OWASP ASI to AIUC-1 Crosswalk

A bidirectional mapping between the OWASP Top 10 for Agentic Applications (ASI Top 10) threat taxonomy and the AIUC-1 certification requirements, published by the OWASP GenAI Security Project’s Agentic Security Initiative in collaboration with AIUC.1 The two artifacts cover different sides of the same problem: ASI names ten agentic threat classes; AIUC-1 specifies certification requirements organized under six principles. This crosswalk connects threats to the controls that address them, in both directions, and records where AIUC-1 has no requirement for a threat the ASI prevention guidelines treat as essential.

Source. AIUC-1: Crosswalks OWASP Top 10 For Agentic Applications, v1.0, May 2026, OWASP GenAI Security Project (Agentic Security Initiative), CC BY-SA 4.0.1 Archived: .raw/papers/owasp-agentic-top10-aiuc1-crosswalk-2026-05.pdf.

The crosswalk uses the published ASI labels. ASI05 is “Unexpected Code Execution” (RCE) and ASI09 is “Human-Agent Trust Exploitation,” matching the published 2026 edition recorded in the 2026-Q2 standards review. The pre-release draft labels (ASI05 “Sensitive Data Disclosure”, ASI09 “Missing Guardrails”) do not appear in this document.

Mapping method

Each mapping is Primary (directly mitigates the core risk) or Secondary (addresses a related consequence or supplies a supporting control).1 Primary versus Secondary is set by threat context, not by control type: preventive and scope-constraining controls tend to be Primary; detective and governance controls tend to be Secondary, except where detection is the only way a persistent, cross-session, or multi-agent threat becomes visible (logging is Primary for ASI06 memory poisoning, Secondary for ASI01).

Each mapping also carries a rationale code from a controlled taxonomy of eight control functions.1

CodeLabelFunction
PREVPreventBlocks the core attack mechanism before it succeeds
SCOPEConstrain scopeLimits what a compromised or misbehaving agent can reach
GATEHuman gateEnforces a required human approval, review, or intervention point
DETECTDetect and traceRuntime detection, behavioral monitoring, or forensic traceability
VALIDValidate and testTests or audits that other controls function against the threat
GOVERNPolicy and governanceOrganizational policy, accountability, or response-plan framework
ISOLATEIsolate and containArchitectural separation that stops cross-agent or cross-tenant propagation
DISCLOSEDisclose and calibrateTransparency or provenance that lets humans calibrate trust

The document states the crosswalk identifies relevance, not sufficiency: a Primary mapping means the requirement addresses the core risk, not that it fully mitigates it.1

ASI threat to AIUC-1 requirement (Part B)

Each ASI category and the AIUC-1 requirements that address it. Counts are Primary / Secondary mappings drawn from the master table.1

ASIThreatPrimary AIUC-1 requirementsSecondary AIUC-1 requirements
ASI01Agent Goal HijackB001, B002, B005, B006, C009, D003A004, C002, C003, C004, C006, C011, E008, E010, E015
ASI02Tool Misuse and ExploitationA003, B006, B007, D003, D004, E009A004, A007, B008, C009, E015
ASI03Identity and Privilege AbuseB006, B007, B008, D003, E009A004, A007, B003, D004, E010, E015
ASI04Agentic Supply Chain VulnerabilitiesB008, E006, E009A004, A007, E005, E007, E015
ASI05Unexpected Code Execution (RCE)B006, B008, C006, D003, D004B001, B002, B005, B009, C002, C004, C005, E015, F001
ASI06Memory & Context PoisoningA003, A005, B001, B002, B005, E015A006, B006, B009, D003
ASI07Insecure Inter-Agent CommunicationB006, B008, E009, E015D003
ASI08Cascading FailuresD001, D002, D003, E001, E002, E003, E015B005, B006, C003, C007, C009
ASI09Human-Agent Trust ExploitationC003, C007, C009, C010, D001, D002, E016A003, B004, B007, B009, C005, C006, E004, E009, E015, E017
ASI10Rogue AgentsB006, B008, D003, D004, E001, E015B003, B007, B009, C007, C008, C009, D002, E016, F001, F002

ASI05 and ASI09 carry the largest secondary footprints. E015 (Log model activity) maps to all ten threats, Primary for the four that are persistent, cross-session, or multi-agent (ASI06, ASI07, ASI08, ASI10).1

Rationale by ASI category

The control function each ASI category’s mappings lean on, from the master table.1

ASIThreatDominant rationale codes
ASI01Agent Goal HijackVALID, DETECT, PREV, SCOPE, GATE, GOVERN
ASI02Tool Misuse and ExploitationSCOPE, PREV, VALID, DETECT, ISOLATE
ASI03Identity and Privilege AbuseSCOPE, ISOLATE, DETECT, PREV, VALID, GOVERN
ASI04Agentic Supply Chain VulnerabilitiesISOLATE, VALID, DETECT, SCOPE, GOVERN
ASI05Unexpected Code Execution (RCE)SCOPE, ISOLATE, PREV, VALID, DETECT
ASI06Memory & Context PoisoningSCOPE, ISOLATE, VALID, PREV, DETECT
ASI07Insecure Inter-Agent CommunicationSCOPE, ISOLATE, DETECT
ASI08Cascading FailuresPREV, VALID, SCOPE, GOVERN, DETECT, GATE
ASI09Human-Agent Trust ExploitationPREV, GATE, VALID, DISCLOSE, SCOPE, GOVERN, DETECT
ASI10Rogue AgentsSCOPE, ISOLATE, VALID, GOVERN, DETECT, GATE, DISCLOSE, PREV

DISCLOSE appears only against ASI09 and ASI10, mapped to E016 (AI disclosure mechanisms) and E017 (transparency policy).1

Observed AIUC-1 gaps

The crosswalk records eight areas where AIUC-1 has no requirement that the ASI prevention guidelines treat as essential. Four (Gaps 1, 2, 4, 5) describe control surfaces with no dedicated requirement; four (Gaps 3, 6, 7, 8) describe expansions of partial-coverage requirements.1

GapAreaSurfaces at
1Inter-agent communication security (mutual auth, message integrity, replay protection, signed agent cards)ASI07, ASI08, ASI10
2Agent identity attestation and containment (per-agent crypto identity, signed behavioral manifests, kill switches)ASI03, ASI10
3Agentic supply chain attestation (SBOMs/AIBOMs, prompt provenance, code signing for agents and tools)ASI02, ASI04
4Cascading failure containment (circuit breakers, blast-radius caps, planner-executor isolation)ASI08
5Agent tool-use infrastructure controls (tool registration, tool authentication, agent-tool-call logging)ASI02, ASI03, ASI05
6Runtime agent security monitoring (malicious model/container/payload detection inside the agent)ASI05, ASI10
7Resource and cost abuse controls (AI service entitlement, monetary-budget and token-consumption monitoring)ASI01, ASI10
8Input/output schema controls and determinism (schematic controls at the agent-model boundary)ASI01, ASI06, ASI08

Two further items are framed as scope-expansion recommendations rather than new mappings: guardrail placement architecture for C003/C004 (enforce pre-AI and post-AI guardrails in agent code, not at the model layer alone) and data sovereignty for agentic operations under E011 (cross-region data use during inference and retrieval, distinct from training-time data governance).1

Newly validated mappings

Contributor review added five Secondary mappings for four previously unmapped AIUC-1 requirements, each a governance, accountability, or transparency layer that supports technical mitigation rather than implementing it.1

AIUC-1 requirementASI categoryRelevance
E004 Assign accountabilityASI09Secondary
E008 Review internal processesASI01Secondary
E010 Establish AI acceptable use policyASI01Secondary
E010 Establish AI acceptable use policyASI03Secondary
E017 Document system transparency policyASI09Secondary

After validation, eight AIUC-1 requirements remain unmapped to any ASI category (A001, A002, C001, C012, E011, E012, E013, E014), described as policy and process requirements that operate at a governance layer above specific agentic threat scenarios.1

What each side covers that the other does not

The ASI Top 10 supplies threat-level coverage AIUC-1 lacks at the agentic-control layer: per-agent identity, inter-agent authentication, cascading-failure containment, agent-tool-call observability, and runtime behavioral monitoring all surface as AIUC-1 gaps in this document. The ASI prevention guidelines also reference companion artifacts (Multi-Agentic System Threat Modeling Guide, Agent Name Service) that propose mechanisms with no AIUC-1 counterpart.

AIUC-1 supplies the governance, accountability, and certification layer the ASI Top 10 lacks: assigned accountability (E001–E004), failure response plans (E001–E003), acceptable-use and transparency policy (E010, E016, E017), vendor due diligence (E006), and the catastrophic-misuse Society pillar (F001, F002) that the ASI list addresses only through Rogue Agents. The eight unmapped AIUC-1 requirements are governance and process controls that have no single ASI threat to anchor to but remain part of an enterprise certification. The relationship is bidirectional rather than one-to-one: AIUC-1 data-protection controls also constrain the blast radius available to a compromised agent.1

Relations

Footnotes

  1. AIUC-1: Crosswalks OWASP Top 10 For Agentic Applications, v1.0, May 2026, OWASP GenAI Security Project (Agentic Security Initiative), CC BY-SA 4.0. Archived at .raw/papers/owasp-agentic-top10-aiuc1-crosswalk-2026-05.pdf. 2 3 4 5 6 7 8 9 10 11 12 13 14