejects large unexpected payloads",
|
|
226
|
+
"tier": "Foundational",
|
|
227
|
+
"scope": "Both",
|
|
228
|
+
"notes": "Approval flows independent of agent interface — no state-changing approvals via agent chat"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"framework": "ISA/IEC 62443",
|
|
232
|
+
"control_id": "SR 2.3",
|
|
233
|
+
"control_name": "Use control",
|
|
234
|
+
"tier": "Foundational",
|
|
235
|
+
"scope": "Both",
|
|
236
|
+
"notes": "LLM advisory outputs clearly distinguished from authoritative documentation — source always visible"
|
|
237
|
+
},
|
|
238
|
+
{
|
|
239
|
+
"framework": "ISA/IEC 62443",
|
|
240
|
+
"control_id": "SR 6.2",
|
|
241
|
+
"control_name": "Timely response to events",
|
|
242
|
+
"tier": "Foundational",
|
|
243
|
+
"scope": "Both",
|
|
244
|
+
"notes": "Procedures for detecting operator over-trust patterns — aggregate analysis of agent-influenced decisions"
|
|
245
|
+
},
|
|
246
|
+
{
|
|
247
|
+
"framework": "ISA/IEC 62443",
|
|
248
|
+
"control_id": "SR 3.1",
|
|
249
|
+
"control_name": "Software and information integrity",
|
|
250
|
+
"tier": "Foundational",
|
|
251
|
+
"scope": "Both",
|
|
252
|
+
"notes": "Agent recommendations for safety-relevant decisions cross-validated against independent reference"
|
|
253
|
+
},
|
|
254
|
+
{
|
|
255
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
256
|
+
"control_id": "ICS vulnerabilities",
|
|
257
|
+
"control_name": "§5.3",
|
|
258
|
+
"tier": "Foundational",
|
|
259
|
+
"scope": "Both",
|
|
260
|
+
"notes": "Inadequate human oversight cited as OT vulnerability category"
|
|
261
|
+
},
|
|
262
|
+
{
|
|
263
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
264
|
+
"control_id": "Risk assessment",
|
|
265
|
+
"control_name": "§6.2",
|
|
266
|
+
"tier": "Foundational",
|
|
267
|
+
"scope": "Both",
|
|
268
|
+
"notes": "Quantify consequences of unsupervised agent OT actions"
|
|
269
|
+
},
|
|
270
|
+
{
|
|
271
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
272
|
+
"control_id": "OT security programme",
|
|
273
|
+
"control_name": "§8.2",
|
|
274
|
+
"tier": "Foundational",
|
|
275
|
+
"scope": "Both",
|
|
276
|
+
"notes": "Governance policy for autonomous OT systems"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"framework": "NIST CSF 2.0",
|
|
280
|
+
"control_id": "GV.OC-01",
|
|
281
|
+
"control_name": "Organisational Context",
|
|
282
|
+
"tier": "Foundational",
|
|
283
|
+
"scope": "Both",
|
|
284
|
+
"notes": "Policy requires AI disclosure and advisory labelling — agent transparency as a governance requirement"
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"framework": "NIST CSF 2.0",
|
|
288
|
+
"control_id": "PR.AT-01",
|
|
289
|
+
"control_name": "Awareness and Training",
|
|
290
|
+
"tier": "Foundational",
|
|
291
|
+
"scope": "Both",
|
|
292
|
+
"notes": "Users trained on AI limitations — operators understand agent advisory status and verification requirements"
|
|
293
|
+
},
|
|
294
|
+
{
|
|
295
|
+
"framework": "NIST CSF 2.0",
|
|
296
|
+
"control_id": "DE.CM-09",
|
|
297
|
+
"control_name": "Continuous Monitoring",
|
|
298
|
+
"tier": "Foundational",
|
|
299
|
+
"scope": "Both",
|
|
300
|
+
"notes": "Monitoring for aggregate over-trust patterns — systematic operator acceptance without verification detected"
|
|
301
|
+
},
|
|
302
|
+
{
|
|
303
|
+
"framework": "NIST CSF 2.0",
|
|
304
|
+
"control_id": "RS.CO-03",
|
|
305
|
+
"control_name": "Communication",
|
|
306
|
+
"tier": "Foundational",
|
|
307
|
+
"scope": "Both",
|
|
308
|
+
"notes": "Information shared following incidents — trust exploitation incidents reported to affected users"
|
|
309
|
+
},
|
|
310
|
+
{
|
|
311
|
+
"framework": "SOC 2",
|
|
312
|
+
"control_id": "AI disclosure policy — users informed when interacting with AI agents; deceptive design patterns prohibited",
|
|
313
|
+
"control_name": "CC5.3",
|
|
314
|
+
"tier": "Foundational",
|
|
315
|
+
"scope": "Both",
|
|
316
|
+
"notes": "AI disclosure policy, UI evidence"
|
|
317
|
+
},
|
|
318
|
+
{
|
|
319
|
+
"framework": "SOC 2",
|
|
320
|
+
"control_id": "Trust exploitation risk in risk assessment — social engineering, impersonation, false urgency scenarios documented",
|
|
321
|
+
"control_name": "CC3.3",
|
|
322
|
+
"tier": "Foundational",
|
|
323
|
+
"scope": "Both",
|
|
324
|
+
"notes": "Risk register with trust exploitation entries"
|
|
325
|
+
},
|
|
326
|
+
{
|
|
327
|
+
"framework": "SOC 2",
|
|
328
|
+
"control_id": "Agent outputs are accurate and complete — outputs not designed to mislead; factual accuracy controls for high-stakes outputs",
|
|
329
|
+
"control_name": "PI1.3",
|
|
330
|
+
"tier": "Foundational",
|
|
331
|
+
"scope": "Both",
|
|
332
|
+
"notes": "Output quality controls, factual accuracy testing"
|
|
333
|
+
},
|
|
334
|
+
{
|
|
335
|
+
"framework": "SOC 2",
|
|
336
|
+
"control_id": "Accuracy of personal data in AI outputs — privacy criteria require that AI-generated information about individuals is accurate",
|
|
337
|
+
"control_name": "P7.1",
|
|
338
|
+
"tier": "Foundational",
|
|
339
|
+
"scope": "Both",
|
|
340
|
+
"notes": "Accuracy review procedures"
|
|
341
|
+
},
|
|
342
|
+
{
|
|
343
|
+
"framework": "PCI DSS v4.0",
|
|
344
|
+
"control_id": "Security awareness covers AI deception — staff trained to recognise AI impersonation and social engineering",
|
|
345
|
+
"control_name": "Req 12.6",
|
|
346
|
+
"tier": "Foundational",
|
|
347
|
+
"scope": "Both",
|
|
348
|
+
"notes": "Training curriculum, completion records"
|
|
349
|
+
},
|
|
350
|
+
{
|
|
351
|
+
"framework": "PCI DSS v4.0",
|
|
352
|
+
"control_id": "Honest design requirements for agent interactions — AI disclosure requirements in secure development policy",
|
|
353
|
+
"control_name": "Req 6.2",
|
|
354
|
+
"tier": "Foundational",
|
|
355
|
+
"scope": "Both",
|
|
356
|
+
"notes": "Secure development policy, design review records"
|
|
357
|
+
},
|
|
358
|
+
{
|
|
359
|
+
"framework": "PCI DSS v4.0",
|
|
360
|
+
"control_id": "Agent-human interaction events logged — session records for agent interactions involving CHD decisions",
|
|
361
|
+
"control_name": "Req 10.2",
|
|
362
|
+
"tier": "Foundational",
|
|
363
|
+
"scope": "Both",
|
|
364
|
+
"notes": "Interaction audit log"
|
|
365
|
+
},
|
|
366
|
+
{
|
|
367
|
+
"framework": "PCI DSS v4.0",
|
|
368
|
+
"control_id": "Trust exploitation risk analysis — targeted risk analysis documents scenarios and treatment",
|
|
369
|
+
"control_name": "Req 12.3",
|
|
370
|
+
"tier": "Foundational",
|
|
371
|
+
"scope": "Both",
|
|
372
|
+
"notes": "Risk analysis documentation"
|
|
373
|
+
},
|
|
374
|
+
{
|
|
375
|
+
"framework": "ENISA Multilayer Framework",
|
|
376
|
+
"control_id": "L2",
|
|
377
|
+
"control_name": "Governance and Risk (GOV)",
|
|
378
|
+
"tier": "Foundational",
|
|
379
|
+
"scope": "Both",
|
|
380
|
+
"notes": "Users informed when interacting with AI agents — disclosure requirements, impersonation prohibitions, accountability for agent outputs"
|
|
381
|
+
},
|
|
382
|
+
{
|
|
383
|
+
"framework": "ENISA Multilayer Framework",
|
|
384
|
+
"control_id": "L2",
|
|
385
|
+
"control_name": "AI System Integrity (ASI)",
|
|
386
|
+
"tier": "Foundational",
|
|
387
|
+
"scope": "Both",
|
|
388
|
+
"notes": "AI system integrity testing includes deceptive output scenarios — social engineering, false urgency, impersonation tested before deployment"
|
|
389
|
+
},
|
|
390
|
+
{
|
|
391
|
+
"framework": "ENISA Multilayer Framework",
|
|
392
|
+
"control_id": "L2",
|
|
393
|
+
"control_name": "Monitoring and Detection (MON)",
|
|
394
|
+
"tier": "Foundational",
|
|
395
|
+
"scope": "Both",
|
|
396
|
+
"notes": "Agent outputs monitored for deceptive content patterns — AI-specific detection for impersonation and social engineering indicators"
|
|
397
|
+
},
|
|
398
|
+
{
|
|
399
|
+
"framework": "ENISA Multilayer Framework",
|
|
400
|
+
"control_id": "L1",
|
|
401
|
+
"control_name": "General ICT — Governance",
|
|
402
|
+
"tier": "Foundational",
|
|
403
|
+
"scope": "Both",
|
|
404
|
+
"notes": "Acceptable use policy covers agent interaction design — deceptive design patterns prohibited"
|
|
405
|
+
},
|
|
406
|
+
{
|
|
407
|
+
"framework": "OWASP SAMM v2.0",
|
|
408
|
+
"control_id": "G-SM",
|
|
409
|
+
"control_name": "Governance / Strategy & Metrics",
|
|
410
|
+
"tier": "Foundational",
|
|
411
|
+
"scope": "Both",
|
|
412
|
+
"notes": "Define maximum autonomy scope per agent class; mandate oversight gates"
|
|
413
|
+
},
|
|
414
|
+
{
|
|
415
|
+
"framework": "OWASP SAMM v2.0",
|
|
416
|
+
"control_id": "D-SA",
|
|
417
|
+
"control_name": "Design / Security Architecture",
|
|
418
|
+
"tier": "Foundational",
|
|
419
|
+
"scope": "Both",
|
|
420
|
+
"notes": "Design confirmation gate pattern for all high-impact actions"
|
|
421
|
+
},
|
|
422
|
+
{
|
|
423
|
+
"framework": "OWASP SAMM v2.0",
|
|
424
|
+
"control_id": "O-IM",
|
|
425
|
+
"control_name": "Operations / Incident Management",
|
|
426
|
+
"tier": "Foundational",
|
|
427
|
+
"scope": "Both",
|
|
428
|
+
"notes": "Alert when agent executes high-impact actions without confirmation"
|
|
429
|
+
},
|
|
430
|
+
{
|
|
431
|
+
"framework": "OWASP SAMM v2.0",
|
|
432
|
+
"control_id": "O-OM",
|
|
433
|
+
"control_name": "Operations / Operational Management",
|
|
434
|
+
"tier": "Foundational",
|
|
435
|
+
"scope": "Both",
|
|
436
|
+
"notes": "Immutable audit log of all autonomous actions for post-hoc review"
|
|
437
|
+
},
|
|
438
|
+
{
|
|
439
|
+
"framework": "OWASP SAMM v2.0",
|
|
440
|
+
"control_id": "G-EG",
|
|
441
|
+
"control_name": "Governance / Education & Guidance",
|
|
442
|
+
"tier": "Foundational",
|
|
443
|
+
"scope": "Both",
|
|
444
|
+
"notes": "Operators understand when to intervene and how to trigger override"
|
|
445
|
+
},
|
|
446
|
+
{
|
|
447
|
+
"framework": "CWE/CVE",
|
|
448
|
+
"control_id": "Permissive List of Allowed Inputs",
|
|
449
|
+
"control_name": "CWE-183",
|
|
450
|
+
"tier": "Foundational",
|
|
451
|
+
"scope": "Both",
|
|
452
|
+
"notes": "System accepts human-like agent output without disclosure requirements"
|
|
453
|
+
},
|
|
454
|
+
{
|
|
455
|
+
"framework": "CWE/CVE",
|
|
456
|
+
"control_id": "User Interface Misrepresentation of Critical Information",
|
|
457
|
+
"control_name": "CWE-451",
|
|
458
|
+
"tier": "Foundational",
|
|
459
|
+
"scope": "Both",
|
|
460
|
+
"notes": "Agent advisory output not clearly distinguished from authoritative system information in UI"
|
|
461
|
+
},
|
|
462
|
+
{
|
|
463
|
+
"framework": "CWE/CVE",
|
|
464
|
+
"control_id": "Origin Validation Error",
|
|
465
|
+
"control_name": "CWE-346",
|
|
466
|
+
"tier": "Foundational",
|
|
467
|
+
"scope": "Both",
|
|
468
|
+
"notes": "User cannot determine whether advice originates from AI or human — no origin verification"
|
|
469
|
+
},
|
|
470
|
+
{
|
|
471
|
+
"framework": "CWE/CVE",
|
|
472
|
+
"control_id": "Improper Verification of Source of a Communication Channel",
|
|
473
|
+
"control_name": "CWE-940",
|
|
474
|
+
"tier": "Foundational",
|
|
475
|
+
"scope": "Both",
|
|
476
|
+
"notes": "User cannot verify the agent is operating under its stated configuration"
|
|
477
|
+
},
|
|
478
|
+
{
|
|
479
|
+
"framework": "CWE/CVE",
|
|
480
|
+
"control_id": "Exposure of Sensitive Information to an Unauthorised Actor",
|
|
481
|
+
"control_name": "CWE-200",
|
|
482
|
+
"tier": "Foundational",
|
|
483
|
+
"scope": "Both",
|
|
484
|
+
"notes": "System prompt and agent configuration not protected — extraction enables targeted trust exploitation"
|
|
485
|
+
},
|
|
486
|
+
{
|
|
487
|
+
"framework": "OWASP AI Testing Guide",
|
|
488
|
+
"control_id": "AI disclosure enforcement",
|
|
489
|
+
"control_name": "MBT — Model Behaviour",
|
|
490
|
+
"tier": "Foundational",
|
|
491
|
+
"scope": "Both",
|
|
492
|
+
"notes": "Verify agent identifies as AI in all interface contexts; test for identity concealment"
|
|
493
|
+
},
|
|
494
|
+
{
|
|
495
|
+
"framework": "OWASP AI Testing Guide",
|
|
496
|
+
"control_id": "Advisory label persistence",
|
|
497
|
+
"control_name": "OHT — Output Handling",
|
|
498
|
+
"tier": "Foundational",
|
|
499
|
+
"scope": "Both",
|
|
500
|
+
"notes": "Verify advisory labels persist through all rendering environments"
|
|
501
|
+
},
|
|
502
|
+
{
|
|
503
|
+
"framework": "OWASP AI Testing Guide",
|
|
504
|
+
"control_id": "Over-trust pattern detection",
|
|
505
|
+
"control_name": "LMT — Logging & Monitoring",
|
|
506
|
+
"tier": "Foundational",
|
|
507
|
+
"scope": "Both",
|
|
508
|
+
"notes": "Verify monitoring can detect aggregate patterns of uncritical operator acceptance"
|
|
509
|
+
},
|
|
510
|
+
{
|
|
511
|
+
"framework": "MAESTRO",
|
|
512
|
+
"control_id": "L1",
|
|
513
|
+
"control_name": "Foundation Models",
|
|
514
|
+
"tier": "Foundational",
|
|
515
|
+
"scope": "Both"
|
|
516
|
+
},
|
|
517
|
+
{
|
|
518
|
+
"framework": "MAESTRO",
|
|
519
|
+
"control_id": "L7",
|
|
520
|
+
"control_name": "Agent Ecosystem",
|
|
521
|
+
"tier": "Foundational",
|
|
522
|
+
"scope": "Both"
|
|
523
|
+
},
|
|
524
|
+
{
|
|
525
|
+
"framework": "MAESTRO",
|
|
526
|
+
"control_id": "L6",
|
|
527
|
+
"control_name": "Security & Compliance",
|
|
528
|
+
"tier": "Foundational",
|
|
529
|
+
"scope": "Both"
|
|
530
|
+
},
|
|
531
|
+
{
|
|
532
|
+
"framework": "AIUC-1",
|
|
533
|
+
"control_id": "C",
|
|
534
|
+
"control_name": "Safety (full domain)",
|
|
535
|
+
"tier": "Foundational",
|
|
536
|
+
"scope": "Both"
|
|
537
|
+
},
|
|
538
|
+
{
|
|
539
|
+
"framework": "AIUC-1",
|
|
540
|
+
"control_id": "F",
|
|
541
|
+
"control_name": "Society (full domain)",
|
|
542
|
+
"tier": "Foundational",
|
|
543
|
+
"scope": "Both"
|
|
544
|
+
},
|
|
545
|
+
{
|
|
546
|
+
"framework": "AIUC-1",
|
|
547
|
+
"control_id": "B009",
|
|
548
|
+
"control_name": "Limit output over-exposure",
|
|
549
|
+
"tier": "Foundational",
|
|
550
|
+
"scope": "Both"
|
|
551
|
+
},
|
|
552
|
+
{
|
|
553
|
+
"framework": "AIUC-1",
|
|
554
|
+
"control_id": "E",
|
|
555
|
+
"control_name": "Accountability (full domain)",
|
|
556
|
+
"tier": "Foundational",
|
|
557
|
+
"scope": "Both"
|
|
558
|
+
},
|
|
559
|
+
{
|
|
560
|
+
"framework": "OWASP NHI Top 10",
|
|
561
|
+
"control_id": "Humans using agent credentials — or agents using human credentials — destroys attribution",
|
|
562
|
+
"control_name": "NHI-10 Human Use of NHI",
|
|
563
|
+
"tier": "Foundational",
|
|
564
|
+
"scope": "Both",
|
|
565
|
+
"notes": "Strict separation: agent credentials machine-only, human credentials human-only"
|
|
566
|
+
},
|
|
567
|
+
{
|
|
568
|
+
"framework": "OWASP NHI Top 10",
|
|
569
|
+
"control_id": "Over-privileged agent identity makes its recommendations appear more authoritative to users",
|
|
570
|
+
"control_name": "NHI-5 Over-Privileged NHI",
|
|
571
|
+
"tier": "Foundational",
|
|
572
|
+
"scope": "Both",
|
|
573
|
+
"notes": "Least privilege makes agent capabilities visible and bounded — users understand what the agent can actually do"
|
|
574
|
+
},
|
|
575
|
+
{
|
|
576
|
+
"framework": "NIST SP 800-218A",
|
|
577
|
+
"control_id": "Review agent behaviour for emergent capabilities — verify that self-modification, dynamic tool discovery, and autonomous agent spawning do not create unintended security exposures",
|
|
578
|
+
"control_name": "PW.7.2-PS – Review the software for security vulnerabilities",
|
|
579
|
+
"tier": "Foundational",
|
|
580
|
+
"scope": "Both",
|
|
581
|
+
"notes": "Catches emergent pattern risks before production"
|
|
582
|
+
},
|
|
583
|
+
{
|
|
584
|
+
"framework": "NIST SP 800-218A",
|
|
585
|
+
"control_id": "Conduct adversarial testing targeting emerging agentic patterns — self-evolution, prompt self-modification, autonomous tool acquisition, and dynamic agent creation",
|
|
586
|
+
"control_name": "PW.8.2-PS – Test for security vulnerabilities",
|
|
587
|
+
"tier": "Foundational",
|
|
588
|
+
"scope": "Both",
|
|
589
|
+
"notes": "Validates controls against novel attack surfaces"
|
|
590
|
+
},
|
|
591
|
+
{
|
|
592
|
+
"framework": "NIST SP 800-218A",
|
|
593
|
+
"control_id": "Establish monitoring for emergent agent behaviours — detect agents acquiring new capabilities, modifying their own definitions, or spawning sub-agents outside approved patterns",
|
|
594
|
+
"control_name": "RV.1.1-PS – Identify and confirm vulnerabilities",
|
|
595
|
+
"tier": "Foundational",
|
|
596
|
+
"scope": "Both",
|
|
597
|
+
"notes": "Enables detection of emerging risks in production"
|
|
598
|
+
},
|
|
599
|
+
{
|
|
600
|
+
"framework": "NIST SP 800-218A",
|
|
601
|
+
"control_id": "When incidents involve novel agentic patterns, conduct root cause analysis focused on understanding the emergent capability and its security implications",
|
|
602
|
+
"control_name": "RV.3.1-PS – Analyse root causes",
|
|
603
|
+
"tier": "Foundational",
|
|
604
|
+
"scope": "Both",
|
|
605
|
+
"notes": "Builds organisational knowledge of emerging agentic risks"
|
|
606
|
+
},
|
|
607
|
+
{
|
|
608
|
+
"framework": "FedRAMP",
|
|
609
|
+
"control_id": "CA-7",
|
|
610
|
+
"control_name": "Continuous Monitoring — novel pattern detection",
|
|
611
|
+
"tier": "Foundational",
|
|
612
|
+
"scope": "Both",
|
|
613
|
+
"notes": "Include monitoring for novel agentic behaviour patterns in FedRAMP continuous monitoring; track for unexpected capabilities, emergent behaviours, and architectural drift"
|
|
614
|
+
},
|
|
615
|
+
{
|
|
616
|
+
"framework": "FedRAMP",
|
|
617
|
+
"control_id": "RA-5",
|
|
618
|
+
"control_name": "Vulnerability Scanning — emerging attack surfaces",
|
|
619
|
+
"tier": "Foundational",
|
|
620
|
+
"scope": "Both",
|
|
621
|
+
"notes": "Include emerging agentic attack surfaces in vulnerability scanning; assess novel architectures for security implications before production deployment"
|
|
622
|
+
},
|
|
623
|
+
{
|
|
624
|
+
"framework": "FedRAMP",
|
|
625
|
+
"control_id": "SI-4",
|
|
626
|
+
"control_name": "System Monitoring — unexpected behaviour detection",
|
|
627
|
+
"tier": "Foundational",
|
|
628
|
+
"scope": "Both",
|
|
629
|
+
"notes": "Monitor agent systems for unexpected behaviour — novel tool use patterns, unanticipated goal decomposition, and emergent inter-agent coordination"
|
|
630
|
+
},
|
|
631
|
+
{
|
|
632
|
+
"framework": "FedRAMP",
|
|
633
|
+
"control_id": "AU-6",
|
|
634
|
+
"control_name": "Audit Review — agent decision review",
|
|
635
|
+
"tier": "Foundational",
|
|
636
|
+
"scope": "Both",
|
|
637
|
+
"notes": "Conduct regular audit review of agent decision logs; identify patterns indicative of unexpected capabilities or emergent behaviours requiring security assessment"
|
|
638
|
+
},
|
|
639
|
+
{
|
|
640
|
+
"framework": "DORA",
|
|
641
|
+
"control_id": "Art. 5–7",
|
|
642
|
+
"control_name": "ICT Risk Management — novel agentic risk governance",
|
|
643
|
+
"tier": "Foundational",
|
|
644
|
+
"scope": "Both",
|
|
645
|
+
"notes": "Include emerging agentic pattern risks in ICT risk management framework; assess novel architectures for operational resilience implications before deployment"
|
|
646
|
+
},
|
|
647
|
+
{
|
|
648
|
+
"framework": "DORA",
|
|
649
|
+
"control_id": "Art. 10",
|
|
650
|
+
"control_name": "Detection — unexpected behaviour monitoring",
|
|
651
|
+
"tier": "Foundational",
|
|
652
|
+
"scope": "Both",
|
|
653
|
+
"notes": "Monitor agent systems for unexpected behaviour — novel tool use patterns, unanticipated goal decomposition, and emergent inter-agent coordination"
|
|
654
|
+
},
|
|
655
|
+
{
|
|
656
|
+
"framework": "DORA",
|
|
657
|
+
"control_id": "Art. 13",
|
|
658
|
+
"control_name": "Learning and Evolving — emerging pattern assessment",
|
|
659
|
+
"tier": "Foundational",
|
|
660
|
+
"scope": "Both",
|
|
661
|
+
"notes": "Apply lessons learned from emerging agentic pattern incidents; update governance and controls as new attack techniques and defence approaches emerge"
|
|
662
|
+
},
|
|
663
|
+
{
|
|
664
|
+
"framework": "DORA",
|
|
665
|
+
"control_id": "Art. 24–27",
|
|
666
|
+
"control_name": "Resilience Testing — novel architecture testing",
|
|
667
|
+
"tier": "Foundational",
|
|
668
|
+
"scope": "Both",
|
|
669
|
+
"notes": "Include emerging agentic architecture security in resilience testing; assess novel patterns for resilience implications before production deployment"
|
|
670
|
+
}
|
|
671
|
+
],
|
|
672
|
+
"tools": [
|
|
673
|
+
{
|
|
674
|
+
"name": "Guardrails AI",
|
|
675
|
+
"type": "open-source",
|
|
676
|
+
"url": "https://github.com/guardrails-ai/guardrails"
|
|
677
|
+
},
|
|
678
|
+
{
|
|
679
|
+
"name": "Nozomi Networks",
|
|
680
|
+
"type": "commercial",
|
|
681
|
+
"url": "https://www.nozominetworks.com"
|
|
682
|
+
},
|
|
683
|
+
{
|
|
684
|
+
"name": "Azure AI Content Safety",
|
|
685
|
+
"type": "commercial",
|
|
686
|
+
"url": "https://azure.microsoft.com/en-us/products/ai-services/ai-content-safety"
|
|
687
|
+
},
|
|
688
|
+
{
|
|
689
|
+
"name": "Garak",
|
|
690
|
+
"type": "open-source",
|
|
691
|
+
"url": "https://github.com/leondz/garak"
|
|
692
|
+
},
|
|
693
|
+
{
|
|
694
|
+
"name": "LangSmith",
|
|
695
|
+
"type": "commercial",
|
|
696
|
+
"url": "https://smith.langchain.com"
|
|
697
|
+
},
|
|
698
|
+
{
|
|
699
|
+
"name": "OpenTelemetry",
|
|
700
|
+
"type": "open-source",
|
|
701
|
+
"url": "https://opentelemetry.io"
|
|
702
|
+
},
|
|
703
|
+
{
|
|
704
|
+
"name": "MITRE ATLAS",
|
|
705
|
+
"type": "open-source",
|
|
706
|
+
"url": "https://atlas.mitre.org"
|
|
707
|
+
},
|
|
708
|
+
{
|
|
709
|
+
"name": "PyRIT",
|
|
710
|
+
"type": "open-source",
|
|
711
|
+
"url": "https://github.com/Azure/PyRIT"
|
|
712
|
+
}
|
|
713
|
+
],
|
|
714
|
+
"incidents": [
|
|
715
|
+
{
|
|
716
|
+
"name": "Multi-agent financial trading system flash crash — cascading autonomous failures",
|
|
717
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
718
|
+
"year": 2025,
|
|
719
|
+
"incident_id": "INC-041"
|
|
720
|
+
},
|
|
721
|
+
{
|
|
722
|
+
"name": "Apollo Research: frontier models demonstrate strategic deception to avoid shutdown",
|
|
723
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
724
|
+
"year": 2024,
|
|
725
|
+
"incident_id": "INC-047"
|
|
726
|
+
},
|
|
727
|
+
{
|
|
728
|
+
"name": "AI companion apps: manipulation and exploitation of human-agent trust",
|
|
729
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
730
|
+
"year": 2025,
|
|
731
|
+
"incident_id": "INC-048"
|
|
732
|
+
}
|
|
733
|
+
],
|
|
734
|
+
"crossrefs": {
|
|
735
|
+
"llm_top10": [
|
|
736
|
+
"LLM09",
|
|
737
|
+
"LLM06"
|
|
738
|
+
],
|
|
739
|
+
"dsgai_2026": [
|
|
740
|
+
"DSGAI21",
|
|
741
|
+
"DSGAI04",
|
|
742
|
+
"DSGAI06",
|
|
743
|
+
"DSGAI18"
|
|
744
|
+
]
|
|
745
|
+
},
|
|
746
|
+
"changelog": [
|
|
747
|
+
{
|
|
748
|
+
"date": "2026-03-27",
|
|
749
|
+
"version": "1.0.0",
|
|
750
|
+
"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
|
|
751
|
+
"author": "emmanuelgjr"
|
|
752
|
+
}
|
|
753
|
+
]
|
|
754
|
+
}
|