From 5bb9d5bd11a7cc774bfa00dad8bad5e174f62947 Mon Sep 17 00:00:00 2001
From: Kjell Tore Guttormsen
Date: Fri, 10 Apr 2026 12:29:14 +0200
Subject: [PATCH] =?UTF-8?q?feat(knowledge):=20add=20compliance-mapping=20d?=
 =?UTF-8?q?ocument=20=E2=80=94=20EU=20AI=20Act,=20NIST=20AI=20RMF,=20ISO?=
 =?UTF-8?q?=2042001?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../knowledge/compliance-mapping.md | 119 ++++++++++++++++++
 .../scanners/compliance-mapping.test.mjs | 68 ++++++++++
 2 files changed, 187 insertions(+)
 create mode 100644 plugins/llm-security/knowledge/compliance-mapping.md
 create mode 100644 plugins/llm-security/tests/scanners/compliance-mapping.test.mjs
diff --git a/plugins/llm-security/knowledge/compliance-mapping.md b/plugins/llm-security/knowledge/compliance-mapping.md
new file mode 100644
index 0000000..b2ebb34
--- /dev/null
+++ b/plugins/llm-security/knowledge/compliance-mapping.md
@@ -0,0 +1,119 @@
+# Compliance Mapping
+
+Maps the llm-security plugin's 13 posture categories and mitigation controls to three enterprise compliance frameworks: EU AI Act, NIST AI RMF, and ISO 42001.
+
+Used by `posture-assessor-agent` and compliance-aware posture categories (14-16) to evaluate framework alignment.
+
+## How to Read This Matrix
+
+- **Plugin Control:** One of the 13 posture scanner categories
+- **Control Type:** Automated (hooks), Configured (settings), Advisory (scans/audits)
+- **EU AI Act:** Regulation (EU) 2024/1689 article(s) the control satisfies
+- **NIST AI RMF:** AI 100-1 function(s) the control supports (Govern, Map, Measure, Manage)
+- **ISO 42001:** ISO/IEC 42001:2023 clause(s) the control aligns with
+- **Coverage Level:** Full (directly satisfies), Partial (contributes to), Supports (enables but does not fully satisfy)
+
+---
+
+## Framework Summary
+
+| Framework | Full Reference | Scope | Key Requirements |
+|-----------|---------------|-------|------------------|
+| EU AI Act | Regulation (EU) 2024/1689 | High-risk AI systems in EU | Art. 9 risk management, Art. 12 record-keeping, Art. 13 transparency, Art. 14 human oversight, Art. 15 accuracy/robustness/cybersecurity, Art. 17 quality management |
+| NIST AI RMF | NIST AI 100-1 (Jan 2023) | Voluntary framework for AI risk | Four functions: Govern, Map, Measure, Manage. GenAI profile: AI 600-1 |
+| ISO 42001 | ISO/IEC 42001:2023 | AI management system (certifiable) | Cl. 4 context, Cl. 5 leadership, Cl. 6 planning/risk, Cl. 7 support, Cl. 8 operation, Cl. 9 performance evaluation, Cl. 10 improvement |
+
+---
+
+## Mapping Matrix
+
+| Plugin Control | Control Type | EU AI Act | NIST AI RMF | ISO 42001 | Coverage |
+|----------------|-------------|-----------|-------------|-----------|----------|
+| Deny-First Configuration | Configured | Art. 15 (cybersecurity — attack surface reduction) | Govern (GV-1: policies), Manage (MG-2: risk response) | Cl. 8.1 (operational planning), Cl.
6.1 (risk assessment) | Partial |
+| Secrets Protection | Automated | Art. 15 (cybersecurity — credential protection) | Manage (MG-2: risk controls) | Cl. 8.3 (risk treatment) | Full |
+| Path Guarding | Automated | Art. 15 (cybersecurity — unauthorized access prevention) | Manage (MG-2: risk response) | Cl. 8.3 (risk treatment) | Full |
+| MCP Server Trust | Configured | Art. 15 (robustness — third-party dependency trust) | Map (MP-3: identify risks from third parties), Govern (GV-6: supply chain) | Cl. 4.1 (external issues), Cl. 8.2 (AI risk assessment) | Partial |
+| Destructive Command Blocking | Automated | Art. 15 (robustness — preventing harmful outputs), Art. 14 (human oversight mechanism) | Manage (MG-3: risk treatment) | Cl. 8.3 (risk treatment), Cl. 8.4 (system impact assessment) | Full |
+| Sandbox Configuration | Configured | Art. 15 (robustness — execution isolation) | Manage (MG-2: risk response) | Cl. 8.1 (operational planning) | Partial |
+| Human Review Requirements | Configured | Art. 14 (human oversight — meaningful human control) | Govern (GV-1: accountability), Map (MP-5: human-AI interaction) | Cl. 5.1 (leadership commitment), Cl. 9.3 (management review) | Full |
+| Skill and Plugin Sources | Advisory | Art. 15 (cybersecurity — supply chain integrity) | Map (MP-3: third-party risks), Govern (GV-6: supply chain) | Cl. 4.1 (external issues), Cl. 8.2 (AI risk assessment) | Partial |
+| Session Isolation | Configured | Art. 15 (robustness — fault isolation), Art. 12 (record-keeping — session boundaries) | Manage (MG-2: containment) | Cl. 8.1 (operational planning) | Partial |
+| Cognitive State Security | Automated | Art. 15 (robustness — data integrity), Art. 9 (risk management — adversarial threats) | Map (MP-2: AI risk identification), Measure (MS-2: detect emergent risks) | Cl. 8.2 (AI risk assessment), Cl. 9.1 (monitoring) | Partial |
+| Prompt Injection Hardening | Automated | Art. 15 (cybersecurity — input validation), Art.
9 (risk management) | Measure (MS-2: detect and track risks), Manage (MG-3: active response) | Cl. 8.3 (risk treatment), Cl. 9.1 (monitoring) | Full |
+| Rule of Two | Automated | Art. 14 (human oversight — intervention capability), Art. 15 (robustness — multi-signal detection) | Measure (MS-2: detect trifecta patterns), Manage (MG-3: escalation) | Cl. 9.1 (monitoring), Cl. 8.4 (system impact assessment) | Full |
+| Long-Horizon Monitoring | Automated | Art. 12 (record-keeping — behavioral audit trail), Art. 15 (robustness — continuous monitoring) | Measure (MS-1: performance monitoring), Manage (MG-4: continuous monitoring) | Cl. 9.1 (monitoring), Cl. 10.1 (continual improvement) | Full |
+
+---
+
+## Per-Framework Coverage Summary
+
+### EU AI Act Coverage
+
+| Article | Requirement | Plugin Controls Covering | Coverage |
+|---------|-------------|-------------------------|----------|
+| Art. 9 | Risk management system | Cognitive State Security, Prompt Injection Hardening, posture scanner, threat-model command | Partial — plugin provides risk detection tooling but is not a full risk management system |
+| Art. 12 | Record-keeping | Long-Horizon Monitoring, Session Isolation, audit trail (v6.0) | Partial — session-level logging; structured audit trail adds SIEM-ready events |
+| Art. 13 | Transparency | Posture reports, scan reports, AI-BOM (v6.0) | Partial — provides transparency tooling for AI components |
+| Art. 14 | Human oversight | Human Review Requirements, Rule of Two, Destructive Command Blocking | Full — enforces human-in-the-loop via deny-first config and trifecta detection |
+| Art. 15 | Accuracy, robustness, cybersecurity | All 13 categories contribute | Full — comprehensive automated + configured controls for robustness and cybersecurity |
+| Art.
17 | Quality management system | Posture scanner, scan-orchestrator, test suite (1147 tests) | Partial — provides quality measurement; not a full QMS |
+
+### NIST AI RMF Coverage
+
+| Function | Subcategories Addressed | Plugin Controls | Coverage |
+|----------|------------------------|-----------------|----------|
+| Govern | GV-1 (policies), GV-6 (supply chain) | Deny-First Configuration, Human Review, Skill Sources, policy-as-code (v6.0) | Partial — provides governance enforcement tooling |
+| Map | MP-2 (risk identification), MP-3 (third-party), MP-5 (human-AI) | MCP Server Trust, Cognitive State, Skill Sources, Human Review, threat-model | Partial — identifies AI-specific risks via scanning and threat modeling |
+| Measure | MS-1 (monitoring), MS-2 (detection) | Long-Horizon Monitoring, Rule of Two, Prompt Injection, posture scanner | Full — continuous measurement via hooks and periodic scanning |
+| Manage | MG-2 (response), MG-3 (treatment), MG-4 (monitoring) | Secrets Protection, Path Guarding, Destructive Blocking, Sandbox, clean command | Full — active risk management via automated blocking and remediation |
+
+### ISO 42001 Coverage
+
+| Clause | Requirement | Plugin Controls | Coverage |
+|--------|-------------|-----------------|----------|
+| Cl. 4 (Context) | Identify internal/external factors | MCP Server Trust, Skill Sources (external dependency tracking) | Supports |
+| Cl. 5 (Leadership) | AI policy, accountability | Human Review Requirements, policy-as-code (v6.0) | Supports |
+| Cl. 6 (Planning) | Risk assessment, AI objectives | Posture scanner, threat-model command | Partial |
+| Cl. 7 (Support) | Resources, competence, awareness | Documentation (README, CLAUDE.md, knowledge base) | Supports |
+| Cl. 8 (Operation) | Risk assessment, treatment, impact assessment | All automated hooks (risk treatment), posture/audit scans (assessment) | Full |
+| Cl.
9 (Performance evaluation) | Monitoring, internal audit, management review | Long-Horizon Monitoring, posture scanner, scan-orchestrator, dashboard | Full |
+| Cl. 10 (Improvement) | Continual improvement, corrective action | Baseline diff, watch/cron, clean command, version history | Partial |
+
+---
+
+## Coverage Limitations
+
+The llm-security plugin is a **security tooling layer**, not a complete compliance solution. It provides:
+
+- **Detection and measurement** (satisfies technical control requirements)
+- **Enforcement at runtime** (satisfies operational control requirements)
+- **Reporting and transparency** (contributes to documentation requirements)
+
+It does **not** provide:
+
+- Organizational governance processes (board-level AI policy, accountability structures)
+- Full risk management lifecycle documentation
+- Third-party audit certification
+- Data governance or privacy controls (GDPR, data quality per Art. 10)
+- Model training oversight (Art. 10, 11)
+
+---
+
+## Verification Log
+
+Each compliance framework reference was web-verified on 2026-04-10:
+
+| Reference | Verified Against | Source URL |
+|-----------|-----------------|------------|
+| EU AI Act Art. 9 (risk management) | Official text, Regulation (EU) 2024/1689 | https://artificialintelligenceact.eu/article/9/ |
+| EU AI Act Art. 12 (record-keeping) | Official text | https://artificialintelligenceact.eu/article/12/ |
+| EU AI Act Art. 13 (transparency) | Section 3-2 overview | https://artificialintelligenceact.eu/section/3-2/ |
+| EU AI Act Art. 14 (human oversight) | Official text | https://artificialintelligenceact.eu/article/14/ |
+| EU AI Act Art. 15 (accuracy, robustness, cybersecurity) | Official text | https://artificialintelligenceact.eu/article/15/ |
+| EU AI Act Art.
17 (quality management) | Official text | https://artificialintelligenceact.eu/article/17/ |
+| NIST AI RMF functions (Govern, Map, Measure, Manage) | NIST AI 100-1 | https://airc.nist.gov/airmf-resources/airmf/ |
+| NIST AI RMF Core subcategories | NIST AI RMF Playbook | https://www.nist.gov/itl/ai-risk-management-framework/nist-ai-rmf-playbook |
+| NIST AI 600-1 GenAI profile | NIST publication | https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf |
+| ISO 42001 Clauses 4-10 structure | Barr Advisory guide | https://www.barradvisory.com/resource/iso-42001-requirements-explained/ |
+| ISO 42001 Cl. 6.1 risk, Cl. 8 operation, Cl. 9 monitoring, Cl. 10 improvement | RSI Security analysis | https://blog.rsisecurity.com/the-10-comprehensive-clauses-of-iso-42001/ |
+| ISO 42001 Cl. 8.2 risk assessment, Cl. 8.4 impact assessment | Cyberzoni clause guide | https://cyberzoni.com/standards/iso-42001/ |
diff --git a/plugins/llm-security/tests/scanners/compliance-mapping.test.mjs b/plugins/llm-security/tests/scanners/compliance-mapping.test.mjs
new file mode 100644
index 0000000..00f4ed1
--- /dev/null
+++ b/plugins/llm-security/tests/scanners/compliance-mapping.test.mjs
@@ -0,0 +1,68 @@
+// compliance-mapping.test.mjs — Tests for knowledge/compliance-mapping.md content
+// Verifies: file exists, contains expected framework headers, all 13 posture categories, verification log
+
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const __dirname = fileURLToPath(new URL('.', import.meta.url));
+const ROOT = resolve(__dirname, '../..');
+const COMPLIANCE_PATH = resolve(ROOT, 'knowledge/compliance-mapping.md');
+
+let content;
+try {
+ content = readFileSync(COMPLIANCE_PATH, 'utf-8');
+} catch {
+ content = null;
+}
+
+describe('knowledge/compliance-mapping.md', () => {
+ it('file exists', () => {
+ assert.ok(content !== null, 'compliance-mapping.md should exist');
+ });
+
+ it('contains EU AI Act header', () => {
+ assert.ok(content.includes('EU AI Act'), 'Should reference EU AI Act');
+ });
+
+ it('contains NIST AI RMF header', () => {
+ assert.ok(content.includes('NIST AI RMF'), 'Should reference NIST AI RMF');
+ });
+
+ it('contains ISO 42001 header', () => {
+ assert.ok(content.includes('ISO 42001'), 'Should reference ISO 42001');
+ });
+
+ // All 13 existing posture category names must appear
+ const categories = [
+ 'Deny-First Configuration',
+ 'Secrets Protection',
+ 'Path Guarding',
+ 'MCP Server Trust',
+ 'Destructive Command Blocking',
+ 'Sandbox Configuration',
+ 'Human Review Requirements',
+ 'Skill and Plugin Sources',
+ 'Session Isolation',
+ 'Cognitive State Security',
+ 'Prompt Injection Hardening',
+ 'Rule of Two',
+ 'Long-Horizon Monitoring',
+ ];
+
+ for (const cat of categories) {
+ it(`contains posture category: ${cat}`, () => {
+ assert.ok(content.includes(cat), `Should reference posture category "${cat}"`);
+ });
+ }
+
+ it('contains Verification Log section', () => {
+ assert.ok(content.includes('Verification Log'), 'Should have a Verification Log
section');
+ });
+
+ it('contains at least one source URL', () => {
+ assert.ok(/https?:\/\//.test(content), 'Should contain at least one verification URL');
+ });
+});
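Review bot: When the document is missing, every case after 'file exists' calls `content.includes(...)` on `null` and dies with a TypeError instead of the intended assertion message, and the bare `catch {}` at the top of the hunk folds any read failure (permissions, a directory at that path) into "missing", hiding the real cause. Narrow the catch and give the later cases a safe string to search: `} catch (err) { if (err.code !== 'ENOENT') throw err; content = null; }` followed by `const text = content ?? '';`, then use `text.includes(...)` and `.test(text)` inside the `it` bodies. The final check `/https?:\/\//.test(content)` is satisfied by any URL anywhere in the file, so it does not actually confirm that the Verification Log rows carry a source; slicing `text` from the `## Verification Log` heading before applying the regex, or asserting one URL per table row, would make the check meaningful. The category loop is likewise presence-only — a name mentioned in prose would pass — so matching the row prefix `| ${cat} |` would tie each category to the mapping matrix rather than to any mention.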