CIS Controls v8.1 Mapping for AI Agent Governance
Disclaimer: This document is a self-assessment mapping, NOT a validated certification. Organizations must perform their own assessments with qualified auditors. CIS Controlsยฎ is a trademark of the Center for Internet Security.
Overview
This document maps AGT governance capabilities to the CIS Controls v8.1 safeguards relevant to AI agent infrastructure. CIS Controls provide a prioritized set of actions that collectively form a defense-in-depth approach to cybersecurity.
Coverage Summary
| Metric | Value |
| CIS Controls assessed | 18 |
| Relevant safeguards mapped | 42 |
| Fully addressed | 28 (67%) |
| Partially addressed | 10 (24%) |
| Gaps | 4 (9%) |
Mapping Table
CIS Control 1: Inventory and Control of Enterprise Assets
| Safeguard | Description | AGT Coverage | Module |
| 1.1 | Establish and maintain detailed enterprise asset inventory | โ
Full | agent-discovery โ scans processes, configs, repos for unregistered agents |
| 1.2 | Address unauthorized assets | โ
Full | AgentIdentity โ unknown DIDs rejected by trust verification |
| 1.3 | Utilize an active discovery tool | โ
Full | agent-discovery โ continuous scanning with reconciliation |
| 1.4 | Use dynamic host configuration protocol (DHCP) logging | โฌ N/A | Network-level, outside AGT scope |
CIS Control 2: Inventory and Control of Software Assets
| Safeguard | Description | AGT Coverage | Module |
| 2.1 | Establish and maintain a software inventory | โ
Full | MCP server registry + McpCveFeed package tracking |
| 2.2 | Ensure authorized software is currently supported | โ
Full | McpCveFeed โ CVE tracking via OSV.dev |
| 2.3 | Address unauthorized software | โ
Full | MCP gateway denied_tools list |
| 2.5 | Allowlist authorized software | โ
Full | McpAuthPolicy server allowlist |
| 2.6 | Allowlist authorized libraries | ๐ก Partial | SBOM generation (Tutorial 26), manual review |
CIS Control 3: Data Protection
| Safeguard | Description | AGT Coverage | Module |
| 3.1 | Establish and maintain a data management process | โ
Full | data-provenance-model.md โ provenance schema |
| 3.2 | Establish and maintain a data inventory | ๐ก Partial | Provenance records track data sources; no full inventory UI |
| 3.3 | Configure data access control lists | โ
Full | Policy rules with condition matching on data classification |
| 3.4 | Enforce data retention | โ
Full | record-retention-policy.md + AuditLog with configurable TTL |
| 3.6 | Encrypt data on end-user devices | โ
Full | E2E encryption (Signal protocol) for agent-to-agent messaging |
| 3.9 | Encrypt data on removable media | โฌ N/A | Agent systems don't use removable media |
| 3.10 | Encrypt sensitive data in transit | โ
Full | E2E encryption + TLS enforcement in McpAuthPolicy |
| 3.11 | Encrypt sensitive data at rest | ๐ก Partial | Identity files encrypted at rest; audit logs depend on storage backend |
| 3.12 | Segment data processing and storage | ๐ก Partial | SessionState attribute ratchets enforce data classification boundaries |
CIS Control 4: Secure Configuration of Enterprise Assets and Software
| Safeguard | Description | AGT Coverage | Module |
| 4.1 | Establish and maintain a secure configuration process | โ
Full | Policy-as-code in YAML with extends composition |
| 4.2 | Establish and maintain a secure configuration for network infrastructure | ๐ก Partial | McpAuthPolicy TLS enforcement; network config outside scope |
| 4.7 | Manage default accounts on enterprise assets | โ
Full | No default accounts; all agents require explicit identity creation |
CIS Control 5: Account Management
| Safeguard | Description | AGT Coverage | Module |
| 5.1 | Establish and maintain an inventory of accounts | โ
Full | AgentIdentity registry with DID inventory |
| 5.2 | Use unique passwords | โ
Full | Ed25519 keypairs โ no passwords, cryptographic identity |
| 5.3 | Disable dormant accounts | โ
Full | AgentIdentity.suspend() / revoke() |
| 5.4 | Restrict administrator privileges | โ
Full | Delegation chains with monotonic scope narrowing |
CIS Control 6: Access Management
| Safeguard | Description | AGT Coverage | Module |
| 6.1 | Establish an access granting process | โ
Full | Policy rules with require_approval + ApprovalHandler |
| 6.2 | Establish an access revoking process | โ
Full | Kill switch + AgentIdentity.revoke() |
| 6.3 | Require MFA for externally-exposed applications | ๐ก Partial | Trust handshake (challenge-response), not traditional MFA |
| 6.5 | Require MFA for administrative access | ๐ก Partial | Human sponsor model; MFA depends on IdP |
CIS Control 7: Continuous Vulnerability Management
| Safeguard | Description | AGT Coverage | Module |
| 7.1 | Establish and maintain a vulnerability management process | โ
Full | McpCveFeed + Dependabot + CodeQL |
| 7.2 | Establish and maintain a remediation process | โ
Full | incident-response-workflow.md |
| 7.4 | Perform automated application patch management | ๐ก Partial | Dependabot for deps; MCP server patching is external |
| 7.7 | Remediate detected vulnerabilities | โ
Full | CVE severity โ policy-gated blocking of vulnerable servers |
CIS Control 8: Audit Log Management
| Safeguard | Description | AGT Coverage | Module |
| 8.1 | Establish and maintain an audit log management process | โ
Full | AuditLog with tamper-evident hash chaining |
| 8.2 | Collect audit logs | โ
Full | AuditLog.log() for all governance events |
| 8.3 | Ensure adequate audit log storage | โ
Full | record-retention-policy.md + configurable AuditSink |
| 8.5 | Collect detailed audit logs | โ
Full | Policy decisions, approval outcomes, trust scores, OTel spans |
| 8.9 | Centralize audit logs | โ
Full | OTel export to centralized backends (Azure Monitor, Splunk, etc.) |
| 8.11 | Conduct audit log reviews | ๐ก Partial | AuditLog.query() + OTel dashboards; no automated review |
CIS Control 10: Malware Defenses
| Safeguard | Description | AGT Coverage | Module |
| 10.1 | Deploy and maintain anti-malware software | ๐ก Partial | PromptInjectionDetector + advisory classifiers |
| 10.7 | Use behavior-based anti-malware software | โ
Full | PatternAdvisory + CallbackAdvisory for anomaly detection |
CIS Control 11: Data Recovery
| Safeguard | Description | AGT Coverage | Module |
| 11.1 | Establish and maintain a data recovery process | โฌ Gap | AGT does not manage backups; depends on infrastructure |
CIS Control 13: Network Monitoring and Defense
| Safeguard | Description | AGT Coverage | Module |
| 13.1 | Centralize security event alerting | โ
Full | OTel metrics + agt.policy.denials alerts |
| 13.6 | Collect network traffic flow logs | โฌ Gap | Network-level; outside AGT scope |
CIS Control 14: Security Awareness and Skills Training
| Safeguard | Description | AGT Coverage | Module |
| 14.1 | Establish and maintain a security awareness program | โฌ Gap | Organizational responsibility; AGT provides 40+ tutorials |
| 14.9 | Conduct role-specific security awareness training | ๐ก Partial | Tutorials cover governance for developers; no formal training program |
CIS Control 16: Application Software Security
| Safeguard | Description | AGT Coverage | Module |
| 16.1 | Establish and maintain a secure application development process | โ
Full | Policy-as-code, CI/CD with CodeQL + Gitleaks + fuzzing |
| 16.4 | Establish and maintain a secure coding standard | โ
Full | .pre-commit-hooks.yaml, linting, OWASP mapping |
| 16.9 | Train developers in application security | ๐ก Partial | 40+ tutorials; no formal certification |
| 16.12 | Implement code-level security checks | โ
Full | PromptInjectionDetector, McpSecurityScanner, advisory classifiers |
CIS Control 17: Incident Response Management
| Safeguard | Description | AGT Coverage | Module |
| 17.1 | Designate personnel to manage incident handling | โฌ Gap | Organizational responsibility |
| 17.2 | Establish and maintain contact information for reporting incidents | ๐ก Partial | SECURITY.md in repo; no integrated incident contact system |
| 17.4 | Establish and maintain an incident response process | โ
Full | incident-response-workflow.md |
| 17.8 | Conduct post-incident reviews | โ
Full | Post-mortem template in incident response workflow |
Gap Analysis
| # | Gap | Severity | Recommendation |
| 1 | Data recovery (CIS 11.1) | Medium | Document backup procedures for audit logs and policy stores. AGT can recommend but not enforce backup. |
| 2 | Network traffic flow logs (CIS 13.6) | Low | Network-level concern; recommend AKS/infrastructure-layer monitoring. |
| 3 | Security awareness program (CIS 14.1) | Medium | AGT provides tutorials; organizations should build formal training around them. |
| 4 | Incident handling personnel (CIS 17.1) | Medium | Organizational responsibility; document in impact assessment template. |
Related: NIST AI RMF Alignment ยท SOC 2 Mapping ยท OWASP Agentic Top 10 Architecture ยท EU AI Act Checklist