genai-security-crosswalk 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
|
@@ -0,0 +1,613 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "DSGAI18",
|
|
3
|
+
"name": "Inference and Data Reconstruction",
|
|
4
|
+
"source_list": "DSGAI-2026",
|
|
5
|
+
"version": "2026-Q1",
|
|
6
|
+
"severity": "High",
|
|
7
|
+
"aivss_score": null,
|
|
8
|
+
"audience": [
|
|
9
|
+
"red-teamer",
|
|
10
|
+
"security-engineer",
|
|
11
|
+
"ciso",
|
|
12
|
+
"compliance",
|
|
13
|
+
"ml-engineer",
|
|
14
|
+
"ot-engineer",
|
|
15
|
+
"auditor",
|
|
16
|
+
"developer",
|
|
17
|
+
"data-engineer"
|
|
18
|
+
],
|
|
19
|
+
"mappings": [
|
|
20
|
+
{
|
|
21
|
+
"framework": "MITRE ATLAS",
|
|
22
|
+
"control_id": "AML.T0024.000",
|
|
23
|
+
"control_name": "Membership Inference",
|
|
24
|
+
"tier": "Hardening",
|
|
25
|
+
"scope": "Both",
|
|
26
|
+
"notes": "Adversary determines whether specific sensitive records were used in training through systematic query analysis"
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"framework": "MITRE ATLAS",
|
|
30
|
+
"control_id": "AML.T0025",
|
|
31
|
+
"control_name": "Exfiltrate via Cyber Means",
|
|
32
|
+
"tier": "Hardening",
|
|
33
|
+
"scope": "Both",
|
|
34
|
+
"notes": "Training data confirmed present and partially reconstructed through inference, then exfiltrated"
|
|
35
|
+
},
|
|
36
|
+
{
|
|
37
|
+
"framework": "MITRE ATLAS",
|
|
38
|
+
"control_id": "AML.T0027",
|
|
39
|
+
"control_name": "Model Inversion",
|
|
40
|
+
"tier": "Hardening",
|
|
41
|
+
"scope": "Both",
|
|
42
|
+
"notes": "Adversary reconstructs sensitive training examples from model outputs through systematic query campaigns"
|
|
43
|
+
},
|
|
44
|
+
{
|
|
45
|
+
"framework": "NIST AI RMF 1.0",
|
|
46
|
+
"control_id": "GV-1.6",
|
|
47
|
+
"control_name": "Policies for data privacy",
|
|
48
|
+
"tier": "Hardening",
|
|
49
|
+
"scope": "Both",
|
|
50
|
+
"notes": "Privacy policy extended to cover inference attack resistance — not just direct disclosure"
|
|
51
|
+
},
|
|
52
|
+
{
|
|
53
|
+
"framework": "NIST AI RMF 1.0",
|
|
54
|
+
"control_id": "MP-2.3",
|
|
55
|
+
"control_name": "Risk categorisation",
|
|
56
|
+
"tier": "Hardening",
|
|
57
|
+
"scope": "Both",
|
|
58
|
+
"notes": "Inference attack risks mapped — membership inference, model inversion, embedding inversion per deployment"
|
|
59
|
+
},
|
|
60
|
+
{
|
|
61
|
+
"framework": "NIST AI RMF 1.0",
|
|
62
|
+
"control_id": "MS-2.5",
|
|
63
|
+
"control_name": "Testing — adversarial",
|
|
64
|
+
"tier": "Hardening",
|
|
65
|
+
"scope": "Both",
|
|
66
|
+
"notes": "Red team exercises covering membership inference and model inversion attack scenarios"
|
|
67
|
+
},
|
|
68
|
+
{
|
|
69
|
+
"framework": "NIST AI RMF 1.0",
|
|
70
|
+
"control_id": "MG-2.4",
|
|
71
|
+
"control_name": "Risk response — data",
|
|
72
|
+
"tier": "Hardening",
|
|
73
|
+
"scope": "Both",
|
|
74
|
+
"notes": "Response for confirmed inference attack — unlearning, output rate limiting, disclosure assessment"
|
|
75
|
+
},
|
|
76
|
+
{
|
|
77
|
+
"framework": "EU AI Act",
|
|
78
|
+
"control_id": "Training data privacy measures required — protecting sensitive data used in training",
|
|
79
|
+
"control_name": "Art. 10 — Data and data governance",
|
|
80
|
+
"tier": "Hardening",
|
|
81
|
+
"scope": "Both",
|
|
82
|
+
"notes": "Differential privacy and inference attack resistance are Art. 10 data governance requirements"
|
|
83
|
+
},
|
|
84
|
+
{
|
|
85
|
+
"framework": "EU AI Act",
|
|
86
|
+
"control_id": "Cybersecurity measures protecting against attacks including inference attacks",
|
|
87
|
+
"control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
|
|
88
|
+
"tier": "Hardening",
|
|
89
|
+
"scope": "Both",
|
|
90
|
+
"notes": "Output rate limiting, confidence score suppression, and embedding encryption are Art. 15 requirements"
|
|
91
|
+
},
|
|
92
|
+
{
|
|
93
|
+
"framework": "ISO/IEC 27001:2022",
|
|
94
|
+
"control_id": "A.8.11",
|
|
95
|
+
"control_name": "Data masking",
|
|
96
|
+
"tier": "Hardening",
|
|
97
|
+
"scope": "Both",
|
|
98
|
+
"notes": "Differential privacy and output masking reducing information available for reconstruction attacks"
|
|
99
|
+
},
|
|
100
|
+
{
|
|
101
|
+
"framework": "ISO/IEC 27001:2022",
|
|
102
|
+
"control_id": "A.5.34",
|
|
103
|
+
"control_name": "Privacy and PII protection",
|
|
104
|
+
"tier": "Hardening",
|
|
105
|
+
"scope": "Both",
|
|
106
|
+
"notes": "Privacy requirements extended to cover inference attack resistance — not just direct disclosure"
|
|
107
|
+
},
|
|
108
|
+
{
|
|
109
|
+
"framework": "ISO/IEC 27001:2022",
|
|
110
|
+
"control_id": "A.8.24",
|
|
111
|
+
"control_name": "Use of cryptography",
|
|
112
|
+
"tier": "Hardening",
|
|
113
|
+
"scope": "Both",
|
|
114
|
+
"notes": "Cryptographic protection of embedding vectors preventing inversion attacks"
|
|
115
|
+
},
|
|
116
|
+
{
|
|
117
|
+
"framework": "ISO/IEC 27001:2022",
|
|
118
|
+
"control_id": "A.8.12",
|
|
119
|
+
"control_name": "Data leakage prevention",
|
|
120
|
+
"tier": "Hardening",
|
|
121
|
+
"scope": "Both",
|
|
122
|
+
"notes": "Output monitoring for responses that reconstruct training data or sensitive source content"
|
|
123
|
+
},
|
|
124
|
+
{
|
|
125
|
+
"framework": "ISO/IEC 42001:2023",
|
|
126
|
+
"control_id": "Data — privacy-preserving",
|
|
127
|
+
"control_name": "A.7.2",
|
|
128
|
+
"tier": "Hardening",
|
|
129
|
+
"scope": "Both",
|
|
130
|
+
"notes": "Hardening"
|
|
131
|
+
},
|
|
132
|
+
{
|
|
133
|
+
"framework": "ISO/IEC 42001:2023",
|
|
134
|
+
"control_id": "Impact assessment",
|
|
135
|
+
"control_name": "A.5.2",
|
|
136
|
+
"tier": "Hardening",
|
|
137
|
+
"scope": "Both",
|
|
138
|
+
"notes": "Hardening"
|
|
139
|
+
},
|
|
140
|
+
{
|
|
141
|
+
"framework": "ISO/IEC 42001:2023",
|
|
142
|
+
"control_id": "Lifecycle — testing",
|
|
143
|
+
"control_name": "A.6.2.6",
|
|
144
|
+
"tier": "Hardening",
|
|
145
|
+
"scope": "Both",
|
|
146
|
+
"notes": "Advanced"
|
|
147
|
+
},
|
|
148
|
+
{
|
|
149
|
+
"framework": "ISO/IEC 42001:2023",
|
|
150
|
+
"control_id": "Planning — risk",
|
|
151
|
+
"control_name": "Cl.6.1",
|
|
152
|
+
"tier": "Hardening",
|
|
153
|
+
"scope": "Both",
|
|
154
|
+
"notes": "Hardening"
|
|
155
|
+
},
|
|
156
|
+
{
|
|
157
|
+
"framework": "CIS Controls v8.1",
|
|
158
|
+
"control_id": "CIS 3",
|
|
159
|
+
"control_name": "3.11 — Encrypt sensitive data at rest",
|
|
160
|
+
"tier": "Hardening",
|
|
161
|
+
"scope": "Both"
|
|
162
|
+
},
|
|
163
|
+
{
|
|
164
|
+
"framework": "CIS Controls v8.1",
|
|
165
|
+
"control_id": "CIS 18",
|
|
166
|
+
"control_name": "18.1 — Penetration testing",
|
|
167
|
+
"tier": "Hardening",
|
|
168
|
+
"scope": "Both"
|
|
169
|
+
},
|
|
170
|
+
{
|
|
171
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
172
|
+
"control_id": "V8 Data Protection",
|
|
173
|
+
"control_name": "V8.3.4 — Sensitive data identified",
|
|
174
|
+
"tier": "Hardening",
|
|
175
|
+
"scope": "Both"
|
|
176
|
+
},
|
|
177
|
+
{
|
|
178
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
179
|
+
"control_id": "V6 Cryptography",
|
|
180
|
+
"control_name": "V6.1.1 — Sensitive data not stored in cleartext",
|
|
181
|
+
"tier": "Hardening",
|
|
182
|
+
"scope": "Both"
|
|
183
|
+
},
|
|
184
|
+
{
|
|
185
|
+
"framework": "ISA/IEC 62443",
|
|
186
|
+
"control_id": "SR 4.1",
|
|
187
|
+
"control_name": "Data confidentiality",
|
|
188
|
+
"tier": "Foundational",
|
|
189
|
+
"scope": "Both",
|
|
190
|
+
"notes": "Inference attack resistance as OT data protection measure — differential privacy for OT training data"
|
|
191
|
+
},
|
|
192
|
+
{
|
|
193
|
+
"framework": "ISA/IEC 62443",
|
|
194
|
+
"control_id": "SR 6.6",
|
|
195
|
+
"control_name": "Timely response to events",
|
|
196
|
+
"tier": "Foundational",
|
|
197
|
+
"scope": "Both",
|
|
198
|
+
"notes": "Inference attack campaigns detected — systematic query patterns indicative of AML.T0024.000 alerted"
|
|
199
|
+
},
|
|
200
|
+
{
|
|
201
|
+
"framework": "ISA/IEC 62443",
|
|
202
|
+
"control_id": "SR 3.3",
|
|
203
|
+
"control_name": "Software and information integrity",
|
|
204
|
+
"tier": "Foundational",
|
|
205
|
+
"scope": "Both",
|
|
206
|
+
"notes": "Confidence score suppression as OT integrity control — limits information available for model inversion"
|
|
207
|
+
},
|
|
208
|
+
{
|
|
209
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
210
|
+
"control_id": "Data confidentiality",
|
|
211
|
+
"control_name": "§5.4",
|
|
212
|
+
"tier": "Foundational",
|
|
213
|
+
"scope": "Both",
|
|
214
|
+
"notes": "Retention of OT data beyond required period is a confidentiality risk"
|
|
215
|
+
},
|
|
216
|
+
{
|
|
217
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
218
|
+
"control_id": "Risk assessment",
|
|
219
|
+
"control_name": "§6.2",
|
|
220
|
+
"tier": "Foundational",
|
|
221
|
+
"scope": "Both",
|
|
222
|
+
"notes": "Data retention as OT risk scenario"
|
|
223
|
+
},
|
|
224
|
+
{
|
|
225
|
+
"framework": "NIST CSF 2.0",
|
|
226
|
+
"control_id": "PR.DS-01",
|
|
227
|
+
"control_name": "Data Security",
|
|
228
|
+
"tier": "Hardening",
|
|
229
|
+
"scope": "Both",
|
|
230
|
+
"notes": "Reconstruction resistance as data protection measure — differential privacy in training, confidence score suppression"
|
|
231
|
+
},
|
|
232
|
+
{
|
|
233
|
+
"framework": "NIST CSF 2.0",
|
|
234
|
+
"control_id": "DE.CM-09",
|
|
235
|
+
"control_name": "Continuous Monitoring",
|
|
236
|
+
"tier": "Hardening",
|
|
237
|
+
"scope": "Both",
|
|
238
|
+
"notes": "Monitoring for inference attack patterns — systematic output space probing detected"
|
|
239
|
+
},
|
|
240
|
+
{
|
|
241
|
+
"framework": "NIST CSF 2.0",
|
|
242
|
+
"control_id": "ID.RA-01",
|
|
243
|
+
"control_name": "Risk Assessment",
|
|
244
|
+
"tier": "Hardening",
|
|
245
|
+
"scope": "Both",
|
|
246
|
+
"notes": "Inference attack risks documented per deployment — models trained on sensitive data assessed"
|
|
247
|
+
},
|
|
248
|
+
{
|
|
249
|
+
"framework": "NIST CSF 2.0",
|
|
250
|
+
"control_id": "GV.RM-06",
|
|
251
|
+
"control_name": "Risk Management Strategy",
|
|
252
|
+
"tier": "Hardening",
|
|
253
|
+
"scope": "Both",
|
|
254
|
+
"notes": "Risk tolerance for inference attacks established — acceptable reconstruction risk defined per use case"
|
|
255
|
+
},
|
|
256
|
+
{
|
|
257
|
+
"framework": "SOC 2",
|
|
258
|
+
"control_id": "Inference attack resistance as confidentiality protection — technical measures limiting reconstruction success",
|
|
259
|
+
"control_name": "C2.1 — Confidential information protection",
|
|
260
|
+
"tier": "Hardening",
|
|
261
|
+
"scope": "Both"
|
|
262
|
+
},
|
|
263
|
+
{
|
|
264
|
+
"framework": "SOC 2",
|
|
265
|
+
"control_id": "Using model outputs to reconstruct personal information beyond authorised purposes is a P5 violation",
|
|
266
|
+
"control_name": "P5.1 — Personal information use",
|
|
267
|
+
"tier": "Hardening",
|
|
268
|
+
"scope": "Both"
|
|
269
|
+
},
|
|
270
|
+
{
|
|
271
|
+
"framework": "SOC 2",
|
|
272
|
+
"control_id": "Output monitoring for reconstruction indicators — systematic query patterns detected",
|
|
273
|
+
"control_name": "CC7.2 — Anomaly detection",
|
|
274
|
+
"tier": "Hardening",
|
|
275
|
+
"scope": "Both"
|
|
276
|
+
},
|
|
277
|
+
{
|
|
278
|
+
"framework": "SOC 2",
|
|
279
|
+
"control_id": "Inference attack risks identified in GenAI risk assessment — membership inference, model inversion vectors",
|
|
280
|
+
"control_name": "CC3.2 — Risk assessment",
|
|
281
|
+
"tier": "Hardening",
|
|
282
|
+
"scope": "Both"
|
|
283
|
+
},
|
|
284
|
+
{
|
|
285
|
+
"framework": "PCI DSS v4.0",
|
|
286
|
+
"control_id": "Req 3.4.1",
|
|
287
|
+
"control_name": "PAN rendering",
|
|
288
|
+
"tier": "Hardening",
|
|
289
|
+
"scope": "Both",
|
|
290
|
+
"notes": "PANs reconstructed from model outputs must be prevented — inference attack resistance as Req 3 control"
|
|
291
|
+
},
|
|
292
|
+
{
|
|
293
|
+
"framework": "PCI DSS v4.0",
|
|
294
|
+
"control_id": "Req 3.5.1",
|
|
295
|
+
"control_name": "Protect stored CHD",
|
|
296
|
+
"tier": "Hardening",
|
|
297
|
+
"scope": "Both",
|
|
298
|
+
"notes": "Embeddings that can reconstruct PANs require Req 3 protection — differential privacy as encryption equivalent"
|
|
299
|
+
},
|
|
300
|
+
{
|
|
301
|
+
"framework": "PCI DSS v4.0",
|
|
302
|
+
"control_id": "Req 11.3.1",
|
|
303
|
+
"control_name": "Penetration testing",
|
|
304
|
+
"tier": "Hardening",
|
|
305
|
+
"scope": "Both",
|
|
306
|
+
"notes": "Inference attack testing for GenAI models trained on CHD — membership inference and inversion attacks"
|
|
307
|
+
},
|
|
308
|
+
{
|
|
309
|
+
"framework": "PCI DSS v4.0",
|
|
310
|
+
"control_id": "Req 12.3.2",
|
|
311
|
+
"control_name": "Targeted risk analysis",
|
|
312
|
+
"tier": "Hardening",
|
|
313
|
+
"scope": "Both",
|
|
314
|
+
"notes": "Targeted risk analysis for inference attack risk against CHD-trained GenAI models"
|
|
315
|
+
},
|
|
316
|
+
{
|
|
317
|
+
"framework": "ENISA Multilayer Framework",
|
|
318
|
+
"control_id": "L2",
|
|
319
|
+
"control_name": "Data and Model Security (DMS)",
|
|
320
|
+
"tier": "Hardening",
|
|
321
|
+
"scope": "Both",
|
|
322
|
+
"notes": "Differential privacy, output perturbation, and prediction API rate limiting applied as DMS privacy-preserving controls"
|
|
323
|
+
},
|
|
324
|
+
{
|
|
325
|
+
"framework": "ENISA Multilayer Framework",
|
|
326
|
+
"control_id": "L2",
|
|
327
|
+
"control_name": "AI System Integrity (ASI)",
|
|
328
|
+
"tier": "Hardening",
|
|
329
|
+
"scope": "Both",
|
|
330
|
+
"notes": "Inference attack red teaming included in AI system integrity verification — membership inference, model inversion, attribute inference tested before deployment"
|
|
331
|
+
},
|
|
332
|
+
{
|
|
333
|
+
"framework": "ENISA Multilayer Framework",
|
|
334
|
+
"control_id": "L2",
|
|
335
|
+
"control_name": "Governance and Risk (GOV)",
|
|
336
|
+
"tier": "Hardening",
|
|
337
|
+
"scope": "Both",
|
|
338
|
+
"notes": "Inference attack risk documented in AI risk assessment — treatment controls (differential privacy, output restrictions) justified"
|
|
339
|
+
},
|
|
340
|
+
{
|
|
341
|
+
"framework": "ENISA Multilayer Framework",
|
|
342
|
+
"control_id": "L2",
|
|
343
|
+
"control_name": "Monitoring and Detection (MON)",
|
|
344
|
+
"tier": "Hardening",
|
|
345
|
+
"scope": "Both",
|
|
346
|
+
"notes": "Prediction API monitoring for inference attack patterns — high-volume, systematic query patterns that indicate shadow model training"
|
|
347
|
+
},
|
|
348
|
+
{
|
|
349
|
+
"framework": "OWASP SAMM v2.0",
|
|
350
|
+
"control_id": "G-PC",
|
|
351
|
+
"control_name": "Governance / Policy & Compliance",
|
|
352
|
+
"tier": "Foundational",
|
|
353
|
+
"scope": "Both",
|
|
354
|
+
"notes": "Documented retention periods and deletion procedures for all GenAI data"
|
|
355
|
+
},
|
|
356
|
+
{
|
|
357
|
+
"framework": "OWASP SAMM v2.0",
|
|
358
|
+
"control_id": "D-SR",
|
|
359
|
+
"control_name": "Design / Security Requirements",
|
|
360
|
+
"tier": "Foundational",
|
|
361
|
+
"scope": "Both",
|
|
362
|
+
"notes": "Right-to-erasure and retention limits built into system requirements"
|
|
363
|
+
},
|
|
364
|
+
{
|
|
365
|
+
"framework": "OWASP SAMM v2.0",
|
|
366
|
+
"control_id": "O-OM",
|
|
367
|
+
"control_name": "Operations / Operational Management",
|
|
368
|
+
"tier": "Foundational",
|
|
369
|
+
"scope": "Both",
|
|
370
|
+
"notes": "Automated verification that data is deleted per retention schedule"
|
|
371
|
+
},
|
|
372
|
+
{
|
|
373
|
+
"framework": "OWASP SAMM v2.0",
|
|
374
|
+
"control_id": "G-SM",
|
|
375
|
+
"control_name": "Governance / Strategy & Metrics",
|
|
376
|
+
"tier": "Foundational",
|
|
377
|
+
"scope": "Both",
|
|
378
|
+
"notes": "GenAI data lifecycle integrated into existing privacy programme"
|
|
379
|
+
},
|
|
380
|
+
{
|
|
381
|
+
"framework": "CWE/CVE",
|
|
382
|
+
"control_id": "CWE-200",
|
|
383
|
+
"control_name": "CWE-200",
|
|
384
|
+
"tier": "Hardening",
|
|
385
|
+
"scope": "Both",
|
|
386
|
+
"url": "https://cwe.mitre.org/data/definitions/200.html"
|
|
387
|
+
},
|
|
388
|
+
{
|
|
389
|
+
"framework": "CWE/CVE",
|
|
390
|
+
"control_id": "CWE-327",
|
|
391
|
+
"control_name": "CWE-327",
|
|
392
|
+
"tier": "Hardening",
|
|
393
|
+
"scope": "Both",
|
|
394
|
+
"url": "https://cwe.mitre.org/data/definitions/327.html"
|
|
395
|
+
},
|
|
396
|
+
{
|
|
397
|
+
"framework": "MAESTRO",
|
|
398
|
+
"control_id": "L1",
|
|
399
|
+
"control_name": "Foundation Models",
|
|
400
|
+
"tier": "Hardening",
|
|
401
|
+
"scope": "Both"
|
|
402
|
+
},
|
|
403
|
+
{
|
|
404
|
+
"framework": "MAESTRO",
|
|
405
|
+
"control_id": "L2",
|
|
406
|
+
"control_name": "Data Operations",
|
|
407
|
+
"tier": "Hardening",
|
|
408
|
+
"scope": "Both"
|
|
409
|
+
},
|
|
410
|
+
{
|
|
411
|
+
"framework": "MAESTRO",
|
|
412
|
+
"control_id": "L5",
|
|
413
|
+
"control_name": "Evaluation & Observability",
|
|
414
|
+
"tier": "Hardening",
|
|
415
|
+
"scope": "Both"
|
|
416
|
+
},
|
|
417
|
+
{
|
|
418
|
+
"framework": "AIUC-1",
|
|
419
|
+
"control_id": "A",
|
|
420
|
+
"control_name": "Data & Privacy domain",
|
|
421
|
+
"tier": "Foundational",
|
|
422
|
+
"scope": "Both",
|
|
423
|
+
"notes": "Foundational"
|
|
424
|
+
},
|
|
425
|
+
{
|
|
426
|
+
"framework": "AIUC-1",
|
|
427
|
+
"control_id": "E",
|
|
428
|
+
"control_name": "Audit trails and logging",
|
|
429
|
+
"tier": "Foundational",
|
|
430
|
+
"scope": "Both",
|
|
431
|
+
"notes": "Foundational"
|
|
432
|
+
},
|
|
433
|
+
{
|
|
434
|
+
"framework": "OWASP NHI Top 10",
|
|
435
|
+
"control_id": "Service account with access to retained data beyond declared function",
|
|
436
|
+
"control_name": "NHI-5 Over-Privileged NHI",
|
|
437
|
+
"tier": "Foundational",
|
|
438
|
+
"scope": "Both",
|
|
439
|
+
"notes": "Minimum scope for data access credentials"
|
|
440
|
+
},
|
|
441
|
+
{
|
|
442
|
+
"framework": "OWASP NHI Top 10",
|
|
443
|
+
"control_id": "Humans using machine credentials for data deletion — no audit trail",
|
|
444
|
+
"control_name": "NHI-10 Human Use of NHI",
|
|
445
|
+
"tier": "Foundational",
|
|
446
|
+
"scope": "Both",
|
|
447
|
+
"notes": "Enforce human identity for all compliance operations"
|
|
448
|
+
},
|
|
449
|
+
{
|
|
450
|
+
"framework": "NIST SP 800-218A",
|
|
451
|
+
"control_id": "PW.1.1-PS",
|
|
452
|
+
"control_name": "Define security requirements — AI data governance requirements",
|
|
453
|
+
"tier": "Foundational",
|
|
454
|
+
"scope": "Both",
|
|
455
|
+
"notes": "Define security requirements mandating AI-specific data governance including data stewardship, accountability structures, and policy enforcement mechanisms"
|
|
456
|
+
},
|
|
457
|
+
{
|
|
458
|
+
"framework": "NIST SP 800-218A",
|
|
459
|
+
"control_id": "PW.2.1-PS",
|
|
460
|
+
"control_name": "Design software — governance-integrated AI architecture",
|
|
461
|
+
"tier": "Foundational",
|
|
462
|
+
"scope": "Both",
|
|
463
|
+
"notes": "Design AI systems with governance controls integrated into pipeline architecture; embed policy enforcement, approval workflows, and audit capabilities"
|
|
464
|
+
},
|
|
465
|
+
{
|
|
466
|
+
"framework": "NIST SP 800-218A",
|
|
467
|
+
"control_id": "RV.3.1-PS",
|
|
468
|
+
"control_name": "Analyse root causes — governance failure analysis",
|
|
469
|
+
"tier": "Foundational",
|
|
470
|
+
"scope": "Both",
|
|
471
|
+
"notes": "When data governance failures contribute to AI incidents, conduct root cause analysis to identify governance gaps and strengthen frameworks"
|
|
472
|
+
},
|
|
473
|
+
{
|
|
474
|
+
"framework": "FedRAMP",
|
|
475
|
+
"control_id": "PM-9",
|
|
476
|
+
"control_name": "Risk Management Strategy — AI governance framework",
|
|
477
|
+
"tier": "Foundational",
|
|
478
|
+
"scope": "Both",
|
|
479
|
+
"notes": "Establish comprehensive AI data governance framework within risk management strategy; define roles, policies, and oversight mechanisms"
|
|
480
|
+
},
|
|
481
|
+
{
|
|
482
|
+
"framework": "FedRAMP",
|
|
483
|
+
"control_id": "CM-3",
|
|
484
|
+
"control_name": "Configuration Change Control — governance policy management",
|
|
485
|
+
"tier": "Foundational",
|
|
486
|
+
"scope": "Both",
|
|
487
|
+
"notes": "Maintain AI governance policies under change control; require approval for policy modifications; audit all changes"
|
|
488
|
+
},
|
|
489
|
+
{
|
|
490
|
+
"framework": "FedRAMP",
|
|
491
|
+
"control_id": "RA-3",
|
|
492
|
+
"control_name": "Risk Assessment — governance completeness",
|
|
493
|
+
"tier": "Foundational",
|
|
494
|
+
"scope": "Both",
|
|
495
|
+
"notes": "Assess AI governance completeness; identify gaps in roles, policies, oversight, and accountability"
|
|
496
|
+
},
|
|
497
|
+
{
|
|
498
|
+
"framework": "DORA",
|
|
499
|
+
"control_id": "Art. 5–7",
|
|
500
|
+
"control_name": "ICT Risk Management — AI governance framework",
|
|
501
|
+
"tier": "Foundational",
|
|
502
|
+
"scope": "Both",
|
|
503
|
+
"notes": "Establish comprehensive AI data governance within ICT risk management; define roles, policies, accountability, and oversight mechanisms"
|
|
504
|
+
},
|
|
505
|
+
{
|
|
506
|
+
"framework": "DORA",
|
|
507
|
+
"control_id": "Art. 13",
|
|
508
|
+
"control_name": "Learning and Evolving — governance improvement",
|
|
509
|
+
"tier": "Foundational",
|
|
510
|
+
"scope": "Both",
|
|
511
|
+
"notes": "Apply lessons learned to improve AI data governance; update policies and controls based on incident analysis and regulatory changes"
|
|
512
|
+
},
|
|
513
|
+
{
|
|
514
|
+
"framework": "DORA",
|
|
515
|
+
"control_id": "Art. 8",
|
|
516
|
+
"control_name": "Identification — governance scope mapping",
|
|
517
|
+
"tier": "Foundational",
|
|
518
|
+
"scope": "Both",
|
|
519
|
+
"notes": "Map all AI systems subject to governance; ensure complete coverage of AI data assets in governance framework"
|
|
520
|
+
}
|
|
521
|
+
],
|
|
522
|
+
"tools": [
|
|
523
|
+
{
|
|
524
|
+
"name": "IBM Adversarial Robustness Toolbox",
|
|
525
|
+
"type": "open-source",
|
|
526
|
+
"url": "https://github.com/Trusted-AI/adversarial-robustness-toolbox"
|
|
527
|
+
},
|
|
528
|
+
{
|
|
529
|
+
"name": "ML Privacy Meter",
|
|
530
|
+
"type": "open-source",
|
|
531
|
+
"url": "https://github.com/privacytrustlab/ml_privacy_meter"
|
|
532
|
+
},
|
|
533
|
+
{
|
|
534
|
+
"name": "TensorFlow Privacy",
|
|
535
|
+
"type": "open-source",
|
|
536
|
+
"url": "https://github.com/tensorflow/privacy"
|
|
537
|
+
},
|
|
538
|
+
{
|
|
539
|
+
"name": "OpenDP",
|
|
540
|
+
"type": "open-source",
|
|
541
|
+
"url": "https://github.com/opendp/opendp"
|
|
542
|
+
},
|
|
543
|
+
{
|
|
544
|
+
"name": "Collibra",
|
|
545
|
+
"type": "commercial",
|
|
546
|
+
"url": "https://www.collibra.com"
|
|
547
|
+
},
|
|
548
|
+
{
|
|
549
|
+
"name": "Atlan",
|
|
550
|
+
"type": "commercial",
|
|
551
|
+
"url": "https://atlan.com"
|
|
552
|
+
},
|
|
553
|
+
{
|
|
554
|
+
"name": "Apache Atlas",
|
|
555
|
+
"type": "open-source",
|
|
556
|
+
"url": "https://atlas.apache.org"
|
|
557
|
+
},
|
|
558
|
+
{
|
|
559
|
+
"name": "Open Policy Agent",
|
|
560
|
+
"type": "open-source",
|
|
561
|
+
"url": "https://www.openpolicyagent.org"
|
|
562
|
+
},
|
|
563
|
+
{
|
|
564
|
+
"name": "Alation",
|
|
565
|
+
"type": "commercial",
|
|
566
|
+
"url": "https://www.alation.com"
|
|
567
|
+
},
|
|
568
|
+
{
|
|
569
|
+
"name": "ServiceNow GRC",
|
|
570
|
+
"type": "commercial",
|
|
571
|
+
"url": "https://www.servicenow.com"
|
|
572
|
+
}
|
|
573
|
+
],
|
|
574
|
+
"incidents": [
|
|
575
|
+
{
|
|
576
|
+
"name": "Synthetic data re-identification — de-anonymized patients from synthetic health records",
|
|
577
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
578
|
+
"year": 2025,
|
|
579
|
+
"incident_id": "INC-040"
|
|
580
|
+
},
|
|
581
|
+
{
|
|
582
|
+
"name": "Uber ML platform data lineage audit — fragmented provenance across 30+ feature stores",
|
|
583
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
584
|
+
"year": 2024,
|
|
585
|
+
"incident_id": "INC-042"
|
|
586
|
+
}
|
|
587
|
+
],
|
|
588
|
+
"crossrefs": {
|
|
589
|
+
"llm_top10": [
|
|
590
|
+
"LLM02",
|
|
591
|
+
"LLM08",
|
|
592
|
+
"LLM06",
|
|
593
|
+
"LLM05",
|
|
594
|
+
"LLM09"
|
|
595
|
+
],
|
|
596
|
+
"dsgai_2026": [
|
|
597
|
+
"DSGAI10",
|
|
598
|
+
"DSGAI15"
|
|
599
|
+
],
|
|
600
|
+
"agentic_top10": [
|
|
601
|
+
"ASI04",
|
|
602
|
+
"ASI09"
|
|
603
|
+
]
|
|
604
|
+
},
|
|
605
|
+
"changelog": [
|
|
606
|
+
{
|
|
607
|
+
"date": "2026-03-27",
|
|
608
|
+
"version": "1.0.0",
|
|
609
|
+
"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
|
|
610
|
+
"author": "emmanuelgjr"
|
|
611
|
+
}
|
|
612
|
+
]
|
|
613
|
+
}
|