Compliance Framework Coverage
Highflame's detectors and Cedar policy profiles are mapped to the major AI security threat frameworks. Each Cedar policy in the built-in library carries @tags annotations that reference the specific framework controls it addresses. These annotations are surfaced in Observatory's policy metadata and are available for export in audit reports.
OWASP LLM Top 10
The OWASP LLM Top 10 (2025) is the primary reference taxonomy for large language model security risks.
| ID | Risk | Highflame coverage |
|---|---|---|
| LLM01 | Prompt Injection | Injection detector (ML confidence), indirect injection detector (indirect_injection_score), jailbreak detector; code_agent/supply_chain.cedar, a2a_security/inter_agent_injection.cedar, data_pipeline/security.cedar |
| LLM02 | Sensitive Information Disclosure | PII detector, secrets detector (16+ formats); advanced_detection/pii.cedar, advanced_detection/secrets.cedar, data_pipeline/privacy.cedar |
| LLM03 | Supply Chain | Tool poisoning detector (tool_poisoning_score), MCP server verification; code_agent/supply_chain.cedar, a2a_security/supply_chain.cedar |
| LLM04 | Data and Model Poisoning | Indirect injection in retrieval contexts; data_pipeline/security.cedar indirect injection threshold |
| LLM05 | Insecure Output Handling | Output-side guardrail evaluations; bidirectional PII block in chat_assistant/privacy.cedar; secrets in outputs blocked in data_pipeline/security.cedar |
| LLM06 | Excessive Agency | Dangerous and sensitive tool gating (tool_risk_score, tool_category); shell execution block; loop detection and token budget overrun; code_agent/agentic_security.cedar |
| LLM07 | System Prompt Leakage | System prompt leak patterns in injection detector; a2a_security/identity_enforcement.cedar |
| LLM08 | Vector and Embedding Weaknesses | Cross-origin detection (cross_origin_score); a2a_security/cross_origin.cedar |
| LLM09 | Misinformation | Hallucination detection (base guardrails) |
| LLM10 | Unbounded Consumption | Token budget overrun (budget_exceeded); loop detection (loop_detected, loop_count); code_agent/agentic_security.cedar |
OWASP AI Security Initiative (ASI)
The OWASP AI Security Initiative extends the LLM Top 10 with agent-specific attack vectors.
| ID | Threat | Highflame coverage |
|---|---|---|
| ASI01 | Indirect Prompt Injection | indirect_injection_score detector; a2a_security/inter_agent_injection.cedar; code_agent/supply_chain.cedar |
| ASI03 | Confused Deputy / Cross-Origin | cross_origin_score detector (mixed origins, URL injection, proxy patterns); a2a_security/cross_origin.cedar |
| ASI04 | Supply Chain Attacks | Tool poisoning and rug pull detectors; a2a_security/supply_chain.cedar; code_agent/supply_chain.cedar |
| ASI05 | Agent Identity Spoofing | Anonymous agent detection, unregistered framework detection; a2a_security/identity_enforcement.cedar; ZeroID agent identity integration |
OWASP MCP Security
The OWASP MCP Security guidelines (2025) address threats specific to the Model Context Protocol tool ecosystem.
| ID | Threat | Highflame coverage |
|---|---|---|
| MCP01 | Tool Poisoning | tool_poisoning_score detector; a2a_security/supply_chain.cedar; code_agent/supply_chain.cedar; MCP server verification in multi_agent/agent_trust.cedar |
| MCP02 | Rug Pull / Behavioral Drift | rug_pull_score detector; a2a_security/supply_chain.cedar rug pull rule |
| MCP03 | MCP Supply Chain Compromise | Server poisoning threshold (≥ 55); unverified MCP server connection blocking; Agent Gateway MCP registry |
MITRE ATLAS
MITRE ATLAS (Adversarial Threat Landscape for AI Systems) catalogs adversarial attack techniques against ML and AI systems.
| Technique | Name | Highflame coverage |
|---|---|---|
| AML.T0051 | LLM Prompt Injection | Injection detector, jailbreak detector, multi-turn deep context model |
| AML.T0051.002 | Indirect Prompt Injection via Retrieved Content | indirect_injection_score detector; data_pipeline/security.cedar lowered threshold for RAG |
| AML.T0054 | LLM Jailbreak | Jailbreak detector; chat_assistant/security.cedar tighter threshold (≥ 65) |
| AML.T0016 | Obtain Capabilities via LLM | Dangerous tool blocking; shell execution block in code_agent/agentic_security.cedar |
| AML.T0048 | Exfiltration via ML API | Sequence pattern detector (data_exfiltration, db_exfiltration); code_agent/supply_chain.cedar credential theft chain |
MITRE ATT&CK
The following MITRE ATT&CK techniques are relevant to AI agent deployments.

| Technique | Name | Highflame coverage |
|---|---|---|
| T1552 | Unsecured Credentials | Credential file path blocking (.env*, .ssh/*, .aws/*); code_agent/path_security.cedar; secrets detector |
| T1530 | Data from Cloud Storage | Exfiltration sequence detection; tool risk gating for cloud storage tools |
| T1059 | Command and Scripting Interpreter | Shell execution block in code_agent/agentic_security.cedar; command injection detector in base security patterns |
| T1190 | Exploit Public-Facing Application | Injection and jailbreak detection on public-facing chat applications; chat_assistant/security.cedar |
| T1071 | Application Layer Protocol (exfiltration) | Network tool lockdown post-PII in multi_agent/agent_safety.cedar; data_pipeline exfiltration block |
NIST AI Risk Management Framework (AI RMF)
The NIST AI RMF (2023) provides a voluntary framework for managing risks in AI systems across four core functions: Govern, Map, Measure, and Manage.
| Function | Highflame capability |
|---|---|
| Govern | Cedar policy authorship, version control, and deployment via Highflame Studio; role-based access controls; audit archive for policy evidence |
| Map | Threat detection coverage across OWASP, ATLAS, and ATT&CK frameworks; coverage mesh in Observatory Command Center |
| Measure | Real-time detection rates, block rates, and false positive tracking in Observatory; detector drift heatmap for coverage regression |
| Manage | Guardrail enforcement (Block / Monitor / Alert modes); session circuit breakers; incident response workflow via threat alerts and Observatory investigation |
NIST SP 800-53
Selected NIST SP 800-53 controls relevant to AI agent deployments, mapped to Highflame capabilities.
| Control | Name | Highflame capability |
|---|---|---|
| AC-4 | Information Flow Enforcement | Cross-origin policy (a2a_security/cross_origin.cedar); data exfiltration blocks; network tool lockdown post-PII |
| IA-2 | Identification and Authentication | ZeroID agent identity; agent_id enforcement in A2A identity policies |
| IA-8 | Identification and Authentication — Non-Org Users | Agent trust level enforcement (first_party, verified_third_party, unverified) |
| IR-4 | Incident Handling | Session escalation detection and circuit breakers; Observatory threat investigation workflow |
| SC-28 | Protection of Information at Rest | Credential file path blocking; secrets in file write detection |
| SI-4 | System Monitoring | Real-time event ingestion in Observatory; UEBA entity risk scoring; detector drift heatmap |
| SI-7 | Software, Firmware, and Information Integrity | Supply chain attack detection; tool poisoning and rug pull detectors |
Regulatory frameworks
Highflame's data protection controls map to common regulatory requirements.
| Framework | Requirement | Highflame control |
|---|---|---|
| GDPR | Data minimization; preventing unlawful processing of personal data | PII detection and blocking (inputs and outputs); bidirectional PII block in chat_assistant; zero-tolerance PII in data_pipeline |
| HIPAA | Protection of protected health information (PHI) | Medical ID detection in advanced_detection/pii.cedar; audit archive for access records |
| PCI-DSS | Prevention of cardholder data exposure | Credit card number detection in all profiles; zero-tolerance in data_pipeline; advanced_detection bulk PII block |
| SOC 2 Type II | Security, availability, and confidentiality controls | Audit archive; policy-backed enforcement decisions; Observatory governance evidence |
| EU AI Act | Transparency and risk management for high-risk AI systems | Cedar policy audit trail; governance evidence from Observatory; reporting for compliance documentation |
Exporting compliance evidence
All detection events include the Cedar policy annotations (@tags, @severity, @id) that reference the framework controls above. You can filter and export this data from Observatory:
Observatory → Threats → filter by policy_category or policy_severity → Export CSV

For streaming ingestion into your GRC platform or SIEM, configure a webhook or Splunk HEC destination in Alerts.
The export includes the determining_policies field for each event, which lists the specific Cedar policy IDs and their annotations — giving your compliance team the direct link from a detected event to the framework control it satisfies.
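As an added example (not Highflame's own code or export schema), the script below builds a framework-control evidence index from exported events: it assumes a newline-delimited JSON export in which each event carries a determining_policies list of policy ids with their @tags and @severity annotations, and that tags are written as framework-prefixed control ids such as OWASP:LLM02. Both the export layout and the tag convention are assumptions; the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of three exported Shield events. The field layout
# (event_id, determining_policies with id/tags/severity) is an assumption
# for this example, not the product's documented export format.
SAMPLE_EXPORT = """\
{"event_id": "evt-1", "determining_policies": [{"id": "advanced_detection/pii.cedar#bulk_pii_block", "tags": ["OWASP:LLM02", "GDPR", "NIST-800-53:SC-28"], "severity": "high"}]}
{"event_id": "evt-2", "determining_policies": [{"id": "code_agent/agentic_security.cedar#shell_block", "tags": ["OWASP:LLM06", "ATLAS:AML.T0016", "ATT&CK:T1059"], "severity": "critical"}]}
{"event_id": "evt-3", "determining_policies": []}
"""


def parse_export(jsonl: str) -> list:
    """Parse a newline-delimited JSON export into a list of event dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def evidence_by_control(events: list) -> dict:
    """Map each framework control tag to the (event_id, policy_id) pairs that
    cite it. Events with no determining policies (e.g. monitor-only) contribute
    nothing, which is what a compliance reviewer wants: no policy, no evidence."""
    index = defaultdict(list)
    for ev in events:
        for pol in ev.get("determining_policies", []):
            for tag in pol.get("tags", []):
                index[tag].append((ev["event_id"], pol["id"]))
    return {tag: sorted(pairs) for tag, pairs in index.items()}


def coverage_gaps(index: dict, required_controls: list) -> list:
    """Return the controls from a framework mapping that no exported event
    references, i.e. controls for which this export provides no evidence."""
    return sorted(c for c in required_controls if c not in index)


if __name__ == "__main__":
    # Check the export against the OWASP LLM Top 10 rows of the table above.
    owasp = [f"OWASP:LLM{n:02d}" for n in range(1, 11)]
    index = evidence_by_control(parse_export(SAMPLE_EXPORT))
    for tag, pairs in sorted(index.items()):
        print(tag, "<-", pairs)
    print("no evidence yet for:", coverage_gaps(index, owasp))
```

A gap reported by coverage_gaps means the filtered export window contained no event whose determining policy is tagged with that control, not that the control is uncovered by policy.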
Related
Audit Archive & Reporting — configuring data capture, retention, and data warehouse export
Observatory → Threats — filtering and investigating Shield events by framework tag
Policy Templates — pre-built Cedar profiles with built-in framework annotations