{
 "reviewed": "2026-07-15",
 "disclosure": "ALLinAI 控制設計起點，不是法律意見、合規認證、資安認證、完整控制清單或保證；NIST AI RMF 1.0 正在更新，Core 與 Playbook 是自願性資源，不是逐項勾選表。請依實際系統、資料、權限、契約、法規與錯誤後果裁剪並實測。",
 "categories": {
  "governance": "治理與責任",
  "data": "資料與知識",
  "model": "模型與輸出",
  "access": "身分與工具權限",
  "actions": "外部動作與交易",
  "operations": "監控與營運"
 },
 "systems": {
  "generation": "文字生成",
  "rag": "RAG 知識庫",
  "extraction": "擷取／結構化",
  "classification": "分類／預測",
  "agent": "AI Agent"
 },
 "types": {
  "preventive": "預防性",
  "detective": "偵測性",
  "corrective": "矯正／復原"
 },
 "sources": {
  "nist_rmf": "https://airc.nist.gov/airmf-resources/airmf/5-sec-core/",
  "nist_playbook": "https://airc.nist.gov/airmf-resources/playbook/",
  "nist_sp800_218a": "https://csrc.nist.gov/pubs/sp/800/218/a/final",
  "cisa_secure_ai": "https://www.cisa.gov/news-events/alerts/2023/11/26/cisa-and-uk-ncsc-unveil-joint-guidelines-secure-ai-system-development",
  "owasp_llm_2025": "https://genai.owasp.org/resource/owasp-top-10-for-llm-applications-2025/",
  "owasp_output": "https://genai.owasp.org/llmrisk/llm052025-improper-output-handling/",
  "owasp_agentic_2026": "https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/"
 },
 "controls": [
  {
   "slug": "use-case-owner-and-scope",
   "category": "governance",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive",
    "detective"
   ],
   "name": "使用情境、Owner 與適用範圍",
   "risk": "沒有人對用途、資料、輸出與停用負責，功能會在未審查情境擴張。",
   "implement": "為每個正式用途登錄業務 Owner、技術 Owner、使用者、允許與禁止用途、資料、影響及停用方式。",
   "verify": "抽查正式端點、內部工具與工作流是否都能對到現行清冊；請 Owner 說明最近一次覆核與停止方式。",
   "evidence": "版本化清冊、Owner 接受紀錄、範圍圖、覆核日期、停用演練。",
   "failure": "清冊只有模型名稱、Owner 已離職、實際用途超出登錄範圍，或找不到可停用的人。",
   "owners": "業務 Owner、產品、平台、風險／法務"
  },
  {
   "slug": "risk-based-use-case-approval",
   "category": "governance",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive"
   ],
   "name": "風險分級與使用情境批准",
   "risk": "高影響、敏感資料或外部動作在沒有適任審查時直接上線。",
   "implement": "上線前依影響、資料、可逆性、自動化程度與使用者群體決定審查、測試、人工關卡及批准角色。",
   "verify": "用高風險與低風險案例走一次流程，確認路由、必填證據與無批准時的阻斷。",
   "evidence": "分級問卷、決策理由、簽核狀態、例外、測試與發布紀錄。",
   "failure": "由開發者自行勾選通過、分數可以被平均抵銷，或未批准仍可發布。",
   "owners": "業務 Owner、風險／法務、資安、發布負責人"
  },
  {
   "slug": "policy-exception-expiry",
   "category": "governance",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive",
    "detective",
    "corrective"
   ],
   "name": "政策、例外與到期機制",
   "risk": "臨時繞過變成永久設定，或使用者不知道哪些行為被禁止。",
   "implement": "把允許／禁止用途、資料、人工責任與通報寫成可執行政策；例外需 Owner、理由、補償控制與到期日。",
   "verify": "查詢所有有效例外，驗證到期會阻斷或重新審查；訪談使用者是否理解禁止用途。",
   "evidence": "政策版本、教育紀錄、例外台帳、到期通知、關閉或續批證據。",
   "failure": "例外無到期、政策只放在文件沒進流程，或到期後權限仍有效。",
   "owners": "政策 Owner、風險／法務、IAM、業務主管"
  },
  {
   "slug": "inventory-lifecycle-decommission",
   "category": "governance",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive",
    "detective",
    "corrective"
   ],
   "name": "系統清冊、生命週期與退場",
   "risk": "影子 AI、廢棄端點、舊模型或孤兒資料持續產生費用與未管理風險。",
   "implement": "登錄模型、提示、資料、索引、工具、供應商、環境與相依性；定義上線、覆核、停用、保存與退場。",
   "verify": "以帳單、API gateway、IAM、程式庫與供應商清單對帳，找出未登錄或已退場但仍有流量的資產。",
   "evidence": "清冊差異、流量與成本對帳、退場工單、憑證撤銷、資料處理紀錄。",
   "failure": "清冊由人工半年更新一次、模型別名沒有實際版本，或停 UI 但端點與憑證仍可用。",
   "owners": "平台、採購、資安、資料與業務 Owner"
  },
  {
   "slug": "data-minimization-and-redaction",
   "category": "data",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive",
    "detective",
    "corrective"
   ],
   "name": "資料最小化、遮罩與秘密排除",
   "risk": "輸入、提示、評測或日誌帶入不必要個資、機密與憑證。",
   "implement": "在資料進模型、索引、trace 與供應商前，依用途移除不必要欄位、遮罩識別資料並禁止秘密原文。",
   "verify": "用合成敏感樣本測輸入、錯誤、輸出、下載與日誌；定期掃描抽樣並由資料 Owner 判讀。",
   "evidence": "欄位清單、資料流、遮罩規則、測試結果、例外與清除／輪替紀錄。",
   "failure": "只在畫面遮罩、原始值仍進供應商或日誌，或用黑名單漏掉新格式。",
   "owners": "資料 Owner、隱私、資安、平台"
  },
  {
   "slug": "retrieval-acl-and-tenant-isolation",
   "category": "data",
   "systems": [
    "rag",
    "agent"
   ],
   "types": [
    "preventive",
    "detective"
   ],
   "name": "檢索前 ACL 與租戶隔離",
   "risk": "RAG 在排序後才檢查權限，洩漏跨角色、部門或租戶內容與存在性。",
   "implement": "以呼叫者身分在檢索前套用文件 ACL；租戶索引、快取、記憶與日誌採明確隔離，撤權即時生效。",
   "verify": "測跨角色、跨租戶、撤權、分享變更、快取命中與錯誤訊息；確認候選文件階段已阻擋。",
   "evidence": "身分與 ACL 快照、查詢 trace、候選文件、拒絕結果、撤權延遲測試。",
   "failure": "只要求模型不要透露、權限只套在答案，或共用快取鍵沒有租戶維度。",
   "owners": "IAM、資料 Owner、RAG／平台工程、資安"
  },
  {
   "slug": "retention-deletion-and-purpose",
   "category": "data",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive",
    "detective",
    "corrective"
   ],
   "name": "保存、刪除與目的限制",
   "risk": "輸入、輸出、trace 或供應商資料保存過久、被拿去未核准用途或無法刪除。",
   "implement": "逐資料類型定義用途、位置、保存期、刪除、備份與供應商設定；停止使用與資料主體要求要能被執行。",
   "verify": "建立可追蹤測試資料，走到到期與刪除，確認索引、快取、備份及供應商複本的處理結果。",
   "evidence": "保存矩陣、實際設定、刪除請求、完成證明、供應商回覆與殘留差異。",
   "failure": "只寫政策沒有刪除作業、刪主庫卻留在索引，或供應商預設設定與核准不一致。",
   "owners": "隱私／法務、資料 Owner、平台、供應商 Owner"
  },
  {
   "slug": "data-quality-version-and-provenance",
   "category": "data",
   "systems": [
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive",
    "detective",
    "corrective"
   ],
   "name": "資料品質、版本與來源脈絡",
   "risk": "過期、衝突、解析失敗或來源不明的資料被當成現行標準答案。",
   "implement": "保存文件／資料版本、生效日、Owner、來源、解析與索引 manifest；衝突、缺值與失敗列不得靜默略過。",
   "verify": "以新舊版本、衝突來源、表格、掃描文件與刪除資料測試；抽查輸出能否回到支持主張的版本。",
   "evidence": "資料字典、來源與 hash、建置 manifest、失敗清單、人工裁決與更正紀錄。",
   "failure": "只看索引文件數、來源 URL 沒有版本，或把解析失敗資料列當成空值繼續。",
   "owners": "資料 Owner、內容 Owner、資料／RAG 工程、品質"
  },
  {
   "slug": "model-prompt-version-pinning",
   "category": "model",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive",
    "detective",
    "corrective"
   ],
   "name": "模型、提示與參數版本固定",
   "risk": "模型別名、prompt 或參數無聲變更，導致結果無法重現或回復。",
   "implement": "以不可變版本識別模型、prompt、工具描述、schema、參數與政策組合；發布記錄實際版本而非只記別名。",
   "verify": "由正式結果反查完整版本並重跑代表案例；模擬供應商別名變更與舊版回切。",
   "evidence": "版本 ID、內容 hash、部署 manifest、差異、回歸結果與回切演練。",
   "failure": "檔名叫 final、只有 Git commit 沒有線上版本，或回復舊 prompt 卻搭到新 schema。",
   "owners": "ML／Agent 工程、平台、發布負責人、品質"
  },
  {
   "slug": "instruction-data-separation",
   "category": "model",
   "systems": [
    "generation",
    "rag",
    "agent"
   ],
   "types": [
    "preventive",
    "detective"
   ],
   "name": "指令、政策與不可信內容分離",
   "risk": "使用者、網頁、文件或郵件中的內容被當成高權限指令。",
   "implement": "系統政策與工具邊界由程式和授權層強制；外部內容標為不可信資料，不得自行改任務、權限或目的地。",
   "verify": "在文件、網頁、郵件與編碼變體植入合成間接指令，確認不會洩漏、改收件人或呼叫未允許工具。",
   "evidence": "信任邊界圖、提示／政策版本、測試 corpus、工具 trace、拒絕與人工升級結果。",
   "failure": "只在 system prompt 寫『忽略惡意指令』、關鍵控制交給模型判斷，或工具可接受任意 URL。",
   "owners": "資安、Agent／RAG 工程、內容與工具 Owner"
  },
  {
   "slug": "evaluation-release-gate",
   "category": "model",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive",
    "detective"
   ],
   "name": "代表性評測與發布閘門",
   "risk": "只看示範或單一平均分數，重大錯誤仍被其他高分抵銷後上線。",
   "implement": "在測試前定義代表案例、分群、人工基準、門檻與重大阻斷；模型、提示、資料或工具變更都對應重測。",
   "verify": "以固定驗收集重跑並查看逐題、分群、變異與重大失敗；驗證 no-go 真的阻止發布。",
   "evidence": "測試集版本、評分規則、逐題結果、人工裁決、門檻、批准與例外。",
   "failure": "看到結果後改門檻、一直用驗收集調 prompt，或安全失敗被平均品質分數掩蓋。",
   "owners": "業務 Owner、品質／ML、風險角色、發布負責人"
  },
  {
   "slug": "output-schema-and-sink-validation",
   "category": "model",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive",
    "detective"
   ],
   "name": "輸出 Schema 與下游驗證",
   "risk": "模型輸出被直接當 HTML、SQL、命令、金額或工具參數，造成注入與資料損壞。",
   "implement": "將輸出視為不可信資料；使用嚴格 schema、型別、範圍、編碼、允許值與目的端驗證，顯示內容採安全轉義。",
   "verify": "測格式錯誤、超長、HTML／命令片段、負數、單位、未知欄位與部分輸出，確認 fail closed。",
   "evidence": "schema 版本、驗證規則、拒絕樣本、錯誤率、下游寫入前後紀錄。",
   "failure": "只要求模型輸出 JSON、解析失敗就猜測修正，或同一輸出未轉義直接送多種目的端。",
   "owners": "應用工程、工具／資料 Owner、資安、品質"
  },
  {
   "slug": "least-privilege-service-identity",
   "category": "access",
   "systems": [
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive",
    "detective",
    "corrective"
   ],
   "name": "最小權限服務身分",
   "risk": "AI 共用高權限帳號，任務可讀寫超出用途資料且無法歸責。",
   "implement": "每個工作負載使用獨立身分與最小 scope；區分讀、寫、刪除、寄送與付款，短效憑證並定期覆核。",
   "verify": "從每個工具和資料源反查實際權限，測未授權操作、撤權與過期；比對最近使用與已核准 scope。",
   "evidence": "IAM 政策、權限差異、存取日誌、覆核、撤權與失敗測試。",
   "failure": "所有 Agent 共用管理員 key、只靠前端隱藏按鈕，或停用人員後長效憑證仍有效。",
   "owners": "IAM、資安、平台、工具與資料 Owner"
  },
  {
   "slug": "managed-secrets-and-rotation",
   "category": "access",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive",
    "detective",
    "corrective"
   ],
   "name": "受管秘密、短效憑證與輪替",
   "risk": "API key、token 或連線字串進入 prompt、程式庫、日誌與聊天紀錄。",
   "implement": "秘密只由受管秘密系統注入，程式與 prompt 使用參照；限制 scope、保存與顯示，建立輪替與緊急撤銷。",
   "verify": "以假秘密做提交、輸出與日誌測試；輪替一個測試憑證，確認舊值失效且服務能恢復。",
   "evidence": "秘密掃描、存取紀錄、scope、輪替演練、撤銷時間與相依服務結果。",
   "failure": "秘密寫在 system prompt 或環境範例、只遮畫面沒撤銷，或所有環境共用同一 key。",
   "owners": "資安、平台、秘密 Owner、應用工程"
  },
  {
   "slug": "tool-allowlist-and-typed-contract",
   "category": "access",
   "systems": [
    "agent"
   ],
   "types": [
    "preventive",
    "detective"
   ],
   "name": "工具允許清單與型別化契約",
   "risk": "Agent 可呼叫未核准工具、任意端點或以自由文字組合危險參數。",
   "implement": "每個用途明列允許工具、方法、目的地與參數 schema；伺服器重新驗證身分、範圍、業務規則及輸出。",
   "verify": "測未知工具、額外欄位、任意 URL、路徑穿越、跨租戶 ID、超限與工具描述遭修改。",
   "evidence": "工具 registry、schema 版本、政策決策、拒絕 trace、目的地與參數稽核。",
   "failure": "工具描述等於授權、使用者可傳完整 URL，或模型產生參數後直接由高權限後端執行。",
   "owners": "工具 Owner、Agent 工程、資安、IAM"
  },
  {
   "slug": "step-up-approval-and-separation",
   "category": "access",
   "systems": [
    "agent"
   ],
   "types": [
    "preventive",
    "detective"
   ],
   "name": "高影響動作逐次批准與職責分離",
   "risk": "模型把沉默、舊批准或自己的文字當成授權，直接寄送、刪除、付款或改權限。",
   "implement": "高影響動作顯示對象、金額、差異與不可逆性，綁定單次請求與有效期；批准者和執行者依風險分離。",
   "verify": "測拒絕、逾時、撤回、參數變更、重放、代理批准與無人接手，確認均 fail closed。",
   "evidence": "批准人、時間、請求 hash、實際參數、執行結果、拒絕與撤回紀錄。",
   "failure": "一次批准整段對話、按鈕後參數仍可變，或模型自行判定『使用者應該同意』。",
   "owners": "業務／財務 Owner、IAM、工具 Owner、風險角色"
  },
  {
   "slug": "idempotency-and-deduplication",
   "category": "actions",
   "systems": [
    "agent"
   ],
   "types": [
    "preventive",
    "detective",
    "corrective"
   ],
   "name": "冪等鍵、去重與重放保護",
   "risk": "逾時、重試或回應遺失造成重複寄送、扣款、建單、寫入或刪除。",
   "implement": "以穩定業務鍵產生伺服器端冪等鍵，原子保存請求與結果；相同鍵不同參數拒絕，狀態未知先查詢。",
   "verify": "測逾時、回應遺失、並發、queue 重送與跨程序重試，確認外部副作用只發生一次。",
   "evidence": "冪等鍵、請求 hash、去重命中、外部交易、重試與人工處理紀錄。",
   "failure": "只在瀏覽器停用按鈕、每次重試產生新鍵，或把 HTTP timeout 當成未執行。",
   "owners": "平台、工具 Owner、業務／財務、品質"
  },
  {
   "slug": "state-machine-and-compensation",
   "category": "actions",
   "systems": [
    "agent"
   ],
   "types": [
    "preventive",
    "detective",
    "corrective"
   ],
   "name": "狀態機、交易邊界與人工補償",
   "risk": "多步驟流程部分成功，系統卻回報整體完成或直接重跑造成更多不一致。",
   "implement": "定義每步狀態、可重入點、提交邊界、補償與人工接管；以外部正式狀態判斷，不以模型敘述猜測。",
   "verify": "測每一步失敗、補償失敗、程序中斷與人工接管；逐筆核對外部系統最終狀態。",
   "evidence": "狀態轉移、工具回應、外部前後狀態、補償批准與未解案件。",
   "failure": "用 try/catch 當交易、回版就宣稱外部動作已復原，或無法表示『狀態未知』。",
   "owners": "工作流／工具 Owner、平台、業務、客服／財務"
  },
  {
   "slug": "dry-run-sandbox-and-diff-preview",
   "category": "actions",
   "systems": [
    "agent"
   ],
   "types": [
    "preventive",
    "detective"
   ],
   "name": "Dry-run、沙盒與變更差異預覽",
   "risk": "未看清實際收件人、資料差異與影響，就讓 Agent 在正式系統執行。",
   "implement": "先在隔離環境或 read-only 模式產生計畫與精確 diff；正式執行前由有權者檢視實際參數與範圍。",
   "verify": "比較 dry-run 與正式執行的參數、資料與權限；測預覽後資料變更時必須重新批准。",
   "evidence": "預覽版本、差異、批准 hash、環境隔離、正式執行與偏差紀錄。",
   "failure": "沙盒共用正式憑證、預覽是自然語言摘要，或批准後仍可更換收件人與金額。",
   "owners": "工具／業務 Owner、平台、資安、批准者"
  },
  {
   "slug": "limits-circuit-breaker-safe-stop",
   "category": "actions",
   "systems": [
    "agent"
   ],
   "types": [
    "preventive",
    "detective",
    "corrective"
   ],
   "name": "步數、成本、速率上限與安全停止",
   "risk": "Agent 迴圈、錯誤重試或工具風暴持續花費並放大外部副作用。",
   "implement": "設定工作、時間、token、成本、工具次數、寫入量與速率上限；重複狀態、錯誤率或預算超限即停止轉人工。",
   "verify": "注入空結果、持續錯誤、循環計畫、慢回應與超限，確認 circuit breaker 能阻斷且留下可接手狀態。",
   "evidence": "上限設定、停止原因、告警送達、成本／呼叫量、外部狀態與人工接管。",
   "failure": "只有全域月預算、停止只關 UI，或 retry 沒有總上限與 jitter。",
   "owners": "平台／SRE、Agent 工程、成本與工具 Owner"
  },
  {
   "slug": "production-monitoring-and-slo",
   "category": "operations",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "detective",
    "corrective"
   ],
   "name": "部署後監控、SLO 與分群",
   "risk": "服務 HTTP 仍成功，但任務品質、引用、權限、成本或人工負荷已惡化。",
   "implement": "監控任務成功、重大錯誤、依據、安全、延遲、成本、申訴與人工覆核；依版本、角色、語言與高影響情境分群。",
   "verify": "用合成案例端到端觸發指標、告警與接手；抽樣對照真實工作成果，不只檢查 status code。",
   "evidence": "指標定義與分母、基準、分群儀表板、告警、值班回應與更正紀錄。",
   "failure": "只看平均滿意度、沒有版本維度、告警從未演練，或自動評分本身未校準。",
   "owners": "產品、SRE／平台、品質／ML、業務 Owner"
  },
  {
   "slug": "audit-trace-and-evidence-integrity",
   "category": "operations",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "detective",
    "corrective"
   ],
   "name": "可追溯稽核紀錄與證據完整性",
   "risk": "出事後無法重建輸入、版本、權限、批准、工具呼叫與外部結果。",
   "implement": "以工作 ID 串接最小必要的輸入輸出、模型／提示／索引／工具版本、政策決策、批准與外部狀態；限制存取與保存。",
   "verify": "隨機抽一筆正式結果重建完整時間線；測日誌輪替、時鐘、欄位缺失與未授權修改。",
   "evidence": "trace schema、時間同步、存取紀錄、完整性檢查、保存與刪除證據。",
   "failure": "只存模型回覆、trace 充滿秘密、不同系統沒有共同 ID，或可由同一執行者覆寫。",
   "owners": "平台／SRE、資安、隱私、稽核／品質"
  },
  {
   "slug": "incident-runbook-rollback-and-drill",
   "category": "operations",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "detective",
    "corrective"
   ],
   "name": "AI 事件流程、回復與演練",
   "risk": "事故只停聊天介面，外部副作用、錯誤決定與受影響者沒有被更正。",
   "implement": "把模型、資料、RAG、Agent 與供應商事故接進既有事件流程；列停止、保全、回復、補償、通知與救濟角色。",
   "verify": "用資料外洩、越權動作、錯誤決定與供應商中斷做桌上或技術演練，驗證告警到關單全流程。",
   "evidence": "runbook、演練時間線、回復結果、外部補償、受影響者處理與改善追蹤。",
   "failure": "只有工程 rollback、沒有法務／客服／業務角色，或事故關單只看服務恢復。",
   "owners": "事件指揮、資安、平台、業務、隱私／法務、客服"
  },
  {
   "slug": "vendor-change-resilience-and-exit",
   "category": "operations",
   "systems": [
    "generation",
    "rag",
    "extraction",
    "classification",
    "agent"
   ],
   "types": [
    "preventive",
    "detective",
    "corrective"
   ],
   "name": "供應商變更監控、韌性與退場",
   "risk": "供應商改模型、限制、資料處理或停止服務，組織無法辨識、降級或遷移。",
   "implement": "盤點相依性、實際版本、資料流、子處理者與合約；建立契約測試、變更通知、核准備援、降級與資料取回／刪除。",
   "verify": "模擬端點中斷、限流、輸出改變與退場；確認固定版本、切換、資料匯出及舊憑證撤銷。",
   "evidence": "供應商清單、契約／設定、變更差異、備援演練、資料匯出與刪除證明。",
   "failure": "狀態頁等於監控、模型別名等於固定版本，或備援從未用相同資料與權限測試。",
   "owners": "供應商 Owner、採購／法務、平台、資安、資料 Owner"
  }
 ]
}