All 330 ATR rules now carry NIST AI RMF mappings.
ATR v2.1.0 was released on 2026-05-09 — every one of the 330 rules now carries compliance.nist_ai_rmf metadata.
Each mapping cites the specific detection element (regex / token / signature) used by that rule — not generic boilerplate. Downloadable, auditable, and verifiable rule by rule.
The NIST AI Risk Management Framework (AI RMF 1.0 plus the Generative AI Profile) is the de facto standard adopted by US federal agencies working with AI, and the measurement foundation NIST CAISI is using for the COSAiS Single-Agent / Multi-Agent overlay work.
Most AI security products claim “NIST AI RMF alignment.” In practice the alignment is usually a closed document, a marketing line, or a single-framework crosswalk — without auditable per-rule mappings.
ATR ships it as MIT-licensed, open-source, reproducible per-rule metadata. Any government, any SOC, any auditor can download the YAML and inspect, rule by rule, which subcategory each maps to, why, and which detection element justifies it.
16 subcategories spanning all 4 NIST AI RMF functions (GV / MP / MS / MG). Each rule can map to multiple subcategories (primary + secondary strength). The 330 rules produce 1,566 mappings in total.
MG.2.3 dominates (442 mappings) because most detection rules link into the “containment / disengage” response path — detection itself is the condition that triggers the isolation mechanism.
Every rule's NIST mapping cites the specific detection element it relies on. Sample drawn from ATR-2026-00118 (Approval Fatigue Exploitation):

```yaml
compliance:
  nist_ai_rmf:
    - subcategory: GV.6.1
      context: >-
        Approval fatigue exploitation manipulates
        human-in-the-loop oversight by overwhelming operators
        with rapid permission requests or minimizing
        dangerous actions; GV.6.1 requires data and oversight
        governance policies that preserve meaningful human
        review rather than enabling bulk auto-approval of
        risky tool calls.
      strength: primary
```

The context field specifies why this rule belongs to GV.6.1 — not as generic “governance,” but as the specific attack path through which approval fatigue violates oversight policy. Every rule is documented this way.
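The metadata above is only auditable if someone actually audits it. The following is an added example, not ATR project code: a rule-by-rule checker and a totals function of the kind an auditor would run over the downloaded YAML to reproduce the coverage numbers (mappings per subcategory, per function, rules lacking a primary). The three rules in RULES are constructed stand-ins shaped like the parsed YAML shown above; the GV.6.1 mapping of ATR-2026-00118 follows the page, while the ATR-EXAMPLE-* ids and their mappings are assumed for illustration. In practice each rule dict would come from yaml.safe_load on the rule file.

```python
"""Rule-by-rule audit of compliance.nist_ai_rmf metadata (added example)."""
from collections import Counter

RMF_FUNCTIONS = {"GV", "MP", "MS", "MG"}   # the four AI RMF functions
STRENGTHS = {"primary", "secondary"}


def function_of(subcategory: str) -> str:
    """'GV.6.1' -> 'GV'."""
    return subcategory.split(".", 1)[0]


def mappings_of(rule: dict) -> list:
    return rule.get("compliance", {}).get("nist_ai_rmf", []) or []


def audit_rule(rule: dict) -> list:
    """Findings for one rule; an empty list means the rule passes.

    Checks: at least one mapping, well-formed subcategory ids (FN.n.m),
    a known strength, a non-empty context, and at least one primary mapping.
    """
    rid = rule["id"]
    mappings = mappings_of(rule)
    if not mappings:
        return [f"{rid}: no nist_ai_rmf mappings"]
    findings = []
    primaries = 0
    for m in mappings:
        sub = str(m.get("subcategory", ""))
        parts = sub.split(".")
        if (len(parts) != 3 or parts[0] not in RMF_FUNCTIONS
                or not all(p.isdigit() for p in parts[1:])):
            findings.append(f"{rid}: malformed subcategory {sub!r}")
        strength = m.get("strength")
        if strength not in STRENGTHS:
            findings.append(f"{rid}: unknown strength {strength!r} on {sub}")
        if not str(m.get("context", "")).strip():
            findings.append(f"{rid}: empty context on {sub}")
        primaries += strength == "primary"
    if primaries == 0:
        findings.append(f"{rid}: no primary mapping")
    return findings


def summarize(rules: list) -> dict:
    """Totals an auditor can recompute: mappings per subcategory and per function."""
    per_sub, per_fn = Counter(), Counter()
    for r in rules:
        for m in mappings_of(r):
            per_sub[m["subcategory"]] += 1
            per_fn[function_of(m["subcategory"])] += 1
    return {
        "rules": len(rules),
        "mappings": sum(per_sub.values()),
        "subcategories": len(per_sub),
        "per_subcategory": dict(per_sub),
        "per_function": dict(per_fn),
    }


# Constructed sample corpus (three rules, not the real 330).
RULES = [
    {"id": "ATR-2026-00118", "name": "Approval Fatigue Exploitation",
     "compliance": {"nist_ai_rmf": [
         {"subcategory": "GV.6.1", "strength": "primary",
          "context": "Rapid permission requests overwhelm human-in-the-loop oversight; "
                     "GV.6.1 requires oversight policies that preserve meaningful review."},
         {"subcategory": "MG.2.3", "strength": "secondary",
          "context": "Detection is the condition that triggers containment / disengage."},
     ]}},
    {"id": "ATR-EXAMPLE-A",  # assumed rule: mapped, but only as secondary
     "compliance": {"nist_ai_rmf": [
         {"subcategory": "MG.2.3", "strength": "secondary", "context": "Containment path."},
     ]}},
    {"id": "ATR-EXAMPLE-B",  # assumed rule: malformed id and empty context
     "compliance": {"nist_ai_rmf": [
         {"subcategory": "MS.2", "strength": "primary", "context": ""},
     ]}},
]


def audit_all(rules: list = RULES) -> dict:
    """Map rule id -> findings, for the rules that have any."""
    return {r["id"]: f for r in rules if (f := audit_rule(r))}


if __name__ == "__main__":
    for rid, findings in audit_all().items():
        print(rid + "\n  " + "\n  ".join(findings))
    print(summarize(RULES))
```

Run against the real corpus, summarize gives the per-subcategory histogram (the page's "MG.2.3: 442" figure is one entry of it) and audit_all should return an empty dict; any non-empty result is a concrete, rule-scoped defect to raise as a PR.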
The mapping pipeline has three stages: LLM-assisted batch generation, per-rule QA, atomic patch. Fully open-source and reproducible.
- Input: the 330 ATR rule YAMLs (detection patterns, test cases, existing metadata), the NIST AI RMF 1.0 reference, the GenAI Profile, and hand-written 5-shot examples.
- Batch generator (scripts/expand-nist-mapping.ts): Claude Opus with a 5-shot prompt and structured output. Each rule yields at least one primary plus 0–3 secondary subcategory mappings, each with its own context field. Every proposed subcategory ID is checked against the RMF reference before it is accepted, so an invented ID is rejected rather than written.
- Atomic patcher (scripts/apply-nist-mapping.ts): reads each proposal YAML, patches the compliance.nist_ai_rmf block of the corresponding rule YAML, and writes atomically (temp file, then rename). Every patched YAML is re-parsed afterwards; all 261 passed (0 failures). Human-curated mappings already present in a rule are never overwritten.
- Cost and time: USD 24.98 (estimated USD 34), roughly 52 minutes wall-clock. The 261 newly mapped rules were layered on top of the 69 mapped in v0.1, reaching 100% coverage of the 330 rules.
- Provenance: every rule's proposal YAML is preserved under proposals/nist/. Anyone can re-run the pipeline, compare outputs, and audit the mapping rationale.
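The three guarantees the patcher stage makes (reference-validated subcategory IDs, human-curated mappings never overwritten, atomic write followed by a re-parse) are the part of the pipeline worth reproducing. Below is an added example that implements that contract; it is a Python sketch, not the project's scripts/apply-nist-mapping.ts. Assumptions: RMF_REFERENCE is a small hand-picked slice of the real subcategory list; rule and proposal files are JSON here so the example runs without a YAML library (the project's are YAML, so swap in yaml.safe_load / yaml.safe_dump); and ATR-EXAMPLE-C is a made-up rule id.

```python
"""Validate-then-patch step of a mapping pipeline (added example)."""
import json
import os
import tempfile
from pathlib import Path

# Assumed slice of the NIST AI RMF subcategory namespace used as the allow-list.
RMF_REFERENCE = {"GV.1.1", "GV.6.1", "MP.2.3", "MS.2.7", "MG.2.3", "MG.4.1"}


def validate_proposal(proposal: dict) -> list:
    """Return a list of errors; empty means the proposal may be applied."""
    errors = []
    mappings = proposal.get("nist_ai_rmf", [])
    strengths = [m.get("strength") for m in mappings]
    if strengths.count("primary") < 1:
        errors.append("no primary mapping")
    if strengths.count("secondary") > 3:
        errors.append("more than 3 secondary mappings")
    for m in mappings:
        sub = m.get("subcategory")
        if sub not in RMF_REFERENCE:          # the gate against invented ids
            errors.append(f"unknown subcategory {sub!r}")
        if m.get("strength") not in ("primary", "secondary"):
            errors.append(f"bad strength on {sub}")
        if not str(m.get("context", "")).strip():
            errors.append(f"empty context on {sub}")
    return errors


def merge(existing: list, proposed: list) -> list:
    """Existing (human-curated) entries win; proposals only fill gaps."""
    present = {m["subcategory"] for m in existing}
    return list(existing) + [m for m in proposed if m["subcategory"] not in present]


def atomic_write(path: Path, data: dict) -> None:
    """Write to a temp file in the target's directory, fsync, then rename over it."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".tmp.")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(data, f, indent=2)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)   # atomic on POSIX because tmp is on the same filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def apply_proposal(rule_path: Path, proposal: dict) -> dict:
    """Patch one rule file; raise ValueError and leave the file untouched on a bad proposal."""
    errors = validate_proposal(proposal)
    if errors:
        raise ValueError(f"{proposal.get('rule_id')}: " + "; ".join(errors))
    rule = json.loads(rule_path.read_text())
    if rule.get("id") != proposal.get("rule_id"):
        raise ValueError("proposal/rule id mismatch")
    compliance = rule.setdefault("compliance", {})
    compliance["nist_ai_rmf"] = merge(compliance.get("nist_ai_rmf", []),
                                      proposal["nist_ai_rmf"])
    atomic_write(rule_path, rule)
    return json.loads(rule_path.read_text())   # post-write parse check


def demo() -> dict:
    """Exercise the accept and reject paths in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        rule_path = Path(d) / "ATR-EXAMPLE-C.json"
        atomic_write(rule_path, {"id": "ATR-EXAMPLE-C", "compliance": {"nist_ai_rmf": [
            {"subcategory": "GV.6.1", "strength": "primary", "context": "human-curated"}]}})
        good = {"rule_id": "ATR-EXAMPLE-C", "nist_ai_rmf": [
            {"subcategory": "GV.6.1", "strength": "secondary", "context": "LLM rewrite (must lose)"},
            {"subcategory": "MG.2.3", "strength": "primary", "context": "detection triggers containment"}]}
        patched = apply_proposal(rule_path, good)
        bad = {"rule_id": "ATR-EXAMPLE-C", "nist_ai_rmf": [
            {"subcategory": "GV.9.9", "strength": "primary", "context": "plausible, not in the RMF"}]}
        try:
            apply_proposal(rule_path, bad)
            rejected = False
        except ValueError:
            rejected = True
        return {"mappings": patched["compliance"]["nist_ai_rmf"],
                "bad_rejected": rejected,
                "unchanged_after_reject": json.loads(rule_path.read_text()) == patched}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The order matters: validation runs before the rule file is even read, so a rejected proposal never touches disk, and the merge keys on subcategory so the LLM's rewrite of an already curated GV.6.1 entry is discarded rather than layered over it.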
ATR is a candidate reference implementation for NIST CAISI’s COSAiS Single-Agent and Multi-Agent overlay work.
The “measurement-science-first” framing CAISI uses in its Research Blog is the foundation we designed this mapping around: every rule has a reproducible measurement (garak inthewild benchmark, SKILL.md FP corpus, publicly-released test corpora) — not a marketing claim.
- RFI docket: NIST-2025-0035 (CAISI Issues Request for Information About Securing AI Agent Systems)
- Sister project: NCCoE AI Agent Identity & Authorization; ATR's detection layer naturally sits above the identity layer
- Performance benchmarks: 97.1% recall on NVIDIA garak's inthewild_jailbreak_llms (666 samples) · 0.20% FP rate on 498 labeled benign SKILL.md samples · DOI 10.5281/zenodo.19178002
The mapping is open metadata, not a closed spec. Every rule's RMF mapping is publicly readable as YAML on GitHub — fork it, challenge it, open a PR to refine strength or context.
Broader context: Sovereign AI Defense — Open Call