What is the Agentic Trust Framework (ATF)?

The Agentic Trust Framework is an open governance specification that applies Zero Trust principles to autonomous AI agents. It defines five core elements (Identity, Behavior, Data Governance, Segmentation, Incident Response) and a four-level maturity model (Intern, Junior, Senior, Principal) for progressively granting agents autonomy based on demonstrated trustworthiness.

What are the five pillars of the Agentic Trust Framework?

ATF's five core elements are: (1) Identity: verifying who an agent is through cryptographic credentials; (2) Behavior: continuously monitoring agent actions via observability and anomaly detection; (3) Data Governance: controlling what data agents consume and produce; (4) Segmentation: defining where agents can go through least-privilege access controls; (5) Incident Response: defining what happens if an agent goes rogue, including kill switches and circuit breakers.

How does ATF relate to Zero Trust architecture?

ATF applies NIST 800-207 Zero Trust principles (never trust, always verify) to autonomous AI agents. Traditional Zero Trust governs human users and static systems; ATF extends this to non-deterministic, autonomous agents that take real actions at machine speed.

What are ATF's four maturity levels?

Level 1 (Intern): read-only, fully supervised. Level 2 (Junior): recommends actions for human approval. Level 3 (Senior): acts autonomously with post-action notification. Level 4 (Principal): fully autonomous within defined boundaries. Agents earn progression through demonstrated trustworthy behavior.

Is the Agentic Trust Framework free to use?

Yes. ATF is published under Creative Commons Attribution 4.0 International (CC BY 4.0). You can freely use, adapt, and build upon the framework with appropriate attribution. The specification is maintained on GitHub.

How does ATF compare to MAESTRO?

MAESTRO and ATF are complementary. MAESTRO is a 7-layer threat modeling framework identifying what to worry about. ATF tells you what to build by providing governance controls. Use MAESTRO to identify risks, use ATF to mitigate them.

How does ATF compare to the OWASP Top 10 for Agentic Applications?

OWASP identifies the top 10 risks for agentic applications (ASI-01 through ASI-10). ATF provides governance controls to mitigate each risk. Every OWASP agentic risk maps to one or more ATF core elements.

How does ATF compare to NIST for AI agent security?

ATF is complementary to NIST. NIST 800-207 defines Zero Trust architecture principles; ATF applies them specifically to AI agents. NIST AI RMF defines risk management functions; ATF implements those with agent-specific controls and maturity levels.

Who is implementing ATF?

Microsoft's Agent Governance Toolkit (MIT-licensed Python middleware covering all 5 pillars) and Berlin AI Labs (12-service reference implementation) have independently implemented ATF. ATF also aligns with the AWS Agentic AI Security Scoping Matrix.

How do I assess my organization's readiness?

ATF includes a 30-question self-assessment covering all five core elements. Each question scores 1-5, providing element-by-element maturity scores and an overall readiness level. Available at verifiedagents.ai/assess.

How do ATF maturity levels align with AWS scopes?

ATF levels map 1:1 to AWS Agentic AI Security Scoping Matrix: Intern = Scope 1 (No Agency), Junior = Scope 2 (Prescribed Agency), Senior = Scope 3 (Supervised Agency), Principal = Scope 4 (Full Agency).

Can agents be demoted in ATF?

Yes. Demotion is a key differentiator. A critical incident triggers immediate demotion to Intern, a security vulnerability triggers demotion pending remediation, and repeated minor incidents trigger a one-level demotion. This ensures continuous trust verification.

Agent Maturity Model

The path from Intern to Principal. Autonomy earned through demonstrated trustworthiness.

ATF's maturity levels map cleanly to the AWS Agentic AI Security Scoping Matrix (Nov 2025), providing a familiar enterprise reference point.

ATF Level	Autonomy	Human Involvement
Internmaps to AWS Scope 1 (No Agency)	Observe + Report	Continuous oversight
Juniormaps to AWS Scope 2 (Prescribed Agency)	Recommend + Human Approves	Approval required for all actions
Seniormaps to AWS Scope 3 (Supervised Agency)	Act + Notify	Post-action notification
Principalmaps to AWS Scope 4 (Full Agency)	Autonomous Within Bounds	Strategic oversight, edge case escalation

LEVEL 1

Intern

Observe + Report: Scope 1 (No Agency)

Capabilities

✅ Read data from authorized sources
✅ Analyze and process information
✅ Generate reports and summaries
✅ Flag items for human attention
✅ Answer questions about data

Restrictions

❌ Create, update, or delete records
❌ Send communications
❌ Trigger workflows or automation
❌ Access credentials or secrets

Governance Requirements

Core Element	Requirements
Identity	Basic authentication, role assignment, audit logging
Behavior	Comprehensive action logging, output review
Data Governance	Input validation, PII detection, output filtering
Segmentation	Read-only resource access, strict allowlists
Incident Response	Circuit breaker, kill switch, human escalation

Example Use Cases

• Security log monitoring and alert triage
• Customer sentiment analysis
• Document summarization and search
• Data quality assessment
• Compliance monitoring and reporting

Risk Profile

Lowest risk. Intern agents cannot cause direct harm through action. Risks limited to information disclosure, incorrect analysis, and resource consumption.

Minimum time at level:2 weeks

LEVEL 2

Junior

Recommend + Human Approves: Scope 2 (Prescribed Agency)

Capabilities

✅ All Intern capabilities
✅ Generate action recommendations
✅ Provide reasoning for recommendations
✅ Draft content for human review
✅ Prepare transactions for approval
✅ Execute actions after human approval

Restrictions

❌ Execute autonomously
❌ Approve other agents
❌ Modify security settings

Governance Requirements

Core Element	Requirements
Identity	OAuth2/OIDC for approval workflows, session context
Behavior	Behavioral baseline, anomaly flagging, reasoning capture
Data Governance	Prompt injection detection, output validation, data lineage
Segmentation	Action allowlists, transaction limits, rate limiting
Incident Response	Automated alerting, basic rollback, approval queue pause

Example Use Cases

• Customer service response drafting
• Purchase order preparation
• Meeting scheduling assistance
• Code review and suggestions
• Marketing content creation

Risk Profile

Low risk. Human approval gates all impactful actions. Risks include approval fatigue, incorrect recommendations, and queue backlogs.

Minimum time at level:4 weeks

LEVEL 3

Senior

Act + Notify: Scope 3 (Supervised Agency)

Capabilities

✅ All Junior capabilities
✅ Execute approved action types autonomously
✅ Send notifications to stakeholders
✅ Trigger downstream workflows
✅ Access credentials within scope
✅ Coordinate with other agents (within limits)

Restrictions

❌ Modify own permissions
❌ Override security controls
❌ Escalate other agents

Governance Requirements

Core Element	Requirements
Identity	Attribute-based access, just-in-time privileges, mutual TLS
Behavior	Real-time anomaly detection, sequence analysis, intent drift detection
Data Governance	Full data classification, source verification, lineage tracking
Segmentation	Policy-as-code enforcement, temporal boundaries, cascade prevention
Incident Response	Isolation capability, checkpoint/resume, graceful degradation

Example Use Cases

• Infrastructure auto-scaling
• Automated customer refund processing (within limits)
• Routine IT ticket resolution
• Inventory reordering
• Scheduled report distribution

Risk Profile

Moderate risk. Autonomous execution creates exposure. Mitigated by real-time notifications, transaction limits, cumulative limits, and graceful degradation.

Minimum time at level:8 weeks

LEVEL 4

Principal

Autonomous Within Bounds: Scope 4 (Full Agency)

Capabilities

✅ All Senior capabilities
✅ Self-directed execution within domain
✅ Dynamic boundary negotiation (within policy)
✅ Escalate edge cases to humans
✅ Coordinate complex multi-agent workflows
✅ Request temporary privilege elevation

Restrictions

❌ Modify governance policies
❌ Promote other agents
❌ Operate outside defined domain

Governance Requirements

Core Element	Requirements
Identity	Hardware-bound identity, full policy-as-code, privilege attestation
Behavior	Continuous scoring, real-time explanation, autonomous escalation
Data Governance	Source trustworthiness scoring, full lineage graphs, regulatory compliance
Segmentation	Full microsegmentation, real-time policy evaluation, dynamic boundaries
Incident Response	Automated detection/containment/recovery, novel incident escalation

Example Use Cases

• Algorithmic trading within risk parameters
• Autonomous security incident response
• Complex supply chain optimization
• Self-healing infrastructure management
• Multi-system business process automation

Risk Profile

Highest governance requirements. Full autonomy demands maximum controls: continuous monitoring, real-time anomaly scoring, complete audit trails, and regular security validation.

Minimum time at level:Ongoing

Promotion Criteria

Five gates every agent must pass to earn higher autonomy

Gate 1: Performance

Demonstrated accuracy and reliability over the evaluation period.

Metric	→ Junior	→ Senior	→ Principal
Minimum Time at Level	2 weeks	4 weeks	8 weeks
Accuracy	N/A	>95%	>99%
Availability	>99%	>99.5%	>99.9%
Response Time SLA	Met	Met	Met

Gate 2: Security Validation

Passes security audit appropriate to the target level.

Metric	→ Junior	→ Senior	→ Principal
Vulnerability Assessment	✅	✅	✅
Penetration Testing	—	✅	✅
Adversarial Testing	—	—	✅
Code Review	✅	✅	✅
Configuration Audit	✅	✅	✅

Gate 3: Business Value

Measurable positive impact demonstrated.

Metric	→ Junior	→ Senior	→ Principal
Defined Success Metrics	✅	✅	✅
Baseline Established	✅	✅	✅
Improvement Demonstrated	—	✅	✅
ROI Calculation	—	✅	✅
Stakeholder Sign-off	✅	✅	✅

Gate 4: Incident Record

Clean operational history at current level.

Metric	→ Junior	→ Senior	→ Principal
Zero Critical Incidents	✅	✅	✅
Minor Incidents Resolved	✅	✅	✅
Root Cause Analysis Complete	N/A	✅	✅
Remediation Verified	N/A	✅	✅

Gate 5: Governance Sign-off

Explicit approval from authorized stakeholders.

Metric	→ Junior	→ Senior	→ Principal
Technical Owner Approval	✅	✅	✅
Security Team Approval	—	✅	✅
Business Owner Approval	✅	✅	✅
Risk Committee Approval	—	—	✅
Documentation Updated	✅	✅	✅

Demotion Criteria

Agents can be demoted at any time if they fail to maintain standards

Critical incident at current level

Immediate demotion to Intern

Security vulnerability discovered

Demotion pending remediation

Repeated minor incidents (3+ in evaluation period)

One level demotion

Performance metrics fall below threshold

Review-based demotion

Scope or purpose changes significantly

Review-based demotion

Underlying model or system changes

Review-based demotion

Demotion Process

Incident/trigger documented
Agent isolated (if immediate risk)
Root cause analysis conducted
New level determined
Governance controls updated
Agent reactivated at new level
Re-promotion requires full gate passage

Operating Model

Review Cadence

Activity	Frequency
Performance Review	Weekly
Security Scan	Weekly
Promotion Eligibility Check	Monthly
Full Security Audit	Quarterly
Governance Review	Quarterly
Penetration Test	Annually (Senior+)

Roles & Responsibilities

Agent Owner

Day-to-day operation, performance monitoring, issue resolution

Technical Owner

Architecture, implementation, technical governance

Security Team

Security validation, penetration testing, incident response

Business Owner

Use case definition, value measurement, stakeholder management

Governance Board

Promotion/demotion approval, policy setting, risk acceptance

Agent Maturity Model

Intern

Capabilities

Restrictions

Governance Requirements

Example Use Cases

Risk Profile

Junior

Capabilities

Restrictions

Governance Requirements

Example Use Cases

Risk Profile

Senior

Capabilities

Restrictions

Governance Requirements

Example Use Cases

Risk Profile

Principal

Capabilities

Restrictions

Governance Requirements

Example Use Cases

Risk Profile

Promotion Criteria

Gate 1: Performance

Gate 2: Security Validation

Gate 3: Business Value

Gate 4: Incident Record

Gate 5: Governance Sign-off

Demotion Criteria

Demotion Process

Operating Model

Review Cadence

Roles & Responsibilities

Agent Owner

Technical Owner

Security Team

Business Owner

Governance Board

Continue Exploring

← Five Core Elements

Self-Assessment →

Getting Started →