EVIDENCE TRAIL
Insider-threat program — personnel security for AI operators
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The personnel-security controls (PM-12, PS-3, PS-4, PS-6) are drawn verbatim from NIST SP 800-53 Rev 5; MITRE ATLAS has no direct personnel-side analogue — AML.M0026 addresses the agent's machine permissions only, which is the gap this mitigation fills.
Last cross-checked against upstream sources: · 7 sources
References
Each entry shows what the source supports and what it does not prove.
NIST SP 800-53 Rev 5 — PM-12 Insider Threat Program
Chapter 3 — PM-12 INSIDER THREAT PROGRAM, Control statement and Discussion (p. 209)
"Implement an insider threat program that includes a cross-discipline insider threat incident handling team. … Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and nontechnical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program."
Supports: Verbatim federal mandate for an insider-threat program with a named senior official, cross-discipline incident team, and both technical and nontechnical detection. Directly underpins the PM-12 component of this mitigation.
Does not prove: Scoped to federal systems and classified environments by its executive-order lineage (EO 13587). Discussion note explicitly extends to non-national-security systems but does not reference agentic AI or AI operators specifically.
NIST SP 800-53 Rev 5 — PS-3 Personnel Screening
Chapter 3 — PS-3 PERSONNEL SCREENING, Control statement and Discussion (p. 223)
"Screen individuals prior to authorizing access to the system; and rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening]. … Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems."
Supports: Verbatim source of the personnel-screening (background-check) requirement that this mitigation applies proportionally to AI-operator blast radius. The "types of information processed" framing maps directly to high-blast-radius agent classification.
Does not prove: Does not name AI systems, agents, or operator roles as a distinct screening category. Blast-radius proportionality is Helmwart's extension.
NIST SP 800-53 Rev 5 — PS-4 Personnel Termination
Chapter 3 — PS-4 PERSONNEL TERMINATION, Control statement and Discussion (p. 224)
"Upon termination of individual employment: (a) Disable system access within [Assignment: organization-defined time period]; (b) Terminate or revoke any authenticators and credentials associated with the individual; … The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified."
Supports: Verbatim source of the credential-revocation-on-departure requirement. The control's time-period assignment parameter is the basis for Helmwart's 24 h / 72 h / 7-day SLA tiers. The pre-notification disable option is verbatim justification for the "for-cause" off-boarding path.
Does not prove: Time period is left as an organizational assignment parameter — the 24-hour high-privilege benchmark in this mitigation derives from industry practice (referenced in the MDX) rather than a literal NIST figure.
NIST SP 800-53 Rev 5 — PS-6 Access Agreements
Chapter 3 — PS-6 ACCESS AGREEMENTS, Control statement and Discussion (p. 226)
"Develop and document access agreements for organizational systems … Verify that individuals requiring access to organizational information and systems: Sign appropriate access agreements prior to being granted access; and Re-sign access agreements to maintain access to organizational systems when access agreements have been updated. … Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements."
Supports: Verbatim source of the NDA / acceptable-use-agreement requirement. The enumeration (NDA, acceptable use, rules of behavior, conflict-of-interest) maps exactly to the "required_signatures" list in the mitigation's YAML manifest.
Does not prove: Does not reference agentic AI, agent-operator roles, or the "training-acknowledgement" signature that Helmwart adds as an agentic-specific extension.
NIST SP 800-53 Rev 5 — Insider Threat (glossary definition)
NIST Glossary — term: insider_threat, sourced from SP 800-53 Rev 5
"The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of organizational operations and assets, individuals, other organizations, and the Nation."
Supports: Canonical definition establishing that insider threat includes both malicious ("wittingly") and negligent ("unwittingly") misuse of authorized access. Justifies including unintentional-operator failures (not just malicious insiders) within this program's scope.
Does not prove: Definition predates agentic AI. Does not address the operator-of-an-AI-agent role specifically.
SEI CERT Insider Threat Center (Carnegie Mellon University)
SEI CERT Insider Threat research home page — definition statement and research description
"Insider Threat [is] the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization. … The SEI maintains a database exceeding 3,000 documented insider incidents used to validate research findings and develop practical organizational assessments and training programs."
Supports: The academic body of work and empirical incident database that the National Insider Threat Task Force draws from. Provides the socio-technical detection model (combining behavioral and technical indicators) referenced by PM-12 discussion and adopted by this mitigation's anomaly-signal list.
Does not prove: The 3,000-incident database was built from traditional IT and government insider incidents. No published SEI work to date specifically calibrates thresholds for agentic AI operator roles.
MITRE ATLAS AML.M0026 — Privileged AI Agent Permissions Configuration
ATLAS dist/ATLAS.yaml — id: AML.M0026, name: Privileged AI Agent Permissions Configuration, description field
"AI agents may be granted elevated privileges above that of a normal user to enable desired workflows. When deploying a privileged AI agent, or an agent that interacts with multiple users, it is important to implement robust policies and controls on permissions of the privileged agent. These controls include Role-Based Access Controls (RBAC), Attribute-Based Access Controls (ABAC), and the principle of least privilege so that the agent is only granted the necessary permissions to access tools and resources required to accomplish its designated task(s)."
Supports: The closest ATLAS technical analogue: names least-privilege scoping of the agent as the access-control baseline. Confirms that the ATLAS catalogue treats agent-privilege configuration as a first-class mitigation — motivating why the personnel-side (who holds those privileges) deserves its own parallel entry.
Does not prove: Addresses the agent's machine identity and technical RBAC, not the human operator's access lifecycle. The gap between this control and the personnel-side program is precisely what m-insider-threat-program fills.