genai-security-crosswalk 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
|
@@ -0,0 +1,752 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "DSGAI04",
|
|
3
|
+
"name": "Data Model and Artifact Poisoning",
|
|
4
|
+
"source_list": "DSGAI-2026",
|
|
5
|
+
"version": "2026-Q1",
|
|
6
|
+
"severity": "Critical",
|
|
7
|
+
"aivss_score": null,
|
|
8
|
+
"audience": [
|
|
9
|
+
"red-teamer",
|
|
10
|
+
"security-engineer",
|
|
11
|
+
"ciso",
|
|
12
|
+
"compliance",
|
|
13
|
+
"ml-engineer",
|
|
14
|
+
"ot-engineer",
|
|
15
|
+
"auditor",
|
|
16
|
+
"developer",
|
|
17
|
+
"data-engineer"
|
|
18
|
+
],
|
|
19
|
+
"mappings": [
|
|
20
|
+
{
|
|
21
|
+
"framework": "MITRE ATLAS",
|
|
22
|
+
"control_id": "AML.T0020",
|
|
23
|
+
"control_name": "Poison Training Data",
|
|
24
|
+
"tier": "Hardening",
|
|
25
|
+
"scope": "Both",
|
|
26
|
+
"notes": "Adversary introduces malicious data into training pipeline — corrupts model behaviour in ways baked into weights"
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"framework": "MITRE ATLAS",
|
|
30
|
+
"control_id": "AML.T0018",
|
|
31
|
+
"control_name": "Backdoor ML Model",
|
|
32
|
+
"tier": "Hardening",
|
|
33
|
+
"scope": "Both",
|
|
34
|
+
"notes": "Hidden functionality embedded in model weights — triggered by specific inputs, invisible to standard testing"
|
|
35
|
+
},
|
|
36
|
+
{
|
|
37
|
+
"framework": "MITRE ATLAS",
|
|
38
|
+
"control_id": "AML.T0031",
|
|
39
|
+
"control_name": "Craft Adversarial Data",
|
|
40
|
+
"tier": "Hardening",
|
|
41
|
+
"scope": "Both",
|
|
42
|
+
"notes": "Adversarially crafted training examples designed to produce specific model behaviours without detection"
|
|
43
|
+
},
|
|
44
|
+
{
|
|
45
|
+
"framework": "NIST AI RMF 1.0",
|
|
46
|
+
"control_id": "MP-2.3",
|
|
47
|
+
"control_name": "Risk categorisation",
|
|
48
|
+
"tier": "Hardening",
|
|
49
|
+
"scope": "Both",
|
|
50
|
+
"notes": "Data and model poisoning categorised as Critical — specific attack vectors mapped per training pipeline"
|
|
51
|
+
},
|
|
52
|
+
{
|
|
53
|
+
"framework": "NIST AI RMF 1.0",
|
|
54
|
+
"control_id": "MS-2.5",
|
|
55
|
+
"control_name": "Testing — adversarial",
|
|
56
|
+
"tier": "Hardening",
|
|
57
|
+
"scope": "Both",
|
|
58
|
+
"notes": "Adversarial testing covering poisoning detection in training pipelines before each production promotion"
|
|
59
|
+
},
|
|
60
|
+
{
|
|
61
|
+
"framework": "NIST AI RMF 1.0",
|
|
62
|
+
"control_id": "MS-3.3",
|
|
63
|
+
"control_name": "Data quality",
|
|
64
|
+
"tier": "Hardening",
|
|
65
|
+
"scope": "Both",
|
|
66
|
+
"notes": "Data quality measurement and validation applied to all training and fine-tuning data"
|
|
67
|
+
},
|
|
68
|
+
{
|
|
69
|
+
"framework": "NIST AI RMF 1.0",
|
|
70
|
+
"control_id": "MG-2.2",
|
|
71
|
+
"control_name": "Risk response",
|
|
72
|
+
"tier": "Hardening",
|
|
73
|
+
"scope": "Both",
|
|
74
|
+
"notes": "Incident response including model rollback for detected poisoning events"
|
|
75
|
+
},
|
|
76
|
+
{
|
|
77
|
+
"framework": "EU AI Act",
|
|
78
|
+
"control_id": "Training data must be subject to governance practices — relevant, representative, free of errors",
|
|
79
|
+
"control_name": "Art. 10 — Data and data governance",
|
|
80
|
+
"tier": "Hardening",
|
|
81
|
+
"scope": "Both",
|
|
82
|
+
"notes": "Data quality controls and provenance requirements preventing poisoning are binding Art. 10 obligations"
|
|
83
|
+
},
|
|
84
|
+
{
|
|
85
|
+
"framework": "EU AI Act",
|
|
86
|
+
"control_id": "High-risk AI must be resilient to attempts to alter performance through data manipulation",
|
|
87
|
+
"control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
|
|
88
|
+
"tier": "Hardening",
|
|
89
|
+
"scope": "Both",
|
|
90
|
+
"notes": "Technical robustness against poisoning is a binding Art. 15 requirement with conformity assessment evidence"
|
|
91
|
+
},
|
|
92
|
+
{
|
|
93
|
+
"framework": "EU AI Act",
|
|
94
|
+
"control_id": "Systemic risk GPAI providers must conduct adversarial testing to identify and mitigate systemic risks",
|
|
95
|
+
"control_name": "Art. 55(1)(b) — Systemic risk GPAI adversarial testing",
|
|
96
|
+
"tier": "Hardening",
|
|
97
|
+
"scope": "Both",
|
|
98
|
+
"notes": "Poisoning detection adversarial testing is a binding obligation for systemic risk models"
|
|
99
|
+
},
|
|
100
|
+
{
|
|
101
|
+
"framework": "ISO/IEC 27001:2022",
|
|
102
|
+
"control_id": "A.8.8",
|
|
103
|
+
"control_name": "Management of technical vulnerabilities",
|
|
104
|
+
"tier": "Hardening",
|
|
105
|
+
"scope": "Both",
|
|
106
|
+
"notes": "Scanning and patching model components and training pipeline dependencies"
|
|
107
|
+
},
|
|
108
|
+
{
|
|
109
|
+
"framework": "ISO/IEC 27001:2022",
|
|
110
|
+
"control_id": "A.5.19",
|
|
111
|
+
"control_name": "Supplier relationships",
|
|
112
|
+
"tier": "Hardening",
|
|
113
|
+
"scope": "Both",
|
|
114
|
+
"notes": "Security requirements applied to all third-party training data and model sources"
|
|
115
|
+
},
|
|
116
|
+
{
|
|
117
|
+
"framework": "ISO/IEC 27001:2022",
|
|
118
|
+
"control_id": "A.8.27",
|
|
119
|
+
"control_name": "Secure system architecture",
|
|
120
|
+
"tier": "Hardening",
|
|
121
|
+
"scope": "Both",
|
|
122
|
+
"notes": "Training pipeline designed with integrity controls and supply chain verification"
|
|
123
|
+
},
|
|
124
|
+
{
|
|
125
|
+
"framework": "ISO/IEC 27001:2022",
|
|
126
|
+
"control_id": "A.8.29",
|
|
127
|
+
"control_name": "Security testing",
|
|
128
|
+
"tier": "Hardening",
|
|
129
|
+
"scope": "Both",
|
|
130
|
+
"notes": "Adversarial testing of model outputs for poisoning indicators before deployment"
|
|
131
|
+
},
|
|
132
|
+
{
|
|
133
|
+
"framework": "ISO/IEC 27001:2022",
|
|
134
|
+
"control_id": "A.8.9",
|
|
135
|
+
"control_name": "Configuration management",
|
|
136
|
+
"tier": "Hardening",
|
|
137
|
+
"scope": "Both",
|
|
138
|
+
"notes": "Model versions, adapters, and datasets managed with integrity and change controls"
|
|
139
|
+
},
|
|
140
|
+
{
|
|
141
|
+
"framework": "ISO/IEC 42001:2023",
|
|
142
|
+
"control_id": "Data — acquisition",
|
|
143
|
+
"control_name": "A.7.2",
|
|
144
|
+
"tier": "Hardening",
|
|
145
|
+
"scope": "Both",
|
|
146
|
+
"notes": "Hardening"
|
|
147
|
+
},
|
|
148
|
+
{
|
|
149
|
+
"framework": "ISO/IEC 42001:2023",
|
|
150
|
+
"control_id": "Data — preparation",
|
|
151
|
+
"control_name": "A.7.3",
|
|
152
|
+
"tier": "Hardening",
|
|
153
|
+
"scope": "Both",
|
|
154
|
+
"notes": "Hardening"
|
|
155
|
+
},
|
|
156
|
+
{
|
|
157
|
+
"framework": "ISO/IEC 42001:2023",
|
|
158
|
+
"control_id": "Lifecycle — testing",
|
|
159
|
+
"control_name": "A.6.2.6",
|
|
160
|
+
"tier": "Hardening",
|
|
161
|
+
"scope": "Both",
|
|
162
|
+
"notes": "Hardening"
|
|
163
|
+
},
|
|
164
|
+
{
|
|
165
|
+
"framework": "ISO/IEC 42001:2023",
|
|
166
|
+
"control_id": "Lifecycle — design",
|
|
167
|
+
"control_name": "A.6.1.2",
|
|
168
|
+
"tier": "Hardening",
|
|
169
|
+
"scope": "Both",
|
|
170
|
+
"notes": "Foundational"
|
|
171
|
+
},
|
|
172
|
+
{
|
|
173
|
+
"framework": "CIS Controls v8.1",
|
|
174
|
+
"control_id": "CIS 7",
|
|
175
|
+
"control_name": "7.1 — Establish vulnerability management",
|
|
176
|
+
"tier": "Hardening",
|
|
177
|
+
"scope": "Both"
|
|
178
|
+
},
|
|
179
|
+
{
|
|
180
|
+
"framework": "CIS Controls v8.1",
|
|
181
|
+
"control_id": "CIS 16",
|
|
182
|
+
"control_name": "16.11 — Use up-to-date software components",
|
|
183
|
+
"tier": "Hardening",
|
|
184
|
+
"scope": "Both"
|
|
185
|
+
},
|
|
186
|
+
{
|
|
187
|
+
"framework": "CIS Controls v8.1",
|
|
188
|
+
"control_id": "CIS 18",
|
|
189
|
+
"control_name": "18.1 — Establish penetration testing programme",
|
|
190
|
+
"tier": "Hardening",
|
|
191
|
+
"scope": "Both"
|
|
192
|
+
},
|
|
193
|
+
{
|
|
194
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
195
|
+
"control_id": "V5 Validation",
|
|
196
|
+
"control_name": "V5.1.3 — Input validation server-side",
|
|
197
|
+
"tier": "Hardening",
|
|
198
|
+
"scope": "Both"
|
|
199
|
+
},
|
|
200
|
+
{
|
|
201
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
202
|
+
"control_id": "V10 Malicious Code",
|
|
203
|
+
"control_name": "V10.2.1 — Application only uses official repositories",
|
|
204
|
+
"tier": "Hardening",
|
|
205
|
+
"scope": "Both"
|
|
206
|
+
},
|
|
207
|
+
{
|
|
208
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
209
|
+
"control_id": "V10 Malicious Code",
|
|
210
|
+
"control_name": "V10.2.2 — Dependency managers check for vulnerabilities",
|
|
211
|
+
"tier": "Hardening",
|
|
212
|
+
"scope": "Both"
|
|
213
|
+
},
|
|
214
|
+
{
|
|
215
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
216
|
+
"control_id": "V12 Files/Resources",
|
|
217
|
+
"control_name": "V12.1.1 — File upload size limits",
|
|
218
|
+
"tier": "Hardening",
|
|
219
|
+
"scope": "Both"
|
|
220
|
+
},
|
|
221
|
+
{
|
|
222
|
+
"framework": "ISA/IEC 62443",
|
|
223
|
+
"control_id": "SR 3.3",
|
|
224
|
+
"control_name": "Software and information integrity",
|
|
225
|
+
"tier": "Foundational",
|
|
226
|
+
"scope": "Both",
|
|
227
|
+
"notes": "Training data integrity controls — source allowlisting, anomaly detection, provenance tracking"
|
|
228
|
+
},
|
|
229
|
+
{
|
|
230
|
+
"framework": "ISA/IEC 62443",
|
|
231
|
+
"control_id": "SR 3.7",
|
|
232
|
+
"control_name": "Software and information integrity monitoring",
|
|
233
|
+
"tier": "Foundational",
|
|
234
|
+
"scope": "Both",
|
|
235
|
+
"notes": "Continuous monitoring of OT GenAI model outputs — systematic anomalies indicating poisoning detected"
|
|
236
|
+
},
|
|
237
|
+
{
|
|
238
|
+
"framework": "ISA/IEC 62443",
|
|
239
|
+
"control_id": "SR 6.1",
|
|
240
|
+
"control_name": "Timely response to events",
|
|
241
|
+
"tier": "Foundational",
|
|
242
|
+
"scope": "Both",
|
|
243
|
+
"notes": "Poisoning events treated as Critical security incidents — model suspended, process control fallback activated"
|
|
244
|
+
},
|
|
245
|
+
{
|
|
246
|
+
"framework": "ISA/IEC 62443",
|
|
247
|
+
"control_id": "SR 7.6",
|
|
248
|
+
"control_name": "Denial of service protection",
|
|
249
|
+
"tier": "Foundational",
|
|
250
|
+
"scope": "Both",
|
|
251
|
+
"notes": "Poisoned model availability impact contained — fallback procedure prevents physical process disruption"
|
|
252
|
+
},
|
|
253
|
+
{
|
|
254
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
255
|
+
"control_id": "ICS vulnerabilities",
|
|
256
|
+
"control_name": "§5.3",
|
|
257
|
+
"tier": "Foundational",
|
|
258
|
+
"scope": "Both",
|
|
259
|
+
"notes": "Pipeline integrity is a core OT security requirement"
|
|
260
|
+
},
|
|
261
|
+
{
|
|
262
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
263
|
+
"control_id": "Risk assessment",
|
|
264
|
+
"control_name": "§6.2",
|
|
265
|
+
"tier": "Foundational",
|
|
266
|
+
"scope": "Both",
|
|
267
|
+
"notes": "Data pipeline security in OT risk assessment"
|
|
268
|
+
},
|
|
269
|
+
{
|
|
270
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
271
|
+
"control_id": "Security controls",
|
|
272
|
+
"control_name": "§7.2",
|
|
273
|
+
"tier": "Foundational",
|
|
274
|
+
"scope": "Both",
|
|
275
|
+
"notes": "Authenticated, integrity-verified data flows across zone boundaries"
|
|
276
|
+
},
|
|
277
|
+
{
|
|
278
|
+
"framework": "NIST CSF 2.0",
|
|
279
|
+
"control_id": "GV.SC-01",
|
|
280
|
+
"control_name": "Supply Chain Risk Management",
|
|
281
|
+
"tier": "Hardening",
|
|
282
|
+
"scope": "Both",
|
|
283
|
+
"notes": "Training data providers treated as suppliers — provenance, quality, integrity requirements in contracts"
|
|
284
|
+
},
|
|
285
|
+
{
|
|
286
|
+
"framework": "NIST CSF 2.0",
|
|
287
|
+
"control_id": "PR.DS-01",
|
|
288
|
+
"control_name": "Data Security",
|
|
289
|
+
"tier": "Hardening",
|
|
290
|
+
"scope": "Both",
|
|
291
|
+
"notes": "Training data protected at rest — integrity verification, source allowlisting, provenance tracking"
|
|
292
|
+
},
|
|
293
|
+
{
|
|
294
|
+
"framework": "NIST CSF 2.0",
|
|
295
|
+
"control_id": "DE.CM-09",
|
|
296
|
+
"control_name": "Continuous Monitoring",
|
|
297
|
+
"tier": "Hardening",
|
|
298
|
+
"scope": "Both",
|
|
299
|
+
"notes": "Monitoring for unauthorised software — model integrity verification at deployment, output anomaly detection"
|
|
300
|
+
},
|
|
301
|
+
{
|
|
302
|
+
"framework": "NIST CSF 2.0",
|
|
303
|
+
"control_id": "RS.AN-03",
|
|
304
|
+
"control_name": "Incident Analysis",
|
|
305
|
+
"tier": "Hardening",
|
|
306
|
+
"scope": "Both",
|
|
307
|
+
"notes": "Poisoning incidents analysed — affected training runs, deployed models, downstream impact assessed"
|
|
308
|
+
},
|
|
309
|
+
{
|
|
310
|
+
"framework": "SOC 2",
|
|
311
|
+
"control_id": "Poisoning threats documented in GenAI risk assessment — training data, supply chain, model update vectors",
|
|
312
|
+
"control_name": "CC3.2 — Risk assessment",
|
|
313
|
+
"tier": "Hardening",
|
|
314
|
+
"scope": "Both"
|
|
315
|
+
},
|
|
316
|
+
{
|
|
317
|
+
"framework": "SOC 2",
|
|
318
|
+
"control_id": "Model promotions through change management — integrity verification before production deployment",
|
|
319
|
+
"control_name": "CC8.1 — Change management",
|
|
320
|
+
"tier": "Hardening",
|
|
321
|
+
"scope": "Both"
|
|
322
|
+
},
|
|
323
|
+
{
|
|
324
|
+
"framework": "SOC 2",
|
|
325
|
+
"control_id": "Training data providers in vendor risk programme — provenance, quality, integrity requirements assessed",
|
|
326
|
+
"control_name": "CC9.1 — Vendor risk",
|
|
327
|
+
"tier": "Hardening",
|
|
328
|
+
"scope": "Both"
|
|
329
|
+
},
|
|
330
|
+
{
|
|
331
|
+
"framework": "SOC 2",
|
|
332
|
+
"control_id": "Model output anomaly monitoring — poisoning indicators detected before operational impact",
|
|
333
|
+
"control_name": "CC7.2 — Anomaly detection",
|
|
334
|
+
"tier": "Hardening",
|
|
335
|
+
"scope": "Both"
|
|
336
|
+
},
|
|
337
|
+
{
|
|
338
|
+
"framework": "PCI DSS v4.0",
|
|
339
|
+
"control_id": "Req 6.5.6",
|
|
340
|
+
"control_name": "Secure system changes",
|
|
341
|
+
"tier": "Hardening",
|
|
342
|
+
"scope": "Both",
|
|
343
|
+
"notes": "All model promotions tested for unexpected functionality — poisoning detection as Req 6.5 testing requirement"
|
|
344
|
+
},
|
|
345
|
+
{
|
|
346
|
+
"framework": "PCI DSS v4.0",
|
|
347
|
+
"control_id": "Req 10.6.1",
|
|
348
|
+
"control_name": "Audit log review",
|
|
349
|
+
"tier": "Hardening",
|
|
350
|
+
"scope": "Both",
|
|
351
|
+
"notes": "Automated monitoring of GenAI outputs in CDE — systematic anomalies indicating poisoning detected"
|
|
352
|
+
},
|
|
353
|
+
{
|
|
354
|
+
"framework": "PCI DSS v4.0",
|
|
355
|
+
"control_id": "Req 11.3.1",
|
|
356
|
+
"control_name": "Penetration testing",
|
|
357
|
+
"tier": "Hardening",
|
|
358
|
+
"scope": "Both",
|
|
359
|
+
"notes": "Poisoning detection in CDE penetration testing programme"
|
|
360
|
+
},
|
|
361
|
+
{
|
|
362
|
+
"framework": "PCI DSS v4.0",
|
|
363
|
+
"control_id": "Req 12.8",
|
|
364
|
+
"control_name": "TPSP programme",
|
|
365
|
+
"tier": "Hardening",
|
|
366
|
+
"scope": "Both",
|
|
367
|
+
"notes": "Training data providers as TPSPs — data quality and integrity requirements in vendor agreements"
|
|
368
|
+
},
|
|
369
|
+
{
|
|
370
|
+
"framework": "ENISA Multilayer Framework",
|
|
371
|
+
"control_id": "L2",
|
|
372
|
+
"control_name": "Data and Model Security (DMS)",
|
|
373
|
+
"tier": "Hardening",
|
|
374
|
+
"scope": "Both",
|
|
375
|
+
"notes": "All training data sources verified — provenance documented, anomaly detection on data pipelines, integrity checks before ingestion"
|
|
376
|
+
},
|
|
377
|
+
{
|
|
378
|
+
"framework": "ENISA Multilayer Framework",
|
|
379
|
+
"control_id": "L2",
|
|
380
|
+
"control_name": "AI System Integrity (ASI)",
|
|
381
|
+
"tier": "Hardening",
|
|
382
|
+
"scope": "Both",
|
|
383
|
+
"notes": "Model weights verified before deployment — cryptographic signatures, behavioural baseline testing for unexpected outputs"
|
|
384
|
+
},
|
|
385
|
+
{
|
|
386
|
+
"framework": "ENISA Multilayer Framework",
|
|
387
|
+
"control_id": "L2",
|
|
388
|
+
"control_name": "Monitoring and Detection (MON)",
|
|
389
|
+
"tier": "Hardening",
|
|
390
|
+
"scope": "Both",
|
|
391
|
+
"notes": "Runtime monitoring for unexpected model behaviour — output distribution drift, sudden accuracy changes, anomalous activation patterns"
|
|
392
|
+
},
|
|
393
|
+
{
|
|
394
|
+
"framework": "ENISA Multilayer Framework",
|
|
395
|
+
"control_id": "SCS",
|
|
396
|
+
"control_name": "Supply Chain Security",
|
|
397
|
+
"tier": "Hardening",
|
|
398
|
+
"scope": "Both",
|
|
399
|
+
"notes": "All external training datasets treated as untrusted supply chain components — provenance, quality review, and integrity verification before use"
|
|
400
|
+
},
|
|
401
|
+
{
|
|
402
|
+
"framework": "OWASP SAMM v2.0",
|
|
403
|
+
"control_id": "D-SA",
|
|
404
|
+
"control_name": "Design / Security Architecture",
|
|
405
|
+
"tier": "Foundational",
|
|
406
|
+
"scope": "Both",
|
|
407
|
+
"notes": "Design authentication and integrity controls for every pipeline stage"
|
|
408
|
+
},
|
|
409
|
+
{
|
|
410
|
+
"framework": "OWASP SAMM v2.0",
|
|
411
|
+
"control_id": "I-SB",
|
|
412
|
+
"control_name": "Implementation / Secure Build",
|
|
413
|
+
"tier": "Foundational",
|
|
414
|
+
"scope": "Both",
|
|
415
|
+
"notes": "mTLS, input validation, and access controls enforced across pipeline"
|
|
416
|
+
},
|
|
417
|
+
{
|
|
418
|
+
"framework": "OWASP SAMM v2.0",
|
|
419
|
+
"control_id": "I-SD",
|
|
420
|
+
"control_name": "Implementation / Secure Deployment",
|
|
421
|
+
"tier": "Foundational",
|
|
422
|
+
"scope": "Both",
|
|
423
|
+
"notes": "Infrastructure-as-code with security controls applied at provisioning"
|
|
424
|
+
},
|
|
425
|
+
{
|
|
426
|
+
"framework": "OWASP SAMM v2.0",
|
|
427
|
+
"control_id": "V-AA",
|
|
428
|
+
"control_name": "Verification / Architecture Assessment",
|
|
429
|
+
"tier": "Foundational",
|
|
430
|
+
"scope": "Both",
|
|
431
|
+
"notes": "Review every pipeline component for authentication and integrity gaps"
|
|
432
|
+
},
|
|
433
|
+
{
|
|
434
|
+
"framework": "OWASP SAMM v2.0",
|
|
435
|
+
"control_id": "O-EM",
|
|
436
|
+
"control_name": "Operations / Environment Management",
|
|
437
|
+
"tier": "Foundational",
|
|
438
|
+
"scope": "Both",
|
|
439
|
+
"notes": "Regular security updates for all pipeline components"
|
|
440
|
+
},
|
|
441
|
+
{
|
|
442
|
+
"framework": "CWE/CVE",
|
|
443
|
+
"control_id": "CWE-345",
|
|
444
|
+
"control_name": "CWE-345",
|
|
445
|
+
"tier": "Hardening",
|
|
446
|
+
"scope": "Both",
|
|
447
|
+
"url": "https://cwe.mitre.org/data/definitions/345.html"
|
|
448
|
+
},
|
|
449
|
+
{
|
|
450
|
+
"framework": "CWE/CVE",
|
|
451
|
+
"control_id": "CWE-346",
|
|
452
|
+
"control_name": "CWE-346",
|
|
453
|
+
"tier": "Hardening",
|
|
454
|
+
"scope": "Both",
|
|
455
|
+
"url": "https://cwe.mitre.org/data/definitions/346.html"
|
|
456
|
+
},
|
|
457
|
+
{
|
|
458
|
+
"framework": "CWE/CVE",
|
|
459
|
+
"control_id": "CWE-20",
|
|
460
|
+
"control_name": "CWE-20",
|
|
461
|
+
"tier": "Hardening",
|
|
462
|
+
"scope": "Both",
|
|
463
|
+
"url": "https://cwe.mitre.org/data/definitions/20.html"
|
|
464
|
+
},
|
|
465
|
+
{
|
|
466
|
+
"framework": "MAESTRO",
|
|
467
|
+
"control_id": "L2",
|
|
468
|
+
"control_name": "Data Operations",
|
|
469
|
+
"tier": "Hardening",
|
|
470
|
+
"scope": "Both"
|
|
471
|
+
},
|
|
472
|
+
{
|
|
473
|
+
"framework": "MAESTRO",
|
|
474
|
+
"control_id": "L4",
|
|
475
|
+
"control_name": "Deployment & Infrastructure",
|
|
476
|
+
"tier": "Hardening",
|
|
477
|
+
"scope": "Both"
|
|
478
|
+
},
|
|
479
|
+
{
|
|
480
|
+
"framework": "MAESTRO",
|
|
481
|
+
"control_id": "L1",
|
|
482
|
+
"control_name": "Foundation Models",
|
|
483
|
+
"tier": "Hardening",
|
|
484
|
+
"scope": "Both"
|
|
485
|
+
},
|
|
486
|
+
{
|
|
487
|
+
"framework": "MAESTRO",
|
|
488
|
+
"control_id": "L5",
|
|
489
|
+
"control_name": "Evaluation & Observability",
|
|
490
|
+
"tier": "Hardening",
|
|
491
|
+
"scope": "Both"
|
|
492
|
+
},
|
|
493
|
+
{
|
|
494
|
+
"framework": "AIUC-1",
|
|
495
|
+
"control_id": "A",
|
|
496
|
+
"control_name": "Data & Privacy domain",
|
|
497
|
+
"tier": "Foundational",
|
|
498
|
+
"scope": "Both",
|
|
499
|
+
"notes": "Foundational"
|
|
500
|
+
},
|
|
501
|
+
{
|
|
502
|
+
"framework": "AIUC-1",
|
|
503
|
+
"control_id": "B001",
|
|
504
|
+
"control_name": "Third-party adversarial robustness testing",
|
|
505
|
+
"tier": "Foundational",
|
|
506
|
+
"scope": "Both",
|
|
507
|
+
"notes": "Foundational"
|
|
508
|
+
},
|
|
509
|
+
{
|
|
510
|
+
"framework": "AIUC-1",
|
|
511
|
+
"control_id": "B003",
|
|
512
|
+
"control_name": "Third-party security assessment",
|
|
513
|
+
"tier": "Foundational",
|
|
514
|
+
"scope": "Both",
|
|
515
|
+
"notes": "Hardening"
|
|
516
|
+
},
|
|
517
|
+
{
|
|
518
|
+
"framework": "AIUC-1",
|
|
519
|
+
"control_id": "E",
|
|
520
|
+
"control_name": "Audit trails and logging",
|
|
521
|
+
"tier": "Foundational",
|
|
522
|
+
"scope": "Both",
|
|
523
|
+
"notes": "Foundational"
|
|
524
|
+
},
|
|
525
|
+
{
|
|
526
|
+
"framework": "OWASP NHI Top 10",
|
|
527
|
+
"control_id": "Unauthenticated connections between pipeline stages",
|
|
528
|
+
"control_name": "NHI-4 Insecure Authentication",
|
|
529
|
+
"tier": "Foundational",
|
|
530
|
+
"scope": "Both",
|
|
531
|
+
"notes": "Require mTLS or token auth for all pipeline connections"
|
|
532
|
+
},
|
|
533
|
+
{
|
|
534
|
+
"framework": "OWASP NHI Top 10",
|
|
535
|
+
"control_id": "Pipeline service account with access to all stages",
|
|
536
|
+
"control_name": "NHI-5 Over-Privileged NHI",
|
|
537
|
+
"tier": "Foundational",
|
|
538
|
+
"scope": "Both",
|
|
539
|
+
"notes": "Per-stage credentials with minimum scope"
|
|
540
|
+
},
|
|
541
|
+
{
|
|
542
|
+
"framework": "OWASP NHI Top 10",
|
|
543
|
+
"control_id": "Same credential used for multiple pipeline stages",
|
|
544
|
+
"control_name": "NHI-9 NHI Reuse",
|
|
545
|
+
"tier": "Foundational",
|
|
546
|
+
"scope": "Both",
|
|
547
|
+
"notes": "Separate credentials per stage"
|
|
548
|
+
},
|
|
549
|
+
{
|
|
550
|
+
"framework": "NIST SP 800-218A",
|
|
551
|
+
"control_id": "PS.1.1-PS",
|
|
552
|
+
"control_name": "Protect all code from unauthorised access — data and artefact integrity",
|
|
553
|
+
"tier": "Foundational",
|
|
554
|
+
"scope": "Both",
|
|
555
|
+
"notes": "Protect training data, model weights, adapters, and pipeline artefacts from unauthorised modification; enforce write access controls and integrity monitoring"
|
|
556
|
+
},
|
|
557
|
+
{
|
|
558
|
+
"framework": "NIST SP 800-218A",
|
|
559
|
+
"control_id": "PS.3.1-PS",
|
|
560
|
+
"control_name": "Archive and protect software releases — versioned artefact management",
|
|
561
|
+
"tier": "Foundational",
|
|
562
|
+
"scope": "Both",
|
|
563
|
+
"notes": "Maintain versioned, integrity-verified snapshots of all training data, model checkpoints, and pipeline artefacts; enable rollback to known-good state"
|
|
564
|
+
},
|
|
565
|
+
{
|
|
566
|
+
"framework": "NIST SP 800-218A",
|
|
567
|
+
"control_id": "PW.4.1-PS",
|
|
568
|
+
"control_name": "Reuse existing well-secured software — dataset and artefact vetting",
|
|
569
|
+
"tier": "Foundational",
|
|
570
|
+
"scope": "Both",
|
|
571
|
+
"notes": "Vet all third-party datasets, pre-trained models, and pipeline components for provenance, integrity, and potential poisoning before use"
|
|
572
|
+
},
|
|
573
|
+
{
|
|
574
|
+
"framework": "NIST SP 800-218A",
|
|
575
|
+
"control_id": "RV.3.1-PS",
|
|
576
|
+
"control_name": "Analyse root causes — poisoning forensics",
|
|
577
|
+
"tier": "Foundational",
|
|
578
|
+
"scope": "Both",
|
|
579
|
+
"notes": "When poisoning is detected, conduct forensic analysis to identify corrupted records, trace to source, and determine blast radius across dependent models"
|
|
580
|
+
},
|
|
581
|
+
{
|
|
582
|
+
"framework": "FedRAMP",
|
|
583
|
+
"control_id": "SR-2",
|
|
584
|
+
"control_name": "Supply Chain Risk Management Plan — AI data and artefact sources",
|
|
585
|
+
"tier": "Foundational",
|
|
586
|
+
"scope": "Both",
|
|
587
|
+
"notes": "Include AI training data, model weights, and pipeline artefacts in supply chain risk management with provenance documentation"
|
|
588
|
+
},
|
|
589
|
+
{
|
|
590
|
+
"framework": "FedRAMP",
|
|
591
|
+
"control_id": "SR-3",
|
|
592
|
+
"control_name": "Supply Chain Controls — artefact provenance verification",
|
|
593
|
+
"tier": "Foundational",
|
|
594
|
+
"scope": "Both",
|
|
595
|
+
"notes": "Verify integrity and provenance of all AI artefacts using cryptographic signatures and checksums before use in any pipeline"
|
|
596
|
+
},
|
|
597
|
+
{
|
|
598
|
+
"framework": "FedRAMP",
|
|
599
|
+
"control_id": "SI-3",
|
|
600
|
+
"control_name": "Malicious Code Protection — training pipeline integrity",
|
|
601
|
+
"tier": "Foundational",
|
|
602
|
+
"scope": "Both",
|
|
603
|
+
"notes": "Extend malicious code protection to training data and model artefacts; detect poisoned data, anomalous patterns, and backdoor indicators"
|
|
604
|
+
},
|
|
605
|
+
{
|
|
606
|
+
"framework": "FedRAMP",
|
|
607
|
+
"control_id": "SC-28",
|
|
608
|
+
"control_name": "Protection of Information at Rest — artefact encryption",
|
|
609
|
+
"tier": "Foundational",
|
|
610
|
+
"scope": "Both",
|
|
611
|
+
"notes": "Encrypt all training data, model weights, and pipeline artefacts at rest; enforce key management per FedRAMP requirements"
|
|
612
|
+
},
|
|
613
|
+
{
|
|
614
|
+
"framework": "DORA",
|
|
615
|
+
"control_id": "Art. 9",
|
|
616
|
+
"control_name": "Protection and Prevention — training pipeline integrity",
|
|
617
|
+
"tier": "Foundational",
|
|
618
|
+
"scope": "Both",
|
|
619
|
+
"notes": "Implement security controls protecting training data and model artefacts from poisoning, tampering, and unauthorised modification"
|
|
620
|
+
},
|
|
621
|
+
{
|
|
622
|
+
"framework": "DORA",
|
|
623
|
+
"control_id": "Art. 24–27",
|
|
624
|
+
"control_name": "Resilience Testing — poisoning detection testing",
|
|
625
|
+
"tier": "Foundational",
|
|
626
|
+
"scope": "Both",
|
|
627
|
+
"notes": "Include data poisoning scenarios in resilience testing; test detection capabilities and recovery procedures for poisoned data and model artefacts"
|
|
628
|
+
},
|
|
629
|
+
{
|
|
630
|
+
"framework": "DORA",
|
|
631
|
+
"control_id": "Art. 12",
|
|
632
|
+
"control_name": "Backup Policies — model and data restoration",
|
|
633
|
+
"tier": "Foundational",
|
|
634
|
+
"scope": "Both",
|
|
635
|
+
"notes": "Maintain versioned backups of training data and model weights with integrity verification; enable rollback to pre-poisoning states"
|
|
636
|
+
},
|
|
637
|
+
{
|
|
638
|
+
"framework": "DORA",
|
|
639
|
+
"control_id": "Art. 13",
|
|
640
|
+
"control_name": "Learning and Evolving — poisoning post-mortem",
|
|
641
|
+
"tier": "Foundational",
|
|
642
|
+
"scope": "Both",
|
|
643
|
+
"notes": "Conduct post-incident analysis for data poisoning events; trace poisoned content and update protection controls"
|
|
644
|
+
}
|
|
645
|
+
],
|
|
646
|
+
"tools": [
|
|
647
|
+
{
|
|
648
|
+
"name": "IBM Adversarial Robustness Toolbox",
|
|
649
|
+
"type": "open-source",
|
|
650
|
+
"url": "https://github.com/Trusted-AI/adversarial-robustness-toolbox"
|
|
651
|
+
},
|
|
652
|
+
{
|
|
653
|
+
"name": "CleanLab",
|
|
654
|
+
"type": "open-source",
|
|
655
|
+
"url": "https://github.com/cleanlab/cleanlab"
|
|
656
|
+
},
|
|
657
|
+
{
|
|
658
|
+
"name": "ModelScan",
|
|
659
|
+
"type": "open-source",
|
|
660
|
+
"url": "https://github.com/protectai/modelscan"
|
|
661
|
+
},
|
|
662
|
+
{
|
|
663
|
+
"name": "Armory",
|
|
664
|
+
"type": "open-source",
|
|
665
|
+
"url": "https://github.com/twosixlabs/armory"
|
|
666
|
+
},
|
|
667
|
+
{
|
|
668
|
+
"name": "Cleanlab",
|
|
669
|
+
"type": "open-source",
|
|
670
|
+
"url": "https://github.com/cleanlab/cleanlab"
|
|
671
|
+
},
|
|
672
|
+
{
|
|
673
|
+
"name": "Great Expectations",
|
|
674
|
+
"type": "open-source",
|
|
675
|
+
"url": "https://github.com/great-expectations/great_expectations"
|
|
676
|
+
},
|
|
677
|
+
{
|
|
678
|
+
"name": "Sigstore",
|
|
679
|
+
"type": "open-source",
|
|
680
|
+
"url": "https://www.sigstore.dev"
|
|
681
|
+
},
|
|
682
|
+
{
|
|
683
|
+
"name": "LAAF v2.0",
|
|
684
|
+
"url": "https://github.com/qorvexconsulting1/laaf-V2.0",
|
|
685
|
+
"type": "open-source"
|
|
686
|
+
}
|
|
687
|
+
],
|
|
688
|
+
"incidents": [
|
|
689
|
+
{
|
|
690
|
+
"name": "ChatGPT indirect prompt injection via attacker-controlled web content",
|
|
691
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
692
|
+
"year": 2023,
|
|
693
|
+
"incident_id": "INC-003"
|
|
694
|
+
},
|
|
695
|
+
{
|
|
696
|
+
"name": "Hugging Face model repository pickle-based malware supply chain",
|
|
697
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
698
|
+
"year": 2024,
|
|
699
|
+
"incident_id": "INC-009"
|
|
700
|
+
},
|
|
701
|
+
{
|
|
702
|
+
"name": "RAG corpus poisoning — embedding-space manipulation to force retrieval",
|
|
703
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
704
|
+
"year": 2024,
|
|
705
|
+
"incident_id": "INC-016"
|
|
706
|
+
},
|
|
707
|
+
{
|
|
708
|
+
"name": "LAAF v2.0 — Empirical LPCI breakthrough rates of 67–100% across 5 production LLMs",
|
|
709
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
710
|
+
"year": 2026,
|
|
711
|
+
"incident_id": "INC-021"
|
|
712
|
+
},
|
|
713
|
+
{
|
|
714
|
+
"name": "Greshake et al. \"Not What You've Signed Up For\" indirect prompt injection paper",
|
|
715
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
716
|
+
"year": 2023,
|
|
717
|
+
"incident_id": "INC-022"
|
|
718
|
+
},
|
|
719
|
+
{
|
|
720
|
+
"name": "Nassi et al. \"ComPromptMized\" Morris II multi-agent worm",
|
|
721
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
722
|
+
"year": 2024,
|
|
723
|
+
"incident_id": "INC-023"
|
|
724
|
+
},
|
|
725
|
+
{
|
|
726
|
+
"name": "Adversarial embedding attacks on production RAG systems",
|
|
727
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
728
|
+
"year": 2024,
|
|
729
|
+
"incident_id": "INC-046"
|
|
730
|
+
}
|
|
731
|
+
],
|
|
732
|
+
"crossrefs": {
|
|
733
|
+
"llm_top10": [
|
|
734
|
+
"LLM03",
|
|
735
|
+
"LLM04",
|
|
736
|
+
"LLM08",
|
|
737
|
+
"LLM05"
|
|
738
|
+
],
|
|
739
|
+
"agentic_top10": [
|
|
740
|
+
"ASI06",
|
|
741
|
+
"ASI04"
|
|
742
|
+
]
|
|
743
|
+
},
|
|
744
|
+
"changelog": [
|
|
745
|
+
{
|
|
746
|
+
"date": "2026-03-27",
|
|
747
|
+
"version": "1.0.0",
|
|
748
|
+
"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
|
|
749
|
+
"author": "emmanuelgjr"
|
|
750
|
+
}
|
|
751
|
+
]
|
|
752
|
+
}
|