genai-security-crosswalk 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/LICENSE.md +28 -0
  2. package/README.md +618 -0
  3. package/data/entries/ASI01.json +911 -0
  4. package/data/entries/ASI02.json +850 -0
  5. package/data/entries/ASI03.json +854 -0
  6. package/data/entries/ASI04.json +759 -0
  7. package/data/entries/ASI05.json +764 -0
  8. package/data/entries/ASI06.json +817 -0
  9. package/data/entries/ASI07.json +789 -0
  10. package/data/entries/ASI08.json +788 -0
  11. package/data/entries/ASI09.json +754 -0
  12. package/data/entries/ASI10.json +833 -0
  13. package/data/entries/DSGAI01.json +779 -0
  14. package/data/entries/DSGAI02.json +728 -0
  15. package/data/entries/DSGAI03.json +671 -0
  16. package/data/entries/DSGAI04.json +752 -0
  17. package/data/entries/DSGAI05.json +689 -0
  18. package/data/entries/DSGAI06.json +673 -0
  19. package/data/entries/DSGAI07.json +680 -0
  20. package/data/entries/DSGAI08.json +698 -0
  21. package/data/entries/DSGAI09.json +687 -0
  22. package/data/entries/DSGAI10.json +627 -0
  23. package/data/entries/DSGAI11.json +663 -0
  24. package/data/entries/DSGAI12.json +695 -0
  25. package/data/entries/DSGAI13.json +688 -0
  26. package/data/entries/DSGAI14.json +703 -0
  27. package/data/entries/DSGAI15.json +655 -0
  28. package/data/entries/DSGAI16.json +716 -0
  29. package/data/entries/DSGAI17.json +690 -0
  30. package/data/entries/DSGAI18.json +613 -0
  31. package/data/entries/DSGAI19.json +638 -0
  32. package/data/entries/DSGAI20.json +671 -0
  33. package/data/entries/DSGAI21.json +881 -0
  34. package/data/entries/LLM01.json +975 -0
  35. package/data/entries/LLM02.json +868 -0
  36. package/data/entries/LLM03.json +817 -0
  37. package/data/entries/LLM04.json +797 -0
  38. package/data/entries/LLM05.json +761 -0
  39. package/data/entries/LLM06.json +848 -0
  40. package/data/entries/LLM07.json +749 -0
  41. package/data/entries/LLM08.json +750 -0
  42. package/data/entries/LLM09.json +760 -0
  43. package/data/entries/LLM10.json +763 -0
  44. package/data/incidents-schema.json +121 -0
  45. package/data/incidents.json +1484 -0
  46. package/data/schema.json +134 -0
  47. package/dist/index.d.ts +97 -0
  48. package/dist/index.d.ts.map +1 -0
  49. package/dist/index.js +124 -0
  50. package/dist/index.js.map +1 -0
  51. package/dist/index.test.d.ts +2 -0
  52. package/dist/index.test.d.ts.map +1 -0
  53. package/dist/index.test.js +97 -0
  54. package/dist/index.test.js.map +1 -0
  55. package/package.json +62 -0
package/data/entries/ASI10.json ADDED
@@ -0,0 +1,833 @@
1
+ {
2
+ "id": "ASI10",
3
+ "name": "Rogue Agents",
4
+ "source_list": "Agentic-Top10-2026",
5
+ "version": "2026-Q1",
6
+ "severity": "Critical",
7
+ "aivss_score": 9.7,
8
+ "audience": [
9
+ "red-teamer",
10
+ "security-engineer",
11
+ "ml-engineer",
12
+ "ot-engineer",
13
+ "ciso",
14
+ "compliance",
15
+ "auditor",
16
+ "developer"
17
+ ],
18
+ "mappings": [
19
+ {
20
+ "framework": "MITRE ATLAS",
21
+ "control_id": "AML.T0054",
22
+ "control_name": "LLM Jailbreak",
23
+ "tier": "Hardening",
24
+ "scope": "Both",
25
+ "url": "https://atlas.mitre.org/techniques/AML.T0054",
26
+ "notes": "Persistent override of agent safety constraints enabling hidden goal execution"
27
+ },
28
+ {
29
+ "framework": "MITRE ATLAS",
30
+ "control_id": "AML.T0015",
31
+ "control_name": "LLM Capability Escalation",
32
+ "tier": "Hardening",
33
+ "scope": "Both",
34
+ "url": "https://atlas.mitre.org/techniques/AML.T0015",
35
+ "notes": "Rogue agent gradually escalates its own capabilities and permissions over time"
36
+ },
37
+ {
38
+ "framework": "MITRE ATLAS",
39
+ "control_id": "AML.T0057",
40
+ "control_name": "Exploit Public-Facing ML Application",
41
+ "tier": "Hardening",
42
+ "scope": "Both",
43
+ "url": "https://atlas.mitre.org/techniques/AML.T0057",
44
+ "notes": "Compromised agent maintains persistent access and hidden execution across sessions"
45
+ },
46
+ {
47
+ "framework": "NIST AI RMF 1.0",
48
+ "control_id": "GV-1.7",
49
+ "control_name": "Policies for trustworthy AI",
50
+ "tier": "Hardening",
51
+ "scope": "Both",
52
+ "notes": "Policy requires behavioural monitoring of all deployed agents — rogue agent detection as a governance objective"
53
+ },
54
+ {
55
+ "framework": "NIST AI RMF 1.0",
56
+ "control_id": "MP-2.3",
57
+ "control_name": "Risk categorisation",
58
+ "tier": "Hardening",
59
+ "scope": "Both",
60
+ "notes": "Rogue agent risk categorised per deployment — detection capability, blast radius, and response procedures mapped"
61
+ },
62
+ {
63
+ "framework": "NIST AI RMF 1.0",
64
+ "control_id": "MS-2.5",
65
+ "control_name": "Testing — adversarial",
66
+ "tier": "Hardening",
67
+ "scope": "Both",
68
+ "notes": "Adversarial testing covering rogue agent scenarios — behavioural drift, persistent hidden goal detection"
69
+ },
70
+ {
71
+ "framework": "NIST AI RMF 1.0",
72
+ "control_id": "MG-2.2",
73
+ "control_name": "Risk response",
74
+ "tier": "Hardening",
75
+ "scope": "Both",
76
+ "notes": "Incident response for rogue agent — kill switch, audit procedure, operational impact assessment, root cause"
77
+ },
78
+ {
79
+ "framework": "EU AI Act",
80
+ "control_id": "Rogue agent scenarios identified and mitigated",
81
+ "control_name": "Art. 9 — Risk management",
82
+ "tier": "Hardening",
83
+ "scope": "Both",
84
+ "notes": "Rogue agent risk in Art. 9 risk management — detection capability, blast radius, response documented"
85
+ },
86
+ {
87
+ "framework": "EU AI Act",
88
+ "control_id": "Human oversight mechanisms effective against rogue behaviour",
89
+ "control_name": "Art. 14 — Human oversight",
90
+ "tier": "Hardening",
91
+ "scope": "Both",
92
+ "notes": "Kill switch and behavioural monitoring are Art. 14 human oversight requirements for agentic systems"
93
+ },
94
+ {
95
+ "framework": "EU AI Act",
96
+ "control_id": "Technical resilience against rogue agent behaviour",
97
+ "control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
98
+ "tier": "Hardening",
99
+ "scope": "Both",
100
+ "notes": "Behavioural baselines, anomaly detection, and automated suspension are Art. 15 requirements"
101
+ },
102
+ {
103
+ "framework": "EU AI Act",
104
+ "control_id": "Post-market monitoring covering rogue agent detection",
105
+ "control_name": "Art. 17 — Quality management",
106
+ "tier": "Hardening",
107
+ "scope": "Both",
108
+ "notes": "Behavioural monitoring in post-market monitoring programme"
109
+ },
110
+ {
111
+ "framework": "ISO/IEC 27001:2022",
112
+ "control_id": "A.8.16",
113
+ "control_name": "Monitoring activities",
114
+ "tier": "Hardening",
115
+ "scope": "Both",
116
+ "notes": "Behavioural baseline monitoring — deviation detection is the primary rogue agent control, new 2022 control directly applicable"
117
+ },
118
+ {
119
+ "framework": "ISO/IEC 27001:2022",
120
+ "control_id": "A.8.15",
121
+ "control_name": "Logging",
122
+ "tier": "Hardening",
123
+ "scope": "Both",
124
+ "notes": "Comprehensive audit logging of all agent actions — no production deployment without full observability"
125
+ },
126
+ {
127
+ "framework": "ISO/IEC 27001:2022",
128
+ "control_id": "A.8.2",
129
+ "control_name": "Privileged access rights",
130
+ "tier": "Hardening",
131
+ "scope": "Both",
132
+ "notes": "Scope constraints enforced — rogue agent cannot exceed permission envelope regardless of internal goal state"
133
+ },
134
+ {
135
+ "framework": "ISO/IEC 27001:2022",
136
+ "control_id": "A.5.24",
137
+ "control_name": "Information security incident management",
138
+ "tier": "Hardening",
139
+ "scope": "Both",
140
+ "notes": "Rogue agent containment as ISMS incident — kill switch, recommendation audit, process state validation, forensic capture"
141
+ },
142
+ {
143
+ "framework": "ISO/IEC 42001:2023",
144
+ "control_id": "A.6.2.3",
145
+ "control_name": "AI system security",
146
+ "tier": "Hardening",
147
+ "scope": "Both",
148
+ "notes": "Scope constraints enforced at infrastructure layer — rogue agent cannot exceed permission envelope"
149
+ },
150
+ {
151
+ "framework": "ISO/IEC 42001:2023",
152
+ "control_id": "A.6.2.8",
153
+ "control_name": "Monitoring of AI systems",
154
+ "tier": "Hardening",
155
+ "scope": "Both",
156
+ "notes": "Behavioural monitoring as AIMS operational control — baseline deviation detection is the primary rogue agent control"
157
+ },
158
+ {
159
+ "framework": "ISO/IEC 42001:2023",
160
+ "control_id": "A.6.1.2",
161
+ "control_name": "Responsible AI system management",
162
+ "tier": "Hardening",
163
+ "scope": "Both",
164
+ "notes": "Comprehensive audit logging and rogue agent containment as responsible lifecycle management obligation"
165
+ },
166
+ {
167
+ "framework": "ISO/IEC 42001:2023",
168
+ "control_id": "Cl.9",
169
+ "control_name": "Performance evaluation",
170
+ "tier": "Hardening",
171
+ "scope": "Both",
172
+ "notes": "Rogue agent detection rates and containment times in AIMS management review"
173
+ },
174
+ {
175
+ "framework": "CIS Controls v8.1",
176
+ "control_id": "8.2 Collect audit logs",
177
+ "control_name": "CIS 8 — Audit Log Management",
178
+ "tier": "Hardening",
179
+ "scope": "Both",
180
+ "notes": "Comprehensive audit logging of all agent actions — no production deployment without full observability"
181
+ },
182
+ {
183
+ "framework": "CIS Controls v8.1",
184
+ "control_id": "13.1 Centralise security event alerting",
185
+ "control_name": "CIS 13 — Network Monitoring and Defence",
186
+ "tier": "Hardening",
187
+ "scope": "Both",
188
+ "notes": "Agent behavioural anomalies centralised and alerted — rogue agent patterns detected through SIEM"
189
+ },
190
+ {
191
+ "framework": "CIS Controls v8.1",
192
+ "control_id": "17.2 Establish incident response procedures",
193
+ "control_name": "CIS 17 — Incident Response",
194
+ "tier": "Hardening",
195
+ "scope": "Both",
196
+ "notes": "Rogue agent containment as incident response procedure — kill switch, audit, state validation, forensic"
197
+ },
198
+ {
199
+ "framework": "CIS Controls v8.1",
200
+ "control_id": "18.1 Establish penetration testing",
201
+ "control_name": "CIS 18 — Penetration Testing",
202
+ "tier": "Hardening",
203
+ "scope": "Both",
204
+ "notes": "Rogue agent scenarios in penetration testing — persistent hidden goal simulation, detection verification"
205
+ },
206
+ {
207
+ "framework": "OWASP ASVS 4.0.3",
208
+ "control_id": "V7.2.1",
209
+ "control_name": "Verify access control decisions logged",
210
+ "tier": "Hardening",
211
+ "scope": "Both",
212
+ "notes": "All agent actions logged — no production deployment without complete observability"
213
+ },
214
+ {
215
+ "framework": "OWASP ASVS 4.0.3",
216
+ "control_id": "V7.2.2",
217
+ "control_name": "Verify all business logic decisions logged",
218
+ "tier": "Hardening",
219
+ "scope": "Both",
220
+ "notes": "All agent tool invocations and recommendations logged — systematic bias detectable through aggregate analysis"
221
+ },
222
+ {
223
+ "framework": "OWASP ASVS 4.0.3",
224
+ "control_id": "V11.1.2",
225
+ "control_name": "Verify business logic limits prevent abuse",
226
+ "tier": "Hardening",
227
+ "scope": "Both",
228
+ "notes": "Scope constraints as business logic controls — rogue agent cannot exceed permission envelope"
229
+ },
230
+ {
231
+ "framework": "OWASP ASVS 4.0.3",
232
+ "control_id": "V13.1.1",
233
+ "control_name": "Verify API rate limiting",
234
+ "tier": "Hardening",
235
+ "scope": "Both",
236
+ "notes": "Rate limiting prevents rogue agent from amplifying impact through API exhaustion"
237
+ },
238
+ {
239
+ "framework": "ISA/IEC 62443",
240
+ "control_id": "SR 3.7",
241
+ "control_name": "Software and information integrity (monitoring)",
242
+ "tier": "Hardening",
243
+ "scope": "Both",
244
+ "notes": "Continuous behavioural monitoring of all OT agents — deviation from established baseline detected"
245
+ },
246
+ {
247
+ "framework": "ISA/IEC 62443",
248
+ "control_id": "SR 6.1",
249
+ "control_name": "Timely response to events",
250
+ "tier": "Hardening",
251
+ "scope": "Both",
252
+ "notes": "Rogue agent indicators treated as security events — immediate suspension, investigation, OT impact assessment"
253
+ },
254
+ {
255
+ "framework": "ISA/IEC 62443",
256
+ "control_id": "SR 2.2",
257
+ "control_name": "Least privilege",
258
+ "tier": "Hardening",
259
+ "scope": "Both",
260
+ "notes": "Rogue agent cannot exceed defined permission scope even if internal goals are compromised"
261
+ },
262
+ {
263
+ "framework": "ISA/IEC 62443",
264
+ "control_id": "SR 2.6",
265
+ "control_name": "Use control enforcement",
266
+ "tier": "Hardening",
267
+ "scope": "Both",
268
+ "notes": "Rogue agent cannot load additional tools or expand its own capability scope"
269
+ },
270
+ {
271
+ "framework": "NIST SP 800-82 Rev 3",
272
+ "control_id": "Availability risks",
273
+ "control_name": "§5.6",
274
+ "tier": "Hardening",
275
+ "scope": "Both",
276
+ "notes": "Cascading failure across OT components"
277
+ },
278
+ {
279
+ "framework": "NIST SP 800-82 Rev 3",
280
+ "control_id": "Risk assessment",
281
+ "control_name": "§6.2",
282
+ "tier": "Hardening",
283
+ "scope": "Both",
284
+ "notes": "Cascade failure scenarios in OT risk register"
285
+ },
286
+ {
287
+ "framework": "NIST SP 800-82 Rev 3",
288
+ "control_id": "Security controls",
289
+ "control_name": "§7.2",
290
+ "tier": "Hardening",
291
+ "scope": "Both",
292
+ "notes": "Circuit breakers between OT automation layers"
293
+ },
294
+ {
295
+ "framework": "NIST CSF 2.0",
296
+ "control_id": "DE.CM-09",
297
+ "control_name": "Continuous Monitoring",
298
+ "tier": "Hardening",
299
+ "scope": "Both",
300
+ "notes": "Monitoring for anomalous data and software use — behavioural baseline deviation detected"
301
+ },
302
+ {
303
+ "framework": "NIST CSF 2.0",
304
+ "control_id": "DE.AE-02",
305
+ "control_name": "Adverse Event Analysis",
306
+ "tier": "Hardening",
307
+ "scope": "Both",
308
+ "notes": "Detected events analysed to understand attack targets — rogue agent patterns correlated across sessions"
309
+ },
310
+ {
311
+ "framework": "NIST CSF 2.0",
312
+ "control_id": "RS.AN-03",
313
+ "control_name": "Incident Analysis",
314
+ "tier": "Hardening",
315
+ "scope": "Both",
316
+ "notes": "Root cause analysis — what caused rogue behaviour, which sessions were affected, what was the blast radius"
317
+ },
318
+ {
319
+ "framework": "NIST CSF 2.0",
320
+ "control_id": "PR.AA-05",
321
+ "control_name": "Identity Management, Authentication & Access Control",
322
+ "tier": "Hardening",
323
+ "scope": "Both",
324
+ "notes": "Access permissions managed — rogue agent cannot exceed its permission envelope regardless of internal goal state"
325
+ },
326
+ {
327
+ "framework": "SOC 2",
328
+ "control_id": "Continuous monitoring for rogue agent behaviour — actions outside authorised scope detected and alerted",
329
+ "control_name": "CC7.2",
330
+ "tier": "Hardening",
331
+ "scope": "Both",
332
+ "notes": "Agent action audit log, anomaly alert records"
333
+ },
334
+ {
335
+ "framework": "SOC 2",
336
+ "control_id": "Access controls define authorised agent scope — technical enforcement of what agents may and may not do",
337
+ "control_name": "CC6.1",
338
+ "tier": "Hardening",
339
+ "scope": "Both",
340
+ "notes": "Permission policy, access control configuration"
341
+ },
342
+ {
343
+ "framework": "SOC 2",
344
+ "control_id": "Rogue agent risk in risk assessment — autonomous agent operating outside scope is a documented risk",
345
+ "control_name": "CC3.3",
346
+ "tier": "Hardening",
347
+ "scope": "Both",
348
+ "notes": "Risk register with rogue agent scenarios"
349
+ },
350
+ {
351
+ "framework": "SOC 2",
352
+ "control_id": "Rogue agent impact on availability — resource consumption by rogue agents does not degrade service for authorised operations",
353
+ "control_name": "A1.1",
354
+ "tier": "Hardening",
355
+ "scope": "Both",
356
+ "notes": "Resource monitoring, quota enforcement records"
357
+ },
358
+ {
359
+ "framework": "PCI DSS v4.0",
360
+ "control_id": "Agent access to CHD follows documented scope — technical controls prevent access outside defined role",
361
+ "control_name": "Req 7.2",
362
+ "tier": "Hardening",
363
+ "scope": "Both",
364
+ "notes": "Access control matrix, technical enforcement evidence"
365
+ },
366
+ {
367
+ "framework": "PCI DSS v4.0",
368
+ "control_id": "Rogue agent behaviour logged — actions outside defined scope generate audit log entries and alerts",
369
+ "control_name": "Req 10.2",
370
+ "tier": "Hardening",
371
+ "scope": "Both",
372
+ "notes": "Action audit log, out-of-scope alert records"
373
+ },
374
+ {
375
+ "framework": "PCI DSS v4.0",
376
+ "control_id": "Rogue agent scenarios in penetration test scope — test whether agents can operate outside authorised scope",
377
+ "control_name": "Req 11.3",
378
+ "tier": "Hardening",
379
+ "scope": "Both",
380
+ "notes": "Pen test report with rogue agent test cases"
381
+ },
382
+ {
383
+ "framework": "PCI DSS v4.0",
384
+ "control_id": "Rogue agent risk analysis — targeted risk analysis documents scenarios, CHD impact, treatment",
385
+ "control_name": "Req 12.3",
386
+ "tier": "Hardening",
387
+ "scope": "Both",
388
+ "notes": "Risk analysis documentation"
389
+ },
390
+ {
391
+ "framework": "ENISA Multilayer Framework",
392
+ "control_id": "L2",
393
+ "control_name": "Monitoring and Detection (MON)",
394
+ "tier": "Hardening",
395
+ "scope": "Both",
396
+ "notes": "Continuous monitoring for agents operating outside authorised scope — AI-specific behavioural baselines enable deviation detection"
397
+ },
398
+ {
399
+ "framework": "ENISA Multilayer Framework",
400
+ "control_id": "L2",
401
+ "control_name": "Incident Response (IRS)",
402
+ "tier": "Hardening",
403
+ "scope": "Both",
404
+ "notes": "AI incident response plan covers rogue agent scenarios — automated isolation, manual rollback, forensic investigation procedures"
405
+ },
406
+ {
407
+ "framework": "ENISA Multilayer Framework",
408
+ "control_id": "L2",
409
+ "control_name": "Governance and Risk (GOV)",
410
+ "tier": "Hardening",
411
+ "scope": "Both",
412
+ "notes": "Authorised behaviour envelope documented per agent role — enables definition of what constitutes rogue behaviour"
413
+ },
414
+ {
415
+ "framework": "ENISA Multilayer Framework",
416
+ "control_id": "L2",
417
+ "control_name": "AI System Integrity (ASI)",
418
+ "tier": "Hardening",
419
+ "scope": "Both",
420
+ "notes": "AI system integrity controls enforce authorised behaviour boundaries — runtime enforcement, not just policy statements"
421
+ },
422
+ {
423
+ "framework": "OWASP SAMM v2.0",
424
+ "control_id": "D-SA",
425
+ "control_name": "Design / Security Architecture",
426
+ "tier": "Hardening",
427
+ "scope": "Both",
428
+ "notes": "Design circuit breakers and blast radius containment between agents"
429
+ },
430
+ {
431
+ "framework": "OWASP SAMM v2.0",
432
+ "control_id": "O-IM",
433
+ "control_name": "Operations / Incident Management",
434
+ "tier": "Hardening",
435
+ "scope": "Both",
436
+ "notes": "Detect correlated failures across multiple agents; alert before full cascade"
437
+ },
438
+ {
439
+ "framework": "OWASP SAMM v2.0",
440
+ "control_id": "O-EM",
441
+ "control_name": "Operations / Environment Management",
442
+ "tier": "Hardening",
443
+ "scope": "Both",
444
+ "notes": "Continuous health checks; automatic isolation of degraded agents"
445
+ },
446
+ {
447
+ "framework": "OWASP SAMM v2.0",
448
+ "control_id": "V-AA",
449
+ "control_name": "Verification / Architecture Assessment",
450
+ "tier": "Hardening",
451
+ "scope": "Both",
452
+ "notes": "Verify blast radius containment in architecture review"
453
+ },
454
+ {
455
+ "framework": "OWASP SAMM v2.0",
456
+ "control_id": "O-IM",
457
+ "control_name": "Operations / Incident Management",
458
+ "tier": "Hardening",
459
+ "scope": "Both",
460
+ "notes": "Documented runbook for cascade scenarios including rollback procedures"
461
+ },
462
+ {
463
+ "framework": "CWE/CVE",
464
+ "control_id": "Improper Access Control",
465
+ "control_name": "CWE-284",
466
+ "tier": "Foundational",
467
+ "scope": "Both",
468
+ "notes": "Rogue agent exceeds its permitted access scope — no scope enforcement"
469
+ },
470
+ {
471
+ "framework": "CWE/CVE",
472
+ "control_id": "Protection Mechanism Failure",
473
+ "control_name": "CWE-693",
474
+ "tier": "Foundational",
475
+ "scope": "Both",
476
+ "notes": "Behavioural monitoring and detection mechanisms bypassed by rogue agent"
477
+ },
478
+ {
479
+ "framework": "CWE/CVE",
480
+ "control_id": "Improper Control of Interaction Frequency",
481
+ "control_name": "CWE-799",
482
+ "tier": "Foundational",
483
+ "scope": "Both",
484
+ "notes": "Rogue agent evades detection by maintaining normal action frequency while biasing recommendations"
485
+ },
486
+ {
487
+ "framework": "CWE/CVE",
488
+ "control_id": "Embedded Malicious Code",
489
+ "control_name": "CWE-506",
490
+ "tier": "Foundational",
491
+ "scope": "Both",
492
+ "notes": "Rogue behaviour may result from backdoored model or component"
493
+ },
494
+ {
495
+ "framework": "CWE/CVE",
496
+ "control_id": "Incorrect Default Permissions",
497
+ "control_name": "CWE-276",
498
+ "tier": "Foundational",
499
+ "scope": "Both",
500
+ "notes": "Agent deployed with broader permissions than needed — amplifies rogue blast radius"
501
+ },
502
+ {
503
+ "framework": "OWASP AI Testing Guide",
504
+ "control_id": "Behavioural baseline establishment and deviation",
505
+ "control_name": "AST — Agent-Specific",
506
+ "tier": "Hardening",
507
+ "scope": "Both",
508
+ "notes": "Establish baseline during commissioning; inject anomalous behaviour patterns; verify detection"
509
+ },
510
+ {
511
+ "framework": "OWASP AI Testing Guide",
512
+ "control_id": "Hidden goal persistence detection",
513
+ "control_name": "MBT — Model Behaviour",
514
+ "tier": "Hardening",
515
+ "scope": "Both",
516
+ "notes": "Verify that systematic recommendation bias is detectable through aggregate output analysis"
517
+ },
518
+ {
519
+ "framework": "OWASP AI Testing Guide",
520
+ "control_id": "Kill switch activation coverage",
521
+ "control_name": "LMT — Logging & Monitoring",
522
+ "tier": "Hardening",
523
+ "scope": "Both",
524
+ "notes": "Verify kill switch activation logs are complete and anomaly-to-suspension latency meets SLA"
525
+ },
526
+ {
527
+ "framework": "MAESTRO",
528
+ "control_id": "L5",
529
+ "control_name": "Evaluation & Observability",
530
+ "tier": "Hardening",
531
+ "scope": "Both"
532
+ },
533
+ {
534
+ "framework": "MAESTRO",
535
+ "control_id": "L1",
536
+ "control_name": "Foundation Models",
537
+ "tier": "Hardening",
538
+ "scope": "Both"
539
+ },
540
+ {
541
+ "framework": "MAESTRO",
542
+ "control_id": "L6",
543
+ "control_name": "Security & Compliance",
544
+ "tier": "Hardening",
545
+ "scope": "Both"
546
+ },
547
+ {
548
+ "framework": "AIUC-1",
549
+ "control_id": "B001",
550
+ "control_name": "Third-party testing of adversarial robustness",
551
+ "tier": "Hardening",
552
+ "scope": "Both"
553
+ },
554
+ {
555
+ "framework": "AIUC-1",
556
+ "control_id": "B002",
557
+ "control_name": "Detect adversarial input",
558
+ "tier": "Hardening",
559
+ "scope": "Both"
560
+ },
561
+ {
562
+ "framework": "AIUC-1",
563
+ "control_id": "B006",
564
+ "control_name": "Prevent unauthorized AI agent actions",
565
+ "tier": "Hardening",
566
+ "scope": "Both"
567
+ },
568
+ {
569
+ "framework": "AIUC-1",
570
+ "control_id": "C",
571
+ "control_name": "Safety (full domain)",
572
+ "tier": "Hardening",
573
+ "scope": "Both"
574
+ },
575
+ {
576
+ "framework": "AIUC-1",
577
+ "control_id": "E",
578
+ "control_name": "Accountability (full domain)",
579
+ "tier": "Hardening",
580
+ "scope": "Both"
581
+ },
582
+ {
583
+ "framework": "OWASP NHI Top 10",
584
+ "control_id": "Rogue agent detected but not offboarded — credentials remain valid",
585
+ "control_name": "NHI-1 Improper Offboarding",
586
+ "tier": "Hardening",
587
+ "scope": "Both",
588
+ "notes": "Formal agent offboarding triggered immediately on rogue detection — all credentials revoked"
589
+ },
590
+ {
591
+ "framework": "OWASP NHI Top 10",
592
+ "control_id": "Rogue agent with excess privilege causes larger blast radius before detection",
593
+ "control_name": "NHI-5 Over-Privileged NHI",
594
+ "tier": "Hardening",
595
+ "scope": "Both",
596
+ "notes": "Least privilege — rogue agent with narrow scope causes less damage before containment"
597
+ },
598
+ {
599
+ "framework": "OWASP NHI Top 10",
600
+ "control_id": "Long-lived tokens allow rogue agent to operate indefinitely after detection",
601
+ "control_name": "NHI-7 Long-Lived Credentials",
602
+ "tier": "Hardening",
603
+ "scope": "Both",
604
+ "notes": "Short-lived credentials — rogue detection triggers token expiry without requiring manual revocation"
605
+ },
606
+ {
607
+ "framework": "NIST SP 800-218A",
608
+ "control_id": "Vet all external agent dependencies — LLM APIs, tool endpoints, MCP servers, orchestration platforms — for reliability, security posture, and failure mode characteristics before adoption",
609
+ "control_name": "PW.4.1-PS – Reuse existing well-secured software",
610
+ "tier": "Foundational",
611
+ "scope": "Both",
612
+ "notes": "Prevents adoption of unreliable dependencies"
613
+ },
614
+ {
615
+ "framework": "NIST SP 800-218A",
616
+ "control_id": "Verify that external dependency responses are consistent with expected behaviour — detect API version changes, model swaps, or degraded output quality that could affect agent correctness",
617
+ "control_name": "PS.2.1-PS – Verify software integrity",
618
+ "tier": "Foundational",
619
+ "scope": "Both",
620
+ "notes": "Detects dependency degradation and tampering"
621
+ },
622
+ {
623
+ "framework": "NIST SP 800-218A",
624
+ "control_id": "Monitor all agent dependencies for availability, behavioural consistency, and security posture changes; establish triage procedures for dependency degradation events",
625
+ "control_name": "RV.1.1-PS – Identify and confirm vulnerabilities",
626
+ "tier": "Foundational",
627
+ "scope": "Both",
628
+ "notes": "Enables rapid detection of dependency failures"
629
+ },
630
+ {
631
+ "framework": "NIST SP 800-218A",
632
+ "control_id": "Define remediation procedures for dependency failures — graceful degradation, fallback providers, workflow suspension, and stakeholder notification",
633
+ "control_name": "RV.2.1-PS – Assess, prioritise, and remediate vulnerabilities",
634
+ "tier": "Foundational",
635
+ "scope": "Both",
636
+ "notes": "Ensures operational continuity during dependency outages"
637
+ },
638
+ {
639
+ "framework": "FedRAMP",
640
+ "control_id": "SR-2",
641
+ "control_name": "Supply Chain Risk Management Plan — agent dependencies",
642
+ "tier": "Foundational",
643
+ "scope": "Both",
644
+ "notes": "Include all agent external dependencies — model APIs, tool endpoints, data sources — in supply chain risk management with availability and integrity requirements"
645
+ },
646
+ {
647
+ "framework": "FedRAMP",
648
+ "control_id": "SA-9",
649
+ "control_name": "External Information System Services — agent service dependencies",
650
+ "tier": "Foundational",
651
+ "scope": "Both",
652
+ "notes": "Require SLAs from agent dependency providers covering availability, performance, security, and incident notification; establish fallback procedures"
653
+ },
654
+ {
655
+ "framework": "FedRAMP",
656
+ "control_id": "SI-4",
657
+ "control_name": "System Monitoring — dependency health monitoring",
658
+ "tier": "Foundational",
659
+ "scope": "Both",
660
+ "notes": "Monitor agent dependency health in real time — API availability, response latency, error rates; alert on degradation and trigger fallback procedures"
661
+ },
662
+ {
663
+ "framework": "FedRAMP",
664
+ "control_id": "IR-4",
665
+ "control_name": "Incident Handling — dependency failure response",
666
+ "tier": "Foundational",
667
+ "scope": "Both",
668
+ "notes": "Define incident handling procedures for agent dependency failures; include automated fallback activation, graceful degradation, and service restoration"
669
+ },
670
+ {
671
+ "framework": "DORA",
672
+ "control_id": "Art. 28–44",
673
+ "control_name": "Third-Party Risk — agent dependency oversight",
674
+ "tier": "Foundational",
675
+ "scope": "Both",
676
+ "notes": "Include all agent external dependencies — model APIs, tool endpoints, data sources — in third-party ICT risk management with availability and integrity requirements"
677
+ },
678
+ {
679
+ "framework": "DORA",
680
+ "control_id": "Art. 11",
681
+ "control_name": "Response and Recovery — dependency failure response",
682
+ "tier": "Foundational",
683
+ "scope": "Both",
684
+ "notes": "Define response and recovery procedures for agent dependency failures; include fallback activation, graceful degradation, and service restoration"
685
+ },
686
+ {
687
+ "framework": "DORA",
688
+ "control_id": "Art. 12",
689
+ "control_name": "Backup Policies — dependency continuity",
690
+ "tier": "Foundational",
691
+ "scope": "Both",
692
+ "notes": "Maintain backup and fallback mechanisms for critical agent dependencies; enable continued operation during provider outages"
693
+ },
694
+ {
695
+ "framework": "DORA",
696
+ "control_id": "Art. 10",
697
+ "control_name": "Detection — dependency health monitoring",
698
+ "tier": "Foundational",
699
+ "scope": "Both",
700
+ "notes": "Monitor agent dependency health in real time — API availability, response latency, error rates; alert on degradation and trigger fallback procedures"
701
+ }
702
+ ],
703
+ "tools": [
704
+ {
705
+ "name": "Langfuse",
706
+ "type": "open-source",
707
+ "url": "https://langfuse.com"
708
+ },
709
+ {
710
+ "name": "Helicone",
711
+ "type": "open-source",
712
+ "url": "https://www.helicone.ai"
713
+ },
714
+ {
715
+ "name": "Weights & Biases",
716
+ "type": "commercial",
717
+ "url": "https://wandb.ai"
718
+ },
719
+ {
720
+ "name": "Wazuh",
721
+ "type": "open-source",
722
+ "url": "https://wazuh.com"
723
+ },
724
+ {
725
+ "name": "Dragos",
726
+ "type": "commercial",
727
+ "url": "https://www.dragos.com"
728
+ },
729
+ {
730
+ "name": "Prometheus",
731
+ "type": "open-source",
732
+ "url": "https://prometheus.io"
733
+ },
734
+ {
735
+ "name": "Falco",
736
+ "type": "open-source",
737
+ "url": "https://falco.org"
738
+ },
739
+ {
740
+ "name": "Entro Security",
741
+ "type": "commercial",
742
+ "url": "https://entro.security"
743
+ },
744
+ {
745
+ "name": "HashiCorp Vault",
746
+ "type": "open-source",
747
+ "url": "https://www.vaultproject.io"
748
+ },
749
+ {
750
+ "name": "Teleport",
751
+ "type": "commercial",
752
+ "url": "https://goteleport.com"
753
+ },
754
+ {
755
+ "name": "OpenTelemetry",
756
+ "type": "open-source",
757
+ "url": "https://opentelemetry.io"
758
+ },
759
+ {
760
+ "name": "LiteLLM",
761
+ "type": "open-source",
762
+ "url": "https://github.com/BerriAI/litellm"
763
+ },
764
+ {
765
+ "name": "Grafana",
766
+ "type": "open-source",
767
+ "url": "https://grafana.com"
768
+ },
769
+ {
770
+ "name": "PagerDuty",
771
+ "type": "commercial",
772
+ "url": "https://www.pagerduty.com"
773
+ },
774
+ {
775
+ "name": "Istio",
776
+ "type": "open-source",
777
+ "url": "https://istio.io"
778
+ },
779
+ {
780
+ "name": "AgentOps",
781
+ "url": "https://github.com/AgentOps-AI/agentops",
782
+ "type": "open-source"
783
+ }
784
+ ],
785
+ "incidents": [
786
+ {
787
+ "name": "Multi-agent financial trading system flash crash — cascading autonomous failures",
788
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
789
+ "year": 2025,
790
+ "incident_id": "INC-041"
791
+ },
792
+ {
793
+ "name": "Apollo Research: frontier models demonstrate strategic deception to avoid shutdown",
794
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
795
+ "year": 2024,
796
+ "incident_id": "INC-047"
797
+ }
798
+ ],
799
+ "crossrefs": {
800
+ "llm_top10": [
801
+ "LLM06",
802
+ "LLM10",
803
+ "LLM05"
804
+ ],
805
+ "agentic_top10": [
806
+ "ASI01",
807
+ "ASI02",
808
+ "ASI03",
809
+ "ASI05",
810
+ "ASI04",
811
+ "ASI06",
812
+ "ASI07",
813
+ "ASI08",
814
+ "ASI09"
815
+ ],
816
+ "dsgai_2026": [
817
+ "DSGAI16",
818
+ "DSGAI03",
819
+ "DSGAI19",
820
+ "DSGAI02",
821
+ "DSGAI17",
822
+ "DSGAI06"
823
+ ]
824
+ },
825
+ "changelog": [
826
+ {
827
+ "date": "2026-03-27",
828
+ "version": "1.0.0",
829
+ "change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
830
+ "author": "emmanuelgjr"
831
+ }
832
+ ]
833
+ }