MRIS assesses the 45 controls of the TISAX® ISA 2027 catalog — 324 individual requirements — against GenAI-accelerated attacks and names concrete hardening measures from the MHC catalog for every gap.
Mythos (Anthropic) was the first frontier AI model whose capabilities in an attacker’s hands fundamentally changed the security landscape. MRIS uses it as the reference threat model: every control is measured against an attacker with Mythos-level capabilities.
AI attackers work on a target indefinitely, in parallel and without fatigue.
Minutes, not days, pass between initial access and damage.
Fragmented individual steps stay below every reporting and detection threshold.
Attack capability no longer depends on the actor's resources.
Each of the 45 controls of the ISA 2027 Information Security module is assessed against the GenAI threat landscape — at the level of the 324 individual requirements. What is assessed is the requirement wording, not any specific organization’s implementation.
Select one of the 31 controls with findings. MRIS shows the assigned Myth-Hardening Controls (MHC) or individual measures that close the gap.
Mappings per MRIS for TISAX® 2027, annex (72 findings across 31 controls).
Number of individual findings (of 72) each MHC carries. Prioritization starts with the broadest impact. MHC-16 is an original addition without a TISAX® finding.
Assessment of all 324 requirements, 8 pattern clusters, gap analysis against 6 reference frameworks.
DownloadImplementation guidance for the 10 MHC: maturity paths, audit evidence, Threat Priority Score and P0/P1/P2 roadmap.
DownloadThe MRIS publications are working aids (CC BY 4.0, © 2026 Richard Peddi). TISAX® is a registered trademark of the ENX Association; the ENX Association administers TISAX® on behalf of the VDA. This analysis is an independent, privately produced work with no affiliation to the ENX Association or the VDA — neither part of the official TISAX® assessment process nor authorized by ENX, and no substitute for a maturity assessment by an accredited audit provider. No legal or certification advice; use at your own responsibility.