Source: agent-kits.com

Show HN: Crosswalk mapping AI-agent design controls to NIST, ISO 42001, OWASP

AgentAz, a design-time governance vocabulary for AI agents, published a crosswalk mapping its dimensions to controls in NIST AI RMF 1.0, ISO/IEC 42001:2023, and OWASP Agentic Security. The mapping helps enterprises produce machine-readable evidence toward compliance with these frameworks, though it explicitly excludes runtime defenses and certification.

Published Jun 30, 2026 · 3 min read

AgentAz is a design-time governance vocabulary. This crosswalk maps each AgentAz dimension to the controls it helps satisfy in three frameworks an enterprise is likely already audited against, so a machine-readable agentaz.json becomes a shortcut through the governance section of a security questionnaire.

A spec’s worth is what it maps up to. Read each row as: “an agent that declares this AgentAz dimension is producing design-time evidence toward these controls.” It is evidence toward, not a certification — the mapping shows intent is documented, not that an auditor has verified the running system.

| AgentAz dimension | NIST AI RMF 1.0 | ISO/IEC 42001:2023 | OWASP Agentic (ASI) |
|---|---|---|---|
| Worst-case action & Trust Level (A1–A5): Classifying an agent by the maximum impact it could have. | MAP 1.1 (context), MAP 5.1 (impact likelihood & magnitude) | A.5 (AI system impact assessment) | ASI01 Agent Goal Hijack · ASI10 Rogue Agents |
| Authority boundary: What the agent is permitted to modify, send, spend, or delete. | MAP 2 (system categorization), GOVERN 1.4 (oversight policy) | A.9.4 (intended use) · A.9.2 (responsible-use boundaries) | ASI03 Identity & Privilege Abuse |
| Tool boundary (least privilege): A scoped tool registry; gated vs. auto-executable; absent capabilities. | MANAGE 2 (risk treatment) | A.4 (resources/tooling) · A.9.2 (usage limits) | ASI02 Tool Misuse · ASI03 Privilege Abuse (“Least Agency”) |
| Human approval gate: Human-in-the-loop sign-off before an irreversible action runs. | MANAGE 4.1 (override mechanisms), GOVERN 1.4 (human oversight) | A.9.2 (human oversight / override of AI decisions) | ASI09 Human-Agent Trust Exploitation (supports ASI02) |
| Confidence escalation: Routing low-confidence or ambiguous cases to a human instead of acting. | MANAGE 4.1 (appeal & override), MANAGE 2 | A.6.2 (operation/monitoring) · A.9.2 | ASI09 (decision-fatigue) · ASI01 |
| Cost ceiling: A spend cap per run, with an alert threshold. (partial mapping) | MANAGE 2 (risk treatment) | A.6.2 (operation) | ASI08 Cascading Failures (blast-radius limit) |
| Loop bound / escape hatch: An iteration cap so the agent can't spin indefinitely. | MANAGE 4.1 (monitoring) | A.6.2 (operation) | ASI08 Cascading Failures (circuit breakers) |
| Output boundary: A constrained, declared set of outputs the agent may emit. (partial mapping) | MEASURE 2 (evaluation) | A.8 (information for interested parties) · A.9.2 | ASI02 Tool Misuse · ASI05 Unexpected Code Execution |
| Audit trail (tamper-evident): An append-only, verifiable record of decisions and approvals. | MANAGE 4 (monitoring), GOVERN (documentation) | A.6.2 (lifecycle logging) · A.5 | Cross-cutting: detection signal for ASI06 / ASI10 |

What this crosswalk does not claim

Honest scope is the point — a governance mapping is only useful if its gaps are stated. AgentAz stays in one lane: design-time, machine-readable, blueprint-level. It does not cover runtime proof, agent identity, or certification. Specifically out of scope:

  • OWASP ASI04 (Supply Chain), ASI05 (sandboxing of code execution), ASI06 (memory/RAG poisoning), and ASI07 (inter-agent communication) are runtime and infrastructure defenses. AgentAz documents design-time intent; it does not implement these — they belong to your runtime and security layers.

  • NIST MEASURE bias/fairness depth and full TEVV methodology. AgentAz is boundary-focused, not a fairness-testing methodology; treat these as partial at best.

  • ISO/IEC 42001 A.7 (data governance) and A.10 (third-party relationships). Largely outside a single blueprint's design-time spec.

A mapping is a starting point for a questionnaire, not a compliance verdict. Your auditor still determines whether a control is satisfied in your environment.

Sources & version

Mapped against the published structure of NIST AI RMF 1.0 (2023), ISO/IEC 42001:2023, and the OWASP Top 10 for Agentic Applications (ASI01–ASI10, December 2025).

Crosswalk version 1.0 · Last reviewed 2026-06-30. These frameworks are revised over time (the OWASP agentic list especially is new and evolving) — verify any row against the current published control text before relying on it in an audit.
