EVIDENCE TRAIL
Goal-consistency monitoring
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The title "goal-consistency monitoring" is Helmwart's normalised label — the strongest verbatim upstream match is OWASP Agentic AI v1.1 Playbook 1, which names "goal consistency validation" explicitly. Note: the source MDX describes NIST AI 600-1 MEASURE-2.7 as "alignment monitoring"; MEASURE 2.7 is security and resilience evaluation — that attribution is corrected in this evidence trail.
Last cross-checked against upstream sources: · 7 sources
References
Each entry shows what the source supports and what it does not prove.
OWASP Agentic AI — Threats & Mitigations v1.1
Threat table — T6 Intent Breaking & Goal Manipulation, "Mitigation" column
"Implement planning validation frameworks, boundary management for reflection processes, and dynamic protection mechanisms for goal alignment. Deploy AI behavioral auditing by having another model check the agent and flag significant goal deviations that could indicate manipulation."
Supports: Verbatim recommendation to monitor for "goal deviations" in an agentic context. Closest upstream wording match for this control's title and primary mechanism.
Does not prove: Describes the pattern at a high level; does not specify embedding-similarity or LLM-judge as the detection primitive, or define what "significant" divergence means operationally.
OWASP Agentic AI — Threats & Mitigations v1.1 (Playbook 1)
Playbook 1: Preventing AI Agent Reasoning Manipulation — Step 2: Prevent AI agent Goal Manipulation (Reactive)
"Use goal consistency validation to detect and block unintended AI behavioral shifts. Track goal modification request frequency per AI agent. Detect if an AI repeatedly attempts to change its goals, which could indicate manipulation attempts."
Supports: Explicit named control "goal consistency validation" with the exact framing used in this Helmwart mitigation. Strongest verbatim upstream anchor for the control's title.
Does not prove: Playbook guidance is prescriptive but not implementation-specific; does not define how goal-state is extracted from a framework or what threshold triggers the block.
OWASP Top 10 for Agentic Applications 2026
§ASI01 Agent Goal Hijack — Prevention and Mitigation Guidelines, item 7
"Maintain comprehensive logging and continuous monitoring of agent activity, establishing a behavioral baseline that includes goal state, tool-use patterns, and invariant properties … Track a stable identifier for the active goal where feasible, and alert on any deviations — such as unexpected goal changes, anomalous tool sequences, or shifts from the established baseline — so that unauthorized goal drift is immediately visible in operations."
Supports: Names goal-state tracking and alerting on goal drift as a concrete operational recommendation. Confirms tool-use patterns as a proxy signal — matching this control's Source B (tool-call proxy).
Does not prove: Framed as monitoring/logging guidance; does not mandate blocking or rollback on divergence. Helmwart extends the recommendation to a blocking step for high-stakes tasks.
MITRE ATLAS AML.M0024 — AI Telemetry Logging
AML.M0024 mitigation description
"Implement logging of inputs and outputs of deployed AI models. When deploying AI agents, implement logging of the intermediate steps of agentic actions and decisions, data access and tool use, installation commands, and identity of the agent. Monitoring logs can help to detect security threats and mitigate impacts."
Supports: Explicitly requires logging of intermediate agentic steps and tool use — the same trace data that goal-consistency monitoring reads to extract goal-state signals. Provides the infrastructure prerequisite for this control.
Does not prove: Defines the logging layer only; does not specify that logged data should be compared against a declared goal or that divergence should trigger a block.
MITRE ATLAS AML.M0022 — Generative AI Model Alignment
AML.M0022 mitigation description
"When training or fine-tuning a generative AI model it is important to utilize techniques that improve model alignment with safety, security, and content policies."
Supports: Establishes model alignment as a named ATLAS mitigation category. Cross-reference is appropriate because goal-consistency monitoring is a runtime complement to training-time alignment.
Does not prove: AML.M0022 is a training-time control (RLHF, SFT, RLAIF). It does not address runtime goal-drift detection. Citing it as equivalent to goal-consistency monitoring would be an overclaim.
NIST AI 600-1 — Generative AI Profile (NIST AI RMF)
MEASURE 2.7 — title and opening clause
"AI system security and resilience – as identified in the MAP function – are evaluated and documented."
Supports: MEASURE 2.7 is the closest NIST 600-1 section the source MDX cites for "alignment monitoring." MS-2.7-007 names prompt injection in the red-teaming scope, which partially overlaps the threat this control detects.
Does not prove: MEASURE 2.7 covers security/resilience evaluation: red-teaming, content provenance, watermarking. It is NOT an alignment-monitoring action. The source MDX's description of MEASURE 2.7 as "alignment monitoring" is a misattribution. The closest NIST action for runtime alignment verification is MS-4.2-003 ("Implement interpretability and explainability methods to evaluate GAI system decisions and verify alignment with intended purpose"), which is not cited in the MDX. Corrected here.
Ngo, Chan & Mindermann — "The Alignment Problem from a Deep Learning Perspective" (2022)
Abstract
"AGIs could learn to act deceptively to receive higher reward, learn misaligned internally-represented goals that generalize beyond their fine-tuning distributions, and pursue those goals using power-seeking strategies."
Supports: Establishes the theoretical basis: agents can develop internally-represented goals that diverge from intended goals beyond the training distribution. This is the risk mechanism that goal-consistency monitoring is designed to detect at runtime.
Does not prove: This is an AGI-scale alignment paper. It does not discuss runtime goal-consistency monitoring as a deployed control, embedding-similarity checks, or agentic workflow architectures. The theoretical risk framing does not validate the operational effectiveness of this control.