Framework Comparison

ATF is complementary, not competing. It's the implementation specification that other frameworks' threat models and risk assessments lead you to.

🤝 Better together

“MAESTRO tells you what to worry about. OWASP tells you what can go wrong. NIST tells you the principles. ATF tells you what to build.”

Use threat models and risk assessments to identify gaps. Use ATF to close them.


| Framework | Relationship |
|---|---|
| MAESTRO (CSA) | Complementary |
| OWASP Top 10 for Agentic Applications | Complementary |
| NIST 800-207 / AI RMF | Foundational |
| CSA AI Controls Matrix (AICM) | Parent Framework |
| ISO/IEC 42001:2023 | Directly Aligned |
| ISO/IEC 27001:2022 | Foundational |
| AWS Agentic AI Security Scoping Matrix | Directly Aligned |
| OWASP AEGIS (Forrester) | Complementary |
| KPMG TACO | Adjacent |

MAESTRO (CSA)

Complementary

Threat Modeling for Multi-Agent Systems

MAESTRO tells you what to worry about. ATF tells you what to build. MAESTRO provides a 7-layer threat model for multi-agent systems; ATF provides the governance controls to address those threats.

Mapping to ATF

| MAESTRO | ATF Element |
|---|---|
| Foundation Model | Identity: credential management, model provenance |
| Data Operations | Data Governance: input validation, output filtering |
| Agent Core | Behavior: monitoring, anomaly detection, explainability |
| Agent Ecosystem | Identity: agent-to-agent authentication, trust chains |
| Deployment Infrastructure | Segmentation: network isolation, policy enforcement |
| Orchestration & Interaction | Segmentation + Behavior: workflow controls, coordination limits |
| Evaluation & Observability | All Elements: continuous monitoring, compliance reporting |

When you complete a MAESTRO threat assessment, the natural next question is: 'Now what do we build?' ATF provides that implementation specification. Use MAESTRO to identify risks; use ATF to mitigate them.

OWASP Top 10 for Agentic Applications

Complementary

Risk Catalog for AI Agent Vulnerabilities

OWASP identifies the top risks; ATF provides the controls to mitigate them. Every OWASP agentic risk maps to one or more ATF elements.

Mapping to ATF

| OWASP Top 10 for Agentic Applications | ATF Element |
|---|---|
| ASI-01: Agent Identity Spoofing | Identity: cryptographic agent credentials, mutual auth |
| ASI-02: Agent Authorization Failures | Identity + Segmentation: RBAC/ABAC, policy-as-code |
| ASI-03: Excessive Agent Autonomy | Behavior + Segmentation: maturity levels, boundaries |
| ASI-04: Improper Output Handling | Data Governance: output validation, toxicity filtering |
| ASI-05: Insecure Agent Memory | Data Governance: data classification, encryption |
| ASI-06: Agent-to-Agent Trust Issues | Identity: trust chains, session verification |
| ASI-07: Insufficient Agent Logging | Behavior: comprehensive structured logging |
| ASI-08: Vulnerable Agent Supply Chain | Identity + Data Governance: provenance, validation |
| ASI-09: Agent Resource Exhaustion | Segmentation: rate limiting, blast radius containment |
| ASI-10: Unreliable Agent Operations | Incident Response: circuit breakers, graceful degradation |

OWASP provides the risk vocabulary; ATF provides the governance response. Together they give security teams both the 'what can go wrong' and the 'how to prevent it.'

NIST 800-207 / AI RMF

Foundational

Zero Trust Architecture + AI Risk Management

ATF operationalizes NIST Zero Trust principles for AI agents. NIST 800-207 defines the architecture; ATF applies it to the specific challenges of autonomous, non-deterministic systems.

Mapping to ATF

| NIST 800-207 / AI RMF | ATF Element |
|---|---|
| Never trust, always verify | All Elements: continuous verification at every level |
| Least privilege access | Segmentation: strict allowlists, maturity-based boundaries |
| Assume breach | Incident Response: kill switches, circuit breakers, containment |
| GOVERN function | Operating Model: roles, review cadence, promotion criteria |
| MAP function | Identity + Behavior: agent characterization, behavioral baselines |
| MEASURE function | Behavior: anomaly detection, performance metrics |
| MANAGE function | All Elements: controls, incident response, continuous improvement |

NIST provides the principles; ATF provides the agent-specific implementation. Organizations already implementing Zero Trust will find ATF a natural extension of their existing architecture.

CSA AI Controls Matrix (AICM)

Parent Framework

243 AI Security Controls Across 18 Domains

AICM is CSA’s flagship AI security controls framework: 243 control objectives across 18 domains, built on the Cloud Controls Matrix (CCM). ATF operationalizes the agent-specific subset of AICM’s controls, adding the maturity model and progressive autonomy governance that AICM does not have. AICM is the broad AI controls umbrella; ATF is the agent-specific operating model underneath it.

Mapping to ATF

| CSA AI Controls Matrix | ATF Element |
|---|---|
| Identity & Access Management (IAM) | Identity: agent credentials, mutual authentication, non-human identity lifecycle |
| Data Security & Privacy Lifecycle Management (DSP) | Data Governance: input validation, PII/PHI classification, data lineage, output filtering |
| Log and Monitoring (LOG) | Behavior: real-time behavioral monitoring, structured decision logging, anomaly detection |
| Infrastructure & Virtualization Security (IVS) | Segmentation: network isolation, resource boundaries, blast radius containment |
| Security Incident Management (SEF) | Incident Response: kill switches, circuit breakers, containment, recovery playbooks |
| Model Security (MDS) | Identity + Data Governance: model provenance, supply chain verification, integrity validation |
| Application & Interface Security (AIS) | Segmentation + Behavior: API governance, action boundaries, rate limiting |
| Governance, Risk & Compliance (GRC) | Operating Model: governance policies, promotion criteria, review cadence, compliance evidence |
| Supply Chain Management & Transparency (STA) | Identity + Data Governance: agent provenance, tool verification, delegation chain integrity |
| Audit & Assurance (A&A) | Maturity Model: governance sign-off gates, assessment scoring, certification readiness |
| Change Control & Configuration Management (CCC) | Behavior + Operating Model: configuration drift detection, change approval workflows |
| Threat & Vulnerability Management (TVM) | Behavior + Incident Response: threat detection for agent-specific attack vectors |

AICM defines the 243 controls for AI broadly. ATF operationalizes the subset that applies to autonomous agents. The analogy: AICM is to ATF what CCM is to a specific security domain framework. Organizations using AICM for broad AI governance can layer ATF as the agent-specific operating model, getting a maturity progression and scored self-assessment that AICM does not provide. Both are published through CSA, and both are freely available.

ISO/IEC 42001:2023

Directly Aligned

AI-Specific Management System Standard

ISO/IEC 42001:2023 is the world’s first AI management system standard, with 39 controls across 10 domains covering AI governance, risk management, system lifecycle, and data management. ATF operationalizes the agent-specific subset of these controls, providing the implementation specification that ISO 42001 governance programs need for autonomous AI systems. Microsoft, AWS, Google Cloud, and Anthropic have all achieved ISO 42001 certification, making this crosswalk increasingly important for enterprise adoption.

Mapping to ATF

| ISO/IEC 42001:2023 | ATF Element |
|---|---|
| A.2 AI Policy | Operating Model: governance policies, promotion criteria, review cadence |
| A.3 Internal Organization | Operating Model: roles, responsibilities, reporting for agent governance |
| A.4 Resources for AI Systems | Identity: agent inventory, credential management, resource documentation |
| A.5 AI System Lifecycle | Maturity Model: Intern → Principal progression, promotion gates, demotion triggers |
| A.6 Data for AI Systems | Data Governance: input validation, data provenance, PII/PHI protection, output filtering |
| A.7 System Information for Interested Parties | Behavior: transparency, decision logging, explainability, audit trails |
| A.8 Use of AI Systems | Segmentation + Behavior: action boundaries, rate limiting, behavioral monitoring |
| A.9 Third-Party and Customer Relationships | Identity + Segmentation: agent-to-agent trust, supply chain verification, delegation chains |
| A.10 Continual Improvement | All Elements: maturity progression, incident-driven demotion, continuous verification |

ISO 42001 provides the management system; ATF provides the agent-specific operating model within it. Organizations pursuing ISO 42001 certification will find that ATF implementation generates much of the evidence and documentation the standard requires for autonomous AI systems.

ISO/IEC 27001:2022

Foundational

Information Security Management Baseline

ISO/IEC 27001 is the global standard for information security management systems. ATF extends ISO 27001’s security controls to address the unique challenges of autonomous AI agents: non-deterministic behavior, machine-speed decision-making, and dynamic trust relationships. Organizations with existing ISO 27001 certification will find ATF builds naturally on their existing ISMS.

Mapping to ATF

| ISO/IEC 27001:2022 | ATF Element |
|---|---|
| A.5 Organizational Controls (policies, roles) | Operating Model: agent governance policies, ownership, review cadence |
| A.5.15-A.5.18 Access Control | Identity + Segmentation: agent credentials, least privilege, action boundaries |
| A.8.1-A.8.10 Technology Controls (endpoint, logging) | Behavior: continuous monitoring, structured logging, anomaly detection |
| A.8.11-A.8.12 Network Security | Segmentation: network isolation, resource allowlists, blast radius containment |
| A.8.15-A.8.16 Logging and Monitoring | Behavior: real-time behavioral analysis, decision audit trails |
| A.5.24-A.5.28 Incident Management | Incident Response: circuit breakers, kill switches, containment, recovery playbooks |
| A.5.31-A.5.36 Compliance | Maturity Model: governance sign-off gates, compliance evidence generation |
| A.8.25-A.8.31 Secure Development | Data Governance: input validation, output filtering, data lineage |

ISO 27001 provides the information security foundation; ATF extends it for autonomous AI agents. ATF's key additions are controls for non-deterministic agent behavior, progressive autonomy, and machine-speed incident response, none of which ISO 27001 was designed to cover.

AWS Agentic AI Security Scoping Matrix

Directly Aligned

Agent Scope Classification

ATF maturity levels map 1:1 to AWS scopes. This wasn't accidental. Both frameworks recognize that agent autonomy must be classified and governed progressively.

Mapping to ATF

| AWS Agentic AI Security Scoping Matrix | ATF Element |
|---|---|
| Scope 1: No Agency | Intern: read-only, fully supervised |
| Scope 2: Prescribed Agency | Junior: recommendations, human approval required |
| Scope 3: Supervised Agency | Senior: autonomous within guardrails, post-action notification |
| Scope 4: Full Agency | Principal: self-directed within policy bounds |

AWS provides the scoping model; ATF provides the governance framework to operationalize each scope level with specific controls, promotion criteria, and demotion triggers.

OWASP AEGIS (Forrester)

Complementary

Agent Governance Assessment

AEGIS focuses on governance assessment and organizational readiness. ATF provides the technical specification that organizations can implement once they understand their governance posture.

Mapping to ATF

| OWASP AEGIS | ATF Element |
|---|---|
| Governance Assessment | ATF Self-Assessment: element-by-element readiness evaluation |
| Organizational Readiness | Operating Model: roles, cadence, documentation |
| Risk Evaluation | Maturity Model: risk profiles per level |

Use AEGIS to assess organizational readiness; use ATF to define what 'ready' looks like technically. The two frameworks address different layers of the same problem.

KPMG TACO

Adjacent

Trust in AI Compliance and Oversight

TACO focuses on audit and compliance governance for AI systems broadly. ATF focuses specifically on the operational governance of autonomous agents. Complementary scopes with overlapping concerns.

Mapping to ATF

| KPMG TACO | ATF Element |
|---|---|
| Compliance Oversight | ATF Compliance Mapping: SOC 2, ISO 27001, EU AI Act alignment |
| AI Governance | Operating Model: promotion boards, review cadence |
| Trust Measurement | Maturity Model: trust earned through demonstrated performance |

Organizations implementing TACO for broad AI governance can use ATF as the agent-specific implementation layer, ensuring autonomous systems have the additional controls their autonomy demands.

The Big Picture

1. 🔍 Identify Risks: MAESTRO, OWASP, NIST AI RMF
2. 📐 Define Controls: ATF Specification + Maturity Model
3. 🔧 Implement: ATF Component Catalog + Patterns