Appendices
Regulatory Alignment
Continuum/AI controls map to requirements in established regulatory frameworks. Organizations can use Continuum/AI certification evidence to support compliance with several regulatory obligations at once, subject to each framework's own assessment process.
Framework mapping
| Framework | Minimum Continuum/AI profile | Framework areas covered |
|---|---|---|
| SOC 2 Type II | Elevated | Common Criteria CC6, CC7, CC8 |
| ISO 27001:2022 | Elevated | Annex A controls |
| ISO 42001:2023 | Elevated | AI management system requirements |
| NIST CSF 2.0 | Standard | All six functions (Govern, Identify, Protect, Detect, Respond, Recover) |
| EU AI Act | Elevated | High-risk AI system requirements |
| LGPD (Brazil) | Elevated | Data protection requirements |
| HIPAA | Critical | Security Rule technical safeguards |
| PCI DSS 4.0 | Critical | Applicable requirements |
OWASP Agentic Top 10 mapping
| OWASP Risk | Primary Continuum/AI controls |
|---|---|
| Unauthorized Actions | AZN-01, AZN-04, INT-02 |
| Trust Boundary Violations | VAL-03, VAL-04, EXE-03 |
| Data Exfiltration | DAT-05, OBS-05, INT-02 |
| Prompt Injection | VAL-01, VAL-02, VAL-04 |
| Privilege Escalation | AZN-05, IDN-01, GOV-04 |
| Insufficient Logging | OBS-01, OBS-02, OBS-03 |
| Supply Chain Vulnerabilities | SUP-01, SUP-02, SUP-03 |
| Memory Poisoning | VAL-01, EXE-01, DAT-06 |
| Cascading Failures | INT-03, RES-02, RES-04 |
| Resource Exhaustion | EXE-02, OBS-04, INT-01 |
SOC 2 alignment
Evidence collected under the Continuum/AI Elevated profile supports SOC 2 Common Criteria CC6, CC7, and CC8. CC6 (Logical and Physical Access Controls) is addressed through the IDN and AZN domain controls. CC7 (System Operations) is addressed through the OBS, INT, and RES domain controls. CC8 (Change Management) is addressed through the GOV and SUP domain controls. The mapping provides supporting evidence; the SOC 2 auditor still evaluates each criterion against the organization's own control environment.
ISO alignment
Continuum/AI maps to ISO 27001:2022 Annex A controls for information security and to ISO 42001:2023 requirements for AI management systems. Organizations that already hold an ISO certification can inherit the applicable Continuum/AI controls where their existing audit evidence demonstrates equivalence with the mapped control.