genai-security-crosswalk 2.0.0

Files changed (55) hide show
  1. package/LICENSE.md +28 -0
  2. package/README.md +618 -0
  3. package/data/entries/ASI01.json +911 -0
  4. package/data/entries/ASI02.json +850 -0
  5. package/data/entries/ASI03.json +854 -0
  6. package/data/entries/ASI04.json +759 -0
  7. package/data/entries/ASI05.json +764 -0
  8. package/data/entries/ASI06.json +817 -0
  9. package/data/entries/ASI07.json +789 -0
  10. package/data/entries/ASI08.json +788 -0
  11. package/data/entries/ASI09.json +754 -0
  12. package/data/entries/ASI10.json +833 -0
  13. package/data/entries/DSGAI01.json +779 -0
  14. package/data/entries/DSGAI02.json +728 -0
  15. package/data/entries/DSGAI03.json +671 -0
  16. package/data/entries/DSGAI04.json +752 -0
  17. package/data/entries/DSGAI05.json +689 -0
  18. package/data/entries/DSGAI06.json +673 -0
  19. package/data/entries/DSGAI07.json +680 -0
  20. package/data/entries/DSGAI08.json +698 -0
  21. package/data/entries/DSGAI09.json +687 -0
  22. package/data/entries/DSGAI10.json +627 -0
  23. package/data/entries/DSGAI11.json +663 -0
  24. package/data/entries/DSGAI12.json +695 -0
  25. package/data/entries/DSGAI13.json +688 -0
  26. package/data/entries/DSGAI14.json +703 -0
  27. package/data/entries/DSGAI15.json +655 -0
  28. package/data/entries/DSGAI16.json +716 -0
  29. package/data/entries/DSGAI17.json +690 -0
  30. package/data/entries/DSGAI18.json +613 -0
  31. package/data/entries/DSGAI19.json +638 -0
  32. package/data/entries/DSGAI20.json +671 -0
  33. package/data/entries/DSGAI21.json +881 -0
  34. package/data/entries/LLM01.json +975 -0
  35. package/data/entries/LLM02.json +868 -0
  36. package/data/entries/LLM03.json +817 -0
  37. package/data/entries/LLM04.json +797 -0
  38. package/data/entries/LLM05.json +761 -0
  39. package/data/entries/LLM06.json +848 -0
  40. package/data/entries/LLM07.json +749 -0
  41. package/data/entries/LLM08.json +750 -0
  42. package/data/entries/LLM09.json +760 -0
  43. package/data/entries/LLM10.json +763 -0
  44. package/data/incidents-schema.json +121 -0
  45. package/data/incidents.json +1484 -0
  46. package/data/schema.json +134 -0
  47. package/dist/index.d.ts +97 -0
  48. package/dist/index.d.ts.map +1 -0
  49. package/dist/index.js +124 -0
  50. package/dist/index.js.map +1 -0
  51. package/dist/index.test.d.ts +2 -0
  52. package/dist/index.test.d.ts.map +1 -0
  53. package/dist/index.test.js +97 -0
  54. package/dist/index.test.js.map +1 -0
  55. package/package.json +62 -0
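--- a/package/data/entries/DSGAI01.json
+++ b/package/data/entries/DSGAI01.json
@@ -0,0 +1,779 @@
+{
+"id": "DSGAI01",
+"name": "Sensitive Data Leakage",
+"source_list": "DSGAI-2026",
+"version": "2026-Q1",
+"severity": "Critical",
+"aivss_score": null,
+"audience": [
+"red-teamer",
+"security-engineer",
+"ciso",
+"compliance",
+"ml-engineer",
+"ot-engineer",
+"auditor",
+"developer",
+"data-engineer"
+],
+"mappings": [
+{
+"framework": "MITRE ATLAS",
+"control_id": "AML.T0035",
+"control_name": "Exfiltrate via ML Inference API",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Adversary queries LLM to extract sensitive data from training corpus, RAG store, or prompt cache through crafted inference queries"
+},
+{
+"framework": "MITRE ATLAS",
+"control_id": "AML.T0024.000",
+"control_name": "Membership Inference",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Adversary determines whether specific sensitive records were used in training — confirms presence of target data"
+},
+{
+"framework": "MITRE ATLAS",
+"control_id": "AML.T0025",
+"control_name": "Exfiltrate via Cyber Means",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Sensitive content in LLM outputs, logs, or observability pipelines captured and transmitted to adversary"
+},
+{
+"framework": "NIST AI RMF 1.0",
+"control_id": "GV-1.6",
+"control_name": "Policies for data privacy",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Organisational policy on data classification, handling, and disclosure controls for GenAI data assets"
+},
+{
+"framework": "NIST AI RMF 1.0",
+"control_id": "MP-2.3",
+"control_name": "Risk categorisation",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Sensitive data leakage categorised and rated in AI system risk register — specific to each deployment"
+},
+{
+"framework": "NIST AI RMF 1.0",
+"control_id": "MS-2.6",
+"control_name": "Testing — data leakage",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Evaluation programme includes data leakage testing — training data, RAG over-retrieval, output redaction"
+},
+{
+"framework": "NIST AI RMF 1.0",
+"control_id": "MG-2.4",
+"control_name": "Risk response — data",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Defined incident response for sensitive data disclosure — notification, containment, regulatory reporting"
+},
+{
+"framework": "EU AI Act",
+"control_id": "Training data must be relevant, representative, and subject to appropriate privacy measures",
+"control_name": "Art. 10 — Data and data governance",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Data governance controls preventing sensitive data ingestion and memorisation are Art. 10 requirements"
+},
+{
+"framework": "EU AI Act",
+"control_id": "High-risk AI must be resilient and implement cybersecurity measures",
+"control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Output scanning, DLP, and access controls on RAG retrieval are Art. 15 technical requirements"
+},
+{
+"framework": "EU AI Act",
+"control_id": "GPAI providers must maintain technical documentation including training data governance",
+"control_name": "Art. 53(1)(a) — GPAI documentation",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Data governance for training data — sources, quality, privacy measures — is a GPAI documentation obligation"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.8.11",
+"control_name": "Data masking",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Masking or redaction of sensitive data in LLM outputs, RAG results, and prompts"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.8.12",
+"control_name": "Data leakage prevention",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "DLP controls on all GenAI output channels — model API, chat interfaces, logs"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.5.12",
+"control_name": "Classification of information",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "All data in GenAI scope classified — training data, RAG corpora, outputs, embeddings"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.8.3",
+"control_name": "Information access restriction",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Access controls on RAG data sources limiting retrieval to authorised user scope"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.5.13",
+"control_name": "Labelling of information",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Classification labels propagated to derived assets — embeddings, caches, summaries"
+},
+{
+"framework": "ISO/IEC 42001:2023",
+"control_id": "Data for AI — acquisition",
+"control_name": "A.7.2",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Foundational"
+},
+{
+"framework": "ISO/IEC 42001:2023",
+"control_id": "Data for AI — preparation",
+"control_name": "A.7.3",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Hardening"
+},
+{
+"framework": "ISO/IEC 42001:2023",
+"control_id": "Lifecycle — operational",
+"control_name": "A.6.2.3",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Foundational"
+},
+{
+"framework": "ISO/IEC 42001:2023",
+"control_id": "Impact assessment",
+"control_name": "A.5.2",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Hardening"
+},
+{
+"framework": "CIS Controls v8.1",
+"control_id": "CIS 3",
+"control_name": "3.1 — Establish and maintain data management process",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "CIS Controls v8.1",
+"control_id": "CIS 3",
+"control_name": "3.13 — Deploy DLP solutions",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "CIS Controls v8.1",
+"control_id": "CIS 8",
+"control_name": "8.2 — Collect audit logs",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "CIS Controls v8.1",
+"control_id": "CIS 16",
+"control_name": "16.12 — Implement code-level security checks",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "OWASP ASVS 4.0.3",
+"control_id": "V8 Data Protection",
+"control_name": "V8.1.1 — Sensitive data not transmitted in URL parameters",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "OWASP ASVS 4.0.3",
+"control_id": "V8 Data Protection",
+"control_name": "V8.3.4 — Sensitive data identified and classified",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "OWASP ASVS 4.0.3",
+"control_id": "V4 Access Control",
+"control_name": "V4.1.3 — Deny by default access control",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "OWASP ASVS 4.0.3",
+"control_id": "V5 Validation",
+"control_name": "V5.2.8 — Output encoding for context",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "OWASP ASVS 4.0.3",
+"control_id": "V6 Cryptography",
+"control_name": "V6.1.1 — Sensitive data not stored in cleartext",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "ISA/IEC 62443",
+"control_id": "SR 4.1",
+"control_name": "Data confidentiality",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "All OT data flowing through GenAI systems encrypted — historian exports, embedding stores, prompt caches"
+},
+{
+"framework": "ISA/IEC 62443",
+"control_id": "SR 4.4",
+"control_name": "Use of physical diagnostic and test interfaces",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "GenAI outputs containing sensitive OT identifiers (tag names, IPs, device types) masked before leaving DMZ"
+},
+{
+"framework": "ISA/IEC 62443",
+"control_id": "SR 1.2",
+"control_name": "Human user authentication",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Access to GenAI systems in OT scope authenticated — each user with unique, traceable identity"
+},
+{
+"framework": "ISA/IEC 62443",
+"control_id": "SR 6.1",
+"control_name": "Timely response to events",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Sensitive OT data disclosure treated as security event — agent suspended, disclosure scope assessed"
+},
+{
+"framework": "NIST SP 800-82 Rev 3",
+"control_id": "Common ICS vulnerabilities",
+"control_name": "§5.3",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Injection via OT data feeds is a documented attack vector"
+},
+{
+"framework": "NIST SP 800-82 Rev 3",
+"control_id": "Risk assessment",
+"control_name": "§6.2",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Assess injection risk at every OT data ingestion point"
+},
+{
+"framework": "NIST SP 800-82 Rev 3",
+"control_id": "Security controls",
+"control_name": "§7.2",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Input validation mandatory at OT data boundary"
+},
+{
+"framework": "NIST CSF 2.0",
+"control_id": "PR.DS-01",
+"control_name": "Data Security",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Sensitive data at rest protected — training data, embeddings, RAG stores, prompt caches encrypted"
+},
+{
+"framework": "NIST CSF 2.0",
+"control_id": "PR.DS-02",
+"control_name": "Data Security",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Sensitive data in transit protected — all GenAI API calls and RAG retrieval paths encrypted"
+},
+{
+"framework": "NIST CSF 2.0",
+"control_id": "DE.CM-01",
+"control_name": "Continuous Monitoring",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Networks and assets monitored — DLP on all GenAI output channels"
+},
+{
+"framework": "NIST CSF 2.0",
+"control_id": "GV.RM-06",
+"control_name": "Risk Management Strategy",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Risk tolerance established — acceptable sensitive data disclosure risk defined per GenAI use case"
+},
+{
+"framework": "SOC 2",
+"control_id": "Policy identifying confidential information in GenAI scope — training data, RAG corpus, embeddings, outputs",
+"control_name": "C1.1 — Confidentiality policy",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "SOC 2",
+"control_id": "Technical controls protecting confidential data in GenAI pipelines — encryption, access controls, output scanning",
+"control_name": "C2.1 — Confidential information protection",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "SOC 2",
+"control_id": "Access controls on RAG retrieval — users retrieve only data they are authorised to access",
+"control_name": "CC6.1 — Logical access",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "SOC 2",
+"control_id": "Personal information in GenAI scope used only for authorised purposes — LLM processing limited to agreed use cases",
+"control_name": "P5.1 — Personal information use",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "SOC 2",
+"control_id": "DLP monitoring on all GenAI output channels — sensitive patterns detected before delivery to users",
+"control_name": "CC7.2 — Anomaly detection",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "PCI DSS v4.0",
+"control_id": "Req 3.4.1",
+"control_name": "PAN rendering unreadable",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "PANs in GenAI outputs masked — only first six/last four digits in any response"
+},
+{
+"framework": "PCI DSS v4.0",
+"control_id": "Req 3.5.1",
+"control_name": "Protect stored account data",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "All CHD in GenAI scope encrypted — training data, RAG stores, embeddings, prompt caches"
+},
+{
+"framework": "PCI DSS v4.0",
+"control_id": "Req 4.2.1",
+"control_name": "Encryption in transit",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "All GenAI data flows carrying CHD encrypted — TLS 1.2 minimum"
+},
+{
+"framework": "PCI DSS v4.0",
+"control_id": "Req 7.2.1",
+"control_name": "Restrict access",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "RAG retrieval access controls — users retrieve only CHD they are authorised to access"
+},
+{
+"framework": "ENISA Multilayer Framework",
+"control_id": "L2",
+"control_name": "Data and Model Security (DMS)",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "All data in GenAI scope classified and governed — training corpora, RAG sources, embeddings, and outputs subject to DMS practices"
+},
+{
+"framework": "ENISA Multilayer Framework",
+"control_id": "MON",
+"control_name": "Monitoring and Detection",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "DLP on all GenAI output channels — AI-specific monitoring covering sensitive data patterns before delivery to consumers"
+},
+{
+"framework": "ENISA Multilayer Framework",
+"control_id": "L2",
+"control_name": "Governance and Risk (GOV)",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "GDPR and EU AI Act Article 10 data governance obligations addressed for all GenAI data assets"
+},
+{
+"framework": "ENISA Multilayer Framework",
+"control_id": "L1",
+"control_name": "General ICT — Data Protection",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Training data, embeddings, and RAG stores encrypted at rest and in transit; least-privilege access enforced"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "D-TA",
+"control_name": "Design / Threat Assessment",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Model all channels where untrusted content reaches the model"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "I-SB",
+"control_name": "Implementation / Secure Build",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Enforce sanitisation at every point where external data enters inference pipeline"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "V-ST",
+"control_name": "Verification / Security Testing",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Adversarial injection tests across all data input channels"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "O-IM",
+"control_name": "Operations / Incident Management",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Alert on unexpected model behaviour correlated with external data retrieval"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "G-EG",
+"control_name": "Governance / Education & Guidance",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Data engineers understand injection risk surface"
+},
+{
+"framework": "CWE/CVE",
+"control_id": "CWE-200",
+"control_name": "CWE-200",
+"tier": "Foundational",
+"scope": "Both",
+"url": "https://cwe.mitre.org/data/definitions/200.html"
+},
+{
+"framework": "CWE/CVE",
+"control_id": "CWE-359",
+"control_name": "CWE-359",
+"tier": "Foundational",
+"scope": "Both",
+"url": "https://cwe.mitre.org/data/definitions/359.html"
+},
+{
+"framework": "CWE/CVE",
+"control_id": "CWE-312",
+"control_name": "CWE-312",
+"tier": "Foundational",
+"scope": "Both",
+"url": "https://cwe.mitre.org/data/definitions/312.html"
+},
+{
+"framework": "MAESTRO",
+"control_id": "L2",
+"control_name": "Data Operations",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "MAESTRO",
+"control_id": "L1",
+"control_name": "Foundation Models",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "MAESTRO",
+"control_id": "L5",
+"control_name": "Evaluation & Observability",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "AIUC-1",
+"control_id": "B001",
+"control_name": "Third-party adversarial robustness testing",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Foundational"
+},
+{
+"framework": "AIUC-1",
+"control_id": "B002",
+"control_name": "Detect adversarial input",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Hardening"
+},
+{
+"framework": "AIUC-1",
+"control_id": "B005",
+"control_name": "Implement real-time input filtering",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Foundational"
+},
+{
+"framework": "AIUC-1",
+"control_id": "B006",
+"control_name": "Prevent unauthorized AI actions",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Foundational"
+},
+{
+"framework": "OWASP NHI Top 10",
+"control_id": "Injection blast radius limited only by credential scope",
+"control_name": "NHI-5 Over-Privileged NHI",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Apply least-privilege to all data pipeline credentials"
+},
+{
+"framework": "OWASP NHI Top 10",
+"control_id": "Injected actions can use pipeline tokens for extended period",
+"control_name": "NHI-7 Long-Lived Credentials",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Short-lived tokens for all data pipeline service accounts"
+},
+{
+"framework": "NIST SP 800-218A",
+"control_id": "PS.1.1-PS",
+"control_name": "Protect all code from unauthorised access — data access audit controls",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Implement comprehensive audit logging for all access to training data, model weights, embedding stores, and pipeline configuration; enforce tamper-evident log storage"
+},
+{
+"framework": "NIST SP 800-218A",
+"control_id": "RV.1.1-PS",
+"control_name": "Identify and confirm vulnerabilities — audit-driven detection",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Establish procedures to detect data access anomalies using audit logs; define triage workflows for suspicious access patterns across AI data stores"
+},
+{
+"framework": "FedRAMP",
+"control_id": "AU-2",
+"control_name": "Event Logging — AI data access logging",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Log all access to AI training data, model weights, inference inputs and outputs, and configuration; include user/service identity, timestamp, and access type"
+},
+{
+"framework": "FedRAMP",
+"control_id": "AU-12",
+"control_name": "Audit Generation — inference audit trail",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Generate audit records for all model inference requests with sufficient detail for compliance and incident investigation"
+},
+{
+"framework": "FedRAMP",
+"control_id": "AC-3",
+"control_name": "Access Enforcement — authenticated data access",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Enforce authenticated, authorised access to all AI data stores; deny unauthenticated access; log all access decisions"
+},
+{
+"framework": "DORA",
+"control_id": "Art. 8",
+"control_name": "Identification — data asset classification",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Register all AI data stores in ICT asset inventory; ensure logging coverage for all identified data assets including training data, model weights, and inference stores"
+},
+{
+"framework": "DORA",
+"control_id": "Art. 9",
+"control_name": "Protection and Prevention — data access controls",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Implement security controls for AI data access — authentication, authorisation, and encryption; enforce least privilege on all data access paths"
+},
+{
+"framework": "DORA",
+"control_id": "Art. 10",
+"control_name": "Detection — data access monitoring",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Deploy detection mechanisms for anomalous AI data access; monitor for unauthorised access patterns, bulk extractions, and access outside normal parameters"
+},
+{
+"framework": "DORA",
+"control_id": "Art. 17–23",
+"control_name": "ICT Incident Management — access incident reporting",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Classify material AI data access violations as ICT-related incidents; report to competent authorities per DORA incident classification and reporting requirements"
+}
+],
+"tools": [
+{
+"name": "Microsoft Presidio",
+"type": "open-source",
+"url": "https://github.com/microsoft/presidio"
+},
+{
+"name": "Nightfall AI",
+"type": "commercial",
+"url": "https://nightfall.ai"
+},
+{
+"name": "Private AI",
+"type": "commercial",
+"url": "https://private-ai.com"
+},
+{
+"name": "Presidio",
+"type": "open-source",
+"url": "https://github.com/microsoft/presidio"
+},
+{
+"name": "LLM Guard",
+"type": "open-source",
+"url": "https://github.com/protectai/llm-guard"
+},
+{
+"name": "Garak",
+"type": "open-source",
+"url": "https://github.com/leondz/garak"
+},
+{
+"name": "OpenTelemetry",
+"type": "open-source",
+"url": "https://opentelemetry.io"
+},
+{
+"name": "Elastic SIEM",
+"type": "open-source",
+"url": "https://www.elastic.co/security"
+},
+{
+"name": "AWS CloudTrail",
+"type": "commercial",
+"url": "https://aws.amazon.com/cloudtrail/"
+},
+{
+"name": "Azure Monitor",
+"type": "commercial",
+"url": "https://azure.microsoft.com/en-us/products/monitor"
+},
+{
+"name": "AWS CloudTrail / Azure Monitor",
+"type": "commercial",
+"url": "https://aws.amazon.com/cloudtrail/"
+},
+{
+"name": "Elasticsearch",
+"type": "open-source",
+"url": "https://www.elastic.co"
+},
+{
+"name": "Splunk",
+"type": "commercial",
+"url": "https://www.splunk.com"
+}
+],
+"incidents": [
+{
+"name": "Samsung employees leak source code and meeting notes via ChatGPT",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2023,
+"incident_id": "INC-001"
+},
+{
+"name": "OpenAI Redis caching bug exposes user conversation history",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2023,
+"incident_id": "INC-006"
+},
+{
+"name": "Indirect prompt injection in LLM email assistant via malicious email body",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2024,
+"incident_id": "INC-007"
+},
+{
+"name": "GitHub Copilot reproduces verbatim licensed code and embedded secrets",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2023,
+"incident_id": "INC-008"
+},
+{
+"name": "Microsoft Copilot for M365 — document exfiltration via indirect injection",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2024,
+"incident_id": "INC-010"
+},
+{
+"name": "GPT-4 system prompt extraction via jailbreak in production deployments",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2023,
+"incident_id": "INC-018"
+},
+{
+"name": "Slack AI indirect injection via channel content",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2024,
+"incident_id": "INC-024"
+},
+{
+"name": "GitHub Copilot Workspace prompt injection via repository content",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2024,
+"incident_id": "INC-025"
+},
+{
+"name": "DeepSeek AI database exposure — 1M+ chat logs publicly accessible",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2025,
+"incident_id": "INC-032"
+},
+{
+"name": "Cursor AI code agent leaking repository secrets via context window",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2025,
+"incident_id": "INC-034"
+}
+],
+"crossrefs": {
+"llm_top10": [
+"LLM02",
+"LLM01",
+"LLM03",
+"LLM07"
+],
+"agentic_top10": [
+"ASI03",
+"ASI06",
+"ASI01",
+"ASI02"
+]
+},
+"changelog": [
+{
+"date": "2026-03-27",
+"version": "1.0.0",
+"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
+"author": "emmanuelgjr"
+}
+]
+}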
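Review bot: Several framework groups in `mappings` invert the `control_id`/`control_name` columns relative to the rest of the file — the ISO/IEC 42001, EU AI Act, NIST SP 800-82, SOC 2 and OWASP NHI rows put prose in `control_id` and the identifier in `control_name` (e.g. `"control_id": "Data for AI — acquisition", "control_name": "A.7.2"` should read `"control_id": "A.7.2", "control_name": "Data for AI — acquisition"`), so any consumer that keys or filters on `control_id` will index this entry by free text for those frameworks. The ISO 42001 and AIUC-1 rows also carry `"notes": "Hardening"` beside `"tier": "Foundational"`, which looks like a tier value leaked into the notes column and contradicts the tier on the same row. The NIST SP 800-82, OWASP SAMM and OWASP NHI notes ("Injection via OT data feeds is a documented attack vector", "Adversarial injection tests across all data input channels", "Injection blast radius limited only by credential scope") describe prompt injection rather than sensitive data leakage and appear copied from another entry; for DSGAI01 they should speak to RAG over-retrieval, output redaction, log/telemetry scrubbing and exfiltration paths. The MITRE ATLAS row pairing `AML.T0035` with "Exfiltrate via ML Inference API" does not match my recollection of the ATLAS catalogue, where that technique is AML.T0024 (the parent of the AML.T0024.000 membership-inference row already listed) and AML.T0035 is ML Artifact Collection — worth confirming before release. The `tools` list duplicates Presidio (twice, same URL) and AWS CloudTrail (again as "AWS CloudTrail / Azure Monitor" with only the CloudTrail URL), and the `changelog` still records version 1.0.0 while the package ships as 2.0.0; dedupe the tools and add a 2.0.0 changelog line so downstream counts and provenance are meaningful.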