EVIDENCE TRAIL
Output moderation gates
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The title "output moderation gates" is Helmwart's normalised label — upstream documents use "content filters", "moderation APIs", and "guardrails" interchangeably; MITRE ATLAS AML.M0020 is the closest single-source architectural definition.
Last cross-checked against upstream sources: · 6 sources
References
Each entry shows what the source supports and what it does not prove.
NIST AI 600-1 — Generative AI Profile (NIST AI RMF)
MEASURE 2.5 — Action MS-2.5-002 (Human-AI Configuration risk category)
"Document the extent to which human domain knowledge is employed to improve GAI system performance, via, e.g., RLHF, fine-tuning, retrieval-augmented generation, content moderation, business rules."
Supports: Positions content moderation explicitly as a standard instrument for improving and governing generative AI system performance, placing it alongside RLHF and fine-tuning as expected post-deployment practice.
Does not prove: Does not prescribe an independent moderation pass as a mandatory gate before emission; the action is a documentation requirement, not a deployment control. Does not reference harmful or hallucinated output categories by name in this sub-action.
OWASP LLM Top 10 v2025 — LLM05: Improper Output Handling
LLM05:2025 Improper Output Handling — Prevention and Mitigation Strategies
"Treat the model as any other user, adopting a zero-trust approach, and apply proper input validation on responses coming from the model to backend functions."
Supports: Establishes the zero-trust principle that LLM outputs must be validated before downstream use, the foundational rationale for inserting an independent moderation pass between generator and consumer.
Does not prove: LLM05 is primarily about injection and encoding hygiene (XSS, SQL injection) on output, not about classifying harmful or misleading content. Does not name a separate moderation model or moderation API as the control mechanism.
OWASP LLM Top 10 v2025 — LLM09: Misinformation
LLM09:2025 Misinformation — Prevention and Mitigation Strategies (items 4 and 7)
"Implement tools and processes to automatically validate key outputs, especially output from high-stakes environments. Design APIs and user interfaces that encourage responsible use of LLMs, such as integrating content filters, clearly labeling AI-generated content and informing users on limitations."
Supports: Names automatic output validation and content filters as recommended controls specifically targeting misinformation risk — the closest upstream prescription for an independent moderation pass before output reaches users.
Does not prove: Does not specify that the validator must be a separate model or moderation API. "Content filters" is used in a UI-design context (labelling), not exclusively as a pre-emission gate. Does not define which content categories trigger filtering.
OWASP Agentic AI — Threats & Mitigations v1.1
§T15 Human Manipulation — Mitigation column
"Monitor agent behavior to ensure it aligns with its defined role and expected actions. Restrict tool access to minimize the attack surface, limit the agent's ability to print links, implement validation mechanisms to detect and filter manipulated responses using guardrails, moderation APIs, or another model."
Supports: Explicitly names "moderation APIs, or another model" as the recommended mechanism for filtering manipulated agent responses before they reach users — the most direct upstream precedent for Helmwart's independent moderation pass.
Does not prove: The mitigation is stated at threat-table summary level without specifying trigger thresholds, latency requirements, or classification categories. T15 covers social-engineering-style manipulation; Helmwart generalises the control to all harmful/hallucinated output classes.
OWASP Agentic AI Mitigation Playbook P5 (Protecting HITL)
No verbatim excerpt pulled yet — open the original to verify the cited section.
Supports: P5 maps T15 Human Manipulation and T10 Overwhelming HITL to human-review workflows; pairing a moderation gate with that review path reduces the queue of raw outputs a reviewer must assess, directly supporting this control's latency and UX rationale.
Does not prove: Internal Helmwart mapping of the playbook; not a source of the moderation-gate principle itself. The playbook does not independently define moderation as a control.
MITRE ATLAS AML.M0020 — Generative AI Guardrails
AML.M0020 Generative AI Guardrails — Description (ATLAS.yaml, mitre-atlas/atlas-data)
"Guardrails are safety controls that are placed between a generative AI model and the output shared with the user to prevent undesired inputs and outputs. Guardrails can take the form of validators such as filters, rule-based logic, or regular expressions, as well as AI-based approaches, such as classifiers and utilizing LLMs, or named entity recognition (NER) to evaluate the safety of the prompt or response."
Supports: Canonical cross-framework definition of a moderation guardrail — placed between the model and the user, covering classifier-based and rule-based validators. Directly names the architectural pattern this control implements.
Does not prove: Does not prescribe which content categories must be covered, does not specify latency budgets, and does not require the guardrail to be a separate model (rules-based approaches are equally in scope). AML.M0020 is a general guardrail definition; Helmwart's control narrows scope to post-generation, pre-emission classification.