Agentic AI Security CMM — Standards Crosswalk Matrix
This is the crosswalk matrix the validation page (Validation: Agentic AI Security CMM vs Widely Adopted Standards §6 rec #1) called out as the single highest-leverage addition to the CMM. Without it, D1 L4/L5 and D8 L5 are unfalsifiable: an organization cannot demonstrate AIUC-1 / ISO 42001 / EU AI Act compliance against a CMM that names the standards but doesn’t map controls.
The matrix is intentionally lossy: it surfaces the anchor controls in each standard for each CMM domain. Full Annex-by-Annex maps remain future work.
The CSA MAESTRO / ATF column was corrected by the 2026-Q2 standards review: MAESTRO cells now cite verified layer names (Layer 1 is Foundation Models, Layer 2 is Data Operations), and the ATF cells cite the five elements (Identity, Behavior, Data Governance, Segmentation, Incident Response) that anchor domains rather than the numbered promotion gates, which govern level advancement and do not map one-to-one onto a domain.
The CoSAI / SAIF column was reconciled by the Google SAIF and CoSAI standards review (2026-06-22): CoSAI cells now cite the verified deliverable dates — Model Context Protocol (MCP) Security (2026-01-20), Agentic Identity and Access Management (2026-04-17), and the AI Incident Response Framework (2025-10-30) — and the four verbatim workstream names (WS1–WS4). The “40 threats / 12 categories” MCP figure is flagged as not re-verifiable in that pass.
On this page
- Master matrix: CMM domain × standard
- Annex IV (EU AI Act) crosswalk
- AIUC-1 six pillars crosswalk
- ISO/IEC 42001 Annex A 38-control crosswalk
- NIST SP 800-53 control families via IR 8605A COSAiS
- Microsoft ZT4AI control-level crosswalk
- Mapping consumption pattern
- Open gaps in the crosswalk
- Relations
Recalibration note (2026-05-25). The domain-to-standard mappings below remain valid after the D1–D9 recalibration — a domain still anchors to the same standards. One framing change matters for this page: AIUC-1 is no longer a D1-L5 mandate. D1-L5 is now scheme-neutral third-party assurance with ISO/IEC 42001 preferred; AIUC-1 is one accepted option among several (with documented concentration and freshness caveats — see the AIUC-1 evaluation). The AIUC-1 six-pillars crosswalk below is retained as a mapping for organizations that choose that scheme, not as the required anchor. For the recalibrated per-domain criteria, the nine deep dives (linked from the CMM) are authoritative.
Master matrix — CMM domain × standard
flowchart LR CMM[CMM Domain] --> S1[NIST AI RMF / 600-1 / 800-4] CMM --> S2[ISO/IEC 42001 Annex A] CMM --> S3[MITRE ATLAS v5.6.0] CMM --> S4[OWASP ASI / AIVSS / LLM] CMM --> S5[Microsoft ZT4AI] CMM --> S6[CSA MAESTRO / ATF] CMM --> S7[EU AI Act] CMM --> S8[AIUC-1] CMM --> S9[CoSAI / SAIF]
Cell semantics: each cell names the anchor control(s) the CMM domain maps into, where evidence from the CMM (the artifacts in the level table) can be re-presented for each standard’s audit. Empty cell = no clean anchor; the CMM domain is exceeding the standard’s coverage there (see Validation: Agentic AI Security CMM vs Widely Adopted Standards §4).
The Microsoft column was split by Agent 365 review: the RAI Standard is a responsible-AI goals standard (seventeen goals across six principles), distinct from the ZT4AI control catalogue. The master matrix now carries a separate RAI-goals column alongside the ZT4AI-control column so the goals-standard-versus-catalogue distinction is visible at a glance; Agent 365 is the management plane over the ZT4AI controls, not a separate standard.
| CMM Domain | NIST AI RMF + 600-1 / 800-4 | IEC 42001 Annex A | MITRE ATLAS v5.6.0 | OWASP ASI / AIVSS / LLM | Microsoft RAI (goals) | Microsoft ZT4AI (controls) | ATF | EU AI Act | AIUC-1 | CoSAI / SAIF |
|---|---|---|---|---|---|---|---|---|---|---|
| D1 Governance | Govern function (all 6 categories); IR 8605A SP 800-53 PM-* family | A.2 Policies; A.3 Internal organization; A.5 Impact assessment | (no anchor — ATLAS is attack-only) | (no direct anchor — ASI is risk-only) | A1 Impact Assessment; A2 Oversight; A3 Fit for purpose; A4 Data governance; T1-T2 Transparency | ZT4AI Pillar 1 (Agent governance) — exec sponsorship | ATF Gate 5 (Governance Sign-off); Incident Response element (governance overlay) | Art. 9 Risk Mgmt; Art. 17 Quality Mgmt; Art. 50 GPAI transparency | Pillar: Accountability | SAIF Foundation: Govern; CoSAI Shared Accountability principle |
| D2 Identity & Authorization | (AI 600-1 has no non-human-identity content — see review); NIST CAISI Concept Paper Feb 2026; SP 800-207 ZTA; SP 800-63 IAL/AAL | A.3 Internal organization (roles allocated to people, not agent/NHI identity); ISO 27090 §Identity (FDIS Mar 2026, unpublished) | AML.T0055 (Unsecured Credentials); AML.T0083 (Credentials from AI Agent Configuration); AML.T0098 (AI Agent Tool Credential Harvesting) | ASI03 Identity and Privilege Abuse; AIVSS factors: Execution Autonomy, External Tool Control Surface, Dynamic Identity; LLM06:2025 Excessive Agency (agency facet only — names excessive permissions as a consequence, no identity/authorization control, per the LLM Top 10 review) | (no identity goal — PS1 defers to the Privacy Standard) | ZT4AI Pillar 1 (verify explicitly + least privilege); Entra Agent ID; Agent 365 Registry (management plane) | ATF Identity element (“Who are you?”) | Art. 14 Human oversight (delegation chain) | Pillar: Security (identity controls subset) | SAIF Element 2 (Identity); CoSAI Agentic Identity and Access Management (2026-04-17) |
| D3 Control & Least-Agency | AI 600-1 refusal/disengage actions GV-3.2-003 / MS-2.6-006 / MG-2.4-001…004 (no least-privilege control — see review); SP 800-53 AC-* family | A.9 Responsible/intended use (process framing only — no least-agency control) | AML.T0053 (AI Agent Tool Invocation); AML.T0081 (Modify AI Agent Configuration); AML.T0105 (Escape to Host) | ASI02 Tool Misuse and Exploitation (least-privilege tool profiles, Intent Gate PEP/PDP); Least-Agency principle; ASI08 blast-radius guardrails; AIVSS factor: Execution Autonomy; LLM06:2025 | A5 Human oversight and control (goal-level only — no least-agency control) | ZT4AI Pillar 1 (least privilege); Prompt Shields policy | ATF Segmentation element (“Where can you go?”); 4 maturity levels (Intern→Junior→Senior→Principal) gated by 5 promotion gates | Art. 14 Human oversight (HITL); Art. 13 Transparency to deployers | Pillar: Safety (autonomy boundaries) | CoSAI Maximize Oversight While Minimizing Intervention |
| D4 Runtime & Guardrails | NIST SP 800-218A PW.1.1.R1 (AI threat modeling), PW.5.2/PW.5.3 (input/output handling), PO.4.1.R1 (guardrails) — build-time only, no runtime enforcement (review claim 2); AI 600-1 §2.1 (CBRN), §2.2 (Confabulation), §2.3 (Dangerous/Hateful Content); groundedness action MS-2.5-005 (prompt injection is red-team-only MS-2.7-007); AI 800-4 post-deployment monitoring | A.6 AI system life cycle (operation/monitoring, generic); ISO 27090 §Runtime safeguards (FDIS, unpublished) | AML.T0051 (LLM Prompt Injection); AML.T0054 (LLM Jailbreak); AML.T0053 (AI Agent Tool Invocation); AML.M0020 (Generative AI Guardrails) | ASI01 Goal Hijack; ASI02 Tool Misuse; LLM01:2025 Prompt Injection; LLM05:2025 Improper Output Handling | RS1 Reliability and safety; RS2 Failures and remediations (outcome goals — control deferred to ZT4AI) | ZT4AI Pillar 3 (Prompt security); Microsoft Prompt Shields; Groundedness Detection; FIDES research | MAESTRO Layer 1 (Foundation Models) + Layer 3 (Agent Frameworks); ATF Behavior element (“What are you doing?”) | Art. 15 Accuracy/Robustness/Cybersecurity | Pillar: Security (guardrails subset) | SAIF Element 4 (Application defense); CoSAI WS4 Secure Design |
| D5 Egress & Network | AI 600-1 §2.9 (Information Security — exfil as threat only, MS-2.7-001; no egress control — see review); SP 800-207 ZTA; SP 800-53 SC-* family | (no specific Annex A control); ISO 27090 §Inter-system (FDIS, unpublished) | AML.T0024 (Exfiltration via AI Agent Tool Invocation); AML.T0048 (External Harms via tool actions) | ASI02 Tool Misuse; ASI07 Insecure Inter-Agent Comms | (no egress goal) | ZT4AI Pillar 2 (Data security at egress); Defender for Cloud Apps | MAESTRO Layer 4 (Deployment and Infrastructure) + Layer 7 (Agent Ecosystem); ATF Segmentation element (blast radius); CoSAI MCP Security (2026-01-20) | Art. 15 Cybersecurity | Pillar: Security (network/protocol subset) | SAIF Element 3 (Infrastructure); CoSAI Model Context Protocol (MCP) Security (2026-01-20) |
| D6 Data, Memory & RAG | NIST SP 800-218A PW.3 (PW.3.1 poisoning/tampering screen, PW.3.2 provenance, PW.3.3 adversarial samples) + PS.1.2 (training-data protection) — training-data integrity is 218A’s strongest contribution, but no RAG/runtime-memory content (review); AI 600-1 §2.4 (Data Privacy), §2.8 (Information Integrity); data/poisoning actions MP-4.1-004/005, MS-2.7-007 (no agent-memory poisoning — see review); AI 800-4 distribution-shift/drift §3.2.1 | A.7 Data (acquisition, quality, provenance — data only) | AML.T0080 (AI Agent Context Poisoning); AML.T0070 (RAG Poisoning); AML.T0020 (Poison Training Data) | ASI06 Memory & Context Poisoning (validate memory writes, per-tenant namespaces, expire unverified memory); LLM04:2025 Data and Model Poisoning; LLM07:2025 System Prompt Leakage; LLM08:2025 Vector/Embedding Weaknesses | A4 Data governance and management; PS1 Privacy Standard compliance (goal-level) | ZT4AI Pillar 2 (Data security incl. Purview tuned for AI) | MAESTRO Layer 2 (Data Operations); ATF Data Governance element (“What are you eating? What are you serving?”) | Art. 10 Data and data governance; Art. 11 Technical documentation (corpus provenance) | Pillar: Data & Privacy | SAIF Element 1 (Data); CoSAI MCP server data threats |
| D7 Observability & Detection | NIST CSF 2.0 Detect; AI 800-4 (six monitoring categories, §3 challenge taxonomy); AI 600-1 monitoring actions MS-2.6-005 / MG-3.2-006 / MG-4.1-001…006 | A.6 AI system life cycle (event logging, plausible); A.8 Information for interested parties (incident communication) | AML.M0007 (Detection mitigations); ATLAS Detection Layer in Navigator | ASI08 Cascading Failures; ASI10 Rogue Agents; AIVSS Multi-Agent Interactions amp factor | RS3 Ongoing monitoring, feedback, and evaluation (monitoring goal) | ZT4AI Pillar 1 (assume breach) — Sentinel + Defender for Cloud Apps; Agent 365 observe (registry, Registry sync, Agent Map) | MAESTRO Layer 5 (Evaluation and Observability); ATF Behavior element (continuous monitoring, anomaly detection) | Art. 12 Logging and record-keeping; Art. 72 Post-market monitoring | Pillar: Reliability (monitoring subset) | SAIF Element 5 (Auto-defense / detect); OTel gen_ai.* |
| D8 Supply Chain & AI-BOM | NIST SP 800-218A PS.3.2 (model provenance via SBOM/SLSA), PW.4.4.R1 (verify integrity of acquired models), PS.1.3.R4 (weight protection) — but no AI-BOM artifact schema (review claim 3); AI 600-1 §2.12 (Value Chain), third-party block GV-6.1-001…010 (no AI-BOM artifact — see review) | A.4 Resources; A.10 Third-party relationships (no AI-BOM requirement); ISO 27036-* | AML.T0010 (AI Supply Chain Compromise); AML.T0104 (Publish Poisoned AI Agent Tool); AML.T0109 (AI Supply Chain Rug Pull); AML.T0019 (Publish Poisoned Datasets) | ASI04 Supply Chain Vulnerabilities; AIVSS amp factor: Self-Modification | A4 Data governance (training-data provenance, partial — no AI-BOM goal) | ZT4AI: Microsoft ML scan in Defender for Cloud (Agent 365 inventory ≠ AI-BOM) | MAESTRO Layer 3 (Agent Frameworks) supply-chain threat — named, not a control; ATF silent; CSAI Foundation AI Risk Observatory March 2026 | Art. 11 + Annex IV (technical documentation incl. AI-BOM-like) | Pillar: Security (supply chain subset) | SAIF Element 1 (Data) supply-chain provenance; CoSAI Project CodeGuard |
| D9 Operations & Human Factors | AI 800-4 (human factors flagged as biggest blind spot); CSF 2.0 Govern.OS (Oversight); CoSAI AI Incident Response Framework (2025-10-30) | A.4 Resources (human); A.6 AI system life cycle (deployment, documentation); A.8 Information for interested parties | AML.M0008 (User training); AML.M0009 (Restrict library loading) | ASI09 Human-Agent Trust Exploitation (over-reliance, automation/authority bias, oversight training); ASI08 Cascading Failures (operator-side); LLM07:2025 System Prompt Leakage (confidentiality) | A5 Human oversight and control; A2 Oversight of significant adverse impacts | ZT4AI Pillar 1 (continuous verification); Agent 365 lifecycle + Entra ID Governance sponsors; FIDES rate-limit / cost-budget research | ATF Incident Response element (“What if you go rogue?” — kill switch, demotion-to-Intern) | Art. 12 Logging; Art. 14 Human oversight; Art. 72 Post-market monitoring; Art. 73 Reporting of serious incidents | Pillar: Reliability + Society | CoSAI AI Incident Response Framework (2025-10-30) |
ZT4AI column is anchor-level
The Microsoft ZT4AI cells above stay anchor-level (one pillar reference per domain) for parity with the other standards. The control-level ZT4AI crosswalk — named, deep-linked controls with GA/preview status per domain — is in the dedicated section below and in the 2026-Q2 ZT4AI review. Note the “700 controls / 116 groups / 33 swim lanes” figure is the whole Zero Trust Workshop, not an AI-pillar count.
Five threat classes crosswalk
The master matrix maps published standards to domains. The wiki’s five threat classes are the expansion the standards under-serve, and they map to domains on a different axis: cross-cutting adversary models rather than per-component risks. The authoritative threat-to-domain mapping for every taxonomy, including these classes, is the Threat Taxonomy Reconciliation matrix. The per-class summary below is the CMM-side view.
| Threat class | Primary CMM domains | Highest-leverage control |
|---|---|---|
| Class 1 — AI-aware insider | D2, D3, D6, D8 (D9) | Customer-owned, version-pinned eval harness over every artifact (AI-BOM + always-on eval) |
| Class 2 — Long-running APT campaign | D4, D5, D7 (D9) | Cross-version eval continuity + sustained AI-workload threat hunting |
| Class 3 — Collusion | D3, D4, D7 (D9) | Monitor isolation + output canonicalization + deception probes |
| Class 4 — Model-version degradation | D4, D6, D8 (D9) | Customer eval suite versioned independently of the vendor; pin-by-hash |
| Class 5 — Jurisdictional adversary | D1 (D9) | Multi-vendor abstraction; jurisdiction tagging; vendor-cutoff playbook |
D9 Operations is the shared denominator across all five, which is why its bus-factor and continuity prerequisites gate every other domain’s L5 claim. Classes 1, 2, and 4 collapse to a single observable — the eval-harness delta against a trusted baseline — so D6 and D8 carry the load-bearing control for three of the five.
Annex IV (EU AI Act) crosswalk
EU AI Act Annex IV requires technical documentation for high-risk AI systems. Mapping the items most relevant to agentic AI. The Annex IV point and sub-point labels below were corrected against the verified Annex IV structure in the EU AI Act standards review: Annex IV has nine top-level points; point 2 carries sub-points (a)-(h), with cybersecurity at 2(h) and validation/testing at 2(g); the risk management system is point 5 (per Art. 9), and changes through the lifecycle is point 6.1
| Annex IV Item | CMM evidence at L3+ | CMM domain |
|---|---|---|
| 1. General description (purpose, intended use) | Agent Card / system manifest | D1 + D2 |
| 2. Detailed description (architecture) | Reference architecture instance per agent | D1 + reference to Agentic AI Security Reference Architecture |
| 2(c). System architecture / computational resources used | Latency / cost dashboard | D9 |
| 2(d). Data requirements / datasheets / provenance | Per-source attribution; AI-BOM | D6 + D8 |
| 2(e). Human oversight measures | HITL coverage telemetry; least-agency tier register | D3 + D9 |
| 2(g). Validation and testing procedures | Red-team / eval reports; acceptance-test records | D1 + D4 |
| 2(h). Cybersecurity measures | Cred-proxy logs; gateway config; sandbox; firewall | D2 + D4 + D5 |
| 3. Detailed monitoring information | Behavioral-monitoring dashboards; OTel gen_ai.* traces; AI-SPM | D7 |
| 5. Risk management system (per Art. 9) | Risk Committee minutes; incident register; ID-tagged finding registry (ASI / AIVSS / ATLAS) | D1 + D7 + D8 |
| 6. Changes through the lifecycle | Decommission lifecycle artifacts; version pinning policy | D9 |
AIUC-1 six pillars crosswalk
AIUC-1 organizes safeguards under six pillars (Security / Safety / Reliability / Accountability / Data & Privacy / Society). This mapping applies when an organization chooses AIUC-1 as its assurance scheme; after the recalibration it is one option among several for D1-L5, not the mandated anchor (ISO/IEC 42001 preferred). Mapping to CMM:
For a requirement-level view of how AIUC-1 lines up against the OWASP ASI agentic threat taxonomy, see the OWASP ASI to AIUC-1 crosswalk. It records eight AIUC-1 coverage gaps against the ASI prevention guidelines (inter-agent authentication, agent identity attestation, cascading-failure containment, tool-call observability, runtime monitoring, resource-abuse controls, supply-chain attestation, and I/O schema controls) that the six-pillar mapping below does not surface.
| AIUC-1 Pillar | Primary CMM domains | Notes |
|---|---|---|
| Security | D2, D4, D5, D8 | Largest overlap — credential isolation, guardrails, egress, supply chain |
| Safety | D3, D4 | Least-agency tiers, alignment-check, content safety |
| Reliability | D7, D9 | Behavioral drift detection, latency budgets, decommission cadence |
| Accountability | D1, D2 | Identity binding, action-to-human tracing, governance committee |
| Data & Privacy | D6 | RAG provenance, memory poisoning, system-prompt confidentiality |
| Society | (gap — see CMM §“Open questions”) | The CMM has no analogue for catastrophic-misuse / national-security externalities. Acknowledged. |
ISO/IEC 42001 Annex A 38-control crosswalk (high-leverage subset)
Mapping the ISO 42001 Annex A control objectives (~38 controls) to CMM domains. Cells show which CMM domain provides primary evidence; controls map to multiple domains where applicable. The control-objective IDs use the public Annex A objective scheme (A.2-A.10) verified in the IEC 42001 + 27090 review; an earlier version of this table mislabelled the management-system clauses 5-10 under A. prefixes (A.5.* Leadership, A.6.* Planning, A.7.1-A.7.9), conflating clauses with Annex A controls.
Summary-sourced, paywall-bounded
The ISO 42001 normative text is paywalled and was not read. The objective IDs and titles below are the public Annex A objective scheme; the full per-control 38-item map remains summary-sourced (isms.online, cyberzoni.com) and is not verified against the primary Annex. Treat the mapping as the public skeleton, not as read clauses.
| Annex A objective | CMM domain | Notes |
|---|---|---|
| A.2 Policies related to AI | D1 | AI policy framework |
| A.3 Internal organization (roles & responsibilities) | D1 | Role/accountability allocation — to people, not non-human/agent identity |
| A.4 Resources (data, tooling, compute, human) | D8, D6 | Resource inventory; model/data registry scope |
| A.5 AI system impact assessment | D1 | Impact/risk assessment process |
| A.6 AI system life cycle | D6, D9 | Development, deployment, documentation, operation — no decommission/version-lifecycle control |
| A.7 Data for AI systems | D6 | Data acquisition, quality, provenance (data only — not model/artifact provenance) |
| A.8 Information for interested parties | D9 | Documentation + incident communication |
| A.9 Responsible/intended use | D3 | Process framing of intended use only — no least-agency or HITL technical control |
| A.10 Third-party relationships | D8 | Supplier/customer responsibility allocation — no AI-BOM requirement |
The full 38-control map remains summary-sourced and paywall-bounded; a control-by-control mapping from the primary Annex is the next iteration, contingent on acquiring the normative text.
NIST SP 800-53 control families via IR 8605A COSAiS
For organizations mapping to NIST SP 800-53 (federal compliance), the IR 8605A COSAiS overlay is the bridge. Primary control families per CMM domain:
| CMM Domain | SP 800-53 control families |
|---|---|
| D1 | PM (Program Management), PL (Planning), CA (Assessment) |
| D2 | AC (Access Control), IA (Identification and Authentication), AU (Audit) |
| D3 | AC, AC-2, AC-3, AC-6 (least privilege) |
| D4 | SI (System and Information Integrity), SA (System and Services Acquisition) |
| D5 | SC (System and Communications Protection), SC-7 (boundary), SC-8 (transmission) |
| D6 | MP (Media Protection), SI-7 (integrity), SC-28 (at-rest) |
| D7 | AU (Audit and Accountability), SI-4 (monitoring), IR (Incident Response) |
| D8 | SR (Supply Chain Risk Management), SA (Acquisition) |
| D9 | IR (Incident Response), CP (Contingency Planning), AT (Awareness and Training) |
Microsoft ZT4AI control-level crosswalk
Named Microsoft controls per CMM domain, from the 2026-Q2 ZT4AI review (deep links and primary-source dates there). Status reflects May 2026 Microsoft documentation. The control-level evidence validated the 2026-05 recalibration: the controls Microsoft ships as preview or guidance match the rungs the recalibration graded preview or off-stack.
| CMM domain | Named ZT4AI / Microsoft controls | Zero Trust pillar | Status |
|---|---|---|---|
| D1 Governance | Responsible AI Standard (impact assessments, named owners); Purview Compliance Manager AI templates; Agent 365 registry | Verify explicitly | Guidance + GA |
| D2 Identity | Entra Agent ID; three access patterns (OBO / app-only / agent’s-user-account); attribute + blueprint Conditional Access; ID Protection for agents; Entra PIM time-limited active role assignment for agents (auto-expiring; agents cannot be PIM-eligible) | Verify explicitly + least privilege | GA |
| D3 Control & Least-Agency | Deny-by-default least-action design; Agent Governance Toolkit PDP (OPA/Cedar/YAML, trust decay, kill switch). No progressive-autonomy tier model (that comes from CSA ATF) | Least privilege + assume breach | Guidance + OSS |
| D4 Runtime & Guardrails | Prompt Shields (direct + indirect); Protected Material; Groundedness + Task Adherence (preview); Defender AI-agent runtime protection (preview) | Assume breach | GA + preview |
| D5 Egress & Network | Entra Internet Access prompt-injection protection (GA); APIM AI Gateway token limits + inline Content Safety + MCP brokering. MCP tool-integrity / rug-pull is guidance-only — no single Azure service | Assume breach + least privilege | GA + guidance |
| D6 Data, Memory & RAG | Purview answer-time entitlement (VIEW + EXTRACT); DSPM for AI oversharing remediation; label-aware DLP; Risky AI Usage insider-risk template | Least privilege + assume breach | GA |
| D7 Observability & Detection | Defender XDR AI-agent detections + AIAgentsInfo / CloudAppEvents hunting tables (preview); Sentinel data-lake MCP server, Entity Analyzer, Playbook Generator (preview); Agent 365 telemetry (GA) | Assume breach | GA + preview |
| D8 Supply Chain & AI-BOM | Defender for Cloud AI-SPM generative AI-BOM discovery across Azure/Bedrock/Vertex (GA), extended to MCP-server and AI-model-provider catalog coverage in Defender for Cloud Apps; AI model scanning in CI/CD (preview); Intune app inventory + Shadow AI dashboard | Verify explicitly | GA + preview |
| D9 Operations & Human Factors | Entra ID Governance sponsors with automatic manager-transfer; time-bound access packages; decommission/disable. No HITL-fatigue / human-factors tooling | Verify explicitly + least privilege | GA (human-factors absent) |
Mapping consumption pattern
flowchart LR A[ID-tagged finding<br/>ASI / AIVSS / ATLAS / CVE] --> B[CMM Domain] B --> C{Crosswalk} C --> D1[Annex IV section] C --> D2[AIUC-1 pillar] C --> D3[ISO 42001 Annex A] C --> D4[SP 800-53 family] D1 & D2 & D3 & D4 --> E[Audit-ready artifact]
Adopting org workflow:
- Tag every finding with the appropriate ID (ASI/AIVSS/ATLAS/CVE).
- Look up the CMM domain via the architecture mapping.
- Use this crosswalk to surface the corresponding Annex IV / AIUC-1 / ISO 42001 / SP 800-53 anchor.
- Re-present the same evidence under the format each standard expects.
Open gaps in the crosswalk
Known unfilled spots in this crosswalk
- Full 38-control ISO 42001 Annex A map. Current map shows control families and high-leverage anchors; a control-by-control mapping is next iteration.
- AIUC-1 Society pillar. The CMM has no analogue for catastrophic-misuse / national-security externalities. This is a real gap, not a mapping bug.
- EU AI Act high-risk classification trigger. The crosswalk assumes high-risk classification; for limited-risk and minimal-risk systems Annex IV does not apply and the crosswalk simplifies.
- CSF 2.0 subcategory map. A finer-grained NIST CSF 2.0 subcategory mapping (106 subcategories) would help organizations using CSF as their primary control catalogue.
- AIUC-1 quarterly drift. AIUC-1 updates quarterly. The crosswalk shows the Q2 2026 state; refresh required after each quarterly drop.
- L5+ Leading Edge tier (added 2026-05-04). This crosswalk maps to the CMM’s L5 (Optimizing — achievable today) tier only. L5+ research-stage capabilities (TEE-backed guardrail attestation, CaMeL split, multi-agent cascade-detection rule libraries, cross-vendor AI-BOM federation, sigstore-for-MCP) do not yet have standards anchors because they predate the relevant specs. As CoSAI / OWASP / NIST CAISI publish leading-edge guidance through 2026–2027, this crosswalk will gain an L5+ column; until then, L5+ is anchored to the underlying research literature, not to formal standards.
Relations
- Companion to: Agentic AI Security Capability Maturity Model — provides the standards-anchor evidence map the CMM
D1 L4/L5requires. - Resolves: Validation: Agentic AI Security CMM vs Widely Adopted Standards §6 recommendation #1.
- Built from: framework summaries in Frameworks Index.
- Complemented by: the OWASP ASI to AIUC-1 crosswalk — a requirement-level AIUC-1 ↔ OWASP ASI map with eight observed AIUC-1 coverage gaps.
Footnotes
-
Annex IV structure verified against the primary source (artificialintelligenceact.eu/annex/4/, retrieved 2026-06-22) in the EU AI Act standards review. The prior version of this table mislabelled three points: cybersecurity measures (2(h), previously “point 5”), the risk management system (point 5 / Art. 9, previously “2(g)”), and changes through the lifecycle (point 6, previously “risk register”). ↩