# Compliance Mapping

Maps the llm-security plugin's 13 posture categories and mitigation controls to three enterprise compliance frameworks: EU AI Act, NIST AI RMF, and ISO 42001. Used by `posture-assessor-agent` and the compliance-aware posture categories (14-16) to evaluate framework alignment.

## How to Read This Matrix

- **Plugin Control:** One of the 13 posture scanner categories
- **Control Type:** Automated (hooks), Configured (settings), Advisory (scans/audits)
- **EU AI Act:** Regulation (EU) 2024/1689 article(s) the control satisfies
- **NIST AI RMF:** AI 100-1 function(s) the control supports (Govern, Map, Measure, Manage)
- **ISO 42001:** ISO/IEC 42001:2023 clause(s) the control aligns with
- **Coverage Level:** Full (directly satisfies), Partial (contributes to), Supports (enables but does not fully satisfy)

---

## Framework Summary

| Framework | Full Reference | Scope | Key Requirements |
|-----------|---------------|-------|------------------|
| EU AI Act | Regulation (EU) 2024/1689 | High-risk AI systems in EU | Art. 9 risk management, Art. 12 record-keeping, Art. 13 transparency, Art. 14 human oversight, Art. 15 accuracy/robustness/cybersecurity, Art. 17 quality management |
| NIST AI RMF | NIST AI 100-1 (Jan 2023) | Voluntary framework for AI risk | Four functions: Govern, Map, Measure, Manage. GenAI profile: AI 600-1 |
| ISO 42001 | ISO/IEC 42001:2023 | AI management system (certifiable) | Cl. 4 context, Cl. 5 leadership, Cl. 6 planning/risk, Cl. 7 support, Cl. 8 operation, Cl. 9 performance evaluation, Cl. 10 improvement |

---

## Mapping Matrix

| Plugin Control | Control Type | EU AI Act | NIST AI RMF | ISO 42001 | Coverage |
|----------------|-------------|-----------|-------------|-----------|----------|
| Deny-First Configuration | Configured | Art. 15 (cybersecurity — attack surface reduction) | Govern (GV-1: policies), Manage (MG-2: risk response) | Cl. 8.1 (operational planning), Cl. 6.1 (risk assessment) | Partial |
| Secrets Protection | Automated | Art. 15 (cybersecurity — credential protection) | Manage (MG-2: risk controls) | Cl. 8.3 (risk treatment) | Full |
| Path Guarding | Automated | Art. 15 (cybersecurity — unauthorized access prevention) | Manage (MG-2: risk response) | Cl. 8.3 (risk treatment) | Full |
| MCP Server Trust | Configured | Art. 15 (robustness — third-party dependency trust) | Map (MP-3: identify risks from third parties), Govern (GV-6: supply chain) | Cl. 4.1 (external issues), Cl. 8.2 (AI risk assessment) | Partial |
| Destructive Command Blocking | Automated | Art. 15 (robustness — preventing harmful outputs), Art. 14 (human oversight mechanism) | Manage (MG-3: risk treatment) | Cl. 8.3 (risk treatment), Cl. 8.4 (system impact assessment) | Full |
| Sandbox Configuration | Configured | Art. 15 (robustness — execution isolation) | Manage (MG-2: risk response) | Cl. 8.1 (operational planning) | Partial |
| Human Review Requirements | Configured | Art. 14 (human oversight — meaningful human control) | Govern (GV-1: accountability), Map (MP-5: human-AI interaction) | Cl. 5.1 (leadership commitment), Cl. 9.3 (management review) | Full |
| Skill and Plugin Sources | Advisory | Art. 15 (cybersecurity — supply chain integrity) | Map (MP-3: third-party risks), Govern (GV-6: supply chain) | Cl. 4.1 (external issues), Cl. 8.2 (AI risk assessment) | Partial |
| Session Isolation | Configured | Art. 15 (robustness — fault isolation), Art. 12 (record-keeping — session boundaries) | Manage (MG-2: containment) | Cl. 8.1 (operational planning) | Partial |
| Cognitive State Security | Automated | Art. 15 (robustness — data integrity), Art. 9 (risk management — adversarial threats) | Map (MP-2: AI risk identification), Measure (MS-2: detect emergent risks) | Cl. 8.2 (AI risk assessment), Cl. 9.1 (monitoring) | Partial |
| Prompt Injection Hardening | Automated | Art. 15 (cybersecurity — input validation), Art. 9 (risk management) | Measure (MS-2: detect and track risks), Manage (MG-3: active response) | Cl. 8.3 (risk treatment), Cl. 9.1 (monitoring) | Full |
| Rule of Two | Automated | Art. 14 (human oversight — intervention capability), Art. 15 (robustness — multi-signal detection) | Measure (MS-2: detect trifecta patterns), Manage (MG-3: escalation) | Cl. 9.1 (monitoring), Cl. 8.4 (system impact assessment) | Full |
| Long-Horizon Monitoring | Automated | Art. 12 (record-keeping — behavioral audit trail), Art. 15 (robustness — continuous monitoring) | Measure (MS-1: performance monitoring), Manage (MG-4: continuous monitoring) | Cl. 9.1 (monitoring), Cl. 10.1 (continual improvement) | Full |

---

## Per-Framework Coverage Summary

### EU AI Act Coverage

| Article | Requirement | Plugin Controls Covering | Coverage |
|---------|-------------|-------------------------|----------|
| Art. 9 | Risk management system | Cognitive State Security, Prompt Injection Hardening, posture scanner, threat-model command | Partial — plugin provides risk detection tooling but is not a full risk management system |
| Art. 12 | Record-keeping | Long-Horizon Monitoring, Session Isolation, audit trail (v6.0) | Partial — session-level logging; structured audit trail adds SIEM-ready events |
| Art. 13 | Transparency | Posture reports, scan reports, AI-BOM (v6.0) | Partial — provides transparency tooling for AI components |
| Art. 14 | Human oversight | Human Review Requirements, Rule of Two, Destructive Command Blocking | Full — enforces human-in-the-loop via deny-first config and trifecta detection |
| Art. 15 | Accuracy, robustness, cybersecurity | 12 of the 13 categories contribute (all except Human Review Requirements, which maps to Art. 14 only) | Full — comprehensive automated + configured controls for robustness and cybersecurity |
| Art. 17 | Quality management system | Posture scanner, scan-orchestrator, test suite (1147 tests) | Partial — provides quality measurement; not a full QMS |

### NIST AI RMF Coverage

| Function | Subcategories Addressed | Plugin Controls | Coverage |
|----------|------------------------|-----------------|----------|
| Govern | GV-1 (policies), GV-6 (supply chain) | Deny-First Configuration, Human Review, MCP Server Trust, Skill Sources, policy-as-code (v6.0) | Partial — provides governance enforcement tooling |
| Map | MP-2 (risk identification), MP-3 (third-party), MP-5 (human-AI) | MCP Server Trust, Cognitive State, Skill Sources, Human Review, threat-model | Partial — identifies AI-specific risks via scanning and threat modeling |
| Measure | MS-1 (monitoring), MS-2 (detection) | Long-Horizon Monitoring, Rule of Two, Prompt Injection, Cognitive State, posture scanner | Full — continuous measurement via hooks and periodic scanning |
| Manage | MG-2 (response), MG-3 (treatment), MG-4 (monitoring) | Secrets Protection, Path Guarding, Destructive Blocking, Sandbox, clean command | Full — active risk management via automated blocking and remediation |

### ISO 42001 Coverage

| Clause | Requirement | Plugin Controls | Coverage |
|--------|-------------|-----------------|----------|
| Cl. 4 (Context) | Identify internal/external factors | MCP Server Trust, Skill Sources (external dependency tracking) | Supports |
| Cl. 5 (Leadership) | AI policy, accountability | Human Review Requirements, policy-as-code (v6.0) | Supports |
| Cl. 6 (Planning) | Risk assessment, AI objectives | Deny-First Configuration, posture scanner, threat-model command | Partial |
| Cl. 7 (Support) | Resources, competence, awareness | Documentation (README, CLAUDE.md, knowledge base) | Supports |
| Cl. 8 (Operation) | Risk assessment, treatment, impact assessment | All automated hooks (risk treatment), posture/audit scans (assessment) | Full |
| Cl. 9 (Performance evaluation) | Monitoring, internal audit, management review | Long-Horizon Monitoring, posture scanner, scan-orchestrator, dashboard | Full |
| Cl. 10 (Improvement) | Continual improvement, corrective action | Baseline diff, watch/cron, clean command, version history | Partial |

---

## Coverage Limitations

The llm-security plugin is a **security tooling layer**, not a complete compliance solution. It provides:

- **Detection and measurement** (satisfies technical control requirements)
- **Enforcement at runtime** (satisfies operational control requirements)
- **Reporting and transparency** (contributes to documentation requirements)

It does **not** provide:

- Organizational governance processes (board-level AI policy, accountability structures)
- Full risk management lifecycle documentation
- Third-party audit certification
- Data governance or privacy controls (GDPR, data quality per Art. 10)
- Model training oversight and technical documentation (Art. 10, 11)

---

## Verification Log

Each compliance framework reference was web-verified on 2026-04-10:

| Reference | Verified Against | Source URL |
|-----------|-----------------|------------|
| EU AI Act Art. 9 (risk management) | Official text, Regulation (EU) 2024/1689 | https://artificialintelligenceact.eu/article/9/ |
| EU AI Act Art. 12 (record-keeping) | Official text | https://artificialintelligenceact.eu/article/12/ |
| EU AI Act Art. 13 (transparency) | Section 3-2 overview | https://artificialintelligenceact.eu/section/3-2/ |
| EU AI Act Art. 14 (human oversight) | Official text | https://artificialintelligenceact.eu/article/14/ |
| EU AI Act Art. 15 (accuracy, robustness, cybersecurity) | Official text | https://artificialintelligenceact.eu/article/15/ |
| EU AI Act Art. 17 (quality management) | Official text | https://artificialintelligenceact.eu/article/17/ |
| NIST AI RMF functions (Govern, Map, Measure, Manage) | NIST AI 100-1 | https://airc.nist.gov/airmf-resources/airmf/ |
| NIST AI RMF Core subcategories | NIST AI RMF Playbook | https://www.nist.gov/itl/ai-risk-management-framework/nist-ai-rmf-playbook |
| NIST AI 600-1 GenAI profile | NIST publication | https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf |
| ISO 42001 Clauses 4-10 structure | Barr Advisory guide | https://www.barradvisory.com/resource/iso-42001-requirements-explained/ |
| ISO 42001 Cl. 6.1 risk, Cl. 8 operation, Cl. 9 monitoring, Cl. 10 improvement | RSI Security analysis | https://blog.rsisecurity.com/the-10-comprehensive-clauses-of-iso-42001/ |
| ISO 42001 Cl. 8.2 risk assessment, Cl. 8.4 impact assessment | Cyberzoni clause guide | https://cyberzoni.com/standards/iso-42001/ |
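---

## Cross-Checking the Summaries Against the Matrix

The per-framework coverage summaries are derived by hand from the mapping matrix, which is where drift creeps in: a summary line can claim "all 13 categories" for an article that one category does not cite, or omit a control the matrix does map there. The script below is an added example for this page, not code from the llm-security plugin or its `posture-assessor-agent`. It transcribes the matrix as data, inverts it per framework, rolls NIST categories up to the four functions and ISO sub-clauses up to top-level clauses, and reports what a summary line omits or over-claims. The identifiers are the page's own abbreviations (GV-1, MP-3, Cl. 8.1); the `draft_govern` set in `main` is a constructed summary line used to show the reconciliation, not a line from the page.

```python
"""Cross-check per-framework coverage summaries against the mapping matrix.

Added example for this page; not code from the llm-security plugin. MATRIX is
transcribed from the Mapping Matrix table using the page's own abbreviations
for NIST AI RMF categories (GV-1, MP-3, ...) and ISO 42001 clauses (Cl. 8.1).
"""
from collections import defaultdict

# control -> (control type, EU AI Act articles, NIST AI RMF categories,
#             ISO 42001 clauses, coverage level)
MATRIX = {
    "Deny-First Configuration":     ("Configured", {"Art. 15"},            {"GV-1", "MG-2"}, {"Cl. 8.1", "Cl. 6.1"},  "Partial"),
    "Secrets Protection":           ("Automated",  {"Art. 15"},            {"MG-2"},         {"Cl. 8.3"},             "Full"),
    "Path Guarding":                ("Automated",  {"Art. 15"},            {"MG-2"},         {"Cl. 8.3"},             "Full"),
    "MCP Server Trust":             ("Configured", {"Art. 15"},            {"MP-3", "GV-6"}, {"Cl. 4.1", "Cl. 8.2"},  "Partial"),
    "Destructive Command Blocking": ("Automated",  {"Art. 15", "Art. 14"}, {"MG-3"},         {"Cl. 8.3", "Cl. 8.4"},  "Full"),
    "Sandbox Configuration":        ("Configured", {"Art. 15"},            {"MG-2"},         {"Cl. 8.1"},             "Partial"),
    "Human Review Requirements":    ("Configured", {"Art. 14"},            {"GV-1", "MP-5"}, {"Cl. 5.1", "Cl. 9.3"},  "Full"),
    "Skill and Plugin Sources":     ("Advisory",   {"Art. 15"},            {"MP-3", "GV-6"}, {"Cl. 4.1", "Cl. 8.2"},  "Partial"),
    "Session Isolation":            ("Configured", {"Art. 15", "Art. 12"}, {"MG-2"},         {"Cl. 8.1"},             "Partial"),
    "Cognitive State Security":     ("Automated",  {"Art. 15", "Art. 9"},  {"MP-2", "MS-2"}, {"Cl. 8.2", "Cl. 9.1"},  "Partial"),
    "Prompt Injection Hardening":   ("Automated",  {"Art. 15", "Art. 9"},  {"MS-2", "MG-3"}, {"Cl. 8.3", "Cl. 9.1"},  "Full"),
    "Rule of Two":                  ("Automated",  {"Art. 14", "Art. 15"}, {"MS-2", "MG-3"}, {"Cl. 9.1", "Cl. 8.4"},  "Full"),
    "Long-Horizon Monitoring":      ("Automated",  {"Art. 12", "Art. 15"}, {"MS-1", "MG-4"}, {"Cl. 9.1", "Cl. 10.1"}, "Full"),
}

COLUMN = {"eu_ai_act": 1, "nist": 2, "iso": 3}
NIST_FUNCTION = {"GV": "Govern", "MP": "Map", "MS": "Measure", "MG": "Manage"}


def controls_by_reference(framework):
    """Invert the matrix: framework reference -> set of controls citing it."""
    col = COLUMN[framework]
    inverted = defaultdict(set)
    for control, row in MATRIX.items():
        for ref in row[col]:
            inverted[ref].add(control)
    return dict(inverted)


def controls_by_nist_function():
    """Roll NIST categories (GV-1, MG-2, ...) up to the four core functions."""
    rolled = defaultdict(set)
    for ref, controls in controls_by_reference("nist").items():
        rolled[NIST_FUNCTION[ref.split("-")[0]]] |= controls
    return dict(rolled)


def controls_by_iso_clause():
    """Roll sub-clauses (Cl. 8.1, Cl. 8.3, ...) up to top-level clauses (Cl. 8)."""
    rolled = defaultdict(set)
    for ref, controls in controls_by_reference("iso").items():
        rolled["Cl. " + ref.split()[1].split(".")[0]] |= controls
    return dict(rolled)


def reconcile(claimed, actual):
    """Compare a summary line's control list with what the matrix supports.

    Returns (omitted, unsupported): controls the matrix maps to the reference
    but the summary leaves out, and controls the summary names that the
    matrix does not map there.
    """
    return sorted(actual - claimed), sorted(claimed - actual)


def art15_gap():
    """Controls that do not cite Art. 15, i.e. the counterexample to 'all 13'."""
    return sorted(set(MATRIX) - controls_by_reference("eu_ai_act")["Art. 15"])


if __name__ == "__main__":
    print("Art. 15 not cited by:", art15_gap())
    for function, controls in sorted(controls_by_nist_function().items()):
        print(f"NIST {function}: {sorted(controls)}")
    # Constructed summary line that forgot one Govern control.
    draft_govern = {"Deny-First Configuration", "Human Review Requirements", "Skill and Plugin Sources"}
    omitted, unsupported = reconcile(draft_govern, controls_by_nist_function()["Govern"])
    print("Govern summary omits:", omitted, "| unsupported:", unsupported)
```

Run it after every matrix edit; any non-empty `omitted` or `unsupported` list means a summary table and the matrix disagree and one of them needs updating before the document is handed to an auditor.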