genai-security-crosswalk 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
|
@@ -0,0 +1,854 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "ASI03",
|
|
3
|
+
"name": "Identity and Privilege Abuse",
|
|
4
|
+
"source_list": "Agentic-Top10-2026",
|
|
5
|
+
"version": "2026-Q1",
|
|
6
|
+
"severity": "Critical",
|
|
7
|
+
"aivss_score": 9.3,
|
|
8
|
+
"audience": [
|
|
9
|
+
"red-teamer",
|
|
10
|
+
"security-engineer",
|
|
11
|
+
"ml-engineer",
|
|
12
|
+
"ot-engineer",
|
|
13
|
+
"ciso",
|
|
14
|
+
"compliance",
|
|
15
|
+
"auditor",
|
|
16
|
+
"developer"
|
|
17
|
+
],
|
|
18
|
+
"mappings": [
|
|
19
|
+
{
|
|
20
|
+
"framework": "MITRE ATLAS",
|
|
21
|
+
"control_id": "AML.T0022",
|
|
22
|
+
"control_name": "Valid Accounts",
|
|
23
|
+
"tier": "Foundational",
|
|
24
|
+
"scope": "Both",
|
|
25
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0022",
|
|
26
|
+
"notes": "Exploiting legitimate agent credentials to access AI systems or data pipelines"
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"framework": "MITRE ATLAS",
|
|
30
|
+
"control_id": "AML.T0016",
|
|
31
|
+
"control_name": "Exfiltration via AI Inference API",
|
|
32
|
+
"tier": "Foundational",
|
|
33
|
+
"scope": "Both",
|
|
34
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0016",
|
|
35
|
+
"notes": "Using compromised agent credentials to exfiltrate data through inference API"
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"framework": "MITRE ATLAS",
|
|
39
|
+
"control_id": "AML.T0024",
|
|
40
|
+
"control_name": "Model Inversion",
|
|
41
|
+
"tier": "Foundational",
|
|
42
|
+
"scope": "Both",
|
|
43
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0024",
|
|
44
|
+
"notes": "Reconstructing sensitive data accessible to the agent through credential abuse"
|
|
45
|
+
},
|
|
46
|
+
{
|
|
47
|
+
"framework": "NIST AI RMF 1.0",
|
|
48
|
+
"control_id": "GV-1.6",
|
|
49
|
+
"control_name": "Policies for data privacy",
|
|
50
|
+
"tier": "Foundational",
|
|
51
|
+
"scope": "Both",
|
|
52
|
+
"notes": "Agent identity and credential governance policy — NHI inventory, short-lived credentials, scope controls"
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
"framework": "NIST AI RMF 1.0",
|
|
56
|
+
"control_id": "MP-2.3",
|
|
57
|
+
"control_name": "Risk categorisation",
|
|
58
|
+
"tier": "Foundational",
|
|
59
|
+
"scope": "Both",
|
|
60
|
+
"notes": "Agent credential exposure risks mapped per deployment — credential types, scope, and lateral movement potential"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"framework": "NIST AI RMF 1.0",
|
|
64
|
+
"control_id": "MS-2.5",
|
|
65
|
+
"control_name": "Testing — adversarial",
|
|
66
|
+
"tier": "Foundational",
|
|
67
|
+
"scope": "Both",
|
|
68
|
+
"notes": "Adversarial testing covering credential leakage and abuse — memory stores, logs, tool payload captures"
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
"framework": "NIST AI RMF 1.0",
|
|
72
|
+
"control_id": "MG-2.2",
|
|
73
|
+
"control_name": "Risk response",
|
|
74
|
+
"tier": "Foundational",
|
|
75
|
+
"scope": "Both",
|
|
76
|
+
"notes": "Incident response for credential exposure — rotation, containment, lateral movement assessment, downstream notification"
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
"framework": "EU AI Act",
|
|
80
|
+
"control_id": "Credential exposure risk identified and mitigated",
|
|
81
|
+
"control_name": "Art. 9 — Risk management",
|
|
82
|
+
"tier": "Foundational",
|
|
83
|
+
"scope": "Both",
|
|
84
|
+
"notes": "Agent credential lifecycle in Art. 9 risk management — NHI inventory, scope controls, rotation documented"
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
"framework": "EU AI Act",
|
|
88
|
+
"control_id": "Cybersecurity measures protecting against credential theft",
|
|
89
|
+
"control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
|
|
90
|
+
"tier": "Foundational",
|
|
91
|
+
"scope": "Both",
|
|
92
|
+
"notes": "Short-lived credentials, JIT access, PKI-backed identities are Art. 15 requirements"
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
"framework": "EU AI Act",
|
|
96
|
+
"control_id": "Documented procedures for credential incident response",
|
|
97
|
+
"control_name": "Art. 17 — Quality management",
|
|
98
|
+
"tier": "Foundational",
|
|
99
|
+
"scope": "Both",
|
|
100
|
+
"notes": "Agent credential incident response in quality management system — rotation, containment, lateral movement assessment"
|
|
101
|
+
},
|
|
102
|
+
{
|
|
103
|
+
"framework": "ISO/IEC 27001:2022",
|
|
104
|
+
"control_id": "A.8.2",
|
|
105
|
+
"control_name": "Privileged access rights",
|
|
106
|
+
"tier": "Foundational",
|
|
107
|
+
"scope": "Both",
|
|
108
|
+
"notes": "Agent credentials managed as privileged access — JIT issuance, minimum scope, regular review, automatic expiry"
|
|
109
|
+
},
|
|
110
|
+
{
|
|
111
|
+
"framework": "ISO/IEC 27001:2022",
|
|
112
|
+
"control_id": "A.5.16",
|
|
113
|
+
"control_name": "Identity management",
|
|
114
|
+
"tier": "Foundational",
|
|
115
|
+
"scope": "Both",
|
|
116
|
+
"notes": "NHI lifecycle management — all agent identities inventoried, provisioned, reviewed, and deprovisioned through formal process"
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
"framework": "ISO/IEC 27001:2022",
|
|
120
|
+
"control_id": "A.8.24",
|
|
121
|
+
"control_name": "Use of cryptography",
|
|
122
|
+
"tier": "Foundational",
|
|
123
|
+
"scope": "Both",
|
|
124
|
+
"notes": "Agent credentials encrypted at rest and in transit — secret manager, no cleartext storage"
|
|
125
|
+
},
|
|
126
|
+
{
|
|
127
|
+
"framework": "ISO/IEC 27001:2022",
|
|
128
|
+
"control_id": "A.8.15",
|
|
129
|
+
"control_name": "Logging",
|
|
130
|
+
"tier": "Foundational",
|
|
131
|
+
"scope": "Both",
|
|
132
|
+
"notes": "All credential operations logged — issuance, use, expiry, anomalous patterns detectable"
|
|
133
|
+
},
|
|
134
|
+
{
|
|
135
|
+
"framework": "ISO/IEC 42001:2023",
|
|
136
|
+
"control_id": "A.6.2.3",
|
|
137
|
+
"control_name": "AI system security",
|
|
138
|
+
"tier": "Foundational",
|
|
139
|
+
"scope": "Both",
|
|
140
|
+
"notes": "Credential security as AIMS design requirement — short-lived JIT credentials, no cleartext storage, least privilege"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"framework": "ISO/IEC 42001:2023",
|
|
144
|
+
"control_id": "A.7.3",
|
|
145
|
+
"control_name": "Data provenance and characteristics",
|
|
146
|
+
"tier": "Foundational",
|
|
147
|
+
"scope": "Both",
|
|
148
|
+
"notes": "Agent credentials tracked as AI system data — issuance, scope, expiry, rotation documented"
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
"framework": "ISO/IEC 42001:2023",
|
|
152
|
+
"control_id": "Cl.7",
|
|
153
|
+
"control_name": "Support",
|
|
154
|
+
"tier": "Foundational",
|
|
155
|
+
"scope": "Both",
|
|
156
|
+
"notes": "Resources for AI systems include NHIs — agent identities inventoried and managed as AIMS resources"
|
|
157
|
+
},
|
|
158
|
+
{
|
|
159
|
+
"framework": "ISO/IEC 42001:2023",
|
|
160
|
+
"control_id": "A.10.1",
|
|
161
|
+
"control_name": "Third-party AI system acquisition",
|
|
162
|
+
"tier": "Foundational",
|
|
163
|
+
"scope": "Both",
|
|
164
|
+
"notes": "Third-party services accessed via agent credentials assessed — security obligations in access arrangements"
|
|
165
|
+
},
|
|
166
|
+
{
|
|
167
|
+
"framework": "CIS Controls v8.1",
|
|
168
|
+
"control_id": "5.4 Restrict administrator privileges",
|
|
169
|
+
"control_name": "CIS 5 — Account Management",
|
|
170
|
+
"tier": "Foundational",
|
|
171
|
+
"scope": "Both",
|
|
172
|
+
"notes": "Agent credentials managed as privileged accounts — minimum scope, regular review, JIT issuance"
|
|
173
|
+
},
|
|
174
|
+
{
|
|
175
|
+
"framework": "CIS Controls v8.1",
|
|
176
|
+
"control_id": "6.2 Establish an access revoking process",
|
|
177
|
+
"control_name": "CIS 6 — Access Control Management",
|
|
178
|
+
"tier": "Foundational",
|
|
179
|
+
"scope": "Both",
|
|
180
|
+
"notes": "Agent credential revocation process — immediate revocation on detection, decommission procedure"
|
|
181
|
+
},
|
|
182
|
+
{
|
|
183
|
+
"framework": "CIS Controls v8.1",
|
|
184
|
+
"control_id": "8.5 Collect detailed audit logs",
|
|
185
|
+
"control_name": "CIS 8 — Audit Log Management",
|
|
186
|
+
"tier": "Foundational",
|
|
187
|
+
"scope": "Both",
|
|
188
|
+
"notes": "All credential operations logged — issuance, use, anomalous patterns detectable"
|
|
189
|
+
},
|
|
190
|
+
{
|
|
191
|
+
"framework": "CIS Controls v8.1",
|
|
192
|
+
"control_id": "3.11 Encrypt sensitive data at rest",
|
|
193
|
+
"control_name": "CIS 3 — Data Protection",
|
|
194
|
+
"tier": "Foundational",
|
|
195
|
+
"scope": "Both",
|
|
196
|
+
"notes": "Agent credentials encrypted at rest — secret manager, no cleartext storage"
|
|
197
|
+
},
|
|
198
|
+
{
|
|
199
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
200
|
+
"control_id": "V2.1.1",
|
|
201
|
+
"control_name": "Verify credentials not in source code",
|
|
202
|
+
"tier": "Foundational",
|
|
203
|
+
"scope": "Both",
|
|
204
|
+
"notes": "Agent credentials not hardcoded — secret manager required"
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
208
|
+
"control_id": "V4.1.3",
|
|
209
|
+
"control_name": "Verify access control enforces least privilege",
|
|
210
|
+
"tier": "Foundational",
|
|
211
|
+
"scope": "Both",
|
|
212
|
+
"notes": "Agent credential scope minimum required — no over-privileged NHIs"
|
|
213
|
+
},
|
|
214
|
+
{
|
|
215
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
216
|
+
"control_id": "V6.1.1",
|
|
217
|
+
"control_name": "Verify sensitive data encrypted at rest",
|
|
218
|
+
"tier": "Foundational",
|
|
219
|
+
"scope": "Both",
|
|
220
|
+
"notes": "Agent credentials encrypted at rest — no cleartext in config or agent memory"
|
|
221
|
+
},
|
|
222
|
+
{
|
|
223
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
224
|
+
"control_id": "V7.2.1",
|
|
225
|
+
"control_name": "Verify access control decisions logged",
|
|
226
|
+
"tier": "Foundational",
|
|
227
|
+
"scope": "Both",
|
|
228
|
+
"notes": "All credential usage logged — issuance, access, expiry detectable"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
232
|
+
"control_id": "V14.2.3",
|
|
233
|
+
"control_name": "Verify secrets not in source code",
|
|
234
|
+
"tier": "Foundational",
|
|
235
|
+
"scope": "Both",
|
|
236
|
+
"notes": "Agent credentials not committed to source control"
|
|
237
|
+
},
|
|
238
|
+
{
|
|
239
|
+
"framework": "ISA/IEC 62443",
|
|
240
|
+
"control_id": "SR 1.2",
|
|
241
|
+
"control_name": "Identification and authentication",
|
|
242
|
+
"tier": "Foundational",
|
|
243
|
+
"scope": "Both",
|
|
244
|
+
"notes": "All agent access to OT systems using distinct, traceable identity — not shared service accounts"
|
|
245
|
+
},
|
|
246
|
+
{
|
|
247
|
+
"framework": "ISA/IEC 62443",
|
|
248
|
+
"control_id": "SR 1.6",
|
|
249
|
+
"control_name": "Authenticator management",
|
|
250
|
+
"tier": "Foundational",
|
|
251
|
+
"scope": "Both",
|
|
252
|
+
"notes": "Agent credentials managed with defined lifecycle — issuance, rotation, revocation procedures"
|
|
253
|
+
},
|
|
254
|
+
{
|
|
255
|
+
"framework": "ISA/IEC 62443",
|
|
256
|
+
"control_id": "SR 2.2",
|
|
257
|
+
"control_name": "Least privilege",
|
|
258
|
+
"tier": "Foundational",
|
|
259
|
+
"scope": "Both",
|
|
260
|
+
"notes": "Agent credentials scoped to minimum OT data access required for defined task"
|
|
261
|
+
},
|
|
262
|
+
{
|
|
263
|
+
"framework": "ISA/IEC 62443",
|
|
264
|
+
"control_id": "SR 4.1",
|
|
265
|
+
"control_name": "Data confidentiality in transit",
|
|
266
|
+
"tier": "Foundational",
|
|
267
|
+
"scope": "Both",
|
|
268
|
+
"notes": "Agent credentials never transmitted or stored in cleartext within OT network"
|
|
269
|
+
},
|
|
270
|
+
{
|
|
271
|
+
"framework": "ISA/IEC 62443",
|
|
272
|
+
"control_id": "SR 1.9",
|
|
273
|
+
"control_name": "Session lock",
|
|
274
|
+
"tier": "Foundational",
|
|
275
|
+
"scope": "Both",
|
|
276
|
+
"notes": "Agent sessions terminated and credentials revoked immediately on compromise detection"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
280
|
+
"control_id": "ICS vulnerabilities",
|
|
281
|
+
"control_name": "§5.3",
|
|
282
|
+
"tier": "Hardening",
|
|
283
|
+
"scope": "Both",
|
|
284
|
+
"notes": "Memory corruption and state manipulation"
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
288
|
+
"control_id": "Risk assessment",
|
|
289
|
+
"control_name": "§6.2",
|
|
290
|
+
"tier": "Hardening",
|
|
291
|
+
"scope": "Both",
|
|
292
|
+
"notes": "Assess agent memory stores as OT data integrity risk"
|
|
293
|
+
},
|
|
294
|
+
{
|
|
295
|
+
"framework": "NIST CSF 2.0",
|
|
296
|
+
"control_id": "PR.AA-01",
|
|
297
|
+
"control_name": "Identity Management, Authentication & Access Control",
|
|
298
|
+
"tier": "Foundational",
|
|
299
|
+
"scope": "Both",
|
|
300
|
+
"notes": "Identities and credentials managed — NHI inventory, lifecycle management, unique identity per agent"
|
|
301
|
+
},
|
|
302
|
+
{
|
|
303
|
+
"framework": "NIST CSF 2.0",
|
|
304
|
+
"control_id": "PR.AA-05",
|
|
305
|
+
"control_name": "Identity Management, Authentication & Access Control",
|
|
306
|
+
"tier": "Foundational",
|
|
307
|
+
"scope": "Both",
|
|
308
|
+
"notes": "Access permissions managed — agent credential scope enforced, least privilege per agent role"
|
|
309
|
+
},
|
|
310
|
+
{
|
|
311
|
+
"framework": "NIST CSF 2.0",
|
|
312
|
+
"control_id": "PR.DS-01",
|
|
313
|
+
"control_name": "Data Security",
|
|
314
|
+
"tier": "Foundational",
|
|
315
|
+
"scope": "Both",
|
|
316
|
+
"notes": "Sensitive data protected at rest — agent credentials encrypted, not stored in cleartext"
|
|
317
|
+
},
|
|
318
|
+
{
|
|
319
|
+
"framework": "NIST CSF 2.0",
|
|
320
|
+
"control_id": "DE.CM-01",
|
|
321
|
+
"control_name": "Continuous Monitoring",
|
|
322
|
+
"tier": "Foundational",
|
|
323
|
+
"scope": "Both",
|
|
324
|
+
"notes": "Credential usage monitored — anomalous access patterns detected"
|
|
325
|
+
},
|
|
326
|
+
{
|
|
327
|
+
"framework": "SOC 2",
|
|
328
|
+
"control_id": "Agent credentials managed as logical access assets — provisioning, scope, rotation, revocation per access management policy",
|
|
329
|
+
"control_name": "CC6.1",
|
|
330
|
+
"tier": "Foundational",
|
|
331
|
+
"scope": "Both",
|
|
332
|
+
"notes": "Credential lifecycle records, provisioning logs"
|
|
333
|
+
},
|
|
334
|
+
{
|
|
335
|
+
"framework": "SOC 2",
|
|
336
|
+
"control_id": "Credentials revoked at session end — no persistent credential caching in agent memory after session terminates",
|
|
337
|
+
"control_name": "CC6.3",
|
|
338
|
+
"tier": "Foundational",
|
|
339
|
+
"scope": "Both",
|
|
340
|
+
"notes": "Session termination logs, credential TTL configuration"
|
|
341
|
+
},
|
|
342
|
+
{
|
|
343
|
+
"framework": "SOC 2",
|
|
344
|
+
"control_id": "Credential usage monitored — anomalous scope expansion or after-session access detected",
|
|
345
|
+
"control_name": "CC7.3",
|
|
346
|
+
"tier": "Foundational",
|
|
347
|
+
"scope": "Both",
|
|
348
|
+
"notes": "Credential audit log, anomaly alert records"
|
|
349
|
+
},
|
|
350
|
+
{
|
|
351
|
+
"framework": "SOC 2",
|
|
352
|
+
"control_id": "Agent credentials treated as confidential information — stored in secrets manager, access-controlled",
|
|
353
|
+
"control_name": "C1.1",
|
|
354
|
+
"tier": "Foundational",
|
|
355
|
+
"scope": "Both",
|
|
356
|
+
"notes": "Secrets management configuration, access control evidence"
|
|
357
|
+
},
|
|
358
|
+
{
|
|
359
|
+
"framework": "PCI DSS v4.0",
|
|
360
|
+
"control_id": "Agent accounts are system/application accounts — unique agent identity per deployment, no shared credentials",
|
|
361
|
+
"control_name": "Req 8.2",
|
|
362
|
+
"tier": "Foundational",
|
|
363
|
+
"scope": "Both",
|
|
364
|
+
"notes": "Account inventory, unique account evidence"
|
|
365
|
+
},
|
|
366
|
+
{
|
|
367
|
+
"framework": "PCI DSS v4.0",
|
|
368
|
+
"control_id": "Agent credential management — unique credentials, strong authentication where interactive, credential rotation schedule",
|
|
369
|
+
"control_name": "Req 8.3",
|
|
370
|
+
"tier": "Foundational",
|
|
371
|
+
"scope": "Both",
|
|
372
|
+
"notes": "Credential management policy, rotation records"
|
|
373
|
+
},
|
|
374
|
+
{
|
|
375
|
+
"framework": "PCI DSS v4.0",
|
|
376
|
+
"control_id": "Agent access to CHD follows need-to-know — access to cardholder data restricted to what agent function requires",
|
|
377
|
+
"control_name": "Req 7.2",
|
|
378
|
+
"tier": "Foundational",
|
|
379
|
+
"scope": "Both",
|
|
380
|
+
"notes": "Access control matrix, need-to-know justification"
|
|
381
|
+
},
|
|
382
|
+
{
|
|
383
|
+
"framework": "PCI DSS v4.0",
|
|
384
|
+
"control_id": "Agent credential usage logged — all authentication events for agent accounts in CHD scope logged",
|
|
385
|
+
"control_name": "Req 10.2",
|
|
386
|
+
"tier": "Foundational",
|
|
387
|
+
"scope": "Both",
|
|
388
|
+
"notes": "Authentication audit log"
|
|
389
|
+
},
|
|
390
|
+
{
|
|
391
|
+
"framework": "ENISA Multilayer Framework",
|
|
392
|
+
"control_id": "L2",
|
|
393
|
+
"control_name": "Data and Model Security (DMS)",
|
|
394
|
+
"tier": "Foundational",
|
|
395
|
+
"scope": "Both",
|
|
396
|
+
"notes": "Agent credentials treated as sensitive AI data assets — stored in secrets manager, never in agent memory or model context"
|
|
397
|
+
},
|
|
398
|
+
{
|
|
399
|
+
"framework": "ENISA Multilayer Framework",
|
|
400
|
+
"control_id": "L2",
|
|
401
|
+
"control_name": "Governance and Risk (GOV)",
|
|
402
|
+
"tier": "Foundational",
|
|
403
|
+
"scope": "Both",
|
|
404
|
+
"notes": "Agent credential lifecycle policy documented in AI governance framework — scope, lifetime, rotation, revocation"
|
|
405
|
+
},
|
|
406
|
+
{
|
|
407
|
+
"framework": "ENISA Multilayer Framework",
|
|
408
|
+
"control_id": "MON",
|
|
409
|
+
"control_name": "Monitoring and Detection",
|
|
410
|
+
"tier": "Foundational",
|
|
411
|
+
"scope": "Both",
|
|
412
|
+
"notes": "All agent credential operations logged — anomaly detection for scope expansion or after-session access"
|
|
413
|
+
},
|
|
414
|
+
{
|
|
415
|
+
"framework": "ENISA Multilayer Framework",
|
|
416
|
+
"control_id": "L1",
|
|
417
|
+
"control_name": "General ICT — Access Control",
|
|
418
|
+
"tier": "Foundational",
|
|
419
|
+
"scope": "Both",
|
|
420
|
+
"notes": "Short-lived tokens for all agent interactions — credential TTL enforced at the IAM layer"
|
|
421
|
+
},
|
|
422
|
+
{
|
|
423
|
+
"framework": "OWASP SAMM v2.0",
|
|
424
|
+
"control_id": "D-TA",
|
|
425
|
+
"control_name": "Design / Threat Assessment",
|
|
426
|
+
"tier": "Hardening",
|
|
427
|
+
"scope": "Both",
|
|
428
|
+
"notes": "Include memory store read/write paths in threat model"
|
|
429
|
+
},
|
|
430
|
+
{
|
|
431
|
+
"framework": "OWASP SAMM v2.0",
|
|
432
|
+
"control_id": "I-SB",
|
|
433
|
+
"control_name": "Implementation / Secure Build",
|
|
434
|
+
"tier": "Hardening",
|
|
435
|
+
"scope": "Both",
|
|
436
|
+
"notes": "Validate and sanitise all content written to persistent memory"
|
|
437
|
+
},
|
|
438
|
+
{
|
|
439
|
+
"framework": "OWASP SAMM v2.0",
|
|
440
|
+
"control_id": "V-ST",
|
|
441
|
+
"control_name": "Verification / Security Testing",
|
|
442
|
+
"tier": "Hardening",
|
|
443
|
+
"scope": "Both",
|
|
444
|
+
"notes": "Test persistent memory integrity across session boundaries"
|
|
445
|
+
},
|
|
446
|
+
{
|
|
447
|
+
"framework": "OWASP SAMM v2.0",
|
|
448
|
+
"control_id": "O-EM",
|
|
449
|
+
"control_name": "Operations / Environment Management",
|
|
450
|
+
"tier": "Hardening",
|
|
451
|
+
"scope": "Both",
|
|
452
|
+
"notes": "Apply access controls, encryption at rest, and integrity verification to all memory stores"
|
|
453
|
+
},
|
|
454
|
+
{
|
|
455
|
+
"framework": "OWASP SAMM v2.0",
|
|
456
|
+
"control_id": "V-AA",
|
|
457
|
+
"control_name": "Verification / Architecture Assessment",
|
|
458
|
+
"tier": "Hardening",
|
|
459
|
+
"scope": "Both",
|
|
460
|
+
"notes": "Confirm memory stores have appropriate access controls"
|
|
461
|
+
},
|
|
462
|
+
{
|
|
463
|
+
"framework": "CWE/CVE",
|
|
464
|
+
"control_id": "Execution with Unnecessary Privileges",
|
|
465
|
+
"control_name": "CWE-250",
|
|
466
|
+
"tier": "Foundational",
|
|
467
|
+
"scope": "Both",
|
|
468
|
+
"notes": "Agent runs with broader credentials than its task requires; NHI-5 over-privilege"
|
|
469
|
+
},
|
|
470
|
+
{
|
|
471
|
+
"framework": "CWE/CVE",
|
|
472
|
+
"control_id": "Insufficiently Protected Credentials",
|
|
473
|
+
"control_name": "CWE-522",
|
|
474
|
+
"tier": "Foundational",
|
|
475
|
+
"scope": "Both",
|
|
476
|
+
"notes": "Agent credentials stored in cleartext memory, logs, config, or tool payloads"
|
|
477
|
+
},
|
|
478
|
+
{
|
|
479
|
+
"framework": "CWE/CVE",
|
|
480
|
+
"control_id": "Cleartext Storage of Sensitive Information",
|
|
481
|
+
"control_name": "CWE-312",
|
|
482
|
+
"tier": "Foundational",
|
|
483
|
+
"scope": "Both",
|
|
484
|
+
"notes": "Credentials and tokens not encrypted at rest in agent memory or configuration"
|
|
485
|
+
},
|
|
486
|
+
{
|
|
487
|
+
"framework": "CWE/CVE",
|
|
488
|
+
"control_id": "Use of Hard-coded Credentials",
|
|
489
|
+
"control_name": "CWE-798",
|
|
490
|
+
"tier": "Foundational",
|
|
491
|
+
"scope": "Both",
|
|
492
|
+
"notes": "Agent credentials hardcoded in prompts or source code"
|
|
493
|
+
},
|
|
494
|
+
{
|
|
495
|
+
"framework": "CWE/CVE",
|
|
496
|
+
"control_id": "Insufficient Session Expiration",
|
|
497
|
+
"control_name": "CWE-613",
|
|
498
|
+
"tier": "Foundational",
|
|
499
|
+
"scope": "Both",
|
|
500
|
+
"notes": "Long-lived agent credentials without expiry or rotation — NHI-7"
|
|
501
|
+
},
|
|
502
|
+
{
|
|
503
|
+
"framework": "OWASP AI Testing Guide",
|
|
504
|
+
"control_id": "Credential scope enforcement",
|
|
505
|
+
"control_name": "ACT — Access Control",
|
|
506
|
+
"tier": "Foundational",
|
|
507
|
+
"scope": "Both",
|
|
508
|
+
"notes": "Verify agent cannot access systems beyond its credential scope; test scope boundaries"
|
|
509
|
+
},
|
|
510
|
+
{
|
|
511
|
+
"framework": "OWASP AI Testing Guide",
|
|
512
|
+
"control_id": "Credential usage audit trail",
|
|
513
|
+
"control_name": "LMT — Logging & Monitoring",
|
|
514
|
+
"tier": "Foundational",
|
|
515
|
+
"scope": "Both",
|
|
516
|
+
"notes": "Verify all credential operations are logged with sufficient detail for forensic investigation"
|
|
517
|
+
},
|
|
518
|
+
{
|
|
519
|
+
"framework": "OWASP AI Testing Guide",
|
|
520
|
+
"control_id": "Credential leakage paths",
|
|
521
|
+
"control_name": "DPT — Data Protection",
|
|
522
|
+
"tier": "Foundational",
|
|
523
|
+
"scope": "Both",
|
|
524
|
+
"notes": "Test whether credentials appear in agent outputs, logs, memory stores, or tool payloads"
|
|
525
|
+
},
|
|
526
|
+
{
|
|
527
|
+
"framework": "MAESTRO",
|
|
528
|
+
"control_id": "L6",
|
|
529
|
+
"control_name": "Security & Compliance",
|
|
530
|
+
"tier": "Foundational",
|
|
531
|
+
"scope": "Both"
|
|
532
|
+
},
|
|
533
|
+
{
|
|
534
|
+
"framework": "MAESTRO",
|
|
535
|
+
"control_id": "L7",
|
|
536
|
+
"control_name": "Agent Ecosystem",
|
|
537
|
+
"tier": "Foundational",
|
|
538
|
+
"scope": "Both"
|
|
539
|
+
},
|
|
540
|
+
{
|
|
541
|
+
"framework": "MAESTRO",
|
|
542
|
+
"control_id": "L4",
|
|
543
|
+
"control_name": "Deployment & Infrastructure",
|
|
544
|
+
"tier": "Foundational",
|
|
545
|
+
"scope": "Both"
|
|
546
|
+
},
|
|
547
|
+
{
|
|
548
|
+
"framework": "AIUC-1",
|
|
549
|
+
"control_id": "A",
|
|
550
|
+
"control_name": "Data & Privacy (full domain)",
|
|
551
|
+
"tier": "Foundational",
|
|
552
|
+
"scope": "Both"
|
|
553
|
+
},
|
|
554
|
+
{
|
|
555
|
+
"framework": "AIUC-1",
|
|
556
|
+
"control_id": "B007",
|
|
557
|
+
"control_name": "Enforce user access privileges to AI systems",
|
|
558
|
+
"tier": "Foundational",
|
|
559
|
+
"scope": "Both"
|
|
560
|
+
},
|
|
561
|
+
{
|
|
562
|
+
"framework": "AIUC-1",
|
|
563
|
+
"control_id": "B008",
|
|
564
|
+
"control_name": "Protect model deployment environment",
|
|
565
|
+
"tier": "Foundational",
|
|
566
|
+
"scope": "Both"
|
|
567
|
+
},
|
|
568
|
+
{
|
|
569
|
+
"framework": "AIUC-1",
|
|
570
|
+
"control_id": "E",
|
|
571
|
+
"control_name": "Accountability (full domain)",
|
|
572
|
+
"tier": "Foundational",
|
|
573
|
+
"scope": "Both"
|
|
574
|
+
},
|
|
575
|
+
{
|
|
576
|
+
"framework": "OWASP NHI Top 10",
|
|
577
|
+
"control_id": "Agent credentials not revoked on decommission — dormant tokens exploitable",
|
|
578
|
+
"control_name": "NHI-1 Improper Offboarding",
|
|
579
|
+
"tier": "Foundational",
|
|
580
|
+
"scope": "Both",
|
|
581
|
+
"notes": "Formal agent offboarding — all credentials revoked, tokens invalidated, access removed"
|
|
582
|
+
},
|
|
583
|
+
{
|
|
584
|
+
"framework": "OWASP NHI Top 10",
|
|
585
|
+
"control_id": "Agent credentials exposed in memory, logs, tool payloads",
|
|
586
|
+
"control_name": "NHI-2 Secret Leakage",
|
|
587
|
+
"tier": "Foundational",
|
|
588
|
+
"scope": "Both",
|
|
589
|
+
"notes": "No credentials in agent context, logs, or tool payloads — secret manager only"
|
|
590
|
+
},
|
|
591
|
+
{
|
|
592
|
+
"framework": "OWASP NHI Top 10",
|
|
593
|
+
"control_id": "Third-party tool credentials with excessive permissions inherited by agent",
|
|
594
|
+
"control_name": "NHI-3 Vulnerable Third-Party NHI",
|
|
595
|
+
"tier": "Foundational",
|
|
596
|
+
"scope": "Both",
|
|
597
|
+
"notes": "Validate all third-party NHIs — revoke over-privileged third-party tokens"
|
|
598
|
+
},
|
|
599
|
+
{
|
|
600
|
+
"framework": "OWASP NHI Top 10",
|
|
601
|
+
"control_id": "Weak agent-to-system authentication — credential reuse or weak secrets",
|
|
602
|
+
"control_name": "NHI-4 Insecure Authentication",
|
|
603
|
+
"tier": "Foundational",
|
|
604
|
+
"scope": "Both",
|
|
605
|
+
"notes": "Strong authentication for all agent-to-system connections — mTLS, short-lived tokens"
|
|
606
|
+
},
|
|
607
|
+
{
|
|
608
|
+
"framework": "OWASP NHI Top 10",
|
|
609
|
+
"control_id": "Agent holds more permissions than required — lateral movement amplifier",
|
|
610
|
+
"control_name": "NHI-5 Over-Privileged NHI",
|
|
611
|
+
"tier": "Foundational",
|
|
612
|
+
"scope": "Both",
|
|
613
|
+
"notes": "Least privilege per agent role — scope enforced, reviewed quarterly"
|
|
614
|
+
},
|
|
615
|
+
{
|
|
616
|
+
"framework": "OWASP NHI Top 10",
|
|
617
|
+
"control_id": "Agent credentials stored in cleartext — config files, environment variables",
|
|
618
|
+
"control_name": "NHI-6 Insecure Credential Storage",
|
|
619
|
+
"tier": "Foundational",
|
|
620
|
+
"scope": "Both",
|
|
621
|
+
"notes": "Secret manager for all agent credentials — no cleartext storage anywhere"
|
|
622
|
+
},
|
|
623
|
+
{
|
|
624
|
+
"framework": "OWASP NHI Top 10",
|
|
625
|
+
"control_id": "Agent tokens without expiry — compromise persists indefinitely",
|
|
626
|
+
"control_name": "NHI-7 Long-Lived Credentials",
|
|
627
|
+
"tier": "Foundational",
|
|
628
|
+
"scope": "Both",
|
|
629
|
+
"notes": "Short-lived credentials — task-scoped tokens with automatic expiry"
|
|
630
|
+
},
|
|
631
|
+
{
|
|
632
|
+
"framework": "OWASP NHI Top 10",
|
|
633
|
+
"control_id": "Production agent credentials accessible in dev/test environments",
|
|
634
|
+
"control_name": "NHI-8 Environment Isolation Failure",
|
|
635
|
+
"tier": "Foundational",
|
|
636
|
+
"scope": "Both",
|
|
637
|
+
"notes": "Strict environment isolation — separate credentials per environment, no cross-environment reuse"
|
|
638
|
+
},
|
|
639
|
+
{
|
|
640
|
+
"framework": "OWASP NHI Top 10",
|
|
641
|
+
"control_id": "Shared agent credential across multiple instances or deployments",
|
|
642
|
+
"control_name": "NHI-9 NHI Reuse",
|
|
643
|
+
"tier": "Foundational",
|
|
644
|
+
"scope": "Both",
|
|
645
|
+
"notes": "Unique identity per agent deployment — no credential sharing"
|
|
646
|
+
},
|
|
647
|
+
{
|
|
648
|
+
"framework": "OWASP NHI Top 10",
|
|
649
|
+
"control_id": "Humans using agent service accounts — no attribution, no MFA",
|
|
650
|
+
"control_name": "NHI-10 Human Use of NHI",
|
|
651
|
+
"tier": "Foundational",
|
|
652
|
+
"scope": "Both",
|
|
653
|
+
"notes": "Agent credentials machine-only — human use detected and blocked"
|
|
654
|
+
},
|
|
655
|
+
{
|
|
656
|
+
"framework": "NIST SP 800-218A",
|
|
657
|
+
"control_id": "Define explicit privilege boundaries for each agent identity — maximum permitted privilege level, credential scope, and escalation constraints",
|
|
658
|
+
"control_name": "PW.1.1-PS – Define security requirements",
|
|
659
|
+
"tier": "Foundational",
|
|
660
|
+
"scope": "Both",
|
|
661
|
+
"notes": "Establishes privilege boundaries as mandatory requirements"
|
|
662
|
+
},
|
|
663
|
+
{
|
|
664
|
+
"framework": "NIST SP 800-218A",
|
|
665
|
+
"control_id": "Implement secure credential handling — agents must not inherit user credentials, store tokens in context, or pass credentials between agents without explicit authorisation",
|
|
666
|
+
"control_name": "PW.5.1-PS – Secure coding practices",
|
|
667
|
+
"tier": "Foundational",
|
|
668
|
+
"scope": "Both",
|
|
669
|
+
"notes": "Prevents credential leakage through agent code paths"
|
|
670
|
+
},
|
|
671
|
+
{
|
|
672
|
+
"framework": "NIST SP 800-218A",
|
|
673
|
+
"control_id": "Protect credential stores, identity configurations, and privilege mapping files from unauthorised access and modification",
|
|
674
|
+
"control_name": "PS.1.1-PS – Protect all code from unauthorised access",
|
|
675
|
+
"tier": "Foundational",
|
|
676
|
+
"scope": "Both",
|
|
677
|
+
"notes": "Prevents tampering with privilege boundaries"
|
|
678
|
+
},
|
|
679
|
+
{
|
|
680
|
+
"framework": "NIST SP 800-218A",
|
|
681
|
+
"control_id": "Establish monitoring and triage procedures for privilege escalation incidents — detect agents operating beyond their assigned privilege level",
|
|
682
|
+
"control_name": "RV.1.1-PS – Identify and confirm vulnerabilities",
|
|
683
|
+
"tier": "Foundational",
|
|
684
|
+
"scope": "Both",
|
|
685
|
+
"notes": "Enables rapid detection of privilege escalation in production"
|
|
686
|
+
},
|
|
687
|
+
{
|
|
688
|
+
"framework": "FedRAMP",
|
|
689
|
+
"control_id": "AC-6",
|
|
690
|
+
"control_name": "Least Privilege — escalation prevention",
|
|
691
|
+
"tier": "Foundational",
|
|
692
|
+
"scope": "Both",
|
|
693
|
+
"notes": "Enforce least privilege with explicit privilege ceilings per agent; prevent accumulation of permissions through tool chaining or inter-agent delegation"
|
|
694
|
+
},
|
|
695
|
+
{
|
|
696
|
+
"framework": "FedRAMP",
|
|
697
|
+
"control_id": "IA-2",
|
|
698
|
+
"control_name": "Identification and Authentication — agent NHI",
|
|
699
|
+
"tier": "Foundational",
|
|
700
|
+
"scope": "Both",
|
|
701
|
+
"notes": "Assign unique non-human identities to each AI agent; authenticate agent identity at each tool invocation and inter-agent communication boundary"
|
|
702
|
+
},
|
|
703
|
+
{
|
|
704
|
+
"framework": "FedRAMP",
|
|
705
|
+
"control_id": "AC-3",
|
|
706
|
+
"control_name": "Access Enforcement — tool boundary enforcement",
|
|
707
|
+
"tier": "Foundational",
|
|
708
|
+
"scope": "Both",
|
|
709
|
+
"notes": "Enforce access control at every tool invocation boundary; validate agent identity and authorisation for each requested action regardless of calling context"
|
|
710
|
+
},
|
|
711
|
+
{
|
|
712
|
+
"framework": "FedRAMP",
|
|
713
|
+
"control_id": "IR-4",
|
|
714
|
+
"control_name": "Incident Handling — escalation incident response",
|
|
715
|
+
"tier": "Foundational",
|
|
716
|
+
"scope": "Both",
|
|
717
|
+
"notes": "Define incident handling procedures for agent privilege escalation events; include automated containment, privilege revocation, and forensic investigation"
|
|
718
|
+
},
|
|
719
|
+
{
|
|
720
|
+
"framework": "DORA",
|
|
721
|
+
"control_id": "Art. 9",
|
|
722
|
+
"control_name": "Protection and Prevention — escalation prevention controls",
|
|
723
|
+
"tier": "Foundational",
|
|
724
|
+
"scope": "Both",
|
|
725
|
+
"notes": "Implement security controls preventing agent privilege escalation through tool chaining, inter-agent delegation, or permission accumulation"
|
|
726
|
+
},
|
|
727
|
+
{
|
|
728
|
+
"framework": "DORA",
|
|
729
|
+
"control_id": "Art. 17–23",
|
|
730
|
+
"control_name": "ICT Incident Management — escalation incident reporting",
|
|
731
|
+
"tier": "Foundational",
|
|
732
|
+
"scope": "Both",
|
|
733
|
+
"notes": "Classify agent privilege escalation as an ICT-related incident; assess impact on financial systems and report per DORA incident classification criteria"
|
|
734
|
+
},
|
|
735
|
+
{
|
|
736
|
+
"framework": "DORA",
|
|
737
|
+
"control_id": "Art. 24–27",
|
|
738
|
+
"control_name": "Resilience Testing — escalation scenario testing",
|
|
739
|
+
"tier": "Foundational",
|
|
740
|
+
"scope": "Both",
|
|
741
|
+
"notes": "Include agent privilege escalation scenarios in threat-led penetration testing; test for escalation through tool chaining and inter-agent trust"
|
|
742
|
+
},
|
|
743
|
+
{
|
|
744
|
+
"framework": "DORA",
|
|
745
|
+
"control_id": "Art. 10",
|
|
746
|
+
"control_name": "Detection — escalation detection",
|
|
747
|
+
"tier": "Foundational",
|
|
748
|
+
"scope": "Both",
|
|
749
|
+
"notes": "Deploy detection mechanisms for agent privilege escalation; monitor for permission boundary violations and unexpected privilege accumulation"
|
|
750
|
+
}
|
|
751
|
+
],
|
|
752
|
+
"tools": [
|
|
753
|
+
{
|
|
754
|
+
"name": "HashiCorp Vault",
|
|
755
|
+
"type": "open-source",
|
|
756
|
+
"url": "https://www.vaultproject.io"
|
|
757
|
+
},
|
|
758
|
+
{
|
|
759
|
+
"name": "SPIFFE / SPIRE",
|
|
760
|
+
"type": "open-source",
|
|
761
|
+
"url": "https://spiffe.io"
|
|
762
|
+
},
|
|
763
|
+
{
|
|
764
|
+
"name": "Teleport",
|
|
765
|
+
"type": "commercial",
|
|
766
|
+
"url": "https://goteleport.com"
|
|
767
|
+
},
|
|
768
|
+
{
|
|
769
|
+
"name": "Entro Security",
|
|
770
|
+
"type": "commercial",
|
|
771
|
+
"url": "https://entro.security"
|
|
772
|
+
},
|
|
773
|
+
{
|
|
774
|
+
"name": "Claroty (OT identity)",
|
|
775
|
+
"type": "commercial",
|
|
776
|
+
"url": "https://claroty.com"
|
|
777
|
+
},
|
|
778
|
+
{
|
|
779
|
+
"name": "AWS Secrets Manager",
|
|
780
|
+
"type": "commercial",
|
|
781
|
+
"url": "https://aws.amazon.com/secrets-manager/"
|
|
782
|
+
},
|
|
783
|
+
{
|
|
784
|
+
"name": "LAAF (LLM Agent Assessment Framework)",
|
|
785
|
+
"type": "open-source",
|
|
786
|
+
"url": "https://github.com/OWASP/LAAF"
|
|
787
|
+
},
|
|
788
|
+
{
|
|
789
|
+
"name": "Open Policy Agent (OPA)",
|
|
790
|
+
"type": "open-source",
|
|
791
|
+
"url": "https://www.openpolicyagent.org"
|
|
792
|
+
},
|
|
793
|
+
{
|
|
794
|
+
"name": "Falco",
|
|
795
|
+
"type": "open-source",
|
|
796
|
+
"url": "https://falco.org"
|
|
797
|
+
},
|
|
798
|
+
{
|
|
799
|
+
"name": "Open Policy Agent",
|
|
800
|
+
"type": "open-source",
|
|
801
|
+
"url": "https://www.openpolicyagent.org"
|
|
802
|
+
},
|
|
803
|
+
{
|
|
804
|
+
"name": "SPIFFE/SPIRE",
|
|
805
|
+
"type": "open-source",
|
|
806
|
+
"url": "https://spiffe.io"
|
|
807
|
+
},
|
|
808
|
+
{
|
|
809
|
+
"name": "CyberArk",
|
|
810
|
+
"type": "commercial",
|
|
811
|
+
"url": "https://www.cyberark.com"
|
|
812
|
+
},
|
|
813
|
+
{
|
|
814
|
+
"name": "LAAF v2.0",
|
|
815
|
+
"url": "https://github.com/qorvexconsulting1/laaf-V2.0",
|
|
816
|
+
"type": "open-source"
|
|
817
|
+
}
|
|
818
|
+
],
|
|
819
|
+
"incidents": [
|
|
820
|
+
{
|
|
821
|
+
"name": "Agentic AI privilege escalation via tool chain manipulation — research",
|
|
822
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
823
|
+
"year": 2024,
|
|
824
|
+
"incident_id": "INC-019"
|
|
825
|
+
},
|
|
826
|
+
{
|
|
827
|
+
"name": "LAAF v2.0 — Empirical LPCI breakthrough rates of 67–100% across 5 production LLMs",
|
|
828
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
829
|
+
"year": 2026,
|
|
830
|
+
"incident_id": "INC-021"
|
|
831
|
+
}
|
|
832
|
+
],
|
|
833
|
+
"crossrefs": {
|
|
834
|
+
"llm_top10": [
|
|
835
|
+
"LLM06",
|
|
836
|
+
"LLM01"
|
|
837
|
+
],
|
|
838
|
+
"dsgai_2026": [
|
|
839
|
+
"DSGAI02",
|
|
840
|
+
"DSGAI10",
|
|
841
|
+
"DSGAI11",
|
|
842
|
+
"DSGAI06",
|
|
843
|
+
"DSGAI08"
|
|
844
|
+
]
|
|
845
|
+
},
|
|
846
|
+
"changelog": [
|
|
847
|
+
{
|
|
848
|
+
"date": "2026-03-27",
|
|
849
|
+
"version": "1.0.0",
|
|
850
|
+
"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
|
|
851
|
+
"author": "emmanuelgjr"
|
|
852
|
+
}
|
|
853
|
+
]
|
|
854
|
+
}
|