Proposal: Add Agent Threat Rules (ATR) cross-reference namespace to CCC GenAI catalog #985

@eeee2345

Proposal to add Agent Threat Rules (ATR) as a cross-reference namespace in the CCC GenAI catalog, alongside the existing FINOS-AIGF and SAIF cross-references already used in catalogs/ai-ml/gen-ai/controls.yaml.

ATR is an open detection standard for AI agent threats published under Apache-2.0 at https://github.com/Agent-Threat-Rule/agent-threat-rules. It currently contains 330 rules across ten threat categories with mappings to MITRE ATLAS (100 of 113 techniques), OWASP Agentic AI Top 10, OWASP LLM Top 10, and NIST AI RMF. A companion v0.3 OSCAL catalog of NIST AI RMF Core under CC0 is at https://github.com/Agent-Threat-Rule/ai-rmf-oscal-catalog.

The motivation mirrors issue 872, which proposed AIGF cross-references and was resolved positively. CCC GenAI controls describe what to do; ATR provides the executable detection patterns that operationalise those controls. For example, CCC.GenAI.CN01 Model Input Filtering and Sanitisation maps cleanly to ATR-2026-00010 Malicious Content in MCP Tool Response and ATR-2026-00011 Instruction Injection via Tool Output. CCC.GenAI.TH01 Prompt Injection maps to a family of 197 ATR rules covering direct and indirect prompt injection. The cross-reference would let financial services teams move from a CCC catalog requirement directly to a runtime detection pattern.

I read the eddie-knight comment on issue 872 about the in-flight migration to OpenSSF Gemara layer-2 schema. I do not want to file a PR until the migration window closes and the team has confirmed which schema is the right target. The current proposal is therefore an Option B equivalent: a new reference-id namespace ATR, scoped to the GenAI catalog only, no schema changes required if the namespace is treated as free-form (matching how FINOS-AIGF and SAIF currently work in the controls.yaml file).

Concrete asks. First, is there interest in CCC accepting an ATR cross-reference namespace alongside FINOS-AIGF and SAIF in the GenAI controls and threats files? Second, should the contribution wait until after the Gemara schema migration is complete, or is a pre-Gemara PR welcome? Third, does the project prefer a per-control namespace (ATR) or a separate mapping artefact at services/ai-ml/gen-ai/mappings/atr.yaml in the Option B style?

I have not signed the FINOS CSCLA yet. I will sign it via the EasyCLA flow on the participants.yaml PR once the Editor confirms a path forward. Apache-2.0 license on ATR is compatible with FINOS Community Specification License 1.0 redistribution terms.

ATR is in production at Cisco AI Defense (314 rules, merged via cisco-ai-defense/skill-scanner PR 79 and PR 99) and Microsoft agent-governance-toolkit (287 rules, merged via microsoft/agent-governance-toolkit PR 908 and PR 1277). Stating these as factual deployment evidence, not as a peer claim relative to CCC.

Happy to bring this to the next Security WG async thread if that is the preferred forum. cc maintainers @mlysaght2017 @eddie-knight @robmoffat for awareness.
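As an added illustration (not code from the proposer, CCC or the ATR project), the script below shows the kind of integrity check a maintainer would want before accepting an Option B mapping artefact: it takes a constructed, already-loaded stand-in for mappings/atr.yaml, validates the identifier shapes and the free-form namespace against a stand-in for controls.yaml, and performs the catalog-requirement-to-detection-rule lookup the proposal describes. The entry layout, the id regexes and the known-id sets are assumptions for the example, not the CCC schema.

```python
import re

# Id shapes follow the ids quoted in the proposal (CCC.GenAI.CN01,
# ATR-2026-00010); the exact patterns are an assumption, not a CCC or ATR rule.
CCC_ID = re.compile(r"^CCC\.GenAI\.(CN|TH)\d{2}$")
ATR_ID = re.compile(r"^ATR-\d{4}-\d{5}$")

# Constructed stand-in for the control ids and free-form reference namespaces
# a loaded catalogs/ai-ml/gen-ai/controls.yaml would expose.
KNOWN_CCC_IDS = {"CCC.GenAI.CN01", "CCC.GenAI.TH01"}
KNOWN_NAMESPACES = {"FINOS-AIGF", "SAIF", "ATR"}

# Constructed content of a hypothetical mappings/atr.yaml after YAML loading
# (one entry per CCC id, with the namespace and the rule ids it points at).
# The last two entries are deliberately wrong so the check has work to do.
MAPPING = [
    {"ccc": "CCC.GenAI.CN01", "namespace": "ATR",
     "refs": ["ATR-2026-00010", "ATR-2026-00011"]},
    {"ccc": "CCC.GenAI.TH01", "namespace": "ATR", "refs": ["ATR-2026-00010"]},
    {"ccc": "CCC.GenAI.CN99", "namespace": "ATR", "refs": ["ATR-2026-00012"]},
    {"ccc": "CCC.GenAI.TH01", "namespace": "ATR", "refs": ["ATR-26-10"]},
]


def validate(mapping, known_ccc=KNOWN_CCC_IDS, namespaces=KNOWN_NAMESPACES):
    """Return a list of problems; an empty list means the artefact is consistent."""
    problems = []
    for i, entry in enumerate(mapping):
        ccc, ns = entry.get("ccc", ""), entry.get("namespace", "")
        refs = entry.get("refs", [])
        if not CCC_ID.match(ccc):
            problems.append(f"entry {i}: malformed CCC id {ccc!r}")
        elif ccc not in known_ccc:
            problems.append(f"entry {i}: unknown CCC id {ccc!r}")
        if ns not in namespaces:
            problems.append(f"entry {i}: unknown namespace {ns!r}")
        if not refs:
            problems.append(f"entry {i}: no references")
        problems += [f"entry {i}: malformed ATR id {r!r}" for r in refs
                     if not ATR_ID.match(r)]
    return problems


def detections_for(mapping, ccc_id, namespace="ATR"):
    """Catalog requirement -> sorted detection rule ids (the lookup the proposal describes)."""
    return sorted({r for e in mapping
                   if e["ccc"] == ccc_id and e["namespace"] == namespace
                   for r in e["refs"]})
```

Running validate(MAPPING) reports the unknown control id and the malformed rule id, while the two well-formed entries pass; a CI step that fails on a non-empty problem list keeps the mapping artefact and the catalog from drifting apart.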
