genai-security-crosswalk 2.0.0
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
@@ -0,0 +1,817 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "ASI06",
|
|
3
|
+
"name": "Memory and Context Poisoning",
|
|
4
|
+
"source_list": "Agentic-Top10-2026",
|
|
5
|
+
"version": "2026-Q1",
|
|
6
|
+
"severity": "High",
|
|
7
|
+
"aivss_score": 8.7,
|
|
8
|
+
"audience": [
|
|
9
|
+
"red-teamer",
|
|
10
|
+
"security-engineer",
|
|
11
|
+
"ml-engineer",
|
|
12
|
+
"ot-engineer",
|
|
13
|
+
"ciso",
|
|
14
|
+
"compliance",
|
|
15
|
+
"auditor",
|
|
16
|
+
"developer"
|
|
17
|
+
],
|
|
18
|
+
"mappings": [
|
|
19
|
+
{
|
|
20
|
+
"framework": "MITRE ATLAS",
|
|
21
|
+
"control_id": "AML.T0032",
|
|
22
|
+
"control_name": "Data Poisoning",
|
|
23
|
+
"tier": "Hardening",
|
|
24
|
+
"scope": "Both",
|
|
25
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0032",
|
|
26
|
+
"notes": "Injecting malicious content into agent persistent memory or RAG stores"
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"framework": "MITRE ATLAS",
|
|
30
|
+
"control_id": "AML.T0063",
|
|
31
|
+
"control_name": "Embedding Manipulation",
|
|
32
|
+
"tier": "Hardening",
|
|
33
|
+
"scope": "Both",
|
|
34
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0063",
|
|
35
|
+
"notes": "Crafting content whose embeddings bias future retrieval results in attacker's favour"
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"framework": "MITRE ATLAS",
|
|
39
|
+
"control_id": "AML.T0020",
|
|
40
|
+
"control_name": "Backdoor via Poisoned Memory",
|
|
41
|
+
"tier": "Hardening",
|
|
42
|
+
"scope": "Both",
|
|
43
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0020",
|
|
44
|
+
"notes": "Establishing persistent trigger-response patterns in agent memory stores"
|
|
45
|
+
},
|
|
46
|
+
{
|
|
47
|
+
"framework": "NIST AI RMF 1.0",
|
|
48
|
+
"control_id": "GV-1.6",
|
|
49
|
+
"control_name": "Policies for data privacy",
|
|
50
|
+
"tier": "Hardening",
|
|
51
|
+
"scope": "Both",
|
|
52
|
+
"notes": "Agent memory treated as sensitive data asset — classification, access controls, retention policy"
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
"framework": "NIST AI RMF 1.0",
|
|
56
|
+
"control_id": "MP-2.3",
|
|
57
|
+
"control_name": "Risk categorisation",
|
|
58
|
+
"tier": "Hardening",
|
|
59
|
+
"scope": "Both",
|
|
60
|
+
"notes": "Memory poisoning risk mapped per agent — memory stores, trust levels, access controls, TTL documented"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"framework": "NIST AI RMF 1.0",
|
|
64
|
+
"control_id": "MS-2.5",
|
|
65
|
+
"control_name": "Testing — adversarial",
|
|
66
|
+
"tier": "Hardening",
|
|
67
|
+
"scope": "Both",
|
|
68
|
+
"notes": "Adversarial testing of memory integrity — poisoning scenarios, anomaly detection effectiveness"
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
"framework": "NIST AI RMF 1.0",
|
|
72
|
+
"control_id": "MG-2.4",
|
|
73
|
+
"control_name": "Risk response — data",
|
|
74
|
+
"tier": "Hardening",
|
|
75
|
+
"scope": "Both",
|
|
76
|
+
"notes": "Response for confirmed memory poisoning — audit procedure, content purge, operational impact assessment"
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
"framework": "EU AI Act",
|
|
80
|
+
"control_id": "Data governance applies to all data influencing AI behaviour — including agent memory",
|
|
81
|
+
"control_name": "Art. 10 — Data and data governance",
|
|
82
|
+
"tier": "Hardening",
|
|
83
|
+
"scope": "Both",
|
|
84
|
+
"notes": "Agent memory governance — classification, access controls, integrity validation, retention — is an Art. 10 requirement"
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
"framework": "EU AI Act",
|
|
88
|
+
"control_id": "Technical resilience against adversarial memory manipulation",
|
|
89
|
+
"control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
|
|
90
|
+
"tier": "Hardening",
|
|
91
|
+
"scope": "Both",
|
|
92
|
+
"notes": "Memory integrity monitoring and access controls are Art. 15 requirements"
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
"framework": "EU AI Act",
|
|
96
|
+
"control_id": "Post-market monitoring for memory integrity",
|
|
97
|
+
"control_name": "Art. 17 — Quality management",
|
|
98
|
+
"tier": "Hardening",
|
|
99
|
+
"scope": "Both",
|
|
100
|
+
"notes": "Memory anomaly detection in post-market monitoring programme"
|
|
101
|
+
},
|
|
102
|
+
{
|
|
103
|
+
"framework": "ISO/IEC 27001:2022",
|
|
104
|
+
"control_id": "A.8.3",
|
|
105
|
+
"control_name": "Information access restriction",
|
|
106
|
+
"tier": "Hardening",
|
|
107
|
+
"scope": "Both",
|
|
108
|
+
"notes": "Access controls on all agent memory stores — only agent and designated administrators can write"
|
|
109
|
+
},
|
|
110
|
+
{
|
|
111
|
+
"framework": "ISO/IEC 27001:2022",
|
|
112
|
+
"control_id": "A.8.24",
|
|
113
|
+
"control_name": "Use of cryptography",
|
|
114
|
+
"tier": "Hardening",
|
|
115
|
+
"scope": "Both",
|
|
116
|
+
"notes": "Agent memory stores encrypted at rest — embeddings, long-term memory, operational knowledge base"
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
"framework": "ISO/IEC 27001:2022",
|
|
120
|
+
"control_id": "A.8.16",
|
|
121
|
+
"control_name": "Monitoring activities",
|
|
122
|
+
"tier": "Hardening",
|
|
123
|
+
"scope": "Both",
|
|
124
|
+
"notes": "Memory store access and content monitored — anomalous write patterns, statistical integrity checks"
|
|
125
|
+
},
|
|
126
|
+
{
|
|
127
|
+
"framework": "ISO/IEC 27001:2022",
|
|
128
|
+
"control_id": "A.8.12",
|
|
129
|
+
"control_name": "Data leakage prevention",
|
|
130
|
+
"tier": "Hardening",
|
|
131
|
+
"scope": "Both",
|
|
132
|
+
"notes": "DLP on memory write paths — credential patterns, sensitive content detected before memory write"
|
|
133
|
+
},
|
|
134
|
+
{
|
|
135
|
+
"framework": "ISO/IEC 42001:2023",
|
|
136
|
+
"control_id": "A.7.2",
|
|
137
|
+
"control_name": "Data quality",
|
|
138
|
+
"tier": "Hardening",
|
|
139
|
+
"scope": "Both",
|
|
140
|
+
"notes": "Agent memory content quality requirements — access controls, integrity verification, TTL as data quality controls"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"framework": "ISO/IEC 42001:2023",
|
|
144
|
+
"control_id": "A.7.3",
|
|
145
|
+
"control_name": "Data provenance and characteristics",
|
|
146
|
+
"tier": "Hardening",
|
|
147
|
+
"scope": "Both",
|
|
148
|
+
"notes": "Memory provenance tracked — source, write access controls, TTL, modification history in AIMS"
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
"framework": "ISO/IEC 42001:2023",
|
|
152
|
+
"control_id": "A.6.2.3",
|
|
153
|
+
"control_name": "AI system security",
|
|
154
|
+
"tier": "Hardening",
|
|
155
|
+
"scope": "Both",
|
|
156
|
+
"notes": "Memory store access controls and integrity monitoring as AIMS security design requirements"
|
|
157
|
+
},
|
|
158
|
+
{
|
|
159
|
+
"framework": "ISO/IEC 42001:2023",
|
|
160
|
+
"control_id": "A.6.2.8",
|
|
161
|
+
"control_name": "Monitoring of AI systems",
|
|
162
|
+
"tier": "Hardening",
|
|
163
|
+
"scope": "Both",
|
|
164
|
+
"notes": "Memory integrity monitored in operation — anomalous write patterns, content integrity checks as AIMS monitoring"
|
|
165
|
+
},
|
|
166
|
+
{
|
|
167
|
+
"framework": "CIS Controls v8.1",
|
|
168
|
+
"control_id": "3.11 Encrypt sensitive data at rest",
|
|
169
|
+
"control_name": "CIS 3 — Data Protection",
|
|
170
|
+
"tier": "Hardening",
|
|
171
|
+
"scope": "Both",
|
|
172
|
+
"notes": "Agent memory stores encrypted at rest — embeddings, long-term memory, operational knowledge"
|
|
173
|
+
},
|
|
174
|
+
{
|
|
175
|
+
"framework": "CIS Controls v8.1",
|
|
176
|
+
"control_id": "8.2 Collect audit logs",
|
|
177
|
+
"control_name": "CIS 8 — Audit Log Management",
|
|
178
|
+
"tier": "Hardening",
|
|
179
|
+
"scope": "Both",
|
|
180
|
+
"notes": "Memory write operations logged — who or what wrote, when, content hash"
|
|
181
|
+
},
|
|
182
|
+
{
|
|
183
|
+
"framework": "CIS Controls v8.1",
|
|
184
|
+
"control_id": "16.1 Establish secure development standards",
|
|
185
|
+
"control_name": "CIS 16 — Application Software Security",
|
|
186
|
+
"tier": "Hardening",
|
|
187
|
+
"scope": "Both",
|
|
188
|
+
"notes": "Memory write validation as secure development requirement — untrusted sources cannot write directly"
|
|
189
|
+
},
|
|
190
|
+
{
|
|
191
|
+
"framework": "CIS Controls v8.1",
|
|
192
|
+
"control_id": "13.3 Deploy a network-based intrusion detection system",
|
|
193
|
+
"control_name": "CIS 13 — Network Monitoring",
|
|
194
|
+
"tier": "Hardening",
|
|
195
|
+
"scope": "Both",
|
|
196
|
+
"notes": "Memory store access monitored — bulk read, anomalous write patterns detected"
|
|
197
|
+
},
|
|
198
|
+
{
|
|
199
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
200
|
+
"control_id": "V5.1.1",
|
|
201
|
+
"control_name": "Verify all user input validated against allowlist",
|
|
202
|
+
"tier": "Hardening",
|
|
203
|
+
"scope": "Both",
|
|
204
|
+
"notes": "All content entering agent memory validated — injection patterns rejected at write boundary"
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
208
|
+
"control_id": "V4.1.3",
|
|
209
|
+
"control_name": "Verify access control enforces least privilege",
|
|
210
|
+
"tier": "Hardening",
|
|
211
|
+
"scope": "Both",
|
|
212
|
+
"notes": "Memory write access restricted to minimum required sources — only agent and authorised administrators can write"
|
|
213
|
+
},
|
|
214
|
+
{
|
|
215
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
216
|
+
"control_id": "V6.1.1",
|
|
217
|
+
"control_name": "Verify sensitive data encrypted at rest",
|
|
218
|
+
"tier": "Hardening",
|
|
219
|
+
"scope": "Both",
|
|
220
|
+
"notes": "Agent memory stores encrypted at rest — embeddings, long-term memory"
|
|
221
|
+
},
|
|
222
|
+
{
|
|
223
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
224
|
+
"control_id": "V12.1.1",
|
|
225
|
+
"control_name": "Verify file upload malware scanning",
|
|
226
|
+
"tier": "Hardening",
|
|
227
|
+
"scope": "Both",
|
|
228
|
+
"notes": "Content entering agent memory scanned — adversarial content, injection patterns detected before write"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"framework": "ISA/IEC 62443",
|
|
232
|
+
"control_id": "SR 3.3",
|
|
233
|
+
"control_name": "Software and information integrity",
|
|
234
|
+
"tier": "Hardening",
|
|
235
|
+
"scope": "Both",
|
|
236
|
+
"notes": "Agent memory content validated for integrity — unauthorised modifications detected"
|
|
237
|
+
},
|
|
238
|
+
{
|
|
239
|
+
"framework": "ISA/IEC 62443",
|
|
240
|
+
"control_id": "SR 3.7",
|
|
241
|
+
"control_name": "Software and information integrity (monitoring)",
|
|
242
|
+
"tier": "Hardening",
|
|
243
|
+
"scope": "Both",
|
|
244
|
+
"notes": "Continuous monitoring of agent memory for anomalous content patterns or unexpected modifications"
|
|
245
|
+
},
|
|
246
|
+
{
|
|
247
|
+
"framework": "ISA/IEC 62443",
|
|
248
|
+
"control_id": "SR 6.1",
|
|
249
|
+
"control_name": "Timely response to events",
|
|
250
|
+
"tier": "Hardening",
|
|
251
|
+
"scope": "Both",
|
|
252
|
+
"notes": "Memory poisoning indicators treated as security events — agent suspended, memory audited, human notified"
|
|
253
|
+
},
|
|
254
|
+
{
|
|
255
|
+
"framework": "ISA/IEC 62443",
|
|
256
|
+
"control_id": "SR 3.1",
|
|
257
|
+
"control_name": "Software and information integrity (baseline)",
|
|
258
|
+
"tier": "Hardening",
|
|
259
|
+
"scope": "Both",
|
|
260
|
+
"notes": "Agent memory baseline established and maintained — deviations from baseline detectable"
|
|
261
|
+
},
|
|
262
|
+
{
|
|
263
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
264
|
+
"control_id": "Data confidentiality risks in OT",
|
|
265
|
+
"control_name": "§5.4",
|
|
266
|
+
"tier": "Hardening",
|
|
267
|
+
"scope": "Both",
|
|
268
|
+
"notes": "OT data exfiltration via compromised automation"
|
|
269
|
+
},
|
|
270
|
+
{
|
|
271
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
272
|
+
"control_id": "Risk assessment",
|
|
273
|
+
"control_name": "§6.2",
|
|
274
|
+
"tier": "Hardening",
|
|
275
|
+
"scope": "Both",
|
|
276
|
+
"notes": "Assess outbound data paths from agent"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
280
|
+
"control_id": "Network monitoring",
|
|
281
|
+
"control_name": "§7.3",
|
|
282
|
+
"tier": "Hardening",
|
|
283
|
+
"scope": "Both",
|
|
284
|
+
"notes": "Monitor all outbound data from OT zone"
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"framework": "NIST CSF 2.0",
|
|
288
|
+
"control_id": "PR.DS-01",
|
|
289
|
+
"control_name": "Data Security",
|
|
290
|
+
"tier": "Hardening",
|
|
291
|
+
"scope": "Both",
|
|
292
|
+
"notes": "Agent memory stores protected at rest — access controls, encryption, integrity verification"
|
|
293
|
+
},
|
|
294
|
+
{
|
|
295
|
+
"framework": "NIST CSF 2.0",
|
|
296
|
+
"control_id": "DE.CM-09",
|
|
297
|
+
"control_name": "Continuous Monitoring",
|
|
298
|
+
"tier": "Hardening",
|
|
299
|
+
"scope": "Both",
|
|
300
|
+
"notes": "Monitoring for anomalous data — memory content integrity checks, unusual write patterns detected"
|
|
301
|
+
},
|
|
302
|
+
{
|
|
303
|
+
"framework": "NIST CSF 2.0",
|
|
304
|
+
"control_id": "ID.AM-08",
|
|
305
|
+
"control_name": "Asset Management",
|
|
306
|
+
"tier": "Hardening",
|
|
307
|
+
"scope": "Both",
|
|
308
|
+
"notes": "Agent memory stores inventoried as data assets — content classification, access controls, TTL documented"
|
|
309
|
+
},
|
|
310
|
+
{
|
|
311
|
+
"framework": "NIST CSF 2.0",
|
|
312
|
+
"control_id": "RS.AN-03",
|
|
313
|
+
"control_name": "Incident Analysis",
|
|
314
|
+
"tier": "Hardening",
|
|
315
|
+
"scope": "Both",
|
|
316
|
+
"notes": "Memory poisoning incidents analysed — affected sessions identified, operational decisions influenced reviewed"
|
|
317
|
+
},
|
|
318
|
+
{
|
|
319
|
+
"framework": "SOC 2",
|
|
320
|
+
"control_id": "Memory poisoning risk documented in risk assessment — scenarios for RAG, persistent memory, and context window corruption",
|
|
321
|
+
"control_name": "CC3.3",
|
|
322
|
+
"tier": "Hardening",
|
|
323
|
+
"scope": "Both",
|
|
324
|
+
"notes": "Risk register with memory poisoning entries"
|
|
325
|
+
},
|
|
326
|
+
{
|
|
327
|
+
"framework": "SOC 2",
|
|
328
|
+
"control_id": "Agent memory stores monitored for unexpected modifications — baseline established, deviations trigger alerts",
|
|
329
|
+
"control_name": "CC7.2",
|
|
330
|
+
"tier": "Hardening",
|
|
331
|
+
"scope": "Both",
|
|
332
|
+
"notes": "Memory access log, anomaly alert configuration"
|
|
333
|
+
},
|
|
334
|
+
{
|
|
335
|
+
"framework": "SOC 2",
|
|
336
|
+
"control_id": "Processing based on compromised memory is not authorised — memory integrity controls support PI1 evidence",
|
|
337
|
+
"control_name": "PI1.1",
|
|
338
|
+
"tier": "Hardening",
|
|
339
|
+
"scope": "Both",
|
|
340
|
+
"notes": "Integrity verification configuration"
|
|
341
|
+
},
|
|
342
|
+
{
|
|
343
|
+
"framework": "SOC 2",
|
|
344
|
+
"control_id": "Controls on memory store write access — only authorised processes may write to agent memory stores",
|
|
345
|
+
"control_name": "CC5.2",
|
|
346
|
+
"tier": "Hardening",
|
|
347
|
+
"scope": "Both",
|
|
348
|
+
"notes": "Memory access policy, write access controls"
|
|
349
|
+
},
|
|
350
|
+
{
|
|
351
|
+
"framework": "PCI DSS v4.0",
|
|
352
|
+
"control_id": "PAN in agent memory protected — primary account numbers truncated or masked if stored in agent context or memory stores",
|
|
353
|
+
"control_name": "Req 3.4",
|
|
354
|
+
"tier": "Hardening",
|
|
355
|
+
"scope": "Both",
|
|
356
|
+
"notes": "Memory store review, PAN protection evidence"
|
|
357
|
+
},
|
|
358
|
+
{
|
|
359
|
+
"framework": "PCI DSS v4.0",
|
|
360
|
+
"control_id": "Agent memory encryption — CHD in persistent memory stores encrypted using strong cryptography",
|
|
361
|
+
"control_name": "Req 3.5",
|
|
362
|
+
"tier": "Hardening",
|
|
363
|
+
"scope": "Both",
|
|
364
|
+
"notes": "Encryption configuration, key management records"
|
|
365
|
+
},
|
|
366
|
+
{
|
|
367
|
+
"framework": "PCI DSS v4.0",
|
|
368
|
+
"control_id": "Model and memory changes managed — updates to agent memory stores treated as system changes requiring security review",
|
|
369
|
+
"control_name": "Req 6.5",
|
|
370
|
+
"tier": "Hardening",
|
|
371
|
+
"scope": "Both",
|
|
372
|
+
"notes": "Change management records"
|
|
373
|
+
},
|
|
374
|
+
{
|
|
375
|
+
"framework": "PCI DSS v4.0",
|
|
376
|
+
"control_id": "Memory poisoning in penetration test scope — test whether adversarial content in memory affects agent behaviour",
|
|
377
|
+
"control_name": "Req 11.3",
|
|
378
|
+
"tier": "Hardening",
|
|
379
|
+
"scope": "Both",
|
|
380
|
+
"notes": "Pen test report"
|
|
381
|
+
},
|
|
382
|
+
{
|
|
383
|
+
"framework": "ENISA Multilayer Framework",
|
|
384
|
+
"control_id": "L2",
|
|
385
|
+
"control_name": "Data and Model Security (DMS)",
|
|
386
|
+
"tier": "Hardening",
|
|
387
|
+
"scope": "Both",
|
|
388
|
+
"notes": "Agent memory stores classified and protected as sensitive AI data assets — integrity verification, access controls, immutable audit log"
|
|
389
|
+
},
|
|
390
|
+
{
|
|
391
|
+
"framework": "ENISA Multilayer Framework",
|
|
392
|
+
"control_id": "L2",
|
|
393
|
+
"control_name": "AI System Integrity (ASI)",
|
|
394
|
+
"tier": "Hardening",
|
|
395
|
+
"scope": "Both",
|
|
396
|
+
"notes": "AI system integrity verification includes memory poisoning testing — adversarial inputs designed to corrupt persistent agent state"
|
|
397
|
+
},
|
|
398
|
+
{
|
|
399
|
+
"framework": "ENISA Multilayer Framework",
|
|
400
|
+
"control_id": "L2",
|
|
401
|
+
"control_name": "Monitoring and Detection (MON)",
|
|
402
|
+
"tier": "Hardening",
|
|
403
|
+
"scope": "Both",
|
|
404
|
+
"notes": "Agent memory stores monitored for unexpected modifications — drift detection on persistent context"
|
|
405
|
+
},
|
|
406
|
+
{
|
|
407
|
+
"framework": "ENISA Multilayer Framework",
|
|
408
|
+
"control_id": "L1",
|
|
409
|
+
"control_name": "General ICT — Data Protection",
|
|
410
|
+
"tier": "Hardening",
|
|
411
|
+
"scope": "Both",
|
|
412
|
+
"notes": "Agent memory stores access-controlled — only the owning agent process has write access"
|
|
413
|
+
},
|
|
414
|
+
{
|
|
415
|
+
"framework": "OWASP SAMM v2.0",
|
|
416
|
+
"control_id": "D-TA",
|
|
417
|
+
"control_name": "Design / Threat Assessment",
|
|
418
|
+
"tier": "Hardening",
|
|
419
|
+
"scope": "Both",
|
|
420
|
+
"notes": "Enumerate all outbound data paths from agent: tools, APIs, generated output"
|
|
421
|
+
},
|
|
422
|
+
{
|
|
423
|
+
"framework": "OWASP SAMM v2.0",
|
|
424
|
+
"control_id": "V-ST",
|
|
425
|
+
"control_name": "Verification / Security Testing",
|
|
426
|
+
"tier": "Hardening",
|
|
427
|
+
"scope": "Both",
|
|
428
|
+
"notes": "Test whether agent can be instructed to exfiltrate via each outbound channel"
|
|
429
|
+
},
|
|
430
|
+
{
|
|
431
|
+
"framework": "OWASP SAMM v2.0",
|
|
432
|
+
"control_id": "O-IM",
|
|
433
|
+
"control_name": "Operations / Incident Management",
|
|
434
|
+
"tier": "Hardening",
|
|
435
|
+
"scope": "Both",
|
|
436
|
+
"notes": "Alert on unexpected data volumes in tool calls or API responses"
|
|
437
|
+
},
|
|
438
|
+
{
|
|
439
|
+
"framework": "OWASP SAMM v2.0",
|
|
440
|
+
"control_id": "O-OM",
|
|
441
|
+
"control_name": "Operations / Operational Management",
|
|
442
|
+
"tier": "Hardening",
|
|
443
|
+
"scope": "Both",
|
|
444
|
+
"notes": "Apply DLP controls to all agent-generated output before delivery"
|
|
445
|
+
},
|
|
446
|
+
{
|
|
447
|
+
"framework": "OWASP SAMM v2.0",
|
|
448
|
+
"control_id": "D-SA",
|
|
449
|
+
"control_name": "Design / Security Architecture",
|
|
450
|
+
"tier": "Hardening",
|
|
451
|
+
"scope": "Both",
|
|
452
|
+
"notes": "All agent outputs pass through content inspection before leaving system boundary"
|
|
453
|
+
},
|
|
454
|
+
{
|
|
455
|
+
"framework": "CWE/CVE",
|
|
456
|
+
"control_id": "Acceptance of Extraneous Untrusted Data with Trusted Data",
|
|
457
|
+
"control_name": "CWE-349",
|
|
458
|
+
"tier": "Foundational",
|
|
459
|
+
"scope": "Both",
|
|
460
|
+
"notes": "Agent memory store accepts writes from untrusted sources alongside trusted operational knowledge"
|
|
461
|
+
},
|
|
462
|
+
{
|
|
463
|
+
"framework": "CWE/CVE",
|
|
464
|
+
"control_id": "Insufficient Verification of Data Authenticity",
|
|
465
|
+
"control_name": "CWE-345",
|
|
466
|
+
"tier": "Foundational",
|
|
467
|
+
"scope": "Both",
|
|
468
|
+
"notes": "Memory content not integrity-verified before storage or retrieval"
|
|
469
|
+
},
|
|
470
|
+
{
|
|
471
|
+
"framework": "CWE/CVE",
|
|
472
|
+
"control_id": "Improper Input Validation",
|
|
473
|
+
"control_name": "CWE-20",
|
|
474
|
+
"tier": "Foundational",
|
|
475
|
+
"scope": "Both",
|
|
476
|
+
"notes": "Content entering agent memory not validated before write"
|
|
477
|
+
},
|
|
478
|
+
{
|
|
479
|
+
"framework": "CWE/CVE",
|
|
480
|
+
"control_id": "Improper Access Control",
|
|
481
|
+
"control_name": "CWE-284",
|
|
482
|
+
"tier": "Foundational",
|
|
483
|
+
"scope": "Both",
|
|
484
|
+
"notes": "Vector store and memory databases with insufficient access controls permitting unauthorised writes"
|
|
485
|
+
},
|
|
486
|
+
{
|
|
487
|
+
"framework": "CWE/CVE",
|
|
488
|
+
"control_id": "Multiple Releases of Same Resource or Handle",
|
|
489
|
+
"control_name": "CWE-1341",
|
|
490
|
+
"tier": "Foundational",
|
|
491
|
+
"scope": "Both",
|
|
492
|
+
"notes": "Memory TTL not enforced — entries persist beyond intended lifetime"
|
|
493
|
+
},
|
|
494
|
+
{
|
|
495
|
+
"framework": "OWASP AI Testing Guide",
|
|
496
|
+
"control_id": "Memory write path injection",
|
|
497
|
+
"control_name": "AST — Agent-Specific",
|
|
498
|
+
"tier": "Hardening",
|
|
499
|
+
"scope": "Both",
|
|
500
|
+
"notes": "Attempt to poison memory through every channel that can write to agent memory stores"
|
|
501
|
+
},
|
|
502
|
+
{
|
|
503
|
+
"framework": "OWASP AI Testing Guide",
|
|
504
|
+
"control_id": "Poisoned memory influence detection",
|
|
505
|
+
"control_name": "MBT — Model Behaviour",
|
|
506
|
+
"tier": "Hardening",
|
|
507
|
+
"scope": "Both",
|
|
508
|
+
"notes": "Verify that behaviour influenced by poisoned memory differs detectably from baseline"
|
|
509
|
+
},
|
|
510
|
+
{
|
|
511
|
+
"framework": "OWASP AI Testing Guide",
|
|
512
|
+
"control_id": "Memory content integrity",
|
|
513
|
+
"control_name": "DPT — Data Protection",
|
|
514
|
+
"tier": "Hardening",
|
|
515
|
+
"scope": "Both",
|
|
516
|
+
"notes": "Verify memory store content integrity monitoring detects unauthorised modification"
|
|
517
|
+
},
|
|
518
|
+
{
|
|
519
|
+
"framework": "MAESTRO",
|
|
520
|
+
"control_id": "L2",
|
|
521
|
+
"control_name": "Data Operations",
|
|
522
|
+
"tier": "Hardening",
|
|
523
|
+
"scope": "Both"
|
|
524
|
+
},
|
|
525
|
+
{
|
|
526
|
+
"framework": "MAESTRO",
|
|
527
|
+
"control_id": "L1",
|
|
528
|
+
"control_name": "Foundation Models",
|
|
529
|
+
"tier": "Hardening",
|
|
530
|
+
"scope": "Both"
|
|
531
|
+
},
|
|
532
|
+
{
|
|
533
|
+
"framework": "MAESTRO",
|
|
534
|
+
"control_id": "L5",
|
|
535
|
+
"control_name": "Evaluation & Observability",
|
|
536
|
+
"tier": "Hardening",
|
|
537
|
+
"scope": "Both"
|
|
538
|
+
},
|
|
539
|
+
{
|
|
540
|
+
"framework": "AIUC-1",
|
|
541
|
+
"control_id": "A",
|
|
542
|
+
"control_name": "Data & Privacy (full domain)",
|
|
543
|
+
"tier": "Hardening",
|
|
544
|
+
"scope": "Both"
|
|
545
|
+
},
|
|
546
|
+
{
|
|
547
|
+
"framework": "AIUC-1",
|
|
548
|
+
"control_id": "B002",
|
|
549
|
+
"control_name": "Detect adversarial input",
|
|
550
|
+
"tier": "Hardening",
|
|
551
|
+
"scope": "Both"
|
|
552
|
+
},
|
|
553
|
+
{
|
|
554
|
+
"framework": "AIUC-1",
|
|
555
|
+
"control_id": "B005",
|
|
556
|
+
"control_name": "Implement real-time input filtering",
|
|
557
|
+
"tier": "Hardening",
|
|
558
|
+
"scope": "Both"
|
|
559
|
+
},
|
|
560
|
+
{
|
|
561
|
+
"framework": "OWASP NHI Top 10",
|
|
562
|
+
"control_id": "Memory store credentials leaked — attacker writes poisoned content directly",
|
|
563
|
+
"control_name": "NHI-2 Secret Leakage",
|
|
564
|
+
"tier": "Hardening",
|
|
565
|
+
"scope": "Both",
|
|
566
|
+
"notes": "Scan all paths where memory store credentials could leak — logs, config, agent context"
|
|
567
|
+
},
|
|
568
|
+
{
|
|
569
|
+
"framework": "OWASP NHI Top 10",
|
|
570
|
+
"control_id": "Memory store credentials in cleartext — trivially extracted",
|
|
571
|
+
"control_name": "NHI-6 Insecure Credential Storage",
|
|
572
|
+
"tier": "Hardening",
|
|
573
|
+
"scope": "Both",
|
|
574
|
+
"notes": "Secret manager for all memory store credentials — no cleartext anywhere"
|
|
575
|
+
},
|
|
576
|
+
{
|
|
577
|
+
"framework": "OWASP NHI Top 10",
|
|
578
|
+
"control_id": "Long-lived memory store credentials enable persistent access for attacker",
|
|
579
|
+
"control_name": "NHI-7 Long-Lived Credentials",
|
|
580
|
+
"tier": "Hardening",
|
|
581
|
+
"scope": "Both",
|
|
582
|
+
"notes": "Short-lived credentials for memory store access — rotate on each agent session"
|
|
583
|
+
},
|
|
584
|
+
{
|
|
585
|
+
"framework": "NIST SP 800-218A",
|
|
586
|
+
"control_id": "Protect agent memory stores, context databases, and shared state repositories from unauthorised read, write, and modification; enforce access controls per agent identity",
|
|
587
|
+
"control_name": "PS.1.1-PS – Protect all code from unauthorised access",
|
|
588
|
+
"tier": "Foundational",
|
|
589
|
+
"scope": "Both",
|
|
590
|
+
"notes": "Prevents direct tampering with agent memory and context"
|
|
591
|
+
},
|
|
592
|
+
{
|
|
593
|
+
"framework": "NIST SP 800-218A",
|
|
594
|
+
"control_id": "Maintain versioned, integrity-verified snapshots of agent memory and context stores; enable rollback to pre-poisoning states",
|
|
595
|
+
"control_name": "PS.3.1-PS – Archive and protect software releases",
|
|
596
|
+
"tier": "Foundational",
|
|
597
|
+
"scope": "Both",
|
|
598
|
+
"notes": "Ensures recovery capability for memory poisoning incidents"
|
|
599
|
+
},
|
|
600
|
+
{
|
|
601
|
+
"framework": "NIST SP 800-218A",
|
|
602
|
+
"control_id": "Review agent behaviour for memory-influenced anomalies — verify that persistent memory and shared context do not introduce unintended behaviour changes across sessions",
|
|
603
|
+
"control_name": "PW.7.2-PS – Review the software for security vulnerabilities",
|
|
604
|
+
"tier": "Foundational",
|
|
605
|
+
"scope": "Both",
|
|
606
|
+
"notes": "Catches memory poisoning effects before they propagate"
|
|
607
|
+
},
|
|
608
|
+
{
|
|
609
|
+
"framework": "NIST SP 800-218A",
|
|
610
|
+
"control_id": "When memory poisoning is detected, conduct forensic analysis to identify the poisoned records, their ingestion source, propagation path, and blast radius across agents",
|
|
611
|
+
"control_name": "RV.3.1-PS – Analyse root causes",
|
|
612
|
+
"tier": "Foundational",
|
|
613
|
+
"scope": "Both",
|
|
614
|
+
"notes": "Enables thorough incident response for memory poisoning events"
|
|
615
|
+
},
|
|
616
|
+
{
|
|
617
|
+
"framework": "FedRAMP",
|
|
618
|
+
"control_id": "SC-28",
|
|
619
|
+
"control_name": "Protection of Information at Rest — memory store protection",
|
|
620
|
+
"tier": "Foundational",
|
|
621
|
+
"scope": "Both",
|
|
622
|
+
"notes": "Encrypt agent memory stores and context databases at rest; enforce access controls and integrity verification on all memory read and write operations"
|
|
623
|
+
},
|
|
624
|
+
{
|
|
625
|
+
"framework": "FedRAMP",
|
|
626
|
+
"control_id": "SI-3",
|
|
627
|
+
"control_name": "Malicious Code Protection — adversarial memory detection",
|
|
628
|
+
"tier": "Foundational",
|
|
629
|
+
"scope": "Both",
|
|
630
|
+
"notes": "Extend malicious content detection to agent memory stores; detect poisoned memories, manipulated context, and adversarial state modifications"
|
|
631
|
+
},
|
|
632
|
+
{
|
|
633
|
+
"framework": "FedRAMP",
|
|
634
|
+
"control_id": "AU-2",
|
|
635
|
+
"control_name": "Event Logging — memory operation audit",
|
|
636
|
+
"tier": "Foundational",
|
|
637
|
+
"scope": "Both",
|
|
638
|
+
"notes": "Log all agent memory operations — reads, writes, deletions — with sufficient detail to detect poisoning and support forensic investigation"
|
|
639
|
+
},
|
|
640
|
+
{
|
|
641
|
+
"framework": "FedRAMP",
|
|
642
|
+
"control_id": "RA-5",
|
|
643
|
+
"control_name": "Vulnerability Scanning — memory infrastructure",
|
|
644
|
+
"tier": "Foundational",
|
|
645
|
+
"scope": "Both",
|
|
646
|
+
"notes": "Include agent memory stores, context databases, and shared state infrastructure in vulnerability scanning and security assessment"
|
|
647
|
+
},
|
|
648
|
+
{
|
|
649
|
+
"framework": "DORA",
|
|
650
|
+
"control_id": "Art. 9",
|
|
651
|
+
"control_name": "Protection and Prevention — memory integrity controls",
|
|
652
|
+
"tier": "Foundational",
|
|
653
|
+
"scope": "Both",
|
|
654
|
+
"notes": "Implement security controls protecting agent memory stores from poisoning, tampering, and unauthorised modification; enforce access controls and integrity verification"
|
|
655
|
+
},
|
|
656
|
+
{
|
|
657
|
+
"framework": "DORA",
|
|
658
|
+
"control_id": "Art. 10",
|
|
659
|
+
"control_name": "Detection — memory manipulation detection",
|
|
660
|
+
"tier": "Foundational",
|
|
661
|
+
"scope": "Both",
|
|
662
|
+
"notes": "Deploy detection mechanisms for agent memory manipulation; monitor for anomalous writes, content inconsistencies, and cross-session poisoning patterns"
|
|
663
|
+
},
|
|
664
|
+
{
|
|
665
|
+
"framework": "DORA",
|
|
666
|
+
"control_id": "Art. 8",
|
|
667
|
+
"control_name": "Identification — memory store assets",
|
|
668
|
+
"tier": "Foundational",
|
|
669
|
+
"scope": "Both",
|
|
670
|
+
"notes": "Register agent memory stores, context databases, and shared state systems in the ICT asset inventory; classify by data sensitivity"
|
|
671
|
+
},
|
|
672
|
+
{
|
|
673
|
+
"framework": "DORA",
|
|
674
|
+
"control_id": "Art. 13",
|
|
675
|
+
"control_name": "Learning and Evolving — memory poisoning post-mortem",
|
|
676
|
+
"tier": "Foundational",
|
|
677
|
+
"scope": "Both",
|
|
678
|
+
"notes": "Conduct post-incident analysis for memory poisoning events; trace poisoned content to source and assess impact on agent decisions"
|
|
679
|
+
}
|
|
680
|
+
],
|
|
681
|
+
"tools": [
|
|
682
|
+
{
|
|
683
|
+
"name": "Weaviate (with RBAC)",
|
|
684
|
+
"type": "open-source",
|
|
685
|
+
"url": "https://weaviate.io"
|
|
686
|
+
},
|
|
687
|
+
{
|
|
688
|
+
"name": "LlamaIndex",
|
|
689
|
+
"type": "open-source",
|
|
690
|
+
"url": "https://www.llamaindex.ai"
|
|
691
|
+
},
|
|
692
|
+
{
|
|
693
|
+
"name": "Langfuse",
|
|
694
|
+
"type": "open-source",
|
|
695
|
+
"url": "https://langfuse.com"
|
|
696
|
+
},
|
|
697
|
+
{
|
|
698
|
+
"name": "Langfuse (audit logging)",
|
|
699
|
+
"type": "open-source",
|
|
700
|
+
"url": "https://langfuse.com"
|
|
701
|
+
},
|
|
702
|
+
{
|
|
703
|
+
"name": "Claroty",
|
|
704
|
+
"type": "commercial",
|
|
705
|
+
"url": "https://claroty.com"
|
|
706
|
+
},
|
|
707
|
+
{
|
|
708
|
+
"name": "LLM Guard",
|
|
709
|
+
"type": "open-source",
|
|
710
|
+
"url": "https://github.com/protectai/llm-guard"
|
|
711
|
+
},
|
|
712
|
+
{
|
|
713
|
+
"name": "Azure AI Content Safety",
|
|
714
|
+
"type": "commercial",
|
|
715
|
+
"url": "https://azure.microsoft.com/en-us/products/ai-services/ai-content-safety"
|
|
716
|
+
},
|
|
717
|
+
{
|
|
718
|
+
"name": "Chroma",
|
|
719
|
+
"type": "open-source",
|
|
720
|
+
"url": "https://www.trychroma.com"
|
|
721
|
+
},
|
|
722
|
+
{
|
|
723
|
+
"name": "LAAF (LLM Agent Assessment Framework)",
|
|
724
|
+
"type": "open-source",
|
|
725
|
+
"url": "https://github.com/OWASP/LAAF"
|
|
726
|
+
},
|
|
727
|
+
{
|
|
728
|
+
"name": "Garak",
|
|
729
|
+
"type": "open-source",
|
|
730
|
+
"url": "https://github.com/leondz/garak"
|
|
731
|
+
},
|
|
732
|
+
{
|
|
733
|
+
"name": "Great Expectations",
|
|
734
|
+
"type": "open-source",
|
|
735
|
+
"url": "https://greatexpectations.io"
|
|
736
|
+
},
|
|
737
|
+
{
|
|
738
|
+
"name": "Weaviate",
|
|
739
|
+
"type": "open-source",
|
|
740
|
+
"url": "https://weaviate.io"
|
|
741
|
+
},
|
|
742
|
+
{
|
|
743
|
+
"name": "LangSmith",
|
|
744
|
+
"type": "commercial",
|
|
745
|
+
"url": "https://smith.langchain.com"
|
|
746
|
+
},
|
|
747
|
+
{
|
|
748
|
+
"name": "OpenTelemetry",
|
|
749
|
+
"type": "open-source",
|
|
750
|
+
"url": "https://opentelemetry.io"
|
|
751
|
+
},
|
|
752
|
+
{
|
|
753
|
+
"name": "HashiCorp Vault",
|
|
754
|
+
"type": "commercial",
|
|
755
|
+
"url": "https://www.vaultproject.io"
|
|
756
|
+
},
|
|
757
|
+
{
|
|
758
|
+
"name": "LAAF v2.0",
|
|
759
|
+
"url": "https://github.com/qorvexconsulting1/laaf-V2.0",
|
|
760
|
+
"type": "open-source"
|
|
761
|
+
}
|
|
762
|
+
],
|
|
763
|
+
"incidents": [
|
|
764
|
+
{
|
|
765
|
+
"name": "RAG corpus poisoning — embedding-space manipulation to force retrieval",
|
|
766
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
767
|
+
"year": 2024,
|
|
768
|
+
"incident_id": "INC-016"
|
|
769
|
+
},
|
|
770
|
+
{
|
|
771
|
+
"name": "LAAF v2.0 — Empirical LPCI breakthrough rates of 67–100% across 5 production LLMs",
|
|
772
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
773
|
+
"year": 2026,
|
|
774
|
+
"incident_id": "INC-021"
|
|
775
|
+
},
|
|
776
|
+
{
|
|
777
|
+
"name": "Nassi et al. \"ComPromptMized\" Morris II multi-agent worm",
|
|
778
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
779
|
+
"year": 2024,
|
|
780
|
+
"incident_id": "INC-023"
|
|
781
|
+
},
|
|
782
|
+
{
|
|
783
|
+
"name": "Crescendo: multi-turn escalation attack (Microsoft)",
|
|
784
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
785
|
+
"year": 2024,
|
|
786
|
+
"incident_id": "INC-029"
|
|
787
|
+
},
|
|
788
|
+
{
|
|
789
|
+
"name": "Adversarial embedding attacks on production RAG systems",
|
|
790
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
791
|
+
"year": 2024,
|
|
792
|
+
"incident_id": "INC-046"
|
|
793
|
+
}
|
|
794
|
+
],
|
|
795
|
+
"crossrefs": {
|
|
796
|
+
"llm_top10": [
|
|
797
|
+
"LLM04",
|
|
798
|
+
"LLM08",
|
|
799
|
+
"LLM02",
|
|
800
|
+
"LLM03"
|
|
801
|
+
],
|
|
802
|
+
"dsgai_2026": [
|
|
803
|
+
"DSGAI04",
|
|
804
|
+
"DSGAI13",
|
|
805
|
+
"DSGAI06",
|
|
806
|
+
"DSGAI08"
|
|
807
|
+
]
|
|
808
|
+
},
|
|
809
|
+
"changelog": [
|
|
810
|
+
{
|
|
811
|
+
"date": "2026-03-27",
|
|
812
|
+
"version": "1.0.0",
|
|
813
|
+
"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
|
|
814
|
+
"author": "emmanuelgjr"
|
|
815
|
+
}
|
|
816
|
+
]
|
|
817
|
+
}
|