The framework

The five questions every AI agent has to answer.

The Agentic Trust Framework is the open governance spec for AI agents. Published through the Cloud Security Alliance. Licensed CC BY 4.0. Vendor-neutral, by design.

How we know it works

February 2026
CSA published the spec.
The Cloud Security Alliance made ATF an official open spec. It's the standards body the industry already trusts for Zero Trust (never trust, always verify) and cloud security.
7 days later
Berlin AI Labs moved first.
Seven days after we published, Berlin AI Labs was already mapping VERA to every ATF requirement, all five elements. They call it built on ATF principles. Unprompted.
30 days later
Microsoft's toolkit conforms to ATF.
Microsoft's Agent Governance Toolkit filed a formal ATF conformance assessment, 25 of 25 requirements, exactly 30 days after we published. Nobody asked them to.
RSAC 2026
Every major keynote landed on the same five.
Independent speakers at the year's biggest security conference described ATF's five requirements without naming it. The five questions are the consensus.

Standards usually take years to get adopted. This one took days.

Read the five questions

01
Who are you?
Unknown
02
What are you doing?
Unknown
03
What are you eating and serving?
Unknown
04
Where can you go?
Unknown
05
What if you go rogue?
Unknown

Each question gets its own section below.

01 · Identity

Who are you?

Every agent has its own identity, the same way every employee does. Not borrowed. Not anonymous. You know exactly which agent did what.

What failure looks like

97% of AI-related breaches lacked basic access controls. When agents share a service account, there is no trail and no accountability.

Source: IBM Cost of a Data Breach 2025

What governed looks like

Every agent has a credential that expires, scope it inherits, and a log that names it on every action. The auditor can answer "which agent did this" in one minute.

02 · Behavioral monitoring

What are you doing?

You know what normal looks like for this agent. So when something isn't normal, you notice. At 2 a.m. too.

What failure looks like

86% of AI agents ship without security approval. They run unmonitored next to your production data, and the first time anyone looks is after something goes wrong.

Source: Gravitee, Feb 2026

What governed looks like

Behavior baselines per agent, alerts on drift, and a human in the loop on anything that crosses the line you set.

03 · Data governance

What are you eating and serving?

You control what data goes into the agent. You control what comes out. You know where the model saw it and where it sent it.

What failure looks like

Shadow AI breaches added $670K on top of an already-bad breach in 2025. Most of it is data the agent should never have touched.

Source: IBM Cost of a Data Breach 2025

What governed looks like

Inputs classified before the agent reads them. Outputs filtered before they leave. Every prompt and response retained per your policy, not the vendor’s.

04 · Segmentation

Where can you go?

Agents reach only the systems they need to do their job. One compromised agent can't roam the building.

What failure looks like

An agent given full API access "to make integration easier" is one prompt injection away from your customer database. This is how lateral movement happens at machine speed.

Source: Pattern from our incident reviews

What governed looks like

Least-privilege per agent. Network segments around the agent runtime. Outbound calls go through a broker that enforces what the agent can and cannot reach.

05 · Incident response

What if you go rogue?

You can stop one agent without stopping the business. In minutes, not meetings.

What failure looks like

Gartner predicts 40% of agentic AI projects will get cancelled by 2027 because organisations can't answer this one. Risk controls are the gate.

Source: Gartner

What governed looks like

A kill switch per agent. A documented rollback. A runbook your on-call has actually rehearsed.

Where this fits

ATF bridges. It doesn't compete.

The other frameworks say what or whether. ATF says how.

NIST AI RMF

What it gives you: A risk-management process for AI
What ATF adds: The five technical controls to put inside that process

ISO 42001

What it gives you: An AI management system standard
What ATF adds: What good agent governance looks like in practice

OWASP for AI

What it gives you: A taxonomy of AI security risks
What ATF adds: Five operating questions that map to those risks

MAESTRO / AEGIS

What it gives you: Threat models and assurance patterns
What ATF adds: A governance spec your teams can implement on Monday

Framework	What it gives you	What ATF adds
NIST AI RMF	A risk-management process for AI	The five technical controls to put inside that process
ISO 42001	An AI management system standard	What good agent governance looks like in practice
OWASP for AI	A taxonomy of AI security risks	Five operating questions that map to those risks
MAESTRO / AEGIS	Threat models and assurance patterns	A governance spec your teams can implement on Monday

See where you stand against the five.

The free assessment takes 10 minutes. You'll get a score per question and a plain plan for the gaps.

Take the free assessment Read the spec on agentictrustframework.ai

Prefer a conversation? Book a strategy call.

CSA published the spec.

Berlin AI Labs moved first.

Microsoft's toolkit conforms to ATF.

Every major keynote landed on the same five.

Who are you?

What are you doing?

What are you eating and serving?

Where can you go?

What if you go rogue?

ATF bridges. It doesn't compete.

See where you stand against the five.