Appendices
Appendix C: External Standards Mapping
Working draft
This page renders the current aws2 working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.
This appendix provides a compact source-by-source mapping baseline derived from the detailed source-first and family-first crosswalk notes maintained in references/crosswalk/aws2-crosswalk.md and references/crosswalk/aws2-crosswalk-family-view.md. It is informative in this working draft. It is not a normative crosswalk, legal analysis, certification basis, conformance claim, or statement of equivalence to any external source.
Source-specific rows preserve the access dates, mapping postures, evidence angles, and claim limits from the crosswalk baseline at a compact level. A future released profile may expand these rows into requirement-level mappings only after mapping governance, claim-review rules, and release criteria exist.
| External source | Access date and status signal | aws2 families mapped in this baseline | Postures represented | Evidence angle summary | Claim limit |
|---|---|---|---|---|---|
| EU AI Act official sources | Accessed 2026-05-28; official European Commission and AI Act Service Desk pages used for role-sensitive, risk-based obligations | AWS2-SCP, AWS2-DEL, AWS2-RUN, AWS2-GOV, AWS2-LOG, AWS2-VAL, AWS2-CTX, AWS2-SEC, AWS2-SRC | candidate control; supports evidence for | scoped system records, authority matrix, guardrail tests, retained logs, oversight records, disclosure workflow evidence, supplier due-diligence notes | supports selected governance, oversight, transparency, logging, and due-diligence evidence only; no legal compliance, high-risk classification, conformity assessment, GDPR, biometric-lawfulness, or GPAI-provider compliance claim |
| CSA AARM | Accessed 2026-05-28; CSA page says AARM v1.0 is published with Core and Extended conformance review structure | AWS2-RUN, AWS2-LOG | candidate control; supports evidence for | runtime policy exports, step-up approval records, denied-action logs, action receipts, policy-decision logs | maps to AARM-style runtime controls only where a real runtime implements and preserves those artifacts; no AARM conformance claim |
| OWASP AISVS | Accessed 2026-05-28; OWASP incubator project, public docs show Version 0.1 | AWS2-SRC, AWS2-CTX, AWS2-DEL, AWS2-WSB, AWS2-RUN, AWS2-SEC, AWS2-LOG, AWS2-VAL, AWS2-GOV | candidate control; supports evidence for | source records, version pins, context-boundary tests, identity and approval records, sandbox tests, entitlement tests, interaction metadata, adversarial testing, oversight policy | strong testable-control input, but incubator v0.1 does not prove AISVS conformance, organizational accountability, runtime enforcement completeness, or full safety |
| AIUC-1 | Accessed 2026-05-28; commercial AI-agent security, safety, and reliability scheme with latest public release on 2026-04-15 and next listed release on 2026-07-15 | AWS2-SRC, AWS2-LOG, AWS2-GOV, AWS2-DEL, AWS2-RUN, AWS2-WSB, AWS2-SEC, AWS2-VAL | candidate control; supports evidence for; advisory input | agent identity records, agent cards, permission matrices, MCP and tool allowlists, runtime policy configuration, deployment architecture, DLP evidence, human-review and testing packets | useful certification-style comparator and evidence signal, but no AIUC-1 certificate equivalence, privacy/legal sufficiency, AARM equivalence, or proof of complete safety |
| CCSS, AISVS, and AIUC-1 comparison | Accessed 2026-05-28 in Agent planning notes; structural comparison of assurance models, levels, evidence, audits, and certification claims | AWS2-VAL | advisory input | test plans, validation summaries, recurring review cadence | structural analogy only; not a direct control mapping or certification model for aws2 |
| OWASP Agentic Skills Top 10 | Accessed 2026-05-28; OWASP incubator project with active-development and 2026-edition signals | AWS2-SCP, AWS2-WSB, AWS2-SRC, AWS2-SEC, AWS2-VAL, AWS2-GOV | candidate control; supports evidence for | skill inventory, owner map, installation approvals, sandbox configuration, permission manifests, scan reports, incident-response procedures | high-value skill-layer input, but emerging guidance rather than a mature assurance standard; no proof of full workspace boundary, endpoint hardening, or absence of leakage |
| OWASP AIVSS | Accessed 2026-05-28; latest public release is v0.8 scoring methodology | AWS2-VAL, AWS2-GOV | advisory input; supports evidence for | vulnerability score records, assessment reports, severity rationale, exception decisions, remediation backlog | scoring can support prioritization and governance evidence, but it does not implement preventive controls or provide standalone governance or certification |
| CSA AI Controls Matrix | Accessed 2026-05-28; released 2025-07-09 and updated 2025-10-30 with AI-CAIQ, implementation guidance, auditing guidance, and mappings | AWS2-SCP, AWS2-RUN, AWS2-VAL, AWS2-GOV | candidate control; supports evidence for; advisory input | scoped AI-CAIQ responses, role assignments, control-applicability notes, governance maps, audit-guideline notes | supports enterprise AI control mapping and assessment preparation, but remains broader than agentic workspace security and does not imply STAR for AI or third-party attestation |
| CSA MAESTRO | Accessed 2026-05-28; CSA describes MAESTRO as a layer-by-layer Agentic AI threat-modeling framework | AWS2-SCP, AWS2-DEL, AWS2-WSB, AWS2-SRC, AWS2-CTX, AWS2-LOG, AWS2-VAL, AWS2-GOV | candidate control; advisory input | layer-scoped threat models, architecture maps, identity abuse cases, deployment threat models, RAG and context-risk tests, observability reviews, change-review records | threat-modeling and design input only where no specific control exists; not a control catalogue, scoring method, certification, or evidence of enforcement |
| NIST AI RMF 1.0 | Accessed 2026-05-28; voluntary framework released 2023-01-26 around GOVERN, MAP, MEASURE, and MANAGE | AWS2-SCP, AWS2-DEL, AWS2-SRC, AWS2-VAL, AWS2-GOV | candidate control; supports evidence for; advisory input | intended-use statements, impact maps, owner matrices, supplier inventories, measurement plans, risk policies, exception registers | strong governance and risk-management input, but not an agentic-workspace-specific conformance standard or runtime identity-enforcement proof |
| NIST AI 600-1 | Accessed 2026-05-28; 2024 Generative AI Profile for AI RMF with risk-management actions across harm categories | AWS2-SCP, AWS2-CTX, AWS2-SEC, AWS2-SRC, AWS2-LOG, AWS2-VAL, AWS2-GOV | candidate control; supports evidence for | generative-AI risk profiles, data-flow maps, component inventories, privacy and misuse tests, incident records, provenance records, evaluation reports | useful generative-AI risk-profile input, but does not decide workspace boundaries, prove leakage controls, or define aws2-specific agentic-workspace tests |
| ISO/IEC 42001 | Accessed 2026-05-28; ISO lists ISO/IEC 42001:2023 as published Edition 1 for an Artificial Intelligence Management System | AWS2-SCP, AWS2-DEL, AWS2-LOG, AWS2-VAL, AWS2-GOV | candidate control; supports evidence for | AIMS scope statements, AI system inventories, policy-owner matrices, management-system records, risk-treatment plans, management review notes | management-system mapping only; no ISO/IEC 42001 certification claim without an actual accredited certification path |
| ISO/IEC 23894 | Accessed 2026-05-28; ISO lists ISO/IEC 23894:2023 as published Edition 1 AI risk-management guidance | AWS2-SCP, AWS2-SEC, AWS2-CTX, AWS2-VAL, AWS2-GOV | candidate control; supports evidence for; advisory input | AI risk registers, context assumptions, risk assessments, data and activity maps, treatment decisions, review cadence, risk acceptance records | public ISO pages expose only high-level metadata and descriptions; no detailed control or certifiable management-system claim is made from this mapping |
| Five Eyes guidance on careful adoption of agentic AI services | Accessed 2026-05-28; joint guidance first published 2026-05-01 by ASD ACSC, CISA, NSA, Cyber Centre, NCSC-NZ, and NCSC-UK | AWS2-SCP, AWS2-DEL, AWS2-RUN, AWS2-WSB, AWS2-SRC, AWS2-CTX, AWS2-SEC, AWS2-LOG, AWS2-VAL, AWS2-GOV | candidate control; supports evidence for | component inventories, delegation matrices, JIT credential records, approval gates, rollout and rollback records, context-boundary tests, logs, red-team summaries, adoption gates | strong practical guidance for agentic AI adoption, but not a conformance test suite, legal requirement, certification, or proof that all prompt-injection, exposure, retention, or endpoint risks are solved |
| MITRE ATLAS | Accessed 2026-05-28; living knowledge base of AI-enabled adversary tactics, techniques, mitigations, and case studies | AWS2-SCP, AWS2-DEL, AWS2-RUN, AWS2-SRC, AWS2-CTX, AWS2-SEC, AWS2-LOG, AWS2-VAL, AWS2-GOV | candidate control; supports evidence for; advisory input | ATLAS coverage maps, identity threat models, tool-call abuse tests, provenance checks, prompt and context-poisoning tests, secret scanning, detection mapping, red-team cases, prioritized remediation | threat taxonomy and scenario-design input only; not a control catalogue, required log format, audit method, assurance-level model, or substitute for management-system and legal obligations |
Context-only sources from section 10.3 that are not represented with source-specific rows above are intentionally excluded from this appendix until specific family-level mapping rows are added and reviewed. The current context-only sources are the CryptoCurrency Security Standard, OWASP Agentic AI Threats and Mitigations, and the NIST AI Agent Standards Initiative.
Claim limit:
- This appendix is a compact informative mapping baseline. It is not a complete crosswalk, legal analysis, certification basis, audit method, standards-body endorsement, or equivalence claim.