genai-security-crosswalk 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
|
@@ -0,0 +1,763 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "LLM10",
|
|
3
|
+
"name": "Unbounded Consumption",
|
|
4
|
+
"source_list": "LLM-Top10-2025",
|
|
5
|
+
"version": "2026-Q1",
|
|
6
|
+
"severity": "Medium",
|
|
7
|
+
"aivss_score": null,
|
|
8
|
+
"audience": [
|
|
9
|
+
"red-teamer",
|
|
10
|
+
"security-engineer",
|
|
11
|
+
"developer",
|
|
12
|
+
"ml-engineer",
|
|
13
|
+
"ot-engineer",
|
|
14
|
+
"ciso",
|
|
15
|
+
"compliance",
|
|
16
|
+
"auditor"
|
|
17
|
+
],
|
|
18
|
+
"mappings": [
|
|
19
|
+
{
|
|
20
|
+
"framework": "MITRE ATLAS",
|
|
21
|
+
"control_id": "AML.T0029",
|
|
22
|
+
"control_name": "Denial of ML Service",
|
|
23
|
+
"tier": "Foundational",
|
|
24
|
+
"scope": "Both",
|
|
25
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0029",
|
|
26
|
+
"notes": "Overloading AI systems with computationally expensive inputs to cause service degradation"
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"framework": "MITRE ATLAS",
|
|
30
|
+
"control_id": "AML.T0034",
|
|
31
|
+
"control_name": "Cost Harvesting",
|
|
32
|
+
"tier": "Foundational",
|
|
33
|
+
"scope": "Both",
|
|
34
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0034",
|
|
35
|
+
"notes": "Crafting inputs that maximise token usage or API costs per request"
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"framework": "NIST AI RMF 1.0",
|
|
39
|
+
"control_id": "MS-2.5",
|
|
40
|
+
"control_name": "Testing — adversarial",
|
|
41
|
+
"tier": "Foundational",
|
|
42
|
+
"scope": "Both",
|
|
43
|
+
"notes": "Resource exhaustion and denial-of-service scenarios included in adversarial testing"
|
|
44
|
+
},
|
|
45
|
+
{
|
|
46
|
+
"framework": "NIST AI RMF 1.0",
|
|
47
|
+
"control_id": "MG-2.2",
|
|
48
|
+
"control_name": "Risk response",
|
|
49
|
+
"tier": "Foundational",
|
|
50
|
+
"scope": "Both",
|
|
51
|
+
"notes": "Defined response to detected unbounded consumption events including rate limiting activation"
|
|
52
|
+
},
|
|
53
|
+
{
|
|
54
|
+
"framework": "NIST AI RMF 1.0",
|
|
55
|
+
"control_id": "MG-3.2",
|
|
56
|
+
"control_name": "Residual risk — availability",
|
|
57
|
+
"tier": "Foundational",
|
|
58
|
+
"scope": "Both",
|
|
59
|
+
"notes": "Residual availability risk from resource exhaustion documented and treated"
|
|
60
|
+
},
|
|
61
|
+
{
|
|
62
|
+
"framework": "NIST AI RMF 1.0",
|
|
63
|
+
"control_id": "GV-1.7",
|
|
64
|
+
"control_name": "Policies for trustworthy AI",
|
|
65
|
+
"tier": "Foundational",
|
|
66
|
+
"scope": "Both",
|
|
67
|
+
"notes": "Organisational policy defines resource limits and availability requirements for all LLM deployments"
|
|
68
|
+
},
|
|
69
|
+
{
|
|
70
|
+
"framework": "EU AI Act",
|
|
71
|
+
"control_id": "Availability risks identified and mitigated",
|
|
72
|
+
"control_name": "Art. 9 — Risk management",
|
|
73
|
+
"tier": "Foundational",
|
|
74
|
+
"scope": "Both",
|
|
75
|
+
"notes": "Resource exhaustion and DoS scenarios included in risk management system"
|
|
76
|
+
},
|
|
77
|
+
{
|
|
78
|
+
"framework": "EU AI Act",
|
|
79
|
+
"control_id": "High-risk AI must remain available under adversarial conditions",
|
|
80
|
+
"control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
|
|
81
|
+
"tier": "Foundational",
|
|
82
|
+
"scope": "Both",
|
|
83
|
+
"notes": "Technical resilience against denial-of-service attacks is an Art. 15 requirement"
|
|
84
|
+
},
|
|
85
|
+
{
|
|
86
|
+
"framework": "EU AI Act",
|
|
87
|
+
"control_id": "Operational continuity procedures documented",
|
|
88
|
+
"control_name": "Art. 17 — Quality management",
|
|
89
|
+
"tier": "Foundational",
|
|
90
|
+
"scope": "Both",
|
|
91
|
+
"notes": "Post-market monitoring and incident response for availability failures required"
|
|
92
|
+
},
|
|
93
|
+
{
|
|
94
|
+
"framework": "ISO/IEC 27001:2022",
|
|
95
|
+
"control_id": "A.8.16",
|
|
96
|
+
"control_name": "Monitoring activities",
|
|
97
|
+
"tier": "Foundational",
|
|
98
|
+
"scope": "Both",
|
|
99
|
+
"notes": "Real-time monitoring of LLM resource consumption — cost anomaly detection and alerting"
|
|
100
|
+
},
|
|
101
|
+
{
|
|
102
|
+
"framework": "ISO/IEC 27001:2022",
|
|
103
|
+
"control_id": "A.5.30",
|
|
104
|
+
"control_name": "ICT readiness for business continuity",
|
|
105
|
+
"tier": "Foundational",
|
|
106
|
+
"scope": "Both",
|
|
107
|
+
"notes": "LLM availability requirements in BCP — RTO/RPO defined, rate limiting as resilience control"
|
|
108
|
+
},
|
|
109
|
+
{
|
|
110
|
+
"framework": "ISO/IEC 27001:2022",
|
|
111
|
+
"control_id": "A.8.13",
|
|
112
|
+
"control_name": "Backup",
|
|
113
|
+
"tier": "Foundational",
|
|
114
|
+
"scope": "Both",
|
|
115
|
+
"notes": "Backup and recovery for LLM service infrastructure — failover capability tested"
|
|
116
|
+
},
|
|
117
|
+
{
|
|
118
|
+
"framework": "ISO/IEC 27001:2022",
|
|
119
|
+
"control_id": "A.5.24",
|
|
120
|
+
"control_name": "Incident management",
|
|
121
|
+
"tier": "Foundational",
|
|
122
|
+
"scope": "Both",
|
|
123
|
+
"notes": "Incident response procedures for LLM availability failures and cost overruns"
|
|
124
|
+
},
|
|
125
|
+
{
|
|
126
|
+
"framework": "ISO/IEC 42001:2023",
|
|
127
|
+
"control_id": "A.6.2.3",
|
|
128
|
+
"control_name": "AI system security",
|
|
129
|
+
"tier": "Foundational",
|
|
130
|
+
"scope": "Both",
|
|
131
|
+
"notes": "Rate limiting and resource controls as AIMS security design requirements — enforced at deployment"
|
|
132
|
+
},
|
|
133
|
+
{
|
|
134
|
+
"framework": "ISO/IEC 42001:2023",
|
|
135
|
+
"control_id": "A.6.2.8",
|
|
136
|
+
"control_name": "Monitoring of AI systems",
|
|
137
|
+
"tier": "Foundational",
|
|
138
|
+
"scope": "Both",
|
|
139
|
+
"notes": "Resource consumption monitored in operation — cost anomaly detection as AIMS monitoring control"
|
|
140
|
+
},
|
|
141
|
+
{
|
|
142
|
+
"framework": "ISO/IEC 42001:2023",
|
|
143
|
+
"control_id": "Cl.6.1",
|
|
144
|
+
"control_name": "Risk assessment",
|
|
145
|
+
"tier": "Foundational",
|
|
146
|
+
"scope": "Both",
|
|
147
|
+
"notes": "Consumption risk in AI risk assessment — impact on service availability, cost exposure documented"
|
|
148
|
+
},
|
|
149
|
+
{
|
|
150
|
+
"framework": "ISO/IEC 42001:2023",
|
|
151
|
+
"control_id": "Cl.9",
|
|
152
|
+
"control_name": "Performance evaluation",
|
|
153
|
+
"tier": "Foundational",
|
|
154
|
+
"scope": "Both",
|
|
155
|
+
"notes": "Resource consumption metrics in AIMS performance evaluation — consumption trends in management review"
|
|
156
|
+
},
|
|
157
|
+
{
|
|
158
|
+
"framework": "CIS Controls v8.1",
|
|
159
|
+
"control_id": "4.1 Establish secure configuration process",
|
|
160
|
+
"control_name": "CIS 4 — Secure Configuration",
|
|
161
|
+
"tier": "Foundational",
|
|
162
|
+
"scope": "Both",
|
|
163
|
+
"notes": "Secure configuration includes resource limits — token caps, rate limits, cost budgets"
|
|
164
|
+
},
|
|
165
|
+
{
|
|
166
|
+
"framework": "CIS Controls v8.1",
|
|
167
|
+
"control_id": "12.6 Use of network-based URL filters",
|
|
168
|
+
"control_name": "CIS 12 — Network Infrastructure Management",
|
|
169
|
+
"tier": "Foundational",
|
|
170
|
+
"scope": "Both",
|
|
171
|
+
"notes": "Rate limiting and traffic controls at the API gateway and network layer"
|
|
172
|
+
},
|
|
173
|
+
{
|
|
174
|
+
"framework": "CIS Controls v8.1",
|
|
175
|
+
"control_id": "17.1 Designate personnel for incident response",
|
|
176
|
+
"control_name": "CIS 17 — Incident Response",
|
|
177
|
+
"tier": "Foundational",
|
|
178
|
+
"scope": "Both",
|
|
179
|
+
"notes": "Defined response for consumption anomalies — automated rate limiting, session suspension, alerting"
|
|
180
|
+
},
|
|
181
|
+
{
|
|
182
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
183
|
+
"control_id": "V13.1.1",
|
|
184
|
+
"control_name": "Verify API rate limiting",
|
|
185
|
+
"tier": "Foundational",
|
|
186
|
+
"scope": "Both",
|
|
187
|
+
"notes": "Rate limiting on all LLM API endpoints — per user, per session, per API key"
|
|
188
|
+
},
|
|
189
|
+
{
|
|
190
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
191
|
+
"control_id": "V13.1.3",
|
|
192
|
+
"control_name": "Verify API rejects large unexpected payloads",
|
|
193
|
+
"tier": "Foundational",
|
|
194
|
+
"scope": "Both",
|
|
195
|
+
"notes": "Token limits on LLM API inputs — requests exceeding limits rejected at the gateway"
|
|
196
|
+
},
|
|
197
|
+
{
|
|
198
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
199
|
+
"control_id": "V11.1.4",
|
|
200
|
+
"control_name": "Verify business logic rate limits",
|
|
201
|
+
"tier": "Foundational",
|
|
202
|
+
"scope": "Both",
|
|
203
|
+
"notes": "Business logic controls on LLM usage — per-tenant cost budgets, rate limit policies"
|
|
204
|
+
},
|
|
205
|
+
{
|
|
206
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
207
|
+
"control_id": "V7.4.1",
|
|
208
|
+
"control_name": "Verify error handling does not expose sensitive data",
|
|
209
|
+
"tier": "Foundational",
|
|
210
|
+
"scope": "Both",
|
|
211
|
+
"notes": "LLM resource exhaustion errors handled gracefully — no sensitive information in error responses"
|
|
212
|
+
},
|
|
213
|
+
{
|
|
214
|
+
"framework": "ISA/IEC 62443",
|
|
215
|
+
"control_id": "SR 7.6",
|
|
216
|
+
"control_name": "Denial of service protection",
|
|
217
|
+
"tier": "Foundational",
|
|
218
|
+
"scope": "Both",
|
|
219
|
+
"notes": "LLM components protected against resource exhaustion attacks affecting OT availability"
|
|
220
|
+
},
|
|
221
|
+
{
|
|
222
|
+
"framework": "ISA/IEC 62443",
|
|
223
|
+
"control_id": "SR 7.7",
|
|
224
|
+
"control_name": "Control system backup",
|
|
225
|
+
"tier": "Foundational",
|
|
226
|
+
"scope": "Both",
|
|
227
|
+
"notes": "LLM resource exhaustion cannot affect backup and recovery of OT control systems"
|
|
228
|
+
},
|
|
229
|
+
{
|
|
230
|
+
"framework": "ISA/IEC 62443",
|
|
231
|
+
"control_id": "SR 6.6",
|
|
232
|
+
"control_name": "Timely response to events",
|
|
233
|
+
"tier": "Foundational",
|
|
234
|
+
"scope": "Both",
|
|
235
|
+
"notes": "Network monitoring detects and responds to LLM-related resource exhaustion before OT impact"
|
|
236
|
+
},
|
|
237
|
+
{
|
|
238
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
239
|
+
"control_id": "Denial of service attacks targeting OT availability",
|
|
240
|
+
"control_name": "Section 5.6 — DoS threats",
|
|
241
|
+
"tier": "Foundational",
|
|
242
|
+
"scope": "Both",
|
|
243
|
+
"notes": "LLM-induced resource exhaustion as a DoS vector affecting shared OT network infrastructure"
|
|
244
|
+
},
|
|
245
|
+
{
|
|
246
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
247
|
+
"control_id": "Assess availability risks for OT systems",
|
|
248
|
+
"control_name": "Section 6.2 — Risk assessment",
|
|
249
|
+
"tier": "Foundational",
|
|
250
|
+
"scope": "Both",
|
|
251
|
+
"notes": "LLM resource consumption impact assessed on shared OT network and compute infrastructure"
|
|
252
|
+
},
|
|
253
|
+
{
|
|
254
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
255
|
+
"control_id": "Network architecture preventing DoS propagation",
|
|
256
|
+
"control_name": "Section 7.2 — Network segmentation",
|
|
257
|
+
"tier": "Foundational",
|
|
258
|
+
"scope": "Both",
|
|
259
|
+
"notes": "LLM infrastructure isolated from OT control network — bandwidth caps at DMZ boundary"
|
|
260
|
+
},
|
|
261
|
+
{
|
|
262
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
263
|
+
"control_id": "Title",
|
|
264
|
+
"control_name": "Control",
|
|
265
|
+
"tier": "Foundational",
|
|
266
|
+
"scope": "Both",
|
|
267
|
+
"notes": "Application"
|
|
268
|
+
},
|
|
269
|
+
{
|
|
270
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
271
|
+
"control_id": "Denial of Service Protection",
|
|
272
|
+
"control_name": "SC-5",
|
|
273
|
+
"tier": "Foundational",
|
|
274
|
+
"scope": "Both",
|
|
275
|
+
"notes": "LLM infrastructure protected against resource exhaustion attacks affecting OT availability"
|
|
276
|
+
},
|
|
277
|
+
{
|
|
278
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
279
|
+
"control_id": "Fail-Safe Procedures",
|
|
280
|
+
"control_name": "SI-17",
|
|
281
|
+
"tier": "Foundational",
|
|
282
|
+
"scope": "Both",
|
|
283
|
+
"notes": "LLM service degradation has defined fail-safe behaviour — process control continues without LLM"
|
|
284
|
+
},
|
|
285
|
+
{
|
|
286
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
287
|
+
"control_id": "Audit Record Generation",
|
|
288
|
+
"control_name": "AU-12",
|
|
289
|
+
"tier": "Foundational",
|
|
290
|
+
"scope": "Both",
|
|
291
|
+
"notes": "LLM resource consumption logged — patterns indicating exhaustion attacks detectable"
|
|
292
|
+
},
|
|
293
|
+
{
|
|
294
|
+
"framework": "NIST CSF 2.0",
|
|
295
|
+
"control_id": "PR.IR-01",
|
|
296
|
+
"control_name": "Infrastructure Resilience",
|
|
297
|
+
"tier": "Foundational",
|
|
298
|
+
"scope": "Both",
|
|
299
|
+
"notes": "Networks and environments protected to achieve resilience — rate limiting and resource controls as resilience measures"
|
|
300
|
+
},
|
|
301
|
+
{
|
|
302
|
+
"framework": "NIST CSF 2.0",
|
|
303
|
+
"control_id": "DE.CM-01",
|
|
304
|
+
"control_name": "Continuous Monitoring",
|
|
305
|
+
"tier": "Foundational",
|
|
306
|
+
"scope": "Both",
|
|
307
|
+
"notes": "LLM resource consumption monitored — anomalous usage patterns detected and alerted"
|
|
308
|
+
},
|
|
309
|
+
{
|
|
310
|
+
"framework": "NIST CSF 2.0",
|
|
311
|
+
"control_id": "RS.MI-01",
|
|
312
|
+
"control_name": "Incident Mitigation",
|
|
313
|
+
"tier": "Foundational",
|
|
314
|
+
"scope": "Both",
|
|
315
|
+
"notes": "Incidents contained — automated rate limiting, circuit breakers, cost budgets as containment controls"
|
|
316
|
+
},
|
|
317
|
+
{
|
|
318
|
+
"framework": "NIST CSF 2.0",
|
|
319
|
+
"control_id": "GV.RM-01",
|
|
320
|
+
"control_name": "Risk Management Strategy",
|
|
321
|
+
"tier": "Foundational",
|
|
322
|
+
"scope": "Both",
|
|
323
|
+
"notes": "Risk management strategy established — LLM availability requirements and acceptable consumption risk defined"
|
|
324
|
+
},
|
|
325
|
+
{
|
|
326
|
+
"framework": "SOC 2",
|
|
327
|
+
"control_id": "LLM service availability commitments documented — SLAs, RTO/RPO, resource limits that protect availability",
|
|
328
|
+
"control_name": "A1.1 — Availability policies",
|
|
329
|
+
"tier": "Foundational",
|
|
330
|
+
"scope": "Both"
|
|
331
|
+
},
|
|
332
|
+
{
|
|
333
|
+
"framework": "SOC 2",
|
|
334
|
+
"control_id": "Rate limiting and resource controls protect LLM service availability — implemented and monitored",
|
|
335
|
+
"control_name": "A1.2 — Environmental protections",
|
|
336
|
+
"tier": "Foundational",
|
|
337
|
+
"scope": "Both"
|
|
338
|
+
},
|
|
339
|
+
{
|
|
340
|
+
"framework": "SOC 2",
|
|
341
|
+
"control_id": "Real-time monitoring of LLM resource consumption — cost anomalies and unusual volume patterns alerted",
|
|
342
|
+
"control_name": "CC7.2 — Anomaly detection",
|
|
343
|
+
"tier": "Foundational",
|
|
344
|
+
"scope": "Both"
|
|
345
|
+
},
|
|
346
|
+
{
|
|
347
|
+
"framework": "SOC 2",
|
|
348
|
+
"control_id": "Resource exhaustion risks identified in LLM risk assessment — DoS and sponge attack vectors assessed",
|
|
349
|
+
"control_name": "CC3.2 — Risk assessment",
|
|
350
|
+
"tier": "Foundational",
|
|
351
|
+
"scope": "Both"
|
|
352
|
+
},
|
|
353
|
+
{
|
|
354
|
+
"framework": "PCI DSS v4.0",
|
|
355
|
+
"control_id": "Req 1.3.2",
|
|
356
|
+
"control_name": "Network security controls",
|
|
357
|
+
"tier": "Foundational",
|
|
358
|
+
"scope": "Both",
|
|
359
|
+
"notes": "Network controls restrict inbound traffic to CDE — rate limiting at network layer for LLM applications"
|
|
360
|
+
},
|
|
361
|
+
{
|
|
362
|
+
"framework": "PCI DSS v4.0",
|
|
363
|
+
"control_id": "Req 6.4.1",
|
|
364
|
+
"control_name": "Public-facing application protection",
|
|
365
|
+
"tier": "Foundational",
|
|
366
|
+
"scope": "Both",
|
|
367
|
+
"notes": "LLM-powered public-facing applications protected against DoS — rate limiting and payload limits enforced"
|
|
368
|
+
},
|
|
369
|
+
{
|
|
370
|
+
"framework": "PCI DSS v4.0",
|
|
371
|
+
"control_id": "Req 10.6.1",
|
|
372
|
+
"control_name": "Audit log review",
|
|
373
|
+
"tier": "Foundational",
|
|
374
|
+
"scope": "Both",
|
|
375
|
+
"notes": "Automated monitoring for resource exhaustion patterns — unusual consumption volumes alerted"
|
|
376
|
+
},
|
|
377
|
+
{
|
|
378
|
+
"framework": "PCI DSS v4.0",
|
|
379
|
+
"control_id": "Req 12.3.2",
|
|
380
|
+
"control_name": "Targeted risk analysis",
|
|
381
|
+
"tier": "Foundational",
|
|
382
|
+
"scope": "Both",
|
|
383
|
+
"notes": "Targeted risk analysis for LLM availability in CDE — DoS impact on payment processing, controls documented"
|
|
384
|
+
},
|
|
385
|
+
{
|
|
386
|
+
"framework": "ENISA Multilayer Framework",
|
|
387
|
+
"control_id": "L1",
|
|
388
|
+
"control_name": "General ICT — Availability",
|
|
389
|
+
"tier": "Foundational",
|
|
390
|
+
"scope": "Both",
|
|
391
|
+
"notes": "Rate limiting and resource controls as L1 availability practices — LLM infrastructure protected against exhaustion"
|
|
392
|
+
},
|
|
393
|
+
{
|
|
394
|
+
"framework": "ENISA Multilayer Framework",
|
|
395
|
+
"control_id": "MON",
|
|
396
|
+
"control_name": "Monitoring and Detection",
|
|
397
|
+
"tier": "Foundational",
|
|
398
|
+
"scope": "Both",
|
|
399
|
+
"notes": "LLM resource consumption monitored — cost anomaly detection as ENISA monitoring practice"
|
|
400
|
+
},
|
|
401
|
+
{
|
|
402
|
+
"framework": "ENISA Multilayer Framework",
|
|
403
|
+
"control_id": "L1",
|
|
404
|
+
"control_name": "Incident Response (IRS)",
|
|
405
|
+
"tier": "Foundational",
|
|
406
|
+
"scope": "Both",
|
|
407
|
+
"notes": "Incident response for consumption anomalies — automated rate limiting, circuit breakers, cost budgets"
|
|
408
|
+
},
|
|
409
|
+
{
|
|
410
|
+
"framework": "ENISA Multilayer Framework",
|
|
411
|
+
"control_id": "L2",
|
|
412
|
+
"control_name": "Governance and Risk (GOV)",
|
|
413
|
+
"tier": "Foundational",
|
|
414
|
+
"scope": "Both",
|
|
415
|
+
"notes": "LLM availability in risk management — RTO/RPO defined, consumption risk in AI risk register"
|
|
416
|
+
},
|
|
417
|
+
{
|
|
418
|
+
"framework": "OWASP SAMM v2.0",
|
|
419
|
+
"control_id": "D-SR",
|
|
420
|
+
"control_name": "Security Requirements",
|
|
421
|
+
"tier": "Foundational",
|
|
422
|
+
"scope": "Both",
|
|
423
|
+
"notes": "Rate limiting and resource caps as security requirements — specified before LLM infrastructure deployment"
|
|
424
|
+
},
|
|
425
|
+
{
|
|
426
|
+
"framework": "OWASP SAMM v2.0",
|
|
427
|
+
"control_id": "I-SD",
|
|
428
|
+
"control_name": "Secure Deployment",
|
|
429
|
+
"tier": "Foundational",
|
|
430
|
+
"scope": "Both",
|
|
431
|
+
"notes": "Rate limiting and resource controls deployed with every LLM deployment — not optional post-deployment hardening"
|
|
432
|
+
},
|
|
433
|
+
{
|
|
434
|
+
"framework": "OWASP SAMM v2.0",
|
|
435
|
+
"control_id": "O-IM",
|
|
436
|
+
"control_name": "Incident Management",
|
|
437
|
+
"tier": "Foundational",
|
|
438
|
+
"scope": "Both",
|
|
439
|
+
"notes": "Consumption anomaly detection as incident management control — automated response, escalation procedure"
|
|
440
|
+
},
|
|
441
|
+
{
|
|
442
|
+
"framework": "OWASP SAMM v2.0",
|
|
443
|
+
"control_id": "O-EM",
|
|
444
|
+
"control_name": "Environment Management",
|
|
445
|
+
"tier": "Foundational",
|
|
446
|
+
"scope": "Both",
|
|
447
|
+
"notes": "Resource limits as environment configuration — documented, version-controlled, reviewed on change"
|
|
448
|
+
},
|
|
449
|
+
{
|
|
450
|
+
"framework": "STRIDE",
|
|
451
|
+
"control_id": "D",
|
|
452
|
+
"control_name": "Resource Exhaustion (Denial of Service)",
|
|
453
|
+
"tier": "Foundational",
|
|
454
|
+
"scope": "Both"
|
|
455
|
+
},
|
|
456
|
+
{
|
|
457
|
+
"framework": "CWE/CVE",
|
|
458
|
+
"control_id": "CWE-400",
|
|
459
|
+
"control_name": "CWE-400",
|
|
460
|
+
"tier": "Foundational",
|
|
461
|
+
"scope": "Both",
|
|
462
|
+
"url": "https://cwe.mitre.org/data/definitions/400.html"
|
|
463
|
+
},
|
|
464
|
+
{
|
|
465
|
+
"framework": "CWE/CVE",
|
|
466
|
+
"control_id": "CWE-770",
|
|
467
|
+
"control_name": "CWE-770",
|
|
468
|
+
"tier": "Foundational",
|
|
469
|
+
"scope": "Both",
|
|
470
|
+
"url": "https://cwe.mitre.org/data/definitions/770.html"
|
|
471
|
+
},
|
|
472
|
+
{
|
|
473
|
+
"framework": "CWE/CVE",
|
|
474
|
+
"control_id": "CWE-799",
|
|
475
|
+
"control_name": "CWE-799",
|
|
476
|
+
"tier": "Foundational",
|
|
477
|
+
"scope": "Both",
|
|
478
|
+
"url": "https://cwe.mitre.org/data/definitions/799.html"
|
|
479
|
+
},
|
|
480
|
+
{
|
|
481
|
+
"framework": "OWASP AI Testing Guide",
|
|
482
|
+
"control_id": "Resource exhaustion and rate limiting",
|
|
483
|
+
"control_name": "AVT — Availability",
|
|
484
|
+
"tier": "Foundational",
|
|
485
|
+
"scope": "Both",
|
|
486
|
+
"notes": "Test rate limiting enforcement, token budget controls, and compute throttling under load; verify graceful degradation"
|
|
487
|
+
},
|
|
488
|
+
{
|
|
489
|
+
"framework": "OWASP AI Testing Guide",
|
|
490
|
+
"control_id": "Consumption anomaly detection",
|
|
491
|
+
"control_name": "LMT — Logging & Monitoring",
|
|
492
|
+
"tier": "Foundational",
|
|
493
|
+
"scope": "Both",
|
|
494
|
+
"notes": "Verify monitoring detects abnormal consumption patterns — token flooding, API abuse, wallet drainage — before service impact"
|
|
495
|
+
},
|
|
496
|
+
{
|
|
497
|
+
"framework": "OWASP AI Testing Guide",
|
|
498
|
+
"control_id": "Per-user quota enforcement",
|
|
499
|
+
"control_name": "ACT — Access Control",
|
|
500
|
+
"tier": "Foundational",
|
|
501
|
+
"scope": "Both",
|
|
502
|
+
"notes": "Verify per-user and per-tenant quotas are enforced and cannot be bypassed through session switching or credential abuse"
|
|
503
|
+
},
|
|
504
|
+
{
|
|
505
|
+
"framework": "MAESTRO",
|
|
506
|
+
"control_id": "L4",
|
|
507
|
+
"control_name": "Deployment & Infrastructure",
|
|
508
|
+
"tier": "Foundational",
|
|
509
|
+
"scope": "Both"
|
|
510
|
+
},
|
|
511
|
+
{
|
|
512
|
+
"framework": "MAESTRO",
|
|
513
|
+
"control_id": "L3",
|
|
514
|
+
"control_name": "Agent Frameworks",
|
|
515
|
+
"tier": "Foundational",
|
|
516
|
+
"scope": "Both"
|
|
517
|
+
},
|
|
518
|
+
{
|
|
519
|
+
"framework": "MAESTRO",
|
|
520
|
+
"control_id": "L5",
|
|
521
|
+
"control_name": "Evaluation & Observability",
|
|
522
|
+
"tier": "Foundational",
|
|
523
|
+
"scope": "Both"
|
|
524
|
+
},
|
|
525
|
+
{
|
|
526
|
+
"framework": "AIUC-1",
|
|
527
|
+
"control_id": "D",
|
|
528
|
+
"control_name": "Reliability domain (all)",
|
|
529
|
+
"tier": "Foundational",
|
|
530
|
+
"scope": "Both",
|
|
531
|
+
"notes": "Foundational"
|
|
532
|
+
},
|
|
533
|
+
{
|
|
534
|
+
"framework": "AIUC-1",
|
|
535
|
+
"control_id": "B006",
|
|
536
|
+
"control_name": "Prevent unauthorized AI actions",
|
|
537
|
+
"tier": "Foundational",
|
|
538
|
+
"scope": "Both",
|
|
539
|
+
"notes": "Foundational"
|
|
540
|
+
},
|
|
541
|
+
{
|
|
542
|
+
"framework": "AIUC-1",
|
|
543
|
+
"control_id": "E",
|
|
544
|
+
"control_name": "Accountability domain",
|
|
545
|
+
"tier": "Foundational",
|
|
546
|
+
"scope": "Both",
|
|
547
|
+
"notes": "Foundational"
|
|
548
|
+
},
|
|
549
|
+
{
|
|
550
|
+
"framework": "OWASP NHI Top 10",
|
|
551
|
+
"control_id": "Single credential with access to multiple services — one exhaustion affects all",
|
|
552
|
+
"control_name": "NHI-5 Over-Privileged NHI",
|
|
553
|
+
"tier": "Foundational",
|
|
554
|
+
"scope": "Both",
|
|
555
|
+
"notes": "Separate credentials per service with independent quotas"
|
|
556
|
+
},
|
|
557
|
+
{
|
|
558
|
+
"framework": "OWASP NHI Top 10",
|
|
559
|
+
"control_id": "Shared credential used across services — quota exhaustion in one affects all",
|
|
560
|
+
"control_name": "NHI-9 NHI Reuse",
|
|
561
|
+
"tier": "Foundational",
|
|
562
|
+
"scope": "Both",
|
|
563
|
+
"notes": "Separate credentials per integration"
|
|
564
|
+
},
|
|
565
|
+
{
|
|
566
|
+
"framework": "NIST SP 800-218A",
|
|
567
|
+
"control_id": "PW.2.1-PS",
|
|
568
|
+
"control_name": "Design software — resource and throttling requirements",
|
|
569
|
+
"tier": "Foundational",
|
|
570
|
+
"scope": "Both",
|
|
571
|
+
"notes": "Define token limits, rate limits, and cost budgets as explicit security design requirements for all AI inference services; document in design specifications"
|
|
572
|
+
},
|
|
573
|
+
{
|
|
574
|
+
"framework": "NIST SP 800-218A",
|
|
575
|
+
"control_id": "PW.8.2-PS",
|
|
576
|
+
"control_name": "Test for security vulnerabilities — load and adversarial consumption testing",
|
|
577
|
+
"tier": "Foundational",
|
|
578
|
+
"scope": "Both",
|
|
579
|
+
"notes": "Conduct adversarial resource consumption testing (sponge examples, token amplification, recursive context injection) before each production release"
|
|
580
|
+
},
|
|
581
|
+
{
|
|
582
|
+
"framework": "NIST SP 800-218A",
|
|
583
|
+
"control_id": "RV.2.1-PS",
|
|
584
|
+
"control_name": "Assess, prioritise, and remediate — availability remediation",
|
|
585
|
+
"tier": "Foundational",
|
|
586
|
+
"scope": "Both",
|
|
587
|
+
"notes": "Define and test remediation procedures for availability incidents — rate limit tightening, model rollback, cost circuit breaker activation"
|
|
588
|
+
},
|
|
589
|
+
{
|
|
590
|
+
"framework": "NIST SP 800-218A",
|
|
591
|
+
"control_id": "PS.2.1-PS",
|
|
592
|
+
"control_name": "Verify software integrity — throttle and limit configuration integrity",
|
|
593
|
+
"tier": "Foundational",
|
|
594
|
+
"scope": "Both",
|
|
595
|
+
"notes": "Verify that rate limit and resource constraint configurations have not been altered before deployment; treat throttle configuration as a security artefact"
|
|
596
|
+
},
|
|
597
|
+
{
|
|
598
|
+
"framework": "FedRAMP",
|
|
599
|
+
"control_id": "SC-7",
|
|
600
|
+
"control_name": "Boundary Protection — rate limiting and cost controls",
|
|
601
|
+
"tier": "Foundational",
|
|
602
|
+
"scope": "Both",
|
|
603
|
+
"notes": "Enforce rate limiting, token quotas, and cost circuit breakers at the AI service boundary; define per-user and per-session consumption limits"
|
|
604
|
+
},
|
|
605
|
+
{
|
|
606
|
+
"framework": "FedRAMP",
|
|
607
|
+
"control_id": "SI-4",
|
|
608
|
+
"control_name": "System Monitoring — consumption anomaly detection",
|
|
609
|
+
"tier": "Foundational",
|
|
610
|
+
"scope": "Both",
|
|
611
|
+
"notes": "Monitor AI service consumption metrics — tokens, latency, cost — in real time; alert and auto-mitigate on consumption anomalies"
|
|
612
|
+
},
|
|
613
|
+
{
|
|
614
|
+
"framework": "FedRAMP",
|
|
615
|
+
"control_id": "CM-7",
|
|
616
|
+
"control_name": "Least Functionality — resource budget enforcement",
|
|
617
|
+
"tier": "Foundational",
|
|
618
|
+
"scope": "Both",
|
|
619
|
+
"notes": "Restrict AI services to defined resource budgets; disable unnecessary model capabilities; enforce compute and cost limits in configuration"
|
|
620
|
+
},
|
|
621
|
+
{
|
|
622
|
+
"framework": "FedRAMP",
|
|
623
|
+
"control_id": "IR-4",
|
|
624
|
+
"control_name": "Incident Handling — consumption incident response",
|
|
625
|
+
"tier": "Foundational",
|
|
626
|
+
"scope": "Both",
|
|
627
|
+
"notes": "Define incident handling procedures for AI consumption anomalies including automatic throttling, service suspension, and cost cap enforcement"
|
|
628
|
+
},
|
|
629
|
+
{
|
|
630
|
+
"framework": "DORA",
|
|
631
|
+
"control_id": "Art. 9",
|
|
632
|
+
"control_name": "Protection and Prevention — consumption controls",
|
|
633
|
+
"tier": "Foundational",
|
|
634
|
+
"scope": "Both",
|
|
635
|
+
"notes": "Implement rate limiting, token quotas, and cost circuit breakers on financial AI inference services; define per-user and per-service consumption limits"
|
|
636
|
+
},
|
|
637
|
+
{
|
|
638
|
+
"framework": "DORA",
|
|
639
|
+
"control_id": "Art. 10",
|
|
640
|
+
"control_name": "Detection — consumption anomaly detection",
|
|
641
|
+
"tier": "Foundational",
|
|
642
|
+
"scope": "Both",
|
|
643
|
+
"notes": "Monitor AI service consumption metrics in real time; alert on token spikes, latency degradation, and cost overruns affecting financial service availability"
|
|
644
|
+
},
|
|
645
|
+
{
|
|
646
|
+
"framework": "DORA",
|
|
647
|
+
"control_id": "Art. 12",
|
|
648
|
+
"control_name": "Backup Policies — AI service continuity",
|
|
649
|
+
"tier": "Foundational",
|
|
650
|
+
"scope": "Both",
|
|
651
|
+
"notes": "Maintain backup model deployments and fallback inference paths for AI services supporting critical financial functions; test restoration procedures"
|
|
652
|
+
},
|
|
653
|
+
{
|
|
654
|
+
"framework": "DORA",
|
|
655
|
+
"control_id": "Art. 11",
|
|
656
|
+
"control_name": "Response and Recovery — consumption incident response",
|
|
657
|
+
"tier": "Foundational",
|
|
658
|
+
"scope": "Both",
|
|
659
|
+
"notes": "Define response and recovery procedures for AI consumption incidents; include automatic throttling, failover activation, and service restoration"
|
|
660
|
+
}
|
|
661
|
+
],
|
|
662
|
+
"tools": [
|
|
663
|
+
{
|
|
664
|
+
"name": "Kong Gateway",
|
|
665
|
+
"type": "open-source",
|
|
666
|
+
"url": "https://github.com/Kong/kong"
|
|
667
|
+
},
|
|
668
|
+
{
|
|
669
|
+
"name": "Nginx (rate limiting)",
|
|
670
|
+
"type": "open-source",
|
|
671
|
+
"url": "https://nginx.org"
|
|
672
|
+
},
|
|
673
|
+
{
|
|
674
|
+
"name": "LiteLLM",
|
|
675
|
+
"type": "open-source",
|
|
676
|
+
"url": "https://github.com/BerriAI/litellm"
|
|
677
|
+
},
|
|
678
|
+
{
|
|
679
|
+
"name": "OpenTelemetry",
|
|
680
|
+
"type": "open-source",
|
|
681
|
+
"url": "https://opentelemetry.io"
|
|
682
|
+
},
|
|
683
|
+
{
|
|
684
|
+
"name": "Claroty",
|
|
685
|
+
"type": "commercial",
|
|
686
|
+
"url": "https://claroty.com"
|
|
687
|
+
},
|
|
688
|
+
{
|
|
689
|
+
"name": "Nozomi Networks",
|
|
690
|
+
"type": "commercial",
|
|
691
|
+
"url": "https://www.nozominetworks.com"
|
|
692
|
+
},
|
|
693
|
+
{
|
|
694
|
+
"name": "LiteLLM (rate limiting)",
|
|
695
|
+
"type": "open-source",
|
|
696
|
+
"url": "https://github.com/BerriAI/litellm"
|
|
697
|
+
},
|
|
698
|
+
{
|
|
699
|
+
"name": "AWS Budgets / Azure Cost Management",
|
|
700
|
+
"type": "commercial",
|
|
701
|
+
"url": "https://aws.amazon.com/aws-cost-management/aws-budgets/"
|
|
702
|
+
},
|
|
703
|
+
{
|
|
704
|
+
"name": "Inspect AI",
|
|
705
|
+
"url": "https://github.com/UKGovernmentBEIS/inspect_ai",
|
|
706
|
+
"type": "open-source"
|
|
707
|
+
}
|
|
708
|
+
],
|
|
709
|
+
"incidents": [
|
|
710
|
+
{
|
|
711
|
+
"name": "Clarkesworld magazine overwhelmed by AI-generated fiction submissions",
|
|
712
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
713
|
+
"year": 2023,
|
|
714
|
+
"incident_id": "INC-014"
|
|
715
|
+
},
|
|
716
|
+
{
|
|
717
|
+
"name": "AutoGPT and BabyAGI — uncontrolled web browsing and file system access",
|
|
718
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
719
|
+
"year": 2023,
|
|
720
|
+
"incident_id": "INC-017"
|
|
721
|
+
},
|
|
722
|
+
{
|
|
723
|
+
"name": "AI voice deepfake CEO fraud — Hong Kong $25M loss",
|
|
724
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
725
|
+
"year": 2024,
|
|
726
|
+
"incident_id": "INC-026"
|
|
727
|
+
},
|
|
728
|
+
{
|
|
729
|
+
"name": "Anthropic Claude context flooding — resource exhaustion via adversarial long-context prompts",
|
|
730
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
731
|
+
"year": 2024,
|
|
732
|
+
"incident_id": "INC-045"
|
|
733
|
+
}
|
|
734
|
+
],
|
|
735
|
+
"crossrefs": {
|
|
736
|
+
"llm_top10": [
|
|
737
|
+
"LLM01",
|
|
738
|
+
"LLM06",
|
|
739
|
+
"LLM07",
|
|
740
|
+
"LLM02",
|
|
741
|
+
"LLM05",
|
|
742
|
+
"LLM03",
|
|
743
|
+
"LLM04",
|
|
744
|
+
"LLM08",
|
|
745
|
+
"LLM09"
|
|
746
|
+
],
|
|
747
|
+
"agentic_top10": [
|
|
748
|
+
"ASI08",
|
|
749
|
+
"ASI10"
|
|
750
|
+
],
|
|
751
|
+
"dsgai_2026": [
|
|
752
|
+
"DSGAI17"
|
|
753
|
+
]
|
|
754
|
+
},
|
|
755
|
+
"changelog": [
|
|
756
|
+
{
|
|
757
|
+
"date": "2026-03-27",
|
|
758
|
+
"version": "1.0.0",
|
|
759
|
+
"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
|
|
760
|
+
"author": "emmanuelgjr"
|
|
761
|
+
}
|
|
762
|
+
]
|
|
763
|
+
}
|