Agentic AI Security CMM — Standards Crosswalk Matrix

This is the crosswalk matrix the validation page (Validation: Agentic AI Security CMM vs Widely Adopted Standards §6 rec #1) called out as the single highest-leverage addition to the CMM. Without it, D1 L4/L5 and D8 L5 are unfalsifiable — an organization cannot demonstrate AIUC-1 / ISO 42001 / EU AI Act compliance against a CMM that names the standards but doesn’t map controls.

The matrix is intentionally lossy: it surfaces the anchor controls in each standard for each CMM domain. Full Annex-by-Annex maps are scoped for follow-up sessions.

Master matrix — CMM domain × standard

flowchart LR
    CMM[CMM Domain] --> S1[NIST AI RMF / 600-1 / 800-4]
    CMM --> S2[ISO/IEC 42001 Annex A]
    CMM --> S3[MITRE ATLAS v5.4.0]
    CMM --> S4[OWASP ASI / AIVSS / LLM]
    CMM --> S5[Microsoft ZT4AI]
    CMM --> S6[CSA MAESTRO / ATF]
    CMM --> S7[EU AI Act]
    CMM --> S8[AIUC-1]
    CMM --> S9[CoSAI / SAIF]

Cell semantics: each cell names the anchor control(s) the CMM domain maps into, where evidence from the CMM (the artifacts in the level table) can be re-presented for each standard’s audit. Empty cell = no clean anchor; the CMM domain is exceeding the standard’s coverage there (see Validation: Agentic AI Security CMM vs Widely Adopted Standards §4).

CMM Domain	NIST AI RMF + 600-1 / 800-4	ISO/IEC 42001 Annex A	MITRE ATLAS v5.4.0	OWASP ASI / AIVSS / LLM	Microsoft ZT4AI	CSA MAESTRO / ATF	EU AI Act	AIUC-1	CoSAI / SAIF
D1 Governance	Govern function (all 6 categories); IR 8605A SP 800-53 PM-* family	A.5 (Leadership), A.6 (Planning), A.9 (Performance Eval)	(no anchor — ATLAS is attack-only)	(no direct anchor — ASI is risk-only)	ZT4AI Pillar 1 (Agent governance) — exec sponsorship	Agentic Trust Framework gates 0–4 governance overlay	Art. 9 Risk Mgmt; Art. 17 Quality Mgmt; Art. 50 GPAI transparency	Pillar: Accountability	SAIF Foundation: Govern; CoSAI Shared Accountability principle
D2 Identity & Authorization	AI 600-1 §2.4; NIST CAISI Concept Paper Feb 2026; SP 800-207 ZTA; SP 800-63 IAL/AAL	A.7.5 Roles & responsibilities; ISO 27090 §Identity (FDIS Mar 2026)	AML.T0019 (Acquire Public ML Artifacts) sub-techniques where agents act as service identities	ASI03 Identity & Privilege Abuse; AIVSS amp factors: Autonomy Level, Tool Use Scope; LLM06:2025 Excessive Agency	ZT4AI Pillar 1 (verify explicitly + least privilege); Entra Agent ID; Agent 365 Registry	ATF Gate 1 (Identity binding)	Art. 14 Human oversight (delegation chain)	Pillar: Security (identity controls subset)	SAIF Element 2 (Identity); CoSAI Agentic IAM Apr 2026
D3 Control & Least-Agency	AI 600-1 §2.10 (Excessive Agency); SP 800-53 AC-* family	A.7.4 Operational planning; A.7.6 Decision making	AML.TA0040 (Impact tactic — least-agency limits blast radius); AML.T0048 (External Harms)	ASI09 Missing Guardrails; AIVSS amp factor: Autonomy Level; LLM06:2025	ZT4AI Pillar 1 (least privilege); Prompt Shields policy	ATF Gates 2–4 (progressive autonomy promotion)	Art. 14 Human oversight (HITL); Art. 13 Transparency to deployers	Pillar: Safety (autonomy boundaries)	CoSAI Maximize Oversight While Minimizing Intervention
D4 Runtime & Guardrails	AI 600-1 §2.5 (CBRN, harmful), §2.7 (Confabulation); AI 800-4 §post-deployment monitoring	A.7.3 (Operations); ISO 27090 §Runtime safeguards	AML.T1612 (Adversarial AI); AML.T0051 (LLM Prompt Injection); AML.T0054 (LLM Jailbreak); AML.M#### mitigations	ASI01 Goal Hijack; ASI02 Tool Misuse; LLM01:2025 Prompt Injection; LLM05:2025 Improper Output Handling	ZT4AI Pillar 3 (Prompt security); Microsoft Prompt Shields; Groundedness Detection; FIDES research	MAESTRO Layers 3–4 (Model + Reasoning); ATF Gate 3 (runtime guardrails)	Art. 15 Accuracy/Robustness/Cybersecurity	Pillar: Security (guardrails subset)	SAIF Element 4 (Application defense); CoSAI WS4 Secure Design
D5 Egress & Network	AI 600-1 §2.11 (Information Security — exfil); SP 800-207 ZTA; SP 800-53 SC-* family	A.7.2 Communications; ISO 27090 §Inter-system	AML.T0024 (Exfiltration via AI Agent Tool Invocation); AML.T0048 (External Harms via tool actions)	ASI02 Tool Misuse; ASI07 Insecure Inter-Agent Comms	ZT4AI Pillar 2 (Data security at egress); Defender for Cloud Apps	MAESTRO Layers 4–5 (Reasoning + Agent ecosystem); CoSAI MCP white paper 12 categories	Art. 15 Cybersecurity	Pillar: Security (network/protocol subset)	SAIF Element 3 (Infrastructure); CoSAI MCP Security white paper Jan 2026
D6 Data, Memory & RAG	AI 600-1 §2.4 (Data privacy), §2.7 (Confabulation), §2.8 (Information integrity); AI 800-4 §model-and-data drift	A.7.1 Resources; A.7.7 Data quality	AML.T1565 (Data Manipulation); AML.T0080 (AI Agent Context Poisoning: Memory); AML.T0019 (Public ML Artifacts)	ASI05 Sensitive Data Disclosure; ASI06 Memory Poisoning; LLM04:2025 Data and Model Poisoning; LLM07:2025 System Prompt Leakage; LLM08:2025 Vector/Embedding Weaknesses	ZT4AI Pillar 2 (Data security incl. Purview tuned for AI)	MAESTRO Layer 1 (Data); ATF Gate 5 (memory integrity)	Art. 10 Data and data governance; Art. 11 Technical documentation (corpus provenance)	Pillar: Data & Privacy	SAIF Element 1 (Data); CoSAI MCP server data threats
D7 Observability & Detection	NIST CSF 2.0 Detect; AI 800-4 (six monitoring categories); AI 600-1 §2.12 (Value Chain and Component Integration)	A.8 (Operational planning) — monitoring; A.9 (Performance evaluation)	AML.M0007 (Detection mitigations); ATLAS Detection Layer in Navigator	ASI08 Cascading Failures; ASI10 Rogue Agents; AIVSS Multi-Agent Interactions amp factor	ZT4AI Pillar 1 (assume breach) — Sentinel + Defender for Cloud Apps; Agent 365 lifecycle telemetry	MAESTRO Layer 6 (Observability); ATF Gate 4 (continuous monitoring)	Art. 12 Logging and record-keeping; Art. 72 Post-market monitoring	Pillar: Reliability (monitoring subset)	SAIF Element 5 (Auto-defense / detect); OTel gen_ai.*
D8 Supply Chain & AI-BOM	NIST SP 800-218A SSDF AI Profile; AI 600-1 §2.12	A.7.8 Suppliers; A.7.9 Third-party; ISO 27036-*	AML.T0019 Acquire Public ML Artifacts (incl. v5.4.0 “Publish Poisoned AI Agent Tool”); AML.CS0050 (OpenClaw Investigation supply-chain)	ASI04 Supply Chain Vulnerabilities; AIVSS amp factor: Self-Modification	ZT4AI: Microsoft ML scan in Defender for Cloud	MAESTRO Layer 7 (Supply chain); CSAI Foundation AI Risk Observatory March 2026	Art. 11 + Annex IV (technical documentation incl. AI-BOM-like)	Pillar: Security (supply chain subset)	SAIF Element 1 (Data) supply-chain provenance; CoSAI Project CodeGuard
D9 Operations & Human Factors	AI 800-4 (human factors flagged as biggest blind spot); CSF 2.0 Govern.OS (Oversight); CoSAI IR Framework v1.0	A.7.4 Resources continuity; A.10 (Improvement)	AML.M0008 (User training); AML.M0009 (Restrict library loading)	LLM07:2025 System Prompt Leakage (confidentiality); ASI08 Cascading Failures (operator-side)	ZT4AI Pillar 1 (continuous verification); FIDES rate-limit / cost-budget research	ATF Gate 4 + Gate 5 (sustained autonomy and operations)	Art. 12 Logging; Art. 14 Human oversight; Art. 72 Post-market monitoring; Art. 73 Reporting of serious incidents	Pillar: Reliability + Society	CoSAI AI Incident Response Framework v1.0

Annex IV (EU AI Act) crosswalk

EU AI Act Annex IV requires technical documentation for high-risk AI systems. Mapping the items most relevant to agentic AI:

Annex IV Item	CMM evidence at L3+	CMM domain
1. General description (purpose, intended use)	Agent Card / system manifest	D1 + D2
2. Detailed description (architecture)	Reference architecture instance per agent	D1 + reference to Agentic AI Security Reference Architecture (2026)
2(c). Computational resources used	Latency / cost dashboard	D9
2(d). Data requirements / sheets / provenance	Per-source attribution; AI-BOM	D6 + D8
2(e). Human oversight measures	HITL coverage telemetry; least-agency tier register	D3 + D9
2(g). Risk management	Risk Committee minutes; incident register	D1
2(h). Changes through lifecycle	Decommission lifecycle artifacts; version pinning policy	D9
3. Detailed monitoring information	Behavioral-monitoring dashboards; OTel gen_ai.* traces; AI-SPM	D7
5. Cybersecurity measures	Cred-proxy logs; gateway config; sandbox; firewall	D2 + D4 + D5
6. Risk register and mitigation	ID-tagged finding registry (ASI / AIVSS / ATLAS)	D1 + D7 + D8

AIUC-1 six pillars crosswalk

AIUC-1 organizes safeguards under six pillars (Security / Safety / Reliability / Accountability / Data & Privacy / Society). Mapping to CMM:

AIUC-1 Pillar	Primary CMM domains	Notes
Security	D2, D4, D5, D8	Largest overlap — credential isolation, guardrails, egress, supply chain
Safety	D3, D4	Least-agency tiers, alignment-check, content safety
Reliability	D7, D9	Behavioral drift detection, latency budgets, decommission cadence
Accountability	D1, D2	Identity binding, action-to-human tracing, governance committee
Data & Privacy	D6	RAG provenance, memory poisoning, system-prompt confidentiality
Society	(gap — see CMM §“Open questions”)	The CMM has no analogue for catastrophic-misuse / national-security externalities. Acknowledged.

ISO/IEC 42001 Annex A 38-control crosswalk (high-leverage subset)

Mapping the 38 ISO 42001 Annex A controls to CMM domains. Cells show which CMM domain provides primary evidence; controls map to multiple domains where applicable.

Annex A Control	CMM domain	Notes
A.5.* Leadership and policies (5 controls)	D1	AI policy + roles
A.6.* Planning (3 controls)	D1, D8	AI Risk Committee, AI-BOM scope
A.7.1 Resources	D6, D8	Compute + data + model registry
A.7.2 Communications	D5	Inter-system, A2A
A.7.3 Operations	D4	Runtime guardrails
A.7.4 Operational planning	D3, D9	Least-agency tiers; decommission
A.7.5 Roles & responsibilities	D2	Identity binding
A.7.6 Decision-making	D3	HITL gates
A.7.7 Data quality	D6	RAG provenance
A.7.8 Suppliers	D8	Supply-chain scanning
A.7.9 Third-party	D8	Third-party AI risk
A.8.* Operational planning & control (4 controls)	D7, D9	Monitoring + ops
A.9.* Performance evaluation (4 controls)	D7	KPIs, audit
A.10.* Improvement (3 controls)	D9	Closed-loop ops

A full 38-control map is the next iteration; this surfaces the high-leverage anchors.

NIST SP 800-53 control families via IR 8605A COSAiS

For organizations mapping to NIST SP 800-53 (federal compliance), the IR 8605A COSAiS overlay is the bridge. Primary control families per CMM domain:

CMM Domain	SP 800-53 control families
D1	PM (Program Management), PL (Planning), CA (Assessment)
D2	AC (Access Control), IA (Identification and Authentication), AU (Audit)
D3	AC, AC-2, AC-3, AC-6 (least privilege)
D4	SI (System and Information Integrity), SA (System and Services Acquisition)
D5	SC (System and Communications Protection), SC-7 (boundary), SC-8 (transmission)
D6	MP (Media Protection), SI-7 (integrity), SC-28 (at-rest)
D7	AU (Audit and Accountability), SI-4 (monitoring), IR (Incident Response)
D8	SR (Supply Chain Risk Management), SA (Acquisition)
D9	IR (Incident Response), CP (Contingency Planning), AT (Awareness and Training)

Mapping consumption pattern

flowchart LR
    A[ID-tagged finding<br/>ASI / AIVSS / ATLAS / CVE] --> B[CMM Domain]
    B --> C{Crosswalk}
    C --> D1[Annex IV section]
    C --> D2[AIUC-1 pillar]
    C --> D3[ISO 42001 Annex A]
    C --> D4[SP 800-53 family]
    D1 & D2 & D3 & D4 --> E[Audit-ready artifact]

Adopting org workflow:

1. Tag every finding with the appropriate ID (ASI/AIVSS/ATLAS/CVE).
2. Look up the CMM domain via the architecture mapping.
3. Use this crosswalk to surface the corresponding Annex IV / AIUC-1 / ISO 42001 / SP 800-53 anchor.
4. Re-present the same evidence under the format each standard expects.

Open gaps in the crosswalk

Known unfilled spots in this crosswalk

1. Full 38-control ISO 42001 Annex A map. Current map shows control families and high-leverage anchors; a control-by-control mapping is next iteration.
2. AIUC-1 Society pillar. The CMM has no analogue for catastrophic-misuse / national-security externalities. This is a real gap, not a mapping bug.
3. EU AI Act high-risk classification trigger. The crosswalk assumes high-risk classification; for limited-risk and minimal-risk systems Annex IV does not apply and the crosswalk simplifies.
4. CSF 2.0 subcategory map. A finer-grained NIST CSF 2.0 subcategory mapping (106 subcategories) would help organizations using CSF as their primary control catalogue.
5. AIUC-1 quarterly drift. AIUC-1 updates quarterly. The crosswalk shows the Q2 2026 state; refresh required after each quarterly drop.
6. L5+ Leading Edge tier (added 2026-05-04). This crosswalk maps to the CMM’s L5 (Optimizing — achievable today) tier only. L5+ research-stage capabilities (TEE-backed guardrail attestation, CaMeL split, multi-agent cascade-detection rule libraries, cross-vendor AI-BOM federation, sigstore-for-MCP) do not yet have standards anchors because they predate the relevant specs. As CoSAI / OWASP / NIST CAISI publish leading-edge guidance through 2026–2027, this crosswalk will gain an L5+ column; until then, L5+ is anchored to the underlying research literature, not to formal standards.

Relations

• Companion to: Agentic AI Security Capability Maturity Model — A 2026 Practical Proposal — provides the standards-anchor evidence map the CMM D1 L4/L5 requires.
• Resolves: Validation: Agentic AI Security CMM vs Widely Adopted Standards §6 recommendation #1.
• Built from: framework summaries in Frameworks Index.