EVIDENCE TRAIL
Cross-system scope auditing
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The NIST SP 800-53 AC-2(6) and AC-6(7) controls are the direct regulatory foundation; SP 800-207 CDM provides the continuous-monitoring architecture; ATLAS AML.M0026 is the closest AI-specific peer mitigation. No single source names "cross-system entitlement reconciliation for agent identities" verbatim — that pattern is Helmwart's composition of established CIEM practice and NIST controls.
Last cross-checked against upstream sources: · 7 sources
References
Each entry shows what the source supports and what it does not prove.
NIST SP 800-53 Rev 5 — AC-2(6) Account Management | Dynamic Privilege Management
§AC-2(6) ACCOUNT MANAGEMENT | DYNAMIC PRIVILEGE MANAGEMENT — Discussion paragraph
"In contrast to access control approaches that employ static accounts and predefined user privileges, dynamic access control approaches rely on runtime access control decisions facilitated by dynamic privilege management, such as attribute-based access control. While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and the operational needs of organizations. An example of dynamic privilege management is the immediate revocation of privileges from users as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges."
Supports: Establishes that privileges change on a faster cadence than identities and must be managed dynamically, which is the core rationale for continuous (not quarterly) reconciliation. The "immediate revocation" example is the closest NIST precedent for the 24-hour drift-alert requirement in this control; the match is in kind rather than in timing, since a 24-hour bound is looser than "immediate".
Does not prove: Does not address multi-system or cross-boundary reconciliation. The control is scoped to a single enterprise's account management system. Extension to agent identities spanning HR, Finance, and MCP tool stacks is Helmwart's application.
NIST SP 800-53 Rev 5 — AC-6(7) Least Privilege | Review of User Privileges
§AC-6(7) LEAST PRIVILEGE | REVIEW OF USER PRIVILEGES — Control text and Discussion paragraph
"Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs. … The need for certain assigned user privileges may change over time to reflect changes in organizational mission and business functions, environments of operation, technologies, or threats. A periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid."
Supports: Mandates periodic review of assigned privileges and removal when no longer valid — the reconciliation-against-baseline pattern this control implements. The "reassign or remove" corrective action maps to the ticket-and-freeze response workflow described in the MDX.
Does not prove: Frequency is left to the organisation ("organization-defined"). The control does not mandate continuous or automated reconciliation, and does not address non-human or agent identities specifically. Helmwart tightens the cadence to nightly (or hourly for high-sensitivity agents) and extends scope to agent service principals.
NIST SP 800-207 Zero Trust Architecture
§2.1 Tenets of Zero Trust — Tenet 5 (enterprise monitors integrity and security posture of all assets)
"An enterprise implementing a ZTA should establish a continuous diagnostics and mitigation (CDM) or similar system to monitor the state of devices and applications and should apply patches/fixes as needed. Assets that are discovered to be subverted, have known vulnerabilities, and/or are not managed by the enterprise may be treated differently (including denial of all connections to enterprise resources) than devices owned by or associated with the enterprise that are deemed to be in their most secure state."
Supports: Names continuous diagnostics as the required mechanism for maintaining trust in enterprise assets, and ties asset posture to access treatment (up to denial of all connections for subverted or unmanaged assets). The explicit link from CDM to the policy engine comes from §3 Logical Components, quoted in the next entry; together they give the CDM-feeds-policy-engine architecture that is the conceptual ancestor of the agent-entitlement-feeds-access-decision model this control implements.
Does not prove: CDM in SP 800-207 focuses on device/asset posture (patch state, OS integrity), not on entitlement drift or IAM privilege review. The MDX maps CDM to continuous entitlement reconciliation, which is an architectural extension rather than a direct citation of SP 800-207 scope.
NIST SP 800-207 Zero Trust Architecture — CDM System as ZTA Component
§3 Logical Components of Zero Trust Architecture — CDM System bullet
"Continuous diagnostics and mitigation (CDM) system: This gathers information about the enterprise asset's current state and applies updates to configuration and software components. An enterprise CDM system provides the policy engine with the information about the asset making an access request, such as whether it is running the appropriate patched operating system (OS), the integrity of enterprise-approved software components or presence of non-approved components and whether the asset has any known vulnerabilities. CDM systems are also responsible for identifying and potentially enforcing a subset of policies on nonenterprise devices active on enterprise infrastructure."
Supports: Defines CDM as a feed into the policy engine that informs access decisions dynamically. Confirms the continuous-monitoring-to-access-decision pipeline that this control extends to entitlement state.
Does not prove: Still scoped to device/OS/software posture, not IAM entitlement state. Cross-system privilege reconciliation for agent identities requires ingesting IAM data, which is outside CDM's formal scope in this document.
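The pattern that the AC-6(7) entry and the two SP 800-207 entries above are mapped onto, as one added example in Python (written for this page; it is not Helmwart's implementation and not something either NIST document prescribes): per-system entitlement snapshots for agent principals are reconciled against an approved baseline, each drift finding is routed to a ticket or a freeze, and the findings then feed an access decision in the way CDM posture data feeds the ZTA policy engine. The system names, principals, entitlement strings, the 24-hour alert SLA and the freeze rule for high-sensitivity agents are assumptions; all sample data is constructed. A system whose snapshot is missing or older than the SLA is reported as its own finding, which is the feed-coverage gap the AC-6(9) entry below relates to T44.

```python
"""Cross-system entitlement reconciliation for agent identities, with the
result fed into an access decision.

Added illustration for this page, not Helmwart's code. System names, agent
principals, entitlement strings, the 24-hour alert SLA and the freeze rule for
high-sensitivity agents are assumptions; all sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ALERT_SLA = timedelta(hours=24)                         # drift must surface within 24h
EXPECTED_SYSTEMS = ("hr", "finance", "mcp-gateway")
NOW = datetime(2025, 1, 15, 6, 0, tzinfo=timezone.utc)  # fixed clock for the sample run

# Approved baseline: principal -> system -> entitlements (constructed sample data)
BASELINE = {
    "agent-payroll-bot": {"hr": {"employee.read"},
                          "finance": {"ledger.read", "payment.create"},
                          "mcp-gateway": {"tool:payroll_export"}},
    "agent-helpdesk": {"hr": {"employee.read"}, "mcp-gateway": {"tool:ticket_create"}},
}
HIGH_SENSITIVITY = frozenset({"agent-payroll-bot"})     # excess here is frozen, not ticketed


@dataclass
class Snapshot:
    system: str
    collected_at: datetime
    grants: dict            # principal -> set of entitlements observed in that system


@dataclass(frozen=True)
class Finding:
    principal: str          # "*" for system-level findings
    system: str
    kind: str               # excess | missing | unknown_principal | no_snapshot | stale_snapshot
    entitlements: frozenset
    action: str             # ticket | freeze | escalate


def reconcile(baseline, snapshots, now, high_sensitivity=frozenset()):
    """Compare every expected system's snapshot against the baseline, principal by principal."""
    findings = []
    by_system = {s.system: s for s in snapshots}
    for system in EXPECTED_SYSTEMS:
        snap = by_system.get(system)
        if snap is None:
            # No feed delivered: this system's entitlement state cannot be attested
            findings.append(Finding("*", system, "no_snapshot", frozenset(), "escalate"))
            continue
        if now - snap.collected_at > ALERT_SLA:
            # Feed is older than the SLA; record that, then reconcile what we have
            findings.append(Finding("*", system, "stale_snapshot", frozenset(), "escalate"))
        in_baseline = {p for p, systems in baseline.items() if system in systems}
        for principal in sorted(in_baseline | set(snap.grants)):
            observed = set(snap.grants.get(principal, ()))
            if principal not in baseline:
                # An agent identity nobody approved anywhere: freeze first, ask later
                findings.append(Finding(principal, system, "unknown_principal",
                                        frozenset(observed), "freeze"))
                continue
            expected = set(baseline[principal].get(system, ()))
            excess, missing = observed - expected, expected - observed
            if excess:
                action = "freeze" if principal in high_sensitivity else "ticket"
                findings.append(Finding(principal, system, "excess", frozenset(excess), action))
            if missing:
                # Baseline grants the agent something it no longer holds: baseline is stale
                findings.append(Finding(principal, system, "missing", frozenset(missing), "ticket"))
    return findings


def access_decision(principal, system, findings):
    """Policy-engine side: deny while the principal is frozen or the system's feed is unattested."""
    for f in findings:
        if f.system != system:
            continue
        if f.principal == "*" and f.kind in ("no_snapshot", "stale_snapshot"):
            return "deny"
        if f.principal == principal and f.action == "freeze":
            return "deny"
    return "allow"


def sample_run(now=NOW):
    """Constructed run: HR fresh with one excess grant, Finance stale and holding an
    unapproved principal, and no MCP gateway snapshot delivered at all."""
    snapshots = [
        Snapshot("hr", now - timedelta(hours=2), {
            "agent-payroll-bot": {"employee.read", "employee.write"},   # employee.write is excess
            "agent-helpdesk": {"employee.read"}}),
        Snapshot("finance", now - timedelta(hours=30), {
            "agent-payroll-bot": {"ledger.read", "payment.create"},
            "agent-shadow": {"ledger.write"}}),                        # not in baseline
    ]
    return reconcile(BASELINE, snapshots, now, HIGH_SENSITIVITY)


if __name__ == "__main__":
    for f in sample_run():
        print(f"{f.action:9} {f.kind:17} {f.system:12} {f.principal:18} {sorted(f.entitlements)}")
```

Running the module prints the four findings of the constructed run: an excess employee.write grant on the payroll agent in HR (frozen, because that agent is high-sensitivity), a stale Finance feed plus an unapproved agent-shadow principal holding ledger.write there, and no MCP gateway snapshot at all. access_decision denies the payroll agent in HR while its freeze is open and denies everything on Finance and the MCP gateway until a fresh snapshot arrives; an excess grant that only earned a ticket does not block access, which keeps the review cadence AC-6(7) leaves to the organisation separate from enforcement. In production the snapshot builders would call each IdP or IAM API, and the baseline would be the approval record behind each ticket rather than a literal in the module.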
NIST SP 800-53 Rev 5 — AC-6(9) Least Privilege | Log Use of Privileged Functions
§AC-6(9) LEAST PRIVILEGE | LOG USE OF PRIVILEGED FUNCTIONS — Control text and Discussion
"Log the execution of privileged functions. … The misuse of privileged functions, either intentionally or unintentionally by authorized users or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Logging and analyzing the use of privileged functions is one way to detect such misuse and, in doing so, help mitigate the risk from insider threats and the advanced persistent threat."
Supports: Establishes logging of privileged-function execution as a companion control to privilege review — the same audit-log reconciliation concept this control uses for T44 (missing log delivery). Confirms NIST's intent that privilege controls must be paired with observable audit records.
Does not prove: Addresses logging of function execution, not reconciliation of entitlement state across system boundaries. The cross-system dimension is Helmwart's extension.
MITRE ATLAS AML.M0024 — AI Telemetry Logging
No verbatim excerpt pulled yet — open the original to verify the cited section.
Supports: Names telemetry logging of AI model inputs, outputs, and reasoning steps as the detection foundation for anomalous behaviour — the same audit-record-delivery check that the T44 coverage arm of this control performs. Confirms ATLAS endorsement of logging as a mitigation against agentic misuse.
Does not prove: Does not address cross-system entitlement reconciliation. AML.M0024 is about logging model behaviour, not auditing IAM privilege state across HR, Finance, or MCP tool stacks. ATLAS page was 404 at check date; description sourced from the project's own atlas-mitigations.ts catalogue data.
MITRE ATLAS AML.M0026 — Privileged AI Agent Permissions Configuration
No verbatim excerpt pulled yet — open the original to verify the cited section.
Supports: Directly names privileged AI agent permissions as a hardening surface requiring step-up auth, scoped credentials, and explicit review — the same permission-review concept this control operationalises through cross-system reconciliation. Closest ATLAS mitigation to the entitlement-baseline model.
Does not prove: Does not specify continuous reconciliation cadence or multi-system scope. The "explicit review" framing is point-in-time, not automated nightly reconciliation. ATLAS page was 404 at check date; description sourced from the project's own atlas-mitigations.ts catalogue data.