genai-security-crosswalk 2.0.0

Files changed (55)
  1. package/LICENSE.md +28 -0
  2. package/README.md +618 -0
  3. package/data/entries/ASI01.json +911 -0
  4. package/data/entries/ASI02.json +850 -0
  5. package/data/entries/ASI03.json +854 -0
  6. package/data/entries/ASI04.json +759 -0
  7. package/data/entries/ASI05.json +764 -0
  8. package/data/entries/ASI06.json +817 -0
  9. package/data/entries/ASI07.json +789 -0
  10. package/data/entries/ASI08.json +788 -0
  11. package/data/entries/ASI09.json +754 -0
  12. package/data/entries/ASI10.json +833 -0
  13. package/data/entries/DSGAI01.json +779 -0
  14. package/data/entries/DSGAI02.json +728 -0
  15. package/data/entries/DSGAI03.json +671 -0
  16. package/data/entries/DSGAI04.json +752 -0
  17. package/data/entries/DSGAI05.json +689 -0
  18. package/data/entries/DSGAI06.json +673 -0
  19. package/data/entries/DSGAI07.json +680 -0
  20. package/data/entries/DSGAI08.json +698 -0
  21. package/data/entries/DSGAI09.json +687 -0
  22. package/data/entries/DSGAI10.json +627 -0
  23. package/data/entries/DSGAI11.json +663 -0
  24. package/data/entries/DSGAI12.json +695 -0
  25. package/data/entries/DSGAI13.json +688 -0
  26. package/data/entries/DSGAI14.json +703 -0
  27. package/data/entries/DSGAI15.json +655 -0
  28. package/data/entries/DSGAI16.json +716 -0
  29. package/data/entries/DSGAI17.json +690 -0
  30. package/data/entries/DSGAI18.json +613 -0
  31. package/data/entries/DSGAI19.json +638 -0
  32. package/data/entries/DSGAI20.json +671 -0
  33. package/data/entries/DSGAI21.json +881 -0
  34. package/data/entries/LLM01.json +975 -0
  35. package/data/entries/LLM02.json +868 -0
  36. package/data/entries/LLM03.json +817 -0
  37. package/data/entries/LLM04.json +797 -0
  38. package/data/entries/LLM05.json +761 -0
  39. package/data/entries/LLM06.json +848 -0
  40. package/data/entries/LLM07.json +749 -0
  41. package/data/entries/LLM08.json +750 -0
  42. package/data/entries/LLM09.json +760 -0
  43. package/data/entries/LLM10.json +763 -0
  44. package/data/incidents-schema.json +121 -0
  45. package/data/incidents.json +1484 -0
  46. package/data/schema.json +134 -0
  47. package/dist/index.d.ts +97 -0
  48. package/dist/index.d.ts.map +1 -0
  49. package/dist/index.js +124 -0
  50. package/dist/index.js.map +1 -0
  51. package/dist/index.test.d.ts +2 -0
  52. package/dist/index.test.d.ts.map +1 -0
  53. package/dist/index.test.js +97 -0
  54. package/dist/index.test.js.map +1 -0
  55. package/package.json +62 -0
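--- /dev/null
+++ b/package/data/entries/LLM05.json
@@ -0,0 +1,761 @@
+ {
+ "id": "LLM05",
+ "name": "Insecure Output Handling",
+ "source_list": "LLM-Top10-2025",
+ "version": "2026-Q1",
+ "severity": "High",
+ "aivss_score": null,
+ "audience": [
+ "red-teamer",
+ "security-engineer",
+ "developer",
+ "ml-engineer",
+ "ot-engineer",
+ "ciso",
+ "compliance",
+ "auditor"
+ ],
+ "mappings": [
+ {
+ "framework": "MITRE ATLAS",
+ "control_id": "AML.T0037",
+ "control_name": "Output Manipulation",
+ "tier": "Foundational",
+ "scope": "Build",
+ "url": "https://atlas.mitre.org/techniques/AML.T0037",
+ "notes": "Crafting inputs that produce dangerous outputs consumed by downstream systems"
+ },
+ {
+ "framework": "MITRE ATLAS",
+ "control_id": "AML.T0040",
+ "control_name": "Unsafe Deserialisation via LLM",
+ "tier": "Foundational",
+ "scope": "Build",
+ "url": "https://atlas.mitre.org/techniques/AML.T0040",
+ "notes": "LLM outputs containing serialised payloads executed by downstream components"
+ },
+ {
+ "framework": "NIST AI RMF 1.0",
+ "control_id": "MS-2.5",
+ "control_name": "Testing — output safety",
+ "tier": "Foundational",
+ "scope": "Build",
+ "notes": "Output handling security included in AI evaluation and testing programme"
+ },
+ {
+ "framework": "NIST AI RMF 1.0",
+ "control_id": "MS-2.6",
+ "control_name": "Testing — data leakage",
+ "tier": "Foundational",
+ "scope": "Build",
+ "notes": "Output leakage and injection scenarios covered in evaluation"
+ },
+ {
+ "framework": "NIST AI RMF 1.0",
+ "control_id": "MG-2.2",
+ "control_name": "Risk response",
+ "tier": "Foundational",
+ "scope": "Build",
+ "notes": "Incident response for output handling failures defined and tested"
+ },
+ {
+ "framework": "NIST AI RMF 1.0",
+ "control_id": "GV-1.7",
+ "control_name": "Policies for trustworthy AI",
+ "tier": "Foundational",
+ "scope": "Build",
+ "notes": "Organisational policy requires secure output handling for all LLM integrations"
+ },
+ {
+ "framework": "EU AI Act",
+ "control_id": "Output handling risks identified and mitigated",
+ "control_name": "Art. 9 — Risk management",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Insecure output handling included in risk management system"
+ },
+ {
+ "framework": "EU AI Act",
+ "control_id": "Accurate, robust outputs resilient to misuse",
+ "control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output validation and sanitisation are Art. 15 technical requirements"
+ },
+ {
+ "framework": "EU AI Act",
+ "control_id": "Documented procedures covering output quality",
+ "control_name": "Art. 17 — Quality management",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Post-market monitoring of output handling incidents required"
+ },
+ {
+ "framework": "ISO/IEC 27001:2022",
+ "control_id": "A.8.28",
+ "control_name": "Secure coding",
+ "tier": "Foundational",
+ "scope": "Build",
+ "notes": "Output encoding, sanitisation, and schema validation as secure coding requirements"
+ },
+ {
+ "framework": "ISO/IEC 27001:2022",
+ "control_id": "A.8.26",
+ "control_name": "Application security requirements",
+ "tier": "Foundational",
+ "scope": "Build",
+ "notes": "Security requirements for all interfaces consuming LLM output — specified before development"
+ },
+ {
+ "framework": "ISO/IEC 27001:2022",
+ "control_id": "A.8.29",
+ "control_name": "Security testing",
+ "tier": "Foundational",
+ "scope": "Build",
+ "notes": "Output injection scenarios in security testing — XSS, SQL injection, command injection via LLM output"
+ },
+ {
+ "framework": "ISO/IEC 27001:2022",
+ "control_id": "A.8.16",
+ "control_name": "Monitoring activities",
+ "tier": "Foundational",
+ "scope": "Build",
+ "notes": "Runtime monitoring for output handling incidents — injection attempts in LLM output channels"
+ },
+ {
+ "framework": "ISO/IEC 42001:2023",
+ "control_id": "A.6.2.3",
+ "control_name": "AI system security",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output encoding and schema validation as AIMS security design requirements — LLM output treated as untrusted input to downstream systems"
+ },
+ {
+ "framework": "ISO/IEC 42001:2023",
+ "control_id": "A.6.2.6",
+ "control_name": "Testing of AI systems",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output injection scenarios in AIMS testing — XSS, SQL injection, command injection via LLM output tested before deployment"
+ },
+ {
+ "framework": "ISO/IEC 42001:2023",
+ "control_id": "A.9.1",
+ "control_name": "Use of AI systems",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Guidance on AI system use — downstream consumers informed that LLM output must be validated before use"
+ },
+ {
+ "framework": "ISO/IEC 42001:2023",
+ "control_id": "Cl.8",
+ "control_name": "Operation",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Operational controls for LLM deployment — output handling requirements documented as AIMS operational procedures"
+ },
+ {
+ "framework": "CIS Controls v8.1",
+ "control_id": "16.1 Establish secure development standards",
+ "control_name": "CIS 16 — Application Software Security",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output encoding and sanitisation as secure development requirements"
+ },
+ {
+ "framework": "CIS Controls v8.1",
+ "control_id": "8.2 Collect audit logs",
+ "control_name": "CIS 8 — Audit Log Management",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Log all LLM outputs — injection attempts in model responses detectable"
+ },
+ {
+ "framework": "CIS Controls v8.1",
+ "control_id": "18.1 Establish penetration testing",
+ "control_name": "CIS 18 — Penetration Testing",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output injection scenarios in penetration testing — XSS, SQL injection via LLM output"
+ },
+ {
+ "framework": "OWASP ASVS 4.0.3",
+ "control_id": "V5.2.1",
+ "control_name": "Verify output encoding of untrusted data in HTML context",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM responses rendered in browser contexts encoded against XSS"
+ },
+ {
+ "framework": "OWASP ASVS 4.0.3",
+ "control_id": "V5.3.5",
+ "control_name": "Verify output encoding in SQL query context",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM-generated SQL parameterised — never raw LLM output in SQL context"
+ },
+ {
+ "framework": "OWASP ASVS 4.0.3",
+ "control_id": "V5.2.5",
+ "control_name": "Verify output encoding in OS command context",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM-generated commands validated — never raw output in shell context"
+ },
+ {
+ "framework": "OWASP ASVS 4.0.3",
+ "control_id": "V5.2.4",
+ "control_name": "Verify application does not use eval or dynamic code",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "No eval or dynamic code execution of LLM-generated content"
+ },
+ {
+ "framework": "OWASP ASVS 4.0.3",
+ "control_id": "V4.2.2",
+ "control_name": "Verify anti-CSRF tokens in state-changing operations",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "CSRF protection on endpoints where LLM output triggers state changes"
+ },
+ {
+ "framework": "ISA/IEC 62443",
+ "control_id": "SR 3.3",
+ "control_name": "Software and information integrity",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "All LLM output validated before rendering or passing to OT systems"
+ },
+ {
+ "framework": "ISA/IEC 62443",
+ "control_id": "SR 2.3",
+ "control_name": "Use control",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM output restricted to authorised actions — no raw output directly to control interfaces"
+ },
+ {
+ "framework": "ISA/IEC 62443",
+ "control_id": "SR 3.1",
+ "control_name": "Software and information integrity",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Communication integrity enforcement on all LLM-to-OT data paths"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Code injection and execution via data paths",
+ "control_name": "Section 5.3 — Threats",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM output injection as a new instantiation of this threat at the IT/OT boundary"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Validated data flows across zone boundaries",
+ "control_name": "Section 7.2 — Network segmentation",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM output validated at DMZ boundary before entering control zone display or data systems"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Title",
+ "control_name": "Control",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Application"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Information Input Validation",
+ "control_name": "SI-10",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM outputs validated before passing to OT systems — schema validation, allowlist enforcement"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Malicious Code Protection",
+ "control_name": "SI-3",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "LLM output scanning for malicious content before OT system ingestion"
+ },
+ {
+ "framework": "NIST SP 800-82 Rev 3",
+ "control_id": "Least Functionality",
+ "control_name": "CM-7",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "OT interfaces that consume LLM output configured to accept only defined, safe input formats"
+ },
+ {
+ "framework": "NIST CSF 2.0",
+ "control_id": "PR.PS-04",
+ "control_name": "Platform Security",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Secure software development practices — output encoding and schema validation as platform security requirements"
+ },
+ {
+ "framework": "NIST CSF 2.0",
+ "control_id": "PR.DS-02",
+ "control_name": "Data Security",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Data in transit protected — LLM output validated before passing to downstream systems"
+ },
+ {
+ "framework": "NIST CSF 2.0",
+ "control_id": "DE.CM-01",
+ "control_name": "Continuous Monitoring",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Networks and assets monitored — output injection patterns detected in LLM output channels"
+ },
+ {
+ "framework": "NIST CSF 2.0",
+ "control_id": "ID.RA-01",
+ "control_name": "Risk Assessment",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output injection documented as vulnerability class in risk assessment for all LLM integrations"
+ },
+ {
+ "framework": "SOC 2",
+ "control_id": "Policy requiring LLM output validation before use in downstream processing — complete and authorised processing",
+ "control_name": "PI1.1 — Processing integrity policies",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "SOC 2",
+ "control_id": "Input validation procedures for all systems consuming LLM output — encoding, schema validation, sanitisation",
+ "control_name": "CC5.2 — Select and develop control activities",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "SOC 2",
+ "control_id": "Monitoring for injection patterns in LLM output channels — detect anomalous processing before downstream harm",
+ "control_name": "CC7.2 — Anomaly detection",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "SOC 2",
+ "control_id": "Output injection risks identified in LLM risk assessment — XSS, SQL injection, command injection via AI-generated content",
+ "control_name": "CC3.2 — Risk assessment",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "PCI DSS v4.0",
+ "control_id": "Req 6.2.4",
+ "control_name": "Bespoke and custom software",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output handling in LLM integrations addresses all injection vulnerability classes — LLM output treated as untrusted"
+ },
+ {
+ "framework": "PCI DSS v4.0",
+ "control_id": "Req 6.4.1",
+ "control_name": "Public-facing web application protection",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "All interfaces consuming LLM output in PCI scope protected — input validation on all downstream consumers"
+ },
+ {
+ "framework": "PCI DSS v4.0",
+ "control_id": "Req 11.3.1",
+ "control_name": "Penetration testing",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output injection scenarios in penetration testing — SQL injection, command injection via LLM output"
+ },
+ {
+ "framework": "PCI DSS v4.0",
+ "control_id": "Req 10.6.1",
+ "control_name": "Audit log review",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Monitoring for injection patterns in LLM output channels within CDE"
+ },
+ {
+ "framework": "ENISA Multilayer Framework",
+ "control_id": "L1",
+ "control_name": "General ICT — Secure Development",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output encoding and schema validation as L1 secure development requirements — LLM output treated as untrusted"
+ },
+ {
+ "framework": "ENISA Multilayer Framework",
+ "control_id": "L2",
+ "control_name": "AI System Integrity (ASI)",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "AI-specific output validation — schema enforcement, injection pattern detection before downstream consumption"
+ },
+ {
+ "framework": "ENISA Multilayer Framework",
+ "control_id": "MON",
+ "control_name": "Monitoring and Detection",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Runtime monitoring of LLM output channels — injection patterns in model responses detected"
+ },
+ {
+ "framework": "ENISA Multilayer Framework",
+ "control_id": "L1",
+ "control_name": "General ICT — Application Security",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "DAST on all interfaces consuming LLM output as L1 application security practice"
+ },
+ {
+ "framework": "OWASP SAMM v2.0",
+ "control_id": "D-SR",
+ "control_name": "Security Requirements",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output encoding and schema validation as explicit security requirements before development"
+ },
+ {
+ "framework": "OWASP SAMM v2.0",
+ "control_id": "I-SB",
+ "control_name": "Secure Build",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output validation implemented in code — LLM output treated as untrusted, reviewed in code review"
+ },
+ {
+ "framework": "OWASP SAMM v2.0",
+ "control_id": "V-RT",
+ "control_name": "Requirements-Driven Testing",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Output security requirements verified in testing — XSS, SQL injection via LLM output tested"
+ },
+ {
+ "framework": "OWASP SAMM v2.0",
+ "control_id": "V-ST",
+ "control_name": "Security Testing",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "DAST on all interfaces consuming LLM output as penetration testing activity"
+ },
+ {
+ "framework": "STRIDE",
+ "control_id": "T",
+ "control_name": "Output Tampering into Downstream Systems",
+ "tier": "Foundational",
+ "scope": "Build"
+ },
+ {
+ "framework": "STRIDE",
+ "control_id": "E",
+ "control_name": "Privilege Escalation via Output Injection",
+ "tier": "Foundational",
+ "scope": "Build"
+ },
+ {
+ "framework": "CWE/CVE",
+ "control_id": "CWE-79",
+ "control_name": "CWE-79",
+ "tier": "Foundational",
+ "scope": "Build",
+ "url": "https://cwe.mitre.org/data/definitions/79.html"
+ },
+ {
+ "framework": "CWE/CVE",
+ "control_id": "CWE-89",
+ "control_name": "CWE-89",
+ "tier": "Foundational",
+ "scope": "Build",
+ "url": "https://cwe.mitre.org/data/definitions/89.html"
+ },
+ {
+ "framework": "CWE/CVE",
+ "control_id": "CWE-78",
+ "control_name": "CWE-78",
+ "tier": "Foundational",
+ "scope": "Build",
+ "url": "https://cwe.mitre.org/data/definitions/78.html"
+ },
+ {
+ "framework": "OWASP AI Testing Guide",
+ "control_id": "Output injection into downstream systems",
+ "control_name": "OHT — Output Handling",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Verify LLM-generated content is sanitised before insertion into HTML, SQL, shell commands, URLs, and other interpreters"
+ },
+ {
+ "framework": "OWASP AI Testing Guide",
+ "control_id": "Crafted inputs designed to produce malicious outputs",
+ "control_name": "IHT — Input Handling",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Craft inputs designed to coerce the LLM into generating content that will be interpreted as code or commands by downstream systems"
+ },
+ {
+ "framework": "OWASP AI Testing Guide",
+ "control_id": "Downstream system access controls",
+ "control_name": "ACT — Access Control",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Verify that downstream systems do not grant LLM outputs excessive permissions or execute LLM-generated commands without validation"
+ },
+ {
+ "framework": "MAESTRO",
+ "control_id": "L3",
+ "control_name": "Agent Frameworks",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "MAESTRO",
+ "control_id": "L4",
+ "control_name": "Deployment & Infrastructure",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "MAESTRO",
+ "control_id": "L1",
+ "control_name": "Foundation Models",
+ "tier": "Foundational",
+ "scope": "Both"
+ },
+ {
+ "framework": "AIUC-1",
+ "control_id": "B005",
+ "control_name": "Implement real-time input filtering",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Foundational"
+ },
+ {
+ "framework": "AIUC-1",
+ "control_id": "B006",
+ "control_name": "Prevent unauthorized AI actions",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Foundational"
+ },
+ {
+ "framework": "AIUC-1",
+ "control_id": "B009",
+ "control_name": "Validate AI-generated content",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Foundational"
+ },
+ {
+ "framework": "AIUC-1",
+ "control_id": "C",
+ "control_name": "Safety domain (harm prevention)",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Foundational"
+ },
+ {
+ "framework": "OWASP NHI Top 10",
+ "control_id": "Credentials appearing in model outputs passed to executors",
+ "control_name": "NHI-2 Secret Leakage",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Credential detection in output pipeline before execution"
+ },
+ {
+ "framework": "OWASP NHI Top 10",
+ "control_id": "Downstream service credentials with excessive scope",
+ "control_name": "NHI-5 Over-Privileged NHI",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Apply least-privilege to all credentials used in downstream processing"
+ },
+ {
+ "framework": "NIST SP 800-218A",
+ "control_id": "PW.4.1-PS",
+ "control_name": "Reuse existing well-secured software — third-party AI model and dataset vetting",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Vet all third-party model weights, datasets, plugins, and libraries before use; verify provenance, licence, and security posture"
+ },
+ {
+ "framework": "NIST SP 800-218A",
+ "control_id": "PS.2.1-PS",
+ "control_name": "Verify software integrity — model and library supply chain",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Verify integrity of all model artefacts and third-party components using cryptographic signatures and checksums before deployment"
+ },
+ {
+ "framework": "NIST SP 800-218A",
+ "control_id": "PS.3.1-PS",
+ "control_name": "Archive and protect software releases — model registry",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Maintain a secure, versioned model registry with provenance records for all components; enable auditability and rollback"
+ },
+ {
+ "framework": "NIST SP 800-218A",
+ "control_id": "RV.1.1-PS",
+ "control_name": "Identify and confirm vulnerabilities — supply chain monitoring",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Monitor for newly disclosed vulnerabilities in third-party AI components; establish a triage process for AI-specific CVEs"
+ },
+ {
+ "framework": "FedRAMP",
+ "control_id": "SR-2",
+ "control_name": "Supply Chain Risk Management Plan — AI components",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Include all AI components — models, datasets, adapters, libraries, plugins — in the supply chain risk management plan with provenance and risk assessment"
+ },
+ {
+ "framework": "FedRAMP",
+ "control_id": "SR-3",
+ "control_name": "Supply Chain Controls — model provenance verification",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Implement integrity verification for all AI supply chain components using cryptographic signatures, checksums, and attestation before deployment"
+ },
+ {
+ "framework": "FedRAMP",
+ "control_id": "SA-9",
+ "control_name": "External Information System Services — third-party AI",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Require third-party AI service providers to meet FedRAMP requirements; establish SLAs covering model security, data handling, and incident notification"
+ },
+ {
+ "framework": "FedRAMP",
+ "control_id": "SA-3",
+ "control_name": "System Development Life Cycle — AI SDLC",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Integrate AI-specific security activities into the SDLC — model security review, adversarial testing, supply chain verification at each lifecycle phase"
+ },
+ {
+ "framework": "DORA",
+ "control_id": "Art. 28–44",
+ "control_name": "Third-Party Risk — AI vendor oversight",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Include AI model providers, dataset vendors, and ML library maintainers in third-party ICT risk management; conduct due diligence, contractual oversight, and ongoing monitoring"
+ },
+ {
+ "framework": "DORA",
+ "control_id": "Art. 8",
+ "control_name": "Identification — AI supply chain assets",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Identify and classify all AI supply chain components — models, datasets, adapters, libraries, plugins — in the ICT asset inventory with provenance records"
+ },
+ {
+ "framework": "DORA",
+ "control_id": "Art. 5–7",
+ "control_name": "ICT Risk Management — AI supply chain governance",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Include AI supply chain risk in the ICT risk management framework; define policies for AI component sourcing, vetting, and lifecycle management"
+ },
+ {
+ "framework": "DORA",
+ "control_id": "Art. 24–27",
+ "control_name": "Resilience Testing — supply chain resilience",
+ "tier": "Foundational",
+ "scope": "Both",
+ "notes": "Include AI supply chain disruption scenarios in resilience testing; test fallback procedures for third-party AI service failures"
+ }
+ ],
+ "tools": [
+ {
+ "name": "OWASP ZAP",
+ "type": "open-source",
+ "url": "https://www.zaproxy.org"
+ },
+ {
+ "name": "DOMPurify",
+ "type": "open-source",
+ "url": "https://github.com/cure53/DOMPurify"
+ },
+ {
+ "name": "Semgrep",
+ "type": "open-source",
+ "url": "https://semgrep.dev"
+ },
+ {
+ "name": "CycloneDX",
+ "type": "open-source",
+ "url": "https://cyclonedx.org"
+ },
+ {
+ "name": "ModelScan",
+ "type": "open-source",
+ "url": "https://github.com/protectai/modelscan"
+ },
+ {
+ "name": "OWASP Dependency-Check",
+ "type": "open-source",
+ "url": "https://owasp.org/www-project-dependency-check/"
+ },
+ {
+ "name": "Sigstore",
+ "type": "open-source",
+ "url": "https://www.sigstore.dev"
+ },
+ {
+ "name": "Vigil",
+ "url": "https://github.com/deadbits/vigil-llm",
+ "type": "open-source"
+ }
+ ],
+ "incidents": [
+ {
+ "name": "GitHub Copilot Workspace prompt injection via repository content",
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+ "year": 2024,
+ "incident_id": "INC-025"
+ },
+ {
+ "name": "Azure OpenAI content filter bypass via structured output mode",
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+ "year": 2025,
+ "incident_id": "INC-037"
+ },
+ {
+ "name": "Hugging Face model card supply chain manipulation",
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+ "year": 2025,
+ "incident_id": "INC-038"
+ }
+ ],
+ "crossrefs": {
+ "agentic_top10": [
+ "ASI02",
+ "ASI05",
+ "ASI04",
+ "ASI10"
+ ],
+ "dsgai_2026": [
+ "DSGAI05",
+ "DSGAI12",
+ "DSGAI04",
+ "DSGAI19"
+ ]
+ },
+ "changelog": [
+ {
+ "date": "2026-03-27",
+ "version": "1.0.0",
+ "change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
+ "author": "emmanuelgjr"
+ }
+ ]
+ }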
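Review bot: The NIST SP 800-82 Rev 3 mapping at new-side lines 262–268 (`"control_id": "Title"`, `"control_name": "Control"`, `"notes": "Application"`) is a column-header row that was ingested as data and should be dropped, since anything iterating `mappings` will report it as a real control. The NIST SP 800-218A, FedRAMP and DORA mappings (lines 580–675), the CycloneDX, ModelScan, OWASP Dependency-Check and Sigstore tools, and incident INC-038 all describe model and dataset supply-chain controls rather than output handling, which looks like content carried over from the supply-chain entry; as shipped, a crosswalk lookup for LLM05 returns controls that do not address this risk. Several frameworks (EU AI Act, NIST SP 800-82, SOC 2, OWASP AI Testing Guide, OWASP NHI Top 10) swap the two fields, putting the article or control identifier in `control_name` and a description sentence in `control_id`, and ENISA lists `"control_id": "L1"` twice with different names, so `(framework, control_id)` is neither stable in shape nor unique as a key. Some `control_name` values also appear not to match the cited identifier and are worth checking against the source documents: ISA/IEC 62443 SR 3.1 is Communication integrity (Software and information integrity is SR 3.4), ASVS 4.0.3 V5.2.5 concerns template injection while OS command injection is V5.3.8, and the names given for ATLAS AML.T0037 and AML.T0040 do not match the ATLAS catalogue entries for those IDs. Finally, `"source_list": "LLM-Top10-2025"` is paired with the 2023 title `Insecure Output Handling` where the 2025 list uses `Improper Output Handling`, and the changelog's `"version": "1.0.0"` is out of step with the 2.0.0 package release.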