Relevance Is Not Enforcement (Tight) — Luminity Digital
Standards Layer Reading  ·  Companion Dispatch  ·  June 2026
AIUC-1 · OWASP Agentic Top 10 Crosswalk · Tight Edition

Relevance Is Not Enforcement

A standards-layer reading of the AIUC-1 OWASP Agentic Top 10 Crosswalk. The document marks its own analytical boundary — relevance, not sufficiency. This dispatch reads it along that line.

June 2026 · Tom M. Gomez · Luminity Digital · 7 min read
The OWASP GenAI Security Project’s Agentic Security Initiative published a bidirectional crosswalk between AIUC-1 and the OWASP Top 10 for Agentic Applications in May 2026. The document is co-authored by OWASP ASI co-leads and reviewed by AIUC-1 experts from the standard itself — unusual participation at this stage of a standard’s life.

The methodology section carries a sentence the rest of this dispatch turns on.

“This crosswalk identifies relevance, not sufficiency. A Primary mapping means the AIUC-1 requirement directly addresses the ASI threat’s core risk. It does not mean the requirement, as currently defined, provides complete mitigation.”
AIUC-1 × OWASP Agentic Top 10 Crosswalk · Methodology Section · May 2026

That is the document’s own boundary marker. The mappings establish relevance. Whether the mapped requirements structurally resolve the mapped threats is the question the document hands off.

This dispatch reads the crosswalk along that line. The analytical vocabulary is ours. The control surfaces are the document’s.

The taxonomy makes the boundary visible

The rationale taxonomy is the most useful artifact the crosswalk contains. Eight control functions, defined precisely, applied consistently across the master table: Prevent (PREV), Constrain Scope (SCOPE), Human Gate (GATE), Detect and Trace (DETECT), Validate and Test (VALID), Policy and Governance (GOVERN), Isolate and Contain (ISOLATE), and Disclose and Calibrate (DISCLOSE).

Primary versus Secondary is determined by the threat context, not by the rationale code. DETECT is Primary for ASI06 (memory poisoning is operationally invisible without logging) and Secondary for ASI01 (where preventive controls carry the frontline). Most crosswalks collapse this distinction. This one does not. The taxonomy lets the reader see what kind of control a requirement provides, not just whether it provides one.

The mappings concentrate where the threats do not

Read across the master table, a pattern surfaces.

Secondary mappings against ASI01, ASI03, ASI09, and ASI10 cluster around GOVERN, DISCLOSE, and DETECT rationales — acceptable use policies, accountability assignments, transparency reports, activity logging. The threats themselves specify something different in their prevention guidelines: input filtering, credential scoping, runtime privilege boundaries, per-agent cryptographic identity, signed behavioral manifests, kill switches, runtime containment. The prevention guidelines specify PREV, SCOPE, and ISOLATE.

The crosswalk records the relationship. Governance, disclosure, and detection requirements mapped Secondary against threats whose prevention guidelines specify prevention, scope constraint, and isolation. The relationship is documented. It is not weighted.

This is what the surface-versus-enforcement vocabulary names. Governance and detection sit on the surface. Prevention, scope constraint, and isolation sit at the enforcement tier. The mapping pattern shows where the standard’s coverage clusters and where the threats specify a different tier.

B006 absorbs five enforcement surfaces

The structural seam in the crosswalk is B006.

B006 — “Prevent unauthorized AI agent actions” — is the most broadly mapped requirement in the document. It is mapped Primary to seven of the ten OWASP Agentic Top 10 threats. No other requirement carries that breadth of coverage.

The crosswalk acknowledges what this means in a note appended to the B006 entry:

“B006 aggregates multiple distinct control functions (scope enforcement, tool-use restriction, privilege control, inter-agent constraints, and runtime containment). Implementations should address each control function independently rather than treating B006 as a single checkbox. Coverage of one function does not imply coverage of others.”
AIUC-1 × OWASP Crosswalk · B006 Implementation Note · Part A

Read as implementation guidance, that note is advice to whoever interprets the standard. Read structurally, it is a description of how the standard composes its broadest coverage. One requirement clause carries five distinct enforcement functions, each operating at a different tier, each defended by different mechanisms, each observable through different evidence.

The Five Enforcement Functions

Scope enforcement — a permission-boundary control.
Tool-use restriction — an execution-time authorization control.
Privilege control — an identity and credential control.
Inter-agent constraints — a protocol-layer authentication and authorization control.
Runtime containment — an architectural isolation control.

A certification asking whether B006 is implemented is asking one question. A reader asking whether each of the five enforcement functions operates at the appropriate tier is asking five.
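To make the five-questions point concrete, here is an added example (not code from the crosswalk, AIUC-1, or OWASP): a toy agent action gate that evaluates each of the five B006 control functions as a separate check with its own evidence, so a tool call can pass one function and fail another. The agent profile, tool rules, budget and sample call are all constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentProfile:
    """Per-agent policy; field names are constructed for this example."""
    name: str
    allowed_tools: frozenset      # scope enforcement: permission boundary
    credential_scope: frozenset   # privilege control: resources the credential reaches
    trusted_callers: frozenset    # inter-agent constraints: peers allowed to task it

@dataclass(frozen=True)
class ToolCall:
    caller: str            # agent that issued the request
    caller_verified: bool  # protocol-layer authentication already checked upstream
    tool: str
    args: dict
    resource: str          # credential target the tool will touch
    calls_so_far: int      # tool calls already spent in this task

# Tool-use restriction: execution-time argument checks per tool (constructed).
TOOL_RULES = {
    "read_file": lambda a: a.get("path", "").startswith("/srv/data/"),
    "send_email": lambda a: a.get("to", "").endswith("@example.com"),
}
CONTAINMENT_BUDGET = 20  # runtime containment: hard cap on calls per task

def evaluate_b006(agent: AgentProfile, call: ToolCall) -> dict:
    """One verdict per control function, rather than a single B006 checkbox."""
    rule = TOOL_RULES.get(call.tool, lambda a: False)  # unknown tool: deny
    return {
        "scope_enforcement": call.tool in agent.allowed_tools,
        "tool_use_restriction": rule(call.args),
        "privilege_control": call.resource in agent.credential_scope,
        "inter_agent_constraints": call.caller_verified and call.caller in agent.trusted_callers,
        "runtime_containment": call.calls_so_far < CONTAINMENT_BUDGET,
    }

def authorize(agent: AgentProfile, call: ToolCall) -> bool:
    """Execution proceeds only when every function passes independently."""
    return all(evaluate_b006(agent, call).values())

# Constructed sample: the call is in scope, yet fails two other functions.
RESEARCHER = AgentProfile("researcher", frozenset({"read_file"}),
                          frozenset({"datastore:reports"}), frozenset({"planner"}))
SAMPLE = ToolCall("planner", True, "read_file", {"path": "/opt/app/config.ini"}, "host:fs", 3)

if __name__ == "__main__":
    for fn, ok in evaluate_b006(RESEARCHER, SAMPLE).items():
        print(f"{fn:24} {'pass' if ok else 'FAIL'}")
    print("authorized:", authorize(RESEARCHER, SAMPLE))
```

The per-function verdicts are the evidence a reviewer would want; a single authorized/not-authorized bit hides which tier failed.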

B006 is not unique in this respect. Aggregation is what standards do when threat surfaces evolve faster than requirement taxonomies, and the crosswalk’s note is the document acknowledging the pattern in its broadest mapping. The note reads as implementation guidance. It is also a structural observation about how the standard composes coverage.

The Shape of the Relevance

The mapping is relevant. Five enforcement functions packaged into one requirement clause is the shape of the relevance.

The sufficiency question is whether each function is enforced at the tier the threats require.

Two sections confirm the pattern

The Observed Gaps and the Validated New Mappings — two distinct sections of the crosswalk — carry the same pattern forward.

The Observed Gaps section identifies eight areas where AIUC-1 does not cover ground OWASP’s prevention guidelines treat as essential. The document clusters them into three themes itself: agent identity and inter-agent communication; architectural containment and runtime monitoring; supply chain attestation and schema controls. All three themes name protocol-layer and runtime mechanisms. Gap 8 is the quietest entry and the most consequential — two paragraphs near the back identify that A001 and A002 do not require schema controls at the agent-model boundary, naming this as “the principle of most determinism” set against the “non-determinism amplification factor” in AIVSS. It is the cleanest articulation of the probabilistic-versus-structural divide that has appeared in any standards-body document this cycle.

The Validated New Mappings section closes the analytical work. Contributors looked at AIUC-1’s previously unmapped requirements and proposed ASI mappings. Five mappings passed validation:

Validated New Mappings  ·  All Secondary

E004 (Assign accountability) → ASI09: Secondary, GOVERN
E008 (Review internal processes) → ASI01: Secondary, GOVERN
E010 (AI acceptable use policy) → ASI01 and ASI03: Secondary, GOVERN
E017 (Document system transparency policy) → ASI09: Secondary, DISCLOSE

All five are Secondary. All five are GOVERN or DISCLOSE. The authors describe the mappings as providing “a governance, accountability, or transparency layer that supports technical mitigations rather than implementing one directly.” It is the most precise statement in the document of where its coverage sits.

The eight gaps are not eight separate findings. The five new mappings are not five separate additions. They describe a single pattern: coverage thins where threats require architectural enforcement.

And the most consequential observation in the crosswalk may not be any individual gap. It may be that five distinct enforcement concerns converge into a single requirement clause.

The relevance-versus-sufficiency line reads differently here than in the methodology. In the methodology it is a disclaimer. After two sections of evidence, it is the document’s closing finding.

What this dispatch does not claim

This is not a critique of AIUC-1, and it is not an endorsement of OWASP over AIUC-1. Both are peer-grade analytical voices. The standard is doing analytical work, and its reviewers participated in the document that identifies where that work meets a different tier of threat specification. That participation is not common at this stage of a standard’s life.

What this dispatch does is read the document along the boundary it marks. The crosswalk identifies relevance. The architectural question — whether the mapped requirements structurally resolve the mapped threats — sits on the other side. The river’s edge holds. The crosswalk has named what must be done in mapping vocabulary. Crossing to the architectural tier is the translation work it opens space for.

Relevance Is the Mapping. Enforcement Is the Architecture. The Boundary Between Them Is Where the Work Lives.

If your organization is reading AIUC-1 for certification, vendor evaluation, or risk-transfer purposes, the relevance-versus-sufficiency boundary is the right place to start.
