Document version: 0.4.1 Agent Gate version: 0.4.1 (Phase 8A: Sub-agent Governance Clarity) Date: 2026-02-24 Status: Implementation mapping — this is NOT a certification or accreditation claim
This document maps Agent Gate's implemented capabilities to controls and requirements in established security, AI governance, and federal policy frameworks. The goal is transparency: showing which controls Agent Gate directly supports, which it partially addresses, and where gaps remain.
Agent Gate is an execution authority layer — it intercepts AI agent tool calls before execution and enforces policy-based authorization with vault-backed rollback and operational tempo controls. It does not replace a complete security program, identity management system, or organizational AI governance framework. It addresses a specific and critical gap: controlling what AI agents do before they do it, and how fast they do it.
For alignment with the Autonomous Action Runtime Management (AARM) specification, see AARM_Alignment.md.
SP 800-53 defines the security control catalog used across federal systems. Agent Gate maps to controls in several families. Each mapping references the specific implementation mechanism.
| Control | Title | Agent Gate Mapping | Status |
|---|---|---|---|
| AC-3 | Access Enforcement | Gate evaluates every tool call against policy before execution. The Gate.evaluate() method is the enforcement function — no tool call reaches execution without passing through it. Tiered classification (read-only, destructive, network, blocked, unclassified, rate-limited) implements differentiated access decisions. Rate limits and circuit breaker provide dynamic enforcement that adapts to operational context. |
✅ Implemented |
| AC-3(7) | Role-Based Access Control | Identity roles defined in policy YAML with per-role overrides for rate limits, gate behavior (action tier handling), and envelope restrictions. RBAC evaluation in both Python and OPA backends. Role resolved from environment or configuration at gate initialization. | ✅ Implemented |
| AC-3(8) | Revocation of Access Authorizations | Policy changes take effect on next gate initialization. There is no runtime revocation mechanism for in-flight sessions. | |
| AC-4 | Information Flow Enforcement | Envelope enforcement restricts which paths the agent can access. Denied paths (e.g., ~/.ssh/**, ~/.aws/**, /etc/**) define information flow boundaries. Symlink resolution prevents path traversal. |
✅ Implemented |
| AC-6 | Least Privilege | Default-deny posture for unclassified actions. The agent operates within a declared envelope — anything outside the envelope is denied. Network access requires explicit policy enablement or human escalation. | ✅ Implemented |
| AC-6(1) | Authorize Access to Security Functions | The vault directory is explicitly denied in the agent's envelope. The gate that enforces the envelope is the same gate that protects the vault — the agent cannot modify its own safety mechanisms. | ✅ Implemented |
| AC-6(9) | Log Use of Privileged Functions | All tool calls are logged to a structured JSONL audit log, including tool name, arguments, verdict, tier, reason, and timing. Destructive actions include vault snapshot paths. | ✅ Implemented |
| AC-6(10) | Prohibit Non-Privileged Users from Executing Privileged Functions | Blocked tier actions (rm -rf /, `curl |
bash, mkfs`) are unconditionally denied regardless of context. No policy override allows them — the pattern match is evaluated before any other logic. |
| Control | Title | Agent Gate Mapping | Status |
|---|---|---|---|
| AU-2 | Event Logging | All tool calls through the MCP proxy generate audit records. Allow, deny, escalate, and passthrough events are all logged. Proxy lifecycle events (startup, shutdown, error) are logged separately. | ✅ Implemented |
| AU-3 | Content of Audit Records | Each record contains: timestamp (ISO 8601), tool name, arguments, verdict, tier, reason, server name, session ID, message ID, vault path (if applicable), gate evaluation duration in milliseconds, policy_hash (SHA-256 of governing policy), rate_context (operational state snapshot on rate-limited decisions), agent_depth (sub-agent nesting level, when AGENT_GATE_DEPTH is set), parent_agent_id (parent session identifier, when AGENT_GATE_PARENT_SESSION is set), inherited_policy (bool indicating sub-agent context, when applicable). |
✅ Implemented |
| AU-3(1) | Additional Audit Information | Duration of gate evaluation is captured per record. Session IDs link records within a proxy lifecycle. Server names identify which MCP backend was being proxied. Agent hierarchy context (agent_depth, parent_agent_id, inherited_policy) is now capturable per audit record when operators configure AGENT_GATE_DEPTH and AGENT_GATE_PARENT_SESSION, enabling session-level multi-agent attribution. | ✅ Implemented |
| AU-8 | Time Stamps | Timestamps use datetime.now(timezone.utc).isoformat() — UTC with timezone designation. |
✅ Implemented |
| AU-9 | Protection of Audit Information | The audit log file resides in a configurable path (default: ~/.config/agent-gate/audit.jsonl). The vault directory — which is envelope-denied — protects vault manifests. However, the audit log file itself is not in the vault and could theoretically be modified by an agent with sufficient file system access. |
|
| AU-9(3) | Cryptographic Protection of Audit Information | SHA-256 hash chaining implemented. Each audit record includes prev_hash (hash of previous record) and record_hash (hash of current record content), creating a tamper-evident chain from a deterministic genesis value. verify_chain() walks the log and detects any modification, insertion, or deletion. Records also include policy_hash binding each decision to the governing policy version. Records are not yet signed with a cryptographic key. |
|
| AU-10 | Non-repudiation | Hash-chained audit records with policy hash binding AND identity binding (operator, agent_id, service_account, role on every record). Identity fields included in record hash, providing tamper evidence for identity claims. Still needs cryptographic signing for full non-repudiation. | |
| AU-11 | Audit Record Retention | Vault snapshots have configurable retention (max_snapshots_per_file, max_age_days). The audit log itself has no automated retention management. |
|
| AU-12 | Audit Generation | All gate decisions generate audit records automatically. MODIFY decisions produce combined records capturing both original and modified tool call parameters, the modification rule applied, and the reinvocation verdict. Records are generated at the enforcement point, not as a separate logging step. | ✅ Implemented |
| Control | Title | Agent Gate Mapping | Status |
|---|---|---|---|
| IA-2 | Identification and Authentication | Identity context resolved from environment/config at startup. Identity claims propagated through evaluation pipeline and bound to audit records. Not yet authenticated against external IdP. | |
| IA-4 | Identifier Management | Unique session_id auto-generated per gate/proxy lifecycle. operator, agent_id, and service_account identifiers configurable via environment or policy. |
| Control | Title | Agent Gate Mapping | Status |
|---|---|---|---|
| CP-9 | System Backup | Vault-backed rollback is the core safety mechanism. Every destructive action triggers a mandatory backup to the vault before the action proceeds. If the backup fails and policy specifies on_failure: deny, the destructive action is blocked. |
✅ Implemented |
| CP-9(1) | Testing for Reliability and Integrity | SHA-256 hashes are computed for every vault snapshot. The vault manifest (JSONL) records original path, vault path, timestamp, file size, and hash for each backup. Integrity can be verified by recomputing the hash. | ✅ Implemented |
| CP-9(8) | Cryptographic Protection of Backup Information | Vault snapshots are stored as plain copies with SHA-256 integrity hashes. Snapshots are not encrypted at rest. | |
| CP-10 | System Recovery and Reconstitution | The CLI (agent_gate.cli) provides list, history, restore, and diff commands for vault-based recovery. Restore is a file copy from the vault to the original location. Multiple snapshots of the same file provide point-in-time recovery options. |
✅ Implemented |
| Control | Title | Agent Gate Mapping | Status |
|---|---|---|---|
| CM-3 | Configuration Change Control | Every audit record includes policy_hash, a truncated SHA-256 hash of the governing policy bundle. This creates a cryptographic binding between each authorization decision and the exact policy version that produced it. Retroactive policy modifications cannot disguise the original authorization logic — the hash in historical records will not match the modified policy. MODIFY decisions include a full audit trail of original and modified parameters, proving exactly what change was applied and why. |
✅ Implemented |
| CM-7 | Least Functionality | Default-deny for unclassified actions means the agent can only execute commands explicitly classified in the policy. The policy defines the complete set of allowed functionality. | ✅ Implemented |
| CM-7(5) | Authorized Software — Allowlisting | Literal-only argument enforcement functions as a command allowlist. Shell expansion syntax ($VAR, $(cmd), backticks, globs) is rejected before classification — the gate defines what "clean" looks like and rejects anything else. |
✅ Implemented |
| Control | Title | Agent Gate Mapping | Status |
|---|---|---|---|
| SC-5 | Denial-of-Service Protection | Per-tool, per-tier, and global rate limits prevent agents from overwhelming target systems through rapid execution of allowed operations. Sliding window counters enforce configurable call rates (e.g., rm at 10/minute, global at 200/minute). Exponential backoff on repeated violations prevents tight retry loops from becoming a DoS vector. The circuit breaker trips to read-only mode when failure rates exceed thresholds, halting cascading failures. |
✅ Implemented |
| SC-7 | Boundary Protection | The MCP proxy is a protocol-level boundary enforcement point. All MCP communication between client and server transits the proxy — there is no bypass path. The proxy inspects tools/call messages and enforces policy at the protocol boundary. |
✅ Implemented |
| SC-7(5) | Deny by Default / Allow by Exception | Unclassified actions are denied by default. Network actions require explicit policy enablement. The agent must operate within declared boundaries, not outside them. | ✅ Implemented |
| Control | Title | Agent Gate Mapping | Status |
|---|---|---|---|
| SI-4 | System Monitoring | The audit log captures all tool calls with timing, verdicts, and tiers. Sub-millisecond evaluation timing is recorded for performance monitoring. The circuit breaker continuously monitors failure rates and slow call rates across a sliding window, automatically transitioning to protective states when thresholds are exceeded — this is automated system monitoring with automated response. | ✅ Implemented |
| SI-10 | Information Input Validation | Tool call arguments are validated for literal-only content before classification. The gate rejects shell expansion, variable references, command substitution, and glob patterns — ensuring the gate evaluates the same paths the shell would execute. Rate limit context is validated before each action (remaining budget, breaker state, backoff status). MODIFY operations rewrite non-compliant arguments to safe forms (permission clamping, flag stripping, flag injection, argument appending, depth limiting) rather than simply rejecting them. | ✅ Implemented |
| SI-17 | Fail-Safe Procedures | The three-state circuit breaker (CLOSED → OPEN → HALF_OPEN → CLOSED) implements fail-safe behavior. When failure rates exceed the configured threshold, the system transitions to a known-safe state (read-only mode) rather than continuing to operate in degraded conditions. HALF_OPEN probing enables automatic recovery without human intervention. If vault backup fails and policy specifies on_failure: deny, destructive actions fail safe to denial. |
✅ Implemented |
The AI RMF defines four functions: Govern, Map, Measure, and Manage. Agent Gate directly addresses subcategories within the Manage function, with supporting contributions to Govern and Measure.
| Subcategory | Description | Agent Gate Mapping | Status |
|---|---|---|---|
| GV-1.1 | Legal and regulatory requirements involving AI are understood, managed, and documented | Agent Gate's policy-as-code approach makes authorization rules explicit, version-controlled, and auditable. YAML and Rego policies serve as machine-readable documentation of what the agent is and is not authorized to do. | |
| GV-1.3 | Processes, procedures, and practices are in place to determine the needed level of risk management activities | Tiered classification (read-only → destructive → network → blocked) implements graduated risk management. The tier determines the gate response: auto-allow, vault-backup-then-allow, escalate, or hard-deny. | ✅ Implemented |
| GV-1.7 | Processes and procedures are in place for decommissioning and phasing out AI systems safely and in a manner that does not increase risk or decrease the organization's trustworthiness | Rate limiting and circuit breaker provide operational risk management during AI agent execution. Sliding window counters enforce tempo limits. The circuit breaker automatically constrains agent operations when failure rates indicate degraded conditions, preventing cascading failures without requiring manual intervention. | ✅ Implemented |
| Subcategory | Description | Agent Gate Mapping | Status |
|---|---|---|---|
| MP-2.3 | Scientific integrity and TEVV considerations are identified and documented | Agent Gate's test suite (444+ passing across twenty-four test suites) provides evidence of systematic verification. Known limitations are documented in the README and this compliance mapping. |
| Subcategory | Description | Agent Gate Mapping | Status |
|---|---|---|---|
| MS-2.5 | The AI system is evaluated regularly for safety risks | Sub-millisecond gate evaluation timing recorded in every audit record enables performance regression detection. The circuit breaker continuously evaluates safety risk through failure rate and slow call rate monitoring, automatically constraining agent operations when thresholds are exceeded. Rate-limited decisions include rate_context snapshots for forensic analysis. The OPA/Rego backend supports formal policy testing with opa test (including rate limit threshold tests). |
✅ Implemented |
| MS-2.6 | AI system performance or assurance criteria are measured qualitatively or quantitatively and demonstrated for conditions similar to deployment | Integration tests run against real MCP server implementations (12/12 passing against @modelcontextprotocol/server-filesystem). This tests the gate under conditions that match deployment. |
✅ Implemented |
| MS-4.1 | Measurement approaches for identifying AI risks are connected to deployment context and informed by domain knowledge | The policy definition encodes deployment context: allowed paths define the workspace, denied paths protect sensitive directories, and tier definitions reflect the risk profile of specific commands in the deployment environment. | ✅ Implemented |
| Subcategory | Description | Agent Gate Mapping | Status |
|---|---|---|---|
| MG-2.1 | Resources required to manage AI risks are taken into account | Agent Gate operates with zero additional infrastructure in its default configuration (Python backend, YAML policies). The OPA backend adds a single external dependency. This minimizes the resource burden of adding execution authority to an AI agent deployment. | ✅ Implemented |
| MG-2.2 | Mechanisms are in place to determine if AI system risks exceed organizational risk tolerance | Escalation verdict returns tool calls that exceed the policy envelope to human operators with structured denial feedback, including the specific reason for denial and what would be required to proceed. | ✅ Implemented |
| MG-2.4 | Mechanisms are in place and applied to sustain the value of deployed AI systems, including containment of impact | This is Agent Gate's core function. Vault-backed rollback contains the impact of destructive actions. Envelope enforcement contains the scope of agent operations. Default-deny contains the risk of unknown actions. Rate limiting and circuit breaker contain operational tempo, preventing runaway loops from overwhelming target systems. The gate ensures that even authorized destructive actions are recoverable and that agent operations stay within sustainable operational parameters. | ✅ Implemented |
| MG-3.1 | AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented | The MCP proxy operates transparently between client and server, monitoring all tool calls to third-party MCP servers. Every interaction is logged with the server name, enabling per-server risk analysis. | ✅ Implemented |
| MG-3.2 | Pre-trained models are monitored as part of AI system regular monitoring | Not applicable — Agent Gate operates at the tool execution layer, not the model layer. It does not monitor model weights, training data, or inference behavior. | — |
| MG-4.1 | Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and affected communities | The JSONL audit log provides a structured, machine-parseable record of every agent action and gate decision. This serves as the raw data for post-deployment monitoring and analysis. | ✅ Implemented |
ISO 42001 defines requirements for establishing and maintaining an AI management system. Agent Gate provides technical controls that support several clauses, but does not constitute an AIMS on its own.
| Clause | Requirement | Agent Gate Mapping | Status |
|---|---|---|---|
| 6.1.2 | AI risk assessment | Tiered classification is a risk assessment mechanism applied at the tool call level. Each action is assessed against policy and routed to the appropriate risk response. | |
| 6.1.3 | AI risk treatment | The six tiers (read-only, destructive, network, blocked, unclassified, rate-limited) define six risk treatment strategies: accept, mitigate-then-accept, escalate, avoid, escalate-with-default-deny, and tempo-constrain. Rate limiting adds a treatment strategy where actions are individually acceptable but collectively risky at high velocity. | |
| 8.4 | AI system impact assessment | Vault-backed rollback bounds the impact of destructive actions. The audit log provides evidence for impact assessment after incidents. | |
| 9.1 | Monitoring, measurement, analysis and evaluation | Audit logging with sub-millisecond timing and structured records supports monitoring and measurement requirements. | |
| A.6.2.6 | AI system operation and monitoring | The MCP proxy provides real-time operational monitoring of all agent-server interactions. The circuit breaker continuously monitors failure rates and slow call rates, automatically transitioning to protective states when operational parameters degrade. Rate-limited decisions include rate_context snapshots for operational analysis. Every audit record includes policy_hash for configuration traceability. |
✅ Implemented |
| A.10.3 | Sourcing of data | Not applicable — Agent Gate does not manage training data or data sourcing. | — |
M-24-10 establishes requirements for federal agencies deploying AI. Agent Gate addresses several of the technical requirements for "safety-impacting" and "rights-impacting" AI systems.
| M-24-10 Requirement | Agent Gate Mapping | Status |
|---|---|---|
| §5(c)(i)(A) — Complete an AI impact assessment before deployment | Tiered classification and the policy definition process function as a structured impact assessment at the tool call level — defining what the agent can do, what requires backup, and what is prohibited. | |
| §5(c)(i)(B) — Conduct testing prior to deployment and on a regular basis | 444+ tests across twenty-four suites, including integration tests against real MCP servers. OPA backend has formal Rego policy tests including rate limit threshold tests. Test infrastructure is included in the repository for ongoing testing. | ✅ Implemented |
| §5(c)(i)(D) — Independently evaluate the AI before deployment | Agent Gate's enforcement is deterministic and fully testable. Policy evaluation can be independently verified by providing a tool call and confirming the expected verdict — no model inference or non-deterministic behavior is involved. | ✅ Implemented |
| §5(c)(ii)(A) — Implement adequate human oversight | Escalation verdict routes actions that exceed the policy envelope to human operators. Network actions default to escalation. Unclassified actions default to denial with instructions for human review. | ✅ Implemented |
| §5(c)(ii)(B) — Halt AI operations in cases of imminent risk | Blocked tier actions are unconditionally denied. If the vault backup fails and policy specifies on_failure: deny, the destructive action is halted. The circuit breaker automatically halts non-read operations when failure rates exceed configurable thresholds, transitioning the agent to read-only mode. All halt mechanisms are deterministic — no confidence threshold or model judgment is involved. |
✅ Implemented |
| §5(c)(iv) — Maintain appropriate human oversight for consequential decisions | Agent Gate does not replace human oversight — it enforces boundaries within which the agent operates autonomously and escalates decisions that exceed those boundaries. The policy definition itself is the human oversight artifact: a human defines the authority envelope before the agent operates. | ✅ Implemented |
| Framework | Controls Mapped | ✅ Implemented | ❌ Gap | |
|---|---|---|---|---|
| SP 800-53 | 32 controls | 24 | 8 | 0 |
| AI RMF | 12 subcategories | 9 | 2 | 1 (n/a) |
| ISO 42001 | 6 clauses | 1 | 4 | 1 (n/a) |
| OMB M-24-10 | 5 requirements | 4 | 1 | 0 |
- AC-3 (Access Enforcement) — Agent Gate's core function is access enforcement at the tool execution boundary, now including dynamic enforcement via rate limits and circuit breaker.
- CP-9 (System Backup) — Vault-backed rollback is a direct, working implementation of pre-destruction backup.
- SC-5 (Denial-of-Service Protection) — Per-tool, per-tier, and global rate limits with circuit breaker prevent agents from overwhelming target systems. Exponential backoff prevents retry loops.
- SI-17 (Fail-Safe Procedures) — Three-state circuit breaker transitions to known-safe state (read-only) when failure rates exceed thresholds. Automatic recovery via HALF_OPEN probing.
- CM-3 (Configuration Change Control) —
policy_hashon every audit record creates cryptographic binding between decisions and governing policy versions. - AC-3(7) (Role-Based Access Control) — Identity roles with per-role policy overrides for rate limits, gate behavior, and envelope restrictions. RBAC in both Python and OPA backends.
- MG-2.4 (Containment of Impact) — Envelope enforcement, vault backup, rate limiting, circuit breaker, and default-deny collectively bound the impact of agent operations.
- M-24-10 §5(c)(ii)(B) (Halt Operations) — Deterministic blocking of prohibited actions and automatic circuit breaker tripping with no model-in-the-loop uncertainty.
- AU-9(3) (Cryptographic audit protection) — Was ❌ Gap, now
⚠️ Partial. SHA-256 hash chaining implemented withprev_hash/record_hashandverify_chain(). Policy hash binding on every record. Remaining gap: records are not signed with a cryptographic key. - AU-10 (Non-repudiation) — Was ❌ Gap, now
⚠️ Partial. Hash-chained records with policy hash binding provide integrity evidence. Remaining gap: no digital signature binding decisions to identity.
- No ❌ gaps remaining in SP 800-53 mapping. All previously identified gaps have been closed or narrowed to partial.
- AU-10 (Non-repudiation, full) — Hash chaining with identity binding proves integrity and associates decisions with identity claims, but records are not digitally signed. Full non-repudiation requires cryptographic signing with identity-bound keys.
- IA-2 / IA-4 (Identification) — Identity claims are environment/config-based, not authenticated against external IdP.
- AC-3(7) (Role-based access control) — Was ❌ Gap, now ✅ Implemented. Identity roles with per-role overrides for rate limits, gate behavior, and envelope. RBAC in Python and OPA backends.
- AU-10 (Non-repudiation) — Improved from
⚠️ Partial to⚠️ Improved. Identity fields (operator, agent_id, service_account, role) now included in every audit record and in the record hash.
- AU-9(3) — Hash chaining detects tampering, but records are not encrypted at rest or signed. An attacker with file system access can detect that records were modified but could still replace the entire log.
- MS-2.5 — Moved from
⚠️ Supportive to ✅ Implemented. Circuit breaker provides continuous safety risk evaluation during execution, not just post-hoc analysis.
The AARM Alignment Assessment covers Agent Gate's mapping to the Autonomous Action Runtime Management specification, which defines requirements specific to AI agent runtime security. The rate limiting and circuit breaker implementation advanced AARM alignment on four requirements (R2, R3, R5, R8). AARM and the frameworks in this document are complementary: AARM addresses what an AI agent runtime security system must do, while SP 800-53, AI RMF, ISO 42001, and M-24-10 address how security and governance systems are evaluated in federal and enterprise contexts.
Phase 8A confirmed that Agent Gate's enforcement propagates to sub-agents automatically and added documentation, optional audit hierarchy fields, and a CLI tree command.
Controls updated:
- AU-3 — Field list expanded: agent_depth, parent_agent_id, inherited_policy added as optional fields populated from operator-configured environment variables.
- AU-3(1) — Agent hierarchy context now capturable per record for multi-agent session attribution.
Test count: 428+ → 444+ (7 new audit hierarchy tests, 9 new CLI tree tests).
Net effect: SP 800-53 controls mapped: 32 (24 implemented, 8 partial/supportive, 0 gaps). No status symbols changed. Phase 8A additions are incremental evidence within existing control mappings.
Phase 7 implementation added MODIFY verdict support:
New controls mapped:
- AU-12 (Audit Generation) — Combined audit records for MODIFY decisions capturing original + modified parameters ✅
Controls upgraded:
- CM-3 — MODIFY audit trail adds change control evidence for parameter rewriting
- SI-10 — Argument rewriting via modify operations extends input validation beyond rejection to correction
Net effect: SP 800-53 controls mapped: 32 (24 implemented, 8 partial/supportive, 0 gaps).
Phase 6 implementation closed the last remaining SP 800-53 gap:
Gaps closed:
- AC-3(7) (RBAC) — ❌ → ✅ Role-based access control with per-role policy overrides
Controls upgraded:
- AU-10 —
⚠️ →⚠️ Improved Identity binding in audit records provides stronger non-repudiation evidence
New controls mapped:
- IA-2 (Identification and Authentication) — Identity context resolved from environment/config
⚠️ - IA-4 (Identifier Management) — Session, operator, agent, and service identifiers managed
⚠️
Net effect: SP 800-53 gaps reduced from 1 to 0. Total controls mapped: 31 (23 implemented, 8 partial/supportive, 0 gaps).
Phase 5 implementation expanded compliance coverage significantly:
New controls mapped:
- CM-3 (Configuration Change Control) —
policy_hashon every audit record ✅ - SC-5 (Denial-of-Service Protection) — Per-tool, per-tier, global rate limits with circuit breaker ✅
- SI-17 (Fail-Safe Procedures) — Three-state circuit breaker with automatic recovery ✅
- GV-1.7 (Operational Risk Management) — Rate limiting and circuit breaker as operational controls ✅
Controls upgraded:
- AU-9(3) — ❌ →
⚠️ Hash chaining implemented - AU-10 — ❌ →
⚠️ Policy hash provides partial non-repudiation - MS-2.5 —
⚠️ → ✅ Circuit breaker provides continuous safety evaluation - A.6.2.6 —
⚠️ → ✅ Circuit breaker and rate context provide operational monitoring
Net effect: SP 800-53 gaps reduced from 2 to 1. Total implemented controls increased from 14 to 22 (across 29 controls, up from 20).
Baseline compliance mapping. 20 SP 800-53 controls, 10 AI RMF subcategories, 6 ISO 42001 clauses, 5 M-24-10 requirements.
- NIST SP 800-53 Rev. 5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- NIST AI Risk Management Framework 1.0: https://www.nist.gov/itl/ai-risk-management-framework
- ISO/IEC 42001:2023: https://www.iso.org/standard/81230.html
- OMB Memorandum M-24-10: https://www.whitehouse.gov/wp-content/uploads/2024/03/M-24-10-Advancing-Governance-Innovation-and-Risk-Management-for-Agency-Use-of-Artificial-Intelligence.pdf
- Agent Gate repository: https://github.com/SeanFDZ/agent-gate