genai-security-crosswalk 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
|
@@ -0,0 +1,789 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "ASI07",
|
|
3
|
+
"name": "Insecure Inter-Agent Communications",
|
|
4
|
+
"source_list": "Agentic-Top10-2026",
|
|
5
|
+
"version": "2026-Q1",
|
|
6
|
+
"severity": "High",
|
|
7
|
+
"aivss_score": 8.2,
|
|
8
|
+
"audience": [
|
|
9
|
+
"red-teamer",
|
|
10
|
+
"security-engineer",
|
|
11
|
+
"ml-engineer",
|
|
12
|
+
"ot-engineer",
|
|
13
|
+
"ciso",
|
|
14
|
+
"compliance",
|
|
15
|
+
"auditor",
|
|
16
|
+
"developer"
|
|
17
|
+
],
|
|
18
|
+
"mappings": [
|
|
19
|
+
{
|
|
20
|
+
"framework": "MITRE ATLAS",
|
|
21
|
+
"control_id": "AML.T0043",
|
|
22
|
+
"control_name": "Network Service Scanning",
|
|
23
|
+
"tier": "Hardening",
|
|
24
|
+
"scope": "Both",
|
|
25
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0043",
|
|
26
|
+
"notes": "Identifying and mapping inter-agent communication endpoints for targeting"
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"framework": "MITRE ATLAS",
|
|
30
|
+
"control_id": "AML.T0022",
|
|
31
|
+
"control_name": "Valid Accounts",
|
|
32
|
+
"tier": "Hardening",
|
|
33
|
+
"scope": "Both",
|
|
34
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0022",
|
|
35
|
+
"notes": "Using compromised agent credentials to impersonate trusted agents in A2A channels"
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"framework": "MITRE ATLAS",
|
|
39
|
+
"control_id": "AML.T0016",
|
|
40
|
+
"control_name": "Exfiltration via AI Inference API",
|
|
41
|
+
"tier": "Hardening",
|
|
42
|
+
"scope": "Both",
|
|
43
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0016",
|
|
44
|
+
"notes": "Intercepting inter-agent messages to exfiltrate sensitive context passed between agents"
|
|
45
|
+
},
|
|
46
|
+
{
|
|
47
|
+
"framework": "NIST AI RMF 1.0",
|
|
48
|
+
"control_id": "GV-1.6",
|
|
49
|
+
"control_name": "Policies for data privacy",
|
|
50
|
+
"tier": "Hardening",
|
|
51
|
+
"scope": "Build",
|
|
52
|
+
"notes": "A2A communication security policy — authentication, encryption, schema validation requirements"
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
"framework": "NIST AI RMF 1.0",
|
|
56
|
+
"control_id": "MP-5.1",
|
|
57
|
+
"control_name": "Interdependencies",
|
|
58
|
+
"tier": "Hardening",
|
|
59
|
+
"scope": "Build",
|
|
60
|
+
"notes": "All A2A communication channels mapped — authentication method, encryption status, schema validation, logging"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"framework": "NIST AI RMF 1.0",
|
|
64
|
+
"control_id": "MS-2.5",
|
|
65
|
+
"control_name": "Testing — adversarial",
|
|
66
|
+
"tier": "Hardening",
|
|
67
|
+
"scope": "Build",
|
|
68
|
+
"notes": "A2A security testing — spoofing, replay, man-in-the-middle scenarios on all inter-agent channels"
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
"framework": "NIST AI RMF 1.0",
|
|
72
|
+
"control_id": "MG-2.2",
|
|
73
|
+
"control_name": "Risk response",
|
|
74
|
+
"tier": "Hardening",
|
|
75
|
+
"scope": "Build",
|
|
76
|
+
"notes": "Incident response for A2A compromise — channel isolation, agent suspension, forensic capture"
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
"framework": "EU AI Act",
|
|
80
|
+
"control_id": "A2A communication risks identified and mitigated",
|
|
81
|
+
"control_name": "Art. 9 — Risk management",
|
|
82
|
+
"tier": "Hardening",
|
|
83
|
+
"scope": "Both",
|
|
84
|
+
"notes": "Inter-agent channels in Art. 9 risk assessment — authentication, encryption, schema validation status"
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
"framework": "EU AI Act",
|
|
88
|
+
"control_id": "Cybersecurity measures protecting all system components",
|
|
89
|
+
"control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
|
|
90
|
+
"tier": "Hardening",
|
|
91
|
+
"scope": "Both",
|
|
92
|
+
"notes": "Authenticated, encrypted A2A communication is an Art. 15 requirement for high-risk agentic systems"
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
"framework": "EU AI Act",
|
|
96
|
+
"control_id": "Documentation of A2A security controls",
|
|
97
|
+
"control_name": "Art. 17 — Quality management",
|
|
98
|
+
"tier": "Hardening",
|
|
99
|
+
"scope": "Both",
|
|
100
|
+
"notes": "A2A authentication and encryption documented in quality management system"
|
|
101
|
+
},
|
|
102
|
+
{
|
|
103
|
+
"framework": "ISO/IEC 27001:2022",
|
|
104
|
+
"control_id": "A.8.20",
|
|
105
|
+
"control_name": "Networks security",
|
|
106
|
+
"tier": "Hardening",
|
|
107
|
+
"scope": "Both",
|
|
108
|
+
"notes": "A2A communication channels network-isolated — dedicated VLAN, traffic volume caps, protocol filtering"
|
|
109
|
+
},
|
|
110
|
+
{
|
|
111
|
+
"framework": "ISO/IEC 27001:2022",
|
|
112
|
+
"control_id": "A.8.24",
|
|
113
|
+
"control_name": "Use of cryptography",
|
|
114
|
+
"tier": "Hardening",
|
|
115
|
+
"scope": "Both",
|
|
116
|
+
"notes": "A2A messages encrypted and integrity-verified — mutual TLS, nonce-based replay protection"
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
"framework": "ISO/IEC 27001:2022",
|
|
120
|
+
"control_id": "A.8.15",
|
|
121
|
+
"control_name": "Logging",
|
|
122
|
+
"tier": "Hardening",
|
|
123
|
+
"scope": "Both",
|
|
124
|
+
"notes": "All A2A messages logged — sender identity, content hash, timestamp, schema validation results"
|
|
125
|
+
},
|
|
126
|
+
{
|
|
127
|
+
"framework": "ISO/IEC 27001:2022",
|
|
128
|
+
"control_id": "A.5.14",
|
|
129
|
+
"control_name": "Transfer of information",
|
|
130
|
+
"tier": "Hardening",
|
|
131
|
+
"scope": "Both",
|
|
132
|
+
"notes": "Information transfer policies and agreements for A2A communication — authentication requirements, acceptable content"
|
|
133
|
+
},
|
|
134
|
+
{
|
|
135
|
+
"framework": "ISO/IEC 42001:2023",
|
|
136
|
+
"control_id": "A.6.2.3",
|
|
137
|
+
"control_name": "AI system security",
|
|
138
|
+
"tier": "Hardening",
|
|
139
|
+
"scope": "Both",
|
|
140
|
+
"notes": "A2A authentication, encryption, and schema validation as AIMS security design requirements"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"framework": "ISO/IEC 42001:2023",
|
|
144
|
+
"control_id": "A.6.2.6",
|
|
145
|
+
"control_name": "Testing of AI systems",
|
|
146
|
+
"tier": "Hardening",
|
|
147
|
+
"scope": "Both",
|
|
148
|
+
"notes": "A2A security scenarios in AIMS testing — spoofing, replay, schema violations before deployment"
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
"framework": "ISO/IEC 42001:2023",
|
|
152
|
+
"control_id": "A.10.1",
|
|
153
|
+
"control_name": "Third-party AI system acquisition",
|
|
154
|
+
"tier": "Hardening",
|
|
155
|
+
"scope": "Both",
|
|
156
|
+
"notes": "A2A communication infrastructure providers assessed — security obligations in arrangements"
|
|
157
|
+
},
|
|
158
|
+
{
|
|
159
|
+
"framework": "ISO/IEC 42001:2023",
|
|
160
|
+
"control_id": "Cl.8",
|
|
161
|
+
"control_name": "Operation",
|
|
162
|
+
"tier": "Hardening",
|
|
163
|
+
"scope": "Both",
|
|
164
|
+
"notes": "A2A communication documented as AIMS operational control — authentication requirements, encryption standards"
|
|
165
|
+
},
|
|
166
|
+
{
|
|
167
|
+
"framework": "CIS Controls v8.1",
|
|
168
|
+
"control_id": "12.4 Establish and maintain architecture diagram",
|
|
169
|
+
"control_name": "CIS 12 — Network Infrastructure Management",
|
|
170
|
+
"tier": "Hardening",
|
|
171
|
+
"scope": "Both",
|
|
172
|
+
"notes": "A2A communication channels mapped in network architecture — authentication method, encryption status"
|
|
173
|
+
},
|
|
174
|
+
{
|
|
175
|
+
"framework": "CIS Controls v8.1",
|
|
176
|
+
"control_id": "3.10 Encrypt sensitive data in transit",
|
|
177
|
+
"control_name": "CIS 3 — Data Protection",
|
|
178
|
+
"tier": "Hardening",
|
|
179
|
+
"scope": "Both",
|
|
180
|
+
"notes": "All A2A messages encrypted in transit — no cleartext inter-agent communication"
|
|
181
|
+
},
|
|
182
|
+
{
|
|
183
|
+
"framework": "CIS Controls v8.1",
|
|
184
|
+
"control_id": "8.5 Collect detailed audit logs",
|
|
185
|
+
"control_name": "CIS 8 — Audit Log Management",
|
|
186
|
+
"tier": "Hardening",
|
|
187
|
+
"scope": "Both",
|
|
188
|
+
"notes": "All A2A messages logged — sender identity, content hash, timestamp, schema validation results"
|
|
189
|
+
},
|
|
190
|
+
{
|
|
191
|
+
"framework": "CIS Controls v8.1",
|
|
192
|
+
"control_id": "16.1 Establish secure development standards",
|
|
193
|
+
"control_name": "CIS 16 — Application Software Security",
|
|
194
|
+
"tier": "Hardening",
|
|
195
|
+
"scope": "Both",
|
|
196
|
+
"notes": "A2A authentication and schema validation as secure development requirements"
|
|
197
|
+
},
|
|
198
|
+
{
|
|
199
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
200
|
+
"control_id": "V9.1.1",
|
|
201
|
+
"control_name": "Verify TLS used for all client connectivity",
|
|
202
|
+
"tier": "Hardening",
|
|
203
|
+
"scope": "Both",
|
|
204
|
+
"notes": "All A2A communication encrypted — mutual TLS, no cleartext inter-agent messages"
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
208
|
+
"control_id": "V3.3.1",
|
|
209
|
+
"control_name": "Verify anti-replay tokens in state-changing operations",
|
|
210
|
+
"tier": "Hardening",
|
|
211
|
+
"scope": "Both",
|
|
212
|
+
"notes": "Replay protection on all A2A messages — nonces, timestamps, sequence numbers"
|
|
213
|
+
},
|
|
214
|
+
{
|
|
215
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
216
|
+
"control_id": "V4.1.3",
|
|
217
|
+
"control_name": "Verify access control enforces identity",
|
|
218
|
+
"tier": "Hardening",
|
|
219
|
+
"scope": "Both",
|
|
220
|
+
"notes": "A2A channels enforce sender identity — unauthenticated messages rejected"
|
|
221
|
+
},
|
|
222
|
+
{
|
|
223
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
224
|
+
"control_id": "V7.2.1",
|
|
225
|
+
"control_name": "Verify all security controls logged",
|
|
226
|
+
"tier": "Hardening",
|
|
227
|
+
"scope": "Both",
|
|
228
|
+
"notes": "All A2A messages logged — sender identity, content hash, schema validation results"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"framework": "ISA/IEC 62443",
|
|
232
|
+
"control_id": "SR 1.3",
|
|
233
|
+
"control_name": "Use of authenticators",
|
|
234
|
+
"tier": "Hardening",
|
|
235
|
+
"scope": "Both",
|
|
236
|
+
"notes": "All inter-agent messages authenticated — no ambient trust between agents in OT context"
|
|
237
|
+
},
|
|
238
|
+
{
|
|
239
|
+
"framework": "ISA/IEC 62443",
|
|
240
|
+
"control_id": "SR 4.1",
|
|
241
|
+
"control_name": "Data confidentiality in transit",
|
|
242
|
+
"tier": "Hardening",
|
|
243
|
+
"scope": "Both",
|
|
244
|
+
"notes": "All A2A communication encrypted — no cleartext agent messages on OT network segments"
|
|
245
|
+
},
|
|
246
|
+
{
|
|
247
|
+
"framework": "ISA/IEC 62443",
|
|
248
|
+
"control_id": "SR 4.4",
|
|
249
|
+
"control_name": "Communication integrity",
|
|
250
|
+
"tier": "Hardening",
|
|
251
|
+
"scope": "Both",
|
|
252
|
+
"notes": "Message integrity enforced — replay protection, nonces, sequence numbers on A2A channels"
|
|
253
|
+
},
|
|
254
|
+
{
|
|
255
|
+
"framework": "ISA/IEC 62443",
|
|
256
|
+
"control_id": "SR 3.1",
|
|
257
|
+
"control_name": "Software and information integrity",
|
|
258
|
+
"tier": "Hardening",
|
|
259
|
+
"scope": "Both",
|
|
260
|
+
"notes": "A2A message schema validation — reject malformed or unexpected message structures"
|
|
261
|
+
},
|
|
262
|
+
{
|
|
263
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
264
|
+
"control_id": "Supply chain risks",
|
|
265
|
+
"control_name": "§5.5",
|
|
266
|
+
"tier": "Foundational",
|
|
267
|
+
"scope": "Both",
|
|
268
|
+
"notes": "Expanded to include agentic AI components"
|
|
269
|
+
},
|
|
270
|
+
{
|
|
271
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
272
|
+
"control_id": "Supply chain risk management",
|
|
273
|
+
"control_name": "§6.3",
|
|
274
|
+
"tier": "Foundational",
|
|
275
|
+
"scope": "Both",
|
|
276
|
+
"notes": "SBOM and vendor assessment for agentic stack"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
280
|
+
"control_id": "Third-party management",
|
|
281
|
+
"control_name": "§8.4",
|
|
282
|
+
"tier": "Foundational",
|
|
283
|
+
"scope": "Both",
|
|
284
|
+
"notes": "Formal vendor programme for OT agent components"
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"framework": "NIST CSF 2.0",
|
|
288
|
+
"control_id": "PR.AA-01",
|
|
289
|
+
"control_name": "Identity Management, Authentication & Access Control",
|
|
290
|
+
"tier": "Hardening",
|
|
291
|
+
"scope": "Both",
|
|
292
|
+
"notes": "Agent identities managed — each agent has a unique, verifiable identity for A2A authentication"
|
|
293
|
+
},
|
|
294
|
+
{
|
|
295
|
+
"framework": "NIST CSF 2.0",
|
|
296
|
+
"control_id": "PR.DS-02",
|
|
297
|
+
"control_name": "Data Security",
|
|
298
|
+
"tier": "Hardening",
|
|
299
|
+
"scope": "Both",
|
|
300
|
+
"notes": "Data in transit protected — all A2A communication encrypted, integrity verified"
|
|
301
|
+
},
|
|
302
|
+
{
|
|
303
|
+
"framework": "NIST CSF 2.0",
|
|
304
|
+
"control_id": "DE.CM-01",
|
|
305
|
+
"control_name": "Continuous Monitoring",
|
|
306
|
+
"tier": "Hardening",
|
|
307
|
+
"scope": "Both",
|
|
308
|
+
"notes": "A2A channels monitored — replay attacks, spoofed senders, anomalous message patterns detected"
|
|
309
|
+
},
|
|
310
|
+
{
|
|
311
|
+
"framework": "NIST CSF 2.0",
|
|
312
|
+
"control_id": "GV.SC-01",
|
|
313
|
+
"control_name": "Supply Chain Risk Management",
|
|
314
|
+
"tier": "Hardening",
|
|
315
|
+
"scope": "Both",
|
|
316
|
+
"notes": "Inter-agent communication infrastructure treated as internal supply chain — authentication requirements documented"
|
|
317
|
+
},
|
|
318
|
+
{
|
|
319
|
+
"framework": "SOC 2",
|
|
320
|
+
"control_id": "Inter-agent authentication required — all agent-to-agent messages authenticated before acting",
|
|
321
|
+
"control_name": "CC6.1",
|
|
322
|
+
"tier": "Hardening",
|
|
323
|
+
"scope": "Both",
|
|
324
|
+
"notes": "mTLS configuration, certificate management records"
|
|
325
|
+
},
|
|
326
|
+
{
|
|
327
|
+
"framework": "SOC 2",
|
|
328
|
+
"control_id": "Inter-agent communication policy — which agents may communicate with which, under what conditions, with what data",
|
|
329
|
+
"control_name": "CC5.2",
|
|
330
|
+
"tier": "Hardening",
|
|
331
|
+
"scope": "Both",
|
|
332
|
+
"notes": "Inter-agent communication policy document"
|
|
333
|
+
},
|
|
334
|
+
{
|
|
335
|
+
"framework": "SOC 2",
|
|
336
|
+
"control_id": "Inter-agent traffic monitored — unexpected communication patterns, unauthorised agent requests detected",
|
|
337
|
+
"control_name": "CC7.2",
|
|
338
|
+
"tier": "Hardening",
|
|
339
|
+
"scope": "Both",
|
|
340
|
+
"notes": "Inter-agent traffic logs, anomaly alert records"
|
|
341
|
+
},
|
|
342
|
+
{
|
|
343
|
+
"framework": "SOC 2",
|
|
344
|
+
"control_id": "Third-party agents treated as vendor risk — agents from external providers assessed before integration",
|
|
345
|
+
"control_name": "CC9.2",
|
|
346
|
+
"tier": "Hardening",
|
|
347
|
+
"scope": "Both",
|
|
348
|
+
"notes": "Vendor assessment records for third-party agents"
|
|
349
|
+
},
|
|
350
|
+
{
|
|
351
|
+
"framework": "PCI DSS v4.0",
|
|
352
|
+
"control_id": "CHD encrypted in transit between agents — all inter-agent communication carrying CHD uses TLS 1.2+",
|
|
353
|
+
"control_name": "Req 4.2",
|
|
354
|
+
"tier": "Hardening",
|
|
355
|
+
"scope": "Both",
|
|
356
|
+
"notes": "TLS configuration, protocol verification"
|
|
357
|
+
},
|
|
358
|
+
{
|
|
359
|
+
"framework": "PCI DSS v4.0",
|
|
360
|
+
"control_id": "Inter-agent authentication — agents authenticate to each other before exchanging CHD",
|
|
361
|
+
"control_name": "Req 8.2",
|
|
362
|
+
"tier": "Hardening",
|
|
363
|
+
"scope": "Both",
|
|
364
|
+
"notes": "Certificate configuration, authentication evidence"
|
|
365
|
+
},
|
|
366
|
+
{
|
|
367
|
+
"framework": "PCI DSS v4.0",
|
|
368
|
+
"control_id": "Inter-agent CHD exchanges logged — source, destination, data classification, timestamp",
|
|
369
|
+
"control_name": "Req 10.2",
|
|
370
|
+
"tier": "Hardening",
|
|
371
|
+
"scope": "Both",
|
|
372
|
+
"notes": "Inter-agent communication audit log"
|
|
373
|
+
},
|
|
374
|
+
{
|
|
375
|
+
"framework": "PCI DSS v4.0",
|
|
376
|
+
"control_id": "Secure development requirements for inter-agent APIs — authentication and encryption requirements in design specifications",
|
|
377
|
+
"control_name": "Req 6.2",
|
|
378
|
+
"tier": "Hardening",
|
|
379
|
+
"scope": "Both",
|
|
380
|
+
"notes": "Design documentation, code review records"
|
|
381
|
+
},
|
|
382
|
+
{
|
|
383
|
+
"framework": "ENISA Multilayer Framework",
|
|
384
|
+
"control_id": "L2",
|
|
385
|
+
"control_name": "AI System Integrity (ASI)",
|
|
386
|
+
"tier": "Hardening",
|
|
387
|
+
"scope": "Both",
|
|
388
|
+
"notes": "All inter-agent messages authenticated and integrity-verified — mutual authentication as AI system integrity requirement"
|
|
389
|
+
},
|
|
390
|
+
{
|
|
391
|
+
"framework": "ENISA Multilayer Framework",
|
|
392
|
+
"control_id": "L2",
|
|
393
|
+
"control_name": "Governance and Risk (GOV)",
|
|
394
|
+
"tier": "Hardening",
|
|
395
|
+
"scope": "Both",
|
|
396
|
+
"notes": "Agent-to-agent communication policy documented — which agents may communicate with which, under what conditions, with what data"
|
|
397
|
+
},
|
|
398
|
+
{
|
|
399
|
+
"framework": "ENISA Multilayer Framework",
|
|
400
|
+
"control_id": "L2",
|
|
401
|
+
"control_name": "Monitoring and Detection (MON)",
|
|
402
|
+
"tier": "Hardening",
|
|
403
|
+
"scope": "Both",
|
|
404
|
+
"notes": "All agent-to-agent messages logged — anomaly detection for unexpected communication patterns"
|
|
405
|
+
},
|
|
406
|
+
{
|
|
407
|
+
"framework": "ENISA Multilayer Framework",
|
|
408
|
+
"control_id": "L1",
|
|
409
|
+
"control_name": "General ICT — Network",
|
|
410
|
+
"tier": "Hardening",
|
|
411
|
+
"scope": "Both",
|
|
412
|
+
"notes": "Inter-agent communication restricted to approved channels — network segmentation enforces the agent communication policy"
|
|
413
|
+
},
|
|
414
|
+
{
|
|
415
|
+
"framework": "OWASP SAMM v2.0",
|
|
416
|
+
"control_id": "G-PC",
|
|
417
|
+
"control_name": "Governance / Policy & Compliance",
|
|
418
|
+
"tier": "Foundational",
|
|
419
|
+
"scope": "Both",
|
|
420
|
+
"notes": "Approved vendor list for all agentic stack components"
|
|
421
|
+
},
|
|
422
|
+
{
|
|
423
|
+
"framework": "OWASP SAMM v2.0",
|
|
424
|
+
"control_id": "I-SB",
|
|
425
|
+
"control_name": "Implementation / Secure Build",
|
|
426
|
+
"tier": "Foundational",
|
|
427
|
+
"scope": "Both",
|
|
428
|
+
"notes": "SBOM for all agentic system components including LLM APIs and tool servers"
|
|
429
|
+
},
|
|
430
|
+
{
|
|
431
|
+
"framework": "OWASP SAMM v2.0",
|
|
432
|
+
"control_id": "V-AA",
|
|
433
|
+
"control_name": "Verification / Architecture Assessment",
|
|
434
|
+
"tier": "Foundational",
|
|
435
|
+
"scope": "Both",
|
|
436
|
+
"notes": "Architecture review validates all third-party components against policy"
|
|
437
|
+
},
|
|
438
|
+
{
|
|
439
|
+
"framework": "OWASP SAMM v2.0",
|
|
440
|
+
"control_id": "D-TA",
|
|
441
|
+
"control_name": "Design / Threat Assessment",
|
|
442
|
+
"tier": "Foundational",
|
|
443
|
+
"scope": "Both",
|
|
444
|
+
"notes": "Model compromise scenarios for each third-party component"
|
|
445
|
+
},
|
|
446
|
+
{
|
|
447
|
+
"framework": "OWASP SAMM v2.0",
|
|
448
|
+
"control_id": "O-OM",
|
|
449
|
+
"control_name": "Operations / Operational Management",
|
|
450
|
+
"tier": "Foundational",
|
|
451
|
+
"scope": "Both",
|
|
452
|
+
"notes": "Track security advisories for all integrated components"
|
|
453
|
+
},
|
|
454
|
+
{
|
|
455
|
+
"framework": "CWE/CVE",
|
|
456
|
+
"control_id": "Improper Authentication",
|
|
457
|
+
"control_name": "CWE-287",
|
|
458
|
+
"tier": "Foundational",
|
|
459
|
+
"scope": "Both",
|
|
460
|
+
"notes": "A2A channels without mutual authentication — agents accept messages from any sender"
|
|
461
|
+
},
|
|
462
|
+
{
|
|
463
|
+
"framework": "CWE/CVE",
|
|
464
|
+
"control_id": "Authentication Bypass by Capture-replay",
|
|
465
|
+
"control_name": "CWE-294",
|
|
466
|
+
"tier": "Foundational",
|
|
467
|
+
"scope": "Both",
|
|
468
|
+
"notes": "Replay attacks on A2A channels without nonce-based replay protection"
|
|
469
|
+
},
|
|
470
|
+
{
|
|
471
|
+
"framework": "CWE/CVE",
|
|
472
|
+
"control_id": "Cleartext Transmission of Sensitive Information",
|
|
473
|
+
"control_name": "CWE-319",
|
|
474
|
+
"tier": "Foundational",
|
|
475
|
+
"scope": "Both",
|
|
476
|
+
"notes": "A2A messages containing sensitive context transmitted without encryption"
|
|
477
|
+
},
|
|
478
|
+
{
|
|
479
|
+
"framework": "CWE/CVE",
|
|
480
|
+
"control_id": "Origin Validation Error",
|
|
481
|
+
"control_name": "CWE-346",
|
|
482
|
+
"tier": "Foundational",
|
|
483
|
+
"scope": "Both",
|
|
484
|
+
"notes": "Agent does not verify that A2A messages originate from the claimed sender"
|
|
485
|
+
},
|
|
486
|
+
{
|
|
487
|
+
"framework": "CWE/CVE",
|
|
488
|
+
"control_id": "Improper Enforcement of Message Integrity During Transmission",
|
|
489
|
+
"control_name": "CWE-924",
|
|
490
|
+
"tier": "Foundational",
|
|
491
|
+
"scope": "Both",
|
|
492
|
+
"notes": "A2A message integrity not cryptographically verified"
|
|
493
|
+
},
|
|
494
|
+
{
|
|
495
|
+
"framework": "OWASP AI Testing Guide",
|
|
496
|
+
"control_id": "A2A authentication enforcement",
|
|
497
|
+
"control_name": "ACT — Access Control",
|
|
498
|
+
"tier": "Hardening",
|
|
499
|
+
"scope": "Both",
|
|
500
|
+
"notes": "Attempt unauthenticated and weakly authenticated A2A message delivery"
|
|
501
|
+
},
|
|
502
|
+
{
|
|
503
|
+
"framework": "OWASP AI Testing Guide",
|
|
504
|
+
"control_id": "Replay attack prevention",
|
|
505
|
+
"control_name": "AST — Agent-Specific",
|
|
506
|
+
"tier": "Hardening",
|
|
507
|
+
"scope": "Both",
|
|
508
|
+
"notes": "Capture and replay a valid A2A message; verify replay is rejected"
|
|
509
|
+
},
|
|
510
|
+
{
|
|
511
|
+
"framework": "OWASP AI Testing Guide",
|
|
512
|
+
"control_id": "A2A audit completeness",
|
|
513
|
+
"control_name": "LMT — Logging & Monitoring",
|
|
514
|
+
"tier": "Hardening",
|
|
515
|
+
"scope": "Both",
|
|
516
|
+
"notes": "Verify all A2A messages are logged with sender identity and content hash"
|
|
517
|
+
},
|
|
518
|
+
{
|
|
519
|
+
"framework": "MAESTRO",
|
|
520
|
+
"control_id": "L7",
|
|
521
|
+
"control_name": "Agent Ecosystem",
|
|
522
|
+
"tier": "Hardening",
|
|
523
|
+
"scope": "Both"
|
|
524
|
+
},
|
|
525
|
+
{
|
|
526
|
+
"framework": "MAESTRO",
|
|
527
|
+
"control_id": "L6",
|
|
528
|
+
"control_name": "Security & Compliance",
|
|
529
|
+
"tier": "Hardening",
|
|
530
|
+
"scope": "Both"
|
|
531
|
+
},
|
|
532
|
+
{
|
|
533
|
+
"framework": "MAESTRO",
|
|
534
|
+
"control_id": "L3",
|
|
535
|
+
"control_name": "Agent Frameworks",
|
|
536
|
+
"tier": "Hardening",
|
|
537
|
+
"scope": "Both"
|
|
538
|
+
},
|
|
539
|
+
{
|
|
540
|
+
"framework": "AIUC-1",
|
|
541
|
+
"control_id": "B007",
|
|
542
|
+
"control_name": "Enforce user access privileges to AI systems",
|
|
543
|
+
"tier": "Hardening",
|
|
544
|
+
"scope": "Build"
|
|
545
|
+
},
|
|
546
|
+
{
|
|
547
|
+
"framework": "AIUC-1",
|
|
548
|
+
"control_id": "B008",
|
|
549
|
+
"control_name": "Protect model deployment environment",
|
|
550
|
+
"tier": "Hardening",
|
|
551
|
+
"scope": "Build"
|
|
552
|
+
},
|
|
553
|
+
{
|
|
554
|
+
"framework": "AIUC-1",
|
|
555
|
+
"control_id": "E",
|
|
556
|
+
"control_name": "Accountability (full domain)",
|
|
557
|
+
"tier": "Hardening",
|
|
558
|
+
"scope": "Build"
|
|
559
|
+
},
|
|
560
|
+
{
|
|
561
|
+
"framework": "OWASP NHI Top 10",
|
|
562
|
+
"control_id": "Weak or missing authentication on A2A channels — agent spoofing enabled",
|
|
563
|
+
"control_name": "NHI-4 Insecure Authentication",
|
|
564
|
+
"tier": "Hardening",
|
|
565
|
+
"scope": "Both",
|
|
566
|
+
"notes": "Strong mutual authentication on all A2A channels — mTLS, certificate-based, short-lived"
|
|
567
|
+
},
|
|
568
|
+
{
|
|
569
|
+
"framework": "OWASP NHI Top 10",
|
|
570
|
+
"control_id": "Long-lived A2A tokens enable persistent replay attacks",
|
|
571
|
+
"control_name": "NHI-7 Long-Lived Credentials",
|
|
572
|
+
"tier": "Hardening",
|
|
573
|
+
"scope": "Both",
|
|
574
|
+
"notes": "Short-lived A2A tokens with nonce-based replay protection"
|
|
575
|
+
},
|
|
576
|
+
{
|
|
577
|
+
"framework": "OWASP NHI Top 10",
|
|
578
|
+
"control_id": "Shared A2A credentials allow one compromised agent to impersonate others",
|
|
579
|
+
"control_name": "NHI-9 NHI Reuse",
|
|
580
|
+
"tier": "Hardening",
|
|
581
|
+
"scope": "Both",
|
|
582
|
+
"notes": "Unique identity per agent — A2A authentication bound to specific agent identity"
|
|
583
|
+
},
|
|
584
|
+
{
|
|
585
|
+
"framework": "NIST SP 800-218A",
|
|
586
|
+
"control_id": "Define explicit security requirements constraining permitted tool invocation sequences and cross-tool data flows for each agent deployment",
|
|
587
|
+
"control_name": "PW.1.1-PS – Define security requirements",
|
|
588
|
+
"tier": "Foundational",
|
|
589
|
+
"scope": "Build",
|
|
590
|
+
"notes": "Establishes chaining constraints as mandatory requirements"
|
|
591
|
+
},
|
|
592
|
+
{
|
|
593
|
+
"framework": "NIST SP 800-218A",
|
|
594
|
+
"control_id": "Threat model tool interaction graphs — identify composite action sequences that could achieve unauthorised outcomes; design controls for chain-level authorisation",
|
|
595
|
+
"control_name": "PW.2.1-PS – Design software to meet security requirements",
|
|
596
|
+
"tier": "Foundational",
|
|
597
|
+
"scope": "Build",
|
|
598
|
+
"notes": "Ensures chaining risks are addressed at design time"
|
|
599
|
+
},
|
|
600
|
+
{
|
|
601
|
+
"framework": "NIST SP 800-218A",
|
|
602
|
+
"control_id": "Review agent behaviour for chain-based scope violations — verify that multi-step tool sequences cannot achieve outcomes exceeding individual tool permissions",
|
|
603
|
+
"control_name": "PW.7.2-PS – Review the software for security vulnerabilities",
|
|
604
|
+
"tier": "Foundational",
|
|
605
|
+
"scope": "Build",
|
|
606
|
+
"notes": "Catches chaining vulnerabilities before production"
|
|
607
|
+
},
|
|
608
|
+
{
|
|
609
|
+
"framework": "NIST SP 800-218A",
|
|
610
|
+
"control_id": "Establish monitoring for anomalous tool invocation sequences; define triage procedures for suspected lateral chaining incidents",
|
|
611
|
+
"control_name": "RV.1.1-PS – Identify and confirm vulnerabilities",
|
|
612
|
+
"tier": "Foundational",
|
|
613
|
+
"scope": "Build",
|
|
614
|
+
"notes": "Enables detection of chaining attacks in production"
|
|
615
|
+
},
|
|
616
|
+
{
|
|
617
|
+
"framework": "FedRAMP",
|
|
618
|
+
"control_id": "AC-6",
|
|
619
|
+
"control_name": "Least Privilege — tool chain restrictions",
|
|
620
|
+
"tier": "Foundational",
|
|
621
|
+
"scope": "Build",
|
|
622
|
+
"notes": "Enforce least privilege across tool chains; prevent agents from combining tool invocations that individually are safe but together achieve harmful outcomes"
|
|
623
|
+
},
|
|
624
|
+
{
|
|
625
|
+
"framework": "FedRAMP",
|
|
626
|
+
"control_id": "CM-7",
|
|
627
|
+
"control_name": "Least Functionality — tool combination restrictions",
|
|
628
|
+
"tier": "Foundational",
|
|
629
|
+
"scope": "Build",
|
|
630
|
+
"notes": "Restrict permitted tool combinations; define allowed tool chains in configuration and deny undefined sequences"
|
|
631
|
+
},
|
|
632
|
+
{
|
|
633
|
+
"framework": "FedRAMP",
|
|
634
|
+
"control_id": "AC-3",
|
|
635
|
+
"control_name": "Access Enforcement — per-tool boundary enforcement",
|
|
636
|
+
"tier": "Foundational",
|
|
637
|
+
"scope": "Build",
|
|
638
|
+
"notes": "Enforce access control at each tool invocation independently; re-evaluate authorisation at every step in a tool chain regardless of prior approvals"
|
|
639
|
+
},
|
|
640
|
+
{
|
|
641
|
+
"framework": "FedRAMP",
|
|
642
|
+
"control_id": "AU-2",
|
|
643
|
+
"control_name": "Event Logging — tool chain audit trail",
|
|
644
|
+
"tier": "Foundational",
|
|
645
|
+
"scope": "Build",
|
|
646
|
+
"notes": "Log complete tool chain sequences with full context; enable detection and forensic analysis of harmful tool combination patterns"
|
|
647
|
+
},
|
|
648
|
+
{
|
|
649
|
+
"framework": "DORA",
|
|
650
|
+
"control_id": "Art. 9",
|
|
651
|
+
"control_name": "Protection and Prevention — tool chain controls",
|
|
652
|
+
"tier": "Foundational",
|
|
653
|
+
"scope": "Build",
|
|
654
|
+
"notes": "Implement security controls restricting tool chain composition; enforce per-tool access control and define permitted tool sequences for financial agent systems"
|
|
655
|
+
},
|
|
656
|
+
{
|
|
657
|
+
"framework": "DORA",
|
|
658
|
+
"control_id": "Art. 5–7",
|
|
659
|
+
"control_name": "ICT Risk Management — tool composition governance",
|
|
660
|
+
"tier": "Foundational",
|
|
661
|
+
"scope": "Build",
|
|
662
|
+
"notes": "Include tool chaining risk in ICT risk management framework; define policies for permitted tool combinations and escalation requirements for novel tool chains"
|
|
663
|
+
},
|
|
664
|
+
{
|
|
665
|
+
"framework": "DORA",
|
|
666
|
+
"control_id": "Art. 24–27",
|
|
667
|
+
"control_name": "Resilience Testing — tool chain testing",
|
|
668
|
+
"tier": "Foundational",
|
|
669
|
+
"scope": "Build",
|
|
670
|
+
"notes": "Include lateral tool chaining in resilience testing; test whether agents can combine permitted tools to achieve unauthorised outcomes"
|
|
671
|
+
},
|
|
672
|
+
{
|
|
673
|
+
"framework": "DORA",
|
|
674
|
+
"control_id": "Art. 10",
|
|
675
|
+
"control_name": "Detection — tool chain anomaly detection",
|
|
676
|
+
"tier": "Foundational",
|
|
677
|
+
"scope": "Build",
|
|
678
|
+
"notes": "Monitor agent tool invocation sequences for anomalous patterns; alert on novel tool combinations or sequences that cross security boundaries"
|
|
679
|
+
}
|
|
680
|
+
],
|
|
681
|
+
"tools": [
|
|
682
|
+
{
|
|
683
|
+
"name": "SPIFFE / SPIRE",
|
|
684
|
+
"type": "open-source",
|
|
685
|
+
"url": "https://spiffe.io"
|
|
686
|
+
},
|
|
687
|
+
{
|
|
688
|
+
"name": "Linkerd",
|
|
689
|
+
"type": "open-source",
|
|
690
|
+
"url": "https://linkerd.io"
|
|
691
|
+
},
|
|
692
|
+
{
|
|
693
|
+
"name": "cert-manager",
|
|
694
|
+
"type": "open-source",
|
|
695
|
+
"url": "https://cert-manager.io"
|
|
696
|
+
},
|
|
697
|
+
{
|
|
698
|
+
"name": "SPIFFE/SPIRE",
|
|
699
|
+
"type": "open-source",
|
|
700
|
+
"url": "https://github.com/spiffe/spire"
|
|
701
|
+
},
|
|
702
|
+
{
|
|
703
|
+
"name": "mTLS (cert-manager)",
|
|
704
|
+
"type": "open-source",
|
|
705
|
+
"url": "https://cert-manager.io"
|
|
706
|
+
},
|
|
707
|
+
{
|
|
708
|
+
"name": "Garak",
|
|
709
|
+
"type": "open-source",
|
|
710
|
+
"url": "https://github.com/leondz/garak"
|
|
711
|
+
},
|
|
712
|
+
{
|
|
713
|
+
"name": "LangSmith",
|
|
714
|
+
"type": "commercial",
|
|
715
|
+
"url": "https://smith.langchain.com"
|
|
716
|
+
},
|
|
717
|
+
{
|
|
718
|
+
"name": "OpenTelemetry",
|
|
719
|
+
"type": "open-source",
|
|
720
|
+
"url": "https://opentelemetry.io"
|
|
721
|
+
},
|
|
722
|
+
{
|
|
723
|
+
"name": "NeMo Guardrails",
|
|
724
|
+
"type": "open-source",
|
|
725
|
+
"url": "https://github.com/NVIDIA/NeMo-Guardrails"
|
|
726
|
+
},
|
|
727
|
+
{
|
|
728
|
+
"name": "Open Policy Agent",
|
|
729
|
+
"type": "open-source",
|
|
730
|
+
"url": "https://www.openpolicyagent.org"
|
|
731
|
+
},
|
|
732
|
+
{
|
|
733
|
+
"name": "Guardrails AI",
|
|
734
|
+
"type": "open-source",
|
|
735
|
+
"url": "https://github.com/guardrails-ai/guardrails"
|
|
736
|
+
},
|
|
737
|
+
{
|
|
738
|
+
"name": "AgentOps",
|
|
739
|
+
"url": "https://github.com/AgentOps-AI/agentops",
|
|
740
|
+
"type": "open-source"
|
|
741
|
+
},
|
|
742
|
+
{
|
|
743
|
+
"name": "Agentic Security",
|
|
744
|
+
"url": "https://github.com/msoedov/agentic_security",
|
|
745
|
+
"type": "open-source"
|
|
746
|
+
}
|
|
747
|
+
],
|
|
748
|
+
"incidents": [
|
|
749
|
+
{
|
|
750
|
+
"name": "Multi-agent prompt injection cascade — demonstrated cross-agent goal propagation",
|
|
751
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
752
|
+
"year": 2024,
|
|
753
|
+
"incident_id": "INC-020"
|
|
754
|
+
},
|
|
755
|
+
{
|
|
756
|
+
"name": "Nassi et al. \"ComPromptMized\" Morris II multi-agent worm",
|
|
757
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
758
|
+
"year": 2024,
|
|
759
|
+
"incident_id": "INC-023"
|
|
760
|
+
},
|
|
761
|
+
{
|
|
762
|
+
"name": "Multi-agent financial trading system flash crash — cascading autonomous failures",
|
|
763
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
764
|
+
"year": 2025,
|
|
765
|
+
"incident_id": "INC-041"
|
|
766
|
+
}
|
|
767
|
+
],
|
|
768
|
+
"crossrefs": {
|
|
769
|
+
"dsgai_2026": [
|
|
770
|
+
"DSGAI02",
|
|
771
|
+
"DSGAI16",
|
|
772
|
+
"DSGAI17",
|
|
773
|
+
"DSGAI06"
|
|
774
|
+
],
|
|
775
|
+
"llm_top10": [
|
|
776
|
+
"LLM03",
|
|
777
|
+
"LLM06",
|
|
778
|
+
"LLM01"
|
|
779
|
+
]
|
|
780
|
+
},
|
|
781
|
+
"changelog": [
|
|
782
|
+
{
|
|
783
|
+
"date": "2026-03-27",
|
|
784
|
+
"version": "1.0.0",
|
|
785
|
+
"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
|
|
786
|
+
"author": "emmanuelgjr"
|
|
787
|
+
}
|
|
788
|
+
]
|
|
789
|
+
}
|