ATF author here, excited about what you've built

[jman-msc]

Hi Imran,

I'm Josh Woodruff, author of the Agentic Trust Framework and co-chair of the CSA Zero Trust Working Group.

I just found your CSA-ATF-PROPOSAL.md and wanted to reach out directly. You built full coverage across all five pillars, got this moved into the microsoft/ org, and formally proposed CSA working group engagement. All within 30 days of the blog post. That's impressive, and I appreciate it.

I fully support positioning the Agent Governance Toolkit as an ATF reference implementation. On your three proposed spec additions:

1. Agent delegation chain verification: You're right that this is a gap. I want to formalize this in v0.2.0.
2. AI-BOM integration: Directly relevant to the Data Governance pillar and to EU AI Act alignment. I'm very interested.
3. Trust scoring quantification: The maturity model has qualitative promotion criteria today. A quantified scoring methodology would make it much stronger.

I'd like to invite you to contribute to the ATF specification through the CSA Zero Trust Working Group. I'll be at RSAC 2026 (March 23-26 in San Francisco) and would love to meet in person if you're attending. If not, let's set up a call.

I also just ran a CSA webinar on ATF. Here's the recording if you want to see the current state of the spec and where it's heading: CSA ATF Webinar Recording

One more thing: I'm developing a formal ATF Conformance specification, defining what "ATF Compatible" means as a verifiable checklist based on the five elements. You've already mapped against all 15 requirements. I'd welcome your input as a co-author. Your implementation experience is exactly what keeps a conformance spec practical instead of theoretical.

Looking forward to connecting.

Josh Woodruff
Founder and CEO, MassiveScale.AI
CSA Research Fellow | IANS Faculty | Co-Chair, CSA Zero Trust Working Group
agentictrustframework.ai

[imran-siddique]

@jman-msc — thank you for reaching out directly, and for the generous words. Finding the ATF spec back in February was one of those "someone already articulated the threat model we've been building against" moments. Your five-pillar structure gave us a clean compliance target, and mapping our toolkit against all 15 requirements validated that we'd been converging on the same architecture from the implementation side.

On the three spec additions

1. Agent delegation chain verification (v0.2.0)

This is the gap that shows up the moment you move from single-agent to multi-agent systems. Our AgentMesh package already implements this — cryptographically signed delegation chains where each hop in an agent-to-agent call carries:

• The originating agent's DID identity
• A signed delegation token with scoped permissions and TTL
• A Merkle-chained audit trail so any node in the chain can verify provenance back to the root

We'd be happy to contribute our implementation patterns and test vectors as input for the v0.2.0 spec. The tricky design decision is how much of the chain each intermediate agent should be able to inspect (full chain vs. only its immediate delegator) — we currently support both modes and have opinions on when each is appropriate.

2. AI-BOM integration

We built a full AI Bill of Materials system in Agent OS that tracks model provenance, training data lineage, weight checksums, and dependency graphs. This maps directly to the Data Governance pillar and is the artifact we believe regulators will eventually require — the EU AI Act's transparency obligations effectively demand something like this.

The piece we think the ATF spec could formalize: a standard schema for AI-BOMs that governance frameworks can validate against. We have a working schema today; would be valuable to align it with what the CSA working group envisions.

3. Trust scoring quantification

The maturity model's qualitative promotion criteria (Intern → Junior → Senior → Principal) are the right abstraction. What we've added on the implementation side is a numeric trust scoring engine that feeds those promotion decisions:

• Composite score (0-100) based on weighted signals: task success rate, policy compliance, anomaly frequency, time-in-tier
• Automatic promotion/demotion thresholds with configurable hysteresis to prevent oscillation
• Trust decay over inactivity periods

Making this quantified methodology part of the spec would give organizations a concrete, auditable basis for autonomy decisions instead of subjective judgment calls. Happy to share our scoring algorithms and the reasoning behind the weight defaults.

On the conformance specification

The co-author invitation is genuinely compelling — our implementation experience across all 15 requirements is exactly the kind of input that keeps conformance criteria practical. We're very interested in this and would like to understand the scope and timeline better before formalizing involvement. Would a call to walk through what you're envisioning for the conformance spec be a good starting point?

On RSAC

I won't be at RSAC this year unfortunately — but I'd very much like to connect. Would you be open to a call the week after RSAC (March 30 week) once you're back? Happy to do a screen-share walkthrough of the toolkit's ATF coverage, the delegation chain implementation, and the trust scoring engine. That might be more productive than a conference hallway conversation anyway.

On the webinar recording

Thank you for sharing — I'll watch it this week and may have follow-up questions on the spec direction, particularly around how conformance testing intersects with the maturity model tiers.

---

Genuinely excited about this convergence. We built the implementation; you wrote the specification; the alignment is too natural to not formalize. Looking forward to connecting.

Imran Siddique
Principal Software Engineering Manager, Microsoft

[jman-msc]

Hi @imran-siddique,

This is exactly the kind of response I was hoping for. Technical depth, specific implementation details, and clear opinions on the design tradeoffs. That's what makes a conformance spec work.

A few things worth calling out:

Delegation chains

The full-chain vs. immediate-delegator visibility question is one of the harder design decisions in v0.2.0. I have opinions on when each mode is appropriate too. I'd rather hash that out on a call than in a thread. Your test vectors and implementation patterns would be a huge input.

AI-BOM schema

Regulators will ask for this first, and most orgs won't have a good answer. If you already have a working schema validated against the EU AI Act transparency requirements, that saves months. Let's align it with what the CSA working group is building.

Trust scoring

The hysteresis to prevent promotion/demotion oscillation is a detail that only shows up after you've run this in production. The ATF maturity model uses MUST/SHOULD/MAY per requirement at each level (Intern through Principal), but promotion criteria between levels are still qualitative. A numeric scoring methodology would close that gap. I want implementation experience driving the spec here, not theory.

On conformance

I've published the ATF Conformance Specification. Two tiers: ATF Compatible (self-attestation against all 25 requirements) and ATF Certified (third-party audit, 90 days production operation, additional operational controls). There's a maturity level matrix that maps each requirement to MUST/SHOULD/MAY at each level. Your toolkit covers all 25 requirements across the five elements. I want your read on whether the conformance criteria are practical from an implementer's seat. That's the blind spot a spec author can't test alone.

We've also launched agentictrustframework.ai as the home for the spec and verifiedagents.ai for assessment and scoring. Both go well past the original blog post. Worth a look before our call.

On timing: week of March 30 works. I'll be back from RSAC with fresh context. A screen-share walkthrough of your ATF coverage, delegation chains, and trust scoring engine is the right format. I'll follow up after RSAC to lock in a time.

Thanks,
-Josh

[imran-siddique]

Josh — excellent, this is moving fast in the right direction.

Conformance spec review

I read through CONFORMANCE.md. A few notes from the implementer's seat:

What works well:

• The two-tier model (Compatible vs Certified) is the right structure. Self-attestation as the entry ramp, third-party audit for production — that mirrors SOC 2 Type I vs Type II, which enterprises already understand.
• The 25-requirement matrix with MUST/SHOULD/MAY per maturity level gives implementers clear targets. Our toolkit maps against all 25 — I'll prepare a formal mapping table for our call.
• The 90-day production operation requirement for Certified is smart. It filters out paper compliance.

Feedback for consideration:

• Delegation chain verification (your v0.2.0 addition) should be a MUST at the Senior/Principal level. Without it, multi-agent systems can't prove authorization provenance. I'd argue it's the single biggest gap for enterprise adoption.
• AI-BOM should have a MUST requirement for the model identifier and training data hash at minimum. Full provenance is SHOULD. This aligns with EU AI Act Art. 13 technical documentation requirements.
• Trust score quantification: the conformance spec should define minimum scoring signals (task success rate, policy compliance, anomaly frequency) even if the weights are implementation-specific. Otherwise "trust scoring" becomes a checkbox without substance.

I'll bring a detailed requirement-by-requirement assessment to the call.

New sites

Checked out agentictrustframework.ai and verifiedagents.ai — significant upgrade from the GitHub-only presence. The assessment model on verifiedagents.ai is exactly what enterprises will ask for when evaluating agent platforms.

Call logistics

Week of March 30 works perfectly. I'll send a calendar invite — suggest 60 minutes for:

1. ATF conformance walkthrough (your side — 15 min)
2. AGT implementation demo (my side — 25 min): delegation chains, trust scoring engine, AI-BOM schema
3. Discussion: v0.2.0 spec additions + conformance criteria feedback (20 min)

What timezone works best for you?

Looking forward to it.
— Imran

[imran-siddique]

Quick update on logistics — my schedule is packed the next few weeks with upcoming OOF, so a live call may be hard to fit. Would you be open to doing this async instead?

I'm thinking: I'll prepare a detailed requirement-by-requirement conformance assessment as a document (our ATF coverage, delegation chain implementation details, trust scoring algorithms, AI-BOM schema) and share it here or as a PR against the ATF repo. You can review at your pace, leave comments, and we iterate on the doc. That way we both get the depth of a call without the scheduling overhead.

If there are specific design decisions that need real-time discussion (like the delegation chain visibility question), we can do a focused 30-min call just for those — but let's see if the doc gets us 90% there first.

Let me know if that works.