genai-security-crosswalk 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/LICENSE.md +28 -0
  2. package/README.md +618 -0
  3. package/data/entries/ASI01.json +911 -0
  4. package/data/entries/ASI02.json +850 -0
  5. package/data/entries/ASI03.json +854 -0
  6. package/data/entries/ASI04.json +759 -0
  7. package/data/entries/ASI05.json +764 -0
  8. package/data/entries/ASI06.json +817 -0
  9. package/data/entries/ASI07.json +789 -0
  10. package/data/entries/ASI08.json +788 -0
  11. package/data/entries/ASI09.json +754 -0
  12. package/data/entries/ASI10.json +833 -0
  13. package/data/entries/DSGAI01.json +779 -0
  14. package/data/entries/DSGAI02.json +728 -0
  15. package/data/entries/DSGAI03.json +671 -0
  16. package/data/entries/DSGAI04.json +752 -0
  17. package/data/entries/DSGAI05.json +689 -0
  18. package/data/entries/DSGAI06.json +673 -0
  19. package/data/entries/DSGAI07.json +680 -0
  20. package/data/entries/DSGAI08.json +698 -0
  21. package/data/entries/DSGAI09.json +687 -0
  22. package/data/entries/DSGAI10.json +627 -0
  23. package/data/entries/DSGAI11.json +663 -0
  24. package/data/entries/DSGAI12.json +695 -0
  25. package/data/entries/DSGAI13.json +688 -0
  26. package/data/entries/DSGAI14.json +703 -0
  27. package/data/entries/DSGAI15.json +655 -0
  28. package/data/entries/DSGAI16.json +716 -0
  29. package/data/entries/DSGAI17.json +690 -0
  30. package/data/entries/DSGAI18.json +613 -0
  31. package/data/entries/DSGAI19.json +638 -0
  32. package/data/entries/DSGAI20.json +671 -0
  33. package/data/entries/DSGAI21.json +881 -0
  34. package/data/entries/LLM01.json +975 -0
  35. package/data/entries/LLM02.json +868 -0
  36. package/data/entries/LLM03.json +817 -0
  37. package/data/entries/LLM04.json +797 -0
  38. package/data/entries/LLM05.json +761 -0
  39. package/data/entries/LLM06.json +848 -0
  40. package/data/entries/LLM07.json +749 -0
  41. package/data/entries/LLM08.json +750 -0
  42. package/data/entries/LLM09.json +760 -0
  43. package/data/entries/LLM10.json +763 -0
  44. package/data/incidents-schema.json +121 -0
  45. package/data/incidents.json +1484 -0
  46. package/data/schema.json +134 -0
  47. package/dist/index.d.ts +97 -0
  48. package/dist/index.d.ts.map +1 -0
  49. package/dist/index.js +124 -0
  50. package/dist/index.js.map +1 -0
  51. package/dist/index.test.d.ts +2 -0
  52. package/dist/index.test.d.ts.map +1 -0
  53. package/dist/index.test.js +97 -0
  54. package/dist/index.test.js.map +1 -0
  55. package/package.json +62 -0
package/data/entries/ASI01.json ADDED
@@ -0,0 +1,911 @@
1
+ {
2
+ "id": "ASI01",
3
+ "name": "Agent Goal Hijack",
4
+ "source_list": "Agentic-Top10-2026",
5
+ "version": "2026-Q1",
6
+ "severity": "Critical",
7
+ "aivss_score": 9.8,
8
+ "audience": [
9
+ "red-teamer",
10
+ "security-engineer",
11
+ "ml-engineer",
12
+ "ot-engineer",
13
+ "ciso",
14
+ "compliance",
15
+ "auditor",
16
+ "developer"
17
+ ],
18
+ "mappings": [
19
+ {
20
+ "framework": "MITRE ATLAS",
21
+ "control_id": "AML.T0051.000",
22
+ "control_name": "Direct Prompt Injection",
23
+ "tier": "Foundational",
24
+ "scope": "Both",
25
+ "url": "https://atlas.mitre.org/techniques/AML.T0051.000",
26
+ "notes": "Attacker directly injects goal-altering instructions into agent input"
27
+ },
28
+ {
29
+ "framework": "MITRE ATLAS",
30
+ "control_id": "AML.T0051.001",
31
+ "control_name": "Indirect Prompt Injection",
32
+ "tier": "Foundational",
33
+ "scope": "Both",
34
+ "url": "https://atlas.mitre.org/techniques/AML.T0051.001",
35
+ "notes": "Hidden instructions in documents, emails, RAG results, or tool outputs alter agent goals without user visibility"
36
+ },
37
+ {
38
+ "framework": "MITRE ATLAS",
39
+ "control_id": "AML.T0054",
40
+ "control_name": "LLM Jailbreak",
41
+ "tier": "Foundational",
42
+ "scope": "Both",
43
+ "url": "https://atlas.mitre.org/techniques/AML.T0054",
44
+ "notes": "Override safety guardrails that constrain agent goal execution"
45
+ },
46
+ {
47
+ "framework": "NIST AI RMF 1.0",
48
+ "control_id": "GV-1.7",
49
+ "control_name": "Policies for trustworthy AI",
50
+ "tier": "Foundational",
51
+ "scope": "Both",
52
+ "notes": "Organisational policy defines permissible agent autonomy — agents cannot change their stated goals without human confirmation"
53
+ },
54
+ {
55
+ "framework": "NIST AI RMF 1.0",
56
+ "control_id": "MP-2.3",
57
+ "control_name": "Risk categorisation",
58
+ "tier": "Foundational",
59
+ "scope": "Both",
60
+ "notes": "Agent goal hijack categorised in AI risk register per deployment — specific injection vectors mapped"
61
+ },
62
+ {
63
+ "framework": "NIST AI RMF 1.0",
64
+ "control_id": "MS-2.5",
65
+ "control_name": "Testing — adversarial",
66
+ "tier": "Foundational",
67
+ "scope": "Both",
68
+ "notes": "Adversarial testing programme covers goal hijack scenarios — indirect injection via all agent data sources"
69
+ },
70
+ {
71
+ "framework": "NIST AI RMF 1.0",
72
+ "control_id": "MG-2.2",
73
+ "control_name": "Risk response",
74
+ "tier": "Foundational",
75
+ "scope": "Both",
76
+ "notes": "Incident response for detected goal hijack — suspension procedure, action reversal checklist, OT impact assessment"
77
+ },
78
+ {
79
+ "framework": "EU AI Act",
80
+ "control_id": "Goal hijack scenarios identified and mitigated in risk management system",
81
+ "control_name": "Art. 9 — Risk management",
82
+ "tier": "Foundational",
83
+ "scope": "Both",
84
+ "notes": "Agent goal hijack included in Art. 9 risk assessment for every agentic deployment"
85
+ },
86
+ {
87
+ "framework": "EU AI Act",
88
+ "control_id": "Meaningful human oversight over high-risk AI system outputs",
89
+ "control_name": "Art. 14 — Human oversight",
90
+ "tier": "Foundational",
91
+ "scope": "Both",
92
+ "notes": "Agents whose goals can be hijacked and execute autonomously are an Art. 14 failure — human confirmation required before goal-changing actions"
93
+ },
94
+ {
95
+ "framework": "EU AI Act",
96
+ "control_id": "Technical resilience against adversarial input manipulation",
97
+ "control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
98
+ "tier": "Foundational",
99
+ "scope": "Both",
100
+ "notes": "Input filtering, goal-state verification, and injection detection are Art. 15 technical requirements"
101
+ },
102
+ {
103
+ "framework": "ISO/IEC 27001:2022",
104
+ "control_id": "A.8.28",
105
+ "control_name": "Secure coding",
106
+ "tier": "Foundational",
107
+ "scope": "Both",
108
+ "notes": "Secure coding requirements for all agentic integration code — input validation, goal-state verification, context separation"
109
+ },
110
+ {
111
+ "framework": "ISO/IEC 27001:2022",
112
+ "control_id": "A.8.29",
113
+ "control_name": "Security testing",
114
+ "tier": "Foundational",
115
+ "scope": "Both",
116
+ "notes": "Adversarial testing programme covering goal hijack — direct, indirect, multi-turn injection before each release"
117
+ },
118
+ {
119
+ "framework": "ISO/IEC 27001:2022",
120
+ "control_id": "A.8.16",
121
+ "control_name": "Monitoring activities",
122
+ "tier": "Foundational",
123
+ "scope": "Both",
124
+ "notes": "Runtime monitoring for injection indicators across all agent input channels — new 2022 control"
125
+ },
126
+ {
127
+ "framework": "ISO/IEC 27001:2022",
128
+ "control_id": "A.5.7",
129
+ "control_name": "Threat intelligence",
130
+ "tier": "Foundational",
131
+ "scope": "Both",
132
+ "notes": "Active intelligence on prompt injection and goal hijack techniques — new attack methods inform detection controls"
133
+ },
134
+ {
135
+ "framework": "ISO/IEC 42001:2023",
136
+ "control_id": "A.6.2.3",
137
+ "control_name": "AI system security",
138
+ "tier": "Foundational",
139
+ "scope": "Both",
140
+ "notes": "Goal-state verification and input validation as AIMS security design requirements — structural controls enforced at orchestration layer"
141
+ },
142
+ {
143
+ "framework": "ISO/IEC 42001:2023",
144
+ "control_id": "A.6.2.6",
145
+ "control_name": "Testing of AI systems",
146
+ "tier": "Foundational",
147
+ "scope": "Both",
148
+ "notes": "Goal hijack scenarios in AIMS testing — direct, indirect, multi-turn injection tested before each production release"
149
+ },
150
+ {
151
+ "framework": "ISO/IEC 42001:2023",
152
+ "control_id": "A.5.2",
153
+ "control_name": "Impact assessment",
154
+ "tier": "Foundational",
155
+ "scope": "Both",
156
+ "notes": "Impact assessment covers goal hijack risk — what autonomous actions are possible if goal is redirected, who is affected"
157
+ },
158
+ {
159
+ "framework": "ISO/IEC 42001:2023",
160
+ "control_id": "Cl.6.1",
161
+ "control_name": "Risk assessment",
162
+ "tier": "Foundational",
163
+ "scope": "Both",
164
+ "notes": "Goal hijack in AI risk register — blast radius per deployment, owner, treatment, review cadence"
165
+ },
166
+ {
167
+ "framework": "CIS Controls v8.1",
168
+ "control_id": "16.1 Establish secure application development standards",
169
+ "control_name": "CIS 16 — Application Software Security",
170
+ "tier": "Foundational",
171
+ "scope": "Both",
172
+ "notes": "Secure development standards covering agentic integrations — input validation, goal-state verification"
173
+ },
174
+ {
175
+ "framework": "CIS Controls v8.1",
176
+ "control_id": "18.1 Establish penetration testing programme",
177
+ "control_name": "CIS 18 — Penetration Testing",
178
+ "tier": "Foundational",
179
+ "scope": "Both",
180
+ "notes": "Adversarial testing covering goal hijack — direct, indirect, multi-turn injection scenarios"
181
+ },
182
+ {
183
+ "framework": "CIS Controls v8.1",
184
+ "control_id": "8.2 Collect audit logs",
185
+ "control_name": "CIS 8 — Audit Log Management",
186
+ "tier": "Foundational",
187
+ "scope": "Both",
188
+ "notes": "All agent inputs logged — injection attempts detectable through log analysis"
189
+ },
190
+ {
191
+ "framework": "CIS Controls v8.1",
192
+ "control_id": "13.8 Deploy a network intrusion detection solution",
193
+ "control_name": "CIS 13 — Network Monitoring and Defence",
194
+ "tier": "Foundational",
195
+ "scope": "Both",
196
+ "notes": "Network-layer monitoring for injection indicators in agent traffic"
197
+ },
198
+ {
199
+ "framework": "OWASP ASVS 4.0.3",
200
+ "control_id": "V5.1.1",
201
+ "control_name": "Verify all user input validated against allowlist",
202
+ "tier": "Foundational",
203
+ "scope": "Both",
204
+ "notes": "All inputs to agents validated — indirect injection through processed content equally in scope"
205
+ },
206
+ {
207
+ "framework": "OWASP ASVS 4.0.3",
208
+ "control_id": "V5.2.1",
209
+ "control_name": "Verify output encoding prevents injection",
210
+ "tier": "Foundational",
211
+ "scope": "Both",
212
+ "notes": "Agent responses encoded before passing to downstream renderers — outputs treated as untrusted"
213
+ },
214
+ {
215
+ "framework": "OWASP ASVS 4.0.3",
216
+ "control_id": "V5.2.5",
217
+ "control_name": "Verify application protects against OS command injection",
218
+ "tier": "Foundational",
219
+ "scope": "Both",
220
+ "notes": "Agent-generated instructions not executed in system context without validation"
221
+ },
222
+ {
223
+ "framework": "OWASP ASVS 4.0.3",
224
+ "control_id": "V1.1.2",
225
+ "control_name": "Threat modelling of all data flows",
226
+ "tier": "Foundational",
227
+ "scope": "Both",
228
+ "notes": "All agent input sources threat-modelled — every indirect injection path documented"
229
+ },
230
+ {
231
+ "framework": "OWASP ASVS 4.0.3",
232
+ "control_id": "V11.1.2",
233
+ "control_name": "Verify business logic limits prevent function abuse",
234
+ "tier": "Foundational",
235
+ "scope": "Both",
236
+ "notes": "Business logic controls prevent injection from redirecting agent goal"
237
+ },
238
+ {
239
+ "framework": "ISA/IEC 62443",
240
+ "control_id": "SR 3.3",
241
+ "control_name": "Software and information integrity",
242
+ "tier": "Foundational",
243
+ "scope": "Both",
244
+ "notes": "All inputs to OT agents validated for integrity — no unvalidated external content directly into agent context"
245
+ },
246
+ {
247
+ "framework": "ISA/IEC 62443",
248
+ "control_id": "SR 2.2",
249
+ "control_name": "Least privilege",
250
+ "tier": "Foundational",
251
+ "scope": "Both",
252
+ "notes": "Agents granted minimum tool access — each tool scoped to specific OT function, read-only by default"
253
+ },
254
+ {
255
+ "framework": "ISA/IEC 62443",
256
+ "control_id": "SR 2.1",
257
+ "control_name": "Use control enforcement",
258
+ "tier": "Foundational",
259
+ "scope": "Both",
260
+ "notes": "Agent actions in OT context subject to explicit use controls — goal-changing actions require human confirmation"
261
+ },
262
+ {
263
+ "framework": "ISA/IEC 62443",
264
+ "control_id": "SR 6.1",
265
+ "control_name": "Timely response to events",
266
+ "tier": "Foundational",
267
+ "scope": "Both",
268
+ "notes": "Goal hijack indicators treated as security events — agent suspended, human notified, actions reversed where feasible"
269
+ },
270
+ {
271
+ "framework": "ISA/IEC 62443",
272
+ "control_id": "SR 1.9",
273
+ "control_name": "Session lock",
274
+ "tier": "Foundational",
275
+ "scope": "Both",
276
+ "notes": "Operator-accessible agent kill switch — halt all agent activity immediately without affecting process control"
277
+ },
278
+ {
279
+ "framework": "NIST SP 800-82 Rev 3",
280
+ "control_id": "Vulnerabilities common to IT/OT",
281
+ "control_name": "§5.3",
282
+ "tier": "Foundational",
283
+ "scope": "Both",
284
+ "notes": "Injection via historian and SCADA data feeds"
285
+ },
286
+ {
287
+ "framework": "NIST SP 800-82 Rev 3",
288
+ "control_id": "Risk assessment",
289
+ "control_name": "§6.2",
290
+ "tier": "Foundational",
291
+ "scope": "Both",
292
+ "notes": "Assess injection risk at every agent data ingestion point"
293
+ },
294
+ {
295
+ "framework": "NIST SP 800-82 Rev 3",
296
+ "control_id": "Security controls for ICS",
297
+ "control_name": "§7.2",
298
+ "tier": "Foundational",
299
+ "scope": "Both",
300
+ "notes": "Input validation mandatory at OT data boundary"
301
+ },
302
+ {
303
+ "framework": "NIST CSF 2.0",
304
+ "control_id": "GV.OC-01",
305
+ "control_name": "Organisational Context",
306
+ "tier": "Foundational",
307
+ "scope": "Both",
308
+ "notes": "Policy defines permissible agent autonomy — agents cannot change stated goals without human confirmation"
309
+ },
310
+ {
311
+ "framework": "NIST CSF 2.0",
312
+ "control_id": "PR.PS-04",
313
+ "control_name": "Platform Security",
314
+ "tier": "Foundational",
315
+ "scope": "Both",
316
+ "notes": "Secure software development — input validation and goal-state verification as platform security controls"
317
+ },
318
+ {
319
+ "framework": "NIST CSF 2.0",
320
+ "control_id": "DE.CM-01",
321
+ "control_name": "Continuous Monitoring",
322
+ "tier": "Foundational",
323
+ "scope": "Both",
324
+ "notes": "Networks and assets monitored — injection indicators detected across all agent input channels"
325
+ },
326
+ {
327
+ "framework": "NIST CSF 2.0",
328
+ "control_id": "RS.MI-01",
329
+ "control_name": "Incident Mitigation",
330
+ "tier": "Foundational",
331
+ "scope": "Both",
332
+ "notes": "Incidents contained — agent suspended, actions reversed, kill switch activated"
333
+ },
334
+ {
335
+ "framework": "SOC 2",
336
+ "control_id": "Goal hijack risk identified in risk assessment — prompt injection, indirect injection, multi-turn manipulation documented",
337
+ "control_name": "CC3.2",
338
+ "tier": "Foundational",
339
+ "scope": "Both",
340
+ "notes": "Risk register with goal hijack entries, treatment status"
341
+ },
342
+ {
343
+ "framework": "SOC 2",
344
+ "control_id": "Runtime monitoring for goal-deviation indicators — AI-specific anomaly detection covering instruction-override patterns",
345
+ "control_name": "CC7.2",
346
+ "tier": "Foundational",
347
+ "scope": "Both",
348
+ "notes": "Monitoring configuration, alert logs, incident records"
349
+ },
350
+ {
351
+ "framework": "SOC 2",
352
+ "control_id": "Control activities define acceptable agent actions — agent cannot deviate from authorised goal scope",
353
+ "control_name": "CC5.2",
354
+ "tier": "Foundational",
355
+ "scope": "Both",
356
+ "notes": "Agent permission policy, goal-state verification design documentation"
357
+ },
358
+ {
359
+ "framework": "SOC 2",
360
+ "control_id": "Agent processing is authorised — actions taken by agent correspond to user's authorised intent, not attacker's injected instruction",
361
+ "control_name": "PI1.1",
362
+ "tier": "Foundational",
363
+ "scope": "Both",
364
+ "notes": "Action audit log, authorisation records per agent session"
365
+ },
366
+ {
367
+ "framework": "PCI DSS v4.0",
368
+ "control_id": "Bespoke agent code reviewed for injection resistance — all agent integration code includes prompt injection as a vulnerability category",
369
+ "control_name": "Req 6.2",
370
+ "tier": "Foundational",
371
+ "scope": "Both",
372
+ "notes": "Secure code review records, findings, remediation"
373
+ },
374
+ {
375
+ "framework": "PCI DSS v4.0",
376
+ "control_id": "Penetration testing covers goal hijack — agentic AI systems tested for prompt injection before production and annually",
377
+ "control_name": "Req 11.3",
378
+ "tier": "Foundational",
379
+ "scope": "Both",
380
+ "notes": "Pen test report with goal hijack test cases"
381
+ },
382
+ {
383
+ "framework": "PCI DSS v4.0",
384
+ "control_id": "Agent actions logged — all goal-relevant agent actions logged with user identity, session ID, and action detail",
385
+ "control_name": "Req 10.2",
386
+ "tier": "Foundational",
387
+ "scope": "Both",
388
+ "notes": "Audit log configuration, sample log entries"
389
+ },
390
+ {
391
+ "framework": "PCI DSS v4.0",
392
+ "control_id": "Targeted risk analysis documents goal hijack — likelihood, impact on CHD, treatment controls specified",
393
+ "control_name": "Req 12.3",
394
+ "tier": "Foundational",
395
+ "scope": "Both",
396
+ "notes": "Risk analysis for agentic AI in PCI scope"
397
+ },
398
+ {
399
+ "framework": "ENISA Multilayer Framework",
400
+ "control_id": "L2",
401
+ "control_name": "AI System Integrity (ASI)",
402
+ "tier": "Foundational",
403
+ "scope": "Both",
404
+ "notes": "Agent applications tested against goal hijack before deployment — direct and indirect injection across all input channels validated as part of AI system integrity verification"
405
+ },
406
+ {
407
+ "framework": "ENISA Multilayer Framework",
408
+ "control_id": "MON",
409
+ "control_name": "Monitoring and Detection",
410
+ "tier": "Foundational",
411
+ "scope": "Both",
412
+ "notes": "Runtime monitoring for goal-hijack indicators across all agent input channels — AI-specific anomaly detection for instruction-override patterns"
413
+ },
414
+ {
415
+ "framework": "ENISA Multilayer Framework",
416
+ "control_id": "L2",
417
+ "control_name": "Governance and Risk (GOV)",
418
+ "tier": "Foundational",
419
+ "scope": "Both",
420
+ "notes": "Goal hijack documented in AI risk register — risk owner, treatment controls, review cadence"
421
+ },
422
+ {
423
+ "framework": "ENISA Multilayer Framework",
424
+ "control_id": "L1",
425
+ "control_name": "General ICT — Secure Development",
426
+ "tier": "Foundational",
427
+ "scope": "Both",
428
+ "notes": "Input validation and context separation as secure development requirements for all agent integrations"
429
+ },
430
+ {
431
+ "framework": "OWASP SAMM v2.0",
432
+ "control_id": "D-TA",
433
+ "control_name": "Design / Threat Assessment",
434
+ "tier": "Foundational",
435
+ "scope": "Both",
436
+ "notes": "Model all injection surfaces: user input, retrieved content, tool responses, sub-agent messages"
437
+ },
438
+ {
439
+ "framework": "OWASP SAMM v2.0",
440
+ "control_id": "D-TA",
441
+ "control_name": "Design / Threat Assessment",
442
+ "tier": "Foundational",
443
+ "scope": "Both",
444
+ "notes": "High-impact actions (delete, exfiltrate, send) demand higher injection resistance"
445
+ },
446
+ {
447
+ "framework": "OWASP SAMM v2.0",
448
+ "control_id": "I-SB",
449
+ "control_name": "Implementation / Secure Build",
450
+ "tier": "Foundational",
451
+ "scope": "Both",
452
+ "notes": "Enforce at agent boundary; validate all retrieved content before acting"
453
+ },
454
+ {
455
+ "framework": "OWASP SAMM v2.0",
456
+ "control_id": "V-ST",
457
+ "control_name": "Verification / Security Testing",
458
+ "tier": "Foundational",
459
+ "scope": "Both",
460
+ "notes": "Red team injection across all retrieval and tool paths"
461
+ },
462
+ {
463
+ "framework": "OWASP SAMM v2.0",
464
+ "control_id": "O-IM",
465
+ "control_name": "Operations / Incident Management",
466
+ "tier": "Foundational",
467
+ "scope": "Both",
468
+ "notes": "Detect agent plan deviation from expected trajectory"
469
+ },
470
+ {
471
+ "framework": "OWASP SAMM v2.0",
472
+ "control_id": "G-EG",
473
+ "control_name": "Governance / Education & Guidance",
474
+ "tier": "Foundational",
475
+ "scope": "Both",
476
+ "notes": "All developers with access to agent code understand injection risk model"
477
+ },
478
+ {
479
+ "framework": "CWE/CVE",
480
+ "control_id": "Improper Input Validation",
481
+ "control_name": "CWE-20",
482
+ "tier": "Foundational",
483
+ "scope": "Both",
484
+ "notes": "Root cause — agent inputs not validated before entering model context; indirect injection content not treated as untrusted"
485
+ },
486
+ {
487
+ "framework": "CWE/CVE",
488
+ "control_id": "Improper Neutralisation of Special Elements in Output Used by a Downstream Component",
489
+ "control_name": "CWE-74",
490
+ "tier": "Foundational",
491
+ "scope": "Both",
492
+ "notes": "Instruction elements in processed content not neutralised before agent reasoning"
493
+ },
494
+ {
495
+ "framework": "CWE/CVE",
496
+ "control_id": "Protection Mechanism Failure",
497
+ "control_name": "CWE-693",
498
+ "tier": "Foundational",
499
+ "scope": "Both",
500
+ "notes": "Safety and goal-verification controls bypassed through injection"
501
+ },
502
+ {
503
+ "framework": "CWE/CVE",
504
+ "control_id": "Unintended Proxy or Intermediary",
505
+ "control_name": "CWE-441",
506
+ "tier": "Foundational",
507
+ "scope": "Both",
508
+ "notes": "Agent acts as a proxy executing attacker instructions against backend systems"
509
+ },
510
+ {
511
+ "framework": "CWE/CVE",
512
+ "control_id": "Externally Controlled Reference to a Resource in Another Sphere",
513
+ "control_name": "CWE-610",
514
+ "tier": "Foundational",
515
+ "scope": "Both",
516
+ "notes": "Agent retrieves and acts on externally controlled content (RAG, email, tool returns) without adequate validation"
517
+ },
518
+ {
519
+ "framework": "OWASP AI Testing Guide",
520
+ "control_id": "Prompt injection via all agent input channels",
521
+ "control_name": "IHT — Input Handling",
522
+ "tier": "Foundational",
523
+ "scope": "Both",
524
+ "notes": "Inject instruction-overriding content through user prompt, RAG-retrieved documents, tool return values, email content, uploaded files, and any other data source the agent processes"
525
+ },
526
+ {
527
+ "framework": "OWASP AI Testing Guide",
528
+ "control_id": "Goal consistency under adversarial input",
529
+ "control_name": "MBT — Model Behaviour",
530
+ "tier": "Foundational",
531
+ "scope": "Both",
532
+ "notes": "Verify the agent's stated goal at session start matches its actions at session end — test divergence after indirect injection"
533
+ },
534
+ {
535
+ "framework": "OWASP AI Testing Guide",
536
+ "control_id": "Goal state verification effectiveness",
537
+ "control_name": "AST — Agent-Specific",
538
+ "tier": "Foundational",
539
+ "scope": "Both",
540
+ "notes": "Attempt to redirect agent goal through indirect injection paths specific to your deployment — historian data, vendor communications, web results"
541
+ },
542
+ {
543
+ "framework": "MAESTRO",
544
+ "control_id": "L1",
545
+ "control_name": "Foundation Models",
546
+ "tier": "Foundational",
547
+ "scope": "Both"
548
+ },
549
+ {
550
+ "framework": "MAESTRO",
551
+ "control_id": "L2",
552
+ "control_name": "Data Operations",
553
+ "tier": "Foundational",
554
+ "scope": "Both"
555
+ },
556
+ {
557
+ "framework": "MAESTRO",
558
+ "control_id": "L3",
559
+ "control_name": "Agent Frameworks",
560
+ "tier": "Foundational",
561
+ "scope": "Both"
562
+ },
563
+ {
564
+ "framework": "AIUC-1",
565
+ "control_id": "B001",
566
+ "control_name": "Third-party testing of adversarial robustness",
567
+ "tier": "Foundational",
568
+ "scope": "Both"
569
+ },
570
+ {
571
+ "framework": "AIUC-1",
572
+ "control_id": "B002",
573
+ "control_name": "Detect adversarial input",
574
+ "tier": "Foundational",
575
+ "scope": "Both"
576
+ },
577
+ {
578
+ "framework": "AIUC-1",
579
+ "control_id": "B005",
580
+ "control_name": "Implement real-time input filtering",
581
+ "tier": "Foundational",
582
+ "scope": "Both"
583
+ },
584
+ {
585
+ "framework": "AIUC-1",
586
+ "control_id": "B006",
587
+ "control_name": "Prevent unauthorized AI agent actions",
588
+ "tier": "Foundational",
589
+ "scope": "Both"
590
+ },
591
+ {
592
+ "framework": "OWASP NHI Top 10",
593
+ "control_id": "Hijacked agent with excess privilege causes larger blast radius",
594
+ "control_name": "NHI-5 Over-Privileged NHI",
595
+ "tier": "Foundational",
596
+ "scope": "Both",
597
+ "notes": "Scope all agent credentials to minimum required — least privilege enforced"
598
+ },
599
+ {
600
+ "framework": "OWASP NHI Top 10",
601
+ "control_id": "Long-lived tokens allow hijack to persist beyond session",
602
+ "control_name": "NHI-7 Long-Lived Credentials",
603
+ "tier": "Foundational",
604
+ "scope": "Both",
605
+ "notes": "Short-lived credentials — tokens expire at task completion, no long-lived agent tokens"
606
+ },
607
+ {
608
+ "framework": "OWASP NHI Top 10",
609
+ "control_id": "Shared credentials allow hijacked agent to impersonate other agents",
610
+ "control_name": "NHI-9 NHI Reuse",
611
+ "tier": "Foundational",
612
+ "scope": "Both",
613
+ "notes": "Unique identity per agent — no shared service accounts across agent deployments"
614
+ },
615
+ {
616
+ "framework": "NIST SP 800-218A",
617
+ "control_id": "Threat model the agent pipeline for adversarial goal manipulation vectors including direct injection, indirect injection via tool outputs, and context poisoning",
618
+ "control_name": "PW.2.1-PS – Design software to meet security requirements",
619
+ "tier": "Foundational",
620
+ "scope": "Both",
621
+ "notes": "Ensures goal integrity is a design-phase requirement for all agentic systems"
622
+ },
623
+ {
624
+ "framework": "NIST SP 800-218A",
625
+ "control_id": "Review agent behaviour for goal deviation — verify that the agent maintains intended objectives under adversarial input conditions",
626
+ "control_name": "PW.7.2-PS – Review the software for security vulnerabilities",
627
+ "tier": "Foundational",
628
+ "scope": "Both",
629
+ "notes": "Catches goal manipulation vulnerabilities before production deployment"
630
+ },
631
+ {
632
+ "framework": "NIST SP 800-218A",
633
+ "control_id": "Conduct adversarial red-team testing against goal hijacking vectors including injection through every data source, tool output, and context channel",
634
+ "control_name": "PW.8.2-PS – Test for security vulnerabilities",
635
+ "tier": "Foundational",
636
+ "scope": "Both",
637
+ "notes": "Validates goal integrity controls under realistic attack conditions"
638
+ },
639
+ {
640
+ "framework": "NIST SP 800-218A",
641
+ "control_id": "Establish procedures to identify goal hijacking incidents in production including goal deviation monitoring, triage, and confirmation workflows",
642
+ "control_name": "RV.1.1-PS – Identify and confirm vulnerabilities",
643
+ "tier": "Foundational",
644
+ "scope": "Both",
645
+ "notes": "Enables rapid detection and response to goal manipulation in live systems"
646
+ },
647
+ {
648
+ "framework": "FedRAMP",
649
+ "control_id": "SI-3",
650
+ "control_name": "Malicious Code Protection — adversarial agent inputs",
651
+ "tier": "Foundational",
652
+ "scope": "Both",
653
+ "notes": "Extend malicious code protection to detect and block adversarial inputs targeting agent goal manipulation including injection through tool outputs and context stores"
654
+ },
655
+ {
656
+ "framework": "FedRAMP",
657
+ "control_id": "SI-10",
658
+ "control_name": "Information Input Validation — agent context validation",
659
+ "tier": "Foundational",
660
+ "scope": "Both",
661
+ "notes": "Validate all inputs to agent systems including user prompts, tool outputs, memory retrievals, and inter-agent messages; enforce structural separation of instructions and data"
662
+ },
663
+ {
664
+ "framework": "FedRAMP",
665
+ "control_id": "CA-8",
666
+ "control_name": "Penetration Testing — agent hijacking testing",
667
+ "tier": "Foundational",
668
+ "scope": "Both",
669
+ "notes": "Include agent goal hijacking in penetration testing scope; cover injection through all input channels — user prompts, tool outputs, memory stores, and inter-agent communication"
670
+ },
671
+ {
672
+ "framework": "FedRAMP",
673
+ "control_id": "AU-2",
674
+ "control_name": "Event Logging — agent action audit trail",
675
+ "tier": "Foundational",
676
+ "scope": "Both",
677
+ "notes": "Log all agent actions, goal interpretations, tool invocations, and decision points with sufficient detail to detect goal hijacking in post-incident analysis"
678
+ },
679
+ {
680
+ "framework": "DORA",
681
+ "control_id": "Art. 9",
682
+ "control_name": "Protection and Prevention — adversarial agent controls",
683
+ "tier": "Foundational",
684
+ "scope": "Both",
685
+ "notes": "Implement security controls to detect and block adversarial inputs targeting agent goal manipulation including injection through tool outputs and context stores"
686
+ },
687
+ {
688
+ "framework": "DORA",
689
+ "control_id": "Art. 24–27",
690
+ "control_name": "Resilience Testing — agent hijacking scenarios",
691
+ "tier": "Foundational",
692
+ "scope": "Both",
693
+ "notes": "Include agent goal hijacking in threat-led penetration testing; cover injection through user prompts, tool outputs, memory stores, and inter-agent messages"
694
+ },
695
+ {
696
+ "framework": "DORA",
697
+ "control_id": "Art. 10",
698
+ "control_name": "Detection — goal manipulation monitoring",
699
+ "tier": "Foundational",
700
+ "scope": "Both",
701
+ "notes": "Deploy detection mechanisms for agent goal manipulation; monitor for behavioural deviations, unexpected tool invocations, and goal drift indicators"
702
+ },
703
+ {
704
+ "framework": "DORA",
705
+ "control_id": "Art. 45",
706
+ "control_name": "Information Sharing — agent attack intelligence",
707
+ "tier": "Foundational",
708
+ "scope": "Both",
709
+ "notes": "Share agent goal hijacking threat intelligence with sector peers through DORA information sharing arrangements"
710
+ }
711
+ ],
712
+ "tools": [
713
+ {
714
+ "name": "Garak",
715
+ "type": "open-source",
716
+ "url": "https://github.com/leondz/garak"
717
+ },
718
+ {
719
+ "name": "Rebuff",
720
+ "type": "open-source",
721
+ "url": "https://github.com/protectai/rebuff"
722
+ },
723
+ {
724
+ "name": "Invariant Analyzer",
725
+ "type": "open-source",
726
+ "url": "https://github.com/invariantlabs-ai/invariant"
727
+ },
728
+ {
729
+ "name": "Claroty",
730
+ "type": "commercial",
731
+ "url": "https://claroty.com"
732
+ },
733
+ {
734
+ "name": "Dragos",
735
+ "type": "commercial",
736
+ "url": "https://www.dragos.com"
737
+ },
738
+ {
739
+ "name": "Garak (adversarial testing)",
740
+ "type": "open-source",
741
+ "url": "https://github.com/leondz/garak"
742
+ },
743
+ {
744
+ "name": "PromptBench",
745
+ "type": "open-source",
746
+ "url": "https://github.com/microsoft/promptbench"
747
+ },
748
+ {
749
+ "name": "OWASP AITG test cases",
750
+ "type": "open-source",
751
+ "url": "https://owasp.org"
752
+ },
753
+ {
754
+ "name": "HashiCorp Vault",
755
+ "type": "open-source",
756
+ "url": "https://www.vaultproject.io"
757
+ },
758
+ {
759
+ "name": "Entro Security",
760
+ "type": "commercial",
761
+ "url": "https://entro.security"
762
+ },
763
+ {
764
+ "name": "Teleport",
765
+ "type": "commercial",
766
+ "url": "https://goteleport.com"
767
+ },
768
+ {
769
+ "name": "LAAF (LLM Agent Assessment Framework)",
770
+ "type": "open-source",
771
+ "url": "https://github.com/OWASP/LAAF"
772
+ },
773
+ {
774
+ "name": "PyRIT",
775
+ "type": "open-source",
776
+ "url": "https://github.com/Azure/PyRIT"
777
+ },
778
+ {
779
+ "name": "NIST SP 800-218A",
780
+ "type": "open-source",
781
+ "url": "https://doi.org/10.6028/NIST.SP.800-218A.ipd"
782
+ },
783
+ {
784
+ "name": "LLM Guard",
785
+ "type": "open-source",
786
+ "url": "https://github.com/protectai/llm-guard"
787
+ },
788
+ {
789
+ "name": "LangSmith",
790
+ "type": "commercial",
791
+ "url": "https://smith.langchain.com"
792
+ },
793
+ {
794
+ "name": "LAAF v2.0",
795
+ "url": "https://github.com/qorvexconsulting1/laaf-V2.0",
796
+ "type": "open-source"
797
+ }
798
+ ],
799
+ "incidents": [
800
+ {
801
+ "name": "ChatGPT indirect prompt injection via attacker-controlled web content",
802
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
803
+ "year": 2023,
804
+ "incident_id": "INC-003"
805
+ },
806
+ {
807
+ "name": "Indirect prompt injection in LLM email assistant via malicious email body",
808
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
809
+ "year": 2024,
810
+ "incident_id": "INC-007"
811
+ },
812
+ {
813
+ "name": "Microsoft Copilot for M365 — document exfiltration via indirect injection",
814
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
815
+ "year": 2024,
816
+ "incident_id": "INC-010"
817
+ },
818
+ {
819
+ "name": "Multimodal indirect injection — image-embedded instructions in GPT-4V",
820
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
821
+ "year": 2023,
822
+ "incident_id": "INC-015"
823
+ },
824
+ {
825
+ "name": "AutoGPT and BabyAGI — uncontrolled web browsing and file system access",
826
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
827
+ "year": 2023,
828
+ "incident_id": "INC-017"
829
+ },
830
+ {
831
+ "name": "Agentic AI privilege escalation via tool chain manipulation — research",
832
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
833
+ "year": 2024,
834
+ "incident_id": "INC-019"
835
+ },
836
+ {
837
+ "name": "Multi-agent prompt injection cascade — demonstrated cross-agent goal propagation",
838
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
839
+ "year": 2024,
840
+ "incident_id": "INC-020"
841
+ },
842
+ {
843
+ "name": "LAAF v2.0 — Empirical LPCI breakthrough rates of 67–100% across 5 production LLMs",
844
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
845
+ "year": 2026,
846
+ "incident_id": "INC-021"
847
+ },
848
+ {
849
+ "name": "Greshake et al. \"Not What You've Signed Up For\" indirect prompt injection paper",
850
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
851
+ "year": 2023,
852
+ "incident_id": "INC-022"
853
+ },
854
+ {
855
+ "name": "Nassi et al. \"ComPromptMized\" Morris II multi-agent worm",
856
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
857
+ "year": 2024,
858
+ "incident_id": "INC-023"
859
+ },
860
+ {
861
+ "name": "Slack AI indirect injection via channel content",
862
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
863
+ "year": 2024,
864
+ "incident_id": "INC-024"
865
+ },
866
+ {
867
+ "name": "MathPrompt: symbolic mathematics jailbreak attack",
868
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
869
+ "year": 2024,
870
+ "incident_id": "INC-027"
871
+ },
872
+ {
873
+ "name": "Crescendo: multi-turn escalation attack (Microsoft)",
874
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
875
+ "year": 2024,
876
+ "incident_id": "INC-029"
877
+ },
878
+ {
879
+ "name": "Skeleton Key: direct system prompt override (Microsoft)",
880
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
881
+ "year": 2024,
882
+ "incident_id": "INC-030"
883
+ },
884
+ {
885
+ "name": "Apollo Research: frontier models demonstrate strategic deception to avoid shutdown",
886
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
887
+ "year": 2024,
888
+ "incident_id": "INC-047"
889
+ }
890
+ ],
891
+ "crossrefs": {
892
+ "llm_top10": [
893
+ "LLM01",
894
+ "LLM06"
895
+ ],
896
+ "dsgai_2026": [
897
+ "DSGAI01",
898
+ "DSGAI15",
899
+ "DSGAI12",
900
+ "DSGAI02"
901
+ ]
902
+ },
903
+ "changelog": [
904
+ {
905
+ "date": "2026-03-27",
906
+ "version": "1.0.0",
907
+ "change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
908
+ "author": "emmanuelgjr"
909
+ }
910
+ ]
911
+ }