1. ETSI
1.1. EN 304 223 - Securing Artificial Intelligence (SAI); Baseline Cyber Security Requirements for AI Models and Systems
1.1.1. Provision 5.1.2-1
1.1.2. Provision 5.1.2-1.1
1.1.3. Provision 5.1.2-2
1.1.4. Provision 5.1.2-3
1.1.5. Provision 5.1.2-4
1.1.6. Provision 5.1.2-5
1.1.7. Provision 5.1.2-5.1
1.1.8. Provision 5.1.2-6
1.1.9. Provision 5.1.2-7
1.2. TR 104 128 - Securing Artificial Intelligence (SAI); Guide to Cyber Security for AI Models and Systems
1.2.1. Provision 5.1.2-1
1.2.2. Provision 5.1.2-1.1
1.2.3. Provision 5.1.2-2
1.2.4. Provision 5.1.2-3
1.2.5. Provision 5.1.2-4
1.2.6. Provision 5.1.2-5
1.2.7. Provision 5.1.2-5.1
1.2.8. Provision 5.1.2-6
1.2.9. Provision 5.1.2-7
1.3. TR 104 222 - Securing Artificial Intelligence; Mitigation Strategy Report
1.3.1. 5.2.2 - Enhance data quality - 2
1.3.2. 5.2.2 - Data sanitisation - 2
1.3.3. 5.2.2 - Data sanitisation - 3
1.3.4. 5.2.2 - Data sanitisation - 4
1.3.5. 5.2.2 - Blocking poisoning
1.3.6. 5.3.2 Model enhancement mitigations against backdoor attacks - 1
1.3.7. 5.3.2 Model enhancement mitigations against backdoor attacks - 2
1.3.8. 5.3.2 Model enhancement mitigations against backdoor attacks - 3
1.3.9. 5.3.2 Model enhancement mitigations against backdoor attacks - 4
1.3.10. 5.3.2 Model enhancement mitigations against backdoor attacks - 5
1.3.11. 5.3.2 Model enhancement mitigations against backdoor attacks - 6
1.3.12. 5.3.3 Model-agnostic mitigations against backdoor attacks - 1
1.3.13. 5.3.3 Model-agnostic mitigations against backdoor attacks - 2
1.3.14. 5.3.3 Model-agnostic mitigations against backdoor attacks - 3
1.3.15. 5.3.3 Model-agnostic mitigations against backdoor attacks - 4
1.3.16. 5.3.3 Model-agnostic mitigations against backdoor attacks - 5
1.3.17. 5.3.3 Model-agnostic mitigations against backdoor attacks - 6
1.3.18. 5.3.3 Model-agnostic mitigations against backdoor attacks - 7
1.3.19. 5.3.3 Model-agnostic mitigations against backdoor attacks - 8
1.3.20. 6.2.1 - Transferability
1.3.21. 6.2.2 - 1
1.3.22. 6.2.2 - 2
1.3.23. 6.2.2 - 3
1.3.24. 6.2.2 - 4
1.3.25. 6.2.2 - 5
1.3.26. 6.2.2 - 6
1.3.27. 6.2.2 - 7
1.3.28. 6.2.2 - 9
1.3.29. 6.2.3 - 1
1.3.30. 6.2.3 - 2
1.3.31. 6.2.3 - 4
1.3.32. 6.2.3 - 5
1.3.33. 6.3.3 - 2
1.3.34. 6.3.3 - 4
1.3.35. 6.3.3 - 5
1.3.36. 6.3.3 - 6
1.3.37. 6.3.3 - 7
1.3.38. 6.4.2 - 2
1.3.39. 6.4.2 - 3
1.3.40. 6.4.2 - 4
1.3.41. 6.4.3 - 1
1.3.42. 6.4.3 - 2
1.4. ETSI SAI 002 - Securing Artificial Intelligence (SAI); Data Supply Chain Security
1.4.1. 6.1.2 Cybersecurity hygiene - 4
1.4.2. 6.1.3 Supply chain security - 5
1.4.3. 6.5 - Following standard cybersecurity good practice
2. NIST
2.1. AI RMF 1.0
2.1.1. MAP 1.1
2.1.2. MAP 1.3
2.1.3. MAP 1.4
2.1.4. MAP 1.6
2.1.5. MAP 3.1
2.1.6. MAP 3.3
2.1.7. MANAGE 1.1
2.1.8. MANAGE 2.2
2.2. SP 800-218A
2.2.1. PO.1.1
2.2.2. PO.1.2
2.2.3. PO.2.3
2.3. AI 800-1
2.3.1. Practice 1.1: Anticipate model capabilities - 2
2.3.2. Practice 1.1: Anticipate model capabilities - 3
2.3.3. Practice 1.1: Anticipate model capabilities - 4
2.3.4. Practice 2.2 Establish an organizational plan to manage misuse risk - 1
2.3.5. Practice 2.2 Establish an organizational plan to manage misuse risk - 2
2.3.6. Practice 2.2 Establish an organizational plan to manage misuse risk - 3
2.3.7. Practice 3.2: Maintain security practices sufficient to prevent unauthorized access - 5
2.3.8. Practice 5.1: Implement safeguards proportionate to the model’s misuse risk - 2
2.3.9. Practice 5.2: Assess misuse risk based on implemented safeguards - 1
2.3.10. Practice 5.3: Adopt appropriate deployment strategies based on misuse risk assessments - 2
2.3.11. Practice 6.2: Respond to incidents of model misuse - 3
3. OWASP
3.1. OWASP Top 10 for Agentic Applications for 2026
3.1.1. ASI01: Agent Goal Hijack - 5
3.1.2. ASI02: Tool Misuse and Exploitation - 1
3.1.3. ASI03: Identity and Privilege Abuse - 1
3.1.4. ASI03: Identity and Privilege Abuse - 2
3.1.5. ASI03: Identity and Privilege Abuse - 3
3.1.6. ASI03: Identity and Privilege Abuse - 5
3.1.7. ASI03: Identity and Privilege Abuse - 6
3.1.8. ASI03: Identity and Privilege Abuse - 7
3.1.9. ASI03: Identity and Privilege Abuse - 8
3.1.10. ASI04: Agentic Supply Chain Vulnerabilities - 9
3.1.11. ASI06: Memory & Context Poisoning - 6
3.1.12. ASI06: Memory & Context Poisoning - 8
3.1.13. ASI06: Memory & Context Poisoning - 9
3.1.14. ASI07: Insecure Inter-Agent Communication - 9
3.1.15. ASI08: Cascading Failures - 1
3.1.16. ASI08: Cascading Failures - 4
3.2. LLM Top 10
3.2.1. LLM01: Prompt Injection - 1
3.2.2. LLM01: Prompt Injection - 4
3.2.3. LLM03: Supply Chain - 2
3.2.4. LLM03: Supply Chain - 10
3.2.5. LLM04: Data and Model Poisoning - 4
3.2.6. LLM06: Excessive Agency - 1
3.2.7. LLM06: Excessive Agency - 2
3.2.8. LLM06: Excessive Agency - 3
3.2.9. LLM06: Excessive Agency - 4
3.2.10. LLM06: Excessive Agency - 5
3.2.11. LLM06: Excessive Agency - 7
3.2.12. LLM09: Misinformation - 6
3.2.13. LLM10: Unbounded Consumption - 6
3.2.14. LLM10: Unbounded Consumption - 9
3.2.15. LLM10: Unbounded Consumption - 11
3.2.16. LLM10: Unbounded Consumption - 12
3.3. OWASP Model Context Protocol (MCP) Top 10
3.3.1. MCP01:2025 - Token Mismanagement and Secret Exposure - 2
3.3.2. MCP01:2025 - Token Mismanagement and Secret Exposure - 3
3.3.3. MCP02:2025 - Privilege Escalation via Scope Creep - 1
3.3.4. MCP02:2025 - Privilege Escalation via Scope Creep - 3
3.3.5. MCP03:2025 - Tool Poisoning - 3
3.3.6. MCP05:2025 – Command Injection & Execution - 1
3.3.7. MCP05:2025 – Command Injection & Execution - 2
3.3.8. MCP05:2025 – Command Injection & Execution - 4
3.3.9. MCP06:2025 – Intent Flow Subversion - 2
3.3.10. MCP07:2025 – Insufficient Authentication & Authorization - 4
3.3.11. MCP09:2025 – Shadow MCP Servers - 12
3.3.12. MCP10:2025 – Context Injection & Over-Sharing - 2
3.3.13. MCP10:2025 – Context Injection & Over-Sharing - 8
3.3.14. MCP10:2025 – Context Injection & Over-Sharing - 9
3.4. AI Exchange
3.4.1. 1.1 General governance controls - SEC DEV PROGRAM
3.4.2. 1.1 General governance controls - DEV PROGRAM
3.4.3. 1.3. Controls to limit the effects of unwanted behaviour - LEAST MODEL PRIVILEGE
3.4.4. 1.3. Controls to limit the effects of unwanted behaviour - MODEL ALIGNMENT
4. MITRE
4.1. ATLAS Framework
4.1.1. AML.M0006 - Use Ensemble Methods
4.1.2. AML.M0009 - Use Multi-Modal Sensors
4.1.3. AML.M0020 - Generative AI Guardrails
4.1.4. AML.M0021 - Generative AI Guidelines
4.1.5. AML.M0022 - Generative AI Model Alignment
4.1.6. AML.M0026 - Privileged AI Agent Permissions Configuration
4.1.7. AML.M0027 - Single-User AI Agent Permissions Configuration
4.1.8. AML.M0028 - AI Agent Tools Permissions Configuration
4.1.9. AML.M0030 - Restrict AI Agent Tool Invocation on Untrusted Data
4.1.10. AML.M0031 - Memory Hardening
4.2. SAFE-AI
4.2.1. Unauthorized access to environment, platform/tool
4.2.2. Insecure deserialization – embedding and executing remote unapproved code or other malicious activities
4.2.3. Backdoor and malware insertion
4.2.4. Indirect Prompt Injection
4.2.5. Direct Prompt Injection
4.2.6. Excessive Agency
4.2.7. Content Manipulation
4.2.8. Evade AI model
4.2.9. Robotic Process Automation Permissions
5. Multi Agency
5.1. Guidelines for secure AI system development
5.1.1. Design your system for security as well as functionality and performance
5.1.2. Consider security benefits and trade-offs when selecting your AI model
5.1.3. Collect and share lessons learned
6. European Commission
6.1. Assessment List for Trustworthy Artificial Intelligence (ALTAI)
6.1.1. REQUIREMENT #2 Technical Robustness and Safety
6.1.2. REQUIREMENT #3 Privacy and Data Governance
6.2. Ethics guidelines for trustworthy AI
6.2.1. 1.2.4 Reliability and Reproducability
6.2.2. 1.5.1 Avoidance of unfair bias
6.2.3. 2.2.3 Standardisation
7. Personal Data Protection Commission Singapore (PDPC)
7.1. Model Artificial Intelligence Governance Framework Second Edition
7.1.1. Repeatability - c)
8. Google
8.1. Secure AI Framework
8.1.1. Privacy Enhancing Technologies
8.1.2. Input Validation and Sanitization
8.1.3. Adversarial Training and Testing
8.1.4. Agent Permissions
9. CoSAI
9.1. Establish Risks and Controls for the AI Supply Chain
9.1.1. 3.1.1 Data Poisoning: Threats and Mitigations in AI Supply Chains - Unauthorized Data
9.1.2. 3.2.3 Application - Insecure Function Calling
9.2. Model Context Protocol (MCP) Security
9.2.1. 3.2.2 Secure Delegation and Access Control
10. Microsoft
10.1. Cloud Adoption Framework - Secure AI
10.1.1. Secure AI resources 3 - Apply platform-specific security controls
10.2. Responsible AI Standard
10.2.1. A3.1
10.2.2. A3.2
10.2.3. A3.3
10.2.4. A3.6
10.2.5. A4.1
10.2.6. T1.6
10.2.7. F1.6
10.2.8. F1.7
10.2.9. F2.6
10.2.10. F3.5
10.2.11. RS1.5
11. IBM
11.1. IBM Framework for Securing Generative AI
11.1.1. Secure the usage
12. Cloud Security Alliance (CSA)
12.1. AI Controls Matrix
12.1.1. AIS-02
12.1.2. AIS-04
12.1.3. AIS-11
12.1.4. AIS-15
12.1.5. DSP-07
12.1.6. DSP-08
12.1.7. DSP-24
12.1.8. IAM-11
12.1.9. IAM-14
12.1.10. IAM-17
12.1.11. IAM-18
12.1.12. IAM-19
12.1.13. IPY-01
12.1.14. MDS-07
12.1.15. MDS-13
12.1.16. TVM-02
13. OpenAI
13.1. Preparedness Framework
13.1.1. Undermining Safeguards
13.1.2. Safeguards Against Malicious Users - Robustness
13.1.3. Safeguards Against Malicious Users - Trust-based Access
13.1.4. Safeguards Against a Misaligned Model - Lack of Autonomous Capability
13.1.5. Safeguards Against a Misaligned Model - System Architecture
13.2. Safety Best Practices
13.2.1. Prompt engineering
13.2.2. Constrain user input and limit output tokens
13.2.3. Understand and communicate limitations
14. CISA
14.1. Principles for the Secure Integration of Artificial Intelligence in Operational Technology
14.1.1. 1.2.1 Understand the Secure AI System Development Lifecycle
14.1.2. 1.3.2 Educate Personnel on AI - Developing Clear Standard Operating Procedures
14.1.3. 2.1 Consider the OT Business Case for OT
14.1.4. 2.2.7 - Prioritising OT Data Protection
14.1.5. 2.4.2
14.1.6. 2.4.3
14.1.7. 2.4.4
14.1.8. 2.4.5
14.1.9. 2.4.6
14.1.10. 2.4.7
14.1.11. 3.1.5 - Continuously validate and verify the performance of AI systems
14.1.12. 3.2 Integrating AI into Existing Security and Cyber Security Frameworks
14.1.13. 3.4 Navigating Regulatory and Compliance Considerations for AI in OT
14.1.14. 4.2.2 - Design functional safety procedures that account for the AI system
15. NCSC/NSA/CISA etc
15.1. AI Data Security
15.1.1. 3.4 Ensemble Methods/ collaborative learning
16. SANS
16.1. Critical AI Security Guidelines
16.1.1. 3.3 Implement Access Controls Outside of the Model
16.1.2. 4.3 Sanitize, Validate, and Filter LLM Outputs/Responses
16.1.3. 4.4 Employ the Principle of Focused Functionality (and Agency)
17. OECD
17.1. Due Diligence Guidance for Responsible AI
17.1.1. Step 1.1 – RBC policies
17.1.2. Step 3.2 – Addressing risks directly linked to the enterprise throughout the AI value chain
18. IETF
18.1. Security Requirements for AI Agents
18.1.1. 5.3. Converting to Internal Workflow
19. IMDA
19.1. Model AI Governance Framework for Agentic AI
19.1.1. 2.1.2 Bound risks through design by defining agents limits and permissions - Agent limits
19.1.2. 2.3.1 During design and development, use technical controls
20. SDAIA (Saudi Arabia)
20.1. AI Ethics Principles
20.1.1. Principle 2 – Privacy & Security - Plan and Design - 1
20.1.2. Principle 2 – Privacy & Security - Plan and Design - 2
20.1.3. Principle 2 – Privacy & Security - Plan and Design - 3
20.1.4. Principle 2 – Privacy & Security - Plan and Design - 4
20.1.5. Principle 2 – Privacy & Security - Plan and Design - 5
20.1.6. Principle 2 – Privacy & Security - Build and Validate - 1
20.1.7. Principle 2 – Privacy & Security - Build and Validate - 2
20.1.8. Principle 5 – Reliability & Safety - Plan and Design - 1
20.1.9. Principle 5 – Reliability & Safety - Plan and Design - 3
20.1.10. Principle 6 – Transparency & Explainability - Build and Validate - 1
20.2. Generative AI Guidelines
20.2.1. 4.5 Privacy & Security - 4
20.3. AI Adoption Framework
20.3.1. 5.1.2 Privacy and Safety - Embedding Cybersecurity and Privacy
21. Cyber Security Council (UAE)
21.1. National Cyber Security Policy for Artificial Intelligence
21.1.1. 2.1.1
21.1.2. 2.1.4
21.1.3. 2.2.2
21.1.4. 2.2.5
21.1.5. 2.3.1
21.1.6. 2.3.2
21.1.7. 2.4.1
21.1.8. 3.1.1 Cyber Security Policies & Procedures - 1
21.1.9. 3.2.5 Application Security - 1
21.1.10. 3.3.1 Security by Design for AI/ML Models - 1
21.1.11. 3.3.1 Security by Design for AI/ML Models - 3
21.1.12. 3.3.2 AI/ML Model Security - 3
21.1.13. 3.3.3 Inference Security - 1
21.1.14. 3.3.3 Inference Security - 2
21.1.15. 3.3.3 Inference Security - 3
21.1.16. 3.4.1 Context-Specific AI/ML Security - 1
21.1.17. 3.4.1 Context-Specific AI/ML Security - 2
21.1.18. 3.4.1 Context-Specific AI/ML Security - 3
21.1.19. 3.4.1 Context-Specific AI/ML Security - 4
21.1.20. 3.4.2 Fail-Safe & Backup for AI/ML Systems - 1
21.1.21. 3.5.2 Defending Against AI/ML Attacks - 2
22. Smart Dubai (UAE)
22.1. AI Ethics Principles & Guidelines
22.1.1. 1.1.1.2
22.1.2. 1.2.2.1
23. Central Bank of the UAE
23.1. Guidance Note on the Consumer Protection and Responsible Adoption and Use of Artificial Intelligence and Machine Learning by Licensed Financial Institutions in the U.A.E
23.1.1. 5. Data Quality, Privacy and Security - c
23.1.2. 7. Human Oversight and Consumer Protection - d
24. Qatar Central Bank
24.1. Artificial Intelligence Guidelines
24.1.1. 6.3
24.1.2. 6.4
24.1.3. 6.5
24.1.4. 9.2
24.1.5. 12.9
24.1.6. 13.7.5
24.1.7. 16.2
24.1.8. 17.3
24.1.9. 17.4
24.1.10. 17.5
24.1.11. 17.6
24.1.12. 17.7
25. MIC/METI (Japan)
25.1. AI Guidelines for Business
25.1.1. Human-Centric - 3
25.1.2. Safety - 2
25.1.3. Fairness - 1 (a)
25.1.4. Ensuring security - 2 (a)
25.1.5. Ensuring security - 1 (b)
26. METI (Japan)
26.1. Governance Guidelines for Implementation of AI Principles
26.1.1. Action Target 3-4
26.1.2. Action Target 5-1
27. EU
27.1. EU AI Act
27.1.1. 10.1 Data and Data Governance
27.1.2. 10.2 Data and Data Governance
27.1.3. 14.3 Human Oversight
27.1.4. 15.1 Accuracy, Robustness and Cybersecurity
27.1.5. 17.1 Quality Management Systems
27.1.6. 17.2 Quality Management Systems
27.1.7. 17.4 Quality Management Systems
27.1.8. 50.1 Transparency obligations for providers and deployers of certain AI systems
28. ISO/IEC
28.1. DIS 27090
28.1.1. 7.2
28.2. TR 27563:2023
28.2.1. 7.2
28.3. TR 27091
28.3.1. 6.2
28.3.2. 7.2.1
29. CEN/CENELEC
29.1. prEN 40000-1-1
29.1.1. product control
29.2. prEN 40000-1-2: Cybersecurity requirements for products with digital elements - Part 1-2: Principles for cyber resilience
29.2.1. 5.3
29.2.2. 5.4
29.2.3. 6.2
29.2.4. 7.2
29.2.5. 7.3
29.2.6. 7.11