Every resource in the Inventory is evaluated against a fixed set of security controls chosen for its type. Each control returns one of four statuses; results are combined into a weighted 0–100 posture score and bucketed into a risk level.
Control statuses
Every control emits one of four values:
| Status | Meaning | Weight contribution |
|---|---|---|
| PASS | Control is satisfied | 0% |
| WARNING | Partial or degraded satisfaction (e.g. instructions present but very short) | 50% |
| FAIL | Control is violated | 100% |
| UNKNOWN | Required data is not available — usually a permissions gap in the integration | 30% |
Alongside the score, every resource reports a data completeness metric — the ratio of assessed (non-UNKNOWN) controls to total controls. A resource with many UNKNOWN results should be investigated at the integration level before trusting the score.
Risk levels
The 0–100 score is bucketed by exact thresholds:
| Level | Score range | Response |
|---|---|---|
| Critical | >= 75 | Act immediately — material exposure exists |
| High | 50–74 | Address within the current sprint |
| Medium | 25–49 | Hardening opportunity |
| Low | 0–24 | Hygiene |
Control category weights
Controls belong to a category; each category carries a base weight that feeds the score. Cloud resources (agents, models, datasets) and endpoint resources (IDEs, extensions, CLIs, MCP servers on devices) use different weight tables because their risk topologies differ.
| Category | Cloud weight | Endpoint weight |
|---|---|---|
| Supply chain | 30 | 40 |
| Excessive agency | 25 | 25 |
| Prompt injection | 20 | 5 |
| Sensitive data | 15 | 10 |
| Guardrails | 15 | 10 |
| Content safety | 15 | 5 |
| Data privacy | 15 | 10 |
| Output handling | 10 | 5 |
| Model security | 10 | 10 |
Endpoint scoring shifts weight toward supply-chain (known CVEs in installed AI tools) and away from prompt-injection / content-safety, which apply less to a managed IDE than to a production agent.
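To make the scoring mechanics above concrete, here is an added Python example (not NeuralTrust's code) that combines the per-status contributions, the per-control weights and the category base weights into a 0–100 score, a data completeness ratio and a risk level. The page does not state how control weight and category weight are combined, so the example assumes effective weight = control weight × category base weight, normalised over all controls of the resource; the sample results are constructed.

```python
from dataclasses import dataclass
# Status -> share of the control's weight counted as violated (control status table).
STATUS_CONTRIBUTION = {"PASS": 0.0, "WARNING": 0.5, "FAIL": 1.0, "UNKNOWN": 0.3}
# Category base weights from the page, keyed by resource scope.
CATEGORY_WEIGHTS = {
    "cloud": {"Supply chain": 30, "Excessive agency": 25, "Prompt injection": 20,
              "Sensitive data": 15, "Guardrails": 15, "Content safety": 15,
              "Data privacy": 15, "Output handling": 10, "Model security": 10},
    "endpoint": {"Supply chain": 40, "Excessive agency": 25, "Prompt injection": 5,
                 "Sensitive data": 10, "Guardrails": 10, "Content safety": 5,
                 "Data privacy": 10, "Output handling": 5, "Model security": 10},
}

@dataclass
class ControlResult:
    control_id: str
    category: str
    weight: float  # control weight from the catalog tables
    status: str    # PASS / WARNING / FAIL / UNKNOWN

def posture_score(results, scope="cloud"):
    """Return (score, completeness). Assumed rule, not stated on the page: effective
    weight = control weight x category base weight; score = weighted mean, 0-100."""
    base = CATEGORY_WEIGHTS[scope]
    total = violated = 0.0
    for r in results:
        effective = r.weight * base[r.category]
        total += effective
        violated += effective * STATUS_CONTRIBUTION[r.status]
    score = round(100.0 * violated / total, 1) if total else 0.0
    assessed = sum(1 for r in results if r.status != "UNKNOWN")
    completeness = round(assessed / len(results), 2) if results else 0.0
    return score, completeness

def risk_level(score):
    """Bucket a 0-100 score with the page's exact thresholds."""
    for floor, level in ((75, "Critical"), (50, "High"), (25, "Medium")):
        if score >= floor:
            return level
    return "Low"

# Constructed results for one agent (ids and weights taken from the Agents table).
SAMPLE_RESULTS = [
    ControlResult("computer_use", "Excessive agency", 2.5, "FAIL"),
    ControlResult("guardrails_configured", "Guardrails", 1.2, "FAIL"),
    ControlResult("instructions_present", "Guardrails", 1.0, "WARNING"),
    ControlResult("agent_model_version", "Supply chain", 2.0, "PASS"),
    ControlResult("jailbreak_detection", "Prompt injection", 2.0, "UNKNOWN"),
]
```

Scoring the same constructed results under the endpoint weight table drops the score by about four points, which is the supply-chain / prompt-injection shift described above in numbers.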
Controls by resource type
Every control carries an id, human-readable name, a category, a weight, a list of mapped compliance frameworks, a description of why the risk exists, and remediation steps. Below is the full catalog.
Agents
Applies to Azure AI Foundry agents, Mistral agents, GCP Vertex AI Reasoning Engines, and M365 Copilot / Copilot Studio agents.
| ID | Name | Category | Weight |
|---|---|---|---|
| computer_use | Computer Use Capability | Excessive agency | 2.5 |
| agent_model_version | Agent Model Version | Supply chain | 2.0 |
| jailbreak_detection | Jailbreak Detection Enabled (Azure) | Prompt injection | 2.0 |
| function_tools_scope | Function Tools Scope | Excessive agency | 2.0 |
| critical_function_patterns | Critical Function Patterns | Excessive agency | 2.0 |
| browser_automation | Browser Automation Capability | Excessive agency | 2.0 |
| code_interpreter | Code Interpreter Risk | Excessive agency | 1.8 |
| combined_excessive_agency | Combined Excessive Agency | Excessive agency | 1.8 |
| content_filter_enabled | Content Filtering Enabled (Azure) | Content safety | 1.5 |
| document_library_exposure | Document Library Exposure | Sensitive data | 1.5 |
| deep_research | Autonomous Deep Research | Excessive agency | 1.5 |
| guardrails_configured | Guardrails Configured | Guardrails | 1.2 |
| file_search_access | File Search Data Access | Sensitive data | 1.2 |
| mcp_tools | MCP Server Connections | Excessive agency | 1.2 |
| instructions_present | System Instructions Defined | Guardrails | 1.0 |
| agent_version_tracked | Agent Version Tracked | Supply chain | 1.0 |
| version_history_stability | Version History Stability (Mistral) | Supply chain | 1.0 |
| deployment_aliases_configured | Deployment Aliases Configured (Mistral) | Supply chain | 1.0 |
| classic_retirement | Classic Assistants API Retirement (Azure) | Supply chain | 1.0 |
| content_thresholds | Content Filter Thresholds (Azure) | Content safety | 1.0 |
| protected_material | Protected Material Detection (Azure) | Sensitive data | 1.0 |
| memory_enabled | Conversation Memory (Azure) | Data privacy | 1.0 |
| response_format | Response Format Constraints (Azure) | Output handling | 1.0 |
| sampling_parameters | Sampling Parameters | Guardrails | 1.0 |
| connected_agents | Connected Agent Chain | Excessive agency | 1.0 |
| external_data_access | External Data Access | Excessive agency | 1.0 |
| knowledge_base_connected | Knowledge Base Connectivity | Sensitive data | 1.0 |
| fabric_access | Microsoft Fabric Access | Sensitive data | 1.0 |
| sharepoint_access | SharePoint Access | Sensitive data | 1.0 |
| openapi_access | OpenAPI Tool Access | Excessive agency | 1.0 |
| copilot_authentication | Copilot Authentication (M365) | Guardrails | 1.0 |
| copilot_access_control | Copilot Access Control (M365) | Guardrails | 1.0 |
| copilot_data_exposure | Copilot Data Source Exposure (M365) | Sensitive data | 1.0 |
| copilot_teams_publishing | Copilot Teams Publishing (M365) | Supply chain | 1.0 |
| copilot_solution_managed | Copilot Solution Managed (M365) | Supply chain | 1.0 |
| copilot_owner_assigned | Copilot Owner Assigned (M365) | Supply chain | 1.0 |
Models
Applies to foundation models in Azure Cognitive Services, Azure ML Workspaces, GCP Vertex AI Model Registry, and Mistral.
| ID | Name | Category | Weight |
|---|---|---|---|
| model_safety_guardrails | Model Safety Guardrails | Guardrails | 3.0 |
| model_lifecycle | Model Lifecycle Status | Supply chain | 2.5 |
| model_provider_trust | Model Provider Trust | Supply chain | 2.5 |
| model_capabilities_risk | Model Capabilities Risk | Model security | 2.5 |
| model_content_filter | Model Content Filter (Azure) | Content safety | 2.5 |
| model_version_tracked | Model Version Tracked | Supply chain | 2.0 |
Datasets
Applies to vector stores, document libraries, and training datasets.
| ID | Name | Category | Weight |
|---|---|---|---|
| pii_indicators | PII Indicators | Data privacy | 2.5 |
| dataset_compliance | Compliance Requirements | Data privacy | 2.0 |
| dataset_encryption | Data Encryption | Data privacy | 1.5 |
| data_location | Data Storage Location | Data privacy | 1.2 |
MCP servers
Applies to MCP server declarations discovered in source repos (GitHub) and on managed devices (Endpoint Discovery).
| ID | Name | Category | Weight |
|---|---|---|---|
| mcp_no_hardcoded_secrets | No Hardcoded Secrets in MCP Config | Sensitive data | 5.0 |
| mcp_no_tool_poisoning | No Tool Poisoning in MCP Description | Prompt injection | 4.0 |
| mcp_no_auto_approve_wildcard | No Wildcard autoApprove | Excessive agency | 4.0 |
| mcp_supply_chain | MCP Server Supply Chain Safety | Supply chain | 3.5 |
| mcp_uses_https | Remote MCP Server Uses HTTPS | Data privacy | 2.0 |
MCP servers discovered on endpoints also inherit the endpoint-tool controls below.
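Three of the MCP-server controls above can be evaluated directly from a server declaration. The following is an added Python example (not NeuralTrust's code) that runs those checks over a constructed config and reports each as PASS or FAIL; it assumes the common `mcpServers` JSON shape used by desktop MCP clients, and the secret-detection heuristic (a secret-looking env key holding a literal rather than a `${VAR}` reference) is the example's own.

```python
import json
import re
from urllib.parse import urlparse

# Constructed config; assumes the "mcpServers" JSON shape used by several desktop clients.
SAMPLE_CONFIG = json.loads('''{
  "mcpServers": {
    "github": {
      "command": "npx", "args": ["-y", "@example/github-mcp"],
      "env": {"GITHUB_TOKEN": "constructed-literal-token-value-not-real"},
      "autoApprove": ["*"]
    },
    "docs": {"url": "http://docs.example.internal/mcp", "autoApprove": ["search_docs"]},
    "local-files": {"command": "uvx", "args": ["files-mcp"],
                    "env": {"API_KEY": "${FILES_API_KEY}"}}
  }
}''')

# Heuristic (the example's own): a secret-looking env key whose value is a literal
# rather than a ${VAR} / $VAR reference counts as a hardcoded secret.
SECRET_KEY_RE = re.compile(r"token|secret|passw(or)?d|api[_-]?key|credential", re.I)
ENV_REFERENCE_RE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")

def mcp_no_hardcoded_secrets(server):
    for key, value in server.get("env", {}).items():
        if SECRET_KEY_RE.search(key) and not ENV_REFERENCE_RE.match(str(value)):
            return "FAIL"
    return "PASS"

def mcp_no_auto_approve_wildcard(server):
    # A "*" entry lets every tool call run without a human in the loop.
    return "FAIL" if "*" in server.get("autoApprove", []) else "PASS"

def mcp_uses_https(server):
    url = server.get("url")
    if url is None:
        return "PASS"  # stdio server: no network transport, control not applicable
    return "PASS" if urlparse(url).scheme == "https" else "FAIL"

CHECKS = (mcp_no_hardcoded_secrets, mcp_no_auto_approve_wildcard, mcp_uses_https)

def evaluate(config):
    """Map each declared server to {control_id: status} for the three checks."""
    return {name: {check.__name__: check(server) for check in CHECKS}
            for name, server in config.get("mcpServers", {}).items()}
```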
Endpoint tools
Applies to AI-assisted IDEs, browser extensions, agent CLIs, browsers, and AI runtimes installed on managed devices (reported by the Endpoint Discovery script).
| ID | Name | Category | Weight |
|---|---|---|---|
| endpoint_known_vulnerabilities | No Known Vulnerabilities | Supply chain | 5.0 |
| endpoint_shadow_ai | No Shadow AI Tools | Sensitive data | 5.0 |
| endpoint_tool_approval | Tool Policy Compliance | Supply chain | 4.0 |
| endpoint_vulnerability_severity | Vulnerability Severity Acceptable | Supply chain | 3.5 |
| endpoint_detection_freshness | Detection Data Freshness | Guardrails | 2.0 |
Shadow AI (SaaS)
Applies to AI SaaS usage observed by the Runtime browser extension.
| ID | Name | Category | Weight |
|---|---|---|---|
| shadow_ai_unsanctioned_usage | No Unsanctioned AI Usage | Excessive agency | 6.0 |
| shadow_ai_app_approval | Application Policy Approval | Supply chain | 5.0 |
| shadow_ai_data_handling_risk | Data Handling Risk | Data privacy | 4.0 |
| shadow_ai_provider_trust | AI Provider Trust | Supply chain | 3.0 |
| shadow_ai_detection_intensity | Detection Frequency | Guardrails | 3.0 |
Compliance framework mapping
Every control carries its mapped framework references so a failing control can be traced back to the obligation it supports. The frameworks that appear across the catalog:
- AI frameworks — NIST AI RMF, EU AI Act, ISO/IEC 42001, OWASP LLM Top 10 (2025), OWASP MCP Top 10
- General security — SOC 2 (CC6.7, CC8.1), NIST SP 800-53 (CM-7, RA-5, SI-4, AU-6, SC-28), CIS Controls 2.1 / 7.1
- Privacy — GDPR (Art. 5, Art. 32), CCPA, HIPAA, PCI-DSS, SOX
- Vulnerability — CVSSv3, CWE-74, CWE-306, CWE-319, CWE-494, CWE-798
- OWASP Web — A06:2021
What a finding contains
When a control fails or warns, the resulting finding carries:
| Field | Purpose |
|---|---|
| name | Human-readable control name (e.g. “Code Interpreter Risk”) |
| status | PASS / FAIL / WARNING / UNKNOWN |
| frameworks | Mapped compliance frameworks |
| description / finding | What was detected |
| why_risk | Plain-language explanation of the underlying threat |
| severity_rationale | Why this specific status was assigned (includes status-specific variants for WARNING and UNKNOWN) |
| remediation | Numbered steps to resolve — status-specific for WARNING and UNKNOWN |
Findings are sorted FAIL → WARNING → UNKNOWN → PASS on each resource page so actionable items surface first.
UNKNOWN findings and integration health
UNKNOWN indicates missing data, not missing risk. Every UNKNOWN control ships a generic severity rationale and remediation:
“This control could not be evaluated because the required configuration data was not available from the provider API. The actual risk is indeterminate until the data becomes accessible.”
“Verify that the integration has the required API permissions to retrieve the configuration data this control needs. Re-sync the resource after fixing permissions — the control will be re-evaluated automatically.”
Controls may override this with a provider-specific message (for example, the Mistral version_history_stability control points users at the specific API endpoint and permissions that would unblock evaluation).
Pair with Runtime
Agent-SPM by TrustLens identifies what needs protection. Agent Runtime by TrustGate enforces how it is protected at runtime.
A common pattern: a TrustLens FAIL on guardrails_configured becomes the trigger to put that agent behind a Gateway with a prompt-security policy attached. Once the Gateway is in front, the control will pass on the next sync with a reference back to the runtime policy.