Standards Alignment
How IntentGate's agent runtime authorization controls map to the security and AI-governance frameworks that security teams, auditors, and procurement reference during evaluation. This page gives the explicit per-standard mapping; the underlying mechanism behind each mapping is documented on the individual control pages and in the IntentGate Vendor Security Pack §1.5.
OWASP Top 10 for LLM Applications (2025)
Security risks specific to large language model applications.
| Risk | Coverage | IntentGate mechanism |
|---|---|---|
| LLM01 Prompt Injection | Direct | Intent enforcement (-32011) |
| LLM02 Sensitive Information Disclosure | Direct | Bidirectional PII filtering (-32015) |
| LLM03 Supply Chain | Out of scope | Addressed by SCA tooling and signed-release attestation |
| LLM04 Data and Model Poisoning | Out of scope | Training-time concern, not runtime |
| LLM05 Improper Output Handling | Direct | Output schema validation (-32016) |
| LLM06 Excessive Agency | Direct | Capability tokens + policy engine destructive-verb deny-list (-32010 / -32012) |
| LLM07 System Prompt Leakage | Out of scope | Model-internal concern, not in-path |
| LLM08 Vector & Embedding Weaknesses | Direct | Tenant scope check (-32017) |
| LLM09 Misinformation | Partial | Memory provenance for verified high-stakes reads (-32014); factuality eval is a partner-product layer |
| LLM10 Unbounded Consumption | Direct | Budget tracking (-32013) |
OWASP Top 10 for Agentic AI Applications (2025)
Security risks specific to multi-step autonomous agent behaviour.
| Risk | Coverage | IntentGate mechanism |
|---|---|---|
| AGENT01 Agent Goal Hijack | Direct | Intent enforcement (-32011) |
| AGENT02 Tool Misuse & Exploitation | Direct | Capability tokens + policy engine (-32010 / -32012) |
| AGENT03 Identity & Privilege Abuse | Direct | Capability tokens with HMAC binding (-32010) |
| AGENT04 Agentic Supply Chain | Out of scope | Addressed by agent code review and orchestrator vendor due diligence |
| AGENT05 Code Execution (RCE) | Out of scope | Addressed by sandboxing of code-execution tools |
| AGENT06 Memory & Context Poisoning | Direct (opt-in) | Memory provenance (-32014) |
| AGENT07 Insecure Inter-Agent Communications | Direct | Capability attenuation across sub-agents |
| AGENT08 Cascading Failures | Direct | Per-tool circuit breaker + bulkhead isolation (-32018) |
| AGENT09 Human-Agent Trust Exploitation | Direct | Tenant scope check + step-up MFA workflows (-32017) |
| AGENT10 Rogue Agents | Direct | Capability tokens as registration; revocation list |
NIST AI Risk Management Framework (AI RMF 1.0)
Govern, Map, Measure, Manage — IntentGate implements technical controls under Manage, with audit-chain support for Measure.
- Manage (MG-2.1) — Runtime risk-response controls: capability tokens, intent enforcement, policy engine.
- Manage (MG-2.3) — Incident response: hash-chained audit log for forensic integrity.
- Measure (MS-2.6) — Computational efficiency and accuracy monitoring: budget tracking provides cost telemetry.
- Measure (MS-2.7) — Security & resilience: per-tool circuit breaker telemetry, fail-closed semantics.
MITRE ATLAS — Adversarial Threat Landscape for AI Systems
ATT&CK-style catalogue of tactics and techniques against AI. IntentGate addresses several runtime techniques.
- TA0043 Reconnaissance / T1591 Gather Victim Org Info — Intent enforcement refuses out-of-scope enumeration.
- T1660.001 Prompt Injection — Intent enforcement is the primary defence.
- T1657 Cost Harvesting — Budget tracking enforces fail-closed ceilings.
- Persistence via Memory Poisoning — Memory provenance (-32014) is the defence against this technique.
EU AI Act (Regulation 2024/1689)
High-risk AI systems must implement risk management, data governance, transparency, human oversight, accuracy / robustness / cybersecurity. IntentGate implements the cybersecurity and human-oversight technical surfaces for AI agents.
- Article 9 (Risk management) — Operational risk controls on agent actions.
- Article 14 (Human oversight) — Policy engine value thresholds enforce human-in-the-loop on high-stakes verbs.
- Article 15 (Accuracy, robustness, cybersecurity) — Capability tokens, intent enforcement, fail-closed semantics, tamper-evident audit chain.
- Article 12 (Record-keeping) — Hash-chained audit log provides per-tenant retention.
ISO/IEC 42001:2023 — AI management systems
Requirements for an organisation to establish, implement, maintain, and continually improve an AI management system. IntentGate provides the runtime technical controls referenced in several Annex A objectives.
- A.6.2.4 (AI system impact assessment) — Audit chain supports impact reconstruction.
- A.7.4 (Quality of data for AI systems) — Memory provenance verifies the origin of data read into the agent's context.
- A.8.4 (Communication of AI system operation) — SIEM forwarding for downstream visibility.
- A.9.2 (AI system objectives) — Intent enforcement aligns runtime behaviour with declared objectives.
SOC 2 / ISO 27001 / GDPR
The general security and privacy standards that apply to any system processing customer data. IntentGate's controls map to several common-control objectives.
- SOC 2 CC6 (Logical & physical access) — Capability tokens, tenant scope.
- SOC 2 CC7 (System operations) — Per-tool circuit breakers, audit chain.
- ISO 27001 A.9 (Access control) — Capability tokens, attenuation across sub-agents.
- ISO 27001 A.12 (Operations security) — Budget tracking, fail-closed semantics.
- GDPR Article 32 (Security of processing) — Bidirectional PII filtering with counts-only audit; tamper-evident audit chain.
- GDPR Article 25 (Data protection by design) — Counts-only audit pattern.
Summary tally
Across the combined OWASP Top 10 for LLM and OWASP Top 10 for Agentic AI (twenty risks total), IntentGate provides:
- Direct mitigation on 14 risks — LLM01, LLM02, LLM05, LLM06, LLM08, LLM10, AGENT01, AGENT02, AGENT03, AGENT06 (opt-in), AGENT07, AGENT08, AGENT09, AGENT10.
- Partial coverage on 1 risk — LLM09 (memory provenance addresses chain-of-custody; factuality assessment is a partner-product layer).
- Out of scope on 5 risks by deployment model — LLM03 supply chain, LLM04 model poisoning, LLM07 system prompt leakage, AGENT04 agentic supply chain, AGENT05 RCE.
Source documentation
The per-standard mappings are maintained in the IntentGate Vendor Security Pack and reviewed quarterly. Procurement teams that need formal evidence for an audit or RFP can request the latest signed version of the Vendor Security Pack by contacting IntentGate. The OWASP coverage page presents the same matrix for the OWASP-specific subset in a CISO-readable format.