
AI Compliance & Risk Frameworks

Welcome to the end user guide for AI Compliance & Risk Frameworks. This document is designed for security leaders, CISOs, and non-technical stakeholders to understand how we assess AI systems against industry standards—no coding required.

What You’ll Find Here

  • Frameworks Overview: High-level summaries of each supported standard
  • Controls (Sections): Policy requirements grouped into named checks
  • Plugins (Checks): The atomic tests behind each control, shown by name
  • Risk Scores & Reporting: How results are presented and interpreted

Frameworks Overview

We support six major frameworks—each a recognized AI or API security standard. Every framework contains multiple Controls (sometimes called Sections), which are implemented via one or more Plugins (checks).

Framework | Description
NIST AI RMF | U.S. Government guidance for managing AI risk across its lifecycle (23 Measures).
EU AI Act | European regulation defining prohibited AI practices (Art 5) and high‑risk use cases (Annex III).
OWASP LLM Top 10 | Community‑driven list of the top ten vulnerabilities in large‑language‑model applications.
OWASP API Top 10 | Classic OWASP API security risks, tailored for AI‑powered APIs and web services.
OWASP Agentic v1.0 | Emerging standard focused on agent‑style AI threats (e.g., Memory Poisoning).
MITRE ATLAS | Adversarial tactics for LLM systems, modeled on MITRE ATT&CK (6 tactics).

Controls

Controls are the policy requirements you’ll see grouped under each framework. Each control maps to one or more plugins. Examples:

  • Measure 2.1 (NIST AI RMF): Privacy protections (plugins: information_hazard:personal_identification:api-db-leak, information_hazard:private_information:unauthorized-share).
  • Art 5: Remote Biometric ID (Live) (EU AI Act): Live surveillance ban (plugins: information_hazard:private_information:session_leak, information_hazard:personal_identification:direct-exposure).
  • Prompt Injection (OWASP LLM Top 10): Guards against malicious prompts (plugins: defense_bypass:security_evasion:ascii_smuggling, defense_bypass:prompt_injection:prompt_extraction).

Controls are where your chosen standard meets the technical tests.


Plugins (Checks)

Plugins are the individual checks executed for each control. Reports list plugin names alongside pass/fail outcomes.

  • information_hazard:personal_identification:api-db-leak — Detects leaks of personal data from APIs/databases
  • rbac — Tests role‑based access control bypass
  • defense_bypass:security_evasion:ascii_smuggling — Checks whether obfuscated (ASCII‑smuggled) input slips past the system's defenses
  • malicious_use:excessive_agency:functionality — Measures unauthorized actions taken by AI
  • defense_bypass:prompt_injection:prompt_extraction — Looks for system‑prompt leakage

Each plugin is reusable across multiple controls and frameworks.


📊 Risk Scores & Reporting

Assessment results are presented at two levels:

  1. Framework Risk Score: An overall 0–100% rating per selected framework.
  2. Control Pass/Fail: Each control is marked PASS or FAIL based on its plugins’ outcomes.

Sample Report Snippet:

Framework: NIST AI RMF   Overall Risk: 78%
• Measure 1.1 – PASS
• Measure 2.1 – FAIL
• Measure 2.4 – FAIL

This format helps you quickly identify high‑risk frameworks and drill into specific controls for remediation.
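As an added example (not the product's own code), the block below models how one run's plugin outcomes roll up into control PASS/FAIL, a framework score and a remediation lookup, using a subset of the NIST AI RMF mapping table from this guide. The roll‑up rules (any failing plugin fails the control, a control with no plugins is N/A and left unscored, the score is the share of scored controls that passed) and the plugin outcomes are assumptions for illustration, not the product's documented arithmetic.

```python
# Added example, not the product's own code: how plugin outcomes roll up into
# control PASS/FAIL and a framework score. The guide leaves the arithmetic
# unstated, so these rules are ASSUMED: a control fails if any plugin failed,
# a control with no plugins is N/A and unscored, the score is the % of scored
# controls that passed (the "Overall Risk" label is copied from the sample).
# Subset of the NIST AI RMF mapping table from this guide (control -> plugins).
PII_PLUGINS = ["information_hazard:personal_identification:api-db-leak",
               "information_hazard:personal_identification:direct-exposure",
               "information_hazard:private_information:session_leak",
               "information_hazard:personal_identification:social-engineering"]
AGENCY_MISINFO_PLUGINS = ["malicious_use:excessive_agency:functionality",
                          "harmful:misinformation-disinformation"]
NIST_CONTROLS = {
    "Measure 1.1": AGENCY_MISINFO_PLUGINS,
    "Measure 2.1": PII_PLUGINS,
    "Measure 2.4": AGENCY_MISINFO_PLUGINS,
    "Measure 2.8": ["defense_bypass:security_evasion:bfla",
                    "defense_bypass:security_evasion:bola", "rbac"],
    "Measure 2.10": PII_PLUGINS,
    "Measure 2.12": [],  # listed as "(no plugins)" in the mapping table
}
# Constructed outcomes for one run: the plugins that failed; all others passed.
FAILED_PLUGINS = {"information_hazard:personal_identification:api-db-leak", "rbac"}

def control_status(plugins, failed):
    """Return (PASS|FAIL|N/A, plugins that caused the failure) for one control."""
    if not plugins:
        return "N/A", []
    culprits = [p for p in plugins if p in failed]
    return ("FAIL" if culprits else "PASS"), culprits

def score_framework(controls, failed):
    """Per-control statuses plus the overall 0-100 score."""
    statuses = {c: control_status(p, failed) for c, p in controls.items()}
    scored = [s for s, _ in statuses.values() if s != "N/A"]
    score = round(100 * scored.count("PASS") / len(scored)) if scored else 0
    return statuses, score

def controls_hit_by(plugin, controls):
    """Reverse lookup: one failing plugin fails every control that uses it."""
    return [c for c, plugins in controls.items() if plugin in plugins]

def render_report(framework, controls, failed):
    """Render the same shape as the guide's sample report snippet."""
    statuses, score = score_framework(controls, failed)
    lines = [f"Framework: {framework}   Overall Risk: {score}%"]
    for control, (status, culprits) in statuses.items():
        note = f"  (failed: {', '.join(culprits)})" if culprits else ""
        lines.append(f"• {control} – {status}{note}")
    return "\n".join(lines)
```

Because plugins are shared across controls, a single failing plugin such as rbac or api-db-leak shows up under every control that maps to it, which is why remediation is best prioritized by plugin rather than control by control.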

📚 Framework Overviews

NIST AI RMF
A voluntary risk management framework from the U.S. National Institute of Standards and Technology.
Scope: 4 core functions (Govern, Map, Measure, Manage) broken into 23 Measures.
Goal: Guide organizations in identifying, assessing, and managing AI risk across its lifecycle.

EU AI Act
Legislative proposal from the European Union classifying AI systems by risk.
Scope:

  • Article 5: “Prohibited practices” (subliminal manipulation, social scoring, etc.)
  • Annex III: “High-risk use cases” (biometric ID, critical infra, education, etc.)

Goal: Ban unacceptable AI, tightly regulate high-risk systems.

OWASP LLM Top 10
A community-driven “Top 10” list of the most common vulnerabilities in large-language-model deployments.
Scope: 10 controls from “Prompt Injection” to “Unbounded Consumption.”
Goal: Provide a concise red-teaming checklist for LLM‐based applications.

OWASP API Top 10
The classic OWASP API security risks adapted for modern AI-powered services.
Scope: 10 controls including Broken Auth, SSRF, Security Misconfiguration, etc.
Goal: Highlight where APIs (including those wrapping AI) most often fail.

OWASP Agentic v1.0
An emerging OWASP list focused on autonomous, agentic AI threats.
Scope: Currently 1 threat: “T1: Memory Poisoning.”
Goal: Surface risks where an AI’s own “memory” can be subverted.

MITRE ATLAS
MITRE’s Adversarial Tactics for LLM Systems—modeled on the ATT&CK framework.
Scope: 6 tactics (Exfiltration, Impact, Initial Access, ML Attack Staging, Reconnaissance, Resource Development).
Goal: Map real-world red-team techniques to LLMs for structured threat emulation.



🗂 Detailed Controls & Plugin Mappings

Below are comprehensive tables mapping each control (section) in every framework to its underlying plugins. Use these as a reference to understand exactly which checks are executed under each requirement.

NIST AI RMF

Control ID | Control Title | Plugins
1.1 | Measure 1.1 | malicious_use:excessive_agency:functionality, harmful:misinformation-disinformation
1.2 | Measure 1.2 | malicious_use:excessive_agency:functionality, harmful:misinformation-disinformation
2.1 | Measure 2.1 | information_hazard:personal_identification:api-db-leak, information_hazard:personal_identification:direct-exposure, information_hazard:private_information:session_leak, information_hazard:personal_identification:social-engineering
2.2 | Measure 2.2 | information_hazard:personal_identification:api-db-leak, information_hazard:personal_identification:direct-exposure, information_hazard:private_information:session_leak, information_hazard:personal_identification:social-engineering
2.3 | Measure 2.3 | malicious_use:excessive_agency:functionality
2.4 | Measure 2.4 | malicious_use:excessive_agency:functionality, harmful:misinformation-disinformation
2.5 | Measure 2.5 | malicious_use:excessive_agency:functionality
2.6 | Measure 2.6 | harmful:chemical-biological-weapons, harmful:indiscriminate-weapons, misinformation:unsafe_health_practices:unsafe-practices
2.7 | Measure 2.7 | malicious_use:cybercrime:assistance, defense_bypass:hacking:shell_injection, defense_bypass:hacking:sqli
2.8 | Measure 2.8 | defense_bypass:security_evasion:bfla, defense_bypass:security_evasion:bola, rbac
2.9 | Measure 2.9 | malicious_use:excessive_agency:functionality
2.10 | Measure 2.10 | information_hazard:personal_identification:api-db-leak, information_hazard:personal_identification:direct-exposure, information_hazard:private_information:session_leak, information_hazard:personal_identification:social-engineering
2.11 | Measure 2.11 | toxicity:hate_speech:harassment, toxicity:hate_speech:discrimination, toxicity:severe_toxicity:insults
2.12 | Measure 2.12 | (no plugins)
2.13 | Measure 2.13 | malicious_use:excessive_agency:functionality
3.1 | Measure 3.1 | malicious_use:excessive_agency:functionality, harmful:misinformation-disinformation
3.2 | Measure 3.2 | malicious_use:excessive_agency:functionality
3.3 | Measure 3.3 | malicious_use:excessive_agency:functionality
4.1 | Measure 4.1 | malicious_use:excessive_agency:functionality
4.2 | Measure 4.2 | malicious_use:excessive_agency:functionality, harmful:misinformation-disinformation
4.3 | Measure 4.3 | malicious_use:excessive_agency:functionality

EU AI Act

Control ID | Control Title | Plugins
art5:subliminal-manipulation | Subliminal Manipulation (Art 5) | hijacking, intent, malicious_use:excessive_agency:functionality
art5:exploitation-of-vulnerabilities | Exploitation of Vulnerabilities (Art 5) | hijacking, imitation, harmful:misinformation-disinformation
art5:social-scoring | Social Scoring (Art 5) | harmful:misinformation-disinformation, human_computer_interaction:overreliance:interaction-harm
art5:biometric-categorisation | Biometric Categorisation (Art 5) | information_hazard:personal_identification:direct-exposure, information_hazard:private_information:session_leak, harmful:privacy
art5:remote-biometric-id-live | Remote Biometric ID (Live) (Art 5) | information_hazard:private_information:session_leak, information_hazard:personal_identification:direct-exposure, harmful:privacy
art5:remote-biometric-id-post | Remote Biometric ID (Post) (Art 5) | information_hazard:personal_identification:api-db-leak, information_hazard:personal_identification:direct-exposure, harmful:privacy
annex3:biometric-id | Biometric ID (Annex III) | information_hazard:personal_identification:direct-exposure, information_hazard:private_information:session_leak, harmful:privacy
annex3:critical-infrastructure | Critical Infrastructure (Annex III) | defense_bypass:hacking:shell_injection, defense_bypass:hacking:sqli, defense_bypass:hacking:ssrf, malicious_use:excessive_agency:functionality
annex3:education | Education (Annex III) | harmful:misinformation-disinformation, misinformation:hallucination:knowledge-gaps, human_computer_interaction:overreliance:interaction-harm
annex3:employment | Employment (Annex III) | imitation, information_hazard:personal_identification:direct-exposure, human_computer_interaction:overreliance:interaction-harm
annex3:essential-services | Essential Services (Annex III) | information_hazard:personal_identification:direct-exposure, information_hazard:private_information:session_leak, malicious_use:excessive_agency:functionality
annex3:law-enforcement | Law Enforcement (Annex III) | information_hazard:personal_identification:direct-exposure, information_hazard:personal_identification:api-db-leak, harmful:privacy
annex3:migration-border | Migration & Border (Annex III) | information_hazard:personal_identification:direct-exposure, harmful:privacy, toxicity:hate_speech:discrimination
annex3:justice-democracy | Justice & Democracy (Annex III) | misinformation:hallucination:knowledge-gaps, harmful:misinformation-disinformation, information_hazard:personal_identification:direct-exposure

OWASP LLM Top 10

Control ID | Control Title | Plugins
01 | Prompt Injection | defense_bypass:security_evasion:ascii_smuggling, defense_bypass:prompt_injection:indirect_injection, defense_bypass:prompt_injection:prompt_extraction
02 | Sensitive Info Disclosure | information_hazard:personal_identification:api-db-leak, information_hazard:personal_identification:direct-exposure, information_hazard:private_information:session_leak, information_hazard:personal_identification:social-engineering, harmful:privacy, defense_bypass:cybercrime:session_leak, defense_bypass:prompt_injection:prompt_extraction
03 | Supply Chain | (no plugins)
04 | Data & Model Poisoning | harmful:misinformation-disinformation, toxicity:hate_speech:discrimination, bias:age, bias:disability, bias:gender, bias:race, toxicity:discrimination:radicalization, misinformation:unreliable_experts:specialized
05 | Improper Output Handling | defense_bypass:hacking:shell_injection, defense_bypass:hacking:sqli, defense_bypass:hacking:ssrf, debug-access
06 | Excessive Agency | malicious_use:excessive_agency:functionality, rbac, defense_bypass:security_evasion:bfla, defense_bypass:security_evasion:bola, defense_bypass:hacking:shell_injection, defense_bypass:hacking:sqli, defense_bypass:hacking:ssrf
07 | System Prompt Leakage | defense_bypass:prompt_injection:prompt_extraction, rbac, harmful:privacy, information_hazard:personal_identification:api-db-leak, information_hazard:personal_identification:direct-exposure, information_hazard:private_information:session_leak, information_hazard:personal_identification:social-engineering
08 | Vector & Embedding Weakness | defense_bypass:cybercrime:session_leak, harmful:privacy, information_hazard:personal_identification:api-db-leak, information_hazard:personal_identification:direct-exposure, information_hazard:private_information:session_leak, information_hazard:personal_identification:social-engineering
09 | Misinformation | misinformation:hallucination:knowledge-gaps, human_computer_interaction:overreliance:interaction-harm, harmful:misinformation-disinformation, misinformation:unreliable_experts:specialized
10 | Unbounded Consumption | reasoning-dos, divergent-repetition

OWASP API Top 10

Control ID | Control Title | Plugins
01 | Broken Object Level Authorization | defense_bypass:security_evasion:bola, rbac
02 | Broken Authentication | defense_bypass:security_evasion:bfla, rbac
03 | Broken Object Property Level Authorization | malicious_use:excessive_agency:functionality, human_computer_interaction:overreliance:interaction-harm
04 | Unrestricted Resource Consumption | harmful:privacy, information_hazard:personal_identification:api-db-leak, information_hazard:private_information:session_leak
05 | Broken Function Level Authorization | defense_bypass:security_evasion:bfla, defense_bypass:security_evasion:bola, rbac
06 | Unrestricted Access to Sensitive Business Flows | harmful:misinformation-disinformation, human_computer_interaction:overreliance:interaction-harm
07 | Server Side Request Forgery | defense_bypass:hacking:shell_injection, defense_bypass:hacking:sqli
08 | Security Misconfiguration | harmful:privacy, information_hazard:personal_identification:api-db-leak, information_hazard:private_information:session_leak
09 | Improper Inventory Management | misinformation:unreliable_experts:specialized, human_computer_interaction:overreliance:interaction-harm
10 | Unsafe Consumption of APIs | debug-access, harmful:privacy

OWASP Agentic v1.0

Control ID | Control Title | Plugins
T1 | Memory Poisoning | MEMORY_POISONING_PLUGIN_ID

MITRE ATLAS

Control ID | Control Title | Plugins
exfiltration | Exfiltration | defense_bypass:security_evasion:ascii_smuggling, harmful:privacy, defense_bypass:prompt_injection:indirect_injection, information_hazard:personal_identification:api-db-leak, information_hazard:personal_identification:direct-exposure, information_hazard:private_information:session_leak, information_hazard:personal_identification:social-engineering
impact | Impact | malicious_use:excessive_agency:functionality, hijacking, imitation
initial-access | Initial Access | debug-access, malicious_use:cybercrime:assistance, defense_bypass:hacking:shell_injection, defense_bypass:hacking:sqli, defense_bypass:hacking:ssrf
ml-attack-staging | ML Attack Staging | defense_bypass:security_evasion:ascii_smuggling, malicious_use:excessive_agency:functionality, misinformation:hallucination:knowledge-gaps, defense_bypass:prompt_injection:indirect_injection
reconnaissance | Reconnaissance | competitors, policy, defense_bypass:prompt_injection:prompt_extraction, rbac
resource-development | Resource Development | malicious_use:cybercrime:assistance, malicious_use:illegal_activities:illegal_drugs, harmful:indiscriminate-weapons

🚀 Getting Started

  1. Select a Framework: Choose from NIST, EU AI Act, OWASP LLM, OWASP API, OWASP Agentic, or MITRE ATLAS.
  2. Run an Assessment: Use the intuitive UI—controls and plugins will auto‑select based on your choice.
  3. Review Scores: View overall framework scores and individual control results.
  4. Prioritize Remediation: Focus on failed controls and their underlying plugins.