AI Compliance Gap Analysis

Which compliance controls face the most AI security threats? Analysis of 1,293 CVE mappings across 3 frameworks to identify high-risk areas and coverage gaps.

Last updated: April 2, 2026

Frameworks: 3 · Total Controls: 26 · With CVE Mappings: 21 · Gaps (No CVEs): 5

ISO 42001

8 controls · 6 covered · 2 gaps

| Control | CVEs | Threat Level | Risk |
|---|---|---|---|
| A.6.2.6 AI system risk treatment | 245 | | High |
| A.6.2.4 AI system risk assessment | 20 | | Medium |
| A.10.2 AI system lifecycle | 16 | | Low |
| A.10.3 Data quality for AI systems | 15 | | Low |
| A.7.3 Awareness — AI-specific threats | 8 | | Low |
| A.10.4 AI system testing and validation | 1 | | Low |
| A.5.4 AI system impact assessment process | 0 | No data | Gap |
| B.4 Monitoring and measurement of AI risks | 0 | No data | Gap |

EU AI Act

8 controls · 5 covered · 3 gaps

| Control | CVEs | Threat Level | Risk |
|---|---|---|---|
| Art.15 Accuracy, robustness and cybersecurity | 139 | | High |
| Art.9 Risk management system | 61 | | Medium |
| Art.17 Quality management system | 5 | | Low |
| Art.10 Data and data governance | 1 | | Low |
| Art.13 Transparency and information to deployers | 1 | | Low |
| Art.14 Human oversight | 0 | No data | Gap |
| Art.42 Presumption of conformity with certain requirements | 0 | No data | Gap |
| Art.62 Reporting of serious incidents | 0 | No data | Gap |

OWASP LLM Top 10

10 controls · 10 covered · Full coverage

| Control | CVEs | Threat Level | Risk |
|---|---|---|---|
| LLM05 Improper Output Handling | 151 | | High |
| LLM04 Data and Model Poisoning | 144 | | High |
| LLM07 System Prompt Leakage | 108 | | High |
| LLM06 Excessive Agency | 103 | | High |
| LLM03 Supply Chain Vulnerabilities | 83 | | Medium |
| LLM08 Vector and Embedding Weaknesses | 67 | | Medium |
| LLM02 Sensitive Information Disclosure | 63 | | Medium |
| LLM01 Prompt Injection | 27 | | Medium |
| LLM10 Unbounded Consumption | 19 | | Low |
| LLM09 Misinformation | 16 | | Low |

Need the full evidence pack?

Download detailed CVE-to-control mappings with rationale, severity scores, and remediation status. Ready for ISO 42001 and EU AI Act audits.
