CSA MAESTRO / CSA Agentic Trust Framework

This page covers two Cloud Security Alliance agentic-security publications. MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome)1 is a seven-layer threat-modeling framework published February 6, 2025; it partitions an agentic system into layers and enumerates threats per layer and across layers. The CSA Agentic Trust Framework (ATF v1.0, February 2, 2026)2 applies Zero Trust governance to autonomous AI agents: five core elements answer five trust questions, four maturity levels grade earned autonomy, and five promotion gates govern advancement between levels. MAESTRO is a threat-modeling methodology, not a control catalogue; ATF is a governance model, not a maturity model with graded controls. The structure, layer names, and gate names below are verified against the primary sources by the 2026-Q2 standards review.

CSAI Foundation (March 23, 2026): a 501(c)(3) spun from CSA with six strategic programs including an AI Risk Observatory and “Valid-AI-ted” AI-driven audit engine. These are organizational initiatives, not part of MAESTRO or ATF.

MAESTRO: Seven-Layer Threat Model

MAESTRO1 expands to Multi-Agent Environment, Security, Threat, Risk, and Outcome. It partitions an agentic system into seven layers:

LayerNameScope
Layer 1Foundation ModelsCore models (LLMs) underlying agent function
Layer 2Data OperationsProcessing, storage, RAG pipelines, databases
Layer 3Agent FrameworksToolkits/frameworks used to build agents
Layer 4Deployment and InfrastructureCloud/on-prem systems where agents run
Layer 5Evaluation and ObservabilityMonitoring and performance assessment
Layer 6Security and ComplianceVertical layer integrating controls across all layers
Layer 7Agent EcosystemMarketplace where agents meet applications and users

MAESTRO models threats that span layers: supply-chain compromise of one layer affecting others, lateral movement, cross-boundary privilege escalation, inter-layer data leakage, and goal-misalignment cascades.

CSA Agentic Trust Framework (ATF)

The ATF v1.02 applies Zero Trust governance to autonomous agents. Its Zero Trust basis is cited as NIST SP 800-2073: no default autonomy; trust is earned and continuously verified. The framework has three distinct constructs.

Five core elements (pillars) answer five trust questions:

  1. Identity — “Who are you?”
  2. Behavior — “What are you doing?”
  3. Data Governance — “What are you eating? What are you serving?”
  4. Segmentation — “Where can you go?”
  5. Incident Response — “What if you go rogue?”

Four maturity levels grade earned autonomy. An agent can be demoted; a critical incident triggers immediate demotion to Intern.3

  1. Intern — observe + report
  2. Junior — recommend + approve
  3. Senior — act + notify
  4. Principal — autonomous within domain

Five promotion gates must be passed to advance a level: Performance, Security Validation, Business Value, Incident Record, Governance Sign-off.

Gates name criteria categories without thresholds

The five promotion gates name what must be demonstrated, not how much. Per-element controls are described, not specified to pass/fail criteria. The 2026-Q2 review confirmed no published gate threshold or scored rubric in either the ATF blog or the GitHub reference.

Coverage Against OWASP ASI Top 10

This table scores ATF against its five elements, not the promotion gates. It is a re-scoring driven by the gate→element correction in the 2026-Q2 review: the elements are the constructs that map to risk categories; the gates govern level advancement.

ASI CategoryCoverage
ASI01: Agent Goal Hijack◐ Partial (Behavior + Incident Response elements)
ASI02: Tool Misuse◐ Partial (Segmentation element bounds blast radius)
ASI03: Identity & Privilege● Identity element
ASI04: Supply Chain○ None
ASI05: Unexpected Code Execution (RCE)◐ Partial (Segmentation element limits blast radius)
ASI06: Memory Poisoning◐ Partial (Data Governance element — input/output validation)
ASI07: Insecure Inter-Agent◐ Partial
ASI08: Cascading Failures◐ Partial (Segmentation element)
ASI09: Human-Agent Trust Exploitation○ None (elements bound agent autonomy; no human-trust-exploitation coverage)
ASI10: Rogue Agents● Behavior + Incident Response elements (containment, demotion)

CSAI Foundation Programs (March 23, 2026)

  1. AI Risk Observatory: centralized risk tracking
  2. Valid-AI-ted: AI-driven audit engine
  3. AI Controls Matrix expansion: adding ISO 42001, ISO 27001, and SOC 2 mappings to AI-specific controls; could provide the first unified compliance mapping across multiple standards
  4. Three additional programs (details pending)

Strengths

  • The four-level maturity model (Intern → Junior → Senior → Principal), gated by five promotion gates, addresses the “Least Agency” principle with a structured earned-autonomy progression
  • Identity and rogue-agent categories (ASI03, ASI10) receive strong coverage via the Identity and Incident Response elements
  • CSAI Foundation’s AI Controls Matrix expansion could resolve the multi-standard compliance mapping gap
  • AI Risk Observatory could become a valuable threat intelligence resource

Gaps and Shortcomings

  • Newest framework: limited operational validation
  • Supply chain (ASI04) has no coverage in either MAESTRO (named as a cross-layer threat only) or ATF
  • Promotion gates name criteria categories without measurable thresholds
  • No certifiable standard, guidance only
  • The AI Controls Matrix expansion is a roadmap item, not yet delivered

See Also

Notes

Sources

Footnotes

  1. CSA — Agentic AI Threat Modeling Framework: MAESTRO, retrieved 2026-06-22. Acronym: Multi-Agent Environment, Security, Threat, Risk, and Outcome. Layers: L1 Foundation Models, L2 Data Operations, L3 Agent Frameworks, L4 Deployment and Infrastructure, L5 Evaluation and Observability, L6 Security and Compliance, L7 Agent Ecosystem. 2

  2. CSA — The Agentic Trust Framework: Zero Trust Governance for AI Agents, retrieved 2026-06-22. Five elements: Identity, Behavior, Data Governance, Segmentation, Incident Response. Five gates: Performance, Security Validation, Business Value, Incident Record, Governance Sign-off. Four levels: Intern, Junior, Senior, Principal. 2

  3. agentic-trust-framework — massivescale-ai (GitHub), retrieved 2026-06-22. NIST SP 800-207 Zero Trust basis; demotion-to-Intern on critical incident. 2