CSA MAESTRO / CSA Agentic Trust Framework
The CSA Agentic Trust Framework (ATF, February 2, 2026) is a new framework applying Zero Trust governance principles specifically to autonomous AI agents. It introduces five progressive autonomy promotion gates — a staged authorization model where agents must demonstrate trustworthiness before being granted additional autonomous capabilities.
CSAI Foundation (March 23, 2026) — A new 501(c)(3) spun out of CSA with six strategic programs, including an AI Risk Observatory and the “Valid-AI-ted” AI-driven audit engine. This extends CSA’s AI security mission into an independent foundation.
Architecture: Five Promotion Gates
The ATF’s core contribution is a gate-based autonomy governance model that treats autonomous action as a privilege to be earned rather than granted:
- Gate 1 — Identity establishment: agent must have a verifiable, scoped identity
- Gate 2 — Capability attestation: agent capabilities declared and bounded
- Gate 3 — Behavioral baseline: agent establishes a known-good behavioral pattern
- Gate 4 — Monitored autonomy: agent operates under continuous surveillance
- Gate 5 — Full autonomy: granted only after demonstrated track record
Gate implementation details
Specific implementation criteria for each gate are not yet fully specified in published guidance. The gates represent an architectural pattern rather than a detailed control specification.
Coverage Against OWASP ASI Top 10
| ASI Category | Coverage |
|---|---|
| ASI01: Agent Goal Hijack | ◐ Partial (gates 1-3) |
| ASI02: Tool Misuse | ◐ Partial (capability bounding) |
| ASI03: Identity & Privilege | ● Gates 1-2 address identity |
| ASI04: Supply Chain | ○ None |
| ASI05: Data Disclosure | ◐ Partial |
| ASI06: Memory Poisoning | ○ None |
| ASI07: Insecure Inter-Agent | ◐ Partial |
| ASI08: Cascading Failures | ◐ Partial |
| ASI09: Missing Guardrails | ● Gates address guardrails |
| ASI10: Rogue Agents | ● Gate-based containment |
CSAI Foundation Programs (March 23, 2026)
- AI Risk Observatory — centralized risk tracking
- Valid-AI-ted — AI-driven audit engine
- AI Controls Matrix expansion — adding ISO 42001, ISO 27001, and SOC 2 mappings to AI-specific controls; could provide the first unified compliance mapping across multiple standards
- Three additional programs (details pending)
Strengths
- Gate-based autonomy governance model addresses the “Least Agency” principle with a structured progression
- Identity and guardrail categories (ASI03, ASI09, ASI10) receive the strongest coverage of any framework relative to their maturity
- CSAI Foundation’s AI Controls Matrix expansion could resolve the multi-standard compliance mapping gap
- AI Risk Observatory could become a valuable threat intelligence resource
Gaps and Shortcomings
- Newest framework — limited operational validation
- Supply chain (ASI04) and memory poisoning (ASI06) categories have no coverage
- Promotion gate implementation details are not fully specified
- No certifiable standard — guidance only
- Weakest coverage of ASI06 (Memory Poisoning) and ASI04 (Supply Chain) of all frameworks reviewed
- The AI Controls Matrix expansion is a roadmap item, not yet delivered
See Also
- Cloud Security Alliance (publisher)
- OWASP Top 10 for Agentic Applications (ASI Top 10) — risk taxonomy that ATF is designed to govern
- NIST AI Risk Management Framework (AI RMF) — governance complement; NIST RMF provides the federal baseline, ATF addresses agentic specifics
- Agentic AI Security Capability Maturity Model — A 2026 Practical Proposal — MAESTRO Layer 1 (Data) → D6; Layers 3–4 (Model + Reasoning) → D4; Layers 4–5 (Reasoning + Agent ecosystem) → D5; Layer 6 (Observability) → D7; Layer 7 (Supply chain) → D8. ATF Gates 0–4 inform D3 L4 (with caveat — gates not fully specified by CSA, see CMM)