Status: Open
Labels: enhancement (New feature or request)
Description
Goal
Create the reference data file that maps every PP check and action type to compliance framework controls. Used by both the CLI reporter and the PP app's audit receipts.
Mapping Table
PP Checks → Compliance Standards
Every check ID (PP-GI-001 through PP-MCP-020) needs mappings to:
| Standard | Identifier Format | Example |
|---|---|---|
| OWASP Agentic Top 10 | ASI01 - ASI10 | OWASP:ASI01 |
| OWASP LLM Top 10 | LLM01 - LLM10 | OWASP:LLM01 |
| NIST AI RMF | Function.Category | NIST:GOVERN-1.2 |
| ISO 42001 | Annex control | ISO42001:A.5.2 |
| EU AI Act | Article | EUAIA:Art.14 |
| MITRE ATLAS | Technique | ATLAS:AML.T0051 |
PP Actions → Compliance Evidence
When PP generates audit receipts, each action type maps to compliance controls it satisfies:
```json
{
  "action_mappings": {
    "authorize": {
      "satisfies": ["OWASP:ASI01", "NIST:GOVERN-1.2", "ISO42001:A.8.2", "EUAIA:Art.14.1"],
      "evidence_type": "Authority receipt with approval chain"
    },
    "deny": {
      "satisfies": ["OWASP:ASI03", "NIST:GOVERN-1.5", "ISO42001:A.6.2"],
      "evidence_type": "Denial receipt with policy reference"
    },
    "escalate": {
      "satisfies": ["OWASP:ASI01", "NIST:GOVERN-1.3", "ISO42001:A.5.4", "EUAIA:Art.14.3"],
      "evidence_type": "Escalation receipt with human-in-loop proof"
    },
    "veto": {
      "satisfies": ["OWASP:ASI10", "NIST:GOVERN-1.5", "ISO42001:A.8.4", "EUAIA:Art.14.4"],
      "evidence_type": "Founder veto receipt with kill-switch activation"
    },
    "timeout": {
      "satisfies": ["OWASP:ASI09", "NIST:GOVERN-1.4"],
      "evidence_type": "Timeout receipt — action blocked by safety default"
    }
  }
}
```
File Format
src/data/compliance.json — single JSON file with two sections:
- `check_mappings`: each check ID to relevant standard controls
- `action_mappings`: each PP action type to standards it satisfies
OWASP Agentic Top 10 Reference
- ASI01: Agent Goal Manipulation
- ASI02: Tool Misuse
- ASI03: Privilege Escalation
- ASI04: Supply Chain Compromise
- ASI05: Code Execution
- ASI06: Memory & Context Poisoning
- ASI07: Data Leakage
- ASI08: Model Theft
- ASI09: Cascading Failures
- ASI10: Rogue Agent
Acceptance Criteria
- All 20 check IDs mapped to at least OWASP + NIST
- All 5 PP action types mapped with evidence descriptions
- Valid JSON, importable by both analyzer and reporter
- Mappings are accurate (cross-reference against published standards)
- README section explaining the mapping methodology
Depends On
- Issue Repo scaffold + CLI package setup #1 (scaffold — for file location)
Used By
- Issue Permission gap analyzer — find unprotected agent actions #3 (analyzer — attaches tags to findings)
- Issue CLI reporter — beautiful terminal output + Three Questions framing #4 (reporter — displays compliance tags)
- Future: PP app audit receipt enrichment
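A validator for the acceptance criteria above, added here as an example and not part of the original issue or the project's code. It assumes `check_mappings` maps each check ID to an array of `STANDARD:control` strings, that check IDs look like `PP-<CATEGORY>-NNN`, and the per-standard regexes shown; the sample document is constructed.

```javascript
// Tag formats from the issue's table; sub-numbering and NIST function names are assumptions.
const TAG_PATTERNS = new Map([
  ["OWASP", /^(ASI|LLM)(0[1-9]|10)$/],
  ["NIST", /^(GOVERN|MAP|MEASURE|MANAGE)-\d+\.\d+$/],
  ["ISO42001", /^A\.\d+\.\d+$/],
  ["EUAIA", /^Art\.\d+(\.\d+)?$/],
  ["ATLAS", /^AML\.T\d{4}(\.\d{3})?$/],
]);
const CHECK_ID = /^PP-[A-Z]+-\d{3}$/; // assumed shape of PP-GI-001 .. PP-MCP-020
const REQUIRED_ACTIONS = ["authorize", "deny", "escalate", "veto", "timeout"];
function isValidTag(tag) {
  const sep = typeof tag === "string" ? tag.indexOf(":") : -1;
  const pattern = sep > 0 ? TAG_PATTERNS.get(tag.slice(0, sep)) : undefined;
  return pattern !== undefined && pattern.test(tag.slice(sep + 1));
}
// Returns a list of problems (empty means the file passes the acceptance criteria).
function validateCompliance(doc, expected = 20) {
  const errors = [];
  const checks = Object.entries(doc.check_mappings || {});
  if (checks.length !== expected) errors.push(`expected ${expected} checks, found ${checks.length}`);
  for (const [id, tags] of checks) {
    if (!CHECK_ID.test(id)) errors.push(`${id}: malformed check ID`);
    const list = Array.isArray(tags) ? tags : [];
    for (const t of list) if (!isValidTag(t)) errors.push(`${id}: bad tag ${t}`);
    for (const std of ["OWASP", "NIST"]) // criterion: at least OWASP + NIST per check
      if (!list.some((t) => isValidTag(t) && t.startsWith(std + ":")))
        errors.push(`${id}: no ${std} mapping`);
  }
  for (const name of REQUIRED_ACTIONS) {
    const action = (doc.action_mappings || {})[name];
    if (!action) { errors.push(`${name}: action missing`); continue; }
    if (!action.evidence_type) errors.push(`${name}: no evidence_type`);
    for (const t of action.satisfies || []) if (!isValidTag(t)) errors.push(`${name}: bad tag ${t}`);
  }
  return errors;
}

// Constructed sample, deliberately incomplete to show the failure modes.
const SAMPLE = {
  check_mappings: {
    "PP-GI-001": ["OWASP:ASI01", "NIST:GOVERN-1.2", "ATLAS:AML.T0051"],
    "PP-MCP-020": ["OWASP:ASI02", "ISO42001:A.5.2"],
  },
  action_mappings: {
    authorize: { satisfies: ["OWASP:ASI01", "EUAIA:Art.14.1"], evidence_type: "Authority receipt" },
    deny: { satisfies: ["OWASP:ASI3"], evidence_type: "Denial receipt" },
  },
};
console.log(validateCompliance(SAMPLE, 2).join("\n"));
```

Run against the real `src/data/compliance.json` with the default count of 20, a non-empty result is what a CI step would fail on.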