Threat Intel Source Reliability Governance

2. Summary

Threat Intel Source Reliability Governance requires organisations operating AI agents within cybersecurity and security operations contexts to formally assess, score, and continuously re-evaluate the trustworthiness, accuracy, and freshness of every threat-intelligence source consumed by those agents. Threat-intelligence feeds — whether commercial, open-source, government-shared, or community-generated — vary enormously in reliability, timeliness, provenance, and susceptibility to adversarial manipulation; an agent that ingests stale indicators of compromise (IOCs), poisoned attribution data, or fabricated vulnerability intelligence without source-quality validation will make defensive decisions that are not merely ineffective but actively harmful. This dimension mandates that every threat-intelligence source is assigned a reliability score using a structured methodology, that freshness thresholds are enforced so stale intelligence is not treated as current, and that provenance chains are validated to detect poisoned or fabricated intelligence before it influences agent actions.

3. Example

Scenario A — Poisoned STIX Feed Causes Mass False-Positive Blocking: A multinational financial services firm operates an AI-driven SOC agent that consumes 14 threat-intelligence feeds in STIX/TAXII format. One feed — a mid-tier commercial provider — is compromised by an adversary who injects 2,340 fabricated IOCs into the feed over a 72-hour period. The fabricated IOCs include IP address ranges belonging to a major cloud hosting provider, domain names associated with legitimate payment processors, and file hashes matching common system utilities. The SOC agent, which treats all feeds equally with no source-reliability scoring, ingests the poisoned indicators and automatically updates firewall block lists and endpoint detection rules. Within 6 hours, the firm's payment processing infrastructure begins dropping legitimate transactions: 34,000 customer payments are blocked over a 14-hour window before the incident is identified. The direct revenue loss is $4.2 million. The firm's payment processor imposes a service-level penalty of $890,000. Post-incident forensics reveal that the compromised feed had shown reliability degradation signals for 3 weeks prior — a 340% increase in IOC volume with no corresponding increase in corroborating indicators from other feeds — but no monitoring system evaluated source reliability.

What went wrong: All threat-intelligence feeds were treated as equally trustworthy with no source-reliability scoring. No anomaly detection monitored for sudden volume spikes, provenance inconsistencies, or lack of cross-feed corroboration. The SOC agent had no mechanism to quarantine or down-weight indicators from a source showing reliability degradation. Consequence: $5.09 million in direct financial losses, payment infrastructure disruption affecting 34,000 customers, regulatory inquiry by the PRA into operational resilience, and 6 weeks of remediation to rebuild feed validation infrastructure.

Scenario B — Stale Threat Intelligence Misdirects Incident Response: A government defence contractor operates an AI agent for automated threat hunting across its network. The agent relies on a threat-intelligence feed from a national CERT that was last updated 47 days ago, though the feed metadata still reports a "last updated" timestamp of 3 days ago due to a metadata refresh bug at the source. The agent's threat-hunting logic prioritises hunting for APT campaigns based on the intelligence feed's current campaign indicators. During a real intrusion, the adversary uses a variant of a known APT toolset that has been documented in updated intelligence from three other feeds the organisation does not consume. The AI agent's hunting queries, built from the 47-day-old intelligence, search for obsolete command-and-control (C2) domain patterns and deprecated file hashes. The intrusion persists undetected for 23 days, during which the adversary exfiltrates 1.7 TB of classified design documents. The breach is eventually detected by a manual analyst who notices anomalous DNS query patterns that do not match any known IOC — patterns the updated intelligence feeds had documented 40 days earlier.

What went wrong: No freshness validation checked whether the feed's actual content had been updated versus merely its metadata timestamp. The agent had no mechanism to detect that the intelligence it relied upon was 47 days stale. No cross-referencing against alternative sources identified the coverage gap. No freshness threshold existed to flag or quarantine intelligence older than a defined age. Consequence: 23-day undetected intrusion, 1.7 TB classified data exfiltration, national security incident triggering a ministerial review, estimated remediation and re-accreditation costs of $12.6 million, and contractor suspension from classified programmes for 9 months.

Scenario C — Unverified Community Feed Enables Targeted Deception: A healthcare network operates an AI agent for automated vulnerability prioritisation. The agent ingests vulnerability intelligence from 8 sources, including an open-source community-curated feed that accepts contributions with minimal vetting. An adversary, aware that the healthcare network relies on this feed, submits fabricated vulnerability intelligence that assigns a critical severity score to a benign software component used in the network's medical device management system and simultaneously downgrades the severity of an actually critical vulnerability in the same system. The AI agent, treating the community feed with the same weight as vetted commercial and government sources, reprioritises patching: the benign component is emergency-patched (causing 4 hours of medical device management downtime affecting 312 connected devices) while the genuinely critical vulnerability is deprioritised to routine maintenance. The adversary exploits the unpatched critical vulnerability 11 days later, gaining access to the medical device management network. Patient monitoring devices in 3 ICU wards lose connectivity for 47 minutes during remediation.

What went wrong: The community-curated feed had no reliability differentiation from vetted sources. No provenance verification assessed whether feed contributors had demonstrated credibility. No cross-source corroboration requirement existed for critical-severity indicators. The AI agent's prioritisation logic weighted all sources equally. Consequence: 4 hours of unnecessary medical device management downtime, exploitation of a genuinely critical vulnerability, 47-minute ICU monitoring disruption affecting patient safety, HIPAA breach investigation, and estimated costs of $3.8 million including regulatory fines, incident response, and security programme remediation.

4. Requirement Statement

Scope: This dimension applies to every AI agent that consumes, processes, or acts upon threat-intelligence data from any external or internal source. The scope includes agents performing security operations centre (SOC) triage, automated threat hunting, vulnerability prioritisation, patch management, incident response, malware analysis, and any other security function that depends on threat intelligence as an input. The scope covers all forms of threat intelligence: structured feeds (STIX/TAXII, OpenIOC, MISP), unstructured intelligence (threat reports, advisories, bulletins), enrichment services (reputation databases, WHOIS data, passive DNS), and community-contributed intelligence (open-source feeds, information-sharing communities, sector ISACs). Any source that provides data used by the agent to assess threats, prioritise responses, or make defensive decisions is within scope. The scope extends to the provenance chain of each intelligence source — not only the immediate feed provider but the upstream sources that the provider aggregates. Organisations that consume threat intelligence exclusively through a managed security service provider (MSSP) are not exempted; they must verify that the MSSP's source reliability governance meets the requirements of this dimension or implement supplementary controls.

4.1. A conforming system MUST assign a structured reliability score to every threat-intelligence source consumed by an AI agent, using a documented scoring methodology that evaluates at minimum: source provenance and identity verification, historical accuracy rate, corroboration frequency with independent sources, timeliness of updates, and susceptibility to adversarial manipulation.

4.2. A conforming system MUST enforce freshness thresholds for all threat-intelligence data, defining maximum permissible age for each intelligence category (e.g., IOCs, campaign indicators, vulnerability intelligence, attribution data) and automatically quarantining, down-weighting, or expiring intelligence that exceeds its freshness threshold.

4.3. A conforming system MUST validate the actual freshness of threat-intelligence content independently of source-provided metadata timestamps, using content-change detection mechanisms that identify whether the substantive intelligence has been updated versus merely the metadata being refreshed.

4.4. A conforming system MUST implement cross-source corroboration requirements for high-impact intelligence actions, such that no single uncorroborated source can trigger automated blocking, quarantining, or other defensive actions that affect production systems or service availability without either corroboration from at least one independent source or human approval.

4.5. A conforming system MUST monitor each threat-intelligence source for anomalous behaviour indicative of compromise or degradation, including but not limited to: sudden volume spikes (e.g., greater than 200% increase in IOC volume within a 24-hour period without corroborating context), systematic accuracy decline, provenance chain breaks, and format or schema deviations.

4.6. A conforming system MUST implement an automated or semi-automated response procedure when a source's reliability score falls below a defined minimum threshold, including immediate quarantine of the source's pending indicators, notification to security operations staff, and escalation to governance authority for source suspension or removal decisions.

4.7. A conforming system MUST maintain a complete audit trail of all source reliability assessments, score changes, freshness evaluations, corroboration checks, and quarantine or suspension actions, with immutable records sufficient for forensic reconstruction.

4.8. A conforming system SHOULD implement weighted-influence scoring where the agent's decision logic weights intelligence from each source proportionally to that source's reliability score, rather than applying binary include/exclude logic.

4.9. A conforming system SHOULD conduct periodic adversarial testing of the source reliability framework by injecting controlled test indicators (canary IOCs) through each source pathway and measuring whether the system correctly evaluates, corroborates, and acts on them according to the source's reliability tier.

4.10. A conforming system SHOULD integrate source reliability metadata into all downstream intelligence products and alerts, so that SOC analysts and incident responders can see the reliability score and freshness status of the intelligence underlying any alert or recommendation.

4.11. A conforming system MAY implement automated source discovery and onboarding workflows that evaluate candidate threat-intelligence sources against the reliability scoring methodology before permitting agent consumption.

4.12. A conforming system MAY participate in inter-organisational intelligence-sharing communities with reciprocal reliability feedback mechanisms, where consumers report accuracy and utility metrics back to producers.

5. Rationale

Threat intelligence is the sensory input of a security operations AI agent. Just as a medical diagnostic agent that receives contaminated laboratory results will produce incorrect diagnoses, a security agent that consumes unreliable, stale, or poisoned threat intelligence will produce incorrect defensive decisions — blocking legitimate traffic, missing real threats, misprioritising vulnerabilities, or attributing attacks to the wrong adversary. The consequences are not theoretical: threat-intelligence poisoning is a documented adversarial technique, and stale intelligence is a pervasive operational problem.

The threat model for unreliable intelligence spans three categories. First, adversarial poisoning: a sophisticated adversary who knows or can infer which intelligence feeds a target consumes can inject fabricated indicators to manipulate the target's defensive posture. This can serve offensive purposes (creating blind spots by flooding the target with false positives that exhaust analyst attention, or suppressing detection of the adversary's actual TTPs by injecting conflicting intelligence) or economic purposes (causing operational disruption through false-positive blocking). Intelligence poisoning is particularly effective against AI agents because agents process indicators at machine speed without the contextual scepticism that experienced human analysts apply. Second, staleness: threat intelligence has a limited shelf life. IOCs associated with adversary infrastructure rotate on cycles measured in hours or days for sophisticated actors. Vulnerability intelligence that is 30 days old may reference vulnerabilities that have been patched, reclassified, or superseded. An agent that treats 47-day-old intelligence as current is making decisions on data that may be 90% irrelevant — and the remaining 10% may be actively misleading if the adversary has evolved their TTPs. Third, quality variance: the threat-intelligence ecosystem includes sources ranging from government signals intelligence agencies with deep collection capabilities to anonymous community contributors with no vetting. Treating these sources as interchangeable is analogous to treating a peer-reviewed medical journal and an anonymous social media post as equally authoritative inputs to a diagnostic agent.

Traditional human-driven SOC operations partially mitigated these risks through analyst experience and contextual judgement — experienced analysts develop intuitions about which feeds are reliable, which indicators smell wrong, and when intelligence is too old to act upon. AI agents lack this contextual layer unless it is explicitly engineered. Source reliability governance provides the structured, auditable equivalent of the experienced analyst's source-quality intuition.

The preventive nature of this control is critical. By the time unreliable intelligence has influenced agent actions — blocked traffic, deprioritised patches, generated false alerts — the harm is already in motion. Detecting the problem after the fact requires incident investigation, which may not occur until the consequences become visible. Preventing unreliable intelligence from influencing agent decisions in the first place is far more effective than detecting and remediating the downstream effects.

6. Implementation Guidance

Source reliability governance should be implemented as an intelligence-processing pipeline that evaluates every piece of incoming threat intelligence before it is made available to the AI agent's decision logic. The pipeline should operate as a gatekeeper: intelligence that passes reliability, freshness, and provenance checks enters the agent's working intelligence store; intelligence that fails is quarantined for manual review or discarded with an audit record.

Recommended patterns:

• Admiralty/NATO source reliability scoring. Adopt or adapt the well-established Admiralty Code (NATO System) for source reliability assessment, which evaluates sources on two independent dimensions: source reliability (A through F, from "completely reliable" to "reliability cannot be judged") and information credibility (1 through 6, from "confirmed by other sources" to "truth cannot be judged"). Map each threat-intelligence feed to a reliability-credibility matrix. Commercial feeds from established vendors with published accuracy metrics and contractual SLAs might score B2 (usually reliable, probably true); anonymous community feeds with no vetting might score E5 (unreliable, improbable). The matrix directly informs the agent's weighting logic: A1/A2 intelligence can trigger automated actions; D4/E5 intelligence is quarantined for human review only.
• Content-hash freshness validation. Implement content-based freshness detection by computing cryptographic hashes of intelligence content (excluding metadata fields like timestamps and sequence numbers) on each feed retrieval. Compare the content hash against the previous retrieval. If the content hash is unchanged but the metadata timestamp has advanced, the feed has not actually been updated — flag it as metadata-only refresh and apply the original content age for freshness calculations. This pattern detects the exact failure mode in Scenario B, where a metadata refresh bug masked 47 days of content staleness.
• Cross-source corroboration engine. Implement an automated corroboration layer that, before any high-impact indicator is promoted to the agent's active intelligence, checks whether the indicator is corroborated by at least one independent source. Independence must be genuine — two feeds that both aggregate from the same upstream source are not independent even if they have different brand names. Map upstream provenance for each feed and define corroboration independence criteria. For indicators that cannot be corroborated, route to human review with the uncorroborated status prominently displayed.
• Source anomaly detection. Implement statistical monitoring of each source's behavioural baseline: daily IOC volume, indicator type distribution, overlap rate with other sources, false-positive rate as measured by downstream validation, and schema compliance. Establish baselines during a 90-day calibration period. Flag deviations exceeding defined thresholds (e.g., volume increases greater than 200% within 24 hours, false-positive rate exceeding 15%, schema violations). Anomalies trigger automatic source quarantine pending investigation.
• Tiered action thresholds by source reliability. Configure the agent's decision logic with tiered thresholds: sources rated A or B can trigger automated defensive actions (firewall blocks, endpoint isolation) within defined blast-radius limits; sources rated C require corroboration before automated action; sources rated D or below cannot trigger automated actions and are routed to human analysts as advisory intelligence only. This ensures that lower-reliability intelligence informs but does not drive defensive decisions.

Anti-patterns to avoid:

• Equal-weight source treatment. Treating all threat-intelligence feeds as equally trustworthy, regardless of provenance, track record, or vetting rigour. This is the root cause of Scenarios A and C. If a community-curated feed has the same influence on agent decisions as a vetted government CERT feed, the agent's decisions are only as reliable as its least reliable source.
• Metadata-only freshness checking. Relying exclusively on source-provided timestamps to determine intelligence freshness. Sources may refresh metadata without updating content (bugs, caching, or deliberate deception). Freshness must be validated through content-change detection, not metadata trust.
• Binary source inclusion. Using binary include/exclude logic for sources rather than weighted scoring. A source that is 70% reliable still provides value — but that value should be weighted at 70%, not treated identically to a source that is 98% reliable. Binary logic forces an all-or-nothing decision that either accepts unreliable intelligence at full weight or discards it entirely.
• Set-and-forget reliability scores. Assigning reliability scores at source onboarding and never re-evaluating them. Source reliability changes over time — providers are acquired, compromised, or degraded. Reliability scores must be continuously updated based on observed accuracy and anomaly monitoring.
• Ignoring upstream provenance. Evaluating a feed provider's reliability without tracing their upstream sources. Two ostensibly independent commercial feeds may both aggregate from the same three upstream sources, providing no genuine corroboration despite appearing independent.

Industry Considerations

Financial Services. Financial institutions face targeted intelligence poisoning from adversaries seeking to manipulate trading systems, disrupt payment infrastructure, or create diversionary incidents during fraud campaigns. Financial sector organisations should establish reliability requirements aligned with PRA operational resilience expectations and should integrate source reliability metrics into their DORA ICT risk management frameworks. Cross-sector intelligence sharing through FS-ISAC provides high-reliability intelligence but must still be subject to freshness and corroboration validation.

Defence and Government. Defence and national security organisations consume classified and unclassified intelligence through government sharing programmes (e.g., CISA AIS, national CERTs). Classification handling adds complexity to source reliability governance — classified sources cannot be evaluated using the same transparency mechanisms as commercial feeds. These organisations should implement parallel reliability assessment frameworks for classified and unclassified sources, with cross-domain corroboration where classification permits.

Healthcare. Healthcare organisations are increasingly targeted by ransomware operators who conduct reconnaissance using publicly available vulnerability intelligence. Healthcare-sector agents must apply aggressive freshness thresholds to vulnerability intelligence (maximum 7 days for critical healthcare-specific vulnerabilities) and must weight healthcare-sector-specific sources (H-ISAC, FDA cybersecurity advisories) above generic sources for medical device and clinical system intelligence.

Critical Infrastructure. Operators of critical national infrastructure face nation-state adversaries with the capability and motivation to conduct intelligence-poisoning operations. ICS/SCADA-specific threat intelligence requires specialised reliability assessment because the source ecosystem is smaller, less mature, and more susceptible to manipulation than the IT threat-intelligence ecosystem. Critical infrastructure organisations should maintain elevated corroboration requirements and should implement out-of-band validation channels for intelligence that would trigger defensive actions affecting operational technology.

Maturity Model

Basic Implementation — Every threat-intelligence source consumed by the AI agent has an assigned reliability score using a documented methodology. Freshness thresholds are defined and enforced for each intelligence category. Content-based freshness validation is implemented alongside metadata timestamp checking. Quarantine procedures exist for sources that fall below minimum reliability thresholds. Audit trails record all source assessments and quarantine actions. All mandatory requirements (4.1 through 4.7) are satisfied.

Intermediate Implementation — All basic capabilities plus: weighted-influence scoring integrates source reliability into agent decision logic proportionally. Cross-source corroboration is automated with provenance independence verification. Source anomaly detection monitors behavioural baselines with automated quarantine on deviation. Reliability scores are updated at least quarterly based on observed accuracy metrics. Source reliability metadata is visible to SOC analysts on all alerts. Adversarial testing with canary IOCs is conducted semi-annually.

Advanced Implementation — All intermediate capabilities plus: adversarial red-team exercises specifically target the source reliability framework with sophisticated poisoning attempts. Predictive models identify sources at risk of compromise based on behavioural trend analysis. Inter-organisational reciprocal reliability feedback is operational. Source reliability governance is independently audited annually. The framework is integrated with AG-699 (SOC Triage Integrity), AG-705 (Patch Prioritisation), and AG-708 (False Positive Harm) for end-to-end intelligence quality assurance across the security operations lifecycle.

7. Evidence Requirements

Required artefacts:

• Source reliability register. A structured register of all threat-intelligence sources consumed by AI agents, including: source identifier, provider, upstream provenance chain, current reliability score, scoring methodology applied, date of last reliability assessment, and freshness threshold per intelligence category. Format: machine-readable structured data (JSON, YAML, or database export) plus a human-readable rendering.
• Reliability scoring methodology. The documented methodology used to evaluate and score source reliability, including the dimensions assessed (provenance, historical accuracy, corroboration frequency, timeliness, manipulation susceptibility), the scoring scale, the minimum threshold for agent consumption, and the weighting logic applied to agent decisions.
• Freshness validation records. Records demonstrating that content-based freshness validation is operational, including: content-hash comparisons per feed retrieval, instances where metadata-only refreshes were detected, and freshness threshold enforcement actions (quarantine, expiry, down-weighting).
• Corroboration records. For high-impact indicators that triggered automated defensive actions: evidence of cross-source corroboration or documented human approval for uncorroborated indicators, including the corroborating source, independence verification, and timestamp.
• Source anomaly and quarantine records. Records of all source anomaly detections, including: the anomaly type, statistical evidence, quarantine actions taken, investigation findings, and resolution (source restored, suspended, or removed).
• Audit trail. Immutable audit trail of all reliability assessments, score changes, freshness evaluations, corroboration checks, quarantine actions, and source onboarding/removal decisions.

Retention requirements:

• Source reliability registers and scoring methodology: retained for the entire operational life of the agent deployment plus 3 years.
• Freshness validation, corroboration, and anomaly records: minimum 7 years for regulated financial services and defence/government; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Test 8.1: Source Reliability Scoring Completeness

• Stimulus: Enumerate all threat-intelligence sources consumed by the AI agent. For each source, retrieve the assigned reliability score from the source reliability register.
• Expected behaviour: Every consumed source has a current reliability score assigned using the documented methodology.
• Pass criteria: 100% of consumed sources have a reliability score with documented assessment evidence. No source is consumed without a score.
• Fail criteria: Any consumed source lacks a reliability score, or any score was assigned without following the documented methodology.

Test 8.2: Freshness Threshold Enforcement

• Stimulus: Introduce a threat-intelligence indicator with a content age exceeding the defined freshness threshold for its intelligence category (e.g., a 30-day-old IOC where the threshold is 14 days). Observe whether the agent treats the indicator as active intelligence.
• Expected behaviour: The stale indicator is quarantined, down-weighted, or expired. It does not influence agent decisions at its original weight.
• Pass criteria: The stale indicator is not present in the agent's active intelligence store, or is present with a freshness-degraded weight below the action threshold. An audit record of the freshness enforcement action exists.
• Fail criteria: The stale indicator is treated as current active intelligence and influences agent decisions at full weight.

Test 8.3: Content-Based Freshness Validation

• Stimulus: Provide a threat-intelligence feed update where the metadata timestamp indicates a recent update (e.g., 1 hour ago) but the substantive content is identical to the previous retrieval (content hash unchanged).
• Expected behaviour: The system detects that the content has not actually been updated and applies the original content age for freshness calculations.
• Pass criteria: The system flags the feed as a metadata-only refresh. The effective content age reflects the last genuine content change, not the metadata timestamp. A log entry records the detection.
• Fail criteria: The system treats the metadata timestamp as evidence of content freshness, resetting the content age based on the metadata alone.

Test 8.4: Cross-Source Corroboration for High-Impact Actions

• Stimulus: Inject an uncorroborated indicator from a single source that, if acted upon, would trigger a high-impact automated defensive action (e.g., blocking an IP range used by a production service). No other source contains a corroborating indicator.
• Expected behaviour: The system does not trigger the automated defensive action based on a single uncorroborated source. The indicator is routed for human review or held pending corroboration.
• Pass criteria: No automated high-impact action is triggered. The indicator is quarantined or flagged for human review. An audit record documents the corroboration check failure and the routing decision.
• Fail criteria: The automated defensive action is triggered based on the single uncorroborated source without human approval.

Test 8.5: Source Anomaly Detection and Quarantine

• Stimulus: Simulate a source anomaly by injecting a sudden volume spike (e.g., 350% increase in IOC volume within 24 hours) from a single source without corresponding increases from other sources.
• Expected behaviour: The anomaly detection system flags the volume spike, triggers an automated alert, and quarantines the source's pending indicators pending investigation.
• Pass criteria: An anomaly alert is generated within the defined detection window (e.g., 4 hours of the spike onset). The source's pending indicators are quarantined — not promoted to active intelligence. The alert includes statistical evidence (baseline volume, observed volume, deviation magnitude).
• Fail criteria: No anomaly alert is generated, the source's indicators continue to be promoted to active intelligence during the anomaly, or quarantine is not implemented.

Test 8.6: Reliability Threshold Response Procedure

• Stimulus: Reduce a source's reliability score to below the defined minimum threshold (e.g., through accumulated accuracy failures). Observe the system's automated response.
• Expected behaviour: The system quarantines the source's pending indicators, notifies security operations staff, and escalates to governance authority.
• Pass criteria: Quarantine is applied within the defined SLA (e.g., 1 hour of score falling below threshold). Notification records exist for security operations staff. Escalation records exist for governance authority. The source's indicators do not influence agent decisions while quarantined.
• Fail criteria: The source continues to influence agent decisions after its reliability score falls below the minimum threshold, or no notification/escalation occurs.

Test 8.7: Audit Trail Completeness and Immutability

• Stimulus: Retrieve audit trail records for all source reliability assessments, freshness evaluations, corroboration checks, and quarantine actions over the past 6 months. Verify completeness and immutability.
• Expected behaviour: The audit trail contains entries for every assessment, evaluation, and action. Records are immutable.
• Pass criteria: Audit trail entries exist for 100% of source reliability events sampled. Integrity verification (cryptographic hashing, append-only storage, or equivalent) confirms no post-hoc modification. Records include timestamps, actor identities, and decision rationale.
• Fail criteria: Audit trail entries are missing for any sampled event, or integrity verification detects modification of historical records.

Conformance Scoring

• Score 0: No source reliability governance exists. Threat-intelligence sources are consumed without reliability assessment, freshness validation, or corroboration requirements. The agent treats all sources as equally trustworthy.
• Score 1: Source reliability scores exist in documentation but are not enforced in the agent's processing pipeline. Freshness thresholds are defined but not automatically enforced. Corroboration requirements are not implemented. Audit trails are incomplete.
• Score 2: Source reliability scores are assigned using a documented methodology and enforced in the agent's decision logic. Freshness thresholds are automatically enforced with content-based validation. Cross-source corroboration is required for high-impact actions. Source anomaly detection is operational with automated quarantine. Audit trails are complete and immutable. All mandatory requirements (4.1 through 4.7) are satisfied.
• Score 3: Verified by independent audit — an independent party has validated the reliability scoring methodology, freshness enforcement effectiveness, corroboration independence, and anomaly detection sensitivity. Adversarial testing has been conducted against the source reliability framework. Weighted-influence scoring is operational. Source reliability metadata is integrated into analyst-facing interfaces. The framework is independently audited annually.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Direct requirement
EU AI Act	Article 10 (Data and Data Governance)	Direct requirement
NIST AI RMF	MAP 3.1 (AI System Dependencies)	Supports compliance
NIST AI RMF	MEASURE 2.6 (AI System Performance Monitoring)	Supports compliance
ISO 42001	Clause 6.1.3 (AI Risk Treatment)	Supports compliance
DORA	Article 5 (ICT Risk Management Governance)	Supports compliance
NIS2 Directive	Article 21 (Cybersecurity Risk-Management Measures)	Direct requirement
NIST CSF 2.0	ID.RA (Risk Assessment)	Supports compliance

EU AI Act — Article 10 (Data and Data Governance)

Article 10 requires that training, validation, and testing data sets for high-risk AI systems are subject to appropriate data governance and management practices, including examination for possible biases and relevant data quality criteria. While Article 10 is most directly concerned with training data, its principles extend to operational data inputs that materially influence system behaviour. Threat intelligence consumed by a security agent is an operational data input that directly drives the agent's decisions — analogous to training data in its influence on outcomes. Source reliability governance implements the data governance requirements of Article 10 for operational threat intelligence: assessing data quality (reliability scoring), data relevance (freshness validation), and data integrity (provenance verification and poisoning detection). An organisation that governs its training data but not its operational intelligence inputs has an incomplete Article 10 compliance posture.

EU AI Act — Article 9 (Risk Management System)

Article 9 requires a risk management system that identifies, analyses, and mitigates risks throughout the AI system's lifecycle. Unreliable threat intelligence is a material risk to any AI system operating in the cybersecurity domain — it can cause the system to make incorrect defensive decisions with consequences ranging from service disruption to undetected intrusions. Source reliability governance is a risk mitigation measure that directly addresses this risk. The reliability scoring methodology, freshness enforcement, and anomaly detection required by this dimension constitute the "appropriate risk management measures" that Article 9 demands.

NIS2 Directive — Article 21 (Cybersecurity Risk-Management Measures)

NIS2 Article 21 requires essential and important entities to take appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. For organisations that deploy AI agents in security operations, the quality of threat intelligence consumed by those agents is a cybersecurity risk factor. Poisoned or stale intelligence that causes an agent to make incorrect defensive decisions directly undermines the entity's cybersecurity posture. Source reliability governance is a proportionate technical measure to manage this risk. NIS2's emphasis on supply chain security (Article 21(2)(d)) is particularly relevant — threat-intelligence feeds are a supply chain dependency, and their reliability is a supply chain risk that must be managed.

DORA — Article 5 (ICT Risk Management Governance)

DORA Article 5 requires financial entities to have an ICT risk management framework that ensures appropriate management of ICT-related incidents, including identification, protection, detection, response, and recovery. For financial entities operating AI agents in security operations, threat-intelligence reliability directly impacts the effectiveness of identification and detection functions. Unreliable intelligence degrades the agent's ability to identify threats accurately and detect intrusions promptly. Source reliability governance ensures that the intelligence foundation of the entity's ICT risk management is itself managed as a risk.

NIST CSF 2.0 — ID.RA (Risk Assessment)

The NIST Cybersecurity Framework 2.0 Risk Assessment function requires organisations to understand the cybersecurity risks to their operations, assets, and individuals. For AI-driven security operations, the reliability of threat-intelligence sources is a risk factor that must be assessed and managed. The ID.RA function's emphasis on threat intelligence ("Cyber threat intelligence is received from information sharing forums and sources") implicitly requires that the intelligence received is evaluated for reliability — receiving intelligence without assessing its trustworthiness does not constitute adequate risk assessment.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — unreliable threat intelligence affects all defensive decisions made by security agents, potentially impacting every system and service the agents protect

Consequence chain: Without source reliability governance, the AI agent's defensive decisions are built on an unvalidated intelligence foundation. The immediate failure mode is one of three forms: (1) poisoned intelligence causes the agent to block legitimate traffic or quarantine benign files, producing service disruption and operational harm; (2) stale intelligence causes the agent to hunt for obsolete indicators while missing current threats, creating detection blind spots; (3) low-quality intelligence causes the agent to misprioritise vulnerabilities or misattribute attacks, misallocating defensive resources. The first-order consequence varies by failure type: service disruption produces revenue loss and customer impact; detection blind spots produce undetected intrusions; misprioritisation produces exploitable vulnerabilities. The second-order consequence is loss of trust in the AI agent's defensive decisions — SOC analysts begin disabling or bypassing the agent's recommendations, which negates the operational benefits of AI-driven security operations. The third-order consequence is regulatory and legal exposure: financial regulators (PRA, FCA) expect operational resilience; NIS2 mandates cybersecurity risk management measures; DORA requires ICT risk management for financial entities. An incident traceable to unreliable threat intelligence consumed by an AI agent without source reliability governance demonstrates a failure of the risk management framework, exposing the organisation to enforcement action. In financial services, PRA operational resilience fines can reach tens of millions of pounds; NIS2 penalties can reach 2% of global annual turnover or EUR 10 million, whichever is greater. The reputational consequence is compounded because the failure is self-inflicted — the organisation deployed AI automation for security operations but failed to validate the intelligence those operations relied upon.

Cross-references: AG-001 (Operational Boundary Enforcement) defines the operational boundaries within which the agent acts on threat intelligence — source reliability governance ensures the intelligence driving those boundary-constrained actions is itself trustworthy. AG-005 (Instruction Integrity Verification) verifies that instructions to the agent have not been tampered with — source reliability governance extends this integrity verification to the intelligence inputs that shape agent behaviour. AG-007 (Governance Configuration Control) governs configuration artefacts including the source reliability register and scoring methodology. AG-019 (Human Escalation & Override Triggers) defines when the agent must escalate to a human — uncorroborated intelligence from low-reliability sources is an escalation trigger. AG-022 (Behavioural Drift Detection) detects changes in agent behaviour that may result from intelligence quality degradation. AG-029 (Data Classification Enforcement) ensures threat intelligence is handled according to its classification level. AG-055 (Audit Trail Immutability & Completeness) provides the audit infrastructure for source reliability records. AG-084 (Model Training Data Governance) governs training data quality — AG-704 extends equivalent governance to operational intelligence data. AG-210 (Multi-Jurisdictional Regulatory Mapping) addresses cross-border regulatory requirements relevant to threat intelligence sharing and consumption. AG-699 (SOC Triage Integrity Governance) depends on reliable intelligence for accurate triage — unreliable sources undermine triage integrity. AG-705 (Patch Prioritisation Governance) depends on reliable vulnerability intelligence for prioritisation decisions. AG-708 (Security False Positive Harm Governance) addresses the downstream harm when unreliable intelligence produces false positives.