{
  "name": "MLASVS Control Register",
  "version": "0.1",
  "generated": "2026-06-28",
  "source": "https://github.com/bb1nfosec/MLASTG",
  "summary": {
    "by_category": {
      "DATA": {
        "name": "Data Security & Privacy",
        "defined": 30,
        "referenced": 30,
        "l1": 18,
        "l2": 12,
        "undocumented": []
      },
      "MODEL": {
        "name": "Model Security",
        "defined": 30,
        "referenced": 30,
        "l1": 13,
        "l2": 17,
        "undocumented": []
      },
      "LLM": {
        "name": "LLM-Specific Security",
        "defined": 24,
        "referenced": 24,
        "l1": 14,
        "l2": 10,
        "undocumented": []
      },
      "SUPPLY": {
        "name": "Supply Chain Security",
        "defined": 22,
        "referenced": 22,
        "l1": 12,
        "l2": 10,
        "undocumented": []
      },
      "PIPELINE": {
        "name": "Pipeline & MLOps",
        "defined": 20,
        "referenced": 20,
        "l1": 10,
        "l2": 10,
        "undocumented": []
      },
      "INFRA": {
        "name": "Runtime & Infrastructure",
        "defined": 22,
        "referenced": 22,
        "l1": 12,
        "l2": 10,
        "undocumented": []
      },
      "GOV": {
        "name": "Governance & Compliance",
        "defined": 20,
        "referenced": 20,
        "l1": 10,
        "l2": 10,
        "undocumented": []
      }
    },
    "totals": {
      "defined": 168,
      "referenced": 168,
      "l1": 89,
      "l2": 79,
      "with_atlas": 148,
      "with_test": 168,
      "with_weakness": 48,
      "with_references": 36,
      "format_block": 109,
      "format_table": 59,
      "missing_atlas": [
        "GOV-001",
        "GOV-002",
        "GOV-003",
        "GOV-004",
        "GOV-005",
        "GOV-006",
        "GOV-007",
        "GOV-008",
        "GOV-009",
        "GOV-010",
        "GOV-011",
        "GOV-012",
        "GOV-013",
        "GOV-014",
        "GOV-015",
        "GOV-016",
        "GOV-017",
        "GOV-018",
        "GOV-019",
        "GOV-020"
      ]
    }
  },
  "controls": [
    {
      "id": "DATA-001",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data Provenance Tracking",
      "level": "L1",
      "description": "All datasets used for ML training must have documented provenance including source, collection method, date, and responsible party.",
      "atlas": "AML.TA0009",
      "atlas_raw": "AML.TA0009 (Discovery)",
      "owasp": null,
      "test": "MLASTG-TEST-DATA-001",
      "mlaswe": [
        "MLASWE-0009"
      ],
      "references": {
        "owasp": "ML04 (Supply Chain), ML08 (Transfer Learning)",
        "nist_ai_rmf": "MAP-1, MAP-2, MEASURE-2",
        "owasp_ai_exchange": "Data Limitation, Development-time Threats"
      },
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-1-Provenance.md",
      "format": "block"
    },
    {
      "id": "DATA-002",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Cryptographic Data Integrity",
      "level": "L1",
      "description": "All training datasets must have cryptographic hashes (SHA-256 or stronger) recorded at time of acquisition and verifiable at time of use.",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010 (Collection)",
      "owasp": null,
      "test": "MLASTG-TEST-DATA-001",
      "mlaswe": [
        "MLASWE-0002",
        "MLASWE-0009"
      ],
      "references": {
        "owasp": "ML04 (Supply Chain), ML08 (Transfer Learning)",
        "nist_ai_rmf": "MAP-1, MAP-2, MEASURE-2",
        "owasp_ai_exchange": "Data Limitation, Development-time Threats"
      },
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-1-Provenance.md",
      "format": "block"
    },
    {
      "id": "DATA-003",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data access control enforcement",
      "level": "L1",
      "description": "Enforce role-based access control on all ML data stores",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002",
      "owasp": null,
      "test": "TEST-DATA-004",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-4-Access-Control.md",
      "format": "table"
    },
    {
      "id": "DATA-004",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Input validation and sanitization",
      "level": "L1",
      "description": "Validate all data inputs against defined schemas and ranges",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-005",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "PII/PHI detection in training data",
      "level": "L1",
      "description": "Detect and handle personally identifiable information in training data",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [
        "MLASWE-0012"
      ],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-006",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data Lineage Documentation",
      "level": "L1",
      "description": "All data transformations, preprocessing steps, and augmentations applied to training data must be documented and reproducible.",
      "atlas": "AML.TA0009",
      "atlas_raw": "AML.TA0009 (Discovery)",
      "owasp": null,
      "test": "MLASTG-TEST-DATA-001",
      "mlaswe": [],
      "references": {
        "owasp": "ML04 (Supply Chain), ML08 (Transfer Learning)",
        "nist_ai_rmf": "MAP-1, MAP-2, MEASURE-2",
        "owasp_ai_exchange": "Data Limitation, Development-time Threats"
      },
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-1-Provenance.md",
      "format": "block"
    },
    {
      "id": "DATA-007",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Secure data storage",
      "level": "L1",
      "description": "Store ML data in secure, access-controlled environments",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002",
      "owasp": null,
      "test": "TEST-DATA-004",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-4-Access-Control.md",
      "format": "table"
    },
    {
      "id": "DATA-008",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data encryption at rest",
      "level": "L1",
      "description": "Encrypt all ML data at rest using AES-256 or equivalent",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010",
      "owasp": null,
      "test": "TEST-DATA-004",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-4-Access-Control.md",
      "format": "table"
    },
    {
      "id": "DATA-009",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data encryption in transit",
      "level": "L1",
      "description": "Encrypt all ML data in transit using TLS 1.2+",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010",
      "owasp": null,
      "test": "TEST-DATA-004",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-4-Access-Control.md",
      "format": "table"
    },
    {
      "id": "DATA-010",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data minimization",
      "level": "L1",
      "description": "Collect only data necessary for the intended ML purpose",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [
        "MLASWE-0012"
      ],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-011",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Training data quality checks",
      "level": "L1",
      "description": "Automated quality validation of training data before use",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [
        "MLASWE-0002"
      ],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-012",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data retention policy",
      "level": "L1",
      "description": "Define and enforce data retention and disposal schedules",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010",
      "owasp": null,
      "test": "TEST-DATA-004",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-4-Access-Control.md",
      "format": "table"
    },
    {
      "id": "DATA-013",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data labeling security",
      "level": "L1",
      "description": "Secure data labeling workflows to prevent label manipulation",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-014",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Cross-contamination prevention",
      "level": "L1",
      "description": "Prevent data leakage between training, validation, and test sets",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-015",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data de-identification",
      "level": "L1",
      "description": "Remove or mask sensitive identifiers from training data",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [
        "MLASWE-0012"
      ],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-016",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Consent and rights management",
      "level": "L1",
      "description": "Ensure data usage complies with consent and data rights",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-017",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data distribution analysis",
      "level": "L1",
      "description": "Analyze data distributions to detect anomalies and drift",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-018",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data corruption detection",
      "level": "L1",
      "description": "Detect corrupted, malformed, or incomplete data records",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-019",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Differential Privacy for Distributed Training",
      "level": "L2",
      "description": "In federated or distributed training settings, differential privacy (DP) must be applied to model updates before sharing. The privacy budget (epsilon, delta) must be tracked across all training rounds and participants.",
      "atlas": "AML.T0020",
      "atlas_raw": "AML.T0020 (Poison Training Data)",
      "owasp": null,
      "test": "MLASTG-TEST-DATA-005",
      "mlaswe": [
        "MLASWE-0004",
        "MLASWE-0005"
      ],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-3-Differential-Privacy-FL.md",
      "format": "block"
    },
    {
      "id": "DATA-020",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Cryptographic Data Provenance",
      "level": "L2",
      "description": "Full cryptographic provenance chain using signed manifests or transparency logs for all training datasets.",
      "atlas": "AML.TA0009",
      "atlas_raw": "AML.TA0009 (Discovery)",
      "owasp": null,
      "test": "MLASTG-TEST-DATA-001",
      "mlaswe": [],
      "references": {
        "owasp": "ML04 (Supply Chain), ML08 (Transfer Learning)",
        "nist_ai_rmf": "MAP-1, MAP-2, MEASURE-2",
        "owasp_ai_exchange": "Data Limitation, Development-time Threats"
      },
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-1-Provenance.md",
      "format": "block"
    },
    {
      "id": "DATA-021",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Federated data governance",
      "level": "L2",
      "description": "Enable cross-organization data governance for federated ML",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002",
      "owasp": null,
      "test": "TEST-DATA-004",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-4-Access-Control.md",
      "format": "table"
    },
    {
      "id": "DATA-022",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Secure multi-party computation",
      "level": "L2",
      "description": "Enable collaborative ML training without exposing raw data",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010",
      "owasp": null,
      "test": "TEST-DATA-003",
      "mlaswe": [],
      "references": {
        "nist_ai_rmf": "MEASURE 2.5 (Data quality)"
      },
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-3-Differential-Privacy.md",
      "format": "table"
    },
    {
      "id": "DATA-023",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Secure Aggregation Verification",
      "level": "L2",
      "description": "In federated learning, the aggregation protocol must prevent the central server from inspecting individual participant model updates. Use homomorphic encryption, secure multi-party computation (SMPC), or trusted execution environments (TEEs).",
      "atlas": "AML.T0024.002",
      "atlas_raw": "AML.T0024.002 (Extract AI Model)",
      "owasp": null,
      "test": "MLASTG-TEST-DATA-005",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-3-Differential-Privacy-FL.md",
      "format": "block"
    },
    {
      "id": "DATA-024",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Automated data poisoning detection",
      "level": "L2",
      "description": "Automated detection of poisoned training data samples",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [
        "MLASWE-0002",
        "MLASWE-0007"
      ],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-025",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Adversarial data filtering",
      "level": "L2",
      "description": "Filter adversarial or manipulated samples from training data",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [
        "MLASWE-0002"
      ],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-026",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Real-time Data Integrity Monitoring",
      "level": "L2",
      "description": "For continuous learning systems, data integrity must be monitored in real-time during the data ingestion pipeline.",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010 (Collection)",
      "owasp": null,
      "test": "MLASTG-TEST-DATA-001",
      "mlaswe": [],
      "references": {
        "owasp": "ML04 (Supply Chain), ML08 (Transfer Learning)",
        "nist_ai_rmf": "MAP-1, MAP-2, MEASURE-2",
        "owasp_ai_exchange": "Data Limitation, Development-time Threats"
      },
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-1-Provenance.md",
      "format": "block"
    },
    {
      "id": "DATA-027",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data usage auditing",
      "level": "L2",
      "description": "Audit all data access and usage for compliance",
      "atlas": "AML.TA0009",
      "atlas_raw": "AML.TA0009",
      "owasp": null,
      "test": "TEST-DATA-004",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-4-Access-Control.md",
      "format": "table"
    },
    {
      "id": "DATA-028",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Cross-border data compliance",
      "level": "L2",
      "description": "Ensure data handling complies with cross-border regulations",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010",
      "owasp": null,
      "test": "TEST-DATA-004",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-4-Access-Control.md",
      "format": "table"
    },
    {
      "id": "DATA-029",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Synthetic data validation",
      "level": "L2",
      "description": "Validate quality and representativeness of synthetic training data",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005",
      "owasp": null,
      "test": "TEST-DATA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-2-Sanitization.md",
      "format": "table"
    },
    {
      "id": "DATA-030",
      "category": "DATA",
      "category_name": "Data Security & Privacy",
      "title": "Data Trust Scoring",
      "level": "L2",
      "description": "Each data source must be assigned a trust score based on provenance completeness, historical integrity, and source reputation.",
      "atlas": "AML.TA0009",
      "atlas_raw": "AML.TA0009 (Discovery)",
      "owasp": null,
      "test": "MLASTG-TEST-DATA-001",
      "mlaswe": [
        "MLASWE-0002"
      ],
      "references": {
        "owasp": "ML04 (Supply Chain), ML08 (Transfer Learning)",
        "nist_ai_rmf": "MAP-1, MAP-2, MEASURE-2",
        "owasp_ai_exchange": "Data Limitation, Development-time Threats"
      },
      "source": "docs/MLASVS/V1-DATA/MLASVS-DATA-1-Provenance.md",
      "format": "block"
    },
    {
      "id": "GOV-001",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "ML System Inventory",
      "level": "L1",
      "description": "Complete inventory of all ML systems in the organization must be maintained.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-1-Risk-Governance.md",
      "format": "block"
    },
    {
      "id": "GOV-002",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "ML Risk Assessment Requirement",
      "level": "L1",
      "description": "All ML systems must undergo security risk assessment before production deployment.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-1-Risk-Governance.md",
      "format": "block"
    },
    {
      "id": "GOV-003",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "ML Security Policy",
      "level": "L1",
      "description": "Organization must have an ML-specific security policy approved by management.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-1-Risk-Governance.md",
      "format": "block"
    },
    {
      "id": "GOV-004",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Data Governance Policy",
      "level": "L1",
      "description": "Data governance policy must cover ML-specific data considerations.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-1-Risk-Governance.md",
      "format": "block"
    },
    {
      "id": "GOV-005",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Model Documentation (Model Cards)",
      "level": "L1",
      "description": "Each ML model must have a model card documenting its purpose, limitations, and performance.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-1-Risk-Governance.md",
      "format": "block"
    },
    {
      "id": "GOV-006",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Incident Response Plan",
      "level": "L1",
      "description": "Incident response plan must cover ML-specific compromise scenarios.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-1-Risk-Governance.md",
      "format": "block"
    },
    {
      "id": "GOV-007",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Bias Evaluation Requirement",
      "level": "L1",
      "description": "All ML models must undergo bias evaluation before deployment.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-2-Bias-Fairness.md",
      "format": "block"
    },
    {
      "id": "GOV-008",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Model Performance Monitoring",
      "level": "L1",
      "description": "Model performance must be monitored with fairness metrics tracked alongside accuracy.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-2-Bias-Fairness.md",
      "format": "block"
    },
    {
      "id": "GOV-009",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Audit Logging for ML Decisions",
      "level": "L1",
      "description": "All ML-driven decisions must be logged with sufficient context for audit.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-3-Audit-Compliance.md",
      "format": "block"
    },
    {
      "id": "GOV-010",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Third-Party AI Risk Assessment",
      "level": "L1",
      "description": "Third-party AI/ML services must undergo security assessment before use.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-3-Audit-Compliance.md",
      "format": "block"
    },
    {
      "id": "GOV-011",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "AI Ethics Board",
      "level": "L2",
      "description": "Organization must have an AI ethics board or equivalent oversight body.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-1-Risk-Governance.md",
      "format": "block"
    },
    {
      "id": "GOV-012",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Human-in-the-Loop for Critical Decisions",
      "level": "L2",
      "description": "Critical decisions driven by ML must require human review and approval.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-1-Risk-Governance.md",
      "format": "block"
    },
    {
      "id": "GOV-013",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Continuous Compliance Monitoring",
      "level": "L2",
      "description": "Compliance must be monitored continuously through automated controls.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-3-Audit-Compliance.md",
      "format": "block"
    },
    {
      "id": "GOV-014",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "External Audit Readiness",
      "level": "L2",
      "description": "ML systems must be ready for external audit at all times.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-3-Audit-Compliance.md",
      "format": "block"
    },
    {
      "id": "GOV-015",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "EU AI Act Conformity Assessment",
      "level": "L2",
      "description": "High-risk ML systems must meet EU AI Act conformity requirements.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-3-Audit-Compliance.md",
      "format": "block"
    },
    {
      "id": "GOV-016",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Regular Red Team Exercises",
      "level": "L2",
      "description": "ML systems must undergo regular adversarial red team testing.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-1-Risk-Governance.md",
      "format": "block"
    },
    {
      "id": "GOV-017",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Bias Continuous Monitoring",
      "level": "L2",
      "description": "Real-time bias detection with automated alerting on fairness drift.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-2-Bias-Fairness.md",
      "format": "block"
    },
    {
      "id": "GOV-018",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Transparency Reporting",
      "level": "L2",
      "description": "ML system transparency reports must be published for external stakeholders.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-1-Risk-Governance.md",
      "format": "block"
    },
    {
      "id": "GOV-019",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "Regulatory Filing Automation",
      "level": "L2",
      "description": "Automated generation of regulatory filings for ML systems.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-3-Audit-Compliance.md",
      "format": "block"
    },
    {
      "id": "GOV-020",
      "category": "GOV",
      "category_name": "Governance & Compliance",
      "title": "ML System Impact Assessment",
      "level": "L2",
      "description": "Impact assessments must be conducted for high-risk ML systems covering societal, privacy, fairness, and safety impacts.",
      "atlas": null,
      "atlas_raw": null,
      "owasp": null,
      "test": "MLASTG-TEST-GOV-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V7-GOV/MLASVS-GOV-1-Risk-Governance.md",
      "format": "block"
    },
    {
      "id": "INFRA-001",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Model Serving Network Segmentation",
      "level": "L1",
      "description": "Model serving infrastructure must be on a separate network segment from general infrastructure.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-002",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Inference Endpoint Authentication",
      "level": "L1",
      "description": "All inference endpoints must require authentication before processing requests.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-2-API-Security.md",
      "format": "block"
    },
    {
      "id": "INFRA-003",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Inference Endpoint Authorization",
      "level": "L1",
      "description": "Authorization must enforce per-user or per-role access limits.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-2-API-Security.md",
      "format": "block"
    },
    {
      "id": "INFRA-004",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "TLS for Model Endpoints",
      "level": "L1",
      "description": "All inference traffic must be encrypted in transit.",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010 (Collection)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-2-API-Security.md",
      "format": "block"
    },
    {
      "id": "INFRA-005",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "GPU/Compute Isolation",
      "level": "L1",
      "description": "GPU and compute resources must be isolated between model replicas and tenants.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-006",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Model Cache Security",
      "level": "L1",
      "description": "Model inference caches must not leak data between users.",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010 (Collection)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-007",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Inference Request Logging",
      "level": "L1",
      "description": "All inference requests must be logged for audit and monitoring purposes.",
      "atlas": "AML.TA0009",
      "atlas_raw": "AML.TA0009 (Discovery)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-008",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Batch Inference Security",
      "level": "L1",
      "description": "Batch inference jobs must be secured with access controls.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-009",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "API Rate Limiting",
      "level": "L1",
      "description": "Rate limiting must be configured per user/API key to prevent extraction and DoS.",
      "atlas": "AML.T0024.002",
      "atlas_raw": "AML.T0024.002 (Extract AI Model)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-2-API-Security.md",
      "format": "block"
    },
    {
      "id": "INFRA-010",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Input Size Validation",
      "level": "L1",
      "description": "Input payload size must be validated to prevent resource exhaustion.",
      "atlas": "AML.T0029",
      "atlas_raw": "AML.T0029 (Denial of AI Service)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-002",
      "mlaswe": [
        "MLASWE-0008"
      ],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-2-API-Security.md",
      "format": "block"
    },
    {
      "id": "INFRA-011",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "API Versioning",
      "level": "L1",
      "description": "API versions must be maintained with a deprecation policy.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-2-API-Security.md",
      "format": "block"
    },
    {
      "id": "INFRA-012",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Model Health Monitoring",
      "level": "L1",
      "description": "Basic health monitoring must be implemented for model endpoints.",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005 (Execution)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-013",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Adversarial Input Detection at Inference",
      "level": "L2",
      "description": "Real-time detection of adversarial inputs during inference.",
      "atlas": "AML.T0043",
      "atlas_raw": "AML.T0043 (Craft Adversarial Data)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-014",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Runtime Model Behavior Monitoring",
      "level": "L2",
      "description": "Runtime monitoring must detect anomalous model behavior.",
      "atlas": "AML.T0018",
      "atlas_raw": "AML.T0018 (Manipulate AI Model)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-015",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Automated Model Rollback on Anomaly",
      "level": "L2",
      "description": "Automated rollback to previous model version when anomalies are detected.",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006 (Persistence)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-016",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Side-Channel Attack Prevention",
      "level": "L2",
      "description": "Mitigations for side-channel attacks on model inference.",
      "atlas": "AML.T0024.001",
      "atlas_raw": "AML.T0024.001 (Invert AI Model)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-017",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Confidential Computing for Inference",
      "level": "L2",
      "description": "Sensitive inference workloads should use confidential computing.",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010 (Collection)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-018",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Real-time Drift Monitoring",
      "level": "L2",
      "description": "Model drift (data distribution and concept drift) must be monitored in real-time.",
      "atlas": "AML.T0018",
      "atlas_raw": "AML.T0018 (Manipulate AI Model)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-019",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "ML-Specific SIEM Integration",
      "level": "L2",
      "description": "ML security events must feed into SIEM for correlation and analysis.",
      "atlas": "AML.TA0009",
      "atlas_raw": "AML.TA0009 (Discovery)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-020",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Dedicated ML Incident Response Playbook",
      "level": "L2",
      "description": "Specialized incident response playbook for ML security incidents.",
      "atlas": "AML.TA0009",
      "atlas_raw": "AML.TA0009 (Discovery)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "INFRA-021",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Continuous Penetration Testing",
      "level": "L2",
      "description": "Model APIs must undergo regular penetration testing.",
      "atlas": "AML.TA0001",
      "atlas_raw": "AML.TA0001 (Reconnaissance)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-2-API-Security.md",
      "format": "block"
    },
    {
      "id": "INFRA-022",
      "category": "INFRA",
      "category_name": "Runtime & Infrastructure",
      "title": "Hardware-Rooted Model Attestation",
      "level": "L2",
      "description": "Hardware-based attestation that verified models are running in trusted environments.",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006 (Persistence)",
      "owasp": null,
      "test": "MLASTG-TEST-INFRA-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V6-INFRA/MLASVS-INFRA-1-Model-Serving.md",
      "format": "block"
    },
    {
      "id": "LLM-001",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Prompt Injection Prevention",
      "level": "L1",
      "description": "LLM applications must implement defenses against prompt injection attacks including direct, indirect, and multi-turn variants.",
      "atlas": "AML.T0051",
      "atlas_raw": "AML.T0051 (LLM Prompt Injection)",
      "owasp": "LLM01",
      "test": "MLASTG-TEST-LLM-001",
      "mlaswe": [
        "MLASWE-0006"
      ],
      "references": {
        "owasp": "LLM01",
        "nist_ai_rmf": "MEASURE-1, MANAGE-1",
        "owasp_ai_exchange": "Input Threats section"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-1-Prompt-Injection.md",
      "format": "block"
    },
    {
      "id": "LLM-002",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Input/Output Boundary Enforcement",
      "level": "L1",
      "description": "Clear separation between system instructions, user input, and retrieved context must be maintained.",
      "atlas": "AML.T0051",
      "atlas_raw": "AML.T0051 (LLM Prompt Injection)",
      "owasp": null,
      "test": "MLASTG-TEST-LLM-001",
      "mlaswe": [
        "MLASWE-0006"
      ],
      "references": {
        "owasp": "LLM01 (Prompt Injection), LLM07 (Insecure Plugin Design)",
        "nist_ai_rmf": "MEASURE-1, MANAGE-1",
        "owasp_ai_exchange": "Input Threats section"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-1-Prompt-Injection.md",
      "format": "block"
    },
    {
      "id": "LLM-003",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Output validation and filtering",
      "level": "L1",
      "description": "Validate and filter LLM outputs before rendering or execution",
      "atlas": "AML.T0057",
      "atlas_raw": "AML.T0057",
      "owasp": null,
      "test": "TEST-LLM-002",
      "mlaswe": [
        "MLASWE-0010"
      ],
      "references": {
        "owasp": "LLM02 (Insecure Output Handling), LLM06 (Sensitive Information Disclosure)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-2-Output-Handling.md",
      "format": "table"
    },
    {
      "id": "LLM-004",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "System Prompt Isolation",
      "level": "L1",
      "description": "The system prompt (base instructions) must be isolated from user input to prevent extraction or override.",
      "atlas": "AML.T0051",
      "atlas_raw": "AML.T0051 (LLM Prompt Injection)",
      "owasp": null,
      "test": "MLASTG-TEST-LLM-001",
      "mlaswe": [
        "MLASWE-0006"
      ],
      "references": {
        "owasp": "LLM01 (Prompt Injection), LLM07 (Insecure Plugin Design)",
        "nist_ai_rmf": "MEASURE-1, MANAGE-1",
        "owasp_ai_exchange": "Input Threats section"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-1-Prompt-Injection.md",
      "format": "block"
    },
    {
      "id": "LLM-005",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Context window limits",
      "level": "L1",
      "description": "Enforce maximum context window size",
      "atlas": "AML.T0029",
      "atlas_raw": "AML.T0029",
      "owasp": null,
      "test": "TEST-LLM-003",
      "mlaswe": [
        "MLASWE-0008"
      ],
      "references": {
        "owasp": "LLM04 (Model DoS), LLM08 (Excessive Agency)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-3-Agency-Control.md",
      "format": "table"
    },
    {
      "id": "LLM-006",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Plugin permission scoping",
      "level": "L1",
      "description": null,
      "atlas": "AML.T0053",
      "atlas_raw": "AML.T0053",
      "owasp": null,
      "test": "TEST-LLM-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/0x02-MLASVS-Categories.md",
      "format": "table"
    },
    {
      "id": "LLM-007",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Tool call authorization",
      "level": "L1",
      "description": null,
      "atlas": "AML.T0053",
      "atlas_raw": "AML.T0053",
      "owasp": null,
      "test": "TEST-LLM-001",
      "mlaswe": [
        "MLASWE-0011"
      ],
      "references": {},
      "source": "docs/MLASVS/0x02-MLASVS-Categories.md",
      "format": "table"
    },
    {
      "id": "LLM-008",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Sensitive data exfiltration prevention",
      "level": "L1",
      "description": "Prevent LLM from outputting API keys, credentials, or PII",
      "atlas": "AML.T0057",
      "atlas_raw": "AML.T0057",
      "owasp": null,
      "test": "TEST-LLM-002",
      "mlaswe": [
        "MLASWE-0012"
      ],
      "references": {
        "owasp": "LLM02 (Insecure Output Handling), LLM06 (Sensitive Information Disclosure)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-2-Output-Handling.md",
      "format": "table"
    },
    {
      "id": "LLM-009",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Content filtering pipeline",
      "level": "L1",
      "description": "Deploy content moderation to block policy-violating outputs",
      "atlas": "AML.T0057",
      "atlas_raw": "AML.T0057",
      "owasp": null,
      "test": "TEST-LLM-002",
      "mlaswe": [
        "MLASWE-0010"
      ],
      "references": {
        "owasp": "LLM02 (Insecure Output Handling), LLM06 (Sensitive Information Disclosure)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-2-Output-Handling.md",
      "format": "table"
    },
    {
      "id": "LLM-010",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Human-in-the-loop for critical actions",
      "level": "L1",
      "description": "Require human approval for destructive or irreversible LLM actions",
      "atlas": "AML.T0053",
      "atlas_raw": "AML.T0053",
      "owasp": null,
      "test": "TEST-LLM-003",
      "mlaswe": [
        "MLASWE-0011",
        "MLASWE-0013"
      ],
      "references": {
        "owasp": "LLM04 (Model DoS), LLM08 (Excessive Agency)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-3-Agency-Control.md",
      "format": "table"
    },
    {
      "id": "LLM-011",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Rate limiting on LLM endpoints",
      "level": "L1",
      "description": "Enforce per-user request rate limits on LLM APIs",
      "atlas": "AML.T0029",
      "atlas_raw": "AML.T0029",
      "owasp": null,
      "test": "TEST-LLM-003",
      "mlaswe": [
        "MLASWE-0008"
      ],
      "references": {
        "owasp": "LLM04 (Model DoS), LLM08 (Excessive Agency)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-3-Agency-Control.md",
      "format": "table"
    },
    {
      "id": "LLM-012",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Token usage monitoring",
      "level": "L1",
      "description": "Monitor and alert on abnormal token consumption patterns",
      "atlas": "AML.T0029",
      "atlas_raw": "AML.T0029",
      "owasp": null,
      "test": "TEST-LLM-003",
      "mlaswe": [
        "MLASWE-0008"
      ],
      "references": {
        "owasp": "LLM04 (Model DoS), LLM08 (Excessive Agency)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-3-Agency-Control.md",
      "format": "table"
    },
    {
      "id": "LLM-013",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Input token limits",
      "level": "L1",
      "description": "Enforce maximum input token count per request",
      "atlas": "AML.T0029",
      "atlas_raw": "AML.T0029",
      "owasp": null,
      "test": "TEST-LLM-003",
      "mlaswe": [
        "MLASWE-0008"
      ],
      "references": {
        "owasp": "LLM04 (Model DoS), LLM08 (Excessive Agency)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-3-Agency-Control.md",
      "format": "table"
    },
    {
      "id": "LLM-014",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Output length limits",
      "level": "L1",
      "description": "Enforce maximum output length to prevent resource exhaustion",
      "atlas": "AML.T0057",
      "atlas_raw": "AML.T0057",
      "owasp": null,
      "test": "TEST-LLM-002",
      "mlaswe": [
        "MLASWE-0010"
      ],
      "references": {
        "owasp": "LLM02 (Insecure Output Handling), LLM06 (Sensitive Information Disclosure)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-2-Output-Handling.md",
      "format": "table"
    },
    {
      "id": "LLM-015",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Prompt Firewall Deployment",
      "level": "L2",
      "description": "A dedicated prompt firewall or LLM gateway must be deployed to intercept and filter malicious prompts before they reach the model.",
      "atlas": "AML.T0051",
      "atlas_raw": "AML.T0051 (LLM Prompt Injection)",
      "owasp": null,
      "test": "MLASTG-TEST-LLM-001",
      "mlaswe": [
        "MLASWE-0006"
      ],
      "references": {
        "owasp": "LLM01 (Prompt Injection), LLM07 (Insecure Plugin Design)",
        "nist_ai_rmf": "MEASURE-1, MANAGE-1",
        "owasp_ai_exchange": "Input Threats section"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-1-Prompt-Injection.md",
      "format": "block"
    },
    {
      "id": "LLM-016",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Semantic Prompt Filtering",
      "level": "L2",
      "description": "Beyond keyword-based filtering, semantic analysis must detect injection intent even when obfuscated or paraphrased.",
      "atlas": "AML.T0051",
      "atlas_raw": "AML.T0051 (LLM Prompt Injection)",
      "owasp": null,
      "test": "MLASTG-TEST-LLM-001",
      "mlaswe": [
        "MLASWE-0006"
      ],
      "references": {
        "owasp": "LLM01 (Prompt Injection), LLM07 (Insecure Plugin Design)",
        "nist_ai_rmf": "MEASURE-1, MANAGE-1",
        "owasp_ai_exchange": "Input Threats section"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-1-Prompt-Injection.md",
      "format": "block"
    },
    {
      "id": "LLM-017",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Jailbreak detection system",
      "level": "L2",
      "description": "Deploy automated detection of jailbreak attempts",
      "atlas": "AML.T0051",
      "atlas_raw": "AML.T0051",
      "owasp": null,
      "test": "TEST-LLM-003",
      "mlaswe": [],
      "references": {
        "owasp": "LLM04 (Model DoS), LLM08 (Excessive Agency)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-3-Agency-Control.md",
      "format": "table"
    },
    {
      "id": "LLM-018",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "RAG Security Controls",
      "level": "L2",
      "description": "RAG (Retrieval-Augmented Generation) systems must implement controls to prevent indirect prompt injection through retrieved documents.",
      "atlas": "AML.T0051",
      "atlas_raw": "AML.T0051 (LLM Prompt Injection)",
      "owasp": null,
      "test": "MLASTG-TEST-LLM-001",
      "mlaswe": [
        "MLASWE-0006"
      ],
      "references": {
        "owasp": "LLM01 (Prompt Injection), LLM07 (Insecure Plugin Design)",
        "nist_ai_rmf": "MEASURE-1, MANAGE-1",
        "owasp_ai_exchange": "Input Threats section"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-1-Prompt-Injection.md",
      "format": "block"
    },
    {
      "id": "LLM-019",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Embedding-Level Anomaly Detection",
      "level": "L2",
      "description": "Detect prompt injection attempts by analyzing embedding-level anomalies in input text.",
      "atlas": "AML.T0051",
      "atlas_raw": "AML.T0051 (LLM Prompt Injection)",
      "owasp": null,
      "test": "MLASTG-TEST-LLM-001",
      "mlaswe": [],
      "references": {
        "owasp": "LLM01 (Prompt Injection), LLM07 (Insecure Plugin Design)",
        "nist_ai_rmf": "MEASURE-1, MANAGE-1",
        "owasp_ai_exchange": "Input Threats section"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-1-Prompt-Injection.md",
      "format": "block"
    },
    {
      "id": "LLM-020",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Agentic workflow authorization",
      "level": "L2",
      "description": "Gate all tool/API invocations behind explicit authorization checks",
      "atlas": "AML.T0053",
      "atlas_raw": "AML.T0053",
      "owasp": null,
      "test": "TEST-LLM-003",
      "mlaswe": [
        "MLASWE-0011"
      ],
      "references": {
        "owasp": "LLM04 (Model DoS), LLM08 (Excessive Agency)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-3-Agency-Control.md",
      "format": "table"
    },
    {
      "id": "LLM-021",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Tool/Plugin Isolation Sandbox",
      "level": "L2",
      "description": "External tool calls and plugin invocations must be sandboxed to prevent abuse via prompt injection.",
      "atlas": "AML.T0053",
      "atlas_raw": "AML.T0053 (LLM Plugin Compromise)",
      "owasp": null,
      "test": "MLASTG-TEST-LLM-001",
      "mlaswe": [
        "MLASWE-0011"
      ],
      "references": {
        "owasp": "LLM01 (Prompt Injection), LLM07 (Insecure Plugin Design)",
        "nist_ai_rmf": "MEASURE-1, MANAGE-1",
        "owasp_ai_exchange": "Input Threats section"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-1-Prompt-Injection.md",
      "format": "block"
    },
    {
      "id": "LLM-022",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Continuous red teaming pipeline",
      "level": "L2",
      "description": "Maintain automated red team testing for LLM vulnerabilities",
      "atlas": "AML.T0051",
      "atlas_raw": "AML.T0051",
      "owasp": null,
      "test": "TEST-LLM-003",
      "mlaswe": [],
      "references": {
        "owasp": "LLM04 (Model DoS), LLM08 (Excessive Agency)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-3-Agency-Control.md",
      "format": "table"
    },
    {
      "id": "LLM-023",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Human override mechanisms",
      "level": "L2",
      "description": "Enable human operators to override or halt LLM actions at any time",
      "atlas": "AML.T0053",
      "atlas_raw": "AML.T0053",
      "owasp": null,
      "test": "TEST-LLM-003",
      "mlaswe": [
        "MLASWE-0011"
      ],
      "references": {
        "owasp": "LLM04 (Model DoS), LLM08 (Excessive Agency)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-3-Agency-Control.md",
      "format": "table"
    },
    {
      "id": "LLM-024",
      "category": "LLM",
      "category_name": "LLM-Specific Security",
      "title": "Multi-turn attack detection",
      "level": "L2",
      "description": "Detect gradual instruction drift across multi-turn conversations",
      "atlas": "AML.T0051",
      "atlas_raw": "AML.T0051",
      "owasp": null,
      "test": "TEST-LLM-003",
      "mlaswe": [],
      "references": {
        "owasp": "LLM04 (Model DoS), LLM08 (Excessive Agency)"
      },
      "source": "docs/MLASVS/V3-LLM/MLASVS-LLM-3-Agency-Control.md",
      "format": "table"
    },
    {
      "id": "MODEL-001",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Adversarial Robustness Testing",
      "level": "L1",
      "description": "Models must be tested against common adversarial attack methods (FGSM, PGD for white-box; HopSkipJump, Boundary Attack for black-box).",
      "atlas": "AML.T0043",
      "atlas_raw": "AML.T0043 (Craft Adversarial Data)",
      "owasp": null,
      "test": "MLASTG-TEST-MODEL-001",
      "mlaswe": [
        "MLASWE-0001"
      ],
      "references": {
        "nist_ai_rmf": "MEASURE-1, MEASURE-2, MANAGE-1",
        "owasp_ai_exchange": "Input Threats, AI Security Testing",
        "owasp": "ML01 (Input Manipulation)"
      },
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-1-Adversarial-Robustness.md",
      "format": "block"
    },
    {
      "id": "MODEL-002",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Input Perturbation Limits",
      "level": "L1",
      "description": "Models must define and enforce maximum allowed input perturbation boundaries.",
      "atlas": "AML.T0043",
      "atlas_raw": "AML.T0043 (Craft Adversarial Data)",
      "owasp": null,
      "test": "MLASTG-TEST-MODEL-001",
      "mlaswe": [
        "MLASWE-0001"
      ],
      "references": {
        "nist_ai_rmf": "MEASURE-1, MEASURE-2, MANAGE-1",
        "owasp_ai_exchange": "Input Threats, AI Security Testing",
        "owasp": "ML01 (Input Manipulation)"
      },
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-1-Adversarial-Robustness.md",
      "format": "block"
    },
    {
      "id": "MODEL-003",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Model Input Validation",
      "level": "L1",
      "description": "All inputs to the model must be validated against expected ranges, types, and formats before inference.",
      "atlas": "AML.T0043",
      "atlas_raw": "AML.T0043 (Craft Adversarial Data)",
      "owasp": null,
      "test": "MLASTG-TEST-MODEL-001",
      "mlaswe": [
        "MLASWE-0001"
      ],
      "references": {
        "nist_ai_rmf": "MEASURE-1, MEASURE-2, MANAGE-1",
        "owasp_ai_exchange": "Input Threats, AI Security Testing",
        "owasp": "ML01 (Input Manipulation)"
      },
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-1-Adversarial-Robustness.md",
      "format": "block"
    },
    {
      "id": "MODEL-004",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Output confidence calibration",
      "level": "L1",
      "description": "Limit precision of output confidence scores to reduce information leakage",
      "atlas": "AML.T0024.001",
      "atlas_raw": "AML.T0024.001",
      "owasp": null,
      "test": "TEST-MODEL-002",
      "mlaswe": [
        "MLASWE-0003"
      ],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-2-Extraction.md",
      "format": "table"
    },
    {
      "id": "MODEL-005",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "API rate limiting",
      "level": "L1",
      "description": "Enforce per-user query quotas to prevent bulk extraction",
      "atlas": "AML.T0024.002",
      "atlas_raw": "AML.T0024.002",
      "owasp": null,
      "test": "TEST-MODEL-002",
      "mlaswe": [
        "MLASWE-0003"
      ],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-2-Extraction.md",
      "format": "table"
    },
    {
      "id": "MODEL-006",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Access control on model endpoints",
      "level": "L1",
      "description": "Require authentication for all model inference endpoints",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002",
      "owasp": null,
      "test": "TEST-MODEL-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-2-Extraction.md",
      "format": "table"
    },
    {
      "id": "MODEL-007",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Model versioning",
      "level": "L1",
      "description": "Maintain versioned model registry with immutable history",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006",
      "owasp": null,
      "test": "TEST-MODEL-005",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-5-Integrity.md",
      "format": "table"
    },
    {
      "id": "MODEL-008",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Model signing",
      "level": "L1",
      "description": "Cryptographically sign model artifacts to detect tampering",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006",
      "owasp": null,
      "test": "TEST-MODEL-005",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-5-Integrity.md",
      "format": "table"
    },
    {
      "id": "MODEL-009",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Inference logging",
      "level": "L1",
      "description": "Log inference requests with anonymized identifiers for audit",
      "atlas": "AML.TA0009",
      "atlas_raw": "AML.TA0009",
      "owasp": null,
      "test": "TEST-MODEL-003",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-3-Inversion.md",
      "format": "table"
    },
    {
      "id": "MODEL-010",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Reward Function Robustness",
      "level": "L2",
      "description": "RL reward functions must be validated for robustness against unintended optimization. The reward function should be analyzed for potential loopholes that allow the agent to achieve high reward without performing the intended task.",
      "atlas": "AML.T0018",
      "atlas_raw": "AML.T0018 (Manipulate AI Model)",
      "owasp": null,
      "test": "MLASTG-TEST-MODEL-006",
      "mlaswe": [
        "MLASWE-0001"
      ],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-6-RL-Robustness.md",
      "format": "block"
    },
    {
      "id": "MODEL-011",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Output sanitization",
      "level": "L1",
      "description": "Sanitize model outputs to prevent training data reconstruction",
      "atlas": "AML.T0024.001",
      "atlas_raw": "AML.T0024.001",
      "owasp": null,
      "test": "TEST-MODEL-003",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-3-Inversion.md",
      "format": "table"
    },
    {
      "id": "MODEL-012",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Adversarial Policy Robustness",
      "level": "L2",
      "description": "RL policies must be robust to adversarial perturbations of observations, actions, and policy parameters. Small perturbations should not cause catastrophic behavioral changes.",
      "atlas": "AML.T0049",
      "atlas_raw": "AML.T0049 (Exploit Public-Facing Application)",
      "owasp": null,
      "test": "MLASTG-TEST-MODEL-006",
      "mlaswe": [
        "MLASWE-0008"
      ],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-6-RL-Robustness.md",
      "format": "block"
    },
    {
      "id": "MODEL-013",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Model behavior monitoring",
      "level": "L1",
      "description": "Monitor model behavior for anomalous patterns indicating attacks",
      "atlas": "AML.T0018",
      "atlas_raw": "AML.T0018",
      "owasp": null,
      "test": "TEST-MODEL-003",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-3-Inversion.md",
      "format": "table"
    },
    {
      "id": "MODEL-014",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Secure model serialization",
      "level": "L1",
      "description": "Use safe serialization formats (SafeTensors preferred over Pickle)",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002",
      "owasp": null,
      "test": "TEST-MODEL-005",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-5-Integrity.md",
      "format": "table"
    },
    {
      "id": "MODEL-015",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Model rollback capability",
      "level": "L1",
      "description": "Enable rapid rollback to previous model versions",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006",
      "owasp": null,
      "test": "TEST-MODEL-005",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-5-Integrity.md",
      "format": "table"
    },
    {
      "id": "MODEL-016",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Certified Adversarial Robustness",
      "level": "L2",
      "description": "For high-security models, certified (provable) robustness bounds must be established using methods like randomized smoothing or Lipschitz-based certification.",
      "atlas": "AML.T0043",
      "atlas_raw": "AML.T0043 (Craft Adversarial Data)",
      "owasp": null,
      "test": "MLASTG-TEST-MODEL-001",
      "mlaswe": [
        "MLASWE-0001"
      ],
      "references": {
        "nist_ai_rmf": "MEASURE-1, MEASURE-2, MANAGE-1",
        "owasp_ai_exchange": "Input Threats, AI Security Testing",
        "owasp": "ML01 (Input Manipulation)"
      },
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-1-Adversarial-Robustness.md",
      "format": "block"
    },
    {
      "id": "MODEL-017",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Robustness certification (provable bounds)",
      "level": "L2",
      "description": null,
      "atlas": "AML.T0015",
      "atlas_raw": "AML.T0015",
      "owasp": null,
      "test": "TEST-MODEL-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/0x02-MLASVS-Categories.md",
      "format": "table"
    },
    {
      "id": "MODEL-018",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Extraction resistance validation",
      "level": "L2",
      "description": "Verify that surrogate models cannot achieve high fidelity through API queries",
      "atlas": "AML.T0024.002",
      "atlas_raw": "AML.T0024.002",
      "owasp": null,
      "test": "TEST-MODEL-002",
      "mlaswe": [
        "MLASWE-0003"
      ],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-2-Extraction.md",
      "format": "table"
    },
    {
      "id": "MODEL-019",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Differential privacy in model",
      "level": "L2",
      "description": "Implement differential privacy guarantees in model training",
      "atlas": "AML.T0024.000",
      "atlas_raw": "AML.T0024.000",
      "owasp": null,
      "test": "TEST-MODEL-003",
      "mlaswe": [
        "MLASWE-0004",
        "MLASWE-0005",
        "MLASWE-0012"
      ],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-3-Inversion.md",
      "format": "table"
    },
    {
      "id": "MODEL-020",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Membership inference prevention",
      "level": "L2",
      "description": "Prevent adversaries from determining if specific records were in training data",
      "atlas": "AML.T0024.000",
      "atlas_raw": "AML.T0024.000",
      "owasp": null,
      "test": "TEST-MODEL-003",
      "mlaswe": [
        "MLASWE-0004",
        "MLASWE-0005"
      ],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-3-Inversion.md",
      "format": "table"
    },
    {
      "id": "MODEL-021",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Backdoor detection validation",
      "level": "L2",
      "description": "Validate that models pass backdoor detection analysis",
      "atlas": "AML.T0020",
      "atlas_raw": "AML.T0020",
      "owasp": null,
      "test": "TEST-MODEL-004",
      "mlaswe": [
        "MLASWE-0007",
        "MLASWE-0009"
      ],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-4-Backdoor.md",
      "format": "table"
    },
    {
      "id": "MODEL-022",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Trojan detection",
      "level": "L2",
      "description": "Detect trojan triggers using activation clustering and trigger inversion",
      "atlas": "AML.T0020",
      "atlas_raw": "AML.T0020",
      "owasp": null,
      "test": "TEST-MODEL-004",
      "mlaswe": [
        "MLASWE-0007"
      ],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-4-Backdoor.md",
      "format": "table"
    },
    {
      "id": "MODEL-023",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Model watermarking",
      "level": "L2",
      "description": "Embed unique fingerprints in model outputs for forensic tracing",
      "atlas": "AML.T0024.002",
      "atlas_raw": "AML.T0024.002",
      "owasp": null,
      "test": "TEST-MODEL-002",
      "mlaswe": [
        "MLASWE-0003"
      ],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-2-Extraction.md",
      "format": "table"
    },
    {
      "id": "MODEL-024",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Adversarial Training Validation",
      "level": "L2",
      "description": "Models trained for sensitive applications must incorporate adversarial training as a defense mechanism.",
      "atlas": "AML.T0043",
      "atlas_raw": "AML.T0043 (Craft Adversarial Data)",
      "owasp": null,
      "test": "MLASTG-TEST-MODEL-001",
      "mlaswe": [
        "MLASWE-0001"
      ],
      "references": {
        "nist_ai_rmf": "MEASURE-1, MEASURE-2, MANAGE-1",
        "owasp_ai_exchange": "Input Threats, AI Security Testing",
        "owasp": "ML01 (Input Manipulation)"
      },
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-1-Adversarial-Robustness.md",
      "format": "block"
    },
    {
      "id": "MODEL-025",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Feature squeezing validation",
      "level": "L2",
      "description": null,
      "atlas": "AML.T0015",
      "atlas_raw": "AML.T0015",
      "owasp": null,
      "test": "TEST-MODEL-001",
      "mlaswe": [
        "MLASWE-0001"
      ],
      "references": {},
      "source": "docs/MLASVS/0x02-MLASVS-Categories.md",
      "format": "table"
    },
    {
      "id": "MODEL-026",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Model ensemble diversity",
      "level": "L2",
      "description": null,
      "atlas": "AML.T0015",
      "atlas_raw": "AML.T0015",
      "owasp": null,
      "test": "TEST-MODEL-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/0x02-MLASVS-Categories.md",
      "format": "table"
    },
    {
      "id": "MODEL-027",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Certified defense mechanisms",
      "level": "L2",
      "description": null,
      "atlas": "AML.T0015",
      "atlas_raw": "AML.T0015",
      "owasp": null,
      "test": "TEST-MODEL-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/0x02-MLASVS-Categories.md",
      "format": "table"
    },
    {
      "id": "MODEL-028",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Red Team Exercise Completion",
      "level": "L2",
      "description": "Regular adversarial red team exercises must be conducted against the model by independent security teams.",
      "atlas": "AML.TA0001",
      "atlas_raw": "AML.TA0001 (Reconnaissance)",
      "owasp": null,
      "test": "MLASTG-TEST-MODEL-001",
      "mlaswe": [],
      "references": {
        "nist_ai_rmf": "MEASURE-1, MEASURE-2, MANAGE-1",
        "owasp_ai_exchange": "Input Threats, AI Security Testing",
        "owasp": "ML01 (Input Manipulation)"
      },
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-1-Adversarial-Robustness.md",
      "format": "block"
    },
    {
      "id": "MODEL-029",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Continuous Adversarial Retesting",
      "level": "L2",
      "description": "Models must be continuously tested against new adversarial attack methods in a CI/CD pipeline.",
      "atlas": "AML.T0043",
      "atlas_raw": "AML.T0043 (Craft Adversarial Data)",
      "owasp": null,
      "test": "MLASTG-TEST-MODEL-001",
      "mlaswe": [],
      "references": {
        "nist_ai_rmf": "MEASURE-1, MEASURE-2, MANAGE-1",
        "owasp_ai_exchange": "Input Threats, AI Security Testing",
        "owasp": "ML01 (Input Manipulation)"
      },
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-1-Adversarial-Robustness.md",
      "format": "block"
    },
    {
      "id": "MODEL-030",
      "category": "MODEL",
      "category_name": "Model Security",
      "title": "Model provenance attestation",
      "level": "L2",
      "description": "Attest model origin, training process, and chain of custody",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006",
      "owasp": null,
      "test": "TEST-MODEL-005",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V2-MODEL/MLASVS-MODEL-5-Integrity.md",
      "format": "table"
    },
    {
      "id": "PIPELINE-001",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "ML Pipeline Access Control",
      "level": "L1",
      "description": "Access to ML pipelines must be authenticated and authorized.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-002",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Pipeline Artifact Signing",
      "level": "L1",
      "description": "All ML artifacts produced by pipelines must be signed.",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006 (Persistence)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-003",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Experiment Tracking Access Control",
      "level": "L1",
      "description": "Experiment tracking systems must enforce access control.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-004",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Training Environment Isolation",
      "level": "L1",
      "description": "Training environments must be isolated from other systems.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-005",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Pipeline Secret Management",
      "level": "L1",
      "description": "Secrets used in ML pipelines must be managed securely.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Credential Access)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-006",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Run History Audit Logging",
      "level": "L1",
      "description": "All pipeline runs must be logged with immutable audit trails.",
      "atlas": "AML.TA0009",
      "atlas_raw": "AML.TA0009 (Discovery)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-007",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Feature Store Access Control",
      "level": "L1",
      "description": "Feature stores must enforce access control.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-008",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Model Registry Authentication",
      "level": "L1",
      "description": "Model registry must require authentication.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-009",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Deployment Approval Workflow",
      "level": "L1",
      "description": "Model deployments must require approval.",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006 (Persistence)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-010",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Model Deployment Rollback",
      "level": "L1",
      "description": "Registry must support rollback to previous model versions.",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006 (Persistence)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-011",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Pipeline Integrity Monitoring",
      "level": "L2",
      "description": "Pipeline configurations must be monitored for unauthorized changes.",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005 (Execution)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-012",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Automated Pipeline Security Scanning",
      "level": "L2",
      "description": "Pipelines must include automated security scanning steps.",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005 (Execution)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-013",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Immutable Model Registry",
      "level": "L2",
      "description": "Model registry entries should be immutable once published.",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006 (Persistence)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-014",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Reproducible Training Verification",
      "level": "L2",
      "description": "Pipeline must support reproducible training with deterministic results.",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005 (Execution)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-015",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Data Leakage Prevention in Pipeline",
      "level": "L2",
      "description": "Pipelines must prevent data leakage between stages and environments.",
      "atlas": "AML.TA0010",
      "atlas_raw": "AML.TA0010 (Collection)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-016",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Cross-tenant Isolation in ML Platforms",
      "level": "L2",
      "description": "Multi-tenant ML platforms must enforce tenant isolation.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-017",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Pipeline Compliance Attestation",
      "level": "L2",
      "description": "Pipelines must produce compliance attestation artifacts.",
      "atlas": "AML.TA0009",
      "atlas_raw": "AML.TA0009 (Discovery)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-018",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Feature Store Data Integrity",
      "level": "L2",
      "description": "Feature stores must ensure data integrity and provenance.",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005 (Execution)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-019",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Canary Deployment for Models",
      "level": "L2",
      "description": "New model versions should support canary/shadow deployment.",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006 (Persistence)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "PIPELINE-020",
      "category": "PIPELINE",
      "category_name": "Pipeline & MLOps",
      "title": "Automated Testing Gate in CI/CD",
      "level": "L2",
      "description": "Security tests must gate deployments in CI/CD.",
      "atlas": "AML.TA0005",
      "atlas_raw": "AML.TA0005 (Execution)",
      "owasp": null,
      "test": "MLASTG-TEST-PIPELINE-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V5-PIPELINE/MLASVS-PIPELINE-1-CICD.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-001",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "ML-SBOM Generation",
      "level": "L1",
      "description": "A complete ML-SBOM must be generated for each model, covering model metadata, base models, training datasets, framework dependencies, and training environment.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-001",
      "mlaswe": [
        "MLASWE-0009"
      ],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-1-ML-SBOM.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-002",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Pre-trained Model Origin Verification",
      "level": "L1",
      "description": "Origin and authenticity of all pre-trained models must be verified.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-2-Base-Model-Vetting.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-003",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Training Dataset Provenance",
      "level": "L1",
      "description": "Each training dataset must have documented provenance including source URL, collection date, license, and responsible party.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-1-ML-SBOM.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-004",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "ML Library Version Tracking",
      "level": "L1",
      "description": "All ML libraries and frameworks used in training and inference must be tracked with specific versions in the ML-SBOM.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-1-ML-SBOM.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-005",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "License Compliance Check",
      "level": "L1",
      "description": "All ML components must be checked for license compliance before use.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-1-ML-SBOM.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-006",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Model Hash Verification at Load",
      "level": "L1",
      "description": "Cryptographic hashes must be verified when loading pre-trained models.",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006 (Persistence)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-2-Base-Model-Vetting.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-007",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Transfer Learning Source Validation",
      "level": "L1",
      "description": "Source models used for transfer learning must be validated for security.",
      "atlas": "AML.T0020",
      "atlas_raw": "AML.T0020 (Data Poisoning)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-2-Base-Model-Vetting.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-008",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Dataset License Verification",
      "level": "L1",
      "description": "Dataset licenses must be verified and documented to ensure compliance with usage terms.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-1-ML-SBOM.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-009",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Base Model Vulnerability Scanning",
      "level": "L1",
      "description": "Pre-trained models must be scanned for known vulnerabilities.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-2-Base-Model-Vetting.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-010",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "ML Dependency Scanning",
      "level": "L1",
      "description": "ML libraries and dependencies must be scanned for known vulnerabilities using standard security scanners.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-1-ML-SBOM.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-011",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Secure Model Distribution Channels",
      "level": "L1",
      "description": "Models must be distributed through secure, authenticated channels.",
      "atlas": "AML.TA0002",
      "atlas_raw": "AML.TA0002 (Initial Access)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-2-Base-Model-Vetting.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-012",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Third-Party Model Evaluation Report",
      "level": "L1",
      "description": "Comprehensive security evaluation reports must exist for third-party models.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-2-Base-Model-Vetting.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-013",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Automated ML-SBOM Generation in CI/CD",
      "level": "L2",
      "description": "ML-SBOM must be automatically generated as part of the CI/CD pipeline and updated on each model version.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-1-ML-SBOM.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-014",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Continuous Dependency Monitoring",
      "level": "L2",
      "description": "ML dependencies must be continuously monitored for newly discovered vulnerabilities.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-1-ML-SBOM.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-015",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Cryptographic Model Provenance",
      "level": "L2",
      "description": "Full cryptographic provenance using signed manifests for all models.",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006 (Persistence)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-2-Base-Model-Vetting.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-016",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Model Signing and Attestation",
      "level": "L2",
      "description": "Models must be cryptographically signed and attested before deployment.",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006 (Persistence)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-2-Base-Model-Vetting.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-017",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Fine-tuning Data Provenance Chain",
      "level": "L2",
      "description": "For fine-tuned models, the provenance chain must extend from base model through all fine-tuning datasets.",
      "atlas": "AML.T0020",
      "atlas_raw": "AML.T0020 (Data Poisoning)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-1-ML-SBOM.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-018",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Adversarial Robustness of Base Model",
      "level": "L2",
      "description": "Base models must undergo adversarial robustness evaluation.",
      "atlas": "AML.T0043",
      "atlas_raw": "AML.T0043 (Craft Adversarial Data)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-2-Base-Model-Vetting.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-019",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Backdoor Scanning of Pre-trained Models",
      "level": "L2",
      "description": "Pre-trained models must be scanned for potential backdoors.",
      "atlas": "AML.T0020",
      "atlas_raw": "AML.T0020 (Data Poisoning)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-002",
      "mlaswe": [
        "MLASWE-0007"
      ],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-2-Base-Model-Vetting.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-020",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Vendor Security Assessment Program",
      "level": "L2",
      "description": "Third-party ML model vendors must undergo security assessment.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-2-Base-Model-Vetting.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-021",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "ML Supply Chain Incident Response",
      "level": "L2",
      "description": "An incident response plan specifically addressing ML supply chain compromises must exist and be tested.",
      "atlas": "AML.TA0003",
      "atlas_raw": "AML.TA0003 (Resource Development)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-001",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-1-ML-SBOM.md",
      "format": "block"
    },
    {
      "id": "SUPPLY-022",
      "category": "SUPPLY",
      "category_name": "Supply Chain Security",
      "title": "Reproducible Build Verification",
      "level": "L2",
      "description": "Model builds must be reproducible from source to verify integrity.",
      "atlas": "AML.TA0006",
      "atlas_raw": "AML.TA0006 (Persistence)",
      "owasp": null,
      "test": "MLASTG-TEST-SUPPLY-002",
      "mlaswe": [],
      "references": {},
      "source": "docs/MLASVS/V4-SUPPLY/MLASVS-SUPPLY-2-Base-Model-Vetting.md",
      "format": "block"
    }
  ]
}
