Zero Trust Governance for Autonomous AI Agents
The Agentic Trust Framework (ATF) is an open governance specification for autonomous AI agents, applying Zero Trust principles across five core security elements. Published through the Cloud Security Alliance and licensed under CC BY 4.0.
ATF answers the question every organization deploying AI agents must face: How do we maintain control?
This is a specification, not a code library. ATF defines governance principles and requirements. Implementations demonstrate them in practice.
Every AI agent must be governed across five dimensions:
| # | Element | Question | What It Governs |
|---|---|---|---|
| 1 | Identity | "Who are you?" | Agent credentials, authentication, ownership |
| 2 | Behavior | "What are you doing?" | Monitoring, anomaly detection, intent alignment |
| 3 | Data Governance | "What are you eating? What are you serving?" | Input validation, PII protection, output filtering |
| 4 | Segmentation | "Where can you go?" | Access boundaries, least privilege, blast radius |
| 5 | Incident Response | "What if you go rogue?" | Kill switches, circuit breakers, containment |
Agents earn autonomy through demonstrated trustworthiness. They do not receive it by default.
| Level | Name | Autonomy | Human Involvement | AWS Scope |
|---|---|---|---|---|
| 1 | Intern | Observe + Report | Continuous oversight | Scope 1 |
| 2 | Junior | Recommend + Approve | Human approves all actions | Scope 2 |
| 3 | Senior | Act + Notify | Post-action notification | Scope 3 |
| 4 | Principal | Autonomous | Strategic oversight only | Scope 4 |
Agents can be demoted at any time if they fail to maintain standards. A critical incident triggers immediate demotion to Intern.
See MATURITY_MODEL.md for promotion gates, demotion criteria, operating model, and deployment checklists.
Specification: v0.9.1 (Public Review Draft, April 2026)
The specification has been published through the Cloud Security Alliance, independently implemented by multiple organizations, and is approaching v1.0.
Organizations are building against the ATF specification independently. See ECOSYSTEM.md for detailed entries.
| Project | Organization | Relationship | ATF Coverage | Repository |
|---|---|---|---|---|
| Agent Governance Toolkit | Microsoft | Independent convergence | All 5 elements | GitHub |
| VERA | Berlin AI Labs | Built on ATF principles | All 5 elements + maturity model | GitHub |
- Issue #4: Temporal drift detection for behavioral monitoring
- Issue #3: Agent Passport System for cryptographic identity
- Issue #2: DID/VC-based agent identity (MolTrust)
ATF is complementary, not competing. It is the governance operating model that other frameworks' threat models and risk assessments lead you to.
| Framework | Relationship | One-Liner |
|---|---|---|
| CSA AICM | Parent umbrella | AICM defines 243 controls for AI broadly. ATF operationalizes the agent-specific subset. |
| MAESTRO | Complementary | MAESTRO identifies what could go wrong. ATF defines how to maintain control. |
| OWASP Agentic Top 10 | Complementary | OWASP tells you what the threats are. ATF provides the governance to mitigate them. |
| NIST 800-207 | Foundational | NIST provides the Zero Trust principles. ATF applies them to AI agents. |
| AWS Scoping Matrix | Directly aligned | ATF maturity levels map 1:1 to AWS Scopes 1-4. |
| ISO/IEC 42001 | Directly aligned | ISO 42001 asks if you have an AI management system. ATF helps you build the agent governance component. |
See CROSSWALKS.md for detailed framework alignment mappings.
| Document | Description |
|---|---|
| SPECIFICATION.md | Core specification with requirements (RFC 2119) |
| MATURITY_MODEL.md | Four-level maturity model with promotion/demotion criteria |
| CONFORMANCE.md | Conformance tiers, 25 core requirements, maturity level matrix |
| IMPLEMENTATION_PATTERNS.md | Technology-agnostic implementation patterns |
| CROSSWALKS.md | Framework alignment mappings (AICM, OWASP, NIST, ISO) |
| SECURITY.md | Security principles and threat model |
- Assess your readiness: Take the free ATF Self-Assessment (30 questions, 15 minutes, PDF report)
- Read the specification: Start with SPECIFICATION.md for requirements, then MATURITY_MODEL.md for the operating model
- Understand the patterns: Review IMPLEMENTATION_PATTERNS.md for technology-agnostic guidance
- Map to your compliance: See CROSSWALKS.md for alignment to AICM, ISO 42001, ISO 27001, NIST, and more
ATF builds on concepts from Agentic AI + Zero Trust: A Guide for Business Leaders (September 2025), featuring a foreword by John Kindervag, creator of Zero Trust.
Published on the Cloud Security Alliance blog in February 2026 via a joint Zero Trust Working Group and AI Safety Working Group collaboration.
ATF welcomes specification feedback, implementation experience reports, and crosswalk contributions. See CONTRIBUTIONS.md for details.
- Specification: Creative Commons Attribution 4.0 International (CC BY 4.0)
- Repository: Apache License 2.0
- Specification site: agentictrustframework.ai
- Assessment tool: verifiedagents.ai/assess
- CSA blog post: cloudsecurityalliance.org
- Author: Josh Woodruff, MassiveScale.AI
- Book: Agentic AI + Zero Trust (Kindle) | Paperback