
Key facts.
- GhostCite's large-scale analysis found 13 leading models fabricate citations at rates from about 14% to 95%, a concrete agent failure that purpose-built frameworks name. source
- Greshake's indirect prompt injection is a documented, named agent threat, an attack hidden in the data an agent reads, that a governance program can adopt off the shelf instead of imagining from scratch. source
- AgentDojo measures how often a frontier agent is hijacked under prompt injection, a concrete threat and a test a governance program can adopt rather than inventing its own threat list. source
Why start from a framework instead of a blank page?
Because the blank page is where governance projects stall. Designing a control structure, a risk taxonomy and a threat list from nothing is slow, error-prone and likely to miss the agent-specific failures a team has not seen yet. The standards and the security literature have already done that work. ISO/IEC 42001 gives you the management-system shape, policies, roles, reviews. The published agent-attack work gives you a threat list built from real attacks: Greshake documented indirect prompt injection and AgentDojo measured how often it succeeds, so you are not trying to imagine prompt injection, tool misuse and excessive agency from first principles. Adopting these is not a shortcut that sacrifices quality; it is starting from the accumulated work of people who studied the problem, then tailoring it to your specifics.
The GhostCite result shows why the agent-specific detail in these frameworks matters. A generic governance policy written from scratch is unlikely to anticipate that an agent will fabricate citations between roughly 14% and 95% of the time depending on the model, but a purpose-built framework names hallucination and output-integrity risks explicitly, so adopting it means your governance covers the failure before you have been burned by it. A more capable model does not remove the failure, GhostCite's range spans leading models, so the framework's coverage is what protects you. The fast path is clear: adopt the structure, the management system and the threat list from the frameworks, then spend your effort tailoring them to your agents rather than reinventing what already exists.

Which framework does what?
Two roles, two ready-made sources. For the management system, ISO/IEC 42001, which gives you the policies, roles and review cycles that make governance a standing process rather than a one-off. For the threat list, the documented agent-attack literature, where Greshake names indirect prompt injection and AgentDojo measures how often it lands, so the agent-specific risks your controls have to address are already enumerated and quantified. You do not invent either from scratch; you adopt each for what it is built for, then tailor both to your agents, your data and your rules. That is the difference between a governance program assembled in weeks and one designed from scratch over months.
| Need | Framework to adopt |
|---|---|
| Management system | ISO/IEC 42001:2023 |
| Documented agent threat | Greshake indirect prompt injection (arXiv:2302.12173) |
| Measured threat + test | AgentDojo prompt-injection benchmark (arXiv:2406.13352) |
A blank-page policy quiets the symptom; ISO 42001 and the attack literature remove it and a stronger model does not cover the gap, sparing rework. (arXiv:2602.06718)
The Pattern Intelligence Layer is where adopted standards and documented threats become enforced controls, so the ISO management system and the Greshake/AgentDojo threat list are tailored and applied at the pattern level rather than left as documents. The accumulated work of the frameworks turns into governance the agent actually runs under. Reliability at the pattern level is reached faster by building on what exists than by starting from a blank page.
Frequently asked questions
Won't an off-the-shelf framework miss our specifics?
The frameworks are the starting structure, not the finished program. You adopt the structure, management system and threat list, then tailor all three to your agents, data and rules.
Why not design governance to fit us exactly?
Because the blank page is where governance stalls and a from-scratch policy misses agent-specific failures like citation fabrication that purpose-built frameworks already name.
Which ready-made sources do I adopt?
Use each for its role: ISO 42001 for the management system and the documented attacks, Greshake's indirect injection and AgentDojo's benchmark, for the threat list. Together they cover what a blank page does not.

