CSA MAESTRO / CSA Agentic Trust Framework
This page covers two Cloud Security Alliance agentic-security publications. MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome)1 is a seven-layer threat-modeling framework published February 6, 2025; it partitions an agentic system into layers and enumerates threats per layer and across layers. The CSA Agentic Trust Framework (ATF v1.0, February 2, 2026)2 applies Zero Trust governance to autonomous AI agents: five core elements answer five trust questions, four maturity levels grade earned autonomy, and five promotion gates govern advancement between levels. MAESTRO is a threat-modeling methodology, not a control catalogue; ATF is a governance model, not a maturity model with graded controls. The structure, layer names, and gate names below are verified against the primary sources by the 2026-Q2 standards review.
CSAI Foundation (March 23, 2026): a 501(c)(3) spun from CSA with six strategic programs including an AI Risk Observatory and “Valid-AI-ted” AI-driven audit engine. These are organizational initiatives, not part of MAESTRO or ATF.
MAESTRO: Seven-Layer Threat Model
MAESTRO1 expands to Multi-Agent Environment, Security, Threat, Risk, and Outcome. It partitions an agentic system into seven layers:
| Layer | Name | Scope |
|---|---|---|
| Layer 1 | Foundation Models | Core models (LLMs) underlying agent function |
| Layer 2 | Data Operations | Processing, storage, RAG pipelines, databases |
| Layer 3 | Agent Frameworks | Toolkits/frameworks used to build agents |
| Layer 4 | Deployment and Infrastructure | Cloud/on-prem systems where agents run |
| Layer 5 | Evaluation and Observability | Monitoring and performance assessment |
| Layer 6 | Security and Compliance | Vertical layer integrating controls across all layers |
| Layer 7 | Agent Ecosystem | Marketplace where agents meet applications and users |
MAESTRO models threats that span layers: supply-chain compromise of one layer affecting others, lateral movement, cross-boundary privilege escalation, inter-layer data leakage, and goal-misalignment cascades.
CSA Agentic Trust Framework (ATF)
The ATF v1.02 applies Zero Trust governance to autonomous agents. Its Zero Trust basis is cited as NIST SP 800-2073: no default autonomy; trust is earned and continuously verified. The framework has three distinct constructs.
Five core elements (pillars) answer five trust questions:
- Identity — “Who are you?”
- Behavior — “What are you doing?”
- Data Governance — “What are you eating? What are you serving?”
- Segmentation — “Where can you go?”
- Incident Response — “What if you go rogue?”
Four maturity levels grade earned autonomy. An agent can be demoted; a critical incident triggers immediate demotion to Intern.3
- Intern — observe + report
- Junior — recommend + approve
- Senior — act + notify
- Principal — autonomous within domain
Five promotion gates must be passed to advance a level: Performance, Security Validation, Business Value, Incident Record, Governance Sign-off.
Gates name criteria categories without thresholds
The five promotion gates name what must be demonstrated, not how much. Per-element controls are described, not specified to pass/fail criteria. The 2026-Q2 review confirmed no published gate threshold or scored rubric in either the ATF blog or the GitHub reference.
Coverage Against OWASP ASI Top 10
This table scores ATF against its five elements, not the promotion gates. It is a re-scoring driven by the gate→element correction in the 2026-Q2 review: the elements are the constructs that map to risk categories; the gates govern level advancement.
| ASI Category | Coverage |
|---|---|
| ASI01: Agent Goal Hijack | ◐ Partial (Behavior + Incident Response elements) |
| ASI02: Tool Misuse | ◐ Partial (Segmentation element bounds blast radius) |
| ASI03: Identity & Privilege | ● Identity element |
| ASI04: Supply Chain | ○ None |
| ASI05: Unexpected Code Execution (RCE) | ◐ Partial (Segmentation element limits blast radius) |
| ASI06: Memory Poisoning | ◐ Partial (Data Governance element — input/output validation) |
| ASI07: Insecure Inter-Agent | ◐ Partial |
| ASI08: Cascading Failures | ◐ Partial (Segmentation element) |
| ASI09: Human-Agent Trust Exploitation | ○ None (elements bound agent autonomy; no human-trust-exploitation coverage) |
| ASI10: Rogue Agents | ● Behavior + Incident Response elements (containment, demotion) |
CSAI Foundation Programs (March 23, 2026)
- AI Risk Observatory: centralized risk tracking
- Valid-AI-ted: AI-driven audit engine
- AI Controls Matrix expansion: adding ISO 42001, ISO 27001, and SOC 2 mappings to AI-specific controls; could provide the first unified compliance mapping across multiple standards
- Three additional programs (details pending)
Strengths
- The four-level maturity model (Intern → Junior → Senior → Principal), gated by five promotion gates, addresses the “Least Agency” principle with a structured earned-autonomy progression
- Identity and rogue-agent categories (ASI03, ASI10) receive strong coverage via the Identity and Incident Response elements
- CSAI Foundation’s AI Controls Matrix expansion could resolve the multi-standard compliance mapping gap
- AI Risk Observatory could become a valuable threat intelligence resource
Gaps and Shortcomings
- Newest framework: limited operational validation
- Supply chain (ASI04) has no coverage in either MAESTRO (named as a cross-layer threat only) or ATF
- Promotion gates name criteria categories without measurable thresholds
- No certifiable standard, guidance only
- The AI Controls Matrix expansion is a roadmap item, not yet delivered
See Also
- Cloud Security Alliance (publisher)
- OWASP Top 10 for Agentic Applications (ASI Top 10) — risk taxonomy that ATF is designed to govern
- NIST AI Risk Management Framework (AI RMF) — governance complement; NIST RMF provides the federal baseline, ATF addresses agentic specifics
- Agentic AI Security Capability Maturity Model — MAESTRO Layer 2 (Data Operations) → D6; Layer 1 (Foundation Models) + Layer 3 (Agent Frameworks) → D4; Layer 4 (Deployment and Infrastructure) + Layer 7 (Agent Ecosystem) → D5; Layer 5 (Evaluation and Observability) → D7; Layer 3 supply-chain threat → D8. ATF maps via its five elements (Identity → D2, Behavior → D4/D7, Data Governance → D6, Segmentation → D3/D5, Incident Response → D9); the four maturity levels and five promotion gates inform D3 (gates name criteria categories without thresholds, see CMM)
- CSA MAESTRO and ATF Standards Review — primary-source verification of layer/element/gate names and the gate→element correction
- Threat Modeling for AI — uses MAESTRO as the layered-decomposition lens; Threat Taxonomy Reconciliation maps the seven layers alongside the ASI, T-code, and ATLAS taxonomies
Notes
Sources
- CSA MAESTRO / CSA Agentic Trust Framework
- Agentic AI Threat Modeling Framework: MAESTRO
- agentic-trust-framework (reference implementation)
Footnotes
-
CSA — Agentic AI Threat Modeling Framework: MAESTRO, retrieved 2026-06-22. Acronym: Multi-Agent Environment, Security, Threat, Risk, and Outcome. Layers: L1 Foundation Models, L2 Data Operations, L3 Agent Frameworks, L4 Deployment and Infrastructure, L5 Evaluation and Observability, L6 Security and Compliance, L7 Agent Ecosystem. ↩ ↩2
-
CSA — The Agentic Trust Framework: Zero Trust Governance for AI Agents, retrieved 2026-06-22. Five elements: Identity, Behavior, Data Governance, Segmentation, Incident Response. Five gates: Performance, Security Validation, Business Value, Incident Record, Governance Sign-off. Four levels: Intern, Junior, Senior, Principal. ↩ ↩2
-
agentic-trust-framework — massivescale-ai (GitHub), retrieved 2026-06-22. NIST SP 800-207 Zero Trust basis; demotion-to-Intern on critical incident. ↩ ↩2