Show HN: Crosswalk mapping AI-agent design controls to NIST, ISO 42001, OWASP AgentAz, a design-time governance vocabulary for AI agents, published a crosswalk mapping its dimensions to controls in NIST AI RMF 1.0, ISO/IEC 42001:2023, and OWASP Agentic Security. The mapping helps enterprises produce machine-readable evidence toward compliance with these frameworks, though it explicitly excludes runtime defenses and certification. AgentAz™ Regulatory Crosswalk AgentAz is a design-time governance vocabulary. This crosswalk maps each AgentAz dimension to the controls it helps satisfy in three frameworks an enterprise is likely already audited against — so a machine-readable agentaz.json becomes a shortcut through the governance section of a security questionnaire. A spec’s worth is what it maps up to. Read each row as: “an agent that declares this AgentAz dimension is producing design-time evidence toward these controls.” It is evidence toward , not a certification — the mapping shows intent is documented, not that an auditor has verified the running system. | AgentAz dimension | NIST AI RMF 1.0 | ISO/IEC 42001:2023 | OWASP Agentic ASI | |---|---|---|---| | Worst-case action & Trust Level A1–A5 Classifying an agent by the maximum impact it could have. | MAP 1.1 context , MAP 5.1 impact likelihood & magnitude | A.5 — AI system impact assessment | ASI01 Agent Goal Hijack · ASI10 Rogue Agents | | Authority boundaryWhat the agent is permitted to modify, send, spend, or delete. | MAP 2 system categorization , GOVERN 1.4 oversight policy | A.9.4 intended use · A.9.2 responsible-use boundaries | ASI03 Identity & Privilege Abuse | | Tool boundary least privilege A scoped tool registry; gated vs. auto-executable; absent capabilities. | MANAGE 2 risk treatment | A.4 resources/tooling · A.9.2 usage limits | ASI02 Tool Misuse · ASI03 Privilege Abuse “Least Agency” | | Human approval gateHuman-in-the-loop sign-off before an irreversible action runs. | MANAGE 4.1 override mechanisms , GOVERN 1.4 human oversight | A.9.2 — human oversight / override of AI decisions | ASI09 Human-Agent Trust Exploitation supports ASI02 | | Confidence escalationRouting low-confidence or ambiguous cases to a human instead of acting. | MANAGE 4.1 appeal & override , MANAGE 2 | A.6.2 operation/monitoring · A.9.2 | ASI09 decision-fatigue · ASI01 | | Cost ceilingA spend cap per run, with an alert threshold.partial mapping | MANAGE 2 risk treatment | A.6.2 operation | ASI08 Cascading Failures blast-radius limit | | Loop bound / escape hatchAn iteration cap so the agent can't spin indefinitely. | MANAGE 4.1 monitoring | A.6.2 operation | ASI08 Cascading Failures circuit breakers | | Output boundaryA constrained, declared set of outputs the agent may emit.partial mapping | MEASURE 2 evaluation | A.8 information for interested parties · A.9.2 | ASI02 Tool Misuse · ASI05 Unexpected Code Execution | | Audit trail tamper-evident An append-only, verifiable record of decisions and approvals. | MANAGE 4 monitoring , GOVERN documentation | A.6.2 lifecycle logging · A.5 | Cross-cutting — detection signal for ASI06 / ASI10 | What this crosswalk does not claim Honest scope is the point — a governance mapping is only useful if its gaps are stated. AgentAz stays in one lane: design-time, machine-readable, blueprint-level. It does not cover runtime proof, agent identity, or certification. Specifically out of scope: - OWASP ASI04 Supply Chain , ASI05 sandboxing of code execution , ASI06 memory/RAG poisoning , and ASI07 inter-agent communication are runtime and infrastructure defenses. AgentAz documents design-time intent; it does not implement these — they belong to your runtime and security layers. - NIST MEASURE bias/fairness depth and full TEVV methodology. AgentAz is boundary-focused, not a fairness-testing methodology; treat these as partial at best. - ISO/IEC 42001 A.7 data governance and A.10 third-party relationships . Largely outside a single blueprint's design-time spec. A mapping is a starting point for a questionnaire, not a compliance verdict. Your auditor still determines whether a control is satisfied in your environment. Sources & version Mapped against the published structure of NIST AI RMF 1.0 https://www.nist.gov/itl/ai-risk-management-framework 2023 , ISO/IEC 42001:2023 https://www.iso.org/standard/81230.html , and the OWASP Top 10 for Agentic Applications https://genai.owasp.org/ ASI01–ASI10, December 2025 . Crosswalk version 1.0 · Last reviewed 2026-06-30. These frameworks are revised over time the OWASP agentic list especially is new and evolving — verify any row against the current published control text before relying on it in an audit.