v0.1.5 — Crosswalk expansion + citation accuracy
A substantial content release: two new industry-standard crosswalks (NIST CSF 2.0 and OWASP Agentic Top 10 2026), NIST AI RMF citations brought to verbatim spec-accuracy, and README discoverability improvements. No framework substance changes — the four MVO controls, Six Triage Questions, Kill-Switch Modes M0–M5, Minimum Evidence Set A–F, and four-level Maturity Model are byte-identical to v0.1.4.
New crosswalks
- crosswalks/nist-csf-2.md (10.8KB · 1,478 words) — Maps the four MVO controls, Six Triage Questions, Mental Model, and Maturity Roadmap to NIST Cybersecurity Framework 2.0 across all six functions. Cites 30 distinct CSF 2.0 subcategory IDs (GV, ID, PR, DE, RS, RC) verified spec-accurate against authoritative NIST sources. Documents the layered relationship: SP 800-61 r3 is a CSF 2.0 Community Profile; the AI IR Overlay is an AI-specific extension of SP 800-61 r3.
- crosswalks/owasp-agentic-top-10.md (14.8KB · 2,055 words) — Maps the AI IR Overlay to all 10 ASI risks (ASI01–ASI10) of OWASP Top 10 for Agentic Applications 2026 (released December 2025 by the OWASP GenAI Security Project). For each ASI, identifies the primary MVO controls, most relevant evidence types, and operational priority for incident response.
Citation accuracy fixes — NIST AI RMF crosswalk
crosswalks/nist-ai-rmf.md has been brought to the same spec-accuracy bar as the new CSF crosswalk:
- MANAGE 4.1 — restored full official text: "…appeal and override, decommissioning, incident response, recovery, and change management." Strengthens the MVO-3 Evidence Set mapping since the official text already covers IR/recovery scope.
- GOVERN 1.6 — corrected "resource them" → "are resourced" (passive voice per spec).
- MEASURE 2.7 — restored "– as identified in the map function –" qualifying clause.
- MANAGE 1.3 — corrected "MAP function" → "map function" (lowercase per spec).
- At-a-Glance table — refined three imprecise labels: GOVERN 1.1 (was "org policy", now "legal/regulatory"), GOVERN 1.4 (was "continuous improvement", now "risk-management process" with MANAGE 4.2 correctly attributed for continual improvement), GOVERN 3.2 (was "risk tolerance", now "human-AI roles").
Citation accuracy fixes — README
- ISO/IEC 42001:2023 — switched to full official ISO catalog title: "Information technology — Artificial intelligence — Management system (AIMS)".
- MITRE ATLAS — restored hyphenated official expansion: "Adversarial Threat Landscape for Artificial-Intelligence Systems" per the MITRE ATLAS Fact Sheet.
Citation accuracy fixes — CSF 2.0 crosswalk
- PR.AA-01 description — corrected "identity assertion" (which is actually PR.AA-04) to "identity/credential management" (the actual PR.AA-01 text per NIST CSF 2.0).
OWASP Agentic — misattribution removed
- README dropped the unverifiable "Least Agency" attribution. After source review, that term appears in third-party characterizations but not in OWASP's own materials. Replaced with "OWASP GenAI Security Project."
README discoverability
- Templates added to the reading order (#7) — templates/ai-bom.yaml (AI-BOM schema for MVO-1 Inventory) and templates/agent-privilege-matrix.csv (tool-tier matrix for MVO-2 Mode M3). Crosswalks renumbered to #8.
- Acronyms glossary appended — 11 entries (AI-BOM, ASI, CSF, IC, IR, MVO, PAM, RAG, RMF, SOC, TTA) with SOC explicitly disambiguated from SOC 2 (the AICPA audit standard).
What did NOT change
- The four MVO controls (Inventory, Safe Modes, Minimum Evidence Set, Controlled Re-Enable)
- The Six Triage Questions
- The Kill-Switch Modes M0–M5 (definitions and TTA targets)
- The Minimum Evidence Set A–F
- The four-level Maturity Model
- Apache 2.0 + Trademark Notice in LICENSE
- All 4 OSS-convention files (CITATION.cff, SECURITY.md, CONTRIBUTING.md, CODE_OF_CONDUCT.md)
- All 5 .github/ templates (3 issue forms + config + PR template)
- 100/100 GitHub Community Standards
Cite this release
Ideji, J. (2026). The AI IR Overlay Framework (v0.1.5). https://github.com/jacobideji/aiiroverlay
Citation-accuracy scorecard
All 10 cited industry standards now have:
- Verified formal titles
- Verified publication dates
- For NIST CSF 2.0, NIST AI RMF, and OWASP Agentic: verbatim or spec-accurate subcategory citations
| Standard | Citations |
|---|---|
| NIST CSF 2.0 | 30 subcategory IDs verified |
| NIST AI RMF 1.0 | 16 subcategory texts verbatim |
| OWASP Agentic Top 10 2026 | All 10 ASI categories verified |
Next
v0.2.0 ships Playbook 1 — the first practitioner playbook from the LinkedIn newsletter series. Per the framework's release model, every playbook is its own MINOR release.
Acknowledgments
This release captures the work of multiple deep content audits — verifying every cited subcategory ID against authoritative sources (NIST CSRC, csf.tools, NIST AIRC Knowledge Base, OWASP GenAI Security Project) and tightening discoverability for new readers.