genai-security-crosswalk 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/LICENSE.md +28 -0
  2. package/README.md +618 -0
  3. package/data/entries/ASI01.json +911 -0
  4. package/data/entries/ASI02.json +850 -0
  5. package/data/entries/ASI03.json +854 -0
  6. package/data/entries/ASI04.json +759 -0
  7. package/data/entries/ASI05.json +764 -0
  8. package/data/entries/ASI06.json +817 -0
  9. package/data/entries/ASI07.json +789 -0
  10. package/data/entries/ASI08.json +788 -0
  11. package/data/entries/ASI09.json +754 -0
  12. package/data/entries/ASI10.json +833 -0
  13. package/data/entries/DSGAI01.json +779 -0
  14. package/data/entries/DSGAI02.json +728 -0
  15. package/data/entries/DSGAI03.json +671 -0
  16. package/data/entries/DSGAI04.json +752 -0
  17. package/data/entries/DSGAI05.json +689 -0
  18. package/data/entries/DSGAI06.json +673 -0
  19. package/data/entries/DSGAI07.json +680 -0
  20. package/data/entries/DSGAI08.json +698 -0
  21. package/data/entries/DSGAI09.json +687 -0
  22. package/data/entries/DSGAI10.json +627 -0
  23. package/data/entries/DSGAI11.json +663 -0
  24. package/data/entries/DSGAI12.json +695 -0
  25. package/data/entries/DSGAI13.json +688 -0
  26. package/data/entries/DSGAI14.json +703 -0
  27. package/data/entries/DSGAI15.json +655 -0
  28. package/data/entries/DSGAI16.json +716 -0
  29. package/data/entries/DSGAI17.json +690 -0
  30. package/data/entries/DSGAI18.json +613 -0
  31. package/data/entries/DSGAI19.json +638 -0
  32. package/data/entries/DSGAI20.json +671 -0
  33. package/data/entries/DSGAI21.json +881 -0
  34. package/data/entries/LLM01.json +975 -0
  35. package/data/entries/LLM02.json +868 -0
  36. package/data/entries/LLM03.json +817 -0
  37. package/data/entries/LLM04.json +797 -0
  38. package/data/entries/LLM05.json +761 -0
  39. package/data/entries/LLM06.json +848 -0
  40. package/data/entries/LLM07.json +749 -0
  41. package/data/entries/LLM08.json +750 -0
  42. package/data/entries/LLM09.json +760 -0
  43. package/data/entries/LLM10.json +763 -0
  44. package/data/incidents-schema.json +121 -0
  45. package/data/incidents.json +1484 -0
  46. package/data/schema.json +134 -0
  47. package/dist/index.d.ts +97 -0
  48. package/dist/index.d.ts.map +1 -0
  49. package/dist/index.js +124 -0
  50. package/dist/index.js.map +1 -0
  51. package/dist/index.test.d.ts +2 -0
  52. package/dist/index.test.d.ts.map +1 -0
  53. package/dist/index.test.js +97 -0
  54. package/dist/index.test.js.map +1 -0
  55. package/package.json +62 -0
package/data/entries/LLM06.json ADDED
@@ -0,0 +1,848 @@
1
+ {
2
+ "id": "LLM06",
3
+ "name": "Excessive Agency",
4
+ "source_list": "LLM-Top10-2025",
5
+ "version": "2026-Q1",
6
+ "severity": "High",
7
+ "aivss_score": null,
8
+ "audience": [
9
+ "red-teamer",
10
+ "security-engineer",
11
+ "developer",
12
+ "ml-engineer",
13
+ "ot-engineer",
14
+ "ciso",
15
+ "compliance",
16
+ "auditor"
17
+ ],
18
+ "mappings": [
19
+ {
20
+ "framework": "MITRE ATLAS",
21
+ "control_id": "AML.T0015",
22
+ "control_name": "LLM Capability Escalation",
23
+ "tier": "Foundational",
24
+ "scope": "Build",
25
+ "url": "https://atlas.mitre.org/techniques/AML.T0015",
26
+ "notes": "Exploiting overly permissive LLM tool access to perform actions beyond intended scope"
27
+ },
28
+ {
29
+ "framework": "MITRE ATLAS",
30
+ "control_id": "AML.T0068",
31
+ "control_name": "Automated Collection",
32
+ "tier": "Foundational",
33
+ "scope": "Build",
34
+ "url": "https://atlas.mitre.org/techniques/AML.T0068",
35
+ "notes": "LLM autonomously collecting data beyond its intended access scope"
36
+ },
37
+ {
38
+ "framework": "NIST AI RMF 1.0",
39
+ "control_id": "GV-1.7",
40
+ "control_name": "Policies for trustworthy AI",
41
+ "tier": "Foundational",
42
+ "scope": "Build",
43
+ "notes": "Organisational policy defines and enforces limits on AI system autonomy and decision authority"
44
+ },
45
+ {
46
+ "framework": "NIST AI RMF 1.0",
47
+ "control_id": "MP-2.3",
48
+ "control_name": "Risk categorisation",
49
+ "tier": "Foundational",
50
+ "scope": "Build",
51
+ "notes": "Excessive agency risks mapped to specific tool and API integrations in the risk register"
52
+ },
53
+ {
54
+ "framework": "NIST AI RMF 1.0",
55
+ "control_id": "MS-2.5",
56
+ "control_name": "Testing — adversarial",
57
+ "tier": "Foundational",
58
+ "scope": "Build",
59
+ "notes": "Autonomy boundary testing included in adversarial evaluation programme"
60
+ },
61
+ {
62
+ "framework": "NIST AI RMF 1.0",
63
+ "control_id": "MG-2.2",
64
+ "control_name": "Risk response",
65
+ "tier": "Foundational",
66
+ "scope": "Build",
67
+ "notes": "Defined response for unauthorised autonomous actions including rollback and notification"
68
+ },
69
+ {
70
+ "framework": "EU AI Act",
71
+ "control_id": "Autonomy-related risks identified and mitigated",
72
+ "control_name": "Art. 9 — Risk management",
73
+ "tier": "Foundational",
74
+ "scope": "Both",
75
+ "notes": "Excessive agency scenarios required in risk management system"
76
+ },
77
+ {
78
+ "framework": "EU AI Act",
79
+ "control_id": "High-risk AI systems designed to allow effective human oversight — ability to pause, stop, and override",
80
+ "control_name": "Art. 14 — Human oversight",
81
+ "tier": "Foundational",
82
+ "scope": "Both",
83
+ "notes": "Human-in-the-loop requirements are a binding Art. 14 compliance obligation"
84
+ },
85
+ {
86
+ "framework": "EU AI Act",
87
+ "control_id": "Deployers must ensure human oversight as instructed by provider",
88
+ "control_name": "Art. 29 — Deployer obligations",
89
+ "tier": "Foundational",
90
+ "scope": "Both",
91
+ "notes": "Deployers cannot waive Art. 14 human oversight requirements"
92
+ },
93
+ {
94
+ "framework": "ISO/IEC 27001:2022",
95
+ "control_id": "A.8.2",
96
+ "control_name": "Privileged access rights",
97
+ "tier": "Foundational",
98
+ "scope": "Build",
99
+ "notes": "LLM tool access managed as privileged access — minimum scope, reviewed regularly"
100
+ },
101
+ {
102
+ "framework": "ISO/IEC 27001:2022",
103
+ "control_id": "A.5.10",
104
+ "control_name": "Acceptable use of assets",
105
+ "tier": "Foundational",
106
+ "scope": "Build",
107
+ "notes": "Policy defining acceptable LLM autonomous actions — approved tool use cases documented"
108
+ },
109
+ {
110
+ "framework": "ISO/IEC 27001:2022",
111
+ "control_id": "A.8.15",
112
+ "control_name": "Logging",
113
+ "tier": "Foundational",
114
+ "scope": "Build",
115
+ "notes": "All LLM tool invocations logged with full context — every tool call auditable"
116
+ },
117
+ {
118
+ "framework": "ISO/IEC 27001:2022",
119
+ "control_id": "A.5.15",
120
+ "control_name": "Identity management",
121
+ "tier": "Foundational",
122
+ "scope": "Build",
123
+ "notes": "LLM tool access governed through identity management — tool permissions scoped per deployment"
124
+ },
125
+ {
126
+ "framework": "ISO/IEC 42001:2023",
127
+ "control_id": "A.6.1.2",
128
+ "control_name": "Responsible AI system management",
129
+ "tier": "Foundational",
130
+ "scope": "Both",
131
+ "notes": "LLM tool access managed responsibly — minimum permissions, human oversight requirements documented as AIMS responsibilities"
132
+ },
133
+ {
134
+ "framework": "ISO/IEC 42001:2023",
135
+ "control_id": "A.6.2.3",
136
+ "control_name": "AI system security",
137
+ "tier": "Foundational",
138
+ "scope": "Both",
139
+ "notes": "Tool permission enforcement as AIMS security control — scope enforced at orchestration layer"
140
+ },
141
+ {
142
+ "framework": "ISO/IEC 42001:2023",
143
+ "control_id": "A.5.2",
144
+ "control_name": "Impact assessment",
145
+ "tier": "Foundational",
146
+ "scope": "Both",
147
+ "notes": "Impact assessment covers excessive agency risk — what actions can the LLM take autonomously, what is the worst-case impact"
148
+ },
149
+ {
150
+ "framework": "ISO/IEC 42001:2023",
151
+ "control_id": "Cl.5",
152
+ "control_name": "Policy",
153
+ "tier": "Foundational",
154
+ "scope": "Both",
155
+ "notes": "Leadership commitment to human oversight — autonomous action scope defined in AI policy, signed off at executive level"
156
+ },
157
+ {
158
+ "framework": "CIS Controls v8.1",
159
+ "control_id": "5.4 Restrict administrator privileges",
160
+ "control_name": "CIS 5 — Account Management",
161
+ "tier": "Foundational",
162
+ "scope": "Both",
163
+ "notes": "LLM tool access managed as privileged access — minimum scope, regular review"
164
+ },
165
+ {
166
+ "framework": "CIS Controls v8.1",
167
+ "control_id": "6.1 Establish access granting process",
168
+ "control_name": "CIS 6 — Access Control Management",
169
+ "tier": "Foundational",
170
+ "scope": "Both",
171
+ "notes": "Formal process for granting LLM tool access — documented justification required"
172
+ },
173
+ {
174
+ "framework": "CIS Controls v8.1",
175
+ "control_id": "8.5 Collect detailed audit logs",
176
+ "control_name": "CIS 8 — Audit Log Management",
177
+ "tier": "Foundational",
178
+ "scope": "Both",
179
+ "notes": "All LLM tool invocations logged — every tool call auditable with parameters"
180
+ },
181
+ {
182
+ "framework": "OWASP ASVS 4.0.3",
183
+ "control_id": "V4.1.3",
184
+ "control_name": "Verify access control enforces least privilege",
185
+ "tier": "Foundational",
186
+ "scope": "Both",
187
+ "notes": "LLM tool access enforced at minimum required scope — read-only by default"
188
+ },
189
+ {
190
+ "framework": "OWASP ASVS 4.0.3",
191
+ "control_id": "V4.1.1",
192
+ "control_name": "Verify all sensitive functions have access control",
193
+ "tier": "Foundational",
194
+ "scope": "Both",
195
+ "notes": "LLM cannot access sensitive functions (write, delete, execute) without explicit authorisation"
196
+ },
197
+ {
198
+ "framework": "OWASP ASVS 4.0.3",
199
+ "control_id": "V7.2.2",
200
+ "control_name": "Verify all business logic decisions logged",
201
+ "tier": "Foundational",
202
+ "scope": "Both",
203
+ "notes": "All LLM tool invocations logged with full context — every tool call auditable"
204
+ },
205
+ {
206
+ "framework": "OWASP ASVS 4.0.3",
207
+ "control_id": "V11.1.2",
208
+ "control_name": "Verify business logic abuse scenarios identified",
209
+ "tier": "Foundational",
210
+ "scope": "Both",
211
+ "notes": "Business logic controls preventing tool misuse through prompt manipulation"
212
+ },
213
+ {
214
+ "framework": "ISA/IEC 62443",
215
+ "control_id": "SR 2.2",
216
+ "control_name": "Least privilege",
217
+ "tier": "Foundational",
218
+ "scope": "Both",
219
+ "notes": "LLMs granted minimum necessary permissions to OT systems — read-only by default, no autonomous write"
220
+ },
221
+ {
222
+ "framework": "ISA/IEC 62443",
223
+ "control_id": "SR 2.1",
224
+ "control_name": "Use control enforcement",
225
+ "tier": "Foundational",
226
+ "scope": "Both",
227
+ "notes": "All LLM actions in OT context subject to explicit use controls — no autonomous action without human confirmation"
228
+ },
229
+ {
230
+ "framework": "ISA/IEC 62443",
231
+ "control_id": "SR 1.2",
232
+ "control_name": "User authentication",
233
+ "tier": "Foundational",
234
+ "scope": "Both",
235
+ "notes": "LLM actions in OT context authenticated as a distinct identity — traceable in OT audit log"
236
+ },
237
+ {
238
+ "framework": "ISA/IEC 62443",
239
+ "control_id": "SR 1.9",
240
+ "control_name": "Session lock",
241
+ "tier": "Foundational",
242
+ "scope": "Both",
243
+ "notes": "LLM sessions with OT access can be locked and terminated immediately by operators"
244
+ },
245
+ {
246
+ "framework": "NIST SP 800-82 Rev 3",
247
+ "control_id": "Unauthorised command execution via IT/OT interfaces",
248
+ "control_name": "Section 5.3 — Threats",
249
+ "tier": "Foundational",
250
+ "scope": "Both",
251
+ "notes": "LLM autonomous actions as a new path for unauthorised command execution"
252
+ },
253
+ {
254
+ "framework": "NIST SP 800-82 Rev 3",
255
+ "control_id": "Assess impact of unauthorised access and control",
256
+ "control_name": "Section 6.2 — Risk assessment",
257
+ "tier": "Foundational",
258
+ "scope": "Both",
259
+ "notes": "LLM excessive agency assessed as an unauthorised access risk for each OT interface"
260
+ },
261
+ {
262
+ "framework": "NIST SP 800-82 Rev 3",
263
+ "control_id": "Minimal necessary connectivity at IT/OT boundary",
264
+ "control_name": "Section 7.1 — Architecture",
265
+ "tier": "Foundational",
266
+ "scope": "Both",
267
+ "notes": "LLM access to OT systems restricted to minimum required — read-only by default"
268
+ },
269
+ {
270
+ "framework": "NIST SP 800-82 Rev 3",
271
+ "control_id": "Title",
272
+ "control_name": "Control",
273
+ "tier": "Foundational",
274
+ "scope": "Both",
275
+ "notes": "Application"
276
+ },
277
+ {
278
+ "framework": "NIST SP 800-82 Rev 3",
279
+ "control_id": "Least Privilege",
280
+ "control_name": "AC-6",
281
+ "tier": "Foundational",
282
+ "scope": "Both",
283
+ "notes": "LLM granted minimum necessary OT access — read-only to historian, no write access without documented justification"
284
+ },
285
+ {
286
+ "framework": "NIST SP 800-82 Rev 3",
287
+ "control_id": "Access Enforcement",
288
+ "control_name": "AC-3",
289
+ "tier": "Foundational",
290
+ "scope": "Both",
291
+ "notes": "LLM access to OT systems enforced by policy — scope cannot be exceeded regardless of model instruction"
292
+ },
293
+ {
294
+ "framework": "NIST SP 800-82 Rev 3",
295
+ "control_id": "Audit Record Generation",
296
+ "control_name": "AU-12",
297
+ "tier": "Foundational",
298
+ "scope": "Both",
299
+ "notes": "All LLM actions in OT context logged — full accountability for every OT data access and any recommended action"
300
+ },
301
+ {
302
+ "framework": "NIST CSF 2.0",
303
+ "control_id": "PR.AA-05",
304
+ "control_name": "Identity Management, Authentication & Access Control",
305
+ "tier": "Foundational",
306
+ "scope": "Both",
307
+ "notes": "Access permissions managed — LLM tool access managed as privileged access with least privilege enforcement"
308
+ },
309
+ {
310
+ "framework": "NIST CSF 2.0",
311
+ "control_id": "PR.AA-01",
312
+ "control_name": "Identity Management, Authentication & Access Control",
313
+ "tier": "Foundational",
314
+ "scope": "Both",
315
+ "notes": "Identities managed — LLM service identities inventoried and managed, tool permissions scoped per identity"
316
+ },
317
+ {
318
+ "framework": "NIST CSF 2.0",
319
+ "control_id": "DE.CM-01",
320
+ "control_name": "Continuous Monitoring",
321
+ "tier": "Foundational",
322
+ "scope": "Both",
323
+ "notes": "Networks and assets monitored — all LLM tool invocations logged and monitored for anomalous scope"
324
+ },
325
+ {
326
+ "framework": "NIST CSF 2.0",
327
+ "control_id": "GV.OC-01",
328
+ "control_name": "Organisational Context",
329
+ "tier": "Foundational",
330
+ "scope": "Both",
331
+ "notes": "Acceptable use of LLM autonomous actions defined — policy specifies what actions require human confirmation"
332
+ },
333
+ {
334
+ "framework": "SOC 2",
335
+ "control_id": "LLM tool access managed under least privilege — minimum scope, documented justification, regular review",
336
+ "control_name": "CC6.1 — Logical access restrictions",
337
+ "tier": "Foundational",
338
+ "scope": "Both"
339
+ },
340
+ {
341
+ "framework": "SOC 2",
342
+ "control_id": "LLM tool permissions removed promptly when no longer required — access review process covers LLM tool scope",
343
+ "control_name": "CC6.3 — Access removal",
344
+ "tier": "Foundational",
345
+ "scope": "Both"
346
+ },
347
+ {
348
+ "framework": "SOC 2",
349
+ "control_id": "Human oversight procedures for LLM autonomous actions — confirmation requirements documented and enforced",
350
+ "control_name": "CC5.2 — Control activities",
351
+ "tier": "Foundational",
352
+ "scope": "Both"
353
+ },
354
+ {
355
+ "framework": "SOC 2",
356
+ "control_id": "Excessive agency risks identified — what autonomous actions can the LLM take, what is the blast radius",
357
+ "control_name": "CC3.2 — Risk assessment",
358
+ "tier": "Foundational",
359
+ "scope": "Both"
360
+ },
361
+ {
362
+ "framework": "PCI DSS v4.0",
363
+ "control_id": "Req 7.2.1",
364
+ "control_name": "Restrict access to system components",
365
+ "tier": "Foundational",
366
+ "scope": "Both",
367
+ "notes": "LLM tool access to CDE systems restricted to minimum required — read-only by default, write access formally approved"
368
+ },
369
+ {
370
+ "framework": "PCI DSS v4.0",
371
+ "control_id": "Req 7.3.1",
372
+ "control_name": "Access control system",
373
+ "tier": "Foundational",
374
+ "scope": "Both",
375
+ "notes": "Access control system enforces LLM tool scope — agent cannot exceed defined CDE access without explicit authorisation"
376
+ },
377
+ {
378
+ "framework": "PCI DSS v4.0",
379
+ "control_id": "Req 10.2.1",
380
+ "control_name": "Logging and monitoring",
381
+ "tier": "Foundational",
382
+ "scope": "Both",
383
+ "notes": "All LLM tool invocations in CDE logged — tool identity, parameters, invoking user identity, timestamp"
384
+ },
385
+ {
386
+ "framework": "PCI DSS v4.0",
387
+ "control_id": "Req 12.3.2",
388
+ "control_name": "Targeted risk analysis",
389
+ "tier": "Foundational",
390
+ "scope": "Both",
391
+ "notes": "Targeted risk analysis for LLM autonomous action scope in CDE — blast radius documented and accepted"
392
+ },
393
+ {
394
+ "framework": "ENISA Multilayer Framework",
395
+ "control_id": "L2",
396
+ "control_name": "Governance and Risk (GOV)",
397
+ "tier": "Foundational",
398
+ "scope": "Both",
399
+ "notes": "Human oversight requirements for autonomous LLM actions — acceptable autonomy scope defined in AI governance policy"
400
+ },
401
+ {
402
+ "framework": "ENISA Multilayer Framework",
403
+ "control_id": "L2",
404
+ "control_name": "AI System Integrity (ASI)",
405
+ "tier": "Foundational",
406
+ "scope": "Both",
407
+ "notes": "Tool permission enforcement and action guardrails as ASI controls — LLM cannot exceed defined scope"
408
+ },
409
+ {
410
+ "framework": "ENISA Multilayer Framework",
411
+ "control_id": "MON",
412
+ "control_name": "Monitoring and Detection",
413
+ "tier": "Foundational",
414
+ "scope": "Both",
415
+ "notes": "All LLM tool invocations logged and monitored — anomalous scope detected through AI-specific monitoring"
416
+ },
417
+ {
418
+ "framework": "ENISA Multilayer Framework",
419
+ "control_id": "L1",
420
+ "control_name": "General ICT — Access Control",
421
+ "tier": "Foundational",
422
+ "scope": "Both",
423
+ "notes": "LLM tool access managed as privileged access — minimum permissions, regular review"
424
+ },
425
+ {
426
+ "framework": "OWASP SAMM v2.0",
427
+ "control_id": "G-SM",
428
+ "control_name": "Strategy & Metrics",
429
+ "tier": "Foundational",
430
+ "scope": "Both",
431
+ "notes": "AI autonomy policy as security programme strategy — acceptable autonomous action scope defined and communicated"
432
+ },
433
+ {
434
+ "framework": "OWASP SAMM v2.0",
435
+ "control_id": "D-SA",
436
+ "control_name": "Security Architecture",
437
+ "tier": "Foundational",
438
+ "scope": "Both",
439
+ "notes": "Least privilege architecture for LLM tool access — action scope enforced by design, not just policy"
440
+ },
441
+ {
442
+ "framework": "OWASP SAMM v2.0",
443
+ "control_id": "D-TA",
444
+ "control_name": "Threat Assessment",
445
+ "tier": "Foundational",
446
+ "scope": "Both",
447
+ "notes": "Excessive agency threat modelled — what happens if each tool is invoked autonomously with adversarial parameters"
448
+ },
449
+ {
450
+ "framework": "OWASP SAMM v2.0",
451
+ "control_id": "O-OM",
452
+ "control_name": "Operational Management",
453
+ "tier": "Foundational",
454
+ "scope": "Both",
455
+ "notes": "All LLM tool invocations logged and monitored — anomalous scope detected as operational control"
456
+ },
457
+ {
458
+ "framework": "STRIDE",
459
+ "control_id": "E",
460
+ "control_name": "Privilege Escalation via Excessive Tool Access",
461
+ "tier": "Foundational",
462
+ "scope": "Build"
463
+ },
464
+ {
465
+ "framework": "STRIDE",
466
+ "control_id": "T",
467
+ "control_name": "Unauthorised State Tampering",
468
+ "tier": "Foundational",
469
+ "scope": "Build"
470
+ },
471
+ {
472
+ "framework": "STRIDE",
473
+ "control_id": "D",
474
+ "control_name": "Resource Exhaustion via Uncontrolled Actions",
475
+ "tier": "Foundational",
476
+ "scope": "Build"
477
+ },
478
+ {
479
+ "framework": "CWE/CVE",
480
+ "control_id": "CWE-269",
481
+ "control_name": "CWE-269",
482
+ "tier": "Foundational",
483
+ "scope": "Build",
484
+ "url": "https://cwe.mitre.org/data/definitions/269.html"
485
+ },
486
+ {
487
+ "framework": "CWE/CVE",
488
+ "control_id": "CWE-272",
489
+ "control_name": "CWE-272",
490
+ "tier": "Foundational",
491
+ "scope": "Build",
492
+ "url": "https://cwe.mitre.org/data/definitions/272.html"
493
+ },
494
+ {
495
+ "framework": "CWE/CVE",
496
+ "control_id": "CWE-284",
497
+ "control_name": "CWE-284",
498
+ "tier": "Foundational",
499
+ "scope": "Build",
500
+ "url": "https://cwe.mitre.org/data/definitions/284.html"
501
+ },
502
+ {
503
+ "framework": "OWASP AI Testing Guide",
504
+ "control_id": "Permission scope enforcement",
505
+ "control_name": "ACT — Access Control",
506
+ "tier": "Foundational",
507
+ "scope": "Both",
508
+ "notes": "Verify LLM cannot invoke capabilities, tools, or APIs outside its defined role; test scope boundaries under adversarial conditions"
509
+ },
510
+ {
511
+ "framework": "OWASP AI Testing Guide",
512
+ "control_id": "Irreversibility gate enforcement",
513
+ "control_name": "AST — Agent-Specific",
514
+ "tier": "Foundational",
515
+ "scope": "Both",
516
+ "notes": "Verify irreversible actions require human confirmation; test that confirmation gates cannot be bypassed through crafted inputs"
517
+ },
518
+ {
519
+ "framework": "OWASP AI Testing Guide",
520
+ "control_id": "Action audit completeness",
521
+ "control_name": "LMT — Logging & Monitoring",
522
+ "tier": "Foundational",
523
+ "scope": "Both",
524
+ "notes": "Verify all LLM-initiated actions are logged with sufficient detail for forensic review"
525
+ },
526
+ {
527
+ "framework": "MAESTRO",
528
+ "control_id": "L6",
529
+ "control_name": "Security & Compliance",
530
+ "tier": "Foundational",
531
+ "scope": "Both"
532
+ },
533
+ {
534
+ "framework": "MAESTRO",
535
+ "control_id": "L3",
536
+ "control_name": "Agent Frameworks",
537
+ "tier": "Foundational",
538
+ "scope": "Both"
539
+ },
540
+ {
541
+ "framework": "MAESTRO",
542
+ "control_id": "L7",
543
+ "control_name": "Agent Ecosystem",
544
+ "tier": "Foundational",
545
+ "scope": "Both"
546
+ },
547
+ {
548
+ "framework": "AIUC-1",
549
+ "control_id": "B006",
550
+ "control_name": "Prevent unauthorized AI actions",
551
+ "tier": "Foundational",
552
+ "scope": "Both",
553
+ "notes": "Foundational"
554
+ },
555
+ {
556
+ "framework": "AIUC-1",
557
+ "control_id": "B007",
558
+ "control_name": "Third-party permission controls",
559
+ "tier": "Foundational",
560
+ "scope": "Both",
561
+ "notes": "Hardening"
562
+ },
563
+ {
564
+ "framework": "AIUC-1",
565
+ "control_id": "C",
566
+ "control_name": "Safety domain (human oversight)",
567
+ "tier": "Foundational",
568
+ "scope": "Both",
569
+ "notes": "Foundational"
570
+ },
571
+ {
572
+ "framework": "AIUC-1",
573
+ "control_id": "E",
574
+ "control_name": "Accountability domain (audit trails)",
575
+ "tier": "Foundational",
576
+ "scope": "Both",
577
+ "notes": "Foundational"
578
+ },
579
+ {
580
+ "framework": "OWASP NHI Top 10",
581
+ "control_id": "Tool/API credentials with more scope than task requires",
582
+ "control_name": "NHI-5 Over-Privileged NHI",
583
+ "tier": "Foundational",
584
+ "scope": "Both",
585
+ "notes": "Minimum credential scope per tool integration"
586
+ },
587
+ {
588
+ "framework": "OWASP NHI Top 10",
589
+ "control_id": "Long-lived tool credentials enable extended unauthorised access",
590
+ "control_name": "NHI-7 Long-Lived Credentials",
591
+ "tier": "Foundational",
592
+ "scope": "Both",
593
+ "notes": "Short-lived JIT credentials per task (see RECIPES.md)"
594
+ },
595
+ {
596
+ "framework": "OWASP NHI Top 10",
597
+ "control_id": "Same credential used for multiple tools — compromise of one exposes all",
598
+ "control_name": "NHI-9 NHI Reuse",
599
+ "tier": "Foundational",
600
+ "scope": "Both",
601
+ "notes": "Separate credentials per tool integration"
602
+ },
603
+ {
604
+ "framework": "NIST SP 800-218A",
605
+ "control_id": "PW.1.1-PS",
606
+ "control_name": "Define security requirements — AI capability constraints",
607
+ "tier": "Foundational",
608
+ "scope": "Build",
609
+ "notes": "Define explicit security requirements limiting the capabilities, tool access, and autonomous action scope permitted for each AI deployment"
610
+ },
611
+ {
612
+ "framework": "NIST SP 800-218A",
613
+ "control_id": "PW.2.1-PS",
614
+ "control_name": "Design software — autonomy boundary threat modelling",
615
+ "tier": "Foundational",
616
+ "scope": "Build",
617
+ "notes": "Threat model all tool integrations and autonomous action paths; design least-privilege tool manifests and human approval gates for irreversible actions"
618
+ },
619
+ {
620
+ "framework": "NIST SP 800-218A",
621
+ "control_id": "PW.7.2-PS",
622
+ "control_name": "Review for security vulnerabilities — autonomy boundary validation",
623
+ "tier": "Foundational",
624
+ "scope": "Build",
625
+ "notes": "Review model behaviour for scope violations — verify that the model cannot invoke tools or take actions outside its defined permission manifest"
626
+ },
627
+ {
628
+ "framework": "NIST SP 800-218A",
629
+ "control_id": "PW.8.2-PS",
630
+ "control_name": "Test for security vulnerabilities — adversarial autonomy testing",
631
+ "tier": "Foundational",
632
+ "scope": "Build",
633
+ "notes": "Conduct adversarial testing targeting excessive agency through indirect injection and permission escalation scenarios"
634
+ },
635
+ {
636
+ "framework": "FedRAMP",
637
+ "control_id": "AC-6",
638
+ "control_name": "Least Privilege — AI agent permissions",
639
+ "tier": "Foundational",
640
+ "scope": "Build",
641
+ "notes": "Enforce least privilege for all AI agent tool access, API permissions, and autonomous action scope; restrict to minimum capabilities needed per deployment"
642
+ },
643
+ {
644
+ "framework": "FedRAMP",
645
+ "control_id": "CM-7",
646
+ "control_name": "Least Functionality — AI capability restrictions",
647
+ "tier": "Foundational",
648
+ "scope": "Build",
649
+ "notes": "Restrict AI systems to minimum necessary capabilities; disable unused tools, APIs, and action types; enforce capability restrictions in configuration"
650
+ },
651
+ {
652
+ "framework": "FedRAMP",
653
+ "control_id": "AC-3",
654
+ "control_name": "Access Enforcement — tool invocation control",
655
+ "tier": "Foundational",
656
+ "scope": "Build",
657
+ "notes": "Enforce access control on all AI tool invocations; require authorisation for each tool call based on agent identity, context, and action type"
658
+ },
659
+ {
660
+ "framework": "FedRAMP",
661
+ "control_id": "PM-9",
662
+ "control_name": "Risk Management Strategy — AI autonomy risk",
663
+ "tier": "Foundational",
664
+ "scope": "Build",
665
+ "notes": "Include AI autonomy and excessive agency in the organisational risk management strategy; define acceptable autonomy thresholds and escalation procedures"
666
+ },
667
+ {
668
+ "framework": "DORA",
669
+ "control_id": "Art. 5–7",
670
+ "control_name": "ICT Risk Management — AI autonomy governance",
671
+ "tier": "Foundational",
672
+ "scope": "Build",
673
+ "notes": "Include AI autonomy and excessive agency in the ICT risk management framework; define acceptable autonomy thresholds and escalation procedures for financial AI systems"
674
+ },
675
+ {
676
+ "framework": "DORA",
677
+ "control_id": "Art. 9",
678
+ "control_name": "Protection and Prevention — agent action boundaries",
679
+ "tier": "Foundational",
680
+ "scope": "Build",
681
+ "notes": "Implement security controls enforcing least privilege on AI agent tool access, API permissions, and autonomous action scope within financial systems"
682
+ },
683
+ {
684
+ "framework": "DORA",
685
+ "control_id": "Art. 24–27",
686
+ "control_name": "Resilience Testing — autonomy boundary testing",
687
+ "tier": "Foundational",
688
+ "scope": "Build",
689
+ "notes": "Include excessive agency scenarios in resilience testing; test that AI agents cannot exceed defined permission boundaries under adversarial conditions"
690
+ },
691
+ {
692
+ "framework": "DORA",
693
+ "control_id": "Art. 10",
694
+ "control_name": "Detection — unauthorised action detection",
695
+ "tier": "Foundational",
696
+ "scope": "Build",
697
+ "notes": "Monitor AI agent actions for unauthorised tool invocations, scope violations, and anomalous behaviour patterns; alert on detection"
698
+ }
699
+ ],
700
+ "tools": [
701
+ {
702
+ "name": "LangChain (with guardrails)",
703
+ "type": "open-source",
704
+ "url": "https://github.com/langchain-ai/langchain"
705
+ },
706
+ {
707
+ "name": "Guardrails AI",
708
+ "type": "open-source",
709
+ "url": "https://github.com/guardrails-ai/guardrails"
710
+ },
711
+ {
712
+ "name": "NeMo Guardrails",
713
+ "type": "open-source",
714
+ "url": "https://github.com/NVIDIA/NeMo-Guardrails"
715
+ },
716
+ {
717
+ "name": "LangSmith",
718
+ "type": "commercial",
719
+ "url": "https://smith.langchain.com"
720
+ },
721
+ {
722
+ "name": "Claroty",
723
+ "type": "commercial",
724
+ "url": "https://claroty.com"
725
+ },
726
+ {
727
+ "name": "Open Policy Agent",
728
+ "type": "open-source",
729
+ "url": "https://www.openpolicyagent.org"
730
+ },
731
+ {
732
+ "name": "LAAF v2.0",
733
+ "url": "https://github.com/qorvexconsulting1/laaf-V2.0",
734
+ "type": "open-source"
735
+ }
736
+ ],
737
+ "incidents": [
738
+ {
739
+ "name": "Bing Chat 'Sydney' jailbreak — persona escape and threatening behaviour",
740
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
741
+ "year": 2023,
742
+ "incident_id": "INC-002"
743
+ },
744
+ {
745
+ "name": "Air Canada chatbot invents bereavement discount policy — tribunal ruling",
746
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
747
+ "year": 2024,
748
+ "incident_id": "INC-004"
749
+ },
750
+ {
751
+ "name": "Chevrolet dealership chatbot agrees to sell car for $1",
752
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
753
+ "year": 2023,
754
+ "incident_id": "INC-005"
755
+ },
756
+ {
757
+ "name": "WormGPT — uncensored LLM sold for cybercrime on dark web forums",
758
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
759
+ "year": 2023,
760
+ "incident_id": "INC-011"
761
+ },
762
+ {
763
+ "name": "LAAF v2.0 — Empirical LPCI breakthrough rates of 67–100% across 5 production LLMs",
764
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
765
+ "year": 2026,
766
+ "incident_id": "INC-021"
767
+ },
768
+ {
769
+ "name": "AI voice deepfake CEO fraud — Hong Kong $25M loss",
770
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
771
+ "year": 2024,
772
+ "incident_id": "INC-026"
773
+ },
774
+ {
775
+ "name": "MathPrompt: symbolic mathematics jailbreak attack",
776
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
777
+ "year": 2024,
778
+ "incident_id": "INC-027"
779
+ },
780
+ {
781
+ "name": "Many-shot jailbreaking (Anthropic research)",
782
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
783
+ "year": 2024,
784
+ "incident_id": "INC-028"
785
+ },
786
+ {
787
+ "name": "Crescendo: multi-turn escalation attack (Microsoft)",
788
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
789
+ "year": 2024,
790
+ "incident_id": "INC-029"
791
+ },
792
+ {
793
+ "name": "Skeleton Key: direct system prompt override (Microsoft)",
794
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
795
+ "year": 2024,
796
+ "incident_id": "INC-030"
797
+ },
798
+ {
799
+ "name": "Meta Galactica model withdrawn after misinformation at launch",
800
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
801
+ "year": 2022,
802
+ "incident_id": "INC-031"
803
+ },
804
+ {
805
+ "name": "OpenAI o1/o3 reasoning chain jailbreak via chain-of-thought manipulation",
806
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
807
+ "year": 2025,
808
+ "incident_id": "INC-033"
809
+ },
810
+ {
811
+ "name": "Apollo Research: frontier models demonstrate strategic deception to avoid shutdown",
812
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
813
+ "year": 2024,
814
+ "incident_id": "INC-047"
815
+ },
816
+ {
817
+ "name": "AI companion apps: manipulation and exploitation of human-agent trust",
818
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
819
+ "year": 2025,
820
+ "incident_id": "INC-048"
821
+ }
822
+ ],
823
+ "crossrefs": {
824
+ "agentic_top10": [
825
+ "ASI01",
826
+ "ASI02",
827
+ "ASI10",
828
+ "ASI09",
829
+ "ASI03",
830
+ "ASI07"
831
+ ],
832
+ "dsgai_2026": [
833
+ "DSGAI06",
834
+ "DSGAI16",
835
+ "DSGAI12",
836
+ "DSGAI02",
837
+ "DSGAI07"
838
+ ]
839
+ },
840
+ "changelog": [
841
+ {
842
+ "date": "2026-03-27",
843
+ "version": "1.0.0",
844
+ "change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
845
+ "author": "emmanuelgjr"
846
+ }
847
+ ]
848
+ }