What are the five pillars of the Agentic Trust Framework?

ATF's five core elements are: (1) Identity: verifying who an agent is through cryptographic credentials; (2) Behavior: continuously monitoring agent actions via observability and anomaly detection; (3) Data Governance: controlling what data agents consume and produce; (4) Segmentation: defining where agents can go through least-privilege access controls; (5) Incident Response: defining what happens if an agent goes rogue, including kill switches and circuit breakers.

How does ATF relate to Zero Trust architecture?

ATF applies NIST 800-207 Zero Trust principles (never trust, always verify) to autonomous AI agents. Traditional Zero Trust governs human users and static systems; ATF extends this to non-deterministic, autonomous agents that take real actions at machine speed.

What are ATF's four maturity levels?

Level 1 (Intern): read-only, fully supervised. Level 2 (Junior): recommends actions for human approval. Level 3 (Senior): acts autonomously with post-action notification. Level 4 (Principal): fully autonomous within defined boundaries. Agents earn progression through demonstrated trustworthy behavior.

Is the Agentic Trust Framework free to use?

Yes. ATF is published under Creative Commons Attribution 4.0 International (CC BY 4.0). You can freely use, adapt, and build upon the framework with appropriate attribution. The specification is maintained on GitHub.

How does ATF compare to MAESTRO?

MAESTRO and ATF are complementary. MAESTRO is a 7-layer threat modeling framework identifying what to worry about. ATF tells you what to build by providing governance controls. Use MAESTRO to identify risks, use ATF to mitigate them.

How does ATF compare to the OWASP Top 10 for Agentic Applications?

OWASP identifies the top 10 risks for agentic applications (ASI-01 through ASI-10). ATF provides governance controls to mitigate each risk. Every OWASP agentic risk maps to one or more ATF core elements.

How does ATF compare to NIST for AI agent security?

ATF is complementary to NIST. NIST 800-207 defines Zero Trust architecture principles; ATF applies them specifically to AI agents. NIST AI RMF defines risk management functions; ATF implements those with agent-specific controls and maturity levels.

Who is implementing ATF?

Microsoft's Agent Governance Toolkit (MIT-licensed Python middleware covering all 5 pillars) and Berlin AI Labs (12-service reference implementation) have independently implemented ATF. ATF also aligns with the AWS Agentic AI Security Scoping Matrix.

How do I assess my organization's readiness?

ATF includes a 30-question self-assessment covering all five core elements. Each question scores 1-5, providing element-by-element maturity scores and an overall readiness level. Available at verifiedagents.ai/assess.

How do ATF maturity levels align with AWS scopes?

ATF levels map 1:1 to AWS Agentic AI Security Scoping Matrix: Intern = Scope 1 (No Agency), Junior = Scope 2 (Prescribed Agency), Senior = Scope 3 (Supervised Agency), Principal = Scope 4 (Full Agency).

Can agents be demoted in ATF?

Yes. Demotion is a key differentiator. A critical incident triggers immediate demotion to Intern, a security vulnerability triggers demotion pending remediation, and repeated minor incidents trigger a one-level demotion. This ensures continuous trust verification.

The Five Core Elements

Q: What is the Agentic Trust Framework (ATF)?

The Agentic Trust Framework is an open governance specification that applies Zero Trust principles to autonomous AI agents. It defines five core elements (Identity, Behavior, Data Governance, Segmentation, Incident Response) and a four-level maturity model (Intern, Junior, Senior, Principal) for progressively granting agents autonomy based on demonstrated trustworthiness.

25 core requirements across five elements, with detailed implementation controls at every maturity level.

🔐 Identity 👁️ Behavior 📊 Data Governance 🧱 Segmentation 🚨 Incident Response

🔐

Identity

“Who are you?”

Establish and continuously verify the identity of AI agents, their authorization chains, and their operational context. In Zero Trust, identity is the new perimeter.

Core Requirements

The 5 normative requirements for this element, as published in the CSA specification.

Requirement	Description
Unique Identifier	Globally unique, immutable identifier for each agent instance
Credential Binding	Agent identity bound to cryptographic credentials
Ownership Chain	Clear documentation of ownership and operational responsibility
Purpose Declaration	Documented intended use and operational scope
Capability Manifest	Machine-readable list of claimed agent capabilities

Implementation Controls

Detailed controls that support the core requirements above, organized by maturity level.

Agent Registration

Requirement	Description	Level
Unique Identifier	Globally unique, immutable identifier per agent	All
Credential Binding	Identity bound to cryptographic credentials	All
Ownership Chain	Documented owner/operator for every agent	All
Purpose Declaration	Documented intended use and scope	Junior+
Capability Manifest	Machine-readable list of agent capabilities	Senior+

Authentication

Requirement	Description	Level
Token-Based Auth	JWT or equivalent for all API calls	All
Short-Lived Tokens	Tokens expire within defined timeframes	All
Mutual TLS	Certificate-based auth for sensitive operations	Senior+
Hardware-Bound Identity	TPM or HSM-backed credentials	Principal

Authorization

Requirement	Description	Level
Role-Based Access	Agents assigned roles with defined permissions	All
Attribute-Based Access	Dynamic authorization based on context	Junior+
Just-In-Time Access	Elevated permissions granted temporarily	Senior+
Policy-as-Code	Authorization rules in auditable, testable format	Principal

Session Management

Requirement	Description	Level
Session Tracking	All sessions logged with timestamps	All
Session Limits	Maximum concurrent sessions enforced	All
Session Termination	Ability to revoke sessions immediately	All
Session Context	Environment and purpose tracked per session	Junior+

Implementation Patterns

Intern Level

Basic JWT authentication with role assignment. Focus on audit trail.

Junior Level

Add OAuth2/OIDC flows for human approval workflows. Session context enables approval routing.

Senior Level

Implement attribute-based policies. Just-in-time privilege elevation for specific actions.

Principal Level

Full policy-as-code with OPA. Hardware-backed identity for high-value operations.

👁️

Behavior

“What are you doing?”

Continuously monitor agent actions, detect anomalies, and ensure behavior aligns with declared intent. Trust is earned through observable, explainable actions.

Core Requirements

The 5 normative requirements for this element, as published in the CSA specification.

Requirement	Description
Structured Logging	All agent actions logged in machine-parseable format
Action Attribution	Every action tied to agent identity and session context
Behavioral Baseline	Established patterns of normal operation for anomaly detection
Anomaly Detection	Identification of deviations from expected behavior
Explainability	Ability to retrieve rationale for agent decisions

Implementation Controls

Detailed controls that support the core requirements above, organized by maturity level.

Action Logging

Requirement	Description	Level
Structured Logging	All logs in machine-parseable format	All
Action Attribution	Every action tied to agent identity and session	All
Input/Output Capture	Request and response payloads logged	All
Reasoning Capture	Agent's stated rationale for decisions	Junior+

Behavioral Baseline

Requirement	Description	Level
Activity Profiling	Track typical action patterns and frequencies	Junior+
Resource Usage Baseline	Normal CPU, memory, network, API call patterns	Junior+
Temporal Patterns	Expected operating hours and activity rhythms	Senior+
Interaction Patterns	Typical agent-to-agent and agent-to-system interactions	Senior+

Anomaly Detection

Requirement	Description	Level
Statistical Anomaly Detection	Flag actions outside normal distributions	Junior+
Sequence Anomaly Detection	Identify unusual action sequences	Senior+
Intent Drift Detection	Detect changes in agent decision patterns	Senior+
Real-Time Scoring	Continuous anomaly score calculation	Principal

Explainability

Requirement	Description	Level
Decision Logging	Record factors influencing each decision	All
Audit Query Support	Retrieve decision rationale on demand	Junior+
Counterfactual Explanation	"Why not X?" explanations available	Senior+
Real-Time Explanation	On-demand explanation during operation	Principal

Implementation Patterns

Intern Level

Comprehensive structured logging. Human review of all outputs.

Junior Level

Add behavioral baselines and anomaly flagging. Suspicious actions routed to human queue.

Senior Level

Real-time anomaly detection with automated alerting. Actions continue but humans notified.

Principal Level

Continuous behavioral scoring integrated with incident response. Automated escalation of edge cases.

📊

Data Governance

“What are you eating? What are you serving?”

Validate all data entering the agent, protect sensitive information, and govern output quality and appropriateness. Garbage in, garbage out applies doubly to AI.

Core Requirements

The 5 normative requirements for this element, as published in the CSA specification.

Requirement	Description
Schema Validation	Inputs conform to expected structure and types
Injection Prevention	Detection of prompt injection and adversarial inputs
PII/PHI Protection	Automated detection and masking of sensitive data
Output Validation	Outputs conform to expected structure and content policies
Data Lineage	Tracking of data provenance through the agent pipeline

Implementation Controls

Detailed controls that support the core requirements above, organized by maturity level.

Input Validation

Requirement	Description	Level
Schema Validation	Inputs conform to expected structure	All
Type Checking	Data types verified before processing	All
Injection Prevention	Prompt injection and adversarial input detection	Junior+
Source Verification	Data provenance validated	Senior+

Sensitive Data Protection

Requirement	Description	Level
PII Detection	Automated identification of personal data	All
Data Masking	Sensitive data redacted in logs and outputs	All
Encryption in Transit	TLS for all data movement	All
Data Classification	Automated sensitivity classification	Senior+

Output Governance

Requirement	Description	Level
Output Schema Validation	Outputs conform to expected structure	All
Toxicity Filtering	Harmful content detection and filtering	All
Hallucination Detection	Factual accuracy verification where possible	Junior+
Regulatory Compliance	Outputs meet industry-specific requirements	Principal

Data Lineage

Requirement	Description	Level
Input Source Tracking	Record where each input originated	Junior+
Transformation Logging	Track how data was processed	Senior+
Output Attribution	Outputs traceable to input sources	Senior+
Full Lineage Graph	Complete data flow visualization	Principal

Implementation Patterns

Intern Level

Basic schema validation and PII detection. All outputs reviewed by humans.

Junior Level

Add prompt injection detection and output validation. Flagged items queued for approval.

Senior Level

Full data classification and lineage tracking. Automated remediation for common issues.

Principal Level

Custom NER models for domain-specific data. Full DLP integration. Real-time output governance.

🧱

Segmentation

“Where can you go?”

Enforce boundaries on agent access, limit blast radius, and ensure least-privilege operation. Agents should only access what they need, when they need it.

Core Requirements

The 5 normative requirements for this element, as published in the CSA specification.

Requirement	Description
Resource Allowlist	Explicit enumeration of permitted resources
Action Boundaries	Explicit enumeration of permitted actions
Rate Limiting	Maximum operations per time period
Transaction Limits	Maximum impact per individual action
Blast Radius Containment	Limits on cumulative impact and cascade effects

Implementation Controls

Detailed controls that support the core requirements above, organized by maturity level.

Resource Boundaries

Requirement	Description	Level
Resource Allowlist	Explicit list of permitted resources	All
API Endpoint Restrictions	Limited to specific endpoints	All
Data Scope Limits	Access to specific data subsets only	All
Network Segmentation	Agents isolated at network level	Senior+

Action Boundaries

Requirement	Description	Level
Action Allowlist	Explicit list of permitted actions	All
Read vs. Write Separation	Distinct permissions for read/write	All
Destructive Action Limits	Special controls for delete/modify	Junior+
Rate Limiting	Maximum actions per time period	All

Temporal Boundaries

Requirement	Description	Level
Operating Hours	Defined windows for agent activity	Junior+
Maintenance Windows	Restricted operation during sensitive periods	Senior+
Time-Based Permissions	Permissions that expire or activate on schedule	Senior+

Blast Radius Containment

Requirement	Description	Level
Scope Limits	Maximum scope of any single action	All
Transaction Limits	Maximum value/impact per transaction	Junior+
Cumulative Limits	Maximum impact over time periods	Senior+
Cascade Prevention	Limits on triggering other agents/systems	Principal

Implementation Patterns

Intern Level

Strict allowlists for resources and read-only actions. No write access.

Junior Level

Add action allowlists with human approval for anything outside list.

Senior Level

Policy-as-code enforcement. Dynamic boundaries based on context.

Principal Level

Full microsegmentation with real-time policy evaluation.

🚨

Incident Response

“What if you go rogue?”

Detect, contain, and recover from agent failures, compromises, or unexpected behavior. Assume agents will fail and plan accordingly.

Core Requirements

The 5 normative requirements for this element, as published in the CSA specification.

Requirement	Description
Circuit Breaker	Automatic halt on repeated failures
Kill Switch	Immediate manual termination capability (<1 second)
Session Revocation	Ability to invalidate all agent sessions
State Rollback	Ability to undo agent actions where possible
Graceful Degradation	Fallback to lower autonomy level on issues

Implementation Controls

Detailed controls that support the core requirements above, organized by maturity level.

Detection

Requirement	Description	Level
Error Detection	Automatic identification of failures	All
Anomaly Alerts	Notifications when behavior deviates	Junior+
Threshold Alerts	Notifications when limits approached	Junior+
Correlation	Link related events across systems	Senior+

Containment

Requirement	Description	Level
Circuit Breaker	Automatic halt on repeated failures	All
Kill Switch	Immediate manual termination capability	All
Session Revocation	Invalidate all agent sessions	All
Isolation	Quarantine agent from other systems	Senior+

Recovery

Requirement	Description	Level
State Rollback	Ability to undo agent actions	Junior+
Checkpoint/Resume	Restore from known good state	Senior+
Graceful Degradation	Fallback to lower autonomy level	Senior+
Automated Recovery	Self-healing within defined parameters	Principal

Post-Incident

Requirement	Description	Level
Incident Logging	Complete record of incident timeline	All
Root Cause Analysis	Systematic investigation process	Junior+
Remediation Tracking	Follow-up actions documented and tracked	Senior+
Lessons Learned	Updates to policies and procedures	Senior+

Implementation Patterns

Intern Level

Circuit breakers and kill switches. All incidents trigger human review.

Junior Level

Add automated alerting and basic rollback. Incidents pause approval queue.

Senior Level

Full isolation and recovery capabilities. Graceful degradation to Junior level.

Principal Level

Automated detection, containment, and recovery within bounds. Escalation for novel incidents.

Cross-Element Integration

The five core elements don't operate in isolation. Effective ATF implementation requires deliberate integration.

Identity→Behavior

Session identity enables behavioral attribution; role context informs anomaly detection thresholds

Behavior→Incident Response

Anomaly scores trigger containment measures; behavioral logs feed root cause analysis

Data Governance→Segmentation

Data classification drives access boundaries; input validation prevents boundary bypass attempts

Segmentation→Identity

Resource access requires identity verification; boundary violations trigger re-authentication

All Elements → Audit: Every element generates audit events. A unified audit trail enables compliance reporting.

Compliance Mapping

ATF requirements map directly to established compliance frameworks.

ATF Requirement	SOC 2	ISO 27001	NIST AI RMF	EU AI Act
Agent Registration	CC6.1	A.9.2.1	GOVERN 1.1	Art. 16
Authentication	CC6.1	A.9.4.2	MAP 1.1	Art. 15
Action Logging	CC7.2	A.12.4.1	MEASURE 2.1	Art. 12
Data Protection	CC6.5	A.18.1.4	MANAGE 2.1	Art. 10
Output Governance	CC6.5	A.18.1.4	MANAGE 2.2	Art. 14
Access Control	CC6.3	A.9.1.1	MANAGE 1.1	Art. 9
Incident Response	CC7.4	A.16.1.4	MANAGE 4.1	Art. 62

The Five Core Elements

Identity

Core Requirements

Implementation Controls

Agent Registration

Authentication

Authorization

Session Management

Implementation Patterns

Behavior

Core Requirements

Implementation Controls

Action Logging

Behavioral Baseline

Anomaly Detection

Explainability

Implementation Patterns

Data Governance

Core Requirements

Implementation Controls

Input Validation

Sensitive Data Protection

Output Governance

Data Lineage

Implementation Patterns

Segmentation

Core Requirements

Implementation Controls

Resource Boundaries

Action Boundaries

Temporal Boundaries

Blast Radius Containment

Implementation Patterns

Incident Response

Core Requirements

Implementation Controls

Detection

Containment

Recovery

Post-Incident

Implementation Patterns

Cross-Element Integration

Compliance Mapping

Continue Exploring

Maturity Model →

Component Catalog →

Self-Assessment →