Standards Review Backlog
Live tracking has moved to GitHub Issues
The live status board is now the Standards Reviews milestone on GitHub (
agpwc/ai-era, milestone #2): one issue per pending standard, tiered withp1/p2/p3labels, closed as each review lands. Update the milestone, not this page. This page is retained as a reference snapshot and for the durable process notes below (how a review retires the first-pass validation).
This board tracks the per-standard deep dives defined by the Standards Validation Methodology. The methodology fixes the process (source primary docs, build a clause-level coverage matrix, state falsifiable absence claims, run an adversarial second pass) and the priority tiers. Each completed review lands at wiki/reviews/standards-review-<standard>-YYYY-Qn.md and becomes the load-bearing evidence for any gap claim the wiki makes against that standard.
The wiki anchors gap claims against 11 priority standards. All 11 are now reviewed (Standards Reviews milestone closed 2026-06-22). The four 2026-Q2 first-wave reviews (Microsoft ZT4AI, MITRE ATLAS, the 800-4), and the OWASP ASI Top 10 + AIVSS pair) were joined by the seven that close the milestone:
- CSA MAESTRO + ATF: seven-layer threat model plus the Agentic Trust Framework’s five elements, four maturity levels, and five promotion gates (corrected from fabricated gate names).
- EU AI Act incl. Annex IV: risk-management and conformity-assessment law; Art. 15 cybersecurity is outcome-stated; the Annex IV item-map mislabels were corrected.
- IEC 42001 + 27090 FDIS: citation-only (paywall-bounded per methodology §8); the non-public Annex A numbering was corrected to the A.2 to A.10 objective scheme.
- OWASP LLM Top 10 (2025): application-level awareness list; two taxonomy-drift errors were fixed (LLM07 vs LLM08, stale LLM03).
- NIST SP 800-218A: development-time SSDF AI profile; the “three vs six net-new tasks” miscount was corrected.
- Google SAIF + CoSAI: a broad-but-shallow control vocabulary alongside deep-but-discontinuous workstream outputs; CoSAI deliverable dates were reconciled.
- Microsoft RAI + Agent 365: a responsible-AI goals standard (17 goals) plus the Agent 365 management plane, separated from the ZT4AI control catalogue.
Each review replaces wiki-summary-level gap claims against its standard with bounded, clause-cited absence claims. Before a standard was reviewed, its gap claims rested on the 2026-04-30 first-pass validation, a wiki-summary-level snapshot rather than a clause-level audit.
How a review retires the first-pass validation
The 2026-04-30 validation page is a frozen snapshot superseded section by section as reviews land. When a standard’s review completes, its GitHub issue closes, the review page is filed under wiki/reviews/, and the corresponding verdict in the old validation §2 gains a correction marker pointing to the new review. The old page is archived in full only once most P1 reviews exist.
See also
- Standards Validation Methodology — the process and priority tiers this board tracks.
- 2026-04-30 Validation (superseded) — the first-pass snapshot being retired.
- Agentic AI Security CMM — Standards Crosswalk — the anchor-level CMM-domain × standard map that clause-level reviews deepen.