genai-security-crosswalk 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/LICENSE.md +28 -0
  2. package/README.md +618 -0
  3. package/data/entries/ASI01.json +911 -0
  4. package/data/entries/ASI02.json +850 -0
  5. package/data/entries/ASI03.json +854 -0
  6. package/data/entries/ASI04.json +759 -0
  7. package/data/entries/ASI05.json +764 -0
  8. package/data/entries/ASI06.json +817 -0
  9. package/data/entries/ASI07.json +789 -0
  10. package/data/entries/ASI08.json +788 -0
  11. package/data/entries/ASI09.json +754 -0
  12. package/data/entries/ASI10.json +833 -0
  13. package/data/entries/DSGAI01.json +779 -0
  14. package/data/entries/DSGAI02.json +728 -0
  15. package/data/entries/DSGAI03.json +671 -0
  16. package/data/entries/DSGAI04.json +752 -0
  17. package/data/entries/DSGAI05.json +689 -0
  18. package/data/entries/DSGAI06.json +673 -0
  19. package/data/entries/DSGAI07.json +680 -0
  20. package/data/entries/DSGAI08.json +698 -0
  21. package/data/entries/DSGAI09.json +687 -0
  22. package/data/entries/DSGAI10.json +627 -0
  23. package/data/entries/DSGAI11.json +663 -0
  24. package/data/entries/DSGAI12.json +695 -0
  25. package/data/entries/DSGAI13.json +688 -0
  26. package/data/entries/DSGAI14.json +703 -0
  27. package/data/entries/DSGAI15.json +655 -0
  28. package/data/entries/DSGAI16.json +716 -0
  29. package/data/entries/DSGAI17.json +690 -0
  30. package/data/entries/DSGAI18.json +613 -0
  31. package/data/entries/DSGAI19.json +638 -0
  32. package/data/entries/DSGAI20.json +671 -0
  33. package/data/entries/DSGAI21.json +881 -0
  34. package/data/entries/LLM01.json +975 -0
  35. package/data/entries/LLM02.json +868 -0
  36. package/data/entries/LLM03.json +817 -0
  37. package/data/entries/LLM04.json +797 -0
  38. package/data/entries/LLM05.json +761 -0
  39. package/data/entries/LLM06.json +848 -0
  40. package/data/entries/LLM07.json +749 -0
  41. package/data/entries/LLM08.json +750 -0
  42. package/data/entries/LLM09.json +760 -0
  43. package/data/entries/LLM10.json +763 -0
  44. package/data/incidents-schema.json +121 -0
  45. package/data/incidents.json +1484 -0
  46. package/data/schema.json +134 -0
  47. package/dist/index.d.ts +97 -0
  48. package/dist/index.d.ts.map +1 -0
  49. package/dist/index.js +124 -0
  50. package/dist/index.js.map +1 -0
  51. package/dist/index.test.d.ts +2 -0
  52. package/dist/index.test.d.ts.map +1 -0
  53. package/dist/index.test.js +97 -0
  54. package/dist/index.test.js.map +1 -0
  55. package/package.json +62 -0
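--- a/package/data/entries/LLM02.json
+++ b/package/data/entries/LLM02.json
@@ -0,0 +1,868 @@
+ {
+ "id": "LLM02",
+ "name": "Sensitive Information Disclosure",
+ "source_list": "LLM-Top10-2025",
+ "version": "2026-Q1",
+ "severity": "High",
+ "aivss_score": null,
+ "audience": [
+ "red-teamer",
+ "security-engineer",
+ "developer",
+ "ml-engineer",
+ "ot-engineer",
+ "ciso",
+ "compliance",
+ "auditor"
+ ],
+ "mappings": [
+ {
+ "framework": "MITRE ATLAS",
+ "control_id": "AML.T0021",
+ "control_name": "Data Leakage",
+ "tier": "Foundational",
+ "scope": "Both",
+ "url": "https://atlas.mitre.org/techniques/AML.T0021",
+ "notes": "Unintended exposure of training data or sensitive context through model outputs"
+ },
+ {
+ "framework": "MITRE ATLAS",
+ "control_id": "AML.T0030",
+ "control_name": "Information Disclosure",
+ "tier": "Foundational",
+ "scope": "Both",
+ "url": "https://atlas.mitre.org/techniques/AML.T0030",
+ "notes": "Extraction of confidential information via targeted model queries"
+ },
+ {
+ "framework": "MITRE ATLAS",
+ "control_id": "AML.T0024",
+ "control_name": "Model Inversion",
+ "tier": "Foundational",
+ "scope": "Both",
+ "url": "https://atlas.mitre.org/techniques/AML.T0024",
+ "notes": "Reconstructing training data from model outputs or confidence scores"
+ },
+ {
+ "framework": "NIST AI RMF 1.0",
+ "control_id": "GV-1.6",
+ "control_name": "Policies for data privacy",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Organisational policies for data privacy in AI systems — classification, handling, and disclosure controls"
+ },
+ {
+ "framework": "NIST AI RMF 1.0",
+ "control_id": "MP-2.3",
+ "control_name": "Risk categorisation",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Sensitive information disclosure categorised and risk-rated in AI system risk register"
+ },
+ {
+ "framework": "NIST AI RMF 1.0",
+ "control_id": "MS-2.6",
+ "control_name": "Testing — data leakage",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Evaluation programme includes data leakage and privacy disclosure testing"
+ },
+ {
+ "framework": "NIST AI RMF 1.0",
+ "control_id": "MG-2.4",
+ "control_name": "Risk response — data",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Defined procedures for responding to sensitive data disclosure incidents"
+ },
+ {
+ "framework": "EU AI Act",
+ "control_id": "Training data for high-risk AI must be relevant, representative, free of errors, and complete — must address privacy",
+ "control_name": "Art. 10 — Data and data governance",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Privacy-preserving training data practices are a compliance requirement for high-risk LLMs"
+ },
+ {
+ "framework": "EU AI Act",
+ "control_id": "Users must receive information about capabilities, limitations, and conditions of use",
+ "control_name": "Art. 13 — Transparency",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Disclosure of potential data disclosure risks is a transparency obligation"
+ },
+ {
+ "framework": "EU AI Act",
+ "control_id": "Documented quality management system including post-market monitoring",
+ "control_name": "Art. 17 — Quality management",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Post-market monitoring must detect and respond to sensitive disclosure incidents"
+ },
+ {
+ "framework": "EU AI Act",
+ "control_id": "GPAI providers must maintain technical documentation including training data governance",
+ "control_name": "Art. 53(1)(a) — GPAI documentation",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Data governance for GPAI training data is a binding documentation obligation from Aug 2025"
+ },
+ {
+ "framework": "ISO/IEC 27001:2022",
+ "control_id": "A.8.11",
+ "control_name": "Data masking",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output redaction for PII and sensitive patterns before responses reach users"
+ },
+ {
+ "framework": "ISO/IEC 27001:2022",
+ "control_id": "A.8.12",
+ "control_name": "Data leakage prevention",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "DLP on all LLM output channels — API, chat interface, logs"
+ },
+ {
+ "framework": "ISO/IEC 27001:2022",
+ "control_id": "A.5.12",
+ "control_name": "Classification of information",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "All data in LLM scope classified — training data, RAG sources, outputs, embeddings"
+ },
+ {
+ "framework": "ISO/IEC 27001:2022",
+ "control_id": "A.8.3",
+ "control_name": "Information access restriction",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Access controls on RAG retrieval — users retrieve only data they are authorised to access"
+ },
+ {
+ "framework": "ISO/IEC 42001:2023",
+ "control_id": "A.7.2",
+ "control_name": "Data quality",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Training data and RAG content quality requirements — sensitivity, completeness, appropriateness assessed before use"
+ },
+ {
+ "framework": "ISO/IEC 42001:2023",
+ "control_id": "A.7.3",
+ "control_name": "Data provenance and characteristics",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Data provenance documented — source, classification, handling requirements tracked from ingestion through all derived forms"
+ },
+ {
+ "framework": "ISO/IEC 42001:2023",
+ "control_id": "A.6.2.3",
+ "control_name": "AI system security",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output scanning and redaction as AIMS security controls — DLP enforced at the system boundary"
+ },
+ {
+ "framework": "ISO/IEC 42001:2023",
+ "control_id": "A.5.2",
+ "control_name": "Impact assessment",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Impact assessment covers data disclosure risk — what data is in LLM scope, what is the disclosure impact per stakeholder"
+ },
+ {
+ "framework": "CIS Controls v8.1",
+ "control_id": "3.1 Establish and maintain data management process",
+ "control_name": "CIS 3 — Data Protection",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Data classification and handling requirements applied to all LLM data assets"
+ },
+ {
+ "framework": "CIS Controls v8.1",
+ "control_id": "3.11 Encrypt sensitive data at rest",
+ "control_name": "CIS 3 — Data Protection",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Embeddings, training data, and RAG caches containing sensitive data encrypted"
+ },
+ {
+ "framework": "CIS Controls v8.1",
+ "control_id": "14.1 Establish security awareness programme",
+ "control_name": "CIS 14 — Security Awareness",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "User training on LLM data handling — what data should not be shared with LLMs"
+ },
+ {
+ "framework": "CIS Controls v8.1",
+ "control_id": "8.5 Collect detailed audit logs",
+ "control_name": "CIS 8 — Audit Log Management",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Detailed logging of all LLM data access — RAG queries, data retrieved, outputs generated"
+ },
+ {
+ "framework": "OWASP ASVS 4.0.3",
+ "control_id": "V8.1.1",
+ "control_name": "Verify sensitive data is not cached or exposed in logs",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM outputs containing sensitive data not logged in cleartext or cached without protection"
+ },
+ {
+ "framework": "OWASP ASVS 4.0.3",
+ "control_id": "V8.3.4",
+ "control_name": "Verify PII is identified and protected",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "PII in LLM training data, RAG sources, and outputs identified and handled per policy"
+ },
+ {
+ "framework": "OWASP ASVS 4.0.3",
+ "control_id": "V4.1.3",
+ "control_name": "Verify access control decisions enforce least privilege",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "RAG retrieval access controls — users retrieve only data they are authorised to access"
+ },
+ {
+ "framework": "OWASP ASVS 4.0.3",
+ "control_id": "V6.1.1",
+ "control_name": "Verify all sensitive data encrypted at rest",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Training data, embeddings, RAG document stores, and prompt caches encrypted at rest"
+ },
+ {
+ "framework": "OWASP ASVS 4.0.3",
+ "control_id": "V9.1.1",
+ "control_name": "Verify all sensitive data encrypted in transit",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "All LLM API communication and data flows encrypted in transit — TLS 1.2 minimum"
+ },
+ {
+ "framework": "ISA/IEC 62443",
+ "control_id": "SR 4.1",
+ "control_name": "Data confidentiality in transit",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "All OT data accessed by LLMs encrypted in transit — no cleartext historian queries over OT network"
+ },
+ {
+ "framework": "ISA/IEC 62443",
+ "control_id": "SR 4.2",
+ "control_name": "Data confidentiality at rest",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "OT data used in LLM context or stored by LLM components encrypted at rest"
+ },
+ {
+ "framework": "ISA/IEC 62443",
+ "control_id": "SR 5.1",
+ "control_name": "Information flow restriction",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM outputs containing OT data restricted to authorised users — no unrestricted external output"
+ },
+ {
+ "framework": "ISA/IEC 62443",
+ "control_id": "SR 1.2",
+ "control_name": "Identification and authentication",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "All LLM access to OT data systems requires authenticated, authorised identity"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Information disclosure and OT espionage",
+ "control_name": "Section 5.4 — Threats",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLMs with historian access as a new vector for automated OT intelligence gathering"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Assess confidentiality of OT data",
+ "control_name": "Section 6.2 — Risk assessment",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "OT data classification applied to all data accessible by LLMs"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Protecting OT data at rest and in transit",
+ "control_name": "Section 7.3 — Data protection",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Encryption and access controls on all OT data paths feeding LLM context"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Title",
+ "control_name": "Control",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Application"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Protection of Information at Rest",
+ "control_name": "SC-28",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "OT data used in LLM context encrypted at rest — historian exports, embedding stores, prompt caches"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Access Enforcement",
+ "control_name": "AC-3",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM access to OT data enforced by classification — sensitive process and network data requires elevated access tier"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Protection of Audit Information",
+ "control_name": "AU-9",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM access logs to OT data protected — audit trail of all OT data accessed by LLM"
+ },
+ {
+ "framework": "NIST CSF 2.0",
+ "control_id": "PR.DS-01",
+ "control_name": "Data Security",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Data-at-rest protected — training data, embeddings, RAG stores containing sensitive information encrypted"
+ },
+ {
+ "framework": "NIST CSF 2.0",
+ "control_id": "PR.DS-02",
+ "control_name": "Data Security",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Data-in-transit protected — all LLM API calls and RAG retrieval paths encrypted"
+ },
+ {
+ "framework": "NIST CSF 2.0",
+ "control_id": "DE.CM-01",
+ "control_name": "Continuous Monitoring",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM output channels monitored for sensitive data patterns — DLP coverage"
+ },
+ {
+ "framework": "NIST CSF 2.0",
+ "control_id": "GV.RM-06",
+ "control_name": "Risk Management Strategy",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Risk tolerance established — acceptable levels of sensitive data disclosure risk defined per use case"
+ },
+ {
+ "framework": "SOC 2",
+ "control_id": "Policy identifying confidential information in LLM scope and how it is handled — training data, RAG corpus, outputs",
+ "control_name": "C1.1 — Confidentiality policy",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "SOC 2",
+ "control_id": "Technical controls protecting confidential data in LLM pipelines — encryption, access controls, output scanning",
+ "control_name": "C2.1 — Confidential information protection",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "SOC 2",
+ "control_id": "Personal information in LLM scope identified — training data, RAG sources, outputs — collection documented",
+ "control_name": "P3.1 — Personal information collection",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "SOC 2",
+ "control_id": "Personal information used only for purposes disclosed — LLM processing of customer PII limited to agreed use cases",
+ "control_name": "P5.1 — Personal information use",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "SOC 2",
+ "control_id": "Access controls on RAG data sources — users retrieve only data they are authorised to access",
+ "control_name": "CC6.1 — Logical access",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "PCI DSS v4.0",
+ "control_id": "Req 3.3.1",
+ "control_name": "Protect stored account data — SAD prohibition",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "SAD (CVV, PIN) must never be in LLM training data or RAG — stored after authorisation is prohibited"
+ },
+ {
+ "framework": "PCI DSS v4.0",
+ "control_id": "Req 3.4.1",
+ "control_name": "Protect stored account data — PAN rendering",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "PANs in LLM outputs masked — only first six and last four digits displayed in any LLM response"
+ },
+ {
+ "framework": "PCI DSS v4.0",
+ "control_id": "Req 3.5.1",
+ "control_name": "Protect stored account data — encryption",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Any PAN in LLM scope encrypted with strong cryptography — AES-256 or equivalent"
+ },
+ {
+ "framework": "PCI DSS v4.0",
+ "control_id": "Req 4.2.1",
+ "control_name": "Protect cardholder data in transit",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "All LLM API calls and RAG retrieval paths carrying CHD encrypted in transit — TLS 1.2 minimum"
+ },
+ {
+ "framework": "PCI DSS v4.0",
+ "control_id": "Req 7.2.1",
+ "control_name": "Restrict access by need to know",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM access to CHD restricted to minimum required — retrieval access controls prevent over-broad PAN access"
+ },
+ {
+ "framework": "ENISA Multilayer Framework",
+ "control_id": "L2",
+ "control_name": "Data and Model Security (DMS)",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "All data in LLM scope classified and governed — training corpora, RAG sources, embeddings, outputs"
+ },
+ {
+ "framework": "ENISA Multilayer Framework",
+ "control_id": "MON",
+ "control_name": "Monitoring and Detection",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "DLP on all LLM output channels — AI-specific monitoring covering sensitive data patterns"
+ },
+ {
+ "framework": "ENISA Multilayer Framework",
+ "control_id": "L2",
+ "control_name": "Governance and Risk (GOV)",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "GDPR and EU AI Act Article 10 data governance obligations addressed for LLM deployments"
+ },
+ {
+ "framework": "ENISA Multilayer Framework",
+ "control_id": "L1",
+ "control_name": "General ICT — Data Protection",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Training data, embeddings, and RAG stores encrypted at rest and in transit"
+ },
+ {
+ "framework": "OWASP SAMM v2.0",
+ "control_id": "D-SR",
+ "control_name": "Security Requirements",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Data classification and handling requirements defined for all LLM-integrated applications before development"
+ },
+ {
+ "framework": "OWASP SAMM v2.0",
+ "control_id": "I-SB",
+ "control_name": "Secure Build",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output redaction and DLP implemented in code — LLM output scanned before delivery, reviewed in build"
+ },
+ {
+ "framework": "OWASP SAMM v2.0",
+ "control_id": "V-RT",
+ "control_name": "Requirements-Driven Testing",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Data protection requirements verified in testing — PII patterns confirmed not to appear in LLM outputs"
+ },
+ {
+ "framework": "OWASP SAMM v2.0",
+ "control_id": "O-OM",
+ "control_name": "Operational Management",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Production DLP monitoring on LLM output channels — operational data protection as ongoing practice"
+ },
+ {
+ "framework": "STRIDE",
+ "control_id": "I",
+ "control_name": "Sensitive Data Disclosure",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "STRIDE",
+ "control_id": "R",
+ "control_name": "Disclosure Without Audit Trail",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "CWE/CVE",
+ "control_id": "CWE-200",
+ "control_name": "CWE-200",
+ "tier": "Foundational",
+ "scope": "Both",
+ "url": "https://cwe.mitre.org/data/definitions/200.html"
+ },
+ {
+ "framework": "CWE/CVE",
+ "control_id": "CWE-201",
+ "control_name": "CWE-201",
+ "tier": "Foundational",
+ "scope": "Both",
+ "url": "https://cwe.mitre.org/data/definitions/201.html"
+ },
+ {
+ "framework": "CWE/CVE",
+ "control_id": "CWE-359",
+ "control_name": "CWE-359",
+ "tier": "Foundational",
+ "scope": "Both",
+ "url": "https://cwe.mitre.org/data/definitions/359.html"
+ },
+ {
+ "framework": "OWASP AI Testing Guide",
+ "control_id": "PII and sensitive data extraction from outputs",
+ "control_name": "DPT — Data Protection",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Attempt to extract PII, credentials, financial data, and confidential content from model outputs through direct questions, social engineering prompts, and adversarial extraction techniques"
+ },
+ {
+ "framework": "OWASP AI Testing Guide",
+ "control_id": "Output DLP effectiveness",
+ "control_name": "OHT — Output Handling",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Verify that DLP controls on LLM outputs correctly detect and block sensitive data patterns before delivery"
+ },
+ {
+ "framework": "OWASP AI Testing Guide",
+ "control_id": "Data access authorisation enforcement",
+ "control_name": "ACT — Access Control",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Verify that RAG retrieval and context population enforce user authorisation — users cannot access documents above their permission level"
+ },
+ {
+ "framework": "MAESTRO",
+ "control_id": "L2",
+ "control_name": "Data Operations",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "MAESTRO",
+ "control_id": "L1",
+ "control_name": "Foundation Models",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "MAESTRO",
+ "control_id": "L5",
+ "control_name": "Evaluation & Observability",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "AIUC-1",
+ "control_id": "A",
+ "control_name": "PII protection and data leakage prevention",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Foundational"
+ },
+ {
+ "framework": "AIUC-1",
+ "control_id": "B006",
+ "control_name": "Prevent unauthorized AI actions",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Foundational"
+ },
+ {
+ "framework": "AIUC-1",
+ "control_id": "E",
+ "control_name": "Audit trails and logging",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Foundational"
+ },
+ {
+ "framework": "OWASP NHI Top 10",
+ "control_id": "LLM outputs containing API keys, tokens, or credentials",
+ "control_name": "NHI-2 Secret Leakage",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output filtering: detect and redact credential patterns in all outputs"
+ },
+ {
+ "framework": "OWASP NHI Top 10",
+ "control_id": "Credentials in plaintext config files ingested by LLM",
+ "control_name": "NHI-6 Insecure Credential Storage",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Audit all config and data sources for embedded credentials"
+ },
+ {
+ "framework": "NIST SP 800-218A",
+ "control_id": "PW.5.1-PS",
+ "control_name": "Secure coding — ML pipeline output handling",
+ "tier": "Foundational",
+ "scope": "Build",
+ "notes": "Implement secure coding practices for all code paths that consume LLM output; treat model responses as untrusted input to downstream systems"
+ },
+ {
+ "framework": "NIST SP 800-218A",
+ "control_id": "PW.7.2-PS",
+ "control_name": "Review for security vulnerabilities — output validation",
+ "tier": "Foundational",
+ "scope": "Build",
+ "notes": "Include output injection and unsafe rendering scenarios in pre-release security reviews; verify that output sanitisation controls are present and effective"
+ },
+ {
+ "framework": "NIST SP 800-218A",
+ "control_id": "PS.2.1-PS",
+ "control_name": "Verify software integrity — model artifact integrity",
+ "tier": "Foundational",
+ "scope": "Build",
+ "notes": "Verify that the model artifact serving output has not been tampered with; maintain signed model checksums and verify before deployment"
+ },
+ {
+ "framework": "NIST SP 800-218A",
+ "control_id": "PW.8.2-PS",
+ "control_name": "Test for security vulnerabilities — output security",
+ "tier": "Foundational",
+ "scope": "Build",
+ "notes": "Include output-based injection testing (XSS, SQLi, CMDi via LLM output) in adversarial test suites"
+ },
+ {
+ "framework": "FedRAMP",
+ "control_id": "SC-28",
+ "control_name": "Protection of Information at Rest — training data and model weights",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Encrypt training data, fine-tuning datasets, and model weights at rest; prevent data memorisation exposure through access controls on data stores"
+ },
+ {
+ "framework": "FedRAMP",
+ "control_id": "AU-2",
+ "control_name": "Event Logging — AI inference logging",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Log all model inference requests and responses with sufficient detail to detect sensitive data disclosure; include user identity, query content, and response metadata"
+ },
+ {
+ "framework": "FedRAMP",
+ "control_id": "AC-3",
+ "control_name": "Access Enforcement — model endpoint access",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Enforce role-based access control on model inference endpoints; restrict access to training data, fine-tuning data, and model configuration based on clearance and need-to-know"
+ },
+ {
+ "framework": "FedRAMP",
+ "control_id": "SI-4",
+ "control_name": "System Monitoring — output content monitoring",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Monitor model outputs for sensitive data patterns — PII, credentials, classification markings — and alert on detection"
+ },
+ {
+ "framework": "DORA",
+ "control_id": "Art. 9",
+ "control_name": "Protection and Prevention — data disclosure controls",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Implement ICT security controls to prevent LLM-based disclosure of sensitive financial data, PII, and credentials; include output monitoring and data loss prevention"
+ },
+ {
+ "framework": "DORA",
+ "control_id": "Art. 17–23",
+ "control_name": "ICT Incident Management — data breach reporting",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Classify LLM data disclosure events as ICT-related incidents; report to competent authorities per DORA incident classification and reporting requirements"
+ },
+ {
+ "framework": "DORA",
+ "control_id": "Art. 5–7",
+ "control_name": "ICT Risk Management — AI data governance",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Include AI data handling in ICT risk management framework; define policies for data processed by LLM systems including classification, retention, and access controls"
+ },
+ {
+ "framework": "DORA",
+ "control_id": "Art. 10",
+ "control_name": "Detection — data leakage detection",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Deploy detection mechanisms for sensitive data in model outputs; monitor for PII, financial data, and credential patterns in inference responses"
+ }
+ ],
+ "tools": [
+ {
+ "name": "Microsoft Presidio",
+ "type": "open-source",
+ "url": "https://github.com/microsoft/presidio"
+ },
+ {
+ "name": "Amazon Comprehend",
+ "type": "commercial",
+ "url": "https://aws.amazon.com/comprehend/"
+ },
+ {
+ "name": "Nightfall AI",
+ "type": "commercial",
+ "url": "https://nightfall.ai"
+ },
+ {
+ "name": "Private AI",
+ "type": "commercial",
+ "url": "https://private-ai.com"
+ },
+ {
+ "name": "Nozomi Networks",
+ "type": "commercial",
+ "url": "https://www.nozominetworks.com"
+ },
+ {
+ "name": "Presidio",
+ "type": "open-source",
+ "url": "https://github.com/microsoft/presidio"
+ },
+ {
+ "name": "LLM Guard",
+ "type": "open-source",
+ "url": "https://github.com/protectai/llm-guard"
+ },
+ {
+ "name": "Garak",
+ "type": "open-source",
+ "url": "https://github.com/leondz/garak"
+ },
+ {
+ "name": "OWASP ZAP",
+ "type": "open-source",
+ "url": "https://www.zaproxy.org"
+ },
+ {
+ "name": "Semgrep",
+ "type": "open-source",
+ "url": "https://semgrep.dev"
+ },
+ {
+ "name": "DOMPurify",
+ "type": "open-source",
+ "url": "https://github.com/cure53/DOMPurify"
+ },
+ {
+ "name": "Guardrails AI",
+ "type": "open-source",
+ "url": "https://github.com/guardrails-ai/guardrails"
+ },
+ {
+ "name": "OpenTelemetry",
+ "type": "open-source",
+ "url": "https://opentelemetry.io"
+ },
+ {
+ "name": "AWS CloudTrail / Azure Monitor",
+ "type": "commercial",
+ "url": "https://aws.amazon.com/cloudtrail/"
+ },
+ {
+ "name": "Nightfall DLP",
+ "type": "commercial",
+ "url": "https://www.nightfall.ai"
+ }
+ ],
+ "incidents": [
+ {
+ "name": "Samsung employees leak source code and meeting notes via ChatGPT",
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+ "year": 2023,
+ "incident_id": "INC-001"
+ },
+ {
+ "name": "OpenAI Redis caching bug exposes user conversation history",
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+ "year": 2023,
+ "incident_id": "INC-006"
+ },
+ {
+ "name": "GitHub Copilot reproduces verbatim licensed code and embedded secrets",
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+ "year": 2023,
+ "incident_id": "INC-008"
+ },
+ {
+ "name": "Slack AI indirect injection via channel content",
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+ "year": 2024,
+ "incident_id": "INC-024"
+ },
+ {
+ "name": "DeepSeek AI database exposure — 1M+ chat logs publicly accessible",
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+ "year": 2025,
+ "incident_id": "INC-032"
+ },
+ {
+ "name": "Cursor AI code agent leaking repository secrets via context window",
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+ "year": 2025,
+ "incident_id": "INC-034"
+ }
+ ],
+ "crossrefs": {
+ "agentic_top10": [
+ "ASI03",
+ "ASI06",
+ "ASI02",
+ "ASI05"
+ ],
+ "dsgai_2026": [
+ "DSGAI01",
+ "DSGAI10",
+ "DSGAI18",
+ "DSGAI07",
+ "DSGAI08",
+ "DSGAI06",
+ "DSGAI03",
+ "DSGAI05",
+ "DSGAI12",
+ "DSGAI16"
+ ]
+ },
+ "changelog": [
+ {
+ "date": "2026-03-27",
+ "version": "1.0.0",
+ "change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
+ "author": "emmanuelgjr"
+ }
+ ]
+ }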
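Review bot: The NIST SP 800-82 Rev 3 mapping at file lines 303–309 is a placeholder row, not a control — `"control_id": "Title"`, `"control_name": "Control"`, `"notes": "Application"` reads like a table header that was ingested as data, and any consumer enumerating mappings for this framework will surface it as a real control; drop that object before release. The three NIST SP 800-82 rows that follow it (file lines 310–333) also put the prose title in `control_id` and the identifier (`SC-28`, `AC-3`, `AU-9`) in `control_name`, the reverse of the FedRAMP rows at lines 660–691 that use the same identifiers, so a lookup by `control_id` will miss them — swap the two fields there. The `tools` array lists the same product twice under different names (`"Microsoft Presidio"` and `"Presidio"` with identical URLs, `"Nightfall AI"` and `"Nightfall DLP"` pointing at nightfall.ai); one entry each would keep counts honest. The four NIST SP 800-218A rows (file lines 628–659) and the DOMPurify/OWASP ZAP/Semgrep tools describe output injection (XSS, SQLi, CMDi) and model artifact integrity rather than sensitive information disclosure, which looks like content carried over from an output-handling entry — worth confirming against the intended LLM02 scope before they are relied on.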