diff --git a/CLAUDE.md b/CLAUDE.md
index 295ae0c..684d8e5 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -9,7 +9,7 @@ plugins/
   ai-psychosis/          v1.0.0  — Interaction awareness (sycophancy, reinforcement loops)
   config-audit/          v3.0.1  — Configuration intelligence (health, opportunities, auto-fix)
   linkedin-thought-leadership/  v1.1.0  — LinkedIn content pipeline + analytics
-  llm-security/          v5.1.0  — Security scanning, auditing, threat modeling
+  llm-security/          v6.0.0  — Security scanning, auditing, threat modeling
   ms-ai-architect/       v1.8.0  — Microsoft AI architecture (Cosmo Skyberg persona)
   okr/                   v1.0.0  — OKR guidance for Norwegian public sector
   ultraplan-local/       v1.6.0  — Deep planning, research, execution
diff --git a/README.md b/README.md
index e3fa240..e43ff27 100644
--- a/README.md
+++ b/README.md
@@ -22,19 +22,20 @@ Then open Claude Code and type `/plugin` to browse and install plugins from the
 
 ## Plugins
 
-### [LLM Security](plugins/llm-security/) `v5.1.0`
+### [LLM Security](plugins/llm-security/) `v6.0.0`
 
 Security scanning, auditing, and threat modeling for agentic AI projects.
 
 Built on OWASP LLM Top 10 (2025), OWASP Agentic AI Top 10, and the AI Agent Traps taxonomy (Google DeepMind, 2025). Three layers of protection:
 
 - **Automated enforcement** — 8 hooks that block dangerous operations in real time (prompt injection, secrets in code, destructive commands, supply chain guardrails)
-- **Deterministic scanning** — 15 Node.js scanners for byte-level analysis: Shannon entropy, Unicode codepoints, typosquatting detection, taint flow, DNS resolution, git forensics
+- **Deterministic scanning** — 16 Node.js scanners for byte-level analysis: Shannon entropy, Unicode codepoints, typosquatting detection, taint flow, DNS resolution, git forensics, AI-BOM
 - **Advisory analysis** — 18 commands that scan, audit, and model threats with structured reports, letter grades, and actionable remediation
+- **Enterprise governance** — Compliance mapping (EU AI Act, NIST AI RMF, ISO 42001), SARIF 2.1.0 output, structured audit trail, policy-as-code, standalone CLI
 
 Key commands: `/security posture`, `/security audit`, `/security scan`, `/security threat-model`, `/security plugin-audit`
 
-6 specialized agents · 15 scanners · 8 hooks · 13 knowledge docs
+6 specialized agents · 16 scanners · 8 hooks · 15 knowledge docs
 
 → [Full documentation](plugins/llm-security/README.md)
 
diff --git a/plugins/llm-security/.claude-plugin/plugin.json b/plugins/llm-security/.claude-plugin/plugin.json
index 3cb251c..54ad24f 100644
--- a/plugins/llm-security/.claude-plugin/plugin.json
+++ b/plugins/llm-security/.claude-plugin/plugin.json
@@ -1,5 +1,5 @@
 {
   "name": "llm-security",
   "description": "Security scanning, auditing, and threat modeling for Claude Code projects. Detects secrets, validates MCP servers, assesses security posture, and generates threat models aligned with OWASP LLM Top 10.",
-  "version": "5.1.0"
+  "version": "6.0.0"
 }
diff --git a/plugins/llm-security/CHANGELOG.md b/plugins/llm-security/CHANGELOG.md
index ecec23e..26b3de8 100644
--- a/plugins/llm-security/CHANGELOG.md
+++ b/plugins/llm-security/CHANGELOG.md
@@ -4,6 +4,26 @@ All notable changes to the LLM Security Plugin are documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
+## [6.0.0] - 2026-04-10
+
+### Added
+- **Compliance mapping** — `knowledge/compliance-mapping.md` maps plugin capabilities to EU AI Act (Art. 9, 15, 17), NIST AI RMF (Map, Measure, Manage, Govern), ISO 42001 (Annex A), and MITRE ATLAS techniques (AML.T IDs)
+- **Norwegian regulatory context** — `knowledge/norwegian-context.md` covers Datatilsynet (DPIA for AI), NSM (basic security principles), and Digitaliseringsdirektoratet guidance
+- **SARIF 2.1.0 output** — `scanners/lib/sarif-formatter.mjs` converts scan output to OASIS SARIF standard format. Use `--format sarif` with scan/deep-scan commands
+- **Structured audit trail** — `scanners/lib/audit-trail.mjs` writes JSONL audit events with ISO 8601 timestamps, OWASP category tags, and SIEM-ready schema. Configurable via `LLM_SECURITY_AUDIT_*` env vars
+- **AI-BOM generator** — `scanners/ai-bom-generator.mjs` + `scanners/lib/bom-builder.mjs` produce CycloneDX 1.6 Bills of Materials for AI components (models, MCP servers, plugins, knowledge, hooks)
+- **Policy-as-code** — `scanners/lib/policy-loader.mjs` reads `.llm-security/policy.json` for distributable hook configuration. Integrated into all 8 hooks. Env vars always take precedence
+- **Standalone CLI** — `bin/llm-security.mjs` provides `npx llm-security` entry point. Subcommands: `scan`, `deep-scan`, `posture`, `audit-bom`, `benchmark`
+- **Posture compliance categories** — 3 new posture categories (14: EU AI Act, 15: NIST AI RMF, 16: ISO 42001). Advisory only — do not affect Grade A threshold
+- **Attack simulator benchmark mode** — `--benchmark` flag outputs structured pass/fail metrics for CI integration
+
+### Changed
+- Version bump: 5.1.0 → 6.0.0 across all files
+- Knowledge base expanded from 13 to 15 files
+- Scanner count: 15 → 16 (AI-BOM generator added)
+- Posture scanner: 13 → 16 categories
+- All hooks now read policy from `.llm-security/policy.json` (backward-compatible — defaults match hardcoded values)
+
 ## [5.1.0] - 2026-04-07
 
 ### Added
diff --git a/plugins/llm-security/CLAUDE.md b/plugins/llm-security/CLAUDE.md
index 59f56f1..c48f62e 100644
--- a/plugins/llm-security/CLAUDE.md
+++ b/plugins/llm-security/CLAUDE.md
@@ -1,6 +1,6 @@
-# LLM Security Plugin (v5.1.0)
+# LLM Security Plugin (v6.0.0)
 
-Security scanning, auditing, and threat modeling for Claude Code projects. 5 frameworks: OWASP LLM Top 10, Agentic AI Top 10 (ASI), Skills Top 10 (AST), MCP Top 10, AI Agent Traps (DeepMind). 1147 tests.
+Security scanning, auditing, and threat modeling for Claude Code projects. 5 frameworks: OWASP LLM Top 10, Agentic AI Top 10 (ASI), Skills Top 10 (AST), MCP Top 10, AI Agent Traps (DeepMind). 1242+ tests.
 
 ## Commands
 
@@ -77,7 +77,11 @@ Memory-poisoning (MEM) detects cognitive state poisoning in CLAUDE.md, memory fi
 Toxic-flow (TFA) is a post-processing correlator that runs LAST — detects "lethal trifecta" (untrusted input + sensitive data access + exfiltration sink) by correlating output from prior scanners.
 Utility: `node scanners/lib/fs-utils.mjs <backup|restore|cleanup|tmppath> [args]`.
 
-**Standalone (5):** `posture-scanner.mjs` — deterministic posture assessment, 13 categories, <50ms. NOT in scan-orchestrator (meta-level, not code-level).
+Lib: `sarif-formatter.mjs` — converts scan output to OASIS SARIF 2.1.0 format. Used by `--format sarif` flag.
+Lib: `audit-trail.mjs` — writes structured JSONL audit events (ISO 8601, OWASP tags, SIEM-ready). Env: `LLM_SECURITY_AUDIT_*`.
+Lib: `policy-loader.mjs` — reads `.llm-security/policy.json` for distributable hook configuration. Defaults match hardcoded values.
+
+**Standalone (7):** `posture-scanner.mjs` — deterministic posture assessment, 16 categories (incl. EU AI Act, NIST AI RMF, ISO 42001), <50ms. NOT in scan-orchestrator (meta-level, not code-level).
 Run: `node scanners/posture-scanner.mjs [path]` → JSON stdout. Scanner prefix: PST. Used by `/security posture` and `/security audit`.
 `mcp-live-inspect.mjs` — NOT in scan-orchestrator. MCP servers are running processes, not files.
 Run: `node scanners/mcp-live-inspect.mjs [target] [--timeout 10000] [--skip-global]`
@@ -86,7 +90,8 @@ Scanner prefix: MCI. OWASP: MCP03, MCP06, MCP09. Invoked by `mcp-inspect` and `m
 `reference-config-generator.mjs` — generates Grade A reference config based on posture gaps. Detects project type (plugin/monorepo/standalone). Templates in `templates/reference-config/`. Run: `node scanners/reference-config-generator.mjs [path] [--apply]`
 `dashboard-aggregator.mjs` — cross-project security dashboard. Discovers Claude Code projects under ~/ (depth 3) and ~/.claude/plugins/, runs posture-scanner on each, aggregates to machine-grade (weakest link). Cache in `~/.cache/llm-security/dashboard-latest.json` (24h staleness). Run: `node scanners/dashboard-aggregator.mjs [--no-cache] [--max-depth N]`
 
-`attack-simulator.mjs` — red-team harness. Data-driven: 64 scenarios in 12 categories from `knowledge/attack-scenarios.json`. Payloads constructed at runtime (fragment assembly to avoid triggering hooks on source). Uses `runHook()` from test helper. Adaptive mode (`--adaptive`): 5 mutation rounds per passing scenario (homoglyph, encoding, zero-width, case alternation, synonym). Mutation rules in `knowledge/attack-mutations.json`. Run: `node scanners/attack-simulator.mjs [--category <name>] [--json] [--verbose] [--adaptive]`
+`attack-simulator.mjs` — red-team harness. Data-driven: 64 scenarios in 12 categories from `knowledge/attack-scenarios.json`. Payloads constructed at runtime (fragment assembly to avoid triggering hooks on source). Uses `runHook()` from test helper. Adaptive mode (`--adaptive`): 5 mutation rounds per passing scenario (homoglyph, encoding, zero-width, case alternation, synonym). Mutation rules in `knowledge/attack-mutations.json`. Benchmark mode (`--benchmark`): outputs structured pass/fail metrics. Run: `node scanners/attack-simulator.mjs [--category <name>] [--json] [--verbose] [--adaptive] [--benchmark]`
+`ai-bom-generator.mjs` — AI Bill of Materials generator. Discovers AI components (models, MCP servers, plugins, knowledge, hooks) and outputs CycloneDX 1.6 JSON. Scanner prefix: BOM. Run: `node scanners/ai-bom-generator.mjs <target> [--output-file <path>]`
 
 ## Token Budget (ENFORCED)
 
@@ -99,7 +104,13 @@ All commands total ~600 lines. All commands use registered subagent types.
 - Agents run sequentially to avoid burst rate limits
 - `pre-install-supply-chain.mjs` queries OSV.dev for CVEs on every package install
 
-## Knowledge Files (13)
+## CLI
+
+`bin/llm-security.mjs` — standalone CLI entry point. Works without Claude Code via `npx llm-security` or `node bin/llm-security.mjs`.
+Subcommands: `scan`, `deep-scan`, `posture`, `audit-bom`, `benchmark`. Dispatches to scanner scripts via `child_process.spawn`.
+`package.json` `bin` field: `"llm-security": "./bin/llm-security.mjs"`.
+
+## Knowledge Files (15)
 
 | File | Content |
 |------|---------|
@@ -116,6 +127,8 @@ All commands total ~600 lines. All commands use registered subagent types.
 | `deepmind-agent-traps.md` | DeepMind AI Agent Traps — 6 categories, 43 techniques, coverage matrix |
 | `attack-scenarios.json` | 64 red-team scenarios across 12 categories for attack simulation |
 | `attack-mutations.json` | Synonym tables and mutation rules for adaptive red-team testing |
+| `compliance-mapping.md` | EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS mappings to plugin capabilities |
+| `norwegian-context.md` | Norwegian regulatory landscape — Datatilsynet, NSM, Digitaliseringsdirektoratet |
 
 ## Reports
 
diff --git a/plugins/llm-security/README.md b/plugins/llm-security/README.md
index 3c61117..efdf0c2 100644
--- a/plugins/llm-security/README.md
+++ b/plugins/llm-security/README.md
@@ -4,12 +4,12 @@
 
 *Built for my own Claude Code workflow and shared openly for anyone who finds it useful. This is a solo project — bug reports and feature requests are welcome, but pull requests are not accepted.*
 
-![Version](https://img.shields.io/badge/version-5.1.0-blue)
+![Version](https://img.shields.io/badge/version-6.0.0-blue)
 ![Platform](https://img.shields.io/badge/platform-Claude_Code_Plugin-purple)
 ![Agents](https://img.shields.io/badge/agents-6-orange)
-![Scanners](https://img.shields.io/badge/scanners-15-cyan)
+![Scanners](https://img.shields.io/badge/scanners-16-cyan)
 ![Hooks](https://img.shields.io/badge/hooks-8-red)
-![Knowledge](https://img.shields.io/badge/knowledge_docs-13-green)
+![Knowledge](https://img.shields.io/badge/knowledge_docs-15-green)
 ![License](https://img.shields.io/badge/license-MIT-lightgrey)
 
 A Claude Code plugin that provides security scanning, auditing, and threat modeling for agentic AI projects. Built on [OWASP LLM Top 10 (2025)](https://genai.owasp.org/llm-top-10/), [OWASP Agentic AI Top 10](https://genai.owasp.org/agentic-ai/), and the [AI Agent Traps](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6372438) taxonomy (Google DeepMind, 2025), with threat intelligence from ToxicSkills, ClawHavoc, MCPTox, Pillar Security, Invariant Labs, and Operant AI research.
@@ -404,7 +404,7 @@ All hooks are Node.js (`.mjs`) for cross-platform compatibility (macOS, Linux, W
 
 ## Knowledge Base
 
-9 research-backed reference files grounding all analysis in published threat intelligence:
+15 research-backed reference files grounding all analysis in published threat intelligence:
 
 | File | Scope |
 |------|-------|
@@ -417,12 +417,38 @@ All hooks are Node.js (`.mjs`) for cross-platform compatibility (macOS, Linux, W
 | `mitigation-matrix.md` | OWASP LLM Top 10 → Claude Code control mapping with verification checks and coverage scores |
 | `top-packages.json` | Top 200 npm + top 100 PyPI package names for typosquatting detection (Levenshtein baseline) |
 | `skill-registry.json` | Seed data for skill signature registry — known fingerprints and risk profiles |
+| `compliance-mapping.md` | EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS — article/control mappings to plugin capabilities |
+| `norwegian-context.md` | Norwegian regulatory landscape — Datatilsynet, NSM, Digitaliseringsdirektoratet guidance for AI security |
+| `prompt-injection-research-2025-2026.md` | 7 research papers (2025-2026) with implications for hook defenses |
+| `deepmind-agent-traps.md` | DeepMind AI Agent Traps — 6 categories, 43 techniques, coverage matrix |
+| `attack-scenarios.json` | 64 red-team scenarios across 12 categories for attack simulation |
+| `attack-mutations.json` | Synonym tables and mutation rules for adaptive red-team testing |
 
 > [!NOTE]
 > All knowledge base content is derived from published OWASP standards and peer-reviewed security research. The knowledge files provide grounding for agent analysis — agents read relevant sections before producing findings.
 
 ---
 
+## Compliance & Governance
+
+v6.0.0 adds an enterprise governance layer for standards-aware security operations:
+
+| Capability | Description |
+|------------|-------------|
+| **Compliance Mapping** | Maps plugin capabilities to EU AI Act (Art. 9, 15, 17), NIST AI RMF (Map, Measure, Manage, Govern), ISO 42001 (Annex A), and MITRE ATLAS techniques. Posture categories 14-16 assess compliance readiness. |
+| **Norwegian Context** | Regulatory guidance from Datatilsynet (DPIA for AI), NSM (basic security principles), and Digitaliseringsdirektoratet. Relevant for Norwegian public sector AI deployments. |
+| **SARIF 2.1.0 Output** | `--format sarif` flag on scan/deep-scan produces OASIS SARIF standard output for CI/CD integration (GitHub Advanced Security, Azure DevOps, SonarQube). |
+| **Structured Audit Trail** | JSONL audit events (`audit-trail.mjs`) with ISO 8601 timestamps, OWASP category tags, and SIEM-ready schema. Configurable via `LLM_SECURITY_AUDIT_*` env vars. |
+| **AI-BOM** | CycloneDX 1.6 Bill of Materials for AI components — models, MCP servers, plugins, knowledge files, hooks. `llm-security audit-bom <target>`. |
+| **Policy-as-Code** | `.llm-security/policy.json` for distributable hook configuration. Teams can enforce consistent security thresholds without per-developer env var setup. |
+| **Standalone CLI** | `npx llm-security scan <target>` — runs scanners without Claude Code. Subcommands: `scan`, `posture`, `audit-bom`, `benchmark`. |
+
+### Benchmarks
+
+The attack simulator (`llm-security benchmark`) tests hook defenses with 64 crafted scenarios across 12 categories. Adaptive mode (`--adaptive`) applies 5 mutation rounds per passing scenario (homoglyph substitution, encoding variations, zero-width injection, case alternation, synonym replacement).
+
+---
+
 ## OWASP Coverage
 
 | Category | Automated (Hooks) | Deterministic (Scanners) | Advisory (Commands) | Coverage |
@@ -730,6 +756,7 @@ This plugin provides full-stack security hardening (static analysis + supply cha
 
 | Version | Date | Highlights |
 |---------|------|------------|
+| **6.0.0** | 2026-04-10 | **CAISS-readiness release.** Enterprise compliance and governance layer: compliance mapping (EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS), Norwegian regulatory context (Datatilsynet, NSM, Digitaliseringsdirektoratet), SARIF 2.1.0 output format (`--format sarif`), structured JSONL audit trail (`audit-trail.mjs`), AI-BOM generator (CycloneDX 1.6), policy-as-code (`.llm-security/policy.json`), standalone CLI (`bin/llm-security.mjs` — `npx llm-security scan`). Posture scanner expanded to 16 categories (+EU AI Act, NIST AI RMF, ISO 42001). Attack simulator benchmark mode (`--benchmark`). 15 knowledge docs, 16 scanners, 1242+ tests. |
 | **5.1.0** | 2026-04-07 | **Sandboxed remote cloning.** Defense-in-depth for `git clone` attack surface: (1) 8 git config flags disable hooks, symlinks, filter/smudge drivers, fsmonitor, local file protocol; 4 env vars isolate from system/user config. (2) OS sandbox: macOS `sandbox-exec` + Linux `bubblewrap` restrict file writes to only the clone temp dir. Graceful fallback on Windows (git config only). Post-clone size check (100MB max). UUID-unique evidence filenames prevent race conditions. Cleanup guarantee in scan/plugin-audit commands. 1147 tests (was 1115). |
 | **5.0.0** | 2026-04-06 | **Prompt Injection Hardening (v5.0).** 8-session defense-in-depth overhaul driven by 7 research papers (2025-2026). MEDIUM advisory for obfuscation signals (leetspeak, homoglyphs, zero-width, multi-language). Unicode Tag steganography detection (U+E0000-E007F). Bash expansion normalization (`bash-normalize.mjs`). Rule of Two enforcement (configurable `LLM_SECURITY_TRIFECTA_MODE=block\|warn\|off`). 100-call long-horizon monitoring window with slow-burn trifecta detection. Behavioral drift via Jensen-Shannon divergence. HITL trap detection (approval urgency, summary suppression, scope minimization). Sub-agent delegation tracking (escalation-after-input advisory). NL indirection patterns. Hybrid attacks (P2SQL, recursive injection, XSS-in-agent). CaMeL-inspired data flow tagging (SHA-256 provenance, output-to-input linking). Adaptive red-team (5 mutation rounds per scenario: homoglyph, encoding, zero-width, case alternation, synonym). Knowledge base expanded: `prompt-injection-research-2025-2026.md`, `deepmind-agent-traps.md`, `attack-mutations.json`. Posture scanner expanded to 13 categories (+Prompt Injection Hardening, Rule of Two, Long-Horizon Monitoring). Defense Philosophy section documenting honest limitations. 1115 tests. |
 | **4.5.1** | 2026-04-04 | **Cross-platform support.** Windows/Linux compatibility: `fileURLToPath()`, `path.dirname()`, native `fetch()` replaces `curl` subprocess, fixed tilde expansion regex. 11 files, 782 tests pass. |
diff --git a/plugins/llm-security/scanners/dashboard-aggregator.mjs b/plugins/llm-security/scanners/dashboard-aggregator.mjs
index 1e122e9..f466810 100644
--- a/plugins/llm-security/scanners/dashboard-aggregator.mjs
+++ b/plugins/llm-security/scanners/dashboard-aggregator.mjs
@@ -19,7 +19,7 @@ import { scan } from './posture-scanner.mjs';
 // Constants
 // ---------------------------------------------------------------------------
 
-const VERSION = '5.1.0';
+const VERSION = '6.0.0';
 
 /** Cache location */
 const CACHE_DIR = join(homedir(), '.cache', 'llm-security');