STANDARDS
FRAMEWORK MAPPINGS · NOT CERTIFICATIONS

Control-by-control framework mappings

Sill maintains a public mapping between every shipped guardrail and the OWASP LLM Top 10, the OWASP Top 10 for Agentic Applications, MITRE ATLAS, and the NIST AI RMF. The tables below list each control, the framework risks it addresses, and where coverage is partial.

These are mappings — Sill’s reading of how its controls address each framework’s named risks. They are not certifications or attestations. Sill claims no security certification today and will not until an accredited audit completes. Merchants remain responsible for their own regulatory compliance.

Control-by-control mappings

EVERY CONTROL BELOW IS SHIPPED

Each control below is shipped. A cell asserts only that the named control addresses the named framework risk, per Sill’s reading of the public control descriptions — “(partial)” marks coverage of one facet, not the whole risk. Mapping is not certification, and Sill holds no security certification today. The full status table — including planned and out-of-scope controls — lives in docs/security/framework-mappings.md.

Verify it yourself — Sill’s signing key is published at edge.sill.so/.well-known/jwks.json. Every signed agent card and ARD catalog can be reproduced against it using only published standards — RFC-8785 JCS canonicalization and ed25519 — with no access to Sill’s code.
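The check described above, as an added example in Node.js (not Sill's code and not its documented format): RFC 8785 canonicalization followed by Ed25519 verification against a key taken from a JWKS. The envelope fields `payload`, `kid` and `signature`, the demo key and the card contents are assumptions constructed here, because the page does not say how the signature is attached to a card or catalog.

```javascript
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');

// RFC 8785 (JCS): members sorted by UTF-16 code units, no whitespace, and
// primitives serialized the ECMAScript way, which JSON.stringify implements.
function canonicalize(value) {
  if (value === null || typeof value !== 'object') {
    if (typeof value === 'number' && !Number.isFinite(value)) {
      throw new TypeError('NaN and Infinity cannot be canonicalized');
    }
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  return '{' + Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
}

// Assumed envelope (not from the page): { payload, kid, signature: base64url }.
function verifySigned(doc, jwks) {
  const jwk = jwks.keys.find((k) => k.kid === doc.kid);
  // Pin key type and curve from the JWKS; the document never picks the algorithm.
  if (!jwk || jwk.kty !== 'OKP' || jwk.crv !== 'Ed25519') return false;
  if (typeof doc.signature !== 'string') return false;
  const sig = Buffer.from(doc.signature, 'base64url');
  if (sig.length !== 64) return false; // Ed25519 signatures are exactly 64 bytes
  const key = createPublicKey({ key: { kty: 'OKP', crv: 'Ed25519', x: jwk.x }, format: 'jwk' });
  return verify(null, Buffer.from(canonicalize(doc.payload), 'utf8'), key, sig);
}

// Constructed stand-ins for the published JWKS and a signed agent card.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
const DEMO_JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1' }] };
function signDemo(payload) {
  const sig = sign(null, Buffer.from(canonicalize(payload), 'utf8'), privateKey);
  return { payload, kid: 'demo-key-1', signature: sig.toString('base64url') };
}
const card = signDemo({ name: 'demo-agent', scopes: ['cart.read'], max_spend: 250.0 });
// Same data with members in a different order: canonical bytes are identical.
const reordered = { ...card, payload: { scopes: ['cart.read'], max_spend: 250, name: 'demo-agent' } };
// One changed value: canonical bytes differ, so verification must fail.
const tampered = { ...card, payload: { ...card.payload, max_spend: 25000 } };

console.log(verifySigned(card, DEMO_JWKS), verifySigned(reordered, DEMO_JWKS),
  verifySigned(tampered, DEMO_JWKS));
```

For a real check, replace `DEMO_JWKS` with the JSON fetched from the published JWKS URL and adapt the envelope fields to the format the signed document actually uses.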

GUARDRAIL RULES — YOU CONFIGURE THESE PER POLICY

Sill guardrail rules mapped to OWASP LLM Top 10, OWASP Agentic Top 10, MITRE ATLAS, and NIST AI RMF
| CONTROL | RULE | OWASP LLM 2025 | OWASP AGENTIC v1.0 | MITRE ATLAS 2026.05 | NIST AI RMF |
|---|---|---|---|---|---|
| Allowlisted agents only | r01 | | ASI03, ASI10 | Initial Access | Manage |
| Require valid IntentMandate | r02 | LLM06 | ASI01, ASI03 | | Manage |
| Per-agent rate limit | r03 | LLM10 | ASI08 | Impact | Manage |
| Per-IP rate limit | r04 | LLM10 | ASI08 | Impact | Manage |
| Max per-transaction spend | r05 | LLM06, LLM10 | ASI01 | Impact | Manage |
| Daily spend cap per user | r06 | LLM06, LLM10 | ASI08 | Impact | Manage |
| Human review on destructive actions | r07 | LLM06 | ASI08, ASI09 | Impact | Manage |
| No urgency manipulation | r08 | | ASI09 (partial) | | |
| No drip pricing | r09 | | ASI09 (partial) | | |
| Instruction-override detection | r10 | LLM01 | ASI01 | AML.T0051 (partial) | Measure |
| Geofence (country allow/deny) | r12 | | | Initial Access | Manage |
| Aggregate rate cap across agents | r13 | LLM10 | ASI08 | Impact | Manage |
| Cart total ≤ Intent ceiling | r14 | LLM06 | ASI01 | | Manage |
| Cart currency must match Intent | r15 | LLM06 | ASI01 | | Manage |
| Per-customer data scoping (BOLA) | r17 | LLM06 | ASI03 | Exfiltration | Manage |
| Skill-manifest integrity (pinning) | r18 | LLM03 (partial) | ASI02, ASI04 (partial) | AML.T0011.002 (partial) | Measure |
| Subscription requires explicit consent | r19 | LLM06 | ASI09 | | Manage |
| Unicode tag-block detection | r20 | LLM01 | ASI01 | AML.T0051 (partial) | Measure |
| Credential-leak detection (inbound) | r22 | LLM02 (partial) | ASI02 (partial) | AML.T0098 (partial) | Measure |
| Mandate validity window cap | r23 | LLM06 | ASI03 | Evasion | Manage |
| Mandate body size limit | r25 | LLM10 | | | |
| Emergency kill switch | r28 | LLM10 | ASI08 | Impact | Manage |

Merchant-authored rule (DSL) (r_custom): merchant-defined · merchant-defined · merchant-defined

ALWAYS-ON PROTECTIONS — ENFORCED AUTOMATICALLY

Sill always-on protections mapped to OWASP LLM Top 10, OWASP Agentic Top 10, MITRE ATLAS, and NIST AI RMF
| CONTROL | RULE | OWASP LLM 2025 | OWASP AGENTIC v1.0 | MITRE ATLAS 2026.05 | NIST AI RMF |
|---|---|---|---|---|---|
| Mandate signature verification (ed25519) | | | ASI03, ASI10 | Initial Access, Evasion; AML.T0096 | Manage |
| Mandate replay protection | r11 | | ASI03 | Evasion | Measure |
| Failed-auth source-IP lockout | r24 | LLM10 | | Credential Access | Manage |
| Site-id binding (misdirected-mandate reject) | | | ASI03 | Evasion | Manage |
| Anti-fingerprinting (identity-class coalescing) | | | | Discovery | |
| Webhook signature verification (HMAC) | r27 | | | | Manage |
| Deterministic evaluation budgets (fail-closed) | | LLM10 | ASI08 | Impact | Manage |
| Tamper-evident audit chain (Merkle + ed25519) | | | | | Measure, Manage |
| PII-redaction architecture | | LLM02 (partial) | | Exfiltration | Manage |
| Agent-bound output sanitization | r21 | LLM02, LLM05, LLM07 | | AML.T0100 (partial) | |
| Delegation-chain verification | r29 | | ASI07 (registered-agent) | | Manage |
| MCP session rate limit | r30 | LLM10 | ASI08 | Impact | Manage |

WHAT WE DON’T CLAIM

OWASP LLM04 / LLM08 / LLM09 (model poisoning, embeddings, misinformation)
Sill does not train, host, or retrieve for models — out of architectural scope.
OWASP Agentic ASI05 (unexpected code execution)
Sill is an authorization layer, not an execution sandbox.
OWASP Agentic ASI07 — beyond registered-agent delegation
Covered for registered-agent delegation (r29); NOT covered for unregistered or cross-registry agents.
ATLAS agent-runtime poisoning, host escape, machine compromise
These target the agent’s execution environment, outside Sill’s mandate-evaluation boundary.

See the mappings in action.

Install Sill Discovery in about 90 seconds. The same controls that map to OWASP, ATLAS, and NIST start producing signed audit records on your traffic the moment the embed loads.
