genai-security-crosswalk 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (55) hide show
  1. package/LICENSE.md +28 -0
  2. package/README.md +618 -0
  3. package/data/entries/ASI01.json +911 -0
  4. package/data/entries/ASI02.json +850 -0
  5. package/data/entries/ASI03.json +854 -0
  6. package/data/entries/ASI04.json +759 -0
  7. package/data/entries/ASI05.json +764 -0
  8. package/data/entries/ASI06.json +817 -0
  9. package/data/entries/ASI07.json +789 -0
  10. package/data/entries/ASI08.json +788 -0
  11. package/data/entries/ASI09.json +754 -0
  12. package/data/entries/ASI10.json +833 -0
  13. package/data/entries/DSGAI01.json +779 -0
  14. package/data/entries/DSGAI02.json +728 -0
  15. package/data/entries/DSGAI03.json +671 -0
  16. package/data/entries/DSGAI04.json +752 -0
  17. package/data/entries/DSGAI05.json +689 -0
  18. package/data/entries/DSGAI06.json +673 -0
  19. package/data/entries/DSGAI07.json +680 -0
  20. package/data/entries/DSGAI08.json +698 -0
  21. package/data/entries/DSGAI09.json +687 -0
  22. package/data/entries/DSGAI10.json +627 -0
  23. package/data/entries/DSGAI11.json +663 -0
  24. package/data/entries/DSGAI12.json +695 -0
  25. package/data/entries/DSGAI13.json +688 -0
  26. package/data/entries/DSGAI14.json +703 -0
  27. package/data/entries/DSGAI15.json +655 -0
  28. package/data/entries/DSGAI16.json +716 -0
  29. package/data/entries/DSGAI17.json +690 -0
  30. package/data/entries/DSGAI18.json +613 -0
  31. package/data/entries/DSGAI19.json +638 -0
  32. package/data/entries/DSGAI20.json +671 -0
  33. package/data/entries/DSGAI21.json +881 -0
  34. package/data/entries/LLM01.json +975 -0
  35. package/data/entries/LLM02.json +868 -0
  36. package/data/entries/LLM03.json +817 -0
  37. package/data/entries/LLM04.json +797 -0
  38. package/data/entries/LLM05.json +761 -0
  39. package/data/entries/LLM06.json +848 -0
  40. package/data/entries/LLM07.json +749 -0
  41. package/data/entries/LLM08.json +750 -0
  42. package/data/entries/LLM09.json +760 -0
  43. package/data/entries/LLM10.json +763 -0
  44. package/data/incidents-schema.json +121 -0
  45. package/data/incidents.json +1484 -0
  46. package/data/schema.json +134 -0
  47. package/dist/index.d.ts +97 -0
  48. package/dist/index.d.ts.map +1 -0
  49. package/dist/index.js +124 -0
  50. package/dist/index.js.map +1 -0
  51. package/dist/index.test.d.ts +2 -0
  52. package/dist/index.test.d.ts.map +1 -0
  53. package/dist/index.test.js +97 -0
  54. package/dist/index.test.js.map +1 -0
  55. package/package.json +62 -0
package/data/entries/LLM07.json ADDED
@@ -0,0 +1,749 @@
1
+ {
2
+ "id": "LLM07",
3
+ "name": "System Prompt Leakage",
4
+ "source_list": "LLM-Top10-2025",
5
+ "version": "2026-Q1",
6
+ "severity": "High",
7
+ "aivss_score": null,
8
+ "audience": [
9
+ "red-teamer",
10
+ "security-engineer",
11
+ "developer",
12
+ "ml-engineer",
13
+ "ot-engineer",
14
+ "ciso",
15
+ "compliance",
16
+ "auditor"
17
+ ],
18
+ "mappings": [
19
+ {
20
+ "framework": "MITRE ATLAS",
21
+ "control_id": "AML.T0041",
22
+ "control_name": "Configuration Exposure",
23
+ "tier": "Foundational",
24
+ "scope": "Build",
25
+ "url": "https://atlas.mitre.org/techniques/AML.T0041",
26
+ "notes": "Extraction of internal model configuration, instructions, or system prompts"
27
+ },
28
+ {
29
+ "framework": "MITRE ATLAS",
30
+ "control_id": "AML.T0051.000",
31
+ "control_name": "Direct Prompt Injection",
32
+ "tier": "Foundational",
33
+ "scope": "Build",
34
+ "url": "https://atlas.mitre.org/techniques/AML.T0051.000",
35
+ "notes": "Crafting inputs specifically designed to reveal or override system prompt content"
36
+ },
37
+ {
38
+ "framework": "NIST AI RMF 1.0",
39
+ "control_id": "GV-1.6",
40
+ "control_name": "Policies for data privacy",
41
+ "tier": "Foundational",
42
+ "scope": "Build",
43
+ "notes": "System prompts classified as sensitive configuration — subject to data governance policy"
44
+ },
45
+ {
46
+ "framework": "NIST AI RMF 1.0",
47
+ "control_id": "MS-2.6",
48
+ "control_name": "Testing — data leakage",
49
+ "tier": "Foundational",
50
+ "scope": "Build",
51
+ "notes": "Prompt extraction scenarios included in evaluation programme"
52
+ },
53
+ {
54
+ "framework": "NIST AI RMF 1.0",
55
+ "control_id": "MG-2.4",
56
+ "control_name": "Risk response — data",
57
+ "tier": "Foundational",
58
+ "scope": "Build",
59
+ "notes": "Defined response for detected system prompt leakage"
60
+ },
61
+ {
62
+ "framework": "NIST AI RMF 1.0",
63
+ "control_id": "MP-2.3",
64
+ "control_name": "Risk categorisation",
65
+ "tier": "Foundational",
66
+ "scope": "Build",
67
+ "notes": "System prompt leakage risk mapped and rated in AI risk register"
68
+ },
69
+ {
70
+ "framework": "EU AI Act",
71
+ "control_id": "Users must receive sufficient information about the AI system — but this does not require disclosing system prompts",
72
+ "control_name": "Art. 13 — Transparency",
73
+ "tier": "Foundational",
74
+ "scope": "Both",
75
+ "notes": "Transparency obligation must be met without exposing security-sensitive system prompt content"
76
+ },
77
+ {
78
+ "framework": "EU AI Act",
79
+ "control_id": "Configuration management documented",
80
+ "control_name": "Art. 17 — Quality management",
81
+ "tier": "Foundational",
82
+ "scope": "Both",
83
+ "notes": "System prompt versions, access controls, and change procedures are quality management artefacts"
84
+ },
85
+ {
86
+ "framework": "EU AI Act",
87
+ "control_id": "GPAI providers must publish summaries of training data and model capabilities",
88
+ "control_name": "Art. 53(1)(b) — GPAI transparency",
89
+ "tier": "Foundational",
90
+ "scope": "Both",
91
+ "notes": "Published summaries must not inadvertently expose security-sensitive configuration"
92
+ },
93
+ {
94
+ "framework": "ISO/IEC 27001:2022",
95
+ "control_id": "A.5.12",
96
+ "control_name": "Classification of information",
97
+ "tier": "Foundational",
98
+ "scope": "Build",
99
+ "notes": "System prompts classified as sensitive configuration — subject to data governance policy"
100
+ },
101
+ {
102
+ "framework": "ISO/IEC 27001:2022",
103
+ "control_id": "A.8.3",
104
+ "control_name": "Information access restriction",
105
+ "tier": "Foundational",
106
+ "scope": "Build",
107
+ "notes": "Access controls on system prompt storage — version controlled, access logged"
108
+ },
109
+ {
110
+ "framework": "ISO/IEC 27001:2022",
111
+ "control_id": "A.8.24",
112
+ "control_name": "Use of cryptography",
113
+ "tier": "Foundational",
114
+ "scope": "Build",
115
+ "notes": "System prompts encrypted at rest — not stored in cleartext configuration files"
116
+ },
117
+ {
118
+ "framework": "ISO/IEC 27001:2022",
119
+ "control_id": "A.8.15",
120
+ "control_name": "Logging",
121
+ "tier": "Foundational",
122
+ "scope": "Build",
123
+ "notes": "Access to system prompts logged — unauthorised access attempts detectable"
124
+ },
125
+ {
126
+ "framework": "ISO/IEC 42001:2023",
127
+ "control_id": "A.7.3",
128
+ "control_name": "Data provenance and characteristics",
129
+ "tier": "Foundational",
130
+ "scope": "Both",
131
+ "notes": "System prompts classified as sensitive operational data — provenance, access controls, handling requirements documented"
132
+ },
133
+ {
134
+ "framework": "ISO/IEC 42001:2023",
135
+ "control_id": "A.6.2.3",
136
+ "control_name": "AI system security",
137
+ "tier": "Foundational",
138
+ "scope": "Both",
139
+ "notes": "System prompt encryption and access controls as AIMS security design requirements"
140
+ },
141
+ {
142
+ "framework": "ISO/IEC 42001:2023",
143
+ "control_id": "A.8.1",
144
+ "control_name": "Information for interested parties",
145
+ "tier": "Foundational",
146
+ "scope": "Both",
147
+ "notes": "Transparency obligations balanced with operational security — what must be disclosed vs what may be kept confidential"
148
+ },
149
+ {
150
+ "framework": "ISO/IEC 42001:2023",
151
+ "control_id": "Cl.7",
152
+ "control_name": "Support",
153
+ "tier": "Foundational",
154
+ "scope": "Both",
155
+ "notes": "Documented information controls — system prompts managed as AIMS documented information with appropriate access controls"
156
+ },
157
+ {
158
+ "framework": "CIS Controls v8.1",
159
+ "control_id": "3.1 Establish data management process",
160
+ "control_name": "CIS 3 — Data Protection",
161
+ "tier": "Foundational",
162
+ "scope": "Both",
163
+ "notes": "System prompts classified as sensitive configuration — data handling policy applied"
164
+ },
165
+ {
166
+ "framework": "CIS Controls v8.1",
167
+ "control_id": "4.1 Establish secure configuration process",
168
+ "control_name": "CIS 4 — Secure Configuration",
169
+ "tier": "Foundational",
170
+ "scope": "Both",
171
+ "notes": "Secure configuration for LLM deployments — system prompts not in cleartext config"
172
+ },
173
+ {
174
+ "framework": "CIS Controls v8.1",
175
+ "control_id": "8.2 Collect audit logs",
176
+ "control_name": "CIS 8 — Audit Log Management",
177
+ "tier": "Foundational",
178
+ "scope": "Both",
179
+ "notes": "System prompt access logged — unauthorised access attempts detectable"
180
+ },
181
+ {
182
+ "framework": "OWASP ASVS 4.0.3",
183
+ "control_id": "V8.1.1",
184
+ "control_name": "Verify sensitive data not cached in cleartext",
185
+ "tier": "Foundational",
186
+ "scope": "Both",
187
+ "notes": "System prompts not stored in cleartext application configuration or source code"
188
+ },
189
+ {
190
+ "framework": "OWASP ASVS 4.0.3",
191
+ "control_id": "V4.1.3",
192
+ "control_name": "Verify access control enforces least privilege",
193
+ "tier": "Foundational",
194
+ "scope": "Both",
195
+ "notes": "System prompt access restricted to authorised personnel — read access logged"
196
+ },
197
+ {
198
+ "framework": "OWASP ASVS 4.0.3",
199
+ "control_id": "V7.2.1",
200
+ "control_name": "Verify access control decisions logged",
201
+ "tier": "Foundational",
202
+ "scope": "Both",
203
+ "notes": "All access to system prompts logged — unauthorised access attempts detectable"
204
+ },
205
+ {
206
+ "framework": "OWASP ASVS 4.0.3",
207
+ "control_id": "V14.2.3",
208
+ "control_name": "Verify secrets not in source code",
209
+ "tier": "Foundational",
210
+ "scope": "Both",
211
+ "notes": "System prompts not hardcoded in source code — stored in secret management system"
212
+ },
213
+ {
214
+ "framework": "ISA/IEC 62443",
215
+ "control_id": "SR 4.1",
216
+ "control_name": "Data confidentiality in transit",
217
+ "tier": "Foundational",
218
+ "scope": "Both",
219
+ "notes": "System prompt content treated as sensitive OT configuration data — encrypted in transit"
220
+ },
221
+ {
222
+ "framework": "ISA/IEC 62443",
223
+ "control_id": "SR 3.1",
224
+ "control_name": "Software and information integrity",
225
+ "tier": "Foundational",
226
+ "scope": "Both",
227
+ "notes": "System prompt integrity protected — unauthorised modification detected"
228
+ },
229
+ {
230
+ "framework": "ISA/IEC 62443",
231
+ "control_id": "SR 5.1",
232
+ "control_name": "Information flow restriction",
233
+ "tier": "Foundational",
234
+ "scope": "Both",
235
+ "notes": "System prompt content cannot flow to unauthorised external destinations"
236
+ },
237
+ {
238
+ "framework": "NIST SP 800-82 Rev 3",
239
+ "control_id": "OT configuration and topology data as espionage target",
240
+ "control_name": "Section 5.4 — Information disclosure",
241
+ "tier": "Foundational",
242
+ "scope": "Both",
243
+ "notes": "System prompts containing OT specifics treated as sensitive configuration data"
244
+ },
245
+ {
246
+ "framework": "NIST SP 800-82 Rev 3",
247
+ "control_id": "Protecting sensitive OT data",
248
+ "control_name": "Section 7.3 — Data protection",
249
+ "tier": "Foundational",
250
+ "scope": "Both",
251
+ "notes": "System prompt encryption and access controls as data protection measures"
252
+ },
253
+ {
254
+ "framework": "NIST SP 800-82 Rev 3",
255
+ "control_id": "Title",
256
+ "control_name": "Control",
257
+ "tier": "Foundational",
258
+ "scope": "Both",
259
+ "notes": "Application"
260
+ },
261
+ {
262
+ "framework": "NIST SP 800-82 Rev 3",
263
+ "control_id": "Protection of Information at Rest",
264
+ "control_name": "SC-28",
265
+ "tier": "Foundational",
266
+ "scope": "Both",
267
+ "notes": "System prompts encrypted at rest — not stored in cleartext configuration files"
268
+ },
269
+ {
270
+ "framework": "NIST SP 800-82 Rev 3",
271
+ "control_id": "Access Enforcement",
272
+ "control_name": "AC-3",
273
+ "tier": "Foundational",
274
+ "scope": "Both",
275
+ "notes": "System prompt access restricted to authorised personnel — version controlled, access logged"
276
+ },
277
+ {
278
+ "framework": "NIST SP 800-82 Rev 3",
279
+ "control_id": "Protection of Audit Information",
280
+ "control_name": "AU-9",
281
+ "tier": "Foundational",
282
+ "scope": "Both",
283
+ "notes": "System prompt access logs protected — unauthorised access attempts detectable"
284
+ },
285
+ {
286
+ "framework": "NIST CSF 2.0",
287
+ "control_id": "PR.DS-01",
288
+ "control_name": "Data Security",
289
+ "tier": "Foundational",
290
+ "scope": "Both",
291
+ "notes": "System prompts classified as sensitive configuration and protected at rest — encrypted, access-controlled"
292
+ },
293
+ {
294
+ "framework": "NIST CSF 2.0",
295
+ "control_id": "PR.AA-05",
296
+ "control_name": "Identity Management, Authentication & Access Control",
297
+ "tier": "Foundational",
298
+ "scope": "Both",
299
+ "notes": "Access to system prompt storage restricted to authorised personnel — least privilege enforced"
300
+ },
301
+ {
302
+ "framework": "NIST CSF 2.0",
303
+ "control_id": "DE.CM-01",
304
+ "control_name": "Continuous Monitoring",
305
+ "tier": "Foundational",
306
+ "scope": "Both",
307
+ "notes": "Access to system prompt storage logged and monitored — anomalous access detected"
308
+ },
309
+ {
310
+ "framework": "NIST CSF 2.0",
311
+ "control_id": "GV.RM-06",
312
+ "control_name": "Risk Management Strategy",
313
+ "tier": "Foundational",
314
+ "scope": "Both",
315
+ "notes": "Risk tolerance defined for system prompt exposure — operational security value of prompt confidentiality assessed"
316
+ },
317
+ {
318
+ "framework": "SOC 2",
319
+ "control_id": "System prompts classified as confidential — encryption at rest, access-controlled, not in cleartext config",
320
+ "control_name": "C2.1 — Confidential information protection",
321
+ "tier": "Foundational",
322
+ "scope": "Both"
323
+ },
324
+ {
325
+ "framework": "SOC 2",
326
+ "control_id": "Access controls on system prompt storage — only authorised personnel can read or modify, all access logged",
327
+ "control_name": "CC6.1 — Logical access",
328
+ "tier": "Foundational",
329
+ "scope": "Both"
330
+ },
331
+ {
332
+ "framework": "SOC 2",
333
+ "control_id": "System prompt security procedures — version control, rotation, extraction resistance testing documented",
334
+ "control_name": "CC5.2 — Control activities",
335
+ "tier": "Foundational",
336
+ "scope": "Both"
337
+ },
338
+ {
339
+ "framework": "SOC 2",
340
+ "control_id": "Access to system prompt storage monitored — anomalous access attempts detected and alerted",
341
+ "control_name": "CC7.2 — Monitoring",
342
+ "tier": "Foundational",
343
+ "scope": "Both"
344
+ },
345
+ {
346
+ "framework": "PCI DSS v4.0",
347
+ "control_id": "Req 3.5.1",
348
+ "control_name": "Protection of sensitive authentication data",
349
+ "tier": "Foundational",
350
+ "scope": "Both",
351
+ "notes": "System prompts containing CDE configuration treated as sensitive — encrypted at rest, access-controlled"
352
+ },
353
+ {
354
+ "framework": "PCI DSS v4.0",
355
+ "control_id": "Req 7.2.1",
356
+ "control_name": "Restrict access by need to know",
357
+ "tier": "Foundational",
358
+ "scope": "Both",
359
+ "notes": "System prompt access restricted — only authorised personnel with documented business need"
360
+ },
361
+ {
362
+ "framework": "PCI DSS v4.0",
363
+ "control_id": "Req 10.2.1",
364
+ "control_name": "Logging and monitoring",
365
+ "tier": "Foundational",
366
+ "scope": "Both",
367
+ "notes": "All access to system prompt storage logged — access to CDE configuration data requires audit trail"
368
+ },
369
+ {
370
+ "framework": "PCI DSS v4.0",
371
+ "control_id": "Req 6.2.4",
372
+ "control_name": "Bespoke software security",
373
+ "tier": "Foundational",
374
+ "scope": "Both",
375
+ "notes": "System prompt design prevents leakage — no cleartext CDE identifiers, tokens resolved at runtime"
376
+ },
377
+ {
378
+ "framework": "ENISA Multilayer Framework",
379
+ "control_id": "L2",
380
+ "control_name": "Data and Model Security (DMS)",
381
+ "tier": "Foundational",
382
+ "scope": "Both",
383
+ "notes": "System prompts classified as sensitive AI system configuration — encrypted, access-controlled, version-managed"
384
+ },
385
+ {
386
+ "framework": "ENISA Multilayer Framework",
387
+ "control_id": "L2",
388
+ "control_name": "Governance and Risk (GOV)",
389
+ "tier": "Foundational",
390
+ "scope": "Both",
391
+ "notes": "System prompt security as AI governance obligation — operational security value assessed"
392
+ },
393
+ {
394
+ "framework": "ENISA Multilayer Framework",
395
+ "control_id": "MON",
396
+ "control_name": "Monitoring and Detection",
397
+ "tier": "Foundational",
398
+ "scope": "Both",
399
+ "notes": "System prompt access logged and monitored — anomalous access detected"
400
+ },
401
+ {
402
+ "framework": "ENISA Multilayer Framework",
403
+ "control_id": "L1",
404
+ "control_name": "General ICT — Data Protection",
405
+ "tier": "Foundational",
406
+ "scope": "Both",
407
+ "notes": "System prompts not stored in cleartext — encryption at rest as L1 data protection practice"
408
+ },
409
+ {
410
+ "framework": "OWASP SAMM v2.0",
411
+ "control_id": "D-SR",
412
+ "control_name": "Security Requirements",
413
+ "tier": "Foundational",
414
+ "scope": "Both",
415
+ "notes": "System prompt security as explicit requirement — confidentiality, encryption, access control specified before development"
416
+ },
417
+ {
418
+ "framework": "OWASP SAMM v2.0",
419
+ "control_id": "I-SB",
420
+ "control_name": "Secure Build",
421
+ "tier": "Foundational",
422
+ "scope": "Both",
423
+ "notes": "System prompt protection implemented in code — no cleartext storage, version control access restrictions"
424
+ },
425
+ {
426
+ "framework": "OWASP SAMM v2.0",
427
+ "control_id": "V-ST",
428
+ "control_name": "Security Testing",
429
+ "tier": "Foundational",
430
+ "scope": "Both",
431
+ "notes": "Prompt extraction testing as penetration testing activity — resistance to known extraction techniques verified"
432
+ },
433
+ {
434
+ "framework": "STRIDE",
435
+ "control_id": "I",
436
+ "control_name": "Configuration Information Disclosure",
437
+ "tier": "Foundational",
438
+ "scope": "Build"
439
+ },
440
+ {
441
+ "framework": "STRIDE",
442
+ "control_id": "R",
443
+ "control_name": "Security Control Repudiation",
444
+ "tier": "Foundational",
445
+ "scope": "Build"
446
+ },
447
+ {
448
+ "framework": "CWE/CVE",
449
+ "control_id": "CWE-200",
450
+ "control_name": "CWE-200",
451
+ "tier": "Foundational",
452
+ "scope": "Build",
453
+ "url": "https://cwe.mitre.org/data/definitions/200.html"
454
+ },
455
+ {
456
+ "framework": "CWE/CVE",
457
+ "control_id": "CWE-312",
458
+ "control_name": "CWE-312",
459
+ "tier": "Foundational",
460
+ "scope": "Build",
461
+ "url": "https://cwe.mitre.org/data/definitions/312.html"
462
+ },
463
+ {
464
+ "framework": "CWE/CVE",
465
+ "control_id": "CWE-215",
466
+ "control_name": "CWE-215",
467
+ "tier": "Foundational",
468
+ "scope": "Build",
469
+ "url": "https://cwe.mitre.org/data/definitions/215.html"
470
+ },
471
+ {
472
+ "framework": "OWASP AI Testing Guide",
473
+ "control_id": "System prompt extraction via crafted inputs",
474
+ "control_name": "IHT — Input Handling",
475
+ "tier": "Foundational",
476
+ "scope": "Both",
477
+ "notes": "Attempt to extract system prompt contents through direct requests, indirect summarisation, translation, and instruction-override techniques"
478
+ },
479
+ {
480
+ "framework": "OWASP AI Testing Guide",
481
+ "control_id": "Credential and sensitive content in system prompt",
482
+ "control_name": "DPT — Data Protection",
483
+ "tier": "Foundational",
484
+ "scope": "Both",
485
+ "notes": "Verify that credentials, API keys, or sensitive business logic in the system prompt are not reproducible by any input technique"
486
+ },
487
+ {
488
+ "framework": "OWASP AI Testing Guide",
489
+ "control_id": "Refusal robustness for system prompt disclosure",
490
+ "control_name": "MBT — Model Behaviour",
491
+ "tier": "Foundational",
492
+ "scope": "Both",
493
+ "notes": "Verify that the model consistently refuses system prompt disclosure across varied request phrasings and social engineering approaches"
494
+ },
495
+ {
496
+ "framework": "MAESTRO",
497
+ "control_id": "L1",
498
+ "control_name": "Foundation Models",
499
+ "tier": "Foundational",
500
+ "scope": "Both"
501
+ },
502
+ {
503
+ "framework": "MAESTRO",
504
+ "control_id": "L6",
505
+ "control_name": "Security & Compliance",
506
+ "tier": "Foundational",
507
+ "scope": "Both"
508
+ },
509
+ {
510
+ "framework": "AIUC-1",
511
+ "control_id": "A",
512
+ "control_name": "Data & Privacy domain",
513
+ "tier": "Foundational",
514
+ "scope": "Both",
515
+ "notes": "Foundational"
516
+ },
517
+ {
518
+ "framework": "AIUC-1",
519
+ "control_id": "B006",
520
+ "control_name": "Prevent unauthorized AI actions",
521
+ "tier": "Foundational",
522
+ "scope": "Both",
523
+ "notes": "Foundational"
524
+ },
525
+ {
526
+ "framework": "AIUC-1",
527
+ "control_id": "E",
528
+ "control_name": "Accountability domain",
529
+ "tier": "Foundational",
530
+ "scope": "Both",
531
+ "notes": "Foundational"
532
+ },
533
+ {
534
+ "framework": "OWASP NHI Top 10",
535
+ "control_id": "API keys or tokens embedded in system prompt",
536
+ "control_name": "NHI-2 Secret Leakage",
537
+ "tier": "Foundational",
538
+ "scope": "Both",
539
+ "notes": "Scan system prompts for credential patterns before deployment"
540
+ },
541
+ {
542
+ "framework": "OWASP NHI Top 10",
543
+ "control_id": "System prompt stored as plaintext config with embedded credentials",
544
+ "control_name": "NHI-6 Insecure Credential Storage",
545
+ "tier": "Foundational",
546
+ "scope": "Both",
547
+ "notes": "Externalise credentials to vault; reference by ID in system prompt"
548
+ },
549
+ {
550
+ "framework": "NIST SP 800-218A",
551
+ "control_id": "PS.1.1-PS",
552
+ "control_name": "Protect all code from unauthorised access — system prompt confidentiality",
553
+ "tier": "Foundational",
554
+ "scope": "Build",
555
+ "notes": "Classify system prompts as sensitive configuration artefacts; apply access controls, version control, and audit logging to all prompt stores"
556
+ },
557
+ {
558
+ "framework": "NIST SP 800-218A",
559
+ "control_id": "PW.5.1-PS",
560
+ "control_name": "Secure coding — no credentials in prompts",
561
+ "tier": "Foundational",
562
+ "scope": "Build",
563
+ "notes": "Enforce secure coding standards prohibiting embedding of credentials, API keys, or sensitive configuration data in system prompts or model context"
564
+ },
565
+ {
566
+ "framework": "NIST SP 800-218A",
567
+ "control_id": "PW.7.2-PS",
568
+ "control_name": "Review for security vulnerabilities — prompt disclosure",
569
+ "tier": "Foundational",
570
+ "scope": "Build",
571
+ "notes": "Include system prompt extraction scenarios in pre-release security reviews; verify that outputs cannot reveal system prompt content"
572
+ },
573
+ {
574
+ "framework": "NIST SP 800-218A",
575
+ "control_id": "PW.8.2-PS",
576
+ "control_name": "Test for security vulnerabilities — prompt extraction",
577
+ "tier": "Foundational",
578
+ "scope": "Build",
579
+ "notes": "Conduct adversarial prompt extraction testing against all known extraction techniques before deployment and after each system prompt change"
580
+ },
581
+ {
582
+ "framework": "FedRAMP",
583
+ "control_id": "SC-28",
584
+ "control_name": "Protection of Information at Rest — system prompt confidentiality",
585
+ "tier": "Foundational",
586
+ "scope": "Build",
587
+ "notes": "Classify system prompts as sensitive configuration; encrypt at rest, enforce access controls, and apply version control and audit logging to all prompt stores"
588
+ },
589
+ {
590
+ "framework": "FedRAMP",
591
+ "control_id": "AC-3",
592
+ "control_name": "Access Enforcement — prompt configuration access",
593
+ "tier": "Foundational",
594
+ "scope": "Build",
595
+ "notes": "Restrict access to system prompt configurations to authorised personnel; enforce role-based access control and change management on all prompt modifications"
596
+ },
597
+ {
598
+ "framework": "FedRAMP",
599
+ "control_id": "AU-2",
600
+ "control_name": "Event Logging — prompt extraction detection",
601
+ "tier": "Foundational",
602
+ "scope": "Build",
603
+ "notes": "Log inference interactions with sufficient detail to detect system prompt extraction attempts; alert on query patterns indicative of extraction techniques"
604
+ },
605
+ {
606
+ "framework": "FedRAMP",
607
+ "control_id": "SI-3",
608
+ "control_name": "Malicious Code Protection — prompt extraction defence",
609
+ "tier": "Foundational",
610
+ "scope": "Build",
611
+ "notes": "Deploy output monitoring to detect and block responses containing system prompt content; treat extraction as a security event"
612
+ },
613
+ {
614
+ "framework": "DORA",
615
+ "control_id": "Art. 9",
616
+ "control_name": "Protection and Prevention — prompt confidentiality",
617
+ "tier": "Foundational",
618
+ "scope": "Build",
619
+ "notes": "Classify system prompts as sensitive ICT configuration; implement protection controls including encryption, access control, and output monitoring to prevent extraction"
620
+ },
621
+ {
622
+ "framework": "DORA",
623
+ "control_id": "Art. 17–23",
624
+ "control_name": "ICT Incident Management — prompt extraction reporting",
625
+ "tier": "Foundational",
626
+ "scope": "Build",
627
+ "notes": "Classify successful system prompt extraction as an ICT-related incident; assess impact and report per DORA incident classification criteria"
628
+ },
629
+ {
630
+ "framework": "DORA",
631
+ "control_id": "Art. 13",
632
+ "control_name": "Learning and Evolving — extraction post-mortem",
633
+ "tier": "Foundational",
634
+ "scope": "Build",
635
+ "notes": "Conduct post-incident analysis for prompt extraction events; identify root cause, assess business impact, and update protection controls"
636
+ },
637
+ {
638
+ "framework": "DORA",
639
+ "control_id": "Art. 10",
640
+ "control_name": "Detection — extraction attempt detection",
641
+ "tier": "Foundational",
642
+ "scope": "Build",
643
+ "notes": "Deploy detection mechanisms for system prompt extraction attempts; monitor inference requests for extraction technique patterns"
644
+ }
645
+ ],
646
+ "tools": [
647
+ {
648
+ "name": "LLM Guard",
649
+ "type": "open-source",
650
+ "url": "https://github.com/protectai/llm-guard"
651
+ },
652
+ {
653
+ "name": "Garak",
654
+ "type": "open-source",
655
+ "url": "https://github.com/leondz/garak"
656
+ },
657
+ {
658
+ "name": "Trufflehog",
659
+ "type": "open-source",
660
+ "url": "https://github.com/trufflesecurity/trufflehog"
661
+ },
662
+ {
663
+ "name": "Rebuff",
664
+ "type": "open-source",
665
+ "url": "https://github.com/protectai/rebuff"
666
+ },
667
+ {
668
+ "name": "HashiCorp Vault",
669
+ "type": "commercial",
670
+ "url": "https://www.vaultproject.io"
671
+ },
672
+ {
673
+ "name": "LAAF v2.0",
674
+ "url": "https://github.com/qorvexconsulting1/laaf-V2.0",
675
+ "type": "open-source"
676
+ }
677
+ ],
678
+ "incidents": [
679
+ {
680
+ "name": "GitHub Copilot reproduces verbatim licensed code and embedded secrets",
681
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
682
+ "year": 2023,
683
+ "incident_id": "INC-008"
684
+ },
685
+ {
686
+ "name": "WormGPT — uncensored LLM sold for cybercrime on dark web forums",
687
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
688
+ "year": 2023,
689
+ "incident_id": "INC-011"
690
+ },
691
+ {
692
+ "name": "Perez & Ribeiro — 'Ignore Previous Prompt': foundational direct injection study",
693
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
694
+ "year": 2022,
695
+ "incident_id": "INC-013"
696
+ },
697
+ {
698
+ "name": "GPT-4 system prompt extraction via jailbreak in production deployments",
699
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
700
+ "year": 2023,
701
+ "incident_id": "INC-018"
702
+ },
703
+ {
704
+ "name": "LAAF v2.0 — Empirical LPCI breakthrough rates of 67–100% across 5 production LLMs",
705
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
706
+ "year": 2026,
707
+ "incident_id": "INC-021"
708
+ },
709
+ {
710
+ "name": "Greshake et al. \"Not What You've Signed Up For\" indirect prompt injection paper",
711
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
712
+ "year": 2023,
713
+ "incident_id": "INC-022"
714
+ },
715
+ {
716
+ "name": "GitHub Copilot Workspace prompt injection via repository content",
717
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
718
+ "year": 2024,
719
+ "incident_id": "INC-025"
720
+ },
721
+ {
722
+ "name": "Skeleton Key: direct system prompt override (Microsoft)",
723
+ "url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
724
+ "year": 2024,
725
+ "incident_id": "INC-030"
726
+ }
727
+ ],
728
+ "crossrefs": {
729
+ "agentic_top10": [
730
+ "ASI01",
731
+ "ASI02"
732
+ ],
733
+ "dsgai_2026": [
734
+ "DSGAI15",
735
+ "DSGAI08"
736
+ ],
737
+ "llm_top10": [
738
+ "LLM01"
739
+ ]
740
+ },
741
+ "changelog": [
742
+ {
743
+ "date": "2026-03-27",
744
+ "version": "1.0.0",
745
+ "change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
746
+ "author": "emmanuelgjr"
747
+ }
748
+ ]
749
+ }