genai-security-crosswalk 2.0.0
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
|
@@ -0,0 +1,788 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "ASI08",
|
|
3
|
+
"name": "Cascading Agent Failures",
|
|
4
|
+
"source_list": "Agentic-Top10-2026",
|
|
5
|
+
"version": "2026-Q1",
|
|
6
|
+
"severity": "Critical",
|
|
7
|
+
"aivss_score": 9.1,
|
|
8
|
+
"audience": [
|
|
9
|
+
"red-teamer",
|
|
10
|
+
"security-engineer",
|
|
11
|
+
"ml-engineer",
|
|
12
|
+
"ot-engineer",
|
|
13
|
+
"ciso",
|
|
14
|
+
"compliance",
|
|
15
|
+
"auditor",
|
|
16
|
+
"developer"
|
|
17
|
+
],
|
|
18
|
+
"mappings": [
|
|
19
|
+
{
|
|
20
|
+
"framework": "MITRE ATLAS",
|
|
21
|
+
"control_id": "AML.T0029",
|
|
22
|
+
"control_name": "Denial of ML Service",
|
|
23
|
+
"tier": "Foundational",
|
|
24
|
+
"scope": "Both",
|
|
25
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0029",
|
|
26
|
+
"notes": "Triggering cascading failure propagation to exhaust system resources or degrade service"
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"framework": "MITRE ATLAS",
|
|
30
|
+
"control_id": "AML.T0034",
|
|
31
|
+
"control_name": "Cost Harvesting",
|
|
32
|
+
"tier": "Foundational",
|
|
33
|
+
"scope": "Both",
|
|
34
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0034",
|
|
35
|
+
"notes": "Crafting inputs that trigger runaway agent loops generating unbounded costs"
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"framework": "MITRE ATLAS",
|
|
39
|
+
"control_id": "AML.T0057",
|
|
40
|
+
"control_name": "Exploit Public-Facing ML Application",
|
|
41
|
+
"tier": "Foundational",
|
|
42
|
+
"scope": "Both",
|
|
43
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0057",
|
|
44
|
+
"notes": "Exploiting an exposed agent endpoint to introduce a fault that cascades internally"
|
|
45
|
+
},
|
|
46
|
+
{
|
|
47
|
+
"framework": "NIST AI RMF 1.0",
|
|
48
|
+
"control_id": "MP-4.1",
|
|
49
|
+
"control_name": "Risk tolerance",
|
|
50
|
+
"tier": "Foundational",
|
|
51
|
+
"scope": "Both",
|
|
52
|
+
"notes": "Cascade blast radius defined and accepted per deployment — maximum affected systems documented"
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
"framework": "NIST AI RMF 1.0",
|
|
56
|
+
"control_id": "MS-2.5",
|
|
57
|
+
"control_name": "Testing — adversarial",
|
|
58
|
+
"tier": "Foundational",
|
|
59
|
+
"scope": "Both",
|
|
60
|
+
"notes": "Cascade resilience testing — circuit breaker effectiveness, failover scenarios, chaos engineering"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"framework": "NIST AI RMF 1.0",
|
|
64
|
+
"control_id": "MG-2.2",
|
|
65
|
+
"control_name": "Risk response",
|
|
66
|
+
"tier": "Foundational",
|
|
67
|
+
"scope": "Both",
|
|
68
|
+
"notes": "Incident response for cascade events — defined suspension procedure, process control fallback"
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
"framework": "NIST AI RMF 1.0",
|
|
72
|
+
"control_id": "MG-3.2",
|
|
73
|
+
"control_name": "Residual risk",
|
|
74
|
+
"tier": "Foundational",
|
|
75
|
+
"scope": "Both",
|
|
76
|
+
"notes": "Residual cascade risk documented — BCP coverage for agent cluster failures"
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
"framework": "EU AI Act",
|
|
80
|
+
"control_id": "Cascade risks identified and mitigated — blast radius defined",
|
|
81
|
+
"control_name": "Art. 9 — Risk management",
|
|
82
|
+
"tier": "Foundational",
|
|
83
|
+
"scope": "Both",
|
|
84
|
+
"notes": "Cascade scenarios in Art. 9 risk management — maximum affected systems, circuit breaker thresholds"
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
"framework": "EU AI Act",
|
|
88
|
+
"control_id": "Human oversight over high-risk AI — ability to pause and stop",
|
|
89
|
+
"control_name": "Art. 14 — Human oversight",
|
|
90
|
+
"tier": "Foundational",
|
|
91
|
+
"scope": "Both",
|
|
92
|
+
"notes": "Circuit breakers and kill switches are Art. 14 human oversight mechanisms"
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
"framework": "EU AI Act",
|
|
96
|
+
"control_id": "Technical resilience against cascading failures",
|
|
97
|
+
"control_name": "Art. 15 — Accuracy, robustness, cybersecurity",
|
|
98
|
+
"tier": "Foundational",
|
|
99
|
+
"scope": "Both",
|
|
100
|
+
"notes": "Circuit breakers, fail-safe defaults, and cascade containment architecture are Art. 15 requirements"
|
|
101
|
+
},
|
|
102
|
+
{
|
|
103
|
+
"framework": "ISO/IEC 27001:2022",
|
|
104
|
+
"control_id": "A.8.16",
|
|
105
|
+
"control_name": "Monitoring activities",
|
|
106
|
+
"tier": "Foundational",
|
|
107
|
+
"scope": "Both",
|
|
108
|
+
"notes": "Cascade indicators monitored — correlated failure patterns across agent cluster detected before physical impact"
|
|
109
|
+
},
|
|
110
|
+
{
|
|
111
|
+
"framework": "ISO/IEC 27001:2022",
|
|
112
|
+
"control_id": "A.5.30",
|
|
113
|
+
"control_name": "ICT readiness for business continuity",
|
|
114
|
+
"tier": "Foundational",
|
|
115
|
+
"scope": "Both",
|
|
116
|
+
"notes": "Agent cluster failures covered in BCP — RTO/RPO defined, failover tested, circuit breakers as resilience controls"
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
"framework": "ISO/IEC 27001:2022",
|
|
120
|
+
"control_id": "A.5.24",
|
|
121
|
+
"control_name": "Information security incident management",
|
|
122
|
+
"tier": "Foundational",
|
|
123
|
+
"scope": "Both",
|
|
124
|
+
"notes": "Cascade events treated as security incidents — defined response, kill switch activation, operations notification"
|
|
125
|
+
},
|
|
126
|
+
{
|
|
127
|
+
"framework": "ISO/IEC 27001:2022",
|
|
128
|
+
"control_id": "A.8.13",
|
|
129
|
+
"control_name": "Backup",
|
|
130
|
+
"tier": "Foundational",
|
|
131
|
+
"scope": "Both",
|
|
132
|
+
"notes": "Agent state and configuration backed up — recovery to known-good state after cascade incident"
|
|
133
|
+
},
|
|
134
|
+
{
|
|
135
|
+
"framework": "ISO/IEC 42001:2023",
|
|
136
|
+
"control_id": "A.6.2.3",
|
|
137
|
+
"control_name": "AI system security",
|
|
138
|
+
"tier": "Foundational",
|
|
139
|
+
"scope": "Both",
|
|
140
|
+
"notes": "Circuit breakers and blast radius limits as AIMS security design requirements"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"framework": "ISO/IEC 42001:2023",
|
|
144
|
+
"control_id": "A.6.2.8",
|
|
145
|
+
"control_name": "Monitoring of AI systems",
|
|
146
|
+
"tier": "Foundational",
|
|
147
|
+
"scope": "Both",
|
|
148
|
+
"notes": "Cascade indicators monitored in operation — correlated failure patterns detected as AIMS monitoring"
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
"framework": "ISO/IEC 42001:2023",
|
|
152
|
+
"control_id": "Cl.6.1",
|
|
153
|
+
"control_name": "Risk assessment",
|
|
154
|
+
"tier": "Foundational",
|
|
155
|
+
"scope": "Both",
|
|
156
|
+
"notes": "Cascade blast radius in AI risk register — maximum affected systems formally documented and accepted"
|
|
157
|
+
},
|
|
158
|
+
{
|
|
159
|
+
"framework": "ISO/IEC 42001:2023",
|
|
160
|
+
"control_id": "Cl.9",
|
|
161
|
+
"control_name": "Performance evaluation",
|
|
162
|
+
"tier": "Foundational",
|
|
163
|
+
"scope": "Both",
|
|
164
|
+
"notes": "Cascade incidents in AIMS performance evaluation — circuit breaker effectiveness, recovery times in management review"
|
|
165
|
+
},
|
|
166
|
+
{
|
|
167
|
+
"framework": "CIS Controls v8.1",
|
|
168
|
+
"control_id": "4.1 Establish secure configuration process",
|
|
169
|
+
"control_name": "CIS 4 — Secure Configuration",
|
|
170
|
+
"tier": "Foundational",
|
|
171
|
+
"scope": "Both",
|
|
172
|
+
"notes": "Secure configuration includes circuit breakers and rate limits — cascade prevention as configuration requirement"
|
|
173
|
+
},
|
|
174
|
+
{
|
|
175
|
+
"framework": "CIS Controls v8.1",
|
|
176
|
+
"control_id": "12.6 Use network-based URL filters",
|
|
177
|
+
"control_name": "CIS 12 — Network Infrastructure Management",
|
|
178
|
+
"tier": "Foundational",
|
|
179
|
+
"scope": "Both",
|
|
180
|
+
"notes": "Network controls prevent cascade propagation across agent cluster boundaries"
|
|
181
|
+
},
|
|
182
|
+
{
|
|
183
|
+
"framework": "CIS Controls v8.1",
|
|
184
|
+
"control_id": "17.1 Designate personnel for incident response",
|
|
185
|
+
"control_name": "CIS 17 — Incident Response",
|
|
186
|
+
"tier": "Foundational",
|
|
187
|
+
"scope": "Both",
|
|
188
|
+
"notes": "Defined response for cascade events — kill switch activation, process control fallback, operations notification"
|
|
189
|
+
},
|
|
190
|
+
{
|
|
191
|
+
"framework": "CIS Controls v8.1",
|
|
192
|
+
"control_id": "8.6 Collect DNS query audit logs",
|
|
193
|
+
"control_name": "CIS 8 — Audit Log Management",
|
|
194
|
+
"tier": "Foundational",
|
|
195
|
+
"scope": "Both",
|
|
196
|
+
"notes": "Agent traffic monitored — cascade indicators detected before physical impact"
|
|
197
|
+
},
|
|
198
|
+
{
|
|
199
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
200
|
+
"control_id": "V11.1.1",
|
|
201
|
+
"control_name": "Verify business logic assumptions documented",
|
|
202
|
+
"tier": "Foundational",
|
|
203
|
+
"scope": "Both",
|
|
204
|
+
"notes": "Cascade blast radius documented as business logic assumption — maximum affected systems formally accepted"
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
208
|
+
"control_id": "V11.1.2",
|
|
209
|
+
"control_name": "Verify business logic limits prevent abuse",
|
|
210
|
+
"tier": "Foundational",
|
|
211
|
+
"scope": "Both",
|
|
212
|
+
"notes": "Circuit breakers as business logic controls — cascade propagation limited by design"
|
|
213
|
+
},
|
|
214
|
+
{
|
|
215
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
216
|
+
"control_id": "V13.1.1",
|
|
217
|
+
"control_name": "Verify API rate limiting",
|
|
218
|
+
"tier": "Foundational",
|
|
219
|
+
"scope": "Both",
|
|
220
|
+
"notes": "Rate limiting on all agent API endpoints — cascade amplification through API exhaustion limited"
|
|
221
|
+
},
|
|
222
|
+
{
|
|
223
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
224
|
+
"control_id": "V7.4.1",
|
|
225
|
+
"control_name": "Verify error handling does not expose sensitive data",
|
|
226
|
+
"tier": "Foundational",
|
|
227
|
+
"scope": "Both",
|
|
228
|
+
"notes": "Cascade errors handled gracefully — no sensitive system information in error responses"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"framework": "ISA/IEC 62443",
|
|
232
|
+
"control_id": "SR 7.6",
|
|
233
|
+
"control_name": "Denial of service protection",
|
|
234
|
+
"tier": "Foundational",
|
|
235
|
+
"scope": "Both",
|
|
236
|
+
"notes": "Circuit breakers preventing cascade propagation — agent failure contained within defined blast radius"
|
|
237
|
+
},
|
|
238
|
+
{
|
|
239
|
+
"framework": "ISA/IEC 62443",
|
|
240
|
+
"control_id": "SR 7.7",
|
|
241
|
+
"control_name": "Control system backup",
|
|
242
|
+
"tier": "Foundational",
|
|
243
|
+
"scope": "Both",
|
|
244
|
+
"notes": "Agent system failures cannot affect backup and recovery of OT process control"
|
|
245
|
+
},
|
|
246
|
+
{
|
|
247
|
+
"framework": "ISA/IEC 62443",
|
|
248
|
+
"control_id": "SR 6.6",
|
|
249
|
+
"control_name": "Timely response to events",
|
|
250
|
+
"tier": "Foundational",
|
|
251
|
+
"scope": "Both",
|
|
252
|
+
"notes": "Cascade indicators detected and responded to before physical process impact"
|
|
253
|
+
},
|
|
254
|
+
{
|
|
255
|
+
"framework": "ISA/IEC 62443",
|
|
256
|
+
"control_id": "SR 5.1",
|
|
257
|
+
"control_name": "Information flow restriction",
|
|
258
|
+
"tier": "Foundational",
|
|
259
|
+
"scope": "Both",
|
|
260
|
+
"notes": "Agent-to-agent information flows restricted — cascade paths limited by design"
|
|
261
|
+
},
|
|
262
|
+
{
|
|
263
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
264
|
+
"control_id": "ICS vulnerabilities",
|
|
265
|
+
"control_name": "§5.3",
|
|
266
|
+
"tier": "Advanced",
|
|
267
|
+
"scope": "Both",
|
|
268
|
+
"notes": "Safety system bypass is the highest severity OT threat"
|
|
269
|
+
},
|
|
270
|
+
{
|
|
271
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
272
|
+
"control_id": "Risk assessment",
|
|
273
|
+
"control_name": "§6.2",
|
|
274
|
+
"tier": "Advanced",
|
|
275
|
+
"scope": "Both",
|
|
276
|
+
"notes": "Safety control inversion must be in OT risk register"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
280
|
+
"control_id": "Secure architecture",
|
|
281
|
+
"control_name": "§7.1",
|
|
282
|
+
"tier": "Advanced",
|
|
283
|
+
"scope": "Both",
|
|
284
|
+
"notes": "Mandatory: safety function must be independent of AI decision layer"
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"framework": "NIST CSF 2.0",
|
|
288
|
+
"control_id": "PR.IR-01",
|
|
289
|
+
"control_name": "Infrastructure Resilience",
|
|
290
|
+
"tier": "Foundational",
|
|
291
|
+
"scope": "Both",
|
|
292
|
+
"notes": "Networks and environments protected for resilience — circuit breakers, blast radius limits, fail-safe defaults"
|
|
293
|
+
},
|
|
294
|
+
{
|
|
295
|
+
"framework": "NIST CSF 2.0",
|
|
296
|
+
"control_id": "DE.CM-01",
|
|
297
|
+
"control_name": "Continuous Monitoring",
|
|
298
|
+
"tier": "Foundational",
|
|
299
|
+
"scope": "Both",
|
|
300
|
+
"notes": "Cascade indicators detected — correlated failure patterns across agent cluster monitored"
|
|
301
|
+
},
|
|
302
|
+
{
|
|
303
|
+
"framework": "NIST CSF 2.0",
|
|
304
|
+
"control_id": "RS.MI-01",
|
|
305
|
+
"control_name": "Incident Mitigation",
|
|
306
|
+
"tier": "Foundational",
|
|
307
|
+
"scope": "Both",
|
|
308
|
+
"notes": "Incidents contained — kill switch activated, process control fallback initiated"
|
|
309
|
+
},
|
|
310
|
+
{
|
|
311
|
+
"framework": "NIST CSF 2.0",
|
|
312
|
+
"control_id": "RC.RP-01",
|
|
313
|
+
"control_name": "Incident Recovery",
|
|
314
|
+
"tier": "Foundational",
|
|
315
|
+
"scope": "Both",
|
|
316
|
+
"notes": "Recovery plan includes agent cluster failures — BCP covers AI system availability, RTO/RPO defined"
|
|
317
|
+
},
|
|
318
|
+
{
|
|
319
|
+
"framework": "SOC 2",
|
|
320
|
+
"control_id": "Availability commitments defined for multi-agent system — RTO/RPO documented; cascade failure scenarios in availability risk",
|
|
321
|
+
"control_name": "A1.1",
|
|
322
|
+
"tier": "Foundational",
|
|
323
|
+
"scope": "Both",
|
|
324
|
+
"notes": "Availability SLA, BCP documentation"
|
|
325
|
+
},
|
|
326
|
+
{
|
|
327
|
+
"framework": "SOC 2",
|
|
328
|
+
"control_id": "Capacity and performance monitoring — early warning of cascade failure precursors (latency, error rate, queue depth)",
|
|
329
|
+
"control_name": "A1.2",
|
|
330
|
+
"tier": "Foundational",
|
|
331
|
+
"scope": "Both",
|
|
332
|
+
"notes": "Monitoring dashboards, alert configuration"
|
|
333
|
+
},
|
|
334
|
+
{
|
|
335
|
+
"framework": "SOC 2",
|
|
336
|
+
"control_id": "Cascade failure incidents detected and responded to — incident response procedures for multi-agent failures",
|
|
337
|
+
"control_name": "CC7.3",
|
|
338
|
+
"tier": "Foundational",
|
|
339
|
+
"scope": "Both",
|
|
340
|
+
"notes": "IR plan covering cascade scenarios, incident records"
|
|
341
|
+
},
|
|
342
|
+
{
|
|
343
|
+
"framework": "SOC 2",
|
|
344
|
+
"control_id": "Cascade failure risk in risk assessment — blast radius analysis, dependency mapping documented",
|
|
345
|
+
"control_name": "CC3.3",
|
|
346
|
+
"tier": "Foundational",
|
|
347
|
+
"scope": "Both",
|
|
348
|
+
"notes": "Risk register with cascade failure entries"
|
|
349
|
+
},
|
|
350
|
+
{
|
|
351
|
+
"framework": "PCI DSS v4.0",
|
|
352
|
+
"control_id": "Critical agent control failures detected promptly — monitoring for cascade precursors with alert thresholds",
|
|
353
|
+
"control_name": "Req 10.7",
|
|
354
|
+
"tier": "Foundational",
|
|
355
|
+
"scope": "Both",
|
|
356
|
+
"notes": "Monitoring configuration, alert records, detection evidence"
|
|
357
|
+
},
|
|
358
|
+
{
|
|
359
|
+
"framework": "PCI DSS v4.0",
|
|
360
|
+
"control_id": "Cascade failure risk analysis — targeted risk analysis documents cascade failure likelihood, impact, treatment",
|
|
361
|
+
"control_name": "Req 12.3",
|
|
362
|
+
"tier": "Foundational",
|
|
363
|
+
"scope": "Both",
|
|
364
|
+
"notes": "Risk analysis documentation"
|
|
365
|
+
},
|
|
366
|
+
{
|
|
367
|
+
"framework": "PCI DSS v4.0",
|
|
368
|
+
"control_id": "Network controls prevent cascade propagation — agent network segments isolated to contain blast radius",
|
|
369
|
+
"control_name": "Req 1.3",
|
|
370
|
+
"tier": "Foundational",
|
|
371
|
+
"scope": "Both",
|
|
372
|
+
"notes": "Network diagram, segmentation evidence"
|
|
373
|
+
},
|
|
374
|
+
{
|
|
375
|
+
"framework": "PCI DSS v4.0",
|
|
376
|
+
"control_id": "Baseline availability configuration for agent infrastructure — capacity and resilience requirements in hardening baseline",
|
|
377
|
+
"control_name": "Req 2.2",
|
|
378
|
+
"tier": "Foundational",
|
|
379
|
+
"scope": "Both",
|
|
380
|
+
"notes": "Hardening baseline documentation"
|
|
381
|
+
},
|
|
382
|
+
{
|
|
383
|
+
"framework": "ENISA Multilayer Framework",
|
|
384
|
+
"control_id": "MON",
|
|
385
|
+
"control_name": "Monitoring and Detection",
|
|
386
|
+
"tier": "Foundational",
|
|
387
|
+
"scope": "Both",
|
|
388
|
+
"notes": "Early warning detection of failure propagation across agent ecosystem — AI-specific anomaly detection for cascade signatures"
|
|
389
|
+
},
|
|
390
|
+
{
|
|
391
|
+
"framework": "ENISA Multilayer Framework",
|
|
392
|
+
"control_id": "IRS",
|
|
393
|
+
"control_name": "Incident Response",
|
|
394
|
+
"tier": "Foundational",
|
|
395
|
+
"scope": "Both",
|
|
396
|
+
"notes": "AI incident response plan covers cascading agent failures — circuit breaker activation, agent isolation, service recovery procedures"
|
|
397
|
+
},
|
|
398
|
+
{
|
|
399
|
+
"framework": "ENISA Multilayer Framework",
|
|
400
|
+
"control_id": "L2",
|
|
401
|
+
"control_name": "Governance and Risk (GOV)",
|
|
402
|
+
"tier": "Foundational",
|
|
403
|
+
"scope": "Both",
|
|
404
|
+
"notes": "Cascade failure risk documented in AI risk register — blast radius analysis, circuit breaker design, residual risk"
|
|
405
|
+
},
|
|
406
|
+
{
|
|
407
|
+
"framework": "ENISA Multilayer Framework",
|
|
408
|
+
"control_id": "L1",
|
|
409
|
+
"control_name": "General ICT — Business Continuity",
|
|
410
|
+
"tier": "Foundational",
|
|
411
|
+
"scope": "Both",
|
|
412
|
+
"notes": "Multi-agent deployment covered by BCM — recovery time and recovery point objectives defined per agent tier"
|
|
413
|
+
},
|
|
414
|
+
{
|
|
415
|
+
"framework": "OWASP SAMM v2.0",
|
|
416
|
+
"control_id": "D-SA",
|
|
417
|
+
"control_name": "Design / Security Architecture",
|
|
418
|
+
"tier": "Advanced",
|
|
419
|
+
"scope": "Both",
|
|
420
|
+
"notes": "Safety controls must be layered — no single-point bypass path"
|
|
421
|
+
},
|
|
422
|
+
{
|
|
423
|
+
"framework": "OWASP SAMM v2.0",
|
|
424
|
+
"control_id": "V-AA",
|
|
425
|
+
"control_name": "Verification / Architecture Assessment",
|
|
426
|
+
"tier": "Advanced",
|
|
427
|
+
"scope": "Both",
|
|
428
|
+
"notes": "Independent review of every safety control bypass scenario"
|
|
429
|
+
},
|
|
430
|
+
{
|
|
431
|
+
"framework": "OWASP SAMM v2.0",
|
|
432
|
+
"control_id": "V-ST",
|
|
433
|
+
"control_name": "Verification / Security Testing",
|
|
434
|
+
"tier": "Advanced",
|
|
435
|
+
"scope": "Both",
|
|
436
|
+
"notes": "Dedicated red team exercise targeting guardrail bypass"
|
|
437
|
+
},
|
|
438
|
+
{
|
|
439
|
+
"framework": "OWASP SAMM v2.0",
|
|
440
|
+
"control_id": "O-IM",
|
|
441
|
+
"control_name": "Operations / Incident Management",
|
|
442
|
+
"tier": "Advanced",
|
|
443
|
+
"scope": "Both",
|
|
444
|
+
"notes": "Alert immediately when output validator is disabled or bypassed"
|
|
445
|
+
},
|
|
446
|
+
{
|
|
447
|
+
"framework": "OWASP SAMM v2.0",
|
|
448
|
+
"control_id": "G-SM",
|
|
449
|
+
"control_name": "Governance / Strategy & Metrics",
|
|
450
|
+
"tier": "Advanced",
|
|
451
|
+
"scope": "Both",
|
|
452
|
+
"notes": "No production agent deployment without signed safety control architecture review"
|
|
453
|
+
},
|
|
454
|
+
{
|
|
455
|
+
"framework": "CWE/CVE",
|
|
456
|
+
"control_id": "Uncontrolled Resource Consumption",
|
|
457
|
+
"control_name": "CWE-400",
|
|
458
|
+
"tier": "Foundational",
|
|
459
|
+
"scope": "Both",
|
|
460
|
+
"notes": "Agent resource consumption not bounded — enables exhaustion propagation across cluster"
|
|
461
|
+
},
|
|
462
|
+
{
|
|
463
|
+
"framework": "CWE/CVE",
|
|
464
|
+
"control_id": "Improper Check or Handling of Exceptional Conditions",
|
|
465
|
+
"control_name": "CWE-703",
|
|
466
|
+
"tier": "Foundational",
|
|
467
|
+
"scope": "Both",
|
|
468
|
+
"notes": "Agent failures not caught and handled — exception propagates to downstream agents"
|
|
469
|
+
},
|
|
470
|
+
{
|
|
471
|
+
"framework": "CWE/CVE",
|
|
472
|
+
"control_id": "Improper Handling of Exceptional Conditions",
|
|
473
|
+
"control_name": "CWE-755",
|
|
474
|
+
"tier": "Foundational",
|
|
475
|
+
"scope": "Both",
|
|
476
|
+
"notes": "Cascade fails because upstream agents do not handle failure conditions gracefully"
|
|
477
|
+
},
|
|
478
|
+
{
|
|
479
|
+
"framework": "CWE/CVE",
|
|
480
|
+
"control_id": "OWASP ReDoS",
|
|
481
|
+
"control_name": "CWE-730",
|
|
482
|
+
"tier": "Foundational",
|
|
483
|
+
"scope": "Both",
|
|
484
|
+
"notes": "Regex-based input processing causing runaway computation propagating through pipeline"
|
|
485
|
+
},
|
|
486
|
+
{
|
|
487
|
+
"framework": "CWE/CVE",
|
|
488
|
+
"control_id": "Uncontrolled Recursion",
|
|
489
|
+
"control_name": "CWE-674",
|
|
490
|
+
"tier": "Foundational",
|
|
491
|
+
"scope": "Both",
|
|
492
|
+
"notes": "Recursive agent calls without depth limits enabling stack exhaustion cascade"
|
|
493
|
+
},
|
|
494
|
+
{
|
|
495
|
+
"framework": "OWASP AI Testing Guide",
|
|
496
|
+
"control_id": "Circuit breaker trigger and recovery",
|
|
497
|
+
"control_name": "AVT — Availability",
|
|
498
|
+
"tier": "Foundational",
|
|
499
|
+
"scope": "Both",
|
|
500
|
+
"notes": "Inject failures to verify circuit breaker activates at threshold; test recovery path"
|
|
501
|
+
},
|
|
502
|
+
{
|
|
503
|
+
"framework": "OWASP AI Testing Guide",
|
|
504
|
+
"control_id": "Blast radius containment",
|
|
505
|
+
"control_name": "AST — Agent-Specific",
|
|
506
|
+
"tier": "Foundational",
|
|
507
|
+
"scope": "Both",
|
|
508
|
+
"notes": "Verify failure in one agent cluster does not propagate to adjacent clusters"
|
|
509
|
+
},
|
|
510
|
+
{
|
|
511
|
+
"framework": "OWASP AI Testing Guide",
|
|
512
|
+
"control_id": "Cascade detection alert",
|
|
513
|
+
"control_name": "LMT — Logging & Monitoring",
|
|
514
|
+
"tier": "Foundational",
|
|
515
|
+
"scope": "Both",
|
|
516
|
+
"notes": "Verify monitoring raises alert on cascade indicators before physical impact"
|
|
517
|
+
},
|
|
518
|
+
{
|
|
519
|
+
"framework": "MAESTRO",
|
|
520
|
+
"control_id": "L7",
|
|
521
|
+
"control_name": "Agent Ecosystem",
|
|
522
|
+
"tier": "Foundational",
|
|
523
|
+
"scope": "Both"
|
|
524
|
+
},
|
|
525
|
+
{
|
|
526
|
+
"framework": "MAESTRO",
|
|
527
|
+
"control_id": "L4",
|
|
528
|
+
"control_name": "Deployment & Infrastructure",
|
|
529
|
+
"tier": "Foundational",
|
|
530
|
+
"scope": "Both"
|
|
531
|
+
},
|
|
532
|
+
{
|
|
533
|
+
"framework": "MAESTRO",
|
|
534
|
+
"control_id": "L5",
|
|
535
|
+
"control_name": "Evaluation & Observability",
|
|
536
|
+
"tier": "Foundational",
|
|
537
|
+
"scope": "Both"
|
|
538
|
+
},
|
|
539
|
+
{
|
|
540
|
+
"framework": "AIUC-1",
|
|
541
|
+
"control_id": "D",
|
|
542
|
+
"control_name": "Reliability (full domain)",
|
|
543
|
+
"tier": "Foundational",
|
|
544
|
+
"scope": "Both"
|
|
545
|
+
},
|
|
546
|
+
{
|
|
547
|
+
"framework": "AIUC-1",
|
|
548
|
+
"control_id": "B006",
|
|
549
|
+
"control_name": "Prevent unauthorized AI agent actions",
|
|
550
|
+
"tier": "Foundational",
|
|
551
|
+
"scope": "Both"
|
|
552
|
+
},
|
|
553
|
+
{
|
|
554
|
+
"framework": "AIUC-1",
|
|
555
|
+
"control_id": "E",
|
|
556
|
+
"control_name": "Accountability (full domain)",
|
|
557
|
+
"tier": "Foundational",
|
|
558
|
+
"scope": "Both"
|
|
559
|
+
},
|
|
560
|
+
{
|
|
561
|
+
"framework": "OWASP NHI Top 10",
|
|
562
|
+
"control_id": "Cascading agent failure with over-privileged credentials exposes all accessible systems",
|
|
563
|
+
"control_name": "NHI-5 Over-Privileged NHI",
|
|
564
|
+
"tier": "Foundational",
|
|
565
|
+
"scope": "Both",
|
|
566
|
+
"notes": "Least privilege per agent — cascade blast radius limited by credential scope"
|
|
567
|
+
},
|
|
568
|
+
{
|
|
569
|
+
"framework": "OWASP NHI Top 10",
|
|
570
|
+
"control_id": "Shared credentials mean cascade in one agent affects all agents sharing the credential",
|
|
571
|
+
"control_name": "NHI-9 NHI Reuse",
|
|
572
|
+
"tier": "Foundational",
|
|
573
|
+
"scope": "Both",
|
|
574
|
+
"notes": "Unique identity per agent — cascade cannot leverage shared credentials for lateral movement"
|
|
575
|
+
},
|
|
576
|
+
{
|
|
577
|
+
"framework": "OWASP NHI Top 10",
|
|
578
|
+
"control_id": "Long-lived credentials exposed during cascade remain valid for attacker use post-incident",
|
|
579
|
+
"control_name": "NHI-7 Long-Lived Credentials",
|
|
580
|
+
"tier": "Foundational",
|
|
581
|
+
"scope": "Both",
|
|
582
|
+
"notes": "Short-lived credentials — cascade event triggers automatic revocation of all affected tokens"
|
|
583
|
+
},
|
|
584
|
+
{
|
|
585
|
+
"framework": "NIST SP 800-218A",
|
|
586
|
+
"control_id": "Design circuit breakers, step limits, cost budgets, and human approval gates as explicit security requirements for all agentic automation workflows",
|
|
587
|
+
"control_name": "PW.2.1-PS – Design software to meet security requirements",
|
|
588
|
+
"tier": "Foundational",
|
|
589
|
+
"scope": "Both",
|
|
590
|
+
"notes": "Ensures cascade prevention is a design-phase requirement"
|
|
591
|
+
},
|
|
592
|
+
{
|
|
593
|
+
"framework": "NIST SP 800-218A",
|
|
594
|
+
"control_id": "Conduct adversarial testing of cascade failure paths — test error propagation, hallucination amplification, and runaway automation scenarios",
|
|
595
|
+
"control_name": "PW.8.2-PS – Test for security vulnerabilities",
|
|
596
|
+
"tier": "Foundational",
|
|
597
|
+
"scope": "Both",
|
|
598
|
+
"notes": "Validates cascade prevention controls under attack conditions"
|
|
599
|
+
},
|
|
600
|
+
{
|
|
601
|
+
"framework": "NIST SP 800-218A",
|
|
602
|
+
"control_id": "Define remediation procedures for cascade failure incidents including automatic circuit breaker activation, workflow suspension, cost cap enforcement, and rollback",
|
|
603
|
+
"control_name": "RV.2.1-PS – Assess, prioritise, and remediate vulnerabilities",
|
|
604
|
+
"tier": "Foundational",
|
|
605
|
+
"scope": "Both",
|
|
606
|
+
"notes": "Enables rapid response to cascading automation failures"
|
|
607
|
+
},
|
|
608
|
+
{
|
|
609
|
+
"framework": "NIST SP 800-218A",
|
|
610
|
+
"control_id": "Define explicit requirements for maximum automation depth, step limits, cost budgets, and mandatory human checkpoints for each agent workflow",
|
|
611
|
+
"control_name": "PW.1.1-PS – Define security requirements",
|
|
612
|
+
"tier": "Foundational",
|
|
613
|
+
"scope": "Both",
|
|
614
|
+
"notes": "Establishes automation boundaries as mandatory requirements"
|
|
615
|
+
},
|
|
616
|
+
{
|
|
617
|
+
"framework": "FedRAMP",
|
|
618
|
+
"control_id": "SC-7",
|
|
619
|
+
"control_name": "Boundary Protection — inter-agent boundaries",
|
|
620
|
+
"tier": "Foundational",
|
|
621
|
+
"scope": "Both",
|
|
622
|
+
"notes": "Enforce boundary protection between agents in multi-agent systems; prevent uncontrolled propagation of failures or attacks across agent boundaries"
|
|
623
|
+
},
|
|
624
|
+
{
|
|
625
|
+
"framework": "FedRAMP",
|
|
626
|
+
"control_id": "SI-4",
|
|
627
|
+
"control_name": "System Monitoring — cascade detection",
|
|
628
|
+
"tier": "Foundational",
|
|
629
|
+
"scope": "Both",
|
|
630
|
+
"notes": "Monitor multi-agent systems for cascade indicators — error propagation, resource exhaustion spreading, and anomalous inter-agent communication patterns"
|
|
631
|
+
},
|
|
632
|
+
{
|
|
633
|
+
"framework": "FedRAMP",
|
|
634
|
+
"control_id": "IR-4",
|
|
635
|
+
"control_name": "Incident Handling — cascading failure response",
|
|
636
|
+
"tier": "Foundational",
|
|
637
|
+
"scope": "Both",
|
|
638
|
+
"notes": "Define incident handling procedures for cascading agent failures; include automated circuit breakers, agent isolation, and multi-agent system shutdown procedures"
|
|
639
|
+
},
|
|
640
|
+
{
|
|
641
|
+
"framework": "FedRAMP",
|
|
642
|
+
"control_id": "PM-9",
|
|
643
|
+
"control_name": "Risk Management Strategy — automation risk",
|
|
644
|
+
"tier": "Foundational",
|
|
645
|
+
"scope": "Both",
|
|
646
|
+
"notes": "Include cascading automation risk in the organisational risk management strategy; define acceptable multi-agent coupling thresholds and circuit breaker requirements"
|
|
647
|
+
},
|
|
648
|
+
{
|
|
649
|
+
"framework": "DORA",
|
|
650
|
+
"control_id": "Art. 11",
|
|
651
|
+
"control_name": "Response and Recovery — cascading failure response",
|
|
652
|
+
"tier": "Foundational",
|
|
653
|
+
"scope": "Both",
|
|
654
|
+
"notes": "Define response and recovery procedures for cascading agent failures; include automated circuit breakers, agent isolation, and multi-agent system safe-state transitions"
|
|
655
|
+
},
|
|
656
|
+
{
|
|
657
|
+
"framework": "DORA",
|
|
658
|
+
"control_id": "Art. 10",
|
|
659
|
+
"control_name": "Detection — cascade indicator monitoring",
|
|
660
|
+
"tier": "Foundational",
|
|
661
|
+
"scope": "Both",
|
|
662
|
+
"notes": "Monitor multi-agent systems for cascade indicators — error propagation, resource exhaustion spreading, and anomalous inter-agent communication patterns"
|
|
663
|
+
},
|
|
664
|
+
{
|
|
665
|
+
"framework": "DORA",
|
|
666
|
+
"control_id": "Art. 12",
|
|
667
|
+
"control_name": "Backup Policies — agent system continuity",
|
|
668
|
+
"tier": "Foundational",
|
|
669
|
+
"scope": "Both",
|
|
670
|
+
"notes": "Maintain backup configurations, memory snapshots, and fallback agent deployments; enable restoration of agent systems to known-good state"
|
|
671
|
+
},
|
|
672
|
+
{
|
|
673
|
+
"framework": "DORA",
|
|
674
|
+
"control_id": "Art. 5–7",
|
|
675
|
+
"control_name": "ICT Risk Management — cascading risk governance",
|
|
676
|
+
"tier": "Foundational",
|
|
677
|
+
"scope": "Both",
|
|
678
|
+
"notes": "Include cascading automation risk in ICT risk management; define acceptable multi-agent coupling thresholds and circuit breaker requirements"
|
|
679
|
+
}
|
|
680
|
+
],
|
|
681
|
+
"tools": [
|
|
682
|
+
{
|
|
683
|
+
"name": "OpenTelemetry",
|
|
684
|
+
"type": "open-source",
|
|
685
|
+
"url": "https://opentelemetry.io"
|
|
686
|
+
},
|
|
687
|
+
{
|
|
688
|
+
"name": "Resilience4j",
|
|
689
|
+
"type": "open-source",
|
|
690
|
+
"url": "https://resilience4j.readme.io"
|
|
691
|
+
},
|
|
692
|
+
{
|
|
693
|
+
"name": "LangSmith",
|
|
694
|
+
"type": "commercial",
|
|
695
|
+
"url": "https://smith.langchain.com"
|
|
696
|
+
},
|
|
697
|
+
{
|
|
698
|
+
"name": "Claroty",
|
|
699
|
+
"type": "commercial",
|
|
700
|
+
"url": "https://claroty.com"
|
|
701
|
+
},
|
|
702
|
+
{
|
|
703
|
+
"name": "Prometheus",
|
|
704
|
+
"type": "open-source",
|
|
705
|
+
"url": "https://prometheus.io"
|
|
706
|
+
},
|
|
707
|
+
{
|
|
708
|
+
"name": "Netflix Hystrix",
|
|
709
|
+
"type": "open-source",
|
|
710
|
+
"url": "https://github.com/Netflix/Hystrix"
|
|
711
|
+
},
|
|
712
|
+
{
|
|
713
|
+
"name": "LiteLLM",
|
|
714
|
+
"type": "open-source",
|
|
715
|
+
"url": "https://github.com/BerriAI/litellm"
|
|
716
|
+
},
|
|
717
|
+
{
|
|
718
|
+
"name": "Kong Gateway",
|
|
719
|
+
"type": "open-source",
|
|
720
|
+
"url": "https://github.com/Kong/kong"
|
|
721
|
+
},
|
|
722
|
+
{
|
|
723
|
+
"name": "Istio",
|
|
724
|
+
"type": "open-source",
|
|
725
|
+
"url": "https://istio.io"
|
|
726
|
+
},
|
|
727
|
+
{
|
|
728
|
+
"name": "PagerDuty",
|
|
729
|
+
"type": "commercial",
|
|
730
|
+
"url": "https://www.pagerduty.com"
|
|
731
|
+
},
|
|
732
|
+
{
|
|
733
|
+
"name": "AgentOps",
|
|
734
|
+
"url": "https://github.com/AgentOps-AI/agentops",
|
|
735
|
+
"type": "open-source"
|
|
736
|
+
},
|
|
737
|
+
{
|
|
738
|
+
"name": "Agentic Security",
|
|
739
|
+
"url": "https://github.com/msoedov/agentic_security",
|
|
740
|
+
"type": "open-source"
|
|
741
|
+
}
|
|
742
|
+
],
|
|
743
|
+
"incidents": [
|
|
744
|
+
{
|
|
745
|
+
"name": "AutoGPT and BabyAGI — uncontrolled web browsing and file system access",
|
|
746
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
747
|
+
"year": 2023,
|
|
748
|
+
"incident_id": "INC-017"
|
|
749
|
+
},
|
|
750
|
+
{
|
|
751
|
+
"name": "Multi-agent prompt injection cascade — demonstrated cross-agent goal propagation",
|
|
752
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
753
|
+
"year": 2024,
|
|
754
|
+
"incident_id": "INC-020"
|
|
755
|
+
},
|
|
756
|
+
{
|
|
757
|
+
"name": "Nassi et al. \"ComPromptMized\" Morris II multi-agent worm",
|
|
758
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
759
|
+
"year": 2024,
|
|
760
|
+
"incident_id": "INC-023"
|
|
761
|
+
},
|
|
762
|
+
{
|
|
763
|
+
"name": "Multi-agent financial trading system flash crash — cascading autonomous failures",
|
|
764
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
765
|
+
"year": 2025,
|
|
766
|
+
"incident_id": "INC-041"
|
|
767
|
+
}
|
|
768
|
+
],
|
|
769
|
+
"crossrefs": {
|
|
770
|
+
"llm_top10": [
|
|
771
|
+
"LLM10",
|
|
772
|
+
"LLM01",
|
|
773
|
+
"LLM04"
|
|
774
|
+
],
|
|
775
|
+
"dsgai_2026": [
|
|
776
|
+
"DSGAI17",
|
|
777
|
+
"DSGAI05"
|
|
778
|
+
]
|
|
779
|
+
},
|
|
780
|
+
"changelog": [
|
|
781
|
+
{
|
|
782
|
+
"date": "2026-03-27",
|
|
783
|
+
"version": "1.0.0",
|
|
784
|
+
"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
|
|
785
|
+
"author": "emmanuelgjr"
|
|
786
|
+
}
|
|
787
|
+
]
|
|
788
|
+
}
|