| ID | Title | Objective | Control Family | Threat Mappings | Guideline Mappings | Assessment Requirements |
|---|---|---|---|---|---|---|
| CCC.MARefArc.CN01 | Data Filtering From External Knowledge Bases | Sanitize, filter, and classify data ingested by the Knowledge Layer from internal and external source bases before it is embedded into the vector store or used for retrieval-augmented generation, preventing inadvertent exposure or manipulation of sensitive organizational knowledge. | PREV | 4 | 1 | 2 |
| CCC.MARefArc.CN02 | User, Application, and Model Firewalling | Establish enforced trust boundaries between the user, the application, and the models and tools by routing all traffic through the agent, LLM, and MCP gateways where guardrails inspect and constrain requests and responses. | PREV | 8 | 1 | 2 |
| CCC.MARefArc.CN03 | System Acceptance Testing | Validate agents, models, and end-to-end workflows against accuracy, robustness, bias, drift, and compliance criteria before promotion to production, and re-validate after material changes. | PREV | 6 | 1 | 2 |
| CCC.MARefArc.CN04 | Data Quality and Classification | Assess the quality of, and assign classification and sensitivity labels to, all data used for grounding, training, and fine-tuning, and enforce handling rules derived from those labels throughout the Knowledge and LLM layers. | PREV | 12 | 1 | 2 |
| CCC.MARefArc.CN05 | Legal and Contractual Frameworks for AI Systems | Establish contractual controls with model and MCP service providers covering data handling, retention and deletion, intellectual property, liability, and supply-chain integrity. | PREV | 7 | 1 | 2 |
| CCC.MARefArc.CN06 | Quality of Service and DDoS Prevention | Protect model and tool availability by enforcing quality-of-service controls, rate limits, and abuse and DDoS mitigation at the gateways. | PREV | 3 | 1 | 2 |
| CCC.MARefArc.CN07 | AI Model Version Pinning | Pin and record explicit model versions in the Model Registry so that model behaviour is reproducible and provider-side changes are surfaced rather than silently absorbed. | PREV | 2 | 1 | 2 |
| CCC.MARefArc.CN08 | Role-Based Access Control for AI Data | Enforce least-privilege, role-based access control over all AI data stores, including source bases, the vector store, and model artifacts. | PREV | 6 | 1 | 2 |
| CCC.MARefArc.CN09 | Encryption of AI Data at Rest | Encrypt AI data at rest, including the vector store and source repositories, so that storage-level access does not expose embeddings or sensitive content. | PREV | 4 | 1 | 2 |
| CCC.MARefArc.CN10 | AI Firewall Implementation and Management | Implement and operate an AI firewall within the guardrail components that inspects prompts, content, and responses for injection, sensitive data, and policy violations. | PREV | 8 | 1 | 2 |
| CCC.MARefArc.CN11 | Agent Authority Least Privilege Framework | Constrain each agent's authority to the minimum set of tools, APIs, and data required for its task, enforced by the runtime and MCP guardrails, and prevent permission creep during operation. | PREV | 2 | 1 | 2 |
| CCC.MARefArc.CN12 | Tool Chain Validation and Sanitization | Validate tool selection, sanitize tool-call parameters, and constrain tool sequencing within the runtime and MCP guardrails to prevent manipulation of agent tool use. | PREV | 5 | 1 | 2 |
| CCC.MARefArc.CN13 | MCP Server Security Governance | Govern the onboarding, verification, and ongoing monitoring of MCP servers so that only approved, integrity-verified servers are reachable, and supply-chain compromise is detected. | PREV | 5 | 1 | 2 |
| CCC.MARefArc.CN14 | Multi-Agent Isolation and Segmentation | Isolate agents and their memory and state so that compromise or failure of one agent cannot propagate to others, and enforce segmentation of agent-to-agent communication. | PREV | 3 | 1 | 2 |
| CCC.MARefArc.CN15 | Agentic System Credential Protection Framework | Prevent agents from discovering, extracting, or misusing credentials by brokering secrets outside agent-accessible surfaces and constraining tool access to credential stores. | PREV | 3 | 1 | 2 |
| CCC.MARefArc.CN16 | AI Data Leakage Prevention and Detection | Detect leakage of sensitive data in model inputs and outputs and in telemetry, and alert and respond when disclosure is detected. | DET | 2 | 1 | 2 |
| CCC.MARefArc.CN17 | AI System Observability | Instrument every layer to emit logs, traces, metrics, and events to the Observability Layer so that behaviour, drift, availability, and data handling are continuously visible and auditable. | DET | 10 | 1 | 2 |
| CCC.MARefArc.CN18 | AI System Alerting and Denial of Wallet Monitoring | Monitor spend and usage of models and tools, and alert on anomalous consumption indicative of Denial of Wallet or runaway agentic loops. | DET | 3 | 1 | 2 |
| CCC.MARefArc.CN19 | Human Feedback Loop for AI Systems | Capture human feedback on agent outputs through the Feedback Engine and Human Supervision capabilities and feed it into evaluation and improvement of agents and models. | DET | 5 | 1 | 2 |
| CCC.MARefArc.CN20 | Citations and Source Traceability for AI-Generated Information | Attach citations and source traceability to AI-generated information so that outputs can be verified against retrieved sources and decisions can be explained. | DET | 4 | 1 | 2 |
| CCC.MARefArc.CN21 | Automated Evaluation Using LLM-as-a-Judge | Use automated model-based evaluation in the Evaluation Layer to assess output quality, grounding, bias, and policy compliance at scale. | DET | 8 | 1 | 2 |
| CCC.MARefArc.CN22 | Preserving Source Data Access Controls in AI Systems | Propagate the access controls of source data into the retrieval path so that retrieval and generation cannot expose content a requesting user is not authorized to see. | DET | 4 | 1 | 2 |
| CCC.MARefArc.CN23 | Agent Decision Audit and Explainability | Record an auditable trace of agent decisions, including tool selections, inputs, and rationale, sufficient to explain and review autonomous actions after the fact. | DET | 3 | 1 | 2 |
AI/ML / Multi Agent Refarch
Controls
Version: