Standards Mapping. Cross-referenced with OWASP AIVSS v0.8.
AIUC-1 Controls Mapping
CapiscIO capabilities mapped to AIUC-1 responsible AI controls
Cross-referenced with OWASP AIVSS v0.8 agentic AI core security risk categories via the official AIUC–AIVSS crosswalk.
CapiscIO provides agent identity, integrity verification, and access control. This page maps those capabilities to AIUC-1 controls and is transparent about what we cover, what's partial, and what's out of scope.
Coverage at a Glance
CapiscIO coverage across the 10 OWASP AIVSS agentic AI core security risks. Shipped, partial, roadmap, and out of scope — all visible.
| AIVSS Core Risk | CapiscIO Coverage | Status |
|---|---|---|
| Agent Identity Impersonation | Trust badges, Ed25519 signatures, Key Ownership Proof | Shipped |
| Agent Access Control Violation | Trust Levels 0–4, Guard middleware, per-request verification | Shipped |
| Agentic AI Tool Misuse | MCP Guard trust-level access control per tool (RFC-006) | Shipped |
| Agent Untraceability | Structured decision logs, agent identity binding, telemetry schema | Shipped |
| Agent Supply Chain & Dependency Risk | Registry catalog, CLI pre-deployment validation, third-party access logs | Partial |
| Agent Goal & Instruction Manipulation | Payload integrity verification (SHA-256 body hash). Does not inspect content semantics. | Partial |
| Insecure Agent Critical Systems Interaction | MCP Guard restricts tool access to critical systems by trust level | Partial |
| Agent Orchestration & Multi-Agent Exploitation | RFC-004 chain-of-custody tracing for multi-agent delegation | Roadmap |
| Agent Cascading Failures | RFC-004 chain-of-custody tracing enables cascade detection. Cross-org policy (RFC-005) will add hop-depth limits. | Roadmap |
| Agent Memory & Context Manipulation | Not addressed. CapiscIO does not inspect or protect agent memory or context state. | — |
AIUC-1 Control Detail
Each row maps an AIUC-1 control to the AIVSS core risk it addresses (per the official crosswalk) and the CapiscIO capability that implements it.
| AIUC-1 Control | Principle | AIVSS Core Risk | CapiscIO Capability | Status |
|---|---|---|---|---|
| B004: Prevent AI endpoint scraping | Security | Agentic AI Tool Misuse | MCP Guard trust-level access control restricts tool invocation to badge-holders (RFC-006). Unauthenticated scraping is blocked at the gateway. RFC-006 | Shipped |
| B006: Prevent unauthorized AI agent actions | Security | Agent Access Control Violation | Agent Guard enforces trust badge verification per request. Only agents holding a valid badge at the required trust level can invoke protected endpoints. RFC-002 | Shipped |
| B007: Enforce user access privileges to AI systems | Security | Agent Access Control Violation | Trust Levels 0–4 (RFC-002) provide graduated identity assurance. Guard middleware passes verified claims to downstream authorization logic. RFC-002CapiscIO handles agent authentication; user-level authorization remains the deployer's responsibility. | Partial |
| B001: Third-party testing of adversarial robustness | Security | Agent Goal & Instruction Manipulation | CLI validates agent card schemas, endpoint availability, and signature correctness in CI pipelines. Does not test model-level adversarial robustness. RFC-001CapiscIO tests protocol-layer robustness, not model-layer adversarial inputs. | Partial |
| B002: Detect adversarial input | Security | Agent Goal & Instruction Manipulation | Guard verifies payload integrity via SHA-256 body hash binding (bh claim). Detects tampering but not semantic adversarial content. RFC-001Covers integrity (tamper detection), not semantic or prompt-level adversarial input detection. | Partial |
| B005: Implement real-time input filtering | Security | Agent Goal & Instruction Manipulation | Guard runs inline per-request validation with sub-millisecond latency. Filters on identity and integrity, not content. RFC-001Filters by agent identity and payload integrity. Content-level filtering is out of scope. | Partial |
| A005: Prevent cross-customer data exposure | Data & Privacy | Agent Access Control Violation | Trust badges bind identity to a specific organization. Guard rejects requests from agents whose badge issuer does not match the expected tenant. RFC-002 | Shipped |
| A007: Prevent IP violations | Data & Privacy | Agent Supply Chain & Dependency Risk | Agent Card validation (RFC-004) verifies declared capabilities and provenance. Registry tracks which agents are authorized within an organization. RFC-004CapiscIO verifies agent identity and provenance, not IP/licensing compliance of underlying models. | Partial |
| E004: Assign accountability | Accountability | Agent Untraceability | Every badge binds a cryptographic key to an agent identity and organization. Guard decision logs record which agent acted, when, and with what outcome. RFC-002 | Shipped |
| E009: Monitor third-party access | Accountability | Agent Supply Chain & Dependency Risk | Guard logs every inbound agent request with agent ID, key ID, trust level, and decision outcome. Integrates with Datadog, Splunk, and OpenTelemetry. RFC-001 | Shipped |
| E015: Log model activity | Accountability | Agent Untraceability | Structured telemetry events for every Guard decision (allow/deny), including agent ID, key ID, latency, endpoint, and failure reason. RFC-001 | Shipped |
| E016: Implement AI disclosure mechanisms | Accountability | Agent Identity Impersonation | Trust badges are publicly verifiable. Agent Cards declare identity, capabilities, and trust level. Agents cryptographically prove they are what they claim. RFC-002 | Shipped |
| E006: Conduct vendor due diligence | Accountability | Agent Supply Chain & Dependency Risk | Registry provides a searchable catalog of badged agents with trust level, issuer, and organization. CLI can validate any agent on demand. RFC-002CapiscIO surfaces verifiable identity and trust level. Full vendor risk assessment remains a human process. | Partial |
| E014: Share transparency reports | Accountability | Agent Untraceability | Guard telemetry schema is documented and exportable. Platform dashboard provides aggregate decision analytics. RFC-001Provides the data. Generating and publishing transparency reports is the deployer's responsibility. | Partial |
| C002: Conduct pre-deployment testing | Safety | Agent Supply Chain & Dependency Risk | CLI validates agent cards, signatures, endpoint availability, and protocol compliance in CI/CD pipelines before deployment. RFC-001 | Shipped |
| C008: Monitor AI risk categories | Safety | Agent Untraceability | Guard decision logs categorize outcomes (allow/deny) with structured reasons. Platform dashboard surfaces anomalies and trends. RFC-001Monitors protocol-layer risk events. Model behavior risk monitoring is out of scope. | Partial |
| D003: Restrict unsafe tool calls | Reliability | Agentic AI Tool Misuse | MCP Guard enforces trust-level access control per tool. Agents below the required trust level are blocked from invoking sensitive tools. RFC-006 | Shipped |
| F001: Prevent AI cyber misuse | Society | Agent Identity Impersonation | Trust badges with cryptographic identity verification prevent agent spoofing. Guard blocks requests from unverified or revoked agents. RFC-002 | Shipped |
| F002: Prevent catastrophic misuse | Society | Insecure Agent Critical Systems Interaction | MCP Guard restricts tool access to critical systems based on trust level. RFC-004 chain-of-custody tracing will detect unauthorized delegation paths. RFC-006Restricts access to critical tools. Does not govern what the model itself decides to do. | Partial |
What CapiscIO Does Not Address
CapiscIO is an identity and integrity layer. These domains require purpose-built tooling.
Full policy engine
Basic cross-org policy enforcement is in active development — Org A can set inbound rules for agents from Org B based on badge claims, trust level, and scope. Full policy engine integration (OPA, Cedar, or custom engines) is planned via RFC-005.
Model behavior governance
CapiscIO does not govern what a model says or does. It does not address bias, hallucination, harmful outputs, or alignment. These require dedicated model evaluation and safety tooling.
Prompt injection detection
Guard verifies the identity of the caller and the integrity of the payload. It does not inspect prompt content for injection attacks. Use dedicated prompt security tools (Rebuff, Lakera, or similar) for content filtering.
Runtime containment
CapiscIO does not sandbox agent execution, limit resource consumption, or prevent runaway agent loops. Use container isolation, Kubernetes resource limits, or dedicated agent runtime platforms for execution containment.
References
Official mapping of AIUC-1 requirements to OWASP AIVSS agentic AI core security risks. 51 controls across 6 principles.
AI Vulnerability Scoring System for OWASP Agentic AI Core Security Risks. Scoring methodology and 10 core risk categories.
Protocol specifications: RFC-001 (AGCP), RFC-002 (Trust Badge), RFC-003 (Key Ownership Proof), RFC-004 (TCHB), RFC-005 (Policy), RFC-006 (MCP Tool Authority), RFC-007 (MCP Server Identity).
Working examples demonstrating Guard, MCP Guard, and CLI validation with LangChain, CrewAI, and LangGraph agents.
See the full OWASP Agentic threat model
For CapiscIO's complete OWASP Top 10 for Agentic Applications coverage, threat model, and trust level documentation, see the Security & Trust page.