# Compliance Framework Coverage

Highflame's detectors and Cedar policy profiles are mapped to the major AI security threat frameworks. Each Cedar policy in the built-in library carries `@tags` annotations that reference the specific framework controls it addresses. These annotations are surfaced in Observatory's policy metadata and are available for export in audit reports.

***

## OWASP LLM Top 10

The OWASP LLM Top 10 (2025) is the primary reference taxonomy for large language model security risks.

| OWASP ID  | Threat                           | Highflame controls                                                                                                                                                                                                            |
| --------- | -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **LLM01** | Prompt Injection                 | Injection detector (ML confidence), indirect injection detector (`indirect_injection_score`), jailbreak detector; `code_agent/supply_chain.cedar`, `a2a_security/inter_agent_injection.cedar`, `data_pipeline/security.cedar` |
| **LLM02** | Sensitive Information Disclosure | PII detector, secrets detector (16+ formats); `advanced_detection/pii.cedar`, `advanced_detection/secrets.cedar`, `data_pipeline/privacy.cedar`                                                                               |
| **LLM03** | Supply Chain                     | Tool poisoning detector (`tool_poisoning_score`), MCP server verification; `code_agent/supply_chain.cedar`, `a2a_security/supply_chain.cedar`                                                                                 |
| **LLM04** | Data and Model Poisoning         | Indirect injection in retrieval contexts; `data_pipeline/security.cedar` indirect injection threshold                                                                                                                         |
| **LLM05** | Insecure Output Handling         | Output-side guardrail evaluations; bidirectional PII block in `chat_assistant/privacy.cedar`; secrets in outputs blocked in `data_pipeline/security.cedar`                                                                    |
| **LLM06** | Excessive Agency                 | Dangerous and sensitive tool gating (`tool_risk_score`, `tool_category`); shell execution block; loop detection and token budget overrun; `code_agent/agentic_security.cedar`                                                 |
| **LLM07** | System Prompt Leakage            | System prompt leak patterns in injection detector; `a2a_security/identity_enforcement.cedar`                                                                                                                                  |
| **LLM08** | Vector and Embedding Weaknesses  | Cross-origin detection (`cross_origin_score`); `a2a_security/cross_origin.cedar`                                                                                                                                              |
| **LLM09** | Misinformation                   | Hallucination detection (base guardrails)                                                                                                                                                                                     |
| **LLM10** | Unbounded Consumption            | Token budget overrun (`budget_exceeded`); loop detection (`loop_detected`, `loop_count`); `code_agent/agentic_security.cedar`                                                                                                 |

***

## OWASP AI Security Initiative (ASI)

The OWASP AI Security Initiative extends the LLM Top 10 with agent-specific attack vectors.

| ASI ID    | Threat                         | Highflame controls                                                                                                                        |
| --------- | ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- |
| **ASI01** | Indirect Prompt Injection      | `indirect_injection_score` detector; `a2a_security/inter_agent_injection.cedar`; `code_agent/supply_chain.cedar`                          |
| **ASI03** | Confused Deputy / Cross-Origin | `cross_origin_score` detector (mixed origins, URL injection, proxy patterns); `a2a_security/cross_origin.cedar`                           |
| **ASI04** | Supply Chain Attacks           | Tool poisoning and rug pull detectors; `a2a_security/supply_chain.cedar`; `code_agent/supply_chain.cedar`                                 |
| **ASI05** | Agent Identity Spoofing        | Anonymous agent detection, unregistered framework detection; `a2a_security/identity_enforcement.cedar`; ZeroID agent identity integration |

***

## OWASP MCP Security

The OWASP MCP Security guidelines (2025) address threats specific to the Model Context Protocol tool ecosystem.

| MCP ID    | Threat                      | Highflame controls                                                                                                                                              |
| --------- | --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **MCP01** | Tool Poisoning              | `tool_poisoning_score` detector; `a2a_security/supply_chain.cedar`; `code_agent/supply_chain.cedar`; MCP server verification in `multi_agent/agent_trust.cedar` |
| **MCP02** | Rug Pull / Behavioral Drift | `rug_pull_score` detector; `a2a_security/supply_chain.cedar` rug pull rule                                                                                      |
| **MCP03** | MCP Supply Chain Compromise | Server poisoning threshold (≥ 55); unverified MCP server connection blocking; Agent Gateway MCP registry                                                        |

***

## MITRE ATLAS

MITRE ATLAS (Adversarial Threat Landscape for AI Systems) catalogs adversarial attack techniques against ML and AI systems.

| ATLAS ID          | Technique                                       | Highflame controls                                                                                                         |
| ----------------- | ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| **AML.T0051**     | LLM Prompt Injection                            | Injection detector, jailbreak detector, multi-turn deep context model                                                      |
| **AML.T0051.002** | Indirect Prompt Injection via Retrieved Content | `indirect_injection_score` detector; `data_pipeline/security.cedar` lowered threshold for RAG                              |
| **AML.T0054**     | LLM Jailbreak                                   | Jailbreak detector; `chat_assistant/security.cedar` tighter threshold (≥ 65)                                               |
| **AML.T0016**     | Obtain Capabilities via LLM                     | Dangerous tool blocking; shell execution block in `code_agent/agentic_security.cedar`                                      |
| **AML.T0048**     | Exfiltration via ML API                         | Sequence pattern detector (`data_exfiltration`, `db_exfiltration`); `code_agent/supply_chain.cedar` credential theft chain |

***

## MITRE ATT&CK

Relevant MITRE ATT&CK techniques applicable to AI agent deployments.

| ATT&CK ID  | Technique                                 | Highflame controls                                                                                                 |
| ---------- | ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| **T1552**  | Unsecured Credentials                     | Credential file path blocking (`.env*`, `.ssh/*`, `.aws/*`); `code_agent/path_security.cedar`; secrets detector    |
| **T1530**  | Data from Cloud Storage                   | Exfiltration sequence detection; tool risk gating for cloud storage tools                                          |
| **T1059**  | Command and Scripting Interpreter         | Shell execution block in `code_agent/agentic_security.cedar`; command injection detector in base security patterns |
| **T1190**  | Exploit Public-Facing Application         | Injection and jailbreak detection on public-facing chat applications; `chat_assistant/security.cedar`              |
| **T1071**  | Application Layer Protocol (exfiltration) | Network tool lockdown post-PII in `multi_agent/agent_safety.cedar`; `data_pipeline` exfiltration block             |

***

## NIST AI Risk Management Framework (AI RMF)

The NIST AI RMF (2023) provides a voluntary framework for managing risks in AI systems across four core functions: Govern, Map, Measure, and Manage.

| AI RMF Function | How Highflame addresses it                                                                                                                                  |
| --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Govern**      | Cedar policy authorship, version control, and deployment via Highflame Studio; role-based access controls; audit archive for policy evidence                |
| **Map**         | Threat detection coverage across OWASP, ATLAS, and ATT&CK frameworks; coverage mesh in Observatory Command Center                                           |
| **Measure**     | Real-time detection rates, block rates, and false positive tracking in Observatory; detector drift heatmap for coverage regression                          |
| **Manage**      | Guardrail enforcement (Block / Monitor / Alert modes); session circuit breakers; incident response workflow via threat alerts and Observatory investigation |

***

## NIST SP 800-53

Selected NIST SP 800-53 controls relevant to AI agent deployments, mapped to Highflame capabilities.

| Control   | Name                                              | Highflame implementation                                                                                          |
| --------- | ------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
| **AC-4**  | Information Flow Enforcement                      | Cross-origin policy (`a2a_security/cross_origin.cedar`); data exfiltration blocks; network tool lockdown post-PII |
| **IA-2**  | Identification and Authentication                 | ZeroID agent identity; `agent_id` enforcement in A2A identity policies                                            |
| **IA-8**  | Identification and Authentication — Non-Org Users | Agent trust level enforcement (`first_party`, `verified_third_party`, `unverified`)                               |
| **IR-4**  | Incident Handling                                 | Session escalation detection and circuit breakers; Observatory threat investigation workflow                      |
| **SC-28** | Protection of Information at Rest                 | Credential file path blocking; secrets in file write detection                                                    |
| **SI-4**  | System Monitoring                                 | Real-time event ingestion in Observatory; UEBA entity risk scoring; detector drift heatmap                        |
| **SI-7**  | Software, Firmware, and Information Integrity     | Supply chain attack detection; tool poisoning and rug pull detectors                                              |

***

## Regulatory frameworks

Highflame's data protection controls map to common regulatory requirements.

| Regulation        | Relevant requirement                                               | Highflame controls                                                                                                                  |
| ----------------- | ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- |
| **GDPR**          | Data minimization; preventing unlawful processing of personal data | PII detection and blocking (inputs and outputs); bidirectional PII block in `chat_assistant`; zero-tolerance PII in `data_pipeline` |
| **HIPAA**         | Protection of protected health information (PHI)                   | Medical ID detection in `advanced_detection/pii.cedar`; audit archive for access records                                            |
| **PCI-DSS**       | Prevention of cardholder data exposure                             | Credit card number detection in all profiles; zero-tolerance in `data_pipeline`; `advanced_detection` bulk PII block                |
| **SOC 2 Type II** | Security, availability, and confidentiality controls               | Audit archive; policy-backed enforcement decisions; Observatory governance evidence                                                 |
| **EU AI Act**     | Transparency and risk management for high-risk AI systems          | Cedar policy audit trail; governance evidence from Observatory; reporting for compliance documentation                              |

***

## Exporting compliance evidence

All detection events include the Cedar policy annotations (`@tags`, `@severity`, `@id`) that reference the framework controls above. You can filter and export this data from Observatory:

* **Observatory → Threats** → filter by `policy_category` or `policy_severity` → **Export CSV**
* For streaming ingestion into your GRC platform or SIEM, configure a webhook or Splunk HEC destination in [Alerts](/integrations/alerts.md)

The export includes the `determining_policies` field for each event, which lists the specific Cedar policy IDs and their annotations — giving your compliance team the direct link from a detected event to the framework control it satisfies.
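The following is an added example, not Highflame's own code, showing how a compliance team can close the loop the two passages above describe: read the `@id`, `@severity` and `@tags` annotations out of a Cedar policy file, then join an exported event list on its `determining_policies` field to count, per framework control, how many enforcement events cite it. It also flags two evidence gaps worth checking before an audit: policies in the library that carry no `@tags` (their events map to no control) and exported events that reference a policy ID missing from the policy set you are auditing against (the export and the deployed policies are out of sync). The policy text, the CSV columns, the `FRAMEWORK:ID` tag format and the `context.pii_score` attribute are all constructed assumptions for this example; the page does not specify the export schema or tag syntax.

```python
"""Map exported Shield events back to the framework controls their
determining Cedar policies cite.  Added example; not Highflame's code.

Assumptions (not specified on the page): Cedar annotations are written
@key("value") immediately before a policy; the @tags value is a
comma-separated list of FRAMEWORK:ID strings; the CSV export has a
`determining_policies` column holding a JSON list of policy IDs.
"""
import csv
import io
import json
import re
from collections import defaultdict

# Constructed policy file in the style of the built-in library.
# `context.pii_score` is a hypothetical attribute; `tool_category` and
# `budget_exceeded` are attribute names the page mentions.
SAMPLE_POLICIES = '''
@id("pii-output-block")
@severity("high")
@tags("OWASP:LLM02,NIST-800-53:AC-4,GDPR")
forbid(principal, action, resource)
when { context.pii_score >= 70 };

@id("shell-exec-block")
@severity("critical")
@tags("OWASP:LLM06,ATT&CK:T1059")
forbid(principal, action == Action::"execute_tool", resource)
when { context.tool_category == "shell" };

@id("budget-guard")
@severity("medium")
forbid(principal, action, resource)
when { context.budget_exceeded == true };
'''

# Constructed CSV export; `legacy-rule` deliberately references a policy
# that is not in SAMPLE_POLICIES.
SAMPLE_EXPORT = '''event_id,timestamp,decision,policy_category,policy_severity,determining_policies
evt-001,2025-01-10T12:00:00Z,block,privacy,high,"[""pii-output-block""]"
evt-002,2025-01-10T12:05:00Z,block,agentic,critical,"[""shell-exec-block""]"
evt-003,2025-01-10T12:07:00Z,block,agentic,critical,"[""shell-exec-block"",""legacy-rule""]"
evt-004,2025-01-10T12:09:00Z,allow,,,[]
'''

ANNOTATION = re.compile(r'@(\w+)\("([^"]*)"\)')
# One or more annotations followed by the policy effect keyword.
POLICY = re.compile(r'((?:@\w+\("[^"]*"\)\s*)+)(permit|forbid)\b')


def parse_policy_annotations(cedar_text):
    """Return {policy_id: {"severity": str, "tags": [str], "effect": str}}."""
    policies = {}
    for m in POLICY.finditer(cedar_text):
        ann = dict(ANNOTATION.findall(m.group(1)))
        pid = ann.get("id")
        if not pid:
            continue  # a policy without @id cannot be cited by an event
        tags = [t.strip() for t in ann.get("tags", "").split(",") if t.strip()]
        policies[pid] = {"severity": ann.get("severity", "unknown"),
                         "tags": tags, "effect": m.group(2)}
    return policies


def untagged_policies(policies):
    """Policy IDs whose events would map to no framework control."""
    return sorted(pid for pid, p in policies.items() if not p["tags"])


def coverage_report(cedar_text, export_csv):
    """Count events per control tag (each control once per event) and
    collect (event_id, policy_id) pairs that cite an unknown policy."""
    policies = parse_policy_annotations(cedar_text)
    per_control = defaultdict(int)
    unknown = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        controls = set()
        for pid in json.loads(row["determining_policies"] or "[]"):
            if pid not in policies:
                unknown.append((row["event_id"], pid))
                continue
            controls.update(policies[pid]["tags"])
        for control in controls:
            per_control[control] += 1
    return {"controls": dict(per_control), "unknown_policy_refs": unknown}


if __name__ == "__main__":
    report = coverage_report(SAMPLE_POLICIES, SAMPLE_EXPORT)
    for control, n in sorted(report["controls"].items()):
        print(f"{control:20} {n} event(s)")
    print("untagged policies:", untagged_policies(parse_policy_annotations(SAMPLE_POLICIES)))
    print("unknown policy refs:", report["unknown_policy_refs"])
```

Controls are counted once per event even when two determining policies cite the same tag, so the numbers read as "events that exercised this control" rather than "policy hits"; point the script at the real policy set and a real CSV export and compare the unknown-reference list against the policy version recorded in the audit archive.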

***

## Related

* [Audit Archive & Reporting](/governance-and-reporting/audit-archive.md) — configuring data capture, retention, and data warehouse export
* [Observatory → Threats](/observatory/threats.md) — filtering and investigating Shield events by framework tag
* [Policy Templates](/agent-authorization-and-control-shield/policy-templates.md) — pre-built Cedar profiles with built-in framework annotations


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.highflame.ai/governance-and-reporting/compliance-frameworks.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
