v0.7.0 — Playbook 20: AI IR Maturity Roadmap (Operating View)

PB20 ships the operating view of the AI IR Maturity Roadmap.

v0.6.2 — Structural Reviewed

Documentation accuracy and navigation polish. No framework substance changes.

v0.6.1 — Documentation Reviewed

Accuracy and OSS convention round. No framework substance changes.

v0.6.0 — Measurement Release

Measurement Release Playbook

v0.5.0 — Playbook 24: Board-Ready Scorecard (Executive Layer)

v0.5.0 — Playbook 24: Board-Ready Scorecard (Executive Layer)

Milestone release. The framework now ships its first executive-layer artifact. Where v0.2.0–v0.4.0 shipped the technical IR lifecycle (proactive · reactive · post-incident), v0.5.0 translates that machinery into board-verifiable posture — closing the gap between what CISOs know and what their boards can ask, audit, and defend.

What's new

• playbooks/24-board-ready-scorecard.md (18.3KB · 2,489 words · ~9 min read) — The executive-layer playbook. Introduces a four-domain AI IR scorecard (Containment · Evidence · Governance · Recovery), a 10-item checklist matching Issue #24's structure, a GREEN/AMBER/RED rating rubric, an Executive Incident Snapshot template, a quarterly cadence as governance engine, and the "documentation-ready vs board-ready" distinction.

• README reading order #9 — Playbooks — Now lists all FOUR playbooks (PB01 + PB04 + PB18 + PB24).

Playbook 24 — sections shipped (CONTRIBUTING template compliant)

• Premise — The disconnect between technical IR machinery and executive language; the five enduring board questions that have not changed in twenty years
• First-Hour Actions — The 60-minute Executive Incident Snapshot delivery (baseline pull → GREEN/AMBER/RED rating per domain → top-two-risks identification → snapshot send to board chair + CISO + Counsel + Comms)
• Containment Options — Domain A scorecard items (A1 read-only mode · A2 approvals mode · A3 emergency stoppage), each mapped to Kill-Switch Modes M1/M2/M4 with the GREEN-AMBER-RED test
• Evidence Priorities — Domain B scorecard items (B1 60-minute export SLA · B2 chain-of-custody · B3 action-sequence reconstruction), each mapped to Evidence Set A–F types
• Recovery Sequence — Domain D scorecard items (D1 staged re-enable · D2 recurrence-containment validation), with the Playbook 18 replay test as the acceptance gate
• Post-Incident Hardening — Domain C governance items (C1 tiered permissions · C2 dynamic write-target limits) AND the Quarterly Cadence as Hardening model:
  • Top 3–5 production agents scored quarterly
  • Top two gaps per agent identified
  • One gap closed per quarter (commitment, with owners + deadlines)
  • Board-meeting risk-committee integration
  • Annual maturity-roadmap aggregation
• The Executive Incident Snapshot Template — A one-page board-ready format covering Top agents in scope · Containment readiness · Evidence readiness · Governance boundaries · Recovery readiness · Top two risks (plain language) · Quarterly improvements shipped · Next quarter commitments
• Common Pitfalls — 10 highest-frequency failure modes (jargon briefings · documentation confused with capability · opinion scoring · annual-only reviews · no gap-closure commitment · aggregated single-score posture hiding agents · technical risk language · vague improvement bullets · security theater · no risk-committee tie)
• Key Metrics for Board-Ready Posture — Three measurable floors (TT-read-only < 10 min · TT-evidence-export < 60 min · output-distribution clarity)
• Related — 13 framework cross-references
• The Question to Carry Forward — "If your most advanced AI agent caused harm for 30 minutes, could you demonstrate to leadership today — using concrete evidence rather than opinion — how you would stop it, verify what occurred, define the scope, and restore operations safely?"

Scoring rubric

For each agent, count gaps across the 10 scorecard items:

  0–3 gaps  →  Strong baseline      "Capabilities are operational and tested"
  4–6 gaps  →  Exposed               "Documented procedures, unverified capabilities"
  7+ gaps   →  Urgent remediation    "Operating without board-ready IR posture"

The scoring is deliberately blunt. Boards do not need nuance; they need can-we-or-can't-we.

Crosswalk coverage

Playbook 24 supports the following industry-standard subcategories (11 IDs, all spec-verified):

• NIST AI RMF 1.0: GOVERN 1.4 (continuous improvement), GOVERN 1.6 (AI inventory mechanisms), GOVERN 3.2 (human-AI roles), MANAGE 4.2 (continual improvements)
• NIST CSF 2.0: GV.OV-01 (strategy outcomes reviewed), GV.OV-02 (strategy adjusted to coverage), GV.RR-02 (roles/responsibilities), ID.IM-01 (improvements from evaluations), RC.CO-03 (recovery communication)
• OWASP Agentic Top 10 2026: ASI03 Identity & Privilege Abuse (governance dimension), ASI09 Human-Agent Trust Exploitation (board trust dimension)

Forward-reference closure

Playbook 24 closes both load-bearing multi-file forward references that have existed since v0.1.0:

• ✅ framework/01-minimum-viable-overlay.md → playbook-24 (Board-Ready Scorecard for conformance documentation)
• ✅ framework/03-maturity-roadmap.md → playbook-24 (Board-Ready Scorecard for maturity-level board questions)

What the framework now spans

            ┌─────────────────────────────┐
            │  PB 04 (Proactive)           │  Design BEFORE  →  v0.3.0
            │  Tool Design Is Containment  │
            └──────────────▲───────────────┘
                           │
            ┌─────────────────────────────┐
            │  PB 01 (Reactive)            │  Respond DURING  →  v0.2.0
            │  Agent Is Privileged Identity│
            └──────────────▲───────────────┘
                           │
            ┌─────────────────────────────┐
            │  PB 18 (Post-Incident)       │  Harden AFTER  →  v0.4.0
            │  Post-Incident Hardening     │
            └──────────────▲───────────────┘
                           │
            ┌─────────────────────────────┐
            │  PB 24 (Executive Layer)     │  Translate to BOARD  →  v0.5.0  🆕
            │  Board-Ready Scorecard       │
            └─────────────────────────────┘

A CISO can now download v0.5.0.zip and present a defensible quarterly AI IR posture briefing to their board within the hour — using the 4-domain scorecard, the 10-item checklist, the GREEN/AMBER/RED rating, and the Executive Incident Snapshot template. The framework is now citable in academic, regulatory, AND boardroom contexts.

What did NOT change

• The four MVO controls
• The Six Triage Questions
• The Kill-Switch Modes M0–M5
• The Minimum Evidence Set A–F
• The four-level Maturity Model
• All 3 crosswalks (NIST AI RMF + NIST CSF 2.0 + OWASP Agentic)
• All templates (AI-BOM, Privilege Matrix)
• All 4 OSS-convention files
• All 5 .github/ templates
• Apache 2.0 + Trademark Notice in LICENSE
• Playbook 01 (byte-identical to v0.2.0)
• Playbook 04 (byte-identical to v0.3.0)
• Playbook 18 (byte-identical to v0.4.0)
• Branch protection on main (enforced from v0.2.0 onward)
• 100/100 GitHub Community Standards

CITATION.cff

• Top-level version: "0.5.0"
• preferred-citation.version: "0.5.0"
• date-released: "2026-06-20"

Cite this release

Ideji, J. (2026). The AI IR Overlay Framework (v0.5.0). https://github.com/jacobideji/aiiroverlay

Forward references — remaining playbook roadmap

After v0.5.0, 7 playbooks remain, all single-file forward references. Suggested sequence (per the roadmap):

• v0.6.0 — playbook-03 RAG / Knowledge-Base Forensics (closes Evidence Type C gap)
• v0.7.0 — playbook-13 Six Metrics (operational measurement; naming continuity with Six Questions and Six Modes)
• v0.8.0 — playbook-14 Testing for Agent Failure Modes (tabletop / drill content; bridges PB04 to practice)
• v0.9.0 — playbook-12 Insider Threat 3.0 (different threat-model angle)
• v0.10.0 — playbook-15 Records, Retention, and Proving What Happened (regulator-facing depth)
• v0.11.0 — playbook-20 Operating Cadence (Maturity Level 3–4 transitional)
• v0.12.0 — playbook-23 Multi-Stakeholder Logging and Privacy (privacy/legal complement)
• v1.0.0 — Framework complete (11 playbooks · 3 crosswalks · all forward references resolved)

Acknowledgments

The thesis behind this playbook — that AI risk only becomes governance when measured, tracked, and reported with the same discipline organizations bring to financial controls — comes from Issue #24 of the AI IR Overlay LinkedIn newsletter. v0.5.0 makes that discipline enforceable through the four-domain scorecard, the quarterly cadence as governance engine, and the documentation-ready-versus-board-ready test.

The framework now has the complete cross-layer coverage to claim:

Any AI incident can be prepared for (PB04), responded to (PB01), closed defensively (PB18), and reported credibly to leadership (PB24) — using framework artifacts that exist in the repository, with industry-standard citations and measurable acceptance criteria at every stage.

v0.4.0 — Playbook 18: Post-Incident Hardening (IR Arc Complete)

v0.4.0 — Playbook 18: Post-Incident Hardening (IR Arc Complete)

Milestone release. With Playbook 18, the AI IR Overlay framework now ships the complete incident-response temporal arc — preparation, response, AND closure — as three sequenced, executable playbooks. The framework moves from "comprehensive reference + execution-ready runbook" to a closed-loop operational system.

What's new

• playbooks/18-post-incident-hardening.md (18.7KB · 2,561 words · ~10 min read) — The closure playbook. Converts incident lessons into permanent guardrails within a five-business-day SLA. Operationalizes the Tiered Hardening Framework across four boundary categories (Tool · Retrieval · Evidence · Human) and introduces the B/E/R/V classification (Blast radius · Evidence · Recurrence · Validation) for the post-incident Fix List.

• README reading order #9 — Playbooks — Now lists all THREE playbooks (PB01 + PB04 + PB18) with descriptive one-liners.

Playbook 18 — sections shipped (CONTRIBUTING template compliant)

• Premise — Why prompt-only hardening fails; the 5-business-day SLA; Mental Model clause "if it can change, manage it as software"
• First-Hour Actions — The 60-minute Fix List build (open → classify B/E/R/V → select 3-5 → assign owner + deadline + acceptance criteria)
• Containment Options — The hardening dividend per Kill-Switch Mode (each mode becomes faster, more surgical, more reliable after hardening)
• Evidence Priorities — How hardening shapes future evidence captures (target: 45-minute export, 25% faster than baseline) + retrieval-specific hardening (the gap that surprises most teams)
• Recovery Sequence — Hardening as the M5 → M0 validation gate; the replay test as the acceptance criterion
• Post-Incident Hardening — The Tiered Hardening Framework across four boundaries:
  • Tool Controls (Containment) — tiering, approvals, allowlists, caps, reversibility
  • Retrieval Controls (Provenance) — dominance alerting (>40% threshold), corpus isolation, KB-as-production
  • Evidence Controls (Provability) — structured logging, versioning, export procedure testing
  • Human Controls (Training) — micro drills (TTSM, TTE), templates, decision logging
  • What does NOT count as hardening — prompt-only changes, vendor tickets, untemplated tabletops
• Common Pitfalls — 10 highest-frequency failure modes (quick-fix dependence · prompt-only changes · no SLA · owner-as-agent-owner · fix list >5 items · no measurable acceptance · no replay test · retrieval boundary skipped · evidence gaps unaddressed · no metric tracking)
• Iterating the Hardening Practice — quarterly metric review for Maturity Level 4 (Resilient): on-time shipping rate · efficacy under subsequent incidents · zero-hardening incident count · TTSM and TTE trend
• Related — 12 framework cross-references
• The Question to Carry Forward — "Would a recurrence of the triggering prompt be contained by the controls you shipped in the five business days after the incident?"

Crosswalk coverage

Playbook 18 supports the following industry-standard subcategories — referenced citation chain:

• NIST AI RMF 1.0: MANAGE 4.2 (continual improvements), MANAGE 4.3 (incidents/errors communicated; processes followed and documented)
• NIST CSF 2.0: ID.IM-01 (improvements from evaluations), ID.IM-02 (improvements from tests and exercises), RC.RP-04 (post-incident operational norms), RC.CO-03 (recovery communication), GV.OV-01 (strategy outcomes reviewed)
• OWASP Agentic Top 10 2026: ASI02 Tool Misuse & Exploitation (addressed via tool hardening), ASI06 Memory & Context Poisoning (addressed via retrieval hardening), ASI08 Cascading Failures (addressed via the improvement loop)

The IR Temporal Arc is now COMPLETE

            ┌──────────────────────────────┐
            │  PB 04 (Proactive)            │  Design tools BEFORE  →  v0.3.0
            │  Tool Design Is Containment   │
            └──────────────▲────────────────┘
                           │ informs
            ┌──────────────────────────────┐
            │  PB 01 (Reactive)             │  Respond DURING  →  v0.2.0
            │  Agent Is Privileged Identity │
            └──────────────▲────────────────┘
                           │ produces lessons for
            ┌──────────────────────────────┐
            │  PB 18 (Post-Incident)        │  Harden AFTER  →  v0.4.0
            │  Post-Incident Hardening      │
            └──────────────────────────────┘
                           │ feeds back into
                          ▼
                      [Next PB 04 cycle]

A reader downloading v0.4.0.zip gets — for the first time — the complete closed-loop incident-response system for AI agents. Each playbook references the others; the arc reinforces itself.

What did NOT change

• The four MVO controls
• The Six Triage Questions
• The Kill-Switch Modes M0–M5
• The Minimum Evidence Set A–F
• The four-level Maturity Model
• All 3 crosswalks (NIST AI RMF + NIST CSF 2.0 + OWASP Agentic)
• All templates (AI-BOM, Privilege Matrix)
• All 4 OSS-convention files
• All 5 .github/ templates
• Apache 2.0 + Trademark Notice in LICENSE
• Playbook 01 (byte-identical to v0.2.0)
• Playbook 04 (byte-identical to v0.3.0)
• Branch protection on main (enforced from v0.2.0 onward)
• 100/100 GitHub Community Standards

CITATION.cff

• Top-level version: "0.4.0"
• preferred-citation.version: "0.4.0"
• date-released: "2026-06-19"

Cite this release

Ideji, J. (2026). The AI IR Overlay Framework (v0.4.0). https://github.com/jacobideji/aiiroverlay

Forward references — playbook roadmap

Remaining load-bearing forward references:

• playbook-24 Board-Ready Scorecard — v0.5.0 candidate (referenced from framework/01-minimum-viable-overlay.md + framework/03-maturity-roadmap.md). Translates the framework's operational state into board-level posture reporting.

Single-reference forward refs (lower priority but available): playbook-03 (RAG Forensics), playbook-12 (Insider Threat 3.0), playbook-13 (Six Metrics), playbook-14 (Testing for Agent Failure Modes), playbook-15 (Records and Retention), playbook-20 (Operating Cadence), playbook-23 (Multi-Stakeholder Logging).

Acknowledgments

The "transforming lessons learned into guardrails" thesis — that post-incident hardening is the difference between incidents that recur and incidents that strengthen the system — comes from Issue #18 of the AI IR Overlay LinkedIn newsletter. v0.4.0 makes that thesis enforceable through the five-business-day SLA, the Tiered Hardening Framework, and the recurrence-containment acceptance test.

The framework now has the complete temporal coverage to claim:

Any AI incident can be prepared for (PB04), responded to (PB01), and closed defensively (PB18) — using framework artifacts that exist in the repository, with industry-standard citations and measurable acceptance criteria at every stage.

v0.3.0 — Playbook 04: Tool Design Is Containment

v0.3.0 — Playbook 04: Tool Design Is Containment

The second practitioner playbook ships in this release — the pre-incident preparation playbook that pairs with the Agent Privilege Matrix template shipped in v0.1.0. Per the framework's release model, every playbook is its own MINOR release; v0.3.0 captures Playbook 04.

What's new

• playbooks/04-tool-design-is-containment.md (15.5KB · 2,298 words · ~9 min read) — Pre-incident playbook for designing the agent tool layer as a containment boundary. Operationalizes the Tier 0 / Tier 1 / Tier 2 model, the five per-tool controls (what / where / how-much / irreversibility / accountability), the 60-minute first-hour drill, and the tier-ordered Recovery Sequence.

• README reading order #9 — Playbooks — Now lists both PB01 and PB04 with one-line descriptions.

Why Playbook 04 closes a critical gap

The Agent Privilege Matrix template (templates/agent-privilege-matrix.csv) shipped in v0.1.0 and was the artifact M3 Tool Tiering depends on. But until v0.3.0, the template had no companion playbook. A reader picking up the framework today saw:

• A CSV template with columns like risk_tier, approval_required, reversible
• A README explaining the columns
• Forward references to playbook-04 that pointed at nothing

v0.3.0 closes that gap. Playbook 04 is the operational guide for using the matrix — the thing that converts "I downloaded the template" into "my highest-risk agent has its tools tiered with one upgrade shipped this week."

Playbook 04 — sections shipped (CONTRIBUTING template compliant)

• Premise — Why tool design IS containment, and why this work is done on a quiet Tuesday rather than under incident pressure
• First-Hour Actions — The 60-minute drill on one production agent (pick → audit → tier → identify top risk → ship one upgrade)
• Containment Options — The Tool-Tiering Model (T0/T1/T2 with examples) + the Five Controls (what / where / how-much / irreversibility / accountability)
• Evidence Priorities — How tool-design choices shape the Minimum Evidence Set Type B (Tool-Call Ledger) and Type F (SaaS audit correlation)
• Recovery Sequence — Tier-ordered re-enablement (T0 → T1 with tightened caps → T2 one tool at a time with approvals → baseline)
• Post-Incident Hardening — 9-action checklist that converts incident lessons into code changes (split god tools, add allowlists, tighten caps, add diff previews, instrument structured logging)
• Common Pitfalls — 10 highest-frequency failure modes (God Tools · no read/write split · T2 defaulted to no-approval · allowlist as comment not code · no diff preview · cap counts requests not blast radius · success-only logging · tools not in AI-BOM · T2 without approver identity contract · DRY-reusing tool definitions across agents with different risk profiles)
• Related — 11 framework cross-references

Crosswalk coverage

Playbook 04 supports the following industry-standard subcategories — referenced citation chain:

• NIST AI RMF 1.0: MAP 4.1, MANAGE 1.3, MANAGE 2.4
• NIST CSF 2.0: ID.AM-05 (asset prioritization), PR.AA-05 (access permissions with least privilege), RS.MI-01 (incidents contained)
• OWASP Agentic Top 10 2026: ASI02 Tool Misuse & Exploitation (direct), ASI03 Identity & Privilege Abuse, ASI05 Unexpected Code Execution

What this unlocks

The framework now spans the complete temporal arc for the privileged-identity-class scenario:

PB 04 (Proactive)      →  Design tools BEFORE the incident
       ↓
PB 01 (Reactive)       →  Respond when the incident happens
       ↓
[PB 18 forthcoming]    →  Harden AFTER the incident (v0.4.0 candidate)
       ↓
[PB 24 forthcoming]    →  Report to the board (v0.5.0 candidate)

A reader who downloads v0.3.0.zip gets — for the first time — both the pre-incident preparation playbook AND the incident response playbook. The framework is now executable on both sides of the incident timeline.

What did NOT change

• The four MVO controls (Inventory, Safe Modes, Minimum Evidence Set, Controlled Re-Enable)
• The Six Triage Questions
• The Kill-Switch Modes M0–M5
• The Minimum Evidence Set A–F
• The four-level Maturity Model
• All 3 crosswalks (NIST AI RMF + NIST CSF 2.0 + OWASP Agentic)
• All templates (AI-BOM, Privilege Matrix)
• All 4 OSS-convention files
• All 5 .github/ templates
• Apache 2.0 + Trademark Notice in LICENSE
• Playbook 01 (byte-identical to v0.2.0)
• Branch protection on main (enforced from v0.2.0 onward)
• 100/100 GitHub Community Standards

CITATION.cff

• Top-level version: "0.3.0"
• preferred-citation.version: "0.3.0"
• date-released: "2026-06-18"

Cite this release

Ideji, J. (2026). The AI IR Overlay Framework (v0.3.0). https://github.com/jacobideji/aiiroverlay

Forward references — playbook roadmap

Remaining load-bearing forward references (multi-file citations):

• playbook-18 Post-Incident Hardening — v0.4.0 candidate (referenced from crosswalks/nist-csf-2.md + kill-switches/overview.md)
• playbook-24 Board-Ready Scorecard — v0.5.0 candidate (referenced from framework/01-minimum-viable-overlay.md + framework/03-maturity-roadmap.md)

Single-reference forward refs (lower priority but available): playbook-03 (RAG Forensics), playbook-12 (Insider Threat 3.0), playbook-13 (Six Metrics), playbook-14 (Testing for Agent Failure Modes), playbook-15 (Records and Retention), playbook-20 (Operating Cadence), playbook-23 (Multi-Stakeholder Logging).

Acknowledgments

The "Tool Design Is Containment" thesis — prompts guide, tools contain — comes from Issue #4 of the AI IR Overlay LinkedIn newsletter. v0.3.0 makes that thesis concrete in an executable pre-incident runbook with a Tier 0/1/2 model, five-control checklist, and 60-minute first-hour drill that any platform team can run starting today.

v0.2.0 — Playbook 01: The Agent Is a Privileged Identity

v0.2.0 — Playbook 01: The Agent Is a Privileged Identity

The first practitioner playbook ships in this release. Per the framework's release model, every playbook is its own MINOR release — v0.2.0 captures Playbook 01.

What's new

• playbooks/01-agent-as-privileged-identity.md (14.7KB · 1,978 words) — The foundational orchestration playbook. Walks an Incident Commander through the framework's existing pieces in operational sequence for the privileged-identity-class scenario: prompt injection, context poisoning, or excessive agency.

• README reading order #9 — Playbooks — New section linking to the playbook(s); more playbooks ship as v0.2+ MINOR releases.

Playbook 01 — sections shipped (CONTRIBUTING template compliant)

• Premise — the privileged-identity mental shift, when to use this playbook, Mental Model clauses engaged
• First-Hour Actions — Six Triage Questions in operational order with a what-it-scopes column
• Containment Options — Kill-Switch Modes selected by confidence × impact matrix, plus the critical M4 sequence (snapshot → evidence → rotation)
• Evidence Priorities — A, B, F load-bearing for this class; C, D, E conditional on attack vector; type A retention concern (24–72h TTL)
• Recovery Sequence — MVO-4 with two scenario-specific gates: pre-incident AI-BOM scope validation, tool-tier-order re-enablement
• Post-Incident Hardening — 6 disciplines (PAM, tier classification, AI-BOM update, tabletop, detection thresholds, comms)
• Common Pitfalls — 10 highest-frequency failure modes specific to this scenario class
• Related — 10 framework cross-references

Crosswalk coverage

Playbook 01 supports the following industry-standard subcategories — referenced citation chain:

• NIST AI RMF 1.0: MANAGE 1.3, MANAGE 2.3, MANAGE 2.4, MANAGE 4.1
• NIST CSF 2.0: RS.MA-01, RS.MA-04, RS.MI-01, RS.MI-02
• OWASP Agentic Top 10 2026: ASI01 Agent Goal Hijack, ASI02 Tool Misuse & Exploitation, ASI03 Identity & Privilege Abuse, ASI05 Unexpected Code Execution

What this unlocks

A CISO downloading v0.2.0 gets — for the first time — a complete IR workflow for AI agents:

• The Mental Model says what shift to make (agent = privileged identity)
• The MVO controls say what to build (inventory, safe modes, evidence set, controlled re-enable)
• The Six Triage Questions say what to ask first
• The Kill-Switch Modes say how to contain
• The Minimum Evidence Set says what to preserve
• Playbook 01 says how to execute all of the above as a coherent sequence under pressure.

This is the first release where the framework moves from "comprehensive reference" to "execution-ready runbook."

What did NOT change

• The four MVO controls
• The Six Triage Questions
• The Kill-Switch Modes M0–M5
• The Minimum Evidence Set A–F
• The four-level Maturity Model
• All 3 crosswalks (NIST AI RMF + NIST CSF 2.0 + OWASP Agentic)
• All templates (AI-BOM, Privilege Matrix)
• All 4 OSS-convention files
• All 5 .github/ issue + PR templates
• Apache 2.0 + Trademark Notice in LICENSE
• 100/100 Community Standards score

CITATION.cff

• Top-level version: "0.2.0"
• preferred-citation.version: "0.2.0"
• date-released: "2026-06-18" (newsletter Issue #1 was published 2025; this is the framework-release date for the corresponding playbook)

Cite this release

Ideji, J. (2026). The AI IR Overlay Framework (v0.2.0). https://github.com/jacobideji/aiiroverlay

Next

v0.3.0+ — additional playbooks. Per the release model, each one ships as its own MINOR release. Load-bearing forward references that are now multi-file load-bearing (high-priority candidates):

• playbook-04 Tool Design Is Containment (referenced in kill-switches + templates)
• playbook-18 Post-Incident Hardening (referenced in kill-switches + CSF crosswalk)
• playbook-24 Board-Ready Scorecard (referenced in framework/01 + maturity roadmap)

Source material: LinkedIn newsletter Issues #4, #18, #24 (already drafted; framework synthesis available).

Acknowledgments

The foundational mental shift this playbook documents — if it can act, govern it as a privileged identity — comes from Issue #1 of the AI IR Overlay LinkedIn newsletter. v0.2.0 makes that shift concrete in an operational runbook other practitioners can execute.

v0.1.5 — Crosswalk expansion + citation accuracy

v0.1.5 — Crosswalk expansion + citation accuracy

A substantial content release: two new industry-standard crosswalks (NIST CSF 2.0 and OWASP Agentic Top 10 2026), NIST AI RMF citations brought to verbatim spec-accuracy, and README discoverability improvements. No framework substance changes — the four MVO controls, Six Triage Questions, Kill-Switch Modes M0–M5, Minimum Evidence Set A–F, and four-level Maturity Model are byte-identical to v0.1.4.

New crosswalks

• crosswalks/nist-csf-2.md (10.8KB · 1,478 words) — Maps the four MVO controls, Six Triage Questions, Mental Model, and Maturity Roadmap to NIST Cybersecurity Framework 2.0 across all six functions. Cites 30 distinct CSF 2.0 subcategory IDs (GV, ID, PR, DE, RS, RC) verified spec-accurate against authoritative NIST sources. Documents the layered relationship: SP 800-61 r3 is a CSF 2.0 Community Profile; the AI IR Overlay is an AI-specific extension of SP 800-61 r3.

• crosswalks/owasp-agentic-top-10.md (14.8KB · 2,055 words) — Maps the AI IR Overlay to all 10 ASI risks (ASI01–ASI10) of OWASP Top 10 for Agentic Applications 2026 (released December 2025 by the OWASP GenAI Security Project). For each ASI, identifies the primary MVO controls, most relevant evidence types, and operational priority for incident response.

Citation accuracy fixes — NIST AI RMF crosswalk

crosswalks/nist-ai-rmf.md has been brought to the same spec-accuracy bar as the new CSF crosswalk:

• MANAGE 4.1 — restored full official text: "…appeal and override, decommissioning, incident response, recovery, and change management." Strengthens the MVO-3 Evidence Set mapping since the official text already covers IR/recovery scope.
• GOVERN 1.6 — corrected "resource them" → "are resourced" (passive voice per spec).
• MEASURE 2.7 — restored "– as identified in the map function –" qualifying clause.
• MANAGE 1.3 — corrected "MAP function" → "map function" (lowercase per spec).
• At-a-Glance table — refined three imprecise labels: GOVERN 1.1 (was "org policy", now "legal/regulatory"), GOVERN 1.4 (was "continuous improvement", now "risk-management process" with MANAGE 4.2 correctly attributed for continual improvement), GOVERN 3.2 (was "risk tolerance", now "human-AI roles").

Citation accuracy fixes — README

• ISO/IEC 42001:2023 — switched to full official ISO catalog title: "Information technology — Artificial intelligence — Management system (AIMS)".
• MITRE ATLAS — restored hyphenated official expansion: "Adversarial Threat Landscape for Artificial-Intelligence Systems" per the MITRE ATLAS Fact Sheet.

Citation accuracy fixes — CSF 2.0 crosswalk

• PR.AA-01 description — corrected "identity assertion" (which is actually PR.AA-04) to "identity/credential management" (the actual PR.AA-01 text per NIST CSF 2.0).

OWASP Agentic — misattribution removed

• README dropped the unverifiable "Least Agency" attribution. After source review, that term appears in third-party characterizations but not in OWASP's own materials. Replaced with "OWASP GenAI Security Project."

README discoverability

• Templates added to the reading order (#7) — templates/ai-bom.yaml (AI-BOM schema for MVO-1 Inventory) and templates/agent-privilege-matrix.csv (tool-tier matrix for MVO-2 Mode M3). Crosswalks renumbered to #8.
• Acronyms glossary appended — 11 entries (AI-BOM, ASI, CSF, IC, IR, MVO, PAM, RAG, RMF, SOC, TTA) with SOC explicitly disambiguated from SOC 2 (the AICPA audit standard).

What did NOT change

• The four MVO controls (Inventory, Safe Modes, Minimum Evidence Set, Controlled Re-Enable)
• The Six Triage Questions
• The Kill-Switch Modes M0–M5 (definitions and TTA targets)
• The Minimum Evidence Set A–F
• The four-level Maturity Model
• Apache 2.0 + Trademark Notice in LICENSE
• All 4 OSS-convention files (CITATION.cff, SECURITY.md, CONTRIBUTING.md, CODE_OF_CONDUCT.md)
• All 5 .github/ templates (3 issue forms + config + PR template)
• 100/100 GitHub Community Standards

Cite this release

Ideji, J. (2026). The AI IR Overlay Framework (v0.1.5). https://github.com/jacobideji/aiiroverlay

Citation-accuracy scorecard

All 10 cited industry standards now have:

• Verified formal titles
• Verified publication dates
• For NIST CSF 2.0, NIST AI RMF, and OWASP Agentic: verbatim or spec-accurate subcategory citations

Standard	Citations
NIST CSF 2.0	30 subcategory IDs verified
NIST AI RMF 1.0	16 subcategory texts verbatim
OWASP Agentic Top 10 2026	All 10 ASI categories verified

Next

v0.2.0 ships Playbook 1 — the first practitioner playbook from the LinkedIn newsletter series. Per the framework's release model, every playbook is its own MINOR release.

Acknowledgments

This release captures the work of multiple deep content audits — verifying every cited subcategory ID against authoritative sources (NIST CSRC, csf.tools, NIST AIRC Knowledge Base, OWASP GenAI Security Project) and tightening discoverability for new readers.

v0.1.4 — Content accuracy: NIST r3, OWASP Agentic 2026, nomenclature polish

v0.1.4 — Content accuracy: NIST r3 + OWASP Agentic 2026 + nomenclature polish

Five citation/accuracy fixes surfaced during a deep content audit. No framework substance changes — the four MVO controls, Six Triage Questions, Kill-Switch Modes M0–M5, Minimum Evidence Set A–F, and four-level maturity model are byte-identical to v0.1.3.

What changed

• NIST SP 800-61 r2 → r3 — NIST officially withdrew r2 in April 2025 and published r3 (Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile). README.md now cites r3 in three places (intro paragraph, diagram note, Related work). The r2 six-phase lifecycle diagram is retained as widely-understood operational shorthand; a full AI IR Overlay ↔ CSF 2.0 (Govern/Identify/Protect/Detect/Respond/Recover) crosswalk is planned for v0.2.
• OWASP Top 10 split — OWASP Top 10 for LLM Applications (2025.1) and OWASP Top 10 for Agentic Applications 2026 (ASI01–ASI10, including the "Least Agency" principle) are separate publications. README.md now cites both. An AI IR Overlay ↔ OWASP Agentic Top 10 crosswalk is on the roadmap.
• MVO-N nomenclature — framework/01-minimum-viable-overlay.md now defines the MVO-1 … MVO-4 shorthand explicitly, so downstream files (crosswalks/nist-ai-rmf.md, framework/03-maturity-roadmap.md) reference a canonical source.
• CommonMark code-fence syntax — Removed stray text info strings from the closing fences in framework/03-maturity-roadmap.md and triage/six-questions-card.md (per CommonMark spec, closing fences must be bare).
• CITATION.cff — Version bumped to 0.1.4 (both top-level and preferred-citation).

What did NOT change

• The MVO controls (Inventory, Safe Modes, Minimum Evidence Set, Controlled Re-Enable)
• The Six Triage Questions
• The Kill-Switch Modes M0–M5 (definitions and TTA targets)
• The Minimum Evidence Set A–F
• The four-level Maturity Model
• The NIST AI RMF crosswalk (already correctly cited)
• ISO/IEC 42001:2023 and EU AI Act references (already correctly cited)

Cite this release

Ideji, J. (2026). The AI IR Overlay Framework (v0.1.4). https://github.com/jacobideji/aiiroverlay

Next

v0.2.0 ships Playbook 1 — the first practitioner playbook from the LinkedIn newsletter series. Per the framework's release model, every playbook is its own MINOR release. v0.2 will also include the AI IR Overlay ↔ CSF 2.0 crosswalk.

Acknowledgments

Thanks to the deep content audit process for surfacing the NIST r3 supersession and the OWASP Agentic 2026 distinction. Both are the kind of findings a regulator or savvy reader would catch on first read.