
EVIDENCE TRAIL

Legal-hold / WORM retention for audit trails

Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The WORM primitive is well-established across three major cloud vendors (AWS S3 Object Lock, Azure Immutable Blob, GCP Bucket Lock) and mandated by NIST SP 800-53 AU-9/AU-11 and financial-services regulation (SEC 17a-4(f), FINRA 4511). The agentic-AI application, placing the lock behind the audit pipeline that the actor-recorder split feeds, is Helmwart's composition.

Last cross-checked against upstream sources: · 9 sources

References

Each entry shows what the source supports and what it does not prove.

Reference 1
AWS documentation (continuously updated)

AWS S3 Object Lock documentation

Opening section "Locking objects with Object Lock"

"S3 Object Lock can help prevent Amazon S3 objects from being deleted or overwritten for a fixed amount of time or indefinitely. Object Lock uses a write-once-read-many (WORM) model to store objects. You can use Object Lock to help meet regulatory requirements that require WORM storage, or to add another layer of protection against object changes or deletion."

Supports: Verbatim WORM definition and regulatory purpose. Confirms compliance mode: "a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account." Cohasset certification for SEC 17a-4, CFTC, and FINRA is noted on the same page.

Does not prove: AWS-specific implementation. Does not define retention windows or the agentic-AI application — those are Helmwart additions derived from the underlying regulatory requirements.

Reference 2
AWS documentation (continuously updated)

AWS S3 Object Lock documentation — Compliance mode

§Retention modes — "Compliance mode" paragraph

"In compliance mode, a protected object version can't be overwritten or deleted by any user, including the root user in your AWS account. When an object is locked in compliance mode, its retention mode can't be changed, and its retention period can't be shortened. Compliance mode helps ensure that an object version can't be overwritten or deleted for the duration of the retention period."

Supports: Verbatim confirmation that compliance-mode Object Lock is absolute — no override path including account root. Directly supports the MDX claim that "root cannot override; the lock is real."

Does not prove: Does not address the agentic AI threat model (T8 Repudiation) directly. The regulatory rationale must be inferred from the Cohasset certification reference.

Reference 4
Microsoft Learn · updated 2026-02-13

Azure Immutable Storage for Blob Data — overview

Opening paragraph "Overview of immutable storage for blob data"

"Immutable storage for Azure Blob Storage enables users to store business-critical data in a WORM (Write Once, Read Many) state. While in a WORM state, data can't be modified or deleted for a user-specified interval."

Supports: Cross-vendor WORM confirmation. Also states: "Regulatory compliance: Immutable storage for Azure Blob Storage helps organizations address SEC 17a-4(f), CFTC 1.31(d), FINRA, and other regulations." Cohasset Associates independent assessment noted. Legal hold described as "a temporary immutability policy … stored in a Write-Once, Read-Many (WORM) format until the hold is explicitly cleared."

Does not prove: Azure-specific implementation detail. Container-level vs version-level WORM distinctions are Azure-specific and not reflected in the MDX's cloud-agnostic guidance.

Reference 5
NIST SP 800-53r5 · published September 2020, updated January 2022

NIST SP 800-53 Rev. 5 — AU-11 Audit Record Retention

AU-11 AUDIT RECORD RETENTION — Control statement

"Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."

Supports: Verbatim NIST mandate for audit-record retention tied to regulatory requirements. "After-the-fact investigations" is the direct analogue of Helmwart's reactive-phase framing. AU-11 is the primary NIST grounding for the retention-window requirement.

Does not prove: Does not specify WORM or immutability — only retention duration. The WORM specificity comes from AU-9(1) and from the SEC/FINRA regulatory layer, not from AU-11 alone.

Reference 6
NIST SP 800-53r5 · published September 2020, updated January 2022

NIST SP 800-53 Rev. 5 — AU-9 Protection of Audit Information

AU-9 Control statement (a) and AU-9(1) HARDWARE WRITE-ONCE MEDIA enhancement

"Protect audit information and audit logging tools from unauthorized access, modification, and deletion … Write audit trails to hardware-enforced, write-once media. [Discussion:] Write-once, read-many (WORM) media includes Compact Disc-Recordable (CD-R), Blu-Ray Disc Recordable (BD-R), and Digital Versatile Disc-Recordable (DVD-R)."

Supports: AU-9 is the direct NIST authority for protecting audit records against modification and deletion. AU-9(1) explicitly names WORM as the hardware enforcement mechanism. Combined with AU-11, this is the NIST foundation for the legal-hold control.

Does not prove: AU-9(1) lists physical media (CD-R, DVD-R) as examples — predating cloud WORM implementations. The MDX applies the principle to cloud object-lock; this is a Helmwart extension of the underlying intent, not a literal reading of the enhancement.

Reference 7
FINRA Rules (continuously updated)

FINRA Rule 4511 — General Requirements for Books and Records

FINRA Rule 4511(c) — Format and media requirement

"All books and records required to be made pursuant to the FINRA rules shall be preserved in a format and media that complies with SEA Rule 17a-4."

Supports: Direct cross-reference from FINRA to SEC Rule 17a-4 for the WORM format requirement. Combined with the MDX's vendor claim that AWS Object Lock is Cohasset-certified for FINRA 4511, this closes the regulatory chain. The MDX cites FINRA 4511 alongside SEC 17a-4(f) as a named regulatory driver.

Does not prove: FINRA 4511 itself does not define WORM — it delegates the format requirement to SEC 17a-4. The agentic-AI application is Helmwart's; FINRA only mandates retention for broker-dealer records, not for AI audit trails generally.

Reference 8
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1 (T8 Repudiation)

§T8 Repudiation and Untraceability — named scenario "Financial Transaction Obfuscation" (reproduced in Helmwart's t8.mdx from the upstream document)

"Financial Transaction Obfuscation. A payments agent processes hundreds of fund transfers per day. An operator with access to the agent's log-management interface deletes or truncates log entries for a subset of transactions, leaving no trace of the originating user's instruction … Because the agent's logging pipeline writes to the same infrastructure the operator administers, no independent witness of the action exists."

Supports: Verbatim named scenario showing the exact threat WORM defeats: log deletion by an operator with access to the logging infrastructure. This is the attack surface that compliance-mode Object Lock forecloses — the lock refuses the DELETE, removing the "no independent witness" condition. Also names Compliance Violation Concealment and Security System Evasion as companion scenarios.

Does not prove: T8 does not prescribe WORM as the mitigation — it describes the threat. Legal-hold/WORM as the control is Helmwart's mapping. OWASP T8 also does not name AML.M0024 directly; the ATLAS cross-reference is Helmwart's.

Reference 9
Google Cloud documentation (continuously updated)

Google Cloud Storage Bucket Lock documentation

Overview section and "Policy Locking" section

"When a bucket retention policy is set, objects in the bucket can only be deleted or replaced once their age is greater than the retention period … Once you lock a policy, you cannot remove it or reduce the retention period it has."

Supports: Third major cloud vendor confirming WORM semantics: locked retention policy is irreversible, objects cannot be deleted before the retention period. Confirms MDX's claim that "AWS S3 Object Lock, Azure Immutable Blob, GCP Bucket Lock" all implement the same primitive. GCP Bucket Lock can help with "regulatory and compliance requirements, such as those associated with FINRA, SEC, and CFTC."

Does not prove: GCP Bucket Lock does not implement separate "legal hold" semantics natively in the same way as AWS/Azure — it uses "event-based holds." The MDX does not detail GCP-specific hold semantics.