
add(control): Agent Threat Rules guideline-mappings for CCC.GenAI catalog#986

Draft
eeee2345 wants to merge 1 commit into finos:main from eeee2345:feat/atr-mapping-genai

Conversation

@eeee2345

Per discussion in #985 with @eddie-knight: this adds Agent Threat Rules (ATR) as a Gemara MappingReference for the CCC GenAI catalog, plus EntryMapping blocks under four GenAI controls. Non-invasive, no schema changes, mirrors the existing FINOS-AIGF / SAIF / MITRE-ATLAS mapping pattern.

What this adds

catalogs/ai-ml/gen-ai/metadata.yaml: one new agent-threat-rules entry in mapping-references (id, title, version pinned to v2.1.2, description, url).

catalogs/ai-ml/gen-ai/controls.yaml: ATR guideline-mappings entries under four controls:

| Control | ATR rules | Rationale |
|---|---|---|
| CCC.GenAI.CN01 (Model Input Filtering) | ATR-2026-00001, 00002, 00003, 00440 | prompt-injection category coverage at input layer; CVE-2026-26030 Semantic Kernel lambda+eval RCE |
| CCC.GenAI.CN02 (Model Output Filtering) | ATR-2026-00020, 00021, 00132 | system-prompt leak / API-key exposure / covert-instruction output |
| CCC.GenAI.CN04 (Sanitisation of Ingested Data) | ATR-2026-00002, 00021 | indirect injection via RAG; credential disclosure in ingested content |
| CCC.GenAI.CN06 (Least Privilege for Plugins) | ATR-2026-00010, 00040, 00060, 00441 | tool-poisoning, privilege escalation, plugin impersonation, CVE-2026-25592 SessionsPythonPlugin sandbox escape |

Total: 14 control-to-rule references across 4 of the 8 GenAI controls.

What this does NOT do

  • No schema changes. additionalProperties constraints on existing controls / metadata / capability schemas are not touched.
  • No mapping in the reverse direction. ATR rule files do not learn about CCC. The mapping is one-way and lives entirely in the CCC catalog.
  • No speculative mappings. Every entry has an explicit remarks field naming the specific adjacency. Controls where the relationship is unclear (CN03, CN05, CN07, CN08) are intentionally not mapped in this first batch — easier to add than to retract.
  • No coverage of threats.yaml yet. The threat-level mapping (TH01 Prompt Injection → ATR prompt-injection category, etc.) is a sibling change that can land separately if the maintainers want it.

On the one-way / lossy framing

ATR is a detection-rule corpus (runtime / scanner-time / regex-based pattern matching), not a governance / control framework. The mapping should be read as "this CCC control's intent is operationally validated by these ATR detection rules at the runtime level". It is not "ATR rule X is equivalent to CCC control Y". The metadata description field makes this distinction explicit, and each EntryMapping remarks field reinforces it for the specific control.

Pattern alignment

  • Follows the Gemara mapping_inline.cue spec used by the CCC delivery-toolkit.
  • Mirrors the existing CCM / NIST-CSF / NIST_800_53 / ISO_27001 / FINOS-AIGF / SAIF / MITRE-ATLAS shapes already present in catalogs/ai-ml/gen-ai/controls.yaml.
  • strength: 0 placeholder used consistently with the existing GenAI catalog entries that have not yet been graded.

Validation

  • YAML parses cleanly with PyYAML 6.x.
  • Pre-existing schema validation errors in metadata.yaml (category-ids typing) and controls.yaml (control-families.id requirement) are NOT introduced by this PR — they exist on main and my changes neither extend nor newly trigger them. Verified by running check-jsonschema against both upstream main and my branch.

On scope and next steps

Per @eddie-knight's suggestion in #985 of starting with a 5–10 mapping first batch, this PR is intentionally narrow. Happy to:

  1. Extend to CN03 + CN08 in a follow-up commit on this branch if the shape is approved.
  2. Add the threat-level mappings (threats.yaml) as a separate PR once the control-level shape is reviewed.
  3. Adjust the remarks granularity, or drop / rephrase specific entries if the adjacency reasoning isn't strong enough.

Background context

ATR is referenced by the MISP taxonomy and galaxy threat-intel sharing layers (MISP/misp-taxonomies#323 + MISP/misp-galaxy#1207, both merged 2026-05-10 by Alexandre Dulaunoy as the MISP project lead) and is shipped in production by Cisco AI Defense and Microsoft Agent Governance Toolkit. Different distribution paths than CCC, but if a CCC consumer ever chains through to MISP-tagged threat-intel events, the rule-ID namespace is now stable across both. Mentioning since it informs the description text in the MappingReference.

ATR repo: https://github.com/Agent-Threat-Rule/agent-threat-rules — MIT, v2.1.2 (338 rules at the time of this PR).

Closes / addresses #985.

Adds Agent Threat Rules (ATR) as a Gemara MappingReference in the
CCC GenAI catalog metadata, plus EntryMapping blocks under four
GenAI controls where ATR's detection coverage is genuinely adjacent
to the control's intent:

- CCC.GenAI.CN01 (Model Input Filtering)        → ATR prompt-injection rules (00001, 00002, 00003, 00440)
- CCC.GenAI.CN02 (Model Output Filtering)       → ATR context-exfiltration + agent-manipulation rules (00020, 00021, 00132)
- CCC.GenAI.CN04 (Sanitisation of Ingested Data) → ATR indirect-injection + credential-disclosure rules (00002, 00021)
- CCC.GenAI.CN06 (Least Privilege for Plugins)  → ATR tool-poisoning / privilege-escalation rules (00010, 00040, 00060, 00441)

The mapping is one-way and lossy by design: ATR is a detection-rule
corpus (runtime / scanner-time pattern-based), not a control
framework. Consumers of the CCC controls reading the mapping should
understand that an ATR rule offers a detection signal adjacent to a
control's intent, not a control equivalent. Each EntryMapping's
remarks field clarifies the specific adjacency.

This follows the directional guidance in finos#985
from @eddie-knight to use a Gemara mapping document rather than a
schema-invasive integration. Implementation mirrors the existing
MappingReference / EntryMapping pattern used by CCC for FINOS-AIGF,
SAIF, MITRE-ATLAS, etc.

Scope is intentionally narrow (4 controls × 14 rule-references)
rather than a full sweep of all 8 GenAI controls. After this first
batch lands, the same pattern can extend to CN03, CN08, and the
threat-level mappings.

ATR upstream: https://github.com/Agent-Threat-Rule/agent-threat-rules
(MIT, v2.1.2, 338 rules across 10 attack categories).
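A reviewer-side consistency check for the kind of change this PR describes, added here as an example and not code from the PR or the CCC project. It assumes the Gemara inline-mapping field names (mapping-references, guideline-mappings, entries, reference-id, strength, remarks) and uses constructed dicts in place of yaml.safe_load output so it runs without PyYAML; it verifies that every guideline-mapping resolves to a metadata mapping-reference, that ATR rule ids are well-formed, and that the PR's "no speculative mappings" rule (non-empty remarks) holds.

```python
import re

# Assumed Gemara inline-mapping field names (mapping-references, guideline-mappings,
# entries, reference-id, strength, remarks); the two dicts are constructed sample
# data standing in for yaml.safe_load output, with two deliberate defects to catch.
ATR_ID = re.compile(r"^ATR-\d{4}-\d{5}$")

# stand-in for catalogs/ai-ml/gen-ai/metadata.yaml
METADATA = {"mapping-references": [
    {"id": "agent-threat-rules", "title": "Agent Threat Rules", "version": "v2.1.2",
     "url": "https://github.com/Agent-Threat-Rule/agent-threat-rules"}]}

# stand-in for controls.yaml, cut down to two of the four mapped controls
CONTROLS = {"controls": [
    {"id": "CCC.GenAI.CN01", "guideline-mappings": [
        {"reference-id": "agent-threat-rules", "entries": [
            {"reference-id": "ATR-2026-00001", "strength": 0,
             "remarks": "prompt-injection coverage at the input layer"},
            {"reference-id": "ATR-2026-00440", "strength": 0,
             "remarks": ""}]}]},  # defect 1: speculative entry, no rationale
    {"id": "CCC.GenAI.CN04", "guideline-mappings": [
        {"reference-id": "agent-thret-rules", "entries": [  # defect 2: dangling ref
            {"reference-id": "ATR-2026-00002", "strength": 0,
             "remarks": "indirect injection via RAG content"}]}]}]}


def lint_mappings(metadata, controls):
    """Cross-check controls.yaml against metadata.yaml; return a list of problems."""
    known = {r["id"] for r in metadata.get("mapping-references", [])}
    problems = []
    for ctrl in controls.get("controls", []):
        for gm in ctrl.get("guideline-mappings", []):
            ref = gm.get("reference-id")
            if ref not in known:  # every guideline-mapping must resolve in metadata
                problems.append(f"{ctrl['id']}: unknown mapping-reference {ref!r}")
            for entry in gm.get("entries", []):
                rid = str(entry.get("reference-id", ""))
                if ref == "agent-threat-rules" and not ATR_ID.match(rid):
                    problems.append(f"{ctrl['id']}: malformed ATR rule id {rid!r}")
                if not str(entry.get("remarks", "")).strip():  # no speculative mappings
                    problems.append(f"{ctrl['id']}/{rid}: missing remarks")
    return problems


def count_atr_refs(controls):
    """ATR entries per control; the PR's own total is 14 across 4 controls."""
    return {c["id"]: sum(len(gm.get("entries", [])) for gm in c.get("guideline-mappings", [])
                         if gm.get("reference-id") == "agent-threat-rules")
            for c in controls.get("controls", [])}
```

Run against the real files by replacing the two dicts with yaml.safe_load of metadata.yaml and controls.yaml; an empty list from lint_mappings means the cross-file references are consistent.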

netlify Bot commented May 11, 2026

Deploy Preview for common-cloud-controls canceled.

| Name | Link |
|---|---|
| 🔨 Latest commit | b1bf909 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/common-cloud-controls/deploys/6a019a7cfc6ca300084b4df7 |


linux-foundation-easycla Bot commented May 11, 2026

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: eeee2345 / name: Adamthereal (b1bf909)

eeee2345 changed the title from "add(mapping): Agent Threat Rules cross-reference for CCC GenAI catalog" to "add(control): Agent Threat Rules guideline-mappings for CCC.GenAI catalog" on May 11, 2026