# Show HN: Crosswalk mapping AI-agent design controls to NIST, ISO 42001, OWASP

> Source: <https://www.agent-kits.com/agentaz-crosswalk>
> Published: 2026-06-30 08:57:38+00:00

# AgentAz™ Regulatory Crosswalk

AgentAz is a design-time governance vocabulary. This crosswalk maps each AgentAz dimension to the controls it helps satisfy in three frameworks an enterprise is likely already audited against — so a machine-readable `agentaz.json`

becomes a shortcut through the governance section of a security questionnaire.

A spec’s worth is what it maps up to. Read each row as: “an agent that declares this AgentAz dimension is producing design-time evidence toward these controls.” It is **evidence toward**, not a certification — the mapping shows intent is documented, not that an auditor has verified the running system.

| AgentAz dimension | NIST AI RMF 1.0 | ISO/IEC 42001:2023 | OWASP Agentic (ASI) |
|---|---|---|---|
| Worst-case action & Trust Level (A1–A5)Classifying an agent by the maximum impact it could have. | MAP 1.1 (context), MAP 5.1 (impact likelihood & magnitude) | A.5 — AI system impact assessment | ASI01 Agent Goal Hijack · ASI10 Rogue Agents |
| Authority boundaryWhat the agent is permitted to modify, send, spend, or delete. | MAP 2 (system categorization), GOVERN 1.4 (oversight policy) | A.9.4 (intended use) · A.9.2 (responsible-use boundaries) | ASI03 Identity & Privilege Abuse |
| Tool boundary (least privilege)A scoped tool registry; gated vs. auto-executable; absent capabilities. | MANAGE 2 (risk treatment) | A.4 (resources/tooling) · A.9.2 (usage limits) | ASI02 Tool Misuse · ASI03 Privilege Abuse (“Least Agency”) |
| Human approval gateHuman-in-the-loop sign-off before an irreversible action runs. | MANAGE 4.1 (override mechanisms), GOVERN 1.4 (human oversight) | A.9.2 — human oversight / override of AI decisions | ASI09 Human-Agent Trust Exploitation (supports ASI02) |
| Confidence escalationRouting low-confidence or ambiguous cases to a human instead of acting. | MANAGE 4.1 (appeal & override), MANAGE 2 | A.6.2 (operation/monitoring) · A.9.2 | ASI09 (decision-fatigue) · ASI01 |
| Cost ceilingA spend cap per run, with an alert threshold.partial mapping | MANAGE 2 (risk treatment) | A.6.2 (operation) | ASI08 Cascading Failures (blast-radius limit) |
| Loop bound / escape hatchAn iteration cap so the agent can't spin indefinitely. | MANAGE 4.1 (monitoring) | A.6.2 (operation) | ASI08 Cascading Failures (circuit breakers) |
| Output boundaryA constrained, declared set of outputs the agent may emit.partial mapping | MEASURE 2 (evaluation) | A.8 (information for interested parties) · A.9.2 | ASI02 Tool Misuse · ASI05 Unexpected Code Execution |
| Audit trail (tamper-evident)An append-only, verifiable record of decisions and approvals. | MANAGE 4 (monitoring), GOVERN (documentation) | A.6.2 (lifecycle logging) · A.5 | Cross-cutting — detection signal for ASI06 / ASI10 |

## What this crosswalk does *not* claim

Honest scope is the point — a governance mapping is only useful if its gaps are stated. AgentAz stays in one lane: design-time, machine-readable, blueprint-level. It does not cover runtime proof, agent identity, or certification. Specifically out of scope:

- OWASP ASI04 (Supply Chain), ASI05 (sandboxing of code execution), ASI06 (memory/RAG poisoning), and ASI07 (inter-agent communication) are runtime and infrastructure defenses. AgentAz documents design-time intent; it does not implement these — they belong to your runtime and security layers.
- NIST MEASURE bias/fairness depth and full TEVV methodology. AgentAz is boundary-focused, not a fairness-testing methodology; treat these as partial at best.
- ISO/IEC 42001 A.7 (data governance) and A.10 (third-party relationships). Largely outside a single blueprint's design-time spec.

A mapping is a starting point for a questionnaire, not a compliance verdict. Your auditor still determines whether a control is satisfied in your environment.

## Sources & version

Mapped against the published structure of [NIST AI RMF 1.0](https://www.nist.gov/itl/ai-risk-management-framework) (2023), [ISO/IEC 42001:2023](https://www.iso.org/standard/81230.html), and the [OWASP Top 10 for Agentic Applications](https://genai.owasp.org/) (ASI01–ASI10, December 2025).

Crosswalk version 1.0 · Last reviewed 2026-06-30. These frameworks are revised over time (the OWASP agentic list especially is new and evolving) — verify any row against the current published control text before relying on it in an audit.
