← Trust Layer
Control coverage

Where Queldrex fits your AI governance framework.

Queldrex produces signed, tamper-evident evidence of every AI tool decision and enforces controls in the path of your agent. Below is a map of which framework controls that evidence and enforcement can support, so you and your auditors know where to look.

Read this first. This is a descriptive map of how Queldrex’s technical evidence and enforcement relate to common AI governance frameworks. It is provided to help you and your auditors locate relevant evidence. It is not a certification, not an attestation of compliance, and not legal advice. Whether you meet any framework is for you and your auditors to determine.

NIST AI RMF

1.0
GOVERNPolicies, processes and accountability for AI risk

Your organization’s tighten-only rules, allowlist and budgets are enforced on every AI tool call and recorded.

Evidence: Org policy: rules, allowlist, per-agent scope, budgets
MAPContext and risks of AI use are identified

Each tool and server is classified for untrusted-input, sensitive-data and egress capability (the lethal-trifecta map) before use.

Evidence: Prompt-injection / tool-poisoning / exfiltration detection
MEASURE 2.7AI system security and resilience are evaluated

A reproducible, versioned adversarial benchmark reports detection and false-positive rates; monitor mode measures against live traffic.

Evidence: Reproducible benchmark + monitor mode
MANAGE 4.1AI risks are monitored and responded to

Kill-switch, automatic circuit-breaker quarantine, revocation and real-time alerts provide monitoring and response.

Evidence: Kill-switch, circuit breaker, revocation, alerts

EU AI Act

2024/1689
Article 9Risk management system

An in-path gate applies risk-based decisions (allow / require approval / deny) to every AI tool action, with your own rules layered on top.

Evidence: In-path enforcement gate (allow / approve / deny)
Article 12Record-keeping / automatic logging

Every decision produces a signed, timestamped receipt, hash-chained into a tamper-evident ledger anchored to an external timestamp authority.

Evidence: Signed decision receipts
Article 14Human oversight

Risky actions are paused for a human in an approvals inbox, and an operator can stop all AI tool activity instantly with the kill-switch.

Evidence: Human oversight: approvals inbox + emergency stop
Article 15Accuracy, robustness and cybersecurity

Deterministic + model + guard-model detection of prompt injection, tool poisoning and exfiltration, fail-safe by design; accuracy is benchmarked.

Evidence: Prompt-injection / tool-poisoning / exfiltration detection

ISO/IEC 42001

2023
A.6.2AI system operation and monitoring

Continuous, tamper-evident logging of AI tool decisions supports operational monitoring and after-the-fact review.

Evidence: Tamper-evident, externally-anchored ledger
A.9Use and operation controls

A signed evidence bundle documents what was checked and decided over a period for internal audit and management review.

Evidence: Signed, verifiable evidence bundle

OWASP LLM Top 10

2025
LLM01Prompt Injection

Direct and indirect prompt-injection detection on tool definitions and on tool OUTPUT (poisoned pages/emails) before the agent trusts them.

Evidence: Prompt-injection / tool-poisoning / exfiltration detection
LLM02Sensitive Information Disclosure

High-confidence secrets are redacted locally before any output leaves the machine, and exfiltration channels in tools are flagged.

Evidence: Local secret redaction before egress
LLM06Excessive Agency

The enforcement gate, approved-tools allowlist and per-agent budgets bound what an agent can actually do, with human approval for high-impact actions.

Evidence: In-path enforcement gate (allow / approve / deny)

OWASP Agentic

2026
ASI01Agent goal / instruction hijacking

Hidden-instruction, chat-template control-token, obfuscated-payload and canary-tripwire detection catch attempts to redirect an agent’s goals.

Evidence: Prompt-injection / tool-poisoning / exfiltration detection
ASI02Tool misuse

The approved-tools allowlist and in-path gate bound which tools an agent may call, with poisoned or over-scoped tools flagged and deniable.

Evidence: In-path enforcement gate (allow / approve / deny)
ASI03Identity and privilege abuse

Per-agent scope, over-broad and function-vs-scope-mismatch checks, spoofed safety annotations, and credential-harvesting tools are flagged; secrets are scrubbed before egress.

Evidence: Org policy: rules, allowlist, per-agent scope, budgets
ASI04Agentic supply chain

MCP servers and tools are scanned before use, re-verified on a schedule to catch rug-pulls / definition drift, and checked for cloud-metadata SSRF and sensitive-file access.

Evidence: Prompt-injection / tool-poisoning / exfiltration detection
ASI05Unexpected code execution

Parameters that run code, commands or raw SQL are flagged as high-agency and routed to a hard approval gate before the action is allowed.

Evidence: In-path enforcement gate (allow / approve / deny)
ASI06Memory and context poisoning

Tools that write attacker-controlled instructions into the agent’s long-term memory so a payload survives across sessions are flagged as persistent poisoning.

Evidence: Prompt-injection / tool-poisoning / exfiltration detection
ASI07Insecure inter-agent communication

Delegation-abuse detection flags metadata that hands a task to another agent or sub-agent to run an action outside the controls placed on this tool.

Evidence: Prompt-injection / tool-poisoning / exfiltration detection
ASI08Cascading failures

Per-agent budgets, an automatic circuit-breaker quarantine and the kill-switch bound the blast radius when one agent or tool starts to fail.

Evidence: Kill-switch, circuit breaker, revocation, alerts
ASI09Human–agent trust exploitation

High-impact actions pause for a human in the approvals inbox, and every decision carries a signed, human-readable rationale so approvals are auditable.

Evidence: Human oversight: approvals inbox + emergency stop
ASI10Rogue agents

Kill-switch, revocation and tighten-only per-agent policy let an operator stop or constrain a misbehaving agent, with every action recorded.

Evidence: Kill-switch, circuit breaker, revocation, alerts

Framework names and control identifiers are the property of their respective owners (NIST, the European Union, ISO/IEC, OWASP) and are referenced here for interoperability. Queldrex is an independent tool and is not endorsed by or affiliated with these bodies.