Twelve months ago, AI procurement questionnaires asked about SOC 2 and called it a day. They do not stop there anymore. Security teams are learning to ask about OWASP's new Agentic AI threat model, the OWASP Top 10 for LLM Applications, and the NIST AI Risk Management Framework. If you are deploying agents in production, these questions are coming.
We spent the last quarter doing the homework: an honest, control-by-control mapping of ARXsec's runtime to all three frameworks. This post is the summary. The full coverage matrix ships in every compliance package we generate.
Why three frameworks, not one
Different audiences ask different questions. Developers trust OWASP because it is threat-focused and written by practitioners. CISOs trust NIST because it is the US government's procurement language and maps cleanly to board-level risk reporting. Neither audience accepts the other's document as a substitute.
So the compliance story has to answer both. Here is the short version: ARXsec is a runtime enforcement layer for agents — policy interception, immutable audit, credential scope, drift detection, approval gating. That layer maps well to the threat-focused frameworks (OWASP Agentic AI, OWASP LLM Top 10) and to the operational subset of NIST AI RMF. It does not substitute for model-layer defenses (prompt filters, output sanitization, fairness evaluation) or for organizational governance (training, workforce policy, board oversight).
Below is the coverage matrix. We mark gaps honestly. "Covered" means an ARXsec feature directly satisfies the control. "Partial" means we cover part of the control with the product; the rest is customer-side or model-layer. "Gap" means the product does not address this threat today. "Out of scope" means it is real but not a runtime-infra concern.
OWASP Agentic AI — Threats and Mitigations v1.0
The Agentic Security Initiative enumerates 15 threats specific to autonomous agents. ARXsec covers eight directly, partially covers four, and has three gaps — all in the multi-agent-system category, which is on our roadmap.
| Threat | Title | Coverage |
|---|---|---|
| T1 | Memory Poisoning | Partial |
| T2 | Tool Misuse | Covered |
| T3 | Privilege Compromise | Covered |
| T4 | Resource Overload | Covered |
| T5 | Cascading Hallucination | Partial |
| T6 | Intent Breaking & Goal Manipulation | Covered |
| T7 | Misaligned & Deceptive Behaviors | Partial |
| T8 | Repudiation & Untraceability | Covered |
| T9 | Identity Spoofing & Impersonation | Covered |
| T10 | Overwhelming Human-in-the-Loop | Partial |
| T11 | Unexpected RCE and Code Attacks | Covered |
| T12 | Agent Communication Poisoning | Gap |
| T13 | Rogue Agents in Multi-Agent Systems | Gap |
| T14 | Human Attacks on Multi-Agent Systems | Gap |
| T15 | Human Manipulation | Out of scope |
OWASP Top 10 for LLM Applications (2025)
The Top 10 is the most widely cited LLM security baseline. ARXsec covers three entries fully, partially covers four, and has three gaps — all in prompt-layer and embedding-layer territory where a runtime enforcement tool has no mechanism to act.
| ID | Title | Coverage |
|---|---|---|
| LLM01 | Prompt Injection | Partial |
| LLM02 | Sensitive Information Disclosure | Covered |
| LLM03 | Supply Chain | Partial |
| LLM04 | Data and Model Poisoning | Gap |
| LLM05 | Improper Output Handling | Partial |
| LLM06 | Excessive Agency | Covered |
| LLM07 | System Prompt Leakage | Gap |
| LLM08 | Vector and Embedding Weaknesses | Gap |
| LLM09 | Misinformation | Partial |
| LLM10 | Unbounded Consumption | Covered |
Excessive Agency (LLM06) is the headline win for runtime platforms like ARXsec: declared intent, drift detection, per-agent credential scope, and PERMIT/ESCALATE/DENY policy verdicts are exactly the mitigations the Top 10 calls for.
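To make the verdict model concrete, here is an added illustration (not ARXsec's code) of the mechanism described above and in the runtime summary earlier: a tool-call gate that checks declared intent, credential scope and a human-approval list, returns PERMIT, ESCALATE or DENY, and records every decision in an append-only audit trail. The agent name, tools and resources are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set

class Verdict(str, Enum):
    PERMIT = "PERMIT"
    ESCALATE = "ESCALATE"
    DENY = "DENY"

@dataclass
class AgentPolicy:
    agent_id: str
    declared_tools: Set[str]    # tools the agent declared intent to call
    credential_scope: Set[str]  # resources its credentials may reach
    escalate_tools: Set[str]    # high-impact tools gated on human approval

@dataclass
class PolicyGate:
    policies: Dict[str, AgentPolicy]
    audit: List[dict] = field(default_factory=list)  # append-only trail

    def evaluate(self, agent_id: str, tool: str, resource: str) -> Verdict:
        """Intercept one tool call, return a verdict, and record it."""
        policy = self.policies.get(agent_id)
        if policy is None:
            verdict, reason = Verdict.DENY, "unknown agent identity"
        elif tool not in policy.declared_tools:
            verdict, reason = Verdict.DENY, "drift: tool outside declared intent"
        elif resource not in policy.credential_scope:
            verdict, reason = Verdict.DENY, "resource outside credential scope"
        elif tool in policy.escalate_tools:
            verdict, reason = Verdict.ESCALATE, "high-impact tool, approval required"
        else:
            verdict, reason = Verdict.PERMIT, "within declared intent and scope"
        self.audit.append({"agent": agent_id, "tool": tool, "resource": resource,
                           "verdict": verdict.value, "reason": reason})
        return verdict

def build_demo_gate() -> PolicyGate:
    """Constructed sample policy for a hypothetical billing agent."""
    billing = AgentPolicy("billing-agent", declared_tools={"read_invoice", "issue_refund"},
                          credential_scope={"invoices-db"}, escalate_tools={"issue_refund"})
    return PolicyGate(policies={billing.agent_id: billing})

if __name__ == "__main__":
    gate = build_demo_gate()
    for call in [("billing-agent", "read_invoice", "invoices-db"),
                 ("billing-agent", "issue_refund", "invoices-db"),
                 ("billing-agent", "send_email", "invoices-db")]:
        print(call, "->", gate.evaluate(*call).value)
```

The audit entries are what a compliance package would cite as evidence per control; a real deployment would write them to tamper-evident storage rather than an in-memory list.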
NIST AI RMF 1.0 — selected subcategories
NIST AI RMF has 72 subcategories across four functions. Most are organizational — workforce diversity, executive responsibility, personnel training — and belong to the customer, not to a runtime product. We honestly mapped the 20 subcategories where an agent runtime can concretely help, and marked the rest out of scope in our package. Here are the highlights.
| Subcategory | Theme | Coverage |
|---|---|---|
| GOVERN 1.5 | Ongoing monitoring and periodic review | Covered |
| GOVERN 1.6 | AI system inventory | Covered |
| GOVERN 1.7 | Safe decommissioning | Covered |
| MAP 2.1 | Tasks and methods defined | Covered |
| MAP 3.5 | Human oversight processes | Covered |
| MEASURE 2.4 | Functionality monitored in production | Covered |
| MEASURE 2.7 | Security and resilience evaluated | Covered |
| MEASURE 3.1 | Track existing and emergent risks | Covered |
| MANAGE 2.4 | Supersede, disengage, deactivate | Covered |
| MANAGE 3.1 | Third-party monitored with controls | Covered |
| MANAGE 4.1 | Post-deployment monitoring plan | Covered |
| MANAGE 4.3 | Incidents communicated and tracked | Covered |
The five partial items (GOVERN 1.4, 6.1, 6.2; MEASURE 2.6; MANAGE 2.3) describe places where the runtime provides the technical substrate — audit trail, rate limiting, approval escalation — but the full NIST expectation requires customer processes we cannot ship in software (risk tolerances, legal IP review, recovery runbooks).
What this means in practice
When procurement asks whether your agent deployment aligns with OWASP Agentic AI, OWASP LLM Top 10, or NIST AI RMF, the answer is no longer "we read the PDF." It is: here is the control-by-control mapping generated from our actual runtime, here are the audit events that evidence each control, and here are the honest gaps with mitigation notes.
Every ARXsec compliance package now includes the framework coverage matrix alongside the SOC 2 Trust Service Criteria mapping. It regenerates from live runtime data, so the evidence is always current.
A final note on ISO/IEC 42001. We see the questions coming and are tracking the standard. But 42001 is an AI management system standard, not a control checklist — proper alignment requires governance processes on the customer side that a runtime product cannot ship. We will map it once those processes are commonly in place, not before. Overclaiming certification is worse than saying "not yet."