genai-security-crosswalk 2.0.0

Files changed (55) hide show
  1. package/LICENSE.md +28 -0
  2. package/README.md +618 -0
  3. package/data/entries/ASI01.json +911 -0
  4. package/data/entries/ASI02.json +850 -0
  5. package/data/entries/ASI03.json +854 -0
  6. package/data/entries/ASI04.json +759 -0
  7. package/data/entries/ASI05.json +764 -0
  8. package/data/entries/ASI06.json +817 -0
  9. package/data/entries/ASI07.json +789 -0
  10. package/data/entries/ASI08.json +788 -0
  11. package/data/entries/ASI09.json +754 -0
  12. package/data/entries/ASI10.json +833 -0
  13. package/data/entries/DSGAI01.json +779 -0
  14. package/data/entries/DSGAI02.json +728 -0
  15. package/data/entries/DSGAI03.json +671 -0
  16. package/data/entries/DSGAI04.json +752 -0
  17. package/data/entries/DSGAI05.json +689 -0
  18. package/data/entries/DSGAI06.json +673 -0
  19. package/data/entries/DSGAI07.json +680 -0
  20. package/data/entries/DSGAI08.json +698 -0
  21. package/data/entries/DSGAI09.json +687 -0
  22. package/data/entries/DSGAI10.json +627 -0
  23. package/data/entries/DSGAI11.json +663 -0
  24. package/data/entries/DSGAI12.json +695 -0
  25. package/data/entries/DSGAI13.json +688 -0
  26. package/data/entries/DSGAI14.json +703 -0
  27. package/data/entries/DSGAI15.json +655 -0
  28. package/data/entries/DSGAI16.json +716 -0
  29. package/data/entries/DSGAI17.json +690 -0
  30. package/data/entries/DSGAI18.json +613 -0
  31. package/data/entries/DSGAI19.json +638 -0
  32. package/data/entries/DSGAI20.json +671 -0
  33. package/data/entries/DSGAI21.json +881 -0
  34. package/data/entries/LLM01.json +975 -0
  35. package/data/entries/LLM02.json +868 -0
  36. package/data/entries/LLM03.json +817 -0
  37. package/data/entries/LLM04.json +797 -0
  38. package/data/entries/LLM05.json +761 -0
  39. package/data/entries/LLM06.json +848 -0
  40. package/data/entries/LLM07.json +749 -0
  41. package/data/entries/LLM08.json +750 -0
  42. package/data/entries/LLM09.json +760 -0
  43. package/data/entries/LLM10.json +763 -0
  44. package/data/incidents-schema.json +121 -0
  45. package/data/incidents.json +1484 -0
  46. package/data/schema.json +134 -0
  47. package/dist/index.d.ts +97 -0
  48. package/dist/index.d.ts.map +1 -0
  49. package/dist/index.js +124 -0
  50. package/dist/index.js.map +1 -0
  51. package/dist/index.test.d.ts +2 -0
  52. package/dist/index.test.d.ts.map +1 -0
  53. package/dist/index.test.js +97 -0
  54. package/dist/index.test.js.map +1 -0
  55. package/package.json +62 -0
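--- /dev/null
+++ b/package/data/entries/DSGAI09.json
@@ -0,0 +1,687 @@
+{
+"id": "DSGAI09",
+"name": "Multimodal Cross-Channel Leakage",
+"source_list": "DSGAI-2026",
+"version": "2026-Q1",
+"severity": "High",
+"aivss_score": null,
+"audience": [
+"red-teamer",
+"security-engineer",
+"ciso",
+"compliance",
+"ml-engineer",
+"ot-engineer",
+"auditor",
+"developer",
+"data-engineer"
+],
+"mappings": [
+{
+"framework": "MITRE ATLAS",
+"control_id": "AML.T0025",
+"control_name": "Exfiltrate via Cyber Means",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Sensitive content extracted from multimodal inputs (OCR, transcription) transmitted through standard exfiltration paths"
+},
+{
+"framework": "MITRE ATLAS",
+"control_id": "AML.T0035",
+"control_name": "Exfiltrate via ML Inference API",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Multimodal content processed by AI system extracted through inference API queries referencing extracted content"
+},
+{
+"framework": "MITRE ATLAS",
+"control_id": "AML.T0024.000",
+"control_name": "Membership Inference",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Sensitive multimodal content in training data confirmed through membership inference queries"
+},
+{
+"framework": "NIST AI RMF 1.0",
+"control_id": "GV-1.6",
+"control_name": "Policies for data privacy",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Multimodal data governance policy — classification propagation from source modality to all extracted forms"
+},
+{
+"framework": "NIST AI RMF 1.0",
+"control_id": "MP-2.3",
+"control_name": "Risk categorisation",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Multimodal leakage risks mapped per modality — image, audio, video, document — in risk register"
+},
+{
+"framework": "NIST AI RMF 1.0",
+"control_id": "MS-2.6",
+"control_name": "Testing — data leakage",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Data leakage testing extended to multimodal pipelines — OCR output, transcripts, derived embeddings"
+},
+{
+"framework": "NIST AI RMF 1.0",
+"control_id": "MG-2.4",
+"control_name": "Risk response — data",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Incident response for multimodal data leakage — content identification, deletion, regulatory notification"
+},
+{
+"framework": "EU AI Act",
+"control_id": "Data governance covers all input modalities — images, audio, video — not only text",
+"control_name": "Art. 10 — Data and data governance",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Multimodal input governance is an Art. 10 requirement for high-risk systems processing such inputs"
+},
+{
+"framework": "EU AI Act",
+"control_id": "Cybersecurity measures covering all data channels including multimodal inputs",
+"control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "DLP and access controls on multimodal pipelines are Art. 15 requirements"
+},
+{
+"framework": "EU AI Act",
+"control_id": "Technical documentation covers all input modalities processed by the model",
+"control_name": "Art. 53(1)(a) — GPAI documentation",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Multimodal data governance documented in GPAI technical documentation"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.8.11",
+"control_name": "Data masking",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Masking and redaction applied to extracted text from OCR and audio transcription — same as source"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.8.12",
+"control_name": "Data leakage prevention",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "DLP applied to all modality-extracted content — text, OCR output, transcripts"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.5.12",
+"control_name": "Classification of information",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Classification of multimodal inputs must propagate to all derived extracted content"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.8.24",
+"control_name": "Use of cryptography",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Encryption of multimodal uploads and all derived content at rest and in transit"
+},
+{
+"framework": "ISO/IEC 42001:2023",
+"control_id": "Data — acquisition",
+"control_name": "A.7.2",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Hardening"
+},
+{
+"framework": "ISO/IEC 42001:2023",
+"control_id": "Lifecycle — operational",
+"control_name": "A.6.2.3",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Hardening"
+},
+{
+"framework": "ISO/IEC 42001:2023",
+"control_id": "Impact assessment",
+"control_name": "A.5.2",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Hardening"
+},
+{
+"framework": "ISO/IEC 42001:2023",
+"control_id": "Operation",
+"control_name": "Cl.8",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Hardening"
+},
+{
+"framework": "CIS Controls v8.1",
+"control_id": "CIS 3",
+"control_name": "3.13 — Deploy DLP solutions",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "CIS Controls v8.1",
+"control_id": "CIS 13",
+"control_name": "13.1 — Centralise security event alerting",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "CIS Controls v8.1",
+"control_id": "CIS 16",
+"control_name": "16.12 — Implement code-level security checks",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "OWASP ASVS 4.0.3",
+"control_id": "V5 Validation",
+"control_name": "V5.2.5 — Unstructured data sanitised",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "OWASP ASVS 4.0.3",
+"control_id": "V8 Data Protection",
+"control_name": "V8.1.4 — Sensitive data minimised",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "OWASP ASVS 4.0.3",
+"control_id": "V12 Files/Resources",
+"control_name": "V12.1.3 — Malicious file detection on upload",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "ISA/IEC 62443",
+"control_id": "SR 4.1",
+"control_name": "Data confidentiality",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Extracted OT content from multimodal inputs classified and protected — OCR output of P&ID is as sensitive as the P&ID"
+},
+{
+"framework": "ISA/IEC 62443",
+"control_id": "SR 3.3",
+"control_name": "Software and information integrity",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Multimodal extraction pipelines validated — no uncontrolled OT data entering unclassified processing"
+},
+{
+"framework": "ISA/IEC 62443",
+"control_id": "SR 6.6",
+"control_name": "Timely response to events",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Multimodal OT data leakage treated as security event"
+},
+{
+"framework": "NIST SP 800-82 Rev 3",
+"control_id": "ICS vulnerabilities — data integrity",
+"control_name": "§5.3",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Corpus manipulation directly threatens OT operational integrity"
+},
+{
+"framework": "NIST SP 800-82 Rev 3",
+"control_id": "Risk assessment",
+"control_name": "§6.2",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "OT corpus manipulation must be in risk register as critical scenario"
+},
+{
+"framework": "NIST SP 800-82 Rev 3",
+"control_id": "Security controls",
+"control_name": "§7.2",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Write authentication on all OT corpus stores"
+},
+{
+"framework": "NIST CSF 2.0",
+"control_id": "PR.DS-01",
+"control_name": "Data Security",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Extracted content from multimodal inputs protected — OCR output of sensitive document classified and protected"
+},
+{
+"framework": "NIST CSF 2.0",
+"control_id": "PR.DS-02",
+"control_name": "Data Security",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Extracted sensitive content encrypted in transit — multimodal extraction pipelines covered"
+},
+{
+"framework": "NIST CSF 2.0",
+"control_id": "DE.CM-01",
+"control_name": "Continuous Monitoring",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Multimodal extraction output monitored — DLP on OCR results, transcription outputs"
+},
+{
+"framework": "NIST CSF 2.0",
+"control_id": "ID.AM-08",
+"control_name": "Asset Management",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Multimodal processing pipelines inventoried — what modalities are processed, what is extracted and stored"
+},
+{
+"framework": "SOC 2",
+"control_id": "Multimodal derived content (OCR output, transcripts) protected at same level as source uploads",
+"control_name": "C2.1 — Confidential information protection",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "SOC 2",
+"control_id": "Personal information extracted from multimodal inputs subject to same use restrictions as source data",
+"control_name": "P5.1 — Personal information use",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "SOC 2",
+"control_id": "Access controls on multimodal content stores — same rigour as equivalent text data stores",
+"control_name": "CC6.1 — Logical access",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "SOC 2",
+"control_id": "DLP monitoring on multimodal extraction pipelines — PII in OCR output and transcripts detected",
+"control_name": "CC7.2 — Anomaly detection",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "PCI DSS v4.0",
+"control_id": "Req 3.4.1",
+"control_name": "PAN rendering",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "PANs extracted from multimodal content masked in all outputs — OCR-extracted PANs are CHD requiring Req 3 treatment"
+},
+{
+"framework": "PCI DSS v4.0",
+"control_id": "Req 3.5.1",
+"control_name": "Protect stored CHD",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "All CHD extracted from multimodal inputs encrypted at rest — OCR output of a payment document is CHD"
+},
+{
+"framework": "PCI DSS v4.0",
+"control_id": "Req 4.2.1",
+"control_name": "Encryption in transit",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Multimodal extraction pipelines encrypted in transit where CHD is in scope"
+},
+{
+"framework": "PCI DSS v4.0",
+"control_id": "Req 10.2.1",
+"control_name": "Logging",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "All PAN access through multimodal pipelines logged"
+},
+{
+"framework": "ENISA Multilayer Framework",
+"control_id": "L2",
+"control_name": "Data and Model Security (DMS)",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Data classification and handling requirements apply equally across all modalities — images, audio, video, and documents governed as GenAI assets"
+},
+{
+"framework": "ENISA Multilayer Framework",
+"control_id": "L2",
+"control_name": "Monitoring and Detection (MON)",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "DLP and monitoring extended to cover all output modalities — AI-specific monitoring for sensitive content in generated images, audio, or documents"
+},
+{
+"framework": "ENISA Multilayer Framework",
+"control_id": "L2",
+"control_name": "Governance and Risk (GOV)",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "AI risk assessment explicitly covers multimodal data flows — blind spots between modality types documented and controlled"
+},
+{
+"framework": "ENISA Multilayer Framework",
+"control_id": "L1",
+"control_name": "General ICT — Data Protection",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Encryption and access control applied uniformly across all modalities stored or processed by GenAI systems"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "D-TA",
+"control_name": "Design / Threat Assessment",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Enumerate all write paths to the corpus and attack scenarios for each"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "I-SB",
+"control_name": "Implementation / Secure Build",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Authenticate and verify all corpus writes; hash embeddings at ingest"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "V-ST",
+"control_name": "Verification / Security Testing",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Attempt to inject manipulated documents; verify detection"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "O-IM",
+"control_name": "Operations / Incident Management",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Alert on unexpected corpus changes or embedding distribution shifts"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "G-PC",
+"control_name": "Governance / Policy & Compliance",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "All corpus changes go through a review and approval process"
+},
+{
+"framework": "CWE/CVE",
+"control_id": "CWE-200",
+"control_name": "CWE-200",
+"tier": "Hardening",
+"scope": "Both",
+"url": "https://cwe.mitre.org/data/definitions/200.html"
+},
+{
+"framework": "CWE/CVE",
+"control_id": "CWE-201",
+"control_name": "CWE-201",
+"tier": "Hardening",
+"scope": "Both",
+"url": "https://cwe.mitre.org/data/definitions/201.html"
+},
+{
+"framework": "MAESTRO",
+"control_id": "L2",
+"control_name": "Data Operations",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "MAESTRO",
+"control_id": "L1",
+"control_name": "Foundation Models",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "AIUC-1",
+"control_id": "A",
+"control_name": "Data & Privacy domain",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Foundational"
+},
+{
+"framework": "AIUC-1",
+"control_id": "B001",
+"control_name": "Third-party adversarial robustness testing",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Hardening"
+},
+{
+"framework": "AIUC-1",
+"control_id": "B002",
+"control_name": "Detect adversarial input",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Hardening"
+},
+{
+"framework": "AIUC-1",
+"control_id": "E",
+"control_name": "Audit trails and logging",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Foundational"
+},
+{
+"framework": "OWASP NHI Top 10",
+"control_id": "Corpus write access held by service accounts that do not need it",
+"control_name": "NHI-5 Over-Privileged NHI",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Separate read and write credentials; write accounts require MFA"
+},
+{
+"framework": "OWASP NHI Top 10",
+"control_id": "Corpus write credentials in plaintext config",
+"control_name": "NHI-6 Insecure Credential Storage",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Vault all corpus write credentials"
+},
+{
+"framework": "OWASP NHI Top 10",
+"control_id": "Long-lived corpus write credentials persist beyond need",
+"control_name": "NHI-7 Long-Lived Credentials",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Rotate corpus write credentials; implement short-lived write pattern"
+},
+{
+"framework": "NIST SP 800-218A",
+"control_id": "PS.1.1-PS",
+"control_name": "Protect all code from unauthorised access — IP protection",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Protect model weights, architecture specifications, training data, and proprietary algorithms from unauthorised access; implement defence against model extraction attacks"
+},
+{
+"framework": "NIST SP 800-218A",
+"control_id": "PS.3.1-PS",
+"control_name": "Archive and protect software releases — IP asset management",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Maintain access-controlled, versioned registries for all IP-sensitive AI artefacts; enforce need-to-know access and log all access events"
+},
+{
+"framework": "FedRAMP",
+"control_id": "SC-28",
+"control_name": "Protection of Information at Rest — IP encryption",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Encrypt all intellectual property — model weights, proprietary training data, algorithms — at rest with FIPS 140-validated modules"
+},
+{
+"framework": "FedRAMP",
+"control_id": "AC-3",
+"control_name": "Access Enforcement — IP access control",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Enforce strict access control on AI intellectual property; restrict to minimum necessary personnel with audit trail"
+},
+{
+"framework": "FedRAMP",
+"control_id": "AU-12",
+"control_name": "Audit Generation — IP access tracking",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Generate audit records for all access to AI intellectual property; enable detection of unauthorised access and exfiltration"
+},
+{
+"framework": "DORA",
+"control_id": "Art. 9",
+"control_name": "Protection and Prevention — IP protection controls",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Implement security controls protecting AI intellectual property — encryption, access controls, and DLP for model weights, training data, and proprietary algorithms"
+},
+{
+"framework": "DORA",
+"control_id": "Art. 28–44",
+"control_name": "Third-Party Risk — IP protection in vendor relationships",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Address IP protection in third-party agreements; ensure vendors cannot access, replicate, or misuse proprietary AI assets"
+},
+{
+"framework": "DORA",
+"control_id": "Art. 10",
+"control_name": "Detection — IP exfiltration detection",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Deploy detection for IP exfiltration attempts; monitor model weight access and download patterns"
+}
+],
+"tools": [
+{
+"name": "Microsoft Presidio",
+"type": "open-source",
+"url": "https://github.com/microsoft/presidio"
+},
+{
+"name": "AWS Macie",
+"type": "commercial",
+"url": "https://aws.amazon.com/macie/"
+},
+{
+"name": "Google Cloud DLP",
+"type": "commercial",
+"url": "https://cloud.google.com/dlp"
+},
+{
+"name": "AWS Rekognition",
+"type": "commercial",
+"url": "https://aws.amazon.com/rekognition/"
+},
+{
+"name": "Presidio",
+"type": "open-source",
+"url": "https://github.com/microsoft/presidio"
+},
+{
+"name": "Azure AI Content Safety",
+"type": "commercial",
+"url": "https://azure.microsoft.com/en-us/products/ai-services/ai-content-safety"
+},
+{
+"name": "ModelScan",
+"type": "open-source",
+"url": "https://github.com/protectai/modelscan"
+},
+{
+"name": "Sigstore",
+"type": "open-source",
+"url": "https://www.sigstore.dev"
+},
+{
+"name": "AWS Nitro Enclaves",
+"type": "commercial",
+"url": "https://aws.amazon.com/ec2/nitro/nitro-enclaves/"
+},
+{
+"name": "Azure Confidential Computing",
+"type": "commercial",
+"url": "https://azure.microsoft.com/en-us/solutions/confidential-compute/"
+},
+{
+"name": "HashiCorp Vault",
+"type": "commercial",
+"url": "https://www.vaultproject.io"
+},
+{
+"name": "Nightfall DLP",
+"type": "commercial",
+"url": "https://www.nightfall.ai"
+},
+{
+"name": "AWS KMS / Azure Key Vault",
+"type": "commercial",
+"url": "https://aws.amazon.com/kms/"
+}
+],
+"incidents": [
+{
+"name": "Multimodal indirect injection — image-embedded instructions in GPT-4V",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2023,
+"incident_id": "INC-015"
+},
+{
+"name": "AI voice deepfake CEO fraud — Hong Kong $25M loss",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2024,
+"incident_id": "INC-026"
+},
+{
+"name": "Clearview AI biometric bias — $50M class action settlement",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2025,
+"incident_id": "INC-036"
+},
+{
+"name": "NYT v OpenAI — copyright training data ruling implications",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2025,
+"incident_id": "INC-039"
+}
+],
+"crossrefs": {
+"dsgai_2026": [
+"DSGAI01",
+"DSGAI14"
+],
+"llm_top10": [
+"LLM02",
+"LLM04",
+"LLM08",
+"LLM03",
+"LLM05"
+],
+"agentic_top10": [
+"ASI03",
+"ASI04"
+]
+},
+"changelog": [
+{
+"date": "2026-03-27",
+"version": "1.0.0",
+"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
+"author": "emmanuelgjr"
+}
+]
+}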
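Review bot: The notes on the NIST SP 800-82, OWASP SAMM and OWASP NHI Top 10 mappings describe RAG corpus-write controls ("Write authentication on all OT corpus stores", "hash embeddings at ingest", "Corpus write credentials in plaintext config"), and the NIST SP 800-218A, FedRAMP and DORA notes describe model-weight/IP exfiltration, none of which is the multimodal cross-channel leakage risk this entry names, so an auditor or CISO using the crosswalk would cite controls that do not address the risk. Those notes look copied from entries about corpus poisoning and model-IP protection and should each be rewritten to the extraction-pipeline threat, e.g. the SAMM D-TA note to `"notes": "Enumerate every modality-extraction path (OCR, ASR, frame extraction) and the stores its output lands in; threat-model classification loss at each hop"` and the 800-82 §7.2 note to `"notes": "Access control and DLP on stores holding OCR/transcript output derived from OT documents"`. Separately, the ISO/IEC 42001, EU AI Act, SOC 2, NIST SP 800-82 and OWASP NHI entries carry the identifier in control_name and the description in control_id (e.g. `"control_id": "Data — acquisition", "control_name": "A.7.2"`), the reverse of the ATLAS/ISO 27001 entries, which will break any consumer keying on control_id, and the notes that merely repeat "Hardening"/"Foundational" (contradicting the tier field on the AIUC-1 entries) carry no justification and should be dropped or filled in. The tools list also lists Presidio twice under the same URL. Whether schema.json constrains these fields is not visible in this hunk.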