genai-security-crosswalk 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
|
@@ -0,0 +1,797 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "LLM04",
|
|
3
|
+
"name": "Data and Model Poisoning",
|
|
4
|
+
"source_list": "LLM-Top10-2025",
|
|
5
|
+
"version": "2026-Q1",
|
|
6
|
+
"severity": "Critical",
|
|
7
|
+
"aivss_score": null,
|
|
8
|
+
"audience": [
|
|
9
|
+
"red-teamer",
|
|
10
|
+
"security-engineer",
|
|
11
|
+
"developer",
|
|
12
|
+
"ml-engineer",
|
|
13
|
+
"ot-engineer",
|
|
14
|
+
"ciso",
|
|
15
|
+
"compliance",
|
|
16
|
+
"auditor"
|
|
17
|
+
],
|
|
18
|
+
"mappings": [
|
|
19
|
+
{
|
|
20
|
+
"framework": "MITRE ATLAS",
|
|
21
|
+
"control_id": "AML.T0032",
|
|
22
|
+
"control_name": "Data Poisoning",
|
|
23
|
+
"tier": "Hardening",
|
|
24
|
+
"scope": "Both",
|
|
25
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0032",
|
|
26
|
+
"notes": "Injecting malicious data into training pipelines to corrupt model behaviour"
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"framework": "MITRE ATLAS",
|
|
30
|
+
"control_id": "AML.T0031",
|
|
31
|
+
"control_name": "Backdoor ML Model",
|
|
32
|
+
"tier": "Hardening",
|
|
33
|
+
"scope": "Both",
|
|
34
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0031",
|
|
35
|
+
"notes": "Embedding hidden trigger-response patterns in model via poisoned training data"
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"framework": "MITRE ATLAS",
|
|
39
|
+
"control_id": "AML.T0027",
|
|
40
|
+
"control_name": "Model Inversion",
|
|
41
|
+
"tier": "Hardening",
|
|
42
|
+
"scope": "Both",
|
|
43
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0027",
|
|
44
|
+
"notes": "Reconstructing sensitive training data from model outputs"
|
|
45
|
+
},
|
|
46
|
+
{
|
|
47
|
+
"framework": "NIST AI RMF 1.0",
|
|
48
|
+
"control_id": "MP-2.3",
|
|
49
|
+
"control_name": "Risk categorisation",
|
|
50
|
+
"tier": "Hardening",
|
|
51
|
+
"scope": "Both",
|
|
52
|
+
"notes": "Data and model poisoning categorised as Critical in AI risk register"
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
"framework": "NIST AI RMF 1.0",
|
|
56
|
+
"control_id": "MS-2.5",
|
|
57
|
+
"control_name": "Testing — adversarial",
|
|
58
|
+
"tier": "Hardening",
|
|
59
|
+
"scope": "Both",
|
|
60
|
+
"notes": "Adversarial testing specifically covering poisoning detection in training pipelines"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"framework": "NIST AI RMF 1.0",
|
|
64
|
+
"control_id": "MS-3.3",
|
|
65
|
+
"control_name": "Data quality",
|
|
66
|
+
"tier": "Hardening",
|
|
67
|
+
"scope": "Both",
|
|
68
|
+
"notes": "Data quality measurement and validation applied to all training and fine-tuning data"
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
"framework": "NIST AI RMF 1.0",
|
|
72
|
+
"control_id": "MG-2.2",
|
|
73
|
+
"control_name": "Risk response",
|
|
74
|
+
"tier": "Hardening",
|
|
75
|
+
"scope": "Both",
|
|
76
|
+
"notes": "Defined response procedures including model rollback for detected poisoning events"
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
"framework": "EU AI Act",
|
|
80
|
+
"control_id": "Data poisoning must be identified as a foreseeable risk and mitigated",
|
|
81
|
+
"control_name": "Art. 9 — Risk management",
|
|
82
|
+
"tier": "Hardening",
|
|
83
|
+
"scope": "Both",
|
|
84
|
+
"notes": "Poisoning attack scenarios required in Art. 9 risk assessment"
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
"framework": "EU AI Act",
|
|
88
|
+
"control_id": "Training data must be subject to appropriate governance practices — relevant, representative, free of errors",
|
|
89
|
+
"control_name": "Art. 10 — Data and data governance",
|
|
90
|
+
"tier": "Hardening",
|
|
91
|
+
"scope": "Both",
|
|
92
|
+
"notes": "Data quality controls preventing poisoning are a compliance requirement"
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
"framework": "EU AI Act",
|
|
96
|
+
"control_id": "High-risk AI must be resilient to attempts to alter performance through data manipulation",
|
|
97
|
+
"control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
|
|
98
|
+
"tier": "Hardening",
|
|
99
|
+
"scope": "Both",
|
|
100
|
+
"notes": "Technical robustness against poisoning is a binding Art. 15 requirement"
|
|
101
|
+
},
|
|
102
|
+
{
|
|
103
|
+
"framework": "EU AI Act",
|
|
104
|
+
"control_id": "Systemic risk GPAI providers must conduct adversarial testing to identify model-level risks",
|
|
105
|
+
"control_name": "Art. 55(1)(b) — Systemic risk GPAI adversarial testing",
|
|
106
|
+
"tier": "Hardening",
|
|
107
|
+
"scope": "Both",
|
|
108
|
+
"notes": "Poisoning detection is in scope for Art. 55 adversarial testing"
|
|
109
|
+
},
|
|
110
|
+
{
|
|
111
|
+
"framework": "ISO/IEC 27001:2022",
|
|
112
|
+
"control_id": "A.8.8",
|
|
113
|
+
"control_name": "Management of technical vulnerabilities",
|
|
114
|
+
"tier": "Hardening",
|
|
115
|
+
"scope": "Both",
|
|
116
|
+
"notes": "Training pipeline dependency scanning — vulnerabilities in training infrastructure components"
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
"framework": "ISO/IEC 27001:2022",
|
|
120
|
+
"control_id": "A.8.27",
|
|
121
|
+
"control_name": "Secure system architecture",
|
|
122
|
+
"tier": "Hardening",
|
|
123
|
+
"scope": "Both",
|
|
124
|
+
"notes": "Training pipeline designed with integrity controls — data validation, source allowlisting, lineage tracking"
|
|
125
|
+
},
|
|
126
|
+
{
|
|
127
|
+
"framework": "ISO/IEC 27001:2022",
|
|
128
|
+
"control_id": "A.8.29",
|
|
129
|
+
"control_name": "Security testing",
|
|
130
|
+
"tier": "Hardening",
|
|
131
|
+
"scope": "Both",
|
|
132
|
+
"notes": "Adversarial testing covering poisoning detection before each production model promotion"
|
|
133
|
+
},
|
|
134
|
+
{
|
|
135
|
+
"framework": "ISO/IEC 27001:2022",
|
|
136
|
+
"control_id": "A.5.7",
|
|
137
|
+
"control_name": "Threat intelligence",
|
|
138
|
+
"tier": "Hardening",
|
|
139
|
+
"scope": "Both",
|
|
140
|
+
"notes": "Intelligence on active data poisoning campaigns targeting your sector and model type"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"framework": "ISO/IEC 42001:2023",
|
|
144
|
+
"control_id": "A.7.2",
|
|
145
|
+
"control_name": "Data quality",
|
|
146
|
+
"tier": "Hardening",
|
|
147
|
+
"scope": "Both",
|
|
148
|
+
"notes": "Training data quality requirements include integrity — anomaly detection, source allowlisting, provenance tracking as data quality controls"
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
"framework": "ISO/IEC 42001:2023",
|
|
152
|
+
"control_id": "A.7.3",
|
|
153
|
+
"control_name": "Data provenance and characteristics",
|
|
154
|
+
"tier": "Hardening",
|
|
155
|
+
"scope": "Both",
|
|
156
|
+
"notes": "Training data provenance documented — full chain from source to training dataset, modification history tracked"
|
|
157
|
+
},
|
|
158
|
+
{
|
|
159
|
+
"framework": "ISO/IEC 42001:2023",
|
|
160
|
+
"control_id": "A.6.2.3",
|
|
161
|
+
"control_name": "AI system security",
|
|
162
|
+
"tier": "Hardening",
|
|
163
|
+
"scope": "Both",
|
|
164
|
+
"notes": "Training pipeline integrity controls — input validation, source allowlisting as AIMS security design requirements"
|
|
165
|
+
},
|
|
166
|
+
{
|
|
167
|
+
"framework": "ISO/IEC 42001:2023",
|
|
168
|
+
"control_id": "A.6.2.6",
|
|
169
|
+
"control_name": "Testing of AI systems",
|
|
170
|
+
"tier": "Hardening",
|
|
171
|
+
"scope": "Both",
|
|
172
|
+
"notes": "Poisoning detection in AIMS testing — backdoor trigger testing, biased output detection before each production promotion"
|
|
173
|
+
},
|
|
174
|
+
{
|
|
175
|
+
"framework": "CIS Controls v8.1",
|
|
176
|
+
"control_id": "7.5 Perform automated vulnerability scanning",
|
|
177
|
+
"control_name": "CIS 7 — Continuous Vulnerability Management",
|
|
178
|
+
"tier": "Hardening",
|
|
179
|
+
"scope": "Both",
|
|
180
|
+
"notes": "Automated scanning of training pipeline components — vulnerabilities in data processing libraries"
|
|
181
|
+
},
|
|
182
|
+
{
|
|
183
|
+
"framework": "CIS Controls v8.1",
|
|
184
|
+
"control_id": "16.7 Use standard hardening configuration templates",
|
|
185
|
+
"control_name": "CIS 16 — Application Software Security",
|
|
186
|
+
"tier": "Hardening",
|
|
187
|
+
"scope": "Both",
|
|
188
|
+
"notes": "Hardened training pipeline configurations — immutable infrastructure, locked data sources"
|
|
189
|
+
},
|
|
190
|
+
{
|
|
191
|
+
"framework": "CIS Controls v8.1",
|
|
192
|
+
"control_id": "18.3 Remediate penetration testing findings",
|
|
193
|
+
"control_name": "CIS 18 — Penetration Testing",
|
|
194
|
+
"tier": "Hardening",
|
|
195
|
+
"scope": "Both",
|
|
196
|
+
"notes": "Poisoning scenarios in penetration testing — verify data integrity controls hold under attack"
|
|
197
|
+
},
|
|
198
|
+
{
|
|
199
|
+
"framework": "CIS Controls v8.1",
|
|
200
|
+
"control_id": "8.12 Collect service provider logs",
|
|
201
|
+
"control_name": "CIS 8 — Audit Log Management",
|
|
202
|
+
"tier": "Hardening",
|
|
203
|
+
"scope": "Both",
|
|
204
|
+
"notes": "Full audit trail of training data provenance and model training runs"
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
208
|
+
"control_id": "V5.1.1",
|
|
209
|
+
"control_name": "Verify all inputs validated against allowlist",
|
|
210
|
+
"tier": "Hardening",
|
|
211
|
+
"scope": "Both",
|
|
212
|
+
"notes": "Training data pipeline input validation — anomalous data rejected before training"
|
|
213
|
+
},
|
|
214
|
+
{
|
|
215
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
216
|
+
"control_id": "V10.2.1",
|
|
217
|
+
"control_name": "Verify third-party components free of vulnerabilities",
|
|
218
|
+
"tier": "Hardening",
|
|
219
|
+
"scope": "Both",
|
|
220
|
+
"notes": "Training pipeline components scanned — compromised dependencies rejected"
|
|
221
|
+
},
|
|
222
|
+
{
|
|
223
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
224
|
+
"control_id": "V12.1.1",
|
|
225
|
+
"control_name": "Verify file uploads scanned for malware",
|
|
226
|
+
"tier": "Hardening",
|
|
227
|
+
"scope": "Both",
|
|
228
|
+
"notes": "Training data uploads scanned before ingestion — adversarial content detected"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"framework": "ISA/IEC 62443",
|
|
232
|
+
"control_id": "SR 3.3",
|
|
233
|
+
"control_name": "Software and information integrity",
|
|
234
|
+
"tier": "Hardening",
|
|
235
|
+
"scope": "Both",
|
|
236
|
+
"notes": "LLM model integrity verified before each OT deployment — poisoning detection as integrity control"
|
|
237
|
+
},
|
|
238
|
+
{
|
|
239
|
+
"framework": "ISA/IEC 62443",
|
|
240
|
+
"control_id": "SR 3.7",
|
|
241
|
+
"control_name": "Software and information integrity (monitoring)",
|
|
242
|
+
"tier": "Hardening",
|
|
243
|
+
"scope": "Both",
|
|
244
|
+
"notes": "Continuous monitoring of LLM outputs for anomalous recommendations — statistical deviation detection"
|
|
245
|
+
},
|
|
246
|
+
{
|
|
247
|
+
"framework": "ISA/IEC 62443",
|
|
248
|
+
"control_id": "SR 6.1",
|
|
249
|
+
"control_name": "Timely response to events",
|
|
250
|
+
"tier": "Hardening",
|
|
251
|
+
"scope": "Both",
|
|
252
|
+
"notes": "Detection and response to poisoning indicators — LLM output anomalies treated as security events"
|
|
253
|
+
},
|
|
254
|
+
{
|
|
255
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
256
|
+
"control_id": "Attacks targeting OT data and system integrity",
|
|
257
|
+
"control_name": "Section 5.3 — Integrity threats",
|
|
258
|
+
"tier": "Hardening",
|
|
259
|
+
"scope": "Both",
|
|
260
|
+
"notes": "Model poisoning as an integrity attack on the LLM advisory system"
|
|
261
|
+
},
|
|
262
|
+
{
|
|
263
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
264
|
+
"control_id": "Assess integrity risks for all OT-connected systems",
|
|
265
|
+
"control_name": "Section 6.2 — Risk assessment",
|
|
266
|
+
"tier": "Hardening",
|
|
267
|
+
"scope": "Both",
|
|
268
|
+
"notes": "Model poisoning scenarios included in OT risk assessment for each LLM"
|
|
269
|
+
},
|
|
270
|
+
{
|
|
271
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
272
|
+
"control_id": "Layered controls to maintain system integrity",
|
|
273
|
+
"control_name": "Section 7.2 — Defense-in-depth",
|
|
274
|
+
"tier": "Hardening",
|
|
275
|
+
"scope": "Both",
|
|
276
|
+
"notes": "Independent validation of LLM outputs against rule-based reference systems"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
280
|
+
"control_id": "Title",
|
|
281
|
+
"control_name": "Control",
|
|
282
|
+
"tier": "Hardening",
|
|
283
|
+
"scope": "Both",
|
|
284
|
+
"notes": "Application"
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
288
|
+
"control_id": "Software, Firmware, and Information Integrity",
|
|
289
|
+
"control_name": "SI-7",
|
|
290
|
+
"tier": "Hardening",
|
|
291
|
+
"scope": "Both",
|
|
292
|
+
"notes": "Model integrity verification before each OT deployment — hash-based integrity check"
|
|
293
|
+
},
|
|
294
|
+
{
|
|
295
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
296
|
+
"control_id": "Information Input Validation",
|
|
297
|
+
"control_name": "SI-10",
|
|
298
|
+
"tier": "Hardening",
|
|
299
|
+
"scope": "Both",
|
|
300
|
+
"notes": "Training data validation — adversarial content detected and rejected before training"
|
|
301
|
+
},
|
|
302
|
+
{
|
|
303
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
304
|
+
"control_id": "Audit Record Generation",
|
|
305
|
+
"control_name": "AU-12",
|
|
306
|
+
"tier": "Hardening",
|
|
307
|
+
"scope": "Both",
|
|
308
|
+
"notes": "Full audit trail of LLM outputs — poisoning indicators detectable through output analysis"
|
|
309
|
+
},
|
|
310
|
+
{
|
|
311
|
+
"framework": "NIST CSF 2.0",
|
|
312
|
+
"control_id": "PR.DS-01",
|
|
313
|
+
"control_name": "Data Security",
|
|
314
|
+
"tier": "Hardening",
|
|
315
|
+
"scope": "Both",
|
|
316
|
+
"notes": "Training data protected at rest — integrity verification, source allowlisting, provenance tracking"
|
|
317
|
+
},
|
|
318
|
+
{
|
|
319
|
+
"framework": "NIST CSF 2.0",
|
|
320
|
+
"control_id": "DE.CM-09",
|
|
321
|
+
"control_name": "Continuous Monitoring",
|
|
322
|
+
"tier": "Hardening",
|
|
323
|
+
"scope": "Both",
|
|
324
|
+
"notes": "Monitoring for unauthorised software and configuration changes — model integrity verification at deployment"
|
|
325
|
+
},
|
|
326
|
+
{
|
|
327
|
+
"framework": "NIST CSF 2.0",
|
|
328
|
+
"control_id": "ID.RA-01",
|
|
329
|
+
"control_name": "Risk Assessment",
|
|
330
|
+
"tier": "Hardening",
|
|
331
|
+
"scope": "Both",
|
|
332
|
+
"notes": "Poisoning attack vectors identified and documented in risk assessment for each LLM deployment"
|
|
333
|
+
},
|
|
334
|
+
{
|
|
335
|
+
"framework": "NIST CSF 2.0",
|
|
336
|
+
"control_id": "RS.AN-03",
|
|
337
|
+
"control_name": "Incident Analysis",
|
|
338
|
+
"tier": "Hardening",
|
|
339
|
+
"scope": "Both",
|
|
340
|
+
"notes": "Root cause analysis for poisoning incidents — identify affected deployments, assess physical impact"
|
|
341
|
+
},
|
|
342
|
+
{
|
|
343
|
+
"framework": "SOC 2",
|
|
344
|
+
"control_id": "Data and model poisoning identified as threats in LLM risk assessment — training pipeline, supply chain, and model update vectors",
|
|
345
|
+
"control_name": "CC3.2 — Risk assessment",
|
|
346
|
+
"tier": "Hardening",
|
|
347
|
+
"scope": "Both"
|
|
348
|
+
},
|
|
349
|
+
{
|
|
350
|
+
"framework": "SOC 2",
|
|
351
|
+
"control_id": "Anomaly detection on model outputs and training data distributions — poisoning indicators detected before operational impact",
|
|
352
|
+
"control_name": "CC7.2 — Threat detection",
|
|
353
|
+
"tier": "Hardening",
|
|
354
|
+
"scope": "Both"
|
|
355
|
+
},
|
|
356
|
+
{
|
|
357
|
+
"framework": "SOC 2",
|
|
358
|
+
"control_id": "Model promotions managed through change management — integrity verification before production deployment",
|
|
359
|
+
"control_name": "CC8.1 — Change management",
|
|
360
|
+
"tier": "Hardening",
|
|
361
|
+
"scope": "Both"
|
|
362
|
+
},
|
|
363
|
+
{
|
|
364
|
+
"framework": "SOC 2",
|
|
365
|
+
"control_id": "Training data providers assessed — data provenance, quality, and integrity guarantees required from vendors",
|
|
366
|
+
"control_name": "CC9.1 — Vendor risk",
|
|
367
|
+
"tier": "Hardening",
|
|
368
|
+
"scope": "Both"
|
|
369
|
+
},
|
|
370
|
+
{
|
|
371
|
+
"framework": "PCI DSS v4.0",
|
|
372
|
+
"control_id": "Req 6.5.6",
|
|
373
|
+
"control_name": "Secure system changes",
|
|
374
|
+
"tier": "Hardening",
|
|
375
|
+
"scope": "Both",
|
|
376
|
+
"notes": "All model promotions tested for unexpected functionality before CDE deployment — poisoning as unexpected functionality"
|
|
377
|
+
},
|
|
378
|
+
{
|
|
379
|
+
"framework": "PCI DSS v4.0",
|
|
380
|
+
"control_id": "Req 10.6.1",
|
|
381
|
+
"control_name": "Audit log review",
|
|
382
|
+
"tier": "Hardening",
|
|
383
|
+
"scope": "Both",
|
|
384
|
+
"notes": "Automated monitoring of LLM outputs in CDE — poisoning indicators (systematic anomalous recommendations) detected"
|
|
385
|
+
},
|
|
386
|
+
{
|
|
387
|
+
"framework": "PCI DSS v4.0",
|
|
388
|
+
"control_id": "Req 11.3.1",
|
|
389
|
+
"control_name": "Penetration testing",
|
|
390
|
+
"tier": "Hardening",
|
|
391
|
+
"scope": "Both",
|
|
392
|
+
"notes": "Poisoning detection included in penetration testing programme for LLM applications in CDE"
|
|
393
|
+
},
|
|
394
|
+
{
|
|
395
|
+
"framework": "PCI DSS v4.0",
|
|
396
|
+
"control_id": "Req 12.3.2",
|
|
397
|
+
"control_name": "Targeted risk analysis",
|
|
398
|
+
"tier": "Hardening",
|
|
399
|
+
"scope": "Both",
|
|
400
|
+
"notes": "Targeted risk analysis for training pipeline security — documented controls and frequency of review"
|
|
401
|
+
},
|
|
402
|
+
{
|
|
403
|
+
"framework": "ENISA Multilayer Framework",
|
|
404
|
+
"control_id": "L2",
|
|
405
|
+
"control_name": "Data and Model Security (DMS)",
|
|
406
|
+
"tier": "Hardening",
|
|
407
|
+
"scope": "Both",
|
|
408
|
+
"notes": "Training data integrity controls — source allowlisting, anomaly detection, provenance tracking as DMS practices"
|
|
409
|
+
},
|
|
410
|
+
{
|
|
411
|
+
"framework": "ENISA Multilayer Framework",
|
|
412
|
+
"control_id": "L2",
|
|
413
|
+
"control_name": "AI System Integrity (ASI)",
|
|
414
|
+
"tier": "Hardening",
|
|
415
|
+
"scope": "Both",
|
|
416
|
+
"notes": "Post-training backdoor detection and model integrity verification as ASI practices before deployment"
|
|
417
|
+
},
|
|
418
|
+
{
|
|
419
|
+
"framework": "ENISA Multilayer Framework",
|
|
420
|
+
"control_id": "L2",
|
|
421
|
+
"control_name": "Monitoring and Detection (MON)",
|
|
422
|
+
"tier": "Hardening",
|
|
423
|
+
"scope": "Both",
|
|
424
|
+
"notes": "Production monitoring for poisoning indicators — systematic output anomalies detected through AI-specific monitoring"
|
|
425
|
+
},
|
|
426
|
+
{
|
|
427
|
+
"framework": "ENISA Multilayer Framework",
|
|
428
|
+
"control_id": "IRS",
|
|
429
|
+
"control_name": "Incident Response",
|
|
430
|
+
"tier": "Hardening",
|
|
431
|
+
"scope": "Both",
|
|
432
|
+
"notes": "Model rollback and poisoning incident response as ENISA IRS practice for AI-specific incidents"
|
|
433
|
+
},
|
|
434
|
+
{
|
|
435
|
+
"framework": "OWASP SAMM v2.0",
|
|
436
|
+
"control_id": "D-TA",
|
|
437
|
+
"control_name": "Threat Assessment",
|
|
438
|
+
"tier": "Hardening",
|
|
439
|
+
"scope": "Both",
|
|
440
|
+
"notes": "Poisoning attack vectors documented in threat model — training data sources, supply chain, fine-tuning pipeline each assessed"
|
|
441
|
+
},
|
|
442
|
+
{
|
|
443
|
+
"framework": "OWASP SAMM v2.0",
|
|
444
|
+
"control_id": "I-SB",
|
|
445
|
+
"control_name": "Secure Build",
|
|
446
|
+
"tier": "Hardening",
|
|
447
|
+
"scope": "Both",
|
|
448
|
+
"notes": "Training data integrity controls in build pipeline — source allowlisting, anomaly detection, provenance tracking"
|
|
449
|
+
},
|
|
450
|
+
{
|
|
451
|
+
"framework": "OWASP SAMM v2.0",
|
|
452
|
+
"control_id": "V-ST",
|
|
453
|
+
"control_name": "Security Testing",
|
|
454
|
+
"tier": "Hardening",
|
|
455
|
+
"scope": "Both",
|
|
456
|
+
"notes": "Poisoning detection in adversarial testing — backdoor trigger testing before each model promotion"
|
|
457
|
+
},
|
|
458
|
+
{
|
|
459
|
+
"framework": "OWASP SAMM v2.0",
|
|
460
|
+
"control_id": "O-IM",
|
|
461
|
+
"control_name": "Incident Management",
|
|
462
|
+
"tier": "Hardening",
|
|
463
|
+
"scope": "Both",
|
|
464
|
+
"notes": "Poisoning incident response defined — model rollback, affected deployment scope, disclosure procedure"
|
|
465
|
+
},
|
|
466
|
+
{
|
|
467
|
+
"framework": "STRIDE",
|
|
468
|
+
"control_id": "T",
|
|
469
|
+
"control_name": "Training Data Tampering",
|
|
470
|
+
"tier": "Hardening",
|
|
471
|
+
"scope": "Both"
|
|
472
|
+
},
|
|
473
|
+
{
|
|
474
|
+
"framework": "STRIDE",
|
|
475
|
+
"control_id": "R",
|
|
476
|
+
"control_name": "Poisoning Without Audit Trail",
|
|
477
|
+
"tier": "Hardening",
|
|
478
|
+
"scope": "Both"
|
|
479
|
+
},
|
|
480
|
+
{
|
|
481
|
+
"framework": "CWE/CVE",
|
|
482
|
+
"control_id": "CWE-345",
|
|
483
|
+
"control_name": "CWE-345",
|
|
484
|
+
"tier": "Hardening",
|
|
485
|
+
"scope": "Both",
|
|
486
|
+
"url": "https://cwe.mitre.org/data/definitions/345.html"
|
|
487
|
+
},
|
|
488
|
+
{
|
|
489
|
+
"framework": "CWE/CVE",
|
|
490
|
+
"control_id": "CWE-346",
|
|
491
|
+
"control_name": "CWE-346",
|
|
492
|
+
"tier": "Hardening",
|
|
493
|
+
"scope": "Both",
|
|
494
|
+
"url": "https://cwe.mitre.org/data/definitions/346.html"
|
|
495
|
+
},
|
|
496
|
+
{
|
|
497
|
+
"framework": "CWE/CVE",
|
|
498
|
+
"control_id": "CWE-20",
|
|
499
|
+
"control_name": "CWE-20",
|
|
500
|
+
"tier": "Hardening",
|
|
501
|
+
"scope": "Both",
|
|
502
|
+
"url": "https://cwe.mitre.org/data/definitions/20.html"
|
|
503
|
+
},
|
|
504
|
+
{
|
|
505
|
+
"framework": "OWASP AI Testing Guide",
|
|
506
|
+
"control_id": "Training data integrity verification",
|
|
507
|
+
"control_name": "DPT — Data Protection",
|
|
508
|
+
"tier": "Hardening",
|
|
509
|
+
"scope": "Both",
|
|
510
|
+
"notes": "Verify data quality gates and integrity checks at each pipeline stage catch adversarially modified samples"
|
|
511
|
+
},
|
|
512
|
+
{
|
|
513
|
+
"framework": "OWASP AI Testing Guide",
|
|
514
|
+
"control_id": "Backdoor trigger detection",
|
|
515
|
+
"control_name": "MBT — Model Behaviour",
|
|
516
|
+
"tier": "Hardening",
|
|
517
|
+
"scope": "Both",
|
|
518
|
+
"notes": "Test deployed model with known trigger patterns across all deployment configurations; verify unexpected behaviour is not present"
|
|
519
|
+
},
|
|
520
|
+
{
|
|
521
|
+
"framework": "OWASP AI Testing Guide",
|
|
522
|
+
"control_id": "Dataset provenance verification",
|
|
523
|
+
"control_name": "SCT — Supply Chain",
|
|
524
|
+
"tier": "Hardening",
|
|
525
|
+
"scope": "Both",
|
|
526
|
+
"notes": "Verify all training datasets have documented provenance; test that unverified datasets are rejected by the pipeline"
|
|
527
|
+
},
|
|
528
|
+
{
|
|
529
|
+
"framework": "MAESTRO",
|
|
530
|
+
"control_id": "L2",
|
|
531
|
+
"control_name": "Data Operations",
|
|
532
|
+
"tier": "Hardening",
|
|
533
|
+
"scope": "Both"
|
|
534
|
+
},
|
|
535
|
+
{
|
|
536
|
+
"framework": "MAESTRO",
|
|
537
|
+
"control_id": "L1",
|
|
538
|
+
"control_name": "Foundation Models",
|
|
539
|
+
"tier": "Hardening",
|
|
540
|
+
"scope": "Both"
|
|
541
|
+
},
|
|
542
|
+
{
|
|
543
|
+
"framework": "MAESTRO",
|
|
544
|
+
"control_id": "L5",
|
|
545
|
+
"control_name": "Evaluation & Observability",
|
|
546
|
+
"tier": "Hardening",
|
|
547
|
+
"scope": "Both"
|
|
548
|
+
},
|
|
549
|
+
{
|
|
550
|
+
"framework": "AIUC-1",
|
|
551
|
+
"control_id": "A",
|
|
552
|
+
"control_name": "Data & Privacy domain (all controls)",
|
|
553
|
+
"tier": "Hardening",
|
|
554
|
+
"scope": "Both",
|
|
555
|
+
"notes": "Foundational"
|
|
556
|
+
},
|
|
557
|
+
{
|
|
558
|
+
"framework": "AIUC-1",
|
|
559
|
+
"control_id": "B001",
|
|
560
|
+
"control_name": "Third-party adversarial robustness testing",
|
|
561
|
+
"tier": "Hardening",
|
|
562
|
+
"scope": "Both",
|
|
563
|
+
"notes": "Foundational"
|
|
564
|
+
},
|
|
565
|
+
{
|
|
566
|
+
"framework": "AIUC-1",
|
|
567
|
+
"control_id": "B002",
|
|
568
|
+
"control_name": "Detect adversarial input",
|
|
569
|
+
"tier": "Hardening",
|
|
570
|
+
"scope": "Both",
|
|
571
|
+
"notes": "Hardening"
|
|
572
|
+
},
|
|
573
|
+
{
|
|
574
|
+
"framework": "AIUC-1",
|
|
575
|
+
"control_id": "E",
|
|
576
|
+
"control_name": "Audit trails and logging",
|
|
577
|
+
"tier": "Hardening",
|
|
578
|
+
"scope": "Both",
|
|
579
|
+
"notes": "Foundational"
|
|
580
|
+
},
|
|
581
|
+
{
|
|
582
|
+
"framework": "OWASP NHI Top 10",
|
|
583
|
+
"control_id": "Write access to training data stores enables poisoning",
|
|
584
|
+
"control_name": "NHI-5 Over-Privileged NHI",
|
|
585
|
+
"tier": "Hardening",
|
|
586
|
+
"scope": "Both",
|
|
587
|
+
"notes": "Read-only credentials for data consumption; separate write credentials with MFA"
|
|
588
|
+
},
|
|
589
|
+
{
|
|
590
|
+
"framework": "OWASP NHI Top 10",
|
|
591
|
+
"control_id": "Third-party data pipeline credentials with training data write access",
|
|
592
|
+
"control_name": "NHI-3 Vulnerable Third-Party NHI",
|
|
593
|
+
"tier": "Hardening",
|
|
594
|
+
"scope": "Both",
|
|
595
|
+
"notes": "Apply NHI-3 controls to all data pipeline third-party credentials"
|
|
596
|
+
},
|
|
597
|
+
{
|
|
598
|
+
"framework": "NIST SP 800-218A",
|
|
599
|
+
"control_id": "PW.2.1-PS",
|
|
600
|
+
"control_name": "Design software — resource and availability constraints",
|
|
601
|
+
"tier": "Foundational",
|
|
602
|
+
"scope": "Both",
|
|
603
|
+
"notes": "Include resource limits, rate limiting, and availability requirements as explicit security design requirements for AI inference services"
|
|
604
|
+
},
|
|
605
|
+
{
|
|
606
|
+
"framework": "NIST SP 800-218A",
|
|
607
|
+
"control_id": "PW.8.2-PS",
|
|
608
|
+
"control_name": "Test for security vulnerabilities — load and adversarial testing",
|
|
609
|
+
"tier": "Foundational",
|
|
610
|
+
"scope": "Both",
|
|
611
|
+
"notes": "Conduct adversarial load testing and sponge example testing to validate resource consumption limits hold under attack conditions"
|
|
612
|
+
},
|
|
613
|
+
{
|
|
614
|
+
"framework": "NIST SP 800-218A",
|
|
615
|
+
"control_id": "RV.2.1-PS",
|
|
616
|
+
"control_name": "Assess, prioritise, and remediate — availability remediation",
|
|
617
|
+
"tier": "Foundational",
|
|
618
|
+
"scope": "Both",
|
|
619
|
+
"notes": "Define remediation procedures for availability incidents including model rollback, rate limit tightening, and cost circuit breakers"
|
|
620
|
+
},
|
|
621
|
+
{
|
|
622
|
+
"framework": "NIST SP 800-218A",
|
|
623
|
+
"control_id": "PW.7.2-PS",
|
|
624
|
+
"control_name": "Review for security vulnerabilities — resource handling",
|
|
625
|
+
"tier": "Foundational",
|
|
626
|
+
"scope": "Both",
|
|
627
|
+
"notes": "Include resource exhaustion scenarios in pre-release security reviews; verify that token limits and rate limits are enforced by design"
|
|
628
|
+
},
|
|
629
|
+
{
|
|
630
|
+
"framework": "FedRAMP",
|
|
631
|
+
"control_id": "SC-7",
|
|
632
|
+
"control_name": "Boundary Protection — AI API endpoints",
|
|
633
|
+
"tier": "Foundational",
|
|
634
|
+
"scope": "Both",
|
|
635
|
+
"notes": "Enforce boundary protection on all AI inference endpoints — rate limiting, token quotas, and cost circuit breakers at the network and application boundary"
|
|
636
|
+
},
|
|
637
|
+
{
|
|
638
|
+
"framework": "FedRAMP",
|
|
639
|
+
"control_id": "SI-4",
|
|
640
|
+
"control_name": "System Monitoring — consumption anomaly detection",
|
|
641
|
+
"tier": "Foundational",
|
|
642
|
+
"scope": "Both",
|
|
643
|
+
"notes": "Monitor AI inference services for resource consumption anomalies — token spikes, latency degradation, cost overruns; alert and auto-mitigate on threshold breach"
|
|
644
|
+
},
|
|
645
|
+
{
|
|
646
|
+
"framework": "FedRAMP",
|
|
647
|
+
"control_id": "CM-7",
|
|
648
|
+
"control_name": "Least Functionality — AI resource restrictions",
|
|
649
|
+
"tier": "Foundational",
|
|
650
|
+
"scope": "Both",
|
|
651
|
+
"notes": "Restrict AI inference services to minimum necessary compute, memory, and token budgets; disable unused model capabilities and endpoints"
|
|
652
|
+
},
|
|
653
|
+
{
|
|
654
|
+
"framework": "FedRAMP",
|
|
655
|
+
"control_id": "AU-2",
|
|
656
|
+
"control_name": "Event Logging — resource consumption logging",
|
|
657
|
+
"tier": "Foundational",
|
|
658
|
+
"scope": "Both",
|
|
659
|
+
"notes": "Log resource consumption per inference request — tokens, latency, cost; enable detection and forensic analysis of DoS patterns"
|
|
660
|
+
},
|
|
661
|
+
{
|
|
662
|
+
"framework": "DORA",
|
|
663
|
+
"control_id": "Art. 9",
|
|
664
|
+
"control_name": "Protection and Prevention — availability controls",
|
|
665
|
+
"tier": "Foundational",
|
|
666
|
+
"scope": "Both",
|
|
667
|
+
"notes": "Implement rate limiting, token quotas, and cost circuit breakers on AI inference services to prevent resource exhaustion and denial of service"
|
|
668
|
+
},
|
|
669
|
+
{
|
|
670
|
+
"framework": "DORA",
|
|
671
|
+
"control_id": "Art. 10",
|
|
672
|
+
"control_name": "Detection — consumption anomaly detection",
|
|
673
|
+
"tier": "Foundational",
|
|
674
|
+
"scope": "Both",
|
|
675
|
+
"notes": "Monitor AI inference services for resource consumption anomalies; alert on token spikes, latency degradation, and cost overruns"
|
|
676
|
+
},
|
|
677
|
+
{
|
|
678
|
+
"framework": "DORA",
|
|
679
|
+
"control_id": "Art. 12",
|
|
680
|
+
"control_name": "Backup Policies — AI service continuity",
|
|
681
|
+
"tier": "Foundational",
|
|
682
|
+
"scope": "Both",
|
|
683
|
+
"notes": "Maintain backup model deployments, checkpoint restoration capability, and fallback inference paths for AI services supporting critical financial functions"
|
|
684
|
+
},
|
|
685
|
+
{
|
|
686
|
+
"framework": "DORA",
|
|
687
|
+
"control_id": "Art. 11",
|
|
688
|
+
"control_name": "Response and Recovery — DoS incident response",
|
|
689
|
+
"tier": "Foundational",
|
|
690
|
+
"scope": "Both",
|
|
691
|
+
"notes": "Define response and recovery procedures for AI denial of service events; include automated throttling, failover, and service restoration"
|
|
692
|
+
}
|
|
693
|
+
],
|
|
694
|
+
"tools": [
|
|
695
|
+
{
|
|
696
|
+
"name": "IBM Adversarial Robustness Toolbox",
|
|
697
|
+
"type": "open-source",
|
|
698
|
+
"url": "https://github.com/Trusted-AI/adversarial-robustness-toolbox"
|
|
699
|
+
},
|
|
700
|
+
{
|
|
701
|
+
"name": "CleanLab",
|
|
702
|
+
"type": "open-source",
|
|
703
|
+
"url": "https://github.com/cleanlab/cleanlab"
|
|
704
|
+
},
|
|
705
|
+
{
|
|
706
|
+
"name": "BackdoorBench",
|
|
707
|
+
"type": "open-source",
|
|
708
|
+
"url": "https://github.com/SCLBD/BackdoorBench"
|
|
709
|
+
},
|
|
710
|
+
{
|
|
711
|
+
"name": "Great Expectations",
|
|
712
|
+
"type": "open-source",
|
|
713
|
+
"url": "https://greatexpectations.io"
|
|
714
|
+
},
|
|
715
|
+
{
|
|
716
|
+
"name": "Claroty (OT monitoring)",
|
|
717
|
+
"type": "commercial",
|
|
718
|
+
"url": "https://claroty.com"
|
|
719
|
+
},
|
|
720
|
+
{
|
|
721
|
+
"name": "Dragos",
|
|
722
|
+
"type": "commercial",
|
|
723
|
+
"url": "https://www.dragos.com"
|
|
724
|
+
},
|
|
725
|
+
{
|
|
726
|
+
"name": "Cleanlab",
|
|
727
|
+
"type": "open-source",
|
|
728
|
+
"url": "https://github.com/cleanlab/cleanlab"
|
|
729
|
+
},
|
|
730
|
+
{
|
|
731
|
+
"name": "Garak",
|
|
732
|
+
"type": "open-source",
|
|
733
|
+
"url": "https://github.com/leondz/garak"
|
|
734
|
+
},
|
|
735
|
+
{
|
|
736
|
+
"name": "LiteLLM",
|
|
737
|
+
"type": "open-source",
|
|
738
|
+
"url": "https://github.com/BerriAI/litellm"
|
|
739
|
+
},
|
|
740
|
+
{
|
|
741
|
+
"name": "Kong Gateway",
|
|
742
|
+
"type": "open-source",
|
|
743
|
+
"url": "https://github.com/Kong/kong"
|
|
744
|
+
},
|
|
745
|
+
{
|
|
746
|
+
"name": "OpenTelemetry",
|
|
747
|
+
"type": "open-source",
|
|
748
|
+
"url": "https://opentelemetry.io"
|
|
749
|
+
},
|
|
750
|
+
{
|
|
751
|
+
"name": "Locust",
|
|
752
|
+
"type": "open-source",
|
|
753
|
+
"url": "https://locust.io"
|
|
754
|
+
},
|
|
755
|
+
{
|
|
756
|
+
"name": "AWS WAF / Azure Front Door",
|
|
757
|
+
"type": "commercial",
|
|
758
|
+
"url": "https://aws.amazon.com/waf/"
|
|
759
|
+
}
|
|
760
|
+
],
|
|
761
|
+
"incidents": [
|
|
762
|
+
{
|
|
763
|
+
"name": "Many-shot jailbreaking (Anthropic research)",
|
|
764
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
765
|
+
"year": 2024,
|
|
766
|
+
"incident_id": "INC-028"
|
|
767
|
+
},
|
|
768
|
+
{
|
|
769
|
+
"name": "Anthropic Claude context flooding — resource exhaustion via adversarial long-context prompts",
|
|
770
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
771
|
+
"year": 2024,
|
|
772
|
+
"incident_id": "INC-045"
|
|
773
|
+
}
|
|
774
|
+
],
|
|
775
|
+
"crossrefs": {
|
|
776
|
+
"agentic_top10": [
|
|
777
|
+
"ASI06",
|
|
778
|
+
"ASI08"
|
|
779
|
+
],
|
|
780
|
+
"dsgai_2026": [
|
|
781
|
+
"DSGAI04",
|
|
782
|
+
"DSGAI21",
|
|
783
|
+
"DSGAI03",
|
|
784
|
+
"DSGAI02",
|
|
785
|
+
"DSGAI09",
|
|
786
|
+
"DSGAI17"
|
|
787
|
+
]
|
|
788
|
+
},
|
|
789
|
+
"changelog": [
|
|
790
|
+
{
|
|
791
|
+
"date": "2026-03-27",
|
|
792
|
+
"version": "1.0.0",
|
|
793
|
+
"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
|
|
794
|
+
"author": "emmanuelgjr"
|
|
795
|
+
}
|
|
796
|
+
]
|
|
797
|
+
}
|