Question 1

What is the Agentic Trust Framework (ATF)?

Accepted Answer

The Agentic Trust Framework is an open governance specification that applies Zero Trust principles to autonomous AI agents. It defines five core elements (Identity, Behavior, Data Governance, Segmentation, Incident Response) and a four-level maturity model (Intern, Junior, Senior, Principal) for progressively granting agents autonomy based on demonstrated trustworthiness.

Question 2

What are the five pillars of the Agentic Trust Framework?

Accepted Answer

ATF's five core elements are: (1) Identity: verifying who an agent is through cryptographic credentials; (2) Behavior: continuously monitoring agent actions via observability and anomaly detection; (3) Data Governance: controlling what data agents consume and produce; (4) Segmentation: defining where agents can go through least-privilege access controls; (5) Incident Response: defining what happens if an agent goes rogue, including kill switches and circuit breakers.

Question 3

How does ATF relate to Zero Trust architecture?

Accepted Answer

ATF applies NIST 800-207 Zero Trust principles (never trust, always verify) to autonomous AI agents. Traditional Zero Trust governs human users and static systems; ATF extends this to non-deterministic, autonomous agents that take real actions at machine speed.

Question 4

What are ATF's four maturity levels?

Accepted Answer

Level 1 (Intern): read-only, fully supervised. Level 2 (Junior): recommends actions for human approval. Level 3 (Senior): acts autonomously with post-action notification. Level 4 (Principal): fully autonomous within defined boundaries. Agents earn progression through demonstrated trustworthy behavior.

Question 5

Is the Agentic Trust Framework free to use?

Accepted Answer

Yes. ATF is published under Creative Commons Attribution 4.0 International (CC BY 4.0). You can freely use, adapt, and build upon the framework with appropriate attribution. The specification is maintained on GitHub.

Question 6

How does ATF compare to MAESTRO?

Accepted Answer

MAESTRO and ATF are complementary. MAESTRO is a 7-layer threat modeling framework identifying what to worry about. ATF tells you what to build by providing governance controls. Use MAESTRO to identify risks, use ATF to mitigate them.

Question 7

How does ATF compare to the OWASP Top 10 for Agentic Applications?

Accepted Answer

OWASP identifies the top 10 risks for agentic applications (ASI-01 through ASI-10). ATF provides governance controls to mitigate each risk. Every OWASP agentic risk maps to one or more ATF core elements.

Question 8

How does ATF compare to NIST for AI agent security?

Accepted Answer

ATF is complementary to NIST. NIST 800-207 defines Zero Trust architecture principles; ATF applies them specifically to AI agents. NIST AI RMF defines risk management functions; ATF implements those with agent-specific controls and maturity levels.

Question 9

Who is implementing ATF?

Accepted Answer

Microsoft's Agent Governance Toolkit (MIT-licensed Python middleware covering all 5 pillars) and Berlin AI Labs (12-service reference implementation) have independently implemented ATF. ATF also aligns with the AWS Agentic AI Security Scoping Matrix.

Question 10

How do I assess my organization's readiness?

Accepted Answer

ATF includes a 30-question self-assessment covering all five core elements. Each question scores 1-5, providing element-by-element maturity scores and an overall readiness level. Available at verifiedagents.ai/assess.

Question 11

How do ATF maturity levels align with AWS scopes?

Accepted Answer

ATF levels map 1:1 to AWS Agentic AI Security Scoping Matrix: Intern = Scope 1 (No Agency), Junior = Scope 2 (Prescribed Agency), Senior = Scope 3 (Supervised Agency), Principal = Scope 4 (Full Agency).

Question 12

Can agents be demoted in ATF?

Accepted Answer

Yes. Demotion is a key differentiator. A critical incident triggers immediate demotion to Intern, a security vulnerability triggers demotion pending remediation, and repeated minor incidents trigger a one-level demotion. This ensures continuous trust verification.

Scope	Single use case, limited user population
Data access	Read-only, single domain
Human involvement	Continuous oversight
Success criteria	Accuracy threshold, no unexpected behaviors
Duration	Minimum 2 weeks

Scope	Production use case, broader user population
Data access	Read-only, may span domains with approval workflow
Human involvement	Approval required for all recommendations
Success criteria	>95% recommendation acceptance, zero critical incidents
Duration	Minimum 4 weeks

Scope	Defined operational domain
Data access	Read + write within scope
Human involvement	Post-action notification, exception handling
Success criteria	>99% accuracy, zero critical incidents, demonstrated ROI
Duration	Minimum 8 weeks

Scope	Multi-domain within policy bounds
Data access	Policy-governed, dynamic scope
Human involvement	Strategic oversight, edge case escalation
Success criteria	Sustained performance, continuous compliance, business value
Duration	Ongoing with continuous validation

Getting Started

Core Principles

Deployment Path

Controlled Pilot (Intern)

Production Introduction (Junior)

Bounded Autonomy (Senior)

Full Autonomy (Principal)

Recommended Build Order

Identity Foundation

Data Governance

Behavioral Monitoring

Segmentation

Incident Response

Pre-Deployment Checklist

Before deploying any agent

Ready to start?