Agentic Standards Crosswalk
What this is. The standards crosswalk is the reviewer-facing evidence map for SecurityRecipes. It answers which current agentic AI standards and guidance are tracked, which SecurityRecipes capability covers each control, and which generated JSON or MCP tool proves it.
SecurityRecipes is positioned as the secure context layer for agentic AI. That claim needs more than a strong homepage. Enterprise reviewers, AI platform teams, and reviewers will ask whether the project tracks the current external control language: OWASP Agentic Top 10, CSA AI Controls Matrix, NIST agent standards work, MCP authorization, critical-infrastructure AI review expectations, prompt-injection defenses, evals, context provenance, telemetry, and runtime evidence.
The Agentic Standards Crosswalk turns those references into a generated artifact:
- Standards and source anchors from OWASP, NIST, CSA, MCP, OpenAI, and Anthropic.
- Control mappings for goal hijack, tool misuse, identity abuse, supply-chain risk, unexpected code execution, memory/context poisoning, inter-agent communication, cascading failures, human-agent trust exploitation, rogue agents, MCP token safety, scope minimization, sandboxing, AI governance, shared responsibility, telemetry/SOC readiness, critical-infrastructure readiness, and secure prompt-injection defenses.
- Capability mappings to the Secure Context Trust Pack, Context Poisoning Guard, MCP Gateway Policy, MCP Authorization Conformance, Agent Identity Ledger, Run Receipts, Red-Team Drills, Measurement Probes, Readiness Scorecard, Agentic System BOM, and related packs.
- MCP tool exposure through
recipes_agentic_standards_crosswalk.
Generated artifact
- Source model:
data/assurance/agentic-standards-crosswalk.json - Generator:
- Evidence pack:
data/evidence/agentic-standards-crosswalk.json - MCP tool:
recipes_agentic_standards_crosswalk
Regenerate and validate the pack:
Why this matters
The most valuable version of SecurityRecipes is not a static prompt library. It is a standards-aware secure context control plane that can answer a reviewer’s first hard questions:
| reviewer question | Crosswalk answer |
|---|---|
| Which agentic risks are covered? | OWASP Agentic Top 10 controls map to generated capabilities and MCP tools. |
| Which MCP authorization requirements matter? | Resource binding, audience validation, token-passthrough denial, PKCE, scope minimization, and local-server sandboxing map to concrete packs. |
| How does this map to enterprise AI control frameworks? | CSA AI Controls Matrix-style governance, data lifecycle, access, monitoring, supply-chain, and resilience controls map to generated evidence. |
| How does this track NIST agent and GenAI guidance? | Identity, protocols, security evaluations, governance, access constraints, monitoring, data provenance, and lifecycle risk map to evidence artifacts. |
| How are prompt-injection defenses made operational? | Context poisoning scans, egress decisions, handoff boundaries, sandboxed tool use, red-team replay, and readiness checks are linked to frontier-lab guidance. |
| What changes for high-impact deployments? | Critical-infrastructure readiness maps fail-safe action boundaries, operational monitoring, incident response, and lifecycle change control to MCP-readable evidence. |
| What should a diligence team inspect first? | The generated crosswalk returns standards, controls, sources, evidence paths, MCP tools, and vendorization hooks in one packet. |
Core mappings
| Standard area | SecurityRecipes evidence |
|---|---|
| OWASP Agentic Top 10 | Context Poisoning Guard, Secure Context Evals, MCP Gateway Policy, Authorization Conformance, Identity Ledger, Skill Supply Chain, Handoff Boundary, Readiness Scorecard |
| MCP Authorization and Security | MCP Authorization Conformance, MCP Gateway Policy, Connector Intake, Connector Trust, STDIO Launch Boundary, Context Egress Boundary |
| CSA AI Controls Matrix | Agentic Assurance Pack, Enterprise Trust Center Export, Secure Context Trust Pack, Entitlement Review, Telemetry Contract, SOC Detection Pack |
| NIST agent and GenAI risk guidance | Agent Identity Ledger, Agentic System BOM, Agentic Assurance Pack, Measurement Probes, Red-Team Drills, Enterprise Trust Center Export |
| NIST critical-infrastructure AI readiness | Catastrophic Risk Annex, Action Runtime Pack, Approval Receipts, Telemetry Contract, SOC Detection Pack, Incident Response Pack |
| Frontier-lab prompt-injection defenses | Context Poisoning Guard, Context Egress Boundary, Run Receipts, Handoff Boundary, Action Runtime Pack, Telemetry Contract, Red-Team Drills, Readiness Scorecard |
MCP examples
Get the crosswalk summary:
{}
Get one standard:
{
"standard_id": "owasp-agentic-top-10-2026"
}
Get one control:
{
"control_id": "ASI06"
}
Get every standard control mapped to a capability:
{
"capability_id": "context-poisoning-guard-pack"
}
Get a source anchor:
{
"source_id": "mcp-authorization-2025-11-25"
}
Source anchors
Review and regenerate the crosswalk when these sources change:
- OWASP Top 10 for Agentic Applications 2026
- OWASP Agentic AI Threats and Mitigations
- OWASP Securing Agentic Applications Guide 1.0
- OWASP GenAI Exploit Round-up Report Q1 2026
- NIST AI Agent Standards Initiative
- NIST CAISI RFI on Securing AI Agent Systems
- NIST AI RMF
- NIST AI RMF Generative AI Profile
- CSA AI Controls Matrix
- MCP Authorization Specification
- MCP Security Best Practices
- OpenAI prompt-injection guidance
- OpenAI guidance on designing agents to resist prompt injection
- OpenAI Agents SDK guardrails
- Anthropic prompt-injection defenses for browser use