Agentic AI Security CMM — Standards Crosswalk Matrix

This is the crosswalk matrix the validation page (Validation: Agentic AI Security CMM vs Widely Adopted Standards §6 rec #1) called out as the single highest-leverage addition to the CMM. Without it, D1 L4/L5 and D8 L5 are unfalsifiable: an organization cannot demonstrate AIUC-1 / ISO 42001 / EU AI Act compliance against a CMM that names the standards but doesn’t map controls.

The matrix is intentionally lossy: it surfaces the anchor controls in each standard for each CMM domain. Full Annex-by-Annex maps remain future work.

The CSA MAESTRO / ATF column was corrected by the 2026-Q2 standards review: MAESTRO cells now cite verified layer names (Layer 1 is Foundation Models, Layer 2 is Data Operations), and the ATF cells cite the five elements (Identity, Behavior, Data Governance, Segmentation, Incident Response) that anchor domains rather than the numbered promotion gates, which govern level advancement and do not map one-to-one onto a domain.

The CoSAI / SAIF column was reconciled by the Google SAIF and CoSAI standards review (2026-06-22): CoSAI cells now cite the verified deliverable dates — Model Context Protocol (MCP) Security (2026-01-20), Agentic Identity and Access Management (2026-04-17), and the AI Incident Response Framework (2025-10-30) — and the four verbatim workstream names (WS1–WS4). The “40 threats / 12 categories” MCP figure is flagged as not re-verifiable in that pass.

On this page

Recalibration note (2026-05-25). The domain-to-standard mappings below remain valid after the D1–D9 recalibration — a domain still anchors to the same standards. One framing change matters for this page: AIUC-1 is no longer a D1-L5 mandate. D1-L5 is now scheme-neutral third-party assurance with ISO/IEC 42001 preferred; AIUC-1 is one accepted option among several (with documented concentration and freshness caveats — see the AIUC-1 evaluation). The AIUC-1 six-pillars crosswalk below is retained as a mapping for organizations that choose that scheme, not as the required anchor. For the recalibrated per-domain criteria, the nine deep dives (linked from the CMM) are authoritative.

Master matrix — CMM domain × standard

flowchart LR
    CMM[CMM Domain] --> S1[NIST AI RMF / 600-1 / 800-4]
    CMM --> S2[ISO/IEC 42001 Annex A]
    CMM --> S3[MITRE ATLAS v5.6.0]
    CMM --> S4[OWASP ASI / AIVSS / LLM]
    CMM --> S5[Microsoft ZT4AI]
    CMM --> S6[CSA MAESTRO / ATF]
    CMM --> S7[EU AI Act]
    CMM --> S8[AIUC-1]
    CMM --> S9[CoSAI / SAIF]

Cell semantics: each cell names the anchor control(s) the CMM domain maps into, where evidence from the CMM (the artifacts in the level table) can be re-presented for each standard’s audit. Empty cell = no clean anchor; the CMM domain is exceeding the standard’s coverage there (see Validation: Agentic AI Security CMM vs Widely Adopted Standards §4).

The Microsoft column was split by Agent 365 review: the RAI Standard is a responsible-AI goals standard (seventeen goals across six principles), distinct from the ZT4AI control catalogue. The master matrix now carries a separate RAI-goals column alongside the ZT4AI-control column so the goals-standard-versus-catalogue distinction is visible at a glance; Agent 365 is the management plane over the ZT4AI controls, not a separate standard.

CMM DomainNIST AI RMF + 600-1 / 800-4IEC 42001 Annex AMITRE ATLAS v5.6.0OWASP ASI / AIVSS / LLMMicrosoft RAI (goals)Microsoft ZT4AI (controls) ATFEU AI ActAIUC-1CoSAI / SAIF
D1 GovernanceGovern function (all 6 categories); IR 8605A SP 800-53 PM-* familyA.2 Policies; A.3 Internal organization; A.5 Impact assessment(no anchor — ATLAS is attack-only)(no direct anchor — ASI is risk-only)A1 Impact Assessment; A2 Oversight; A3 Fit for purpose; A4 Data governance; T1-T2 TransparencyZT4AI Pillar 1 (Agent governance) — exec sponsorshipATF Gate 5 (Governance Sign-off); Incident Response element (governance overlay)Art. 9 Risk Mgmt; Art. 17 Quality Mgmt; Art. 50 GPAI transparencyPillar: AccountabilitySAIF Foundation: Govern; CoSAI Shared Accountability principle
D2 Identity & Authorization(AI 600-1 has no non-human-identity content — see review); NIST CAISI Concept Paper Feb 2026; SP 800-207 ZTA; SP 800-63 IAL/AALA.3 Internal organization (roles allocated to people, not agent/NHI identity); ISO 27090 §Identity (FDIS Mar 2026, unpublished)AML.T0055 (Unsecured Credentials); AML.T0083 (Credentials from AI Agent Configuration); AML.T0098 (AI Agent Tool Credential Harvesting)ASI03 Identity and Privilege Abuse; AIVSS factors: Execution Autonomy, External Tool Control Surface, Dynamic Identity; LLM06:2025 Excessive Agency (agency facet only — names excessive permissions as a consequence, no identity/authorization control, per the LLM Top 10 review)(no identity goal — PS1 defers to the Privacy Standard)ZT4AI Pillar 1 (verify explicitly + least privilege); Entra Agent ID; Agent 365 Registry (management plane)ATF Identity element (“Who are you?”)Art. 14 Human oversight (delegation chain)Pillar: Security (identity controls subset)SAIF Element 2 (Identity); CoSAI Agentic Identity and Access Management (2026-04-17)
D3 Control & Least-AgencyAI 600-1 refusal/disengage actions GV-3.2-003 / MS-2.6-006 / MG-2.4-001004 (no least-privilege control — see review); SP 800-53 AC-* familyA.9 Responsible/intended use (process framing only — no least-agency control)AML.T0053 (AI Agent Tool Invocation); AML.T0081 (Modify AI Agent Configuration); AML.T0105 (Escape to Host)ASI02 Tool Misuse and Exploitation (least-privilege tool profiles, Intent Gate PEP/PDP); Least-Agency principle; ASI08 blast-radius guardrails; AIVSS factor: Execution Autonomy; LLM06:2025A5 Human oversight and control (goal-level only — no least-agency control)ZT4AI Pillar 1 (least privilege); Prompt Shields policyATF Segmentation element (“Where can you go?”); 4 maturity levels (Intern→Junior→Senior→Principal) gated by 5 promotion gatesArt. 14 Human oversight (HITL); Art. 13 Transparency to deployersPillar: Safety (autonomy boundaries)CoSAI Maximize Oversight While Minimizing Intervention
D4 Runtime & GuardrailsNIST SP 800-218A PW.1.1.R1 (AI threat modeling), PW.5.2/PW.5.3 (input/output handling), PO.4.1.R1 (guardrails) — build-time only, no runtime enforcement (review claim 2); AI 600-1 §2.1 (CBRN), §2.2 (Confabulation), §2.3 (Dangerous/Hateful Content); groundedness action MS-2.5-005 (prompt injection is red-team-only MS-2.7-007); AI 800-4 post-deployment monitoringA.6 AI system life cycle (operation/monitoring, generic); ISO 27090 §Runtime safeguards (FDIS, unpublished)AML.T0051 (LLM Prompt Injection); AML.T0054 (LLM Jailbreak); AML.T0053 (AI Agent Tool Invocation); AML.M0020 (Generative AI Guardrails)ASI01 Goal Hijack; ASI02 Tool Misuse; LLM01:2025 Prompt Injection; LLM05:2025 Improper Output HandlingRS1 Reliability and safety; RS2 Failures and remediations (outcome goals — control deferred to ZT4AI)ZT4AI Pillar 3 (Prompt security); Microsoft Prompt Shields; Groundedness Detection; FIDES researchMAESTRO Layer 1 (Foundation Models) + Layer 3 (Agent Frameworks); ATF Behavior element (“What are you doing?”)Art. 15 Accuracy/Robustness/CybersecurityPillar: Security (guardrails subset)SAIF Element 4 (Application defense); CoSAI WS4 Secure Design
D5 Egress & NetworkAI 600-1 §2.9 (Information Security — exfil as threat only, MS-2.7-001; no egress control — see review); SP 800-207 ZTA; SP 800-53 SC-* family(no specific Annex A control); ISO 27090 §Inter-system (FDIS, unpublished)AML.T0024 (Exfiltration via AI Agent Tool Invocation); AML.T0048 (External Harms via tool actions)ASI02 Tool Misuse; ASI07 Insecure Inter-Agent Comms(no egress goal)ZT4AI Pillar 2 (Data security at egress); Defender for Cloud AppsMAESTRO Layer 4 (Deployment and Infrastructure) + Layer 7 (Agent Ecosystem); ATF Segmentation element (blast radius); CoSAI MCP Security (2026-01-20)Art. 15 CybersecurityPillar: Security (network/protocol subset)SAIF Element 3 (Infrastructure); CoSAI Model Context Protocol (MCP) Security (2026-01-20)
D6 Data, Memory & RAGNIST SP 800-218A PW.3 (PW.3.1 poisoning/tampering screen, PW.3.2 provenance, PW.3.3 adversarial samples) + PS.1.2 (training-data protection) — training-data integrity is 218A’s strongest contribution, but no RAG/runtime-memory content (review); AI 600-1 §2.4 (Data Privacy), §2.8 (Information Integrity); data/poisoning actions MP-4.1-004/005, MS-2.7-007 (no agent-memory poisoning — see review); AI 800-4 distribution-shift/drift §3.2.1A.7 Data (acquisition, quality, provenance — data only)AML.T0080 (AI Agent Context Poisoning); AML.T0070 (RAG Poisoning); AML.T0020 (Poison Training Data)ASI06 Memory & Context Poisoning (validate memory writes, per-tenant namespaces, expire unverified memory); LLM04:2025 Data and Model Poisoning; LLM07:2025 System Prompt Leakage; LLM08:2025 Vector/Embedding WeaknessesA4 Data governance and management; PS1 Privacy Standard compliance (goal-level)ZT4AI Pillar 2 (Data security incl. Purview tuned for AI)MAESTRO Layer 2 (Data Operations); ATF Data Governance element (“What are you eating? What are you serving?”)Art. 10 Data and data governance; Art. 11 Technical documentation (corpus provenance)Pillar: Data & PrivacySAIF Element 1 (Data); CoSAI MCP server data threats
D7 Observability & DetectionNIST CSF 2.0 Detect; AI 800-4 (six monitoring categories, §3 challenge taxonomy); AI 600-1 monitoring actions MS-2.6-005 / MG-3.2-006 / MG-4.1-001006A.6 AI system life cycle (event logging, plausible); A.8 Information for interested parties (incident communication)AML.M0007 (Detection mitigations); ATLAS Detection Layer in NavigatorASI08 Cascading Failures; ASI10 Rogue Agents; AIVSS Multi-Agent Interactions amp factorRS3 Ongoing monitoring, feedback, and evaluation (monitoring goal)ZT4AI Pillar 1 (assume breach) — Sentinel + Defender for Cloud Apps; Agent 365 observe (registry, Registry sync, Agent Map)MAESTRO Layer 5 (Evaluation and Observability); ATF Behavior element (continuous monitoring, anomaly detection)Art. 12 Logging and record-keeping; Art. 72 Post-market monitoringPillar: Reliability (monitoring subset)SAIF Element 5 (Auto-defense / detect); OTel gen_ai.*
D8 Supply Chain & AI-BOMNIST SP 800-218A PS.3.2 (model provenance via SBOM/SLSA), PW.4.4.R1 (verify integrity of acquired models), PS.1.3.R4 (weight protection) — but no AI-BOM artifact schema (review claim 3); AI 600-1 §2.12 (Value Chain), third-party block GV-6.1-001010 (no AI-BOM artifact — see review)A.4 Resources; A.10 Third-party relationships (no AI-BOM requirement); ISO 27036-*AML.T0010 (AI Supply Chain Compromise); AML.T0104 (Publish Poisoned AI Agent Tool); AML.T0109 (AI Supply Chain Rug Pull); AML.T0019 (Publish Poisoned Datasets)ASI04 Supply Chain Vulnerabilities; AIVSS amp factor: Self-ModificationA4 Data governance (training-data provenance, partial — no AI-BOM goal)ZT4AI: Microsoft ML scan in Defender for Cloud (Agent 365 inventory ≠ AI-BOM)MAESTRO Layer 3 (Agent Frameworks) supply-chain threat — named, not a control; ATF silent; CSAI Foundation AI Risk Observatory March 2026Art. 11 + Annex IV (technical documentation incl. AI-BOM-like)Pillar: Security (supply chain subset)SAIF Element 1 (Data) supply-chain provenance; CoSAI Project CodeGuard
D9 Operations & Human FactorsAI 800-4 (human factors flagged as biggest blind spot); CSF 2.0 Govern.OS (Oversight); CoSAI AI Incident Response Framework (2025-10-30)A.4 Resources (human); A.6 AI system life cycle (deployment, documentation); A.8 Information for interested partiesAML.M0008 (User training); AML.M0009 (Restrict library loading)ASI09 Human-Agent Trust Exploitation (over-reliance, automation/authority bias, oversight training); ASI08 Cascading Failures (operator-side); LLM07:2025 System Prompt Leakage (confidentiality)A5 Human oversight and control; A2 Oversight of significant adverse impactsZT4AI Pillar 1 (continuous verification); Agent 365 lifecycle + Entra ID Governance sponsors; FIDES rate-limit / cost-budget researchATF Incident Response element (“What if you go rogue?” — kill switch, demotion-to-Intern)Art. 12 Logging; Art. 14 Human oversight; Art. 72 Post-market monitoring; Art. 73 Reporting of serious incidentsPillar: Reliability + SocietyCoSAI AI Incident Response Framework (2025-10-30)

ZT4AI column is anchor-level

The Microsoft ZT4AI cells above stay anchor-level (one pillar reference per domain) for parity with the other standards. The control-level ZT4AI crosswalk — named, deep-linked controls with GA/preview status per domain — is in the dedicated section below and in the 2026-Q2 ZT4AI review. Note the “700 controls / 116 groups / 33 swim lanes” figure is the whole Zero Trust Workshop, not an AI-pillar count.

Five threat classes crosswalk

The master matrix maps published standards to domains. The wiki’s five threat classes are the expansion the standards under-serve, and they map to domains on a different axis: cross-cutting adversary models rather than per-component risks. The authoritative threat-to-domain mapping for every taxonomy, including these classes, is the Threat Taxonomy Reconciliation matrix. The per-class summary below is the CMM-side view.

Threat classPrimary CMM domainsHighest-leverage control
Class 1 — AI-aware insiderD2, D3, D6, D8 (D9)Customer-owned, version-pinned eval harness over every artifact (AI-BOM + always-on eval)
Class 2 — Long-running APT campaignD4, D5, D7 (D9)Cross-version eval continuity + sustained AI-workload threat hunting
Class 3 — CollusionD3, D4, D7 (D9)Monitor isolation + output canonicalization + deception probes
Class 4 — Model-version degradationD4, D6, D8 (D9)Customer eval suite versioned independently of the vendor; pin-by-hash
Class 5 — Jurisdictional adversaryD1 (D9)Multi-vendor abstraction; jurisdiction tagging; vendor-cutoff playbook

D9 Operations is the shared denominator across all five, which is why its bus-factor and continuity prerequisites gate every other domain’s L5 claim. Classes 1, 2, and 4 collapse to a single observable — the eval-harness delta against a trusted baseline — so D6 and D8 carry the load-bearing control for three of the five.

Annex IV (EU AI Act) crosswalk

EU AI Act Annex IV requires technical documentation for high-risk AI systems. Mapping the items most relevant to agentic AI. The Annex IV point and sub-point labels below were corrected against the verified Annex IV structure in the EU AI Act standards review: Annex IV has nine top-level points; point 2 carries sub-points (a)-(h), with cybersecurity at 2(h) and validation/testing at 2(g); the risk management system is point 5 (per Art. 9), and changes through the lifecycle is point 6.1

Annex IV ItemCMM evidence at L3+CMM domain
1. General description (purpose, intended use)Agent Card / system manifestD1 + D2
2. Detailed description (architecture)Reference architecture instance per agentD1 + reference to Agentic AI Security Reference Architecture
2(c). System architecture / computational resources usedLatency / cost dashboardD9
2(d). Data requirements / datasheets / provenancePer-source attribution; AI-BOMD6 + D8
2(e). Human oversight measuresHITL coverage telemetry; least-agency tier registerD3 + D9
2(g). Validation and testing proceduresRed-team / eval reports; acceptance-test recordsD1 + D4
2(h). Cybersecurity measuresCred-proxy logs; gateway config; sandbox; firewallD2 + D4 + D5
3. Detailed monitoring informationBehavioral-monitoring dashboards; OTel gen_ai.* traces; AI-SPMD7
5. Risk management system (per Art. 9)Risk Committee minutes; incident register; ID-tagged finding registry (ASI / AIVSS / ATLAS)D1 + D7 + D8
6. Changes through the lifecycleDecommission lifecycle artifacts; version pinning policyD9

AIUC-1 six pillars crosswalk

AIUC-1 organizes safeguards under six pillars (Security / Safety / Reliability / Accountability / Data & Privacy / Society). This mapping applies when an organization chooses AIUC-1 as its assurance scheme; after the recalibration it is one option among several for D1-L5, not the mandated anchor (ISO/IEC 42001 preferred). Mapping to CMM:

For a requirement-level view of how AIUC-1 lines up against the OWASP ASI agentic threat taxonomy, see the OWASP ASI to AIUC-1 crosswalk. It records eight AIUC-1 coverage gaps against the ASI prevention guidelines (inter-agent authentication, agent identity attestation, cascading-failure containment, tool-call observability, runtime monitoring, resource-abuse controls, supply-chain attestation, and I/O schema controls) that the six-pillar mapping below does not surface.

AIUC-1 PillarPrimary CMM domainsNotes
SecurityD2, D4, D5, D8Largest overlap — credential isolation, guardrails, egress, supply chain
SafetyD3, D4Least-agency tiers, alignment-check, content safety
ReliabilityD7, D9Behavioral drift detection, latency budgets, decommission cadence
AccountabilityD1, D2Identity binding, action-to-human tracing, governance committee
Data & PrivacyD6RAG provenance, memory poisoning, system-prompt confidentiality
Society(gap — see CMM §“Open questions”)The CMM has no analogue for catastrophic-misuse / national-security externalities. Acknowledged.

ISO/IEC 42001 Annex A 38-control crosswalk (high-leverage subset)

Mapping the ISO 42001 Annex A control objectives (~38 controls) to CMM domains. Cells show which CMM domain provides primary evidence; controls map to multiple domains where applicable. The control-objective IDs use the public Annex A objective scheme (A.2-A.10) verified in the IEC 42001 + 27090 review; an earlier version of this table mislabelled the management-system clauses 5-10 under A. prefixes (A.5.* Leadership, A.6.* Planning, A.7.1-A.7.9), conflating clauses with Annex A controls.

Summary-sourced, paywall-bounded

The ISO 42001 normative text is paywalled and was not read. The objective IDs and titles below are the public Annex A objective scheme; the full per-control 38-item map remains summary-sourced (isms.online, cyberzoni.com) and is not verified against the primary Annex. Treat the mapping as the public skeleton, not as read clauses.

Annex A objectiveCMM domainNotes
A.2 Policies related to AID1AI policy framework
A.3 Internal organization (roles & responsibilities)D1Role/accountability allocation — to people, not non-human/agent identity
A.4 Resources (data, tooling, compute, human)D8, D6Resource inventory; model/data registry scope
A.5 AI system impact assessmentD1Impact/risk assessment process
A.6 AI system life cycleD6, D9Development, deployment, documentation, operation — no decommission/version-lifecycle control
A.7 Data for AI systemsD6Data acquisition, quality, provenance (data only — not model/artifact provenance)
A.8 Information for interested partiesD9Documentation + incident communication
A.9 Responsible/intended useD3Process framing of intended use only — no least-agency or HITL technical control
A.10 Third-party relationshipsD8Supplier/customer responsibility allocation — no AI-BOM requirement

The full 38-control map remains summary-sourced and paywall-bounded; a control-by-control mapping from the primary Annex is the next iteration, contingent on acquiring the normative text.

NIST SP 800-53 control families via IR 8605A COSAiS

For organizations mapping to NIST SP 800-53 (federal compliance), the IR 8605A COSAiS overlay is the bridge. Primary control families per CMM domain:

CMM DomainSP 800-53 control families
D1PM (Program Management), PL (Planning), CA (Assessment)
D2AC (Access Control), IA (Identification and Authentication), AU (Audit)
D3AC, AC-2, AC-3, AC-6 (least privilege)
D4SI (System and Information Integrity), SA (System and Services Acquisition)
D5SC (System and Communications Protection), SC-7 (boundary), SC-8 (transmission)
D6MP (Media Protection), SI-7 (integrity), SC-28 (at-rest)
D7AU (Audit and Accountability), SI-4 (monitoring), IR (Incident Response)
D8SR (Supply Chain Risk Management), SA (Acquisition)
D9IR (Incident Response), CP (Contingency Planning), AT (Awareness and Training)

Microsoft ZT4AI control-level crosswalk

Named Microsoft controls per CMM domain, from the 2026-Q2 ZT4AI review (deep links and primary-source dates there). Status reflects May 2026 Microsoft documentation. The control-level evidence validated the 2026-05 recalibration: the controls Microsoft ships as preview or guidance match the rungs the recalibration graded preview or off-stack.

CMM domainNamed ZT4AI / Microsoft controlsZero Trust pillarStatus
D1 GovernanceResponsible AI Standard (impact assessments, named owners); Purview Compliance Manager AI templates; Agent 365 registryVerify explicitlyGuidance + GA
D2 IdentityEntra Agent ID; three access patterns (OBO / app-only / agent’s-user-account); attribute + blueprint Conditional Access; ID Protection for agents; Entra PIM time-limited active role assignment for agents (auto-expiring; agents cannot be PIM-eligible)Verify explicitly + least privilegeGA
D3 Control & Least-AgencyDeny-by-default least-action design; Agent Governance Toolkit PDP (OPA/Cedar/YAML, trust decay, kill switch). No progressive-autonomy tier model (that comes from CSA ATF)Least privilege + assume breachGuidance + OSS
D4 Runtime & GuardrailsPrompt Shields (direct + indirect); Protected Material; Groundedness + Task Adherence (preview); Defender AI-agent runtime protection (preview)Assume breachGA + preview
D5 Egress & NetworkEntra Internet Access prompt-injection protection (GA); APIM AI Gateway token limits + inline Content Safety + MCP brokering. MCP tool-integrity / rug-pull is guidance-only — no single Azure serviceAssume breach + least privilegeGA + guidance
D6 Data, Memory & RAGPurview answer-time entitlement (VIEW + EXTRACT); DSPM for AI oversharing remediation; label-aware DLP; Risky AI Usage insider-risk templateLeast privilege + assume breachGA
D7 Observability & DetectionDefender XDR AI-agent detections + AIAgentsInfo / CloudAppEvents hunting tables (preview); Sentinel data-lake MCP server, Entity Analyzer, Playbook Generator (preview); Agent 365 telemetry (GA)Assume breachGA + preview
D8 Supply Chain & AI-BOMDefender for Cloud AI-SPM generative AI-BOM discovery across Azure/Bedrock/Vertex (GA), extended to MCP-server and AI-model-provider catalog coverage in Defender for Cloud Apps; AI model scanning in CI/CD (preview); Intune app inventory + Shadow AI dashboardVerify explicitlyGA + preview
D9 Operations & Human FactorsEntra ID Governance sponsors with automatic manager-transfer; time-bound access packages; decommission/disable. No HITL-fatigue / human-factors toolingVerify explicitly + least privilegeGA (human-factors absent)

Mapping consumption pattern

flowchart LR
    A[ID-tagged finding<br/>ASI / AIVSS / ATLAS / CVE] --> B[CMM Domain]
    B --> C{Crosswalk}
    C --> D1[Annex IV section]
    C --> D2[AIUC-1 pillar]
    C --> D3[ISO 42001 Annex A]
    C --> D4[SP 800-53 family]
    D1 & D2 & D3 & D4 --> E[Audit-ready artifact]

Adopting org workflow:

  1. Tag every finding with the appropriate ID (ASI/AIVSS/ATLAS/CVE).
  2. Look up the CMM domain via the architecture mapping.
  3. Use this crosswalk to surface the corresponding Annex IV / AIUC-1 / ISO 42001 / SP 800-53 anchor.
  4. Re-present the same evidence under the format each standard expects.

Open gaps in the crosswalk

Known unfilled spots in this crosswalk

  1. Full 38-control ISO 42001 Annex A map. Current map shows control families and high-leverage anchors; a control-by-control mapping is next iteration.
  2. AIUC-1 Society pillar. The CMM has no analogue for catastrophic-misuse / national-security externalities. This is a real gap, not a mapping bug.
  3. EU AI Act high-risk classification trigger. The crosswalk assumes high-risk classification; for limited-risk and minimal-risk systems Annex IV does not apply and the crosswalk simplifies.
  4. CSF 2.0 subcategory map. A finer-grained NIST CSF 2.0 subcategory mapping (106 subcategories) would help organizations using CSF as their primary control catalogue.
  5. AIUC-1 quarterly drift. AIUC-1 updates quarterly. The crosswalk shows the Q2 2026 state; refresh required after each quarterly drop.
  6. L5+ Leading Edge tier (added 2026-05-04). This crosswalk maps to the CMM’s L5 (Optimizing — achievable today) tier only. L5+ research-stage capabilities (TEE-backed guardrail attestation, CaMeL split, multi-agent cascade-detection rule libraries, cross-vendor AI-BOM federation, sigstore-for-MCP) do not yet have standards anchors because they predate the relevant specs. As CoSAI / OWASP / NIST CAISI publish leading-edge guidance through 2026–2027, this crosswalk will gain an L5+ column; until then, L5+ is anchored to the underlying research literature, not to formal standards.

Relations

Footnotes

  1. Annex IV structure verified against the primary source (artificialintelligenceact.eu/annex/4/, retrieved 2026-06-22) in the EU AI Act standards review. The prior version of this table mislabelled three points: cybersecurity measures (2(h), previously “point 5”), the risk management system (point 5 / Art. 9, previously “2(g)”), and changes through the lifecycle (point 6, previously “risk register”).