What is the Agentic Trust Framework (ATF)?

The Agentic Trust Framework is an open governance specification that applies Zero Trust principles to autonomous AI agents. It defines five core elements (Identity, Behavior, Data Governance, Segmentation, Incident Response) and a four-level maturity model (Intern, Junior, Senior, Principal) for progressively granting agents autonomy based on demonstrated trustworthiness.

What are the five pillars of the Agentic Trust Framework?

ATF's five core elements are: (1) Identity: verifying who an agent is through cryptographic credentials; (2) Behavior: continuously monitoring agent actions via observability and anomaly detection; (3) Data Governance: controlling what data agents consume and produce; (4) Segmentation: defining where agents can go through least-privilege access controls; (5) Incident Response: defining what happens if an agent goes rogue, including kill switches and circuit breakers.

How does ATF relate to Zero Trust architecture?

ATF applies NIST 800-207 Zero Trust principles (never trust, always verify) to autonomous AI agents. Traditional Zero Trust governs human users and static systems; ATF extends this to non-deterministic, autonomous agents that take real actions at machine speed.

What are ATF's four maturity levels?

Level 1 (Intern): read-only, fully supervised. Level 2 (Junior): recommends actions for human approval. Level 3 (Senior): acts autonomously with post-action notification. Level 4 (Principal): fully autonomous within defined boundaries. Agents earn progression through demonstrated trustworthy behavior.

Is the Agentic Trust Framework free to use?

Yes. ATF is published under Creative Commons Attribution 4.0 International (CC BY 4.0). You can freely use, adapt, and build upon the framework with appropriate attribution. The specification is maintained on GitHub.

How does ATF compare to MAESTRO?

MAESTRO and ATF are complementary. MAESTRO is a 7-layer threat modeling framework identifying what to worry about. ATF tells you what to build by providing governance controls. Use MAESTRO to identify risks, use ATF to mitigate them.

How does ATF compare to the OWASP Top 10 for Agentic Applications?

OWASP identifies the top 10 risks for agentic applications (ASI-01 through ASI-10). ATF provides governance controls to mitigate each risk. Every OWASP agentic risk maps to one or more ATF core elements.

How does ATF compare to NIST for AI agent security?

ATF is complementary to NIST. NIST 800-207 defines Zero Trust architecture principles; ATF applies them specifically to AI agents. NIST AI RMF defines risk management functions; ATF implements those with agent-specific controls and maturity levels.

Who is implementing ATF?

Microsoft's Agent Governance Toolkit (MIT-licensed Python middleware covering all 5 pillars) and Berlin AI Labs (12-service reference implementation) have independently implemented ATF. ATF also aligns with the AWS Agentic AI Security Scoping Matrix.

How do I assess my organization's readiness?

ATF includes a 30-question self-assessment covering all five core elements. Each question scores 1-5, providing element-by-element maturity scores and an overall readiness level. Available at verifiedagents.ai/assess.

How do ATF maturity levels align with AWS scopes?

ATF levels map 1:1 to AWS Agentic AI Security Scoping Matrix: Intern = Scope 1 (No Agency), Junior = Scope 2 (Prescribed Agency), Senior = Scope 3 (Supervised Agency), Principal = Scope 4 (Full Agency).

Can agents be demoted in ATF?

Yes. Demotion is a key differentiator. A critical incident triggers immediate demotion to Intern, a security vulnerability triggers demotion pending remediation, and repeated minor incidents trigger a one-level demotion. This ensures continuous trust verification.

What is the Agentic Trust Framework (ATF)?

The Agentic Trust Framework (ATF) is an open governance specification that applies Zero Trust principles to autonomous AI agents. It defines five core elements: Identity, Behavior, Data Governance, Segmentation, and Incident Response. It includes a four-level maturity model (Intern, Junior, Senior, Principal) for progressively granting agents autonomy based on demonstrated trustworthiness.

What are the five core elements of the Agentic Trust Framework?

ATF's five core elements are: (1) Identity: verifying who an agent is through cryptographic credentials; (2) Behavior: continuously monitoring what an agent is doing via observability and anomaly detection; (3) Data Governance: controlling what data agents consume and produce; (4) Segmentation: defining where agents can go through least-privilege access controls; and (5) Incident Response: defining what happens if an agent goes rogue, including kill switches and circuit breakers.

How does ATF relate to Zero Trust architecture?

ATF applies NIST 800-207 Zero Trust principles (never trust, always verify) to the specific challenges of autonomous AI agents. Traditional Zero Trust governs human users and static systems; ATF extends this to non-deterministic, autonomous agents that can take real actions at machine speed.

What are ATF's four maturity levels?

ATF defines four agent maturity levels: Level 1 (Intern): read-only, fully supervised; Level 2 (Junior): recommends actions for human approval; Level 3 (Senior): acts autonomously with post-action notification; Level 4 (Principal): fully autonomous within defined boundaries. Agents earn progression through demonstrated trustworthy behavior, not by default.

How does ATF compare to OWASP and NIST for AI agent security?

ATF is complementary to both. OWASP's Top 10 for Agentic Applications identifies the key threats; ATF provides the governance controls to operationalize mitigations against those threats. NIST 800-207 defines Zero Trust architecture principles; ATF applies those principles specifically to AI agents. ATF also aligns with the AWS Agentic AI Security Scoping Matrix and MAESTRO, which provides a threat modeling framework for multi-agent systems and ATF's governance controls complement it.

How does ATF compare to MAESTRO?

MAESTRO and ATF are complementary frameworks. MAESTRO is a threat modeling framework for multi-agent systems with 7 layers, identifying what to worry about. ATF tells you what to build by providing governance controls. They interlock: MAESTRO's Agent Ecosystem layer → ATF's Identity Management; MAESTRO's Data Operations → ATF's Data Governance.

The Microsoft Agent Governance Toolkit, officially launched in April 2026 as a seven-package MIT-licensed open-source project, maps all five ATF core elements to its architecture, independently validating the governance model. The toolkit team has engaged directly on ATF conformance via GitHub. Berlin AI Labs contributed a reference implementation across 12 independently deployed services. The specification was published through the Cloud Security Alliance.

How does the Microsoft Agent Governance Toolkit relate to ATF?

The Microsoft Agent Governance Toolkit is a seven-package MIT-licensed open-source project launched in April 2026. Its architecture independently validates ATF's five-element model: Agent Mesh maps to ATF Identity (DID-based agent identity with behavioral trust scoring), Agent OS maps to Behavior (stateless policy engine), Agent Compliance maps to Data Governance (automated governance verification), Agent Runtime maps to Segmentation (execution rings with capability sandboxing), and Agent SRE maps to Incident Response (SLOs, circuit breakers, kill switches). The toolkit supports Python, TypeScript, Rust, Go, and .NET with integrations for LangChain, AutoGen, CrewAI, OpenAI Agents SDK, and Google ADK.

How do I assess my organization's ATF readiness?

Start with the free self-assessment at verifiedagents.ai. It covers 30 questions (6 per ATF pillar), takes about 15 minutes, and generates a board-ready PDF report with gap analysis and prioritized remediation steps.

Does ATF address EU AI Act and regulatory compliance?

ATF's governance elements map directly to EU AI Act requirements for high-risk AI systems: identity management supports transparency and traceability, behavior monitoring enables human oversight, data governance aligns with data quality mandates, and incident response supports risk management systems.

🛡️ Open Specification

Agentic Trust
Framework

Zero Trust Governance for Autonomous AI Agents

"Never trust, always verify" applied to AI agents that act on your behalf.

Assess Your AI Agent Readiness→See Who's Building on ATF→

What Is the Agentic Trust Framework?

The Agentic Trust Framework (ATF) is an open specification for governing AI agents using Zero Trust principles. It provides organizations with a practical, implementable approach to deploying autonomous AI systems that can pass security audits while delivering business value.

Unlike traditional security frameworks designed for human users and static systems, ATF addresses the unique challenges of AI agents:

Agents act autonomously

They make decisions without human approval

Agents learn and adapt

Their behavior changes over time

Agents access sensitive systems

They need credentials, data, and permissions

Agents interact with each other

Creating complex trust relationships

ATF answers the fundamental question every security team asks: How do we let AI agents do their jobs without creating unacceptable risk?

The Five Core Elements

Zero Trust principles applied to AI agents across five dimensions

🔐

Identity

“Who are you?”

Authentication, authorization, and session management for AI agents.

What It Means for Agents

Verify the agent's credentials, permissions, and authorization chain

👁️

Behavior

“What are you doing?”

Observability, anomaly detection, and intent analysis of agent actions.

What It Means for Agents

Monitor actions in real-time, detect anomalies, ensure intent alignment

📊

Data Governance

“What are you eating? What are you serving?”

Input validation, PII protection, and output governance controls.

What It Means for Agents

Validate inputs, protect sensitive data, govern outputs, prevent poisoning

🧱

Segmentation

“Where can you go?”

Access control, resource boundaries, and policy enforcement.

What It Means for Agents

Enforce boundaries, limit blast radius, control resource access

🚨

Incident Response

“What if you go rogue?”

Circuit breakers, kill switches, and containment procedures.

What It Means for Agents

Circuit breakers, kill switches, containment, and recovery

Agent Maturity Model

A progressive approach to granting autonomy based on demonstrated trustworthiness

LEVEL 1

Intern

Observe + Report

Fully supervised, no autonomous actions

AUTONOMY:

Read-only

HUMAN INVOLVEMENT:

Continuous oversight

RISK PROFILE:

Lowest

AWS SCOPE:

Scope 1 = Intern

MIN TIME:

2 weeks

EXAMPLE USE CASE

An agent that monitors security logs and flags suspicious patterns for analyst review.

→

LEVEL 2

Junior

Recommend + Human Approves

Limited autonomy, frequent check-ins

AUTONOMY:

Suggestions only

HUMAN INVOLVEMENT:

Approval required for all actions

RISK PROFILE:

Low

AWS SCOPE:

Scope 2 = Junior

MIN TIME:

4 weeks

EXAMPLE USE CASE

An agent that drafts customer service responses for human review before sending.

→

LEVEL 3

Senior

Act + Notify

Broad autonomy, exception-based oversight

AUTONOMY:

Executes within guardrails

HUMAN INVOLVEMENT:

Post-action notification

RISK PROFILE:

Moderate

AWS SCOPE:

Scope 3 = Senior

MIN TIME:

8 weeks

EXAMPLE USE CASE

An agent that automatically scales cloud infrastructure based on load, notifying the ops team of changes.

→

LEVEL 4

Principal

Autonomous Within Bounds

Full autonomy within defined boundaries

AUTONOMY:

Self-directed within approved domain

HUMAN INVOLVEMENT:

Strategic oversight, edge case escalation

RISK PROFILE:

Highest governance requirements

AWS SCOPE:

Scope 4 = Principal

MIN TIME:

Ongoing

EXAMPLE USE CASE

An agent that autonomously triages, contains, and remediates security incidents within defined playbooks, escalating novel threats to the human SOC team.

Promotion Criteria

Agents must demonstrate trustworthiness to earn higher autonomy

Performance

•Sustained accuracy over defined evaluation period
•Reliability metrics meet or exceed thresholds
•Consistent quality of outputs and decisions

Security Validation

•Passes security audit at current level
•Penetration testing shows no exploitable vulnerabilities
•Adversarial testing confirms robustness

Business Value

•Measurable ROI or outcome improvement
•Documented business impact
•Stakeholder satisfaction metrics

Incident Record

•No major errors or incidents at prior level
•Minor incidents properly handled and documented
•Root cause analysis completed for any issues

Governance Sign-off

•Explicit approval from designated authority
•Documented risk acceptance
•Updated policies and procedures in place

Important Note

Agents can also be DEMOTED if they fail to maintain these criteria or if incidents occur at their current level. This is a key differentiator that ensures continuous trust verification.

How ATF Relates to Other Frameworks

MAESTRO

MAESTRO models threats across 7 layers; ATF provides the governance controls to address them.

OWASP Top 10 for Agentic Applications

Identifies threats; ATF provides controls to mitigate them.

NIST 800-207

Defines Zero Trust principles; ATF applies them specifically to AI agents.

AWS Agentic AI Security Scoping Matrix

ATF maturity levels align to AWS Scopes 1-4.

Why ATF Matters Now

The Enterprise AI Dilemma

Organizations face competing pressures:

Board mandate

"We need to adopt AI to stay competitive"

Security mandate

"We can't deploy systems we can't govern"

Compliance mandate

"We must demonstrate control and auditability"

Traditional approaches force a choice: move fast with AI (and accept risk) or move carefully (and fall behind). ATF resolves this tension by providing a structured path to AI adoption with security built in from the start.

The Zero Trust Bonus

Here's what many organizations don't realize: implementing ATF for AI agents accelerates your broader Zero Trust journey.

The same principles, patterns, and infrastructure that govern AI agents apply to human access:

Continuous verification
Least privilege access
Microsegmentation
Assume breach mentality

Organizations that implement ATF for their AI agents often find they've built 60-70% of the infrastructure needed for comprehensive Zero Trust architecture.

Compliance Alignment

ATF maps directly to existing compliance frameworks:

Framework	ATF Alignment
CSA AICM	IAM, DSP, LOG, IVS, SEF, MDS, AIS, GRC, STA, A&A domains
NIST AI RMF	GOVERN, MAP, MEASURE, MANAGE functions
SOC 2	CC6.1-CC6.7 (access), CC7.2-CC7.4 (monitoring/incident)
ISO/IEC 42001	A.2-A.10 (AI policy, lifecycle, data, oversight, continuous improvement)
ISO/IEC 27001	A.5.15-A.8.32 (access, logging, data, segmentation, incident)
EU AI Act	Articles 9, 10, 12, 16, 20, 26, 62

See detailed framework crosswalks →

Getting Started

📖

Read the Specification

The complete ATF specification including detailed requirements and implementation guidance.

View on GitHub→

📰

Read the CSA Overview

A comprehensive overview published on the Cloud Security Alliance blog.

Read the Blog Post→

📚

Get the Book

The complete guide to implementing ATF in enterprise environments.

Buy on Amazon→

Frequently Asked Questions

Common questions about the Agentic Trust Framework, its relationship to other standards, and how to get started.

Origins

ATF builds on concepts introduced in Agentic AI + Zero Trust: A Guide for Business Leaders (September 2025), featuring a foreword by John Kindervag, creator of Zero Trust.

Author: Josh Woodruff
Organization: MassiveScale.AI
License: Creative Commons Attribution 4.0 International (CC BY 4.0)

Published as an open specification under Creative Commons licensing. The canonical specification is maintained on GitHub at github.com/massivescale-ai/agentic-trust-framework.

Stay updated on ATF

Framework updates, implementation guides, and community news.

Agentic TrustFramework

What Is the Agentic Trust Framework?

Agents act autonomously

Agents learn and adapt

Agents access sensitive systems

Agents interact with each other

The Five Core Elements

Identity

What It Means for Agents

Behavior

What It Means for Agents

Data Governance

What It Means for Agents

Segmentation

What It Means for Agents

Incident Response

What It Means for Agents

Agent Maturity Model

Intern

EXAMPLE USE CASE

Junior

EXAMPLE USE CASE

Senior

EXAMPLE USE CASE

Principal

EXAMPLE USE CASE

Promotion Criteria

Performance

Security Validation

Business Value

Incident Record

Governance Sign-off

Important Note

How ATF Relates to Other Frameworks

MAESTRO

OWASP Top 10 for Agentic Applications

NIST 800-207

AWS Agentic AI Security Scoping Matrix

Why ATF Matters Now

The Enterprise AI Dilemma

Board mandate

Security mandate

Compliance mandate

The Zero Trust Bonus

Compliance Alignment

Getting Started

Read the Specification

Read the CSA Overview

Get the Book

Frequently Asked Questions

Origins

Stay updated on ATF

Agentic Trust
Framework