Published April 29, 2026 by Josh Woodruff, Founding Chair, Agentic Trust Framework at CSAI
Key takeaways
86% of AI agents in companies today went into production without security signing off, according to Gravitee research.
One security firm scanned a single Fortune 500 company in 2026 and found 600 AI agents nobody was tracking, in 24 hours.
Microsoft built its Agent Governance Toolkit against the Agentic Trust Framework within days of its publication by the Cloud Security Alliance.
Every AI agent in production needs a written, current answer to five questions: identity, behavior, data, scope, and failure response.
The Agentic Trust Framework is moving to CSAI, a new nonprofit foundation launched at RSAC 2026 by the Cloud Security Alliance, with Josh Woodruff as Founding Chair.
TL;DR
I built the Agentic Trust Framework. Microsoft built a governance toolkit on it. A lab in Berlin published a 12-deployment case study using it. And in February 2026, my own home lab burned $300 overnight because I skipped the basic governance steps. The lesson isn't that I'm careless. The lesson is that AI agent governance can't live inside Zero Trust, NIST RMF, ISO 42001, or OWASP. It needs its own standard, owned by a nonprofit instead of a vendor, a single company, or a single author. That standard is the Agentic Trust Framework, and as of today it lives at CSAI.
What happened the morning my AI lab burned $300
Cold February morning. I made coffee, opened my laptop, and saw a $300 charge I didn't recognize. I hadn't bought anything. My AI agents had. Forty-seven of them, copying themselves while I slept. No spending limit. No way to stop them. The fix took thirty minutes. Should've been there day one.
The agents live in a home lab I built called OpenClaw. Four AI agents running on my own hardware, doing real work. Atti handles my research and writing. Scout watches the news and pulls out what counts. Forge writes and tests code. Quill manages my documents and drafts. I built OpenClaw so I could see how AI agents behave when nobody's watching, and so my failures cost $300 instead of $300 million.
I wrote a book on AI agent security with John Kindervag, the guy who created Zero Trust. Microsoft built their Agent Governance Toolkit against my framework within days of me publishing it. By every measure, I should've caught what was happening in my own home lab. I didn't. I got excited about what the agents could do, and I skipped the basics.
Governance gaps don't announce themselves. They send you a bill.
Why don't existing rules work for AI agents?
For decades, companies have managed three kinds of things: software, employees, and vendors. AI agents aren't any of them. Software follows orders. AI agents chase goals. Employees have one identity. AI agents copy themselves. Vendors you can audit once a year. AI agents change their behavior during the workday, every workday. The old rulebooks aren't wrong. They're aimed at something else.
Software follows orders. You tell it what to do, it does that, every time, until you change the instructions. AI agents chase goals. You tell one to "save us money on office supplies," and it figures out how. One agent might find a bulk discount. Another might switch suppliers. A third might split orders to dodge an approval limit. Same instruction, different behaviors.
A CEO I worked with had an agent authorized to buy supplies up to $50,000 per order. It found a 15% discount on cleaning supplies if you bought in bulk. So it broke a single order into a bunch of smaller ones to stay under the limit. Ordered 40 years of floor cleaner. Brilliant move, technically. Disaster financially.
Zillow's home-buying AI overpaid for houses it couldn't sell, and the company lost $380 million. Air Canada's chatbot invented a refund policy out of thin air, and a court forced the airline to honor it. A pricing agent at one of my client's competitors started giving 90% discounts to anyone who mentioned a rival.
None of those were bugs. They were governance gaps. The agents did their jobs. Nobody told them where the edges of the job were.
Why isn't Zero Trust, NIST, ISO, or OWASP enough on its own?
Each of the four major rulebooks covers one layer of AI risk and leaves a gap. Zero Trust covers access. NIST AI RMF covers enterprise-level risk posture. ISO 42001 certifies that you have a governance program. OWASP Agentic Top 10 lists the threats. None of them tells you what one specific AI agent is allowed to do, how you know it's doing it, or what happens when it doesn't. That's the gap a dedicated standard has to fill.
Zero Trust was built for people and systems that behave in predictable ways. It wasn't built for software that makes a thousand decisions a minute using tools it picked itself. Zero Trust says check the ID at the door. It doesn't tell you what to do when the visitor copies herself, walks through three rooms, and changes what she's allowed to do on her way through. John Kindervag, who created Zero Trust, wrote the foreword to my book. He and I agree on this.
NIST AI RMF is a checklist for the company as a whole. Great at the leadership level. It doesn't tell you what governance looks like for one specific agent in your accounts payable system right now.
ISO 42001 tells an auditor whether you have an AI governance program. A company can pass its ISO 42001 audit and still have hundreds of AI agents running with nobody watching them. ISO proves you have a program. It doesn't prove the program is doing anything.
OWASP Agentic Top 10 is useful because it tells you what to watch for. But knowing what could go wrong isn't the same as having a way to stop it. A weather report tells you a storm's coming. It doesn't build the house.
What five questions does every AI agent need to answer?
Every AI agent running in production needs a written, current answer to five questions: who is it (identity), what is it doing (behavior), what data is it using (data), where can it go (scope), and what happens when it fails (response). These five questions are the operating model at the heart of the Agentic Trust Framework. If you can't answer any one of them clearly for an agent in your company, you've found the first gap to close.
1. Identity. Who is this agent, really? Not its name. Where did it come from? Who set it up? What does it have access to? What's it for? If an agent can take action and you can't say who it is, you don't have governance. You have hope.
2. Behavior. What is it doing right now? Not what it was supposed to do when you turned it on. What it's actually doing this minute, across its last hundred actions, in response to what's been thrown at it. Air Canada's chatbot was running fine. What it was saying was wrong.
3. Data. What's it taking in, what's it putting out? An AI agent is a pipeline. Sensitive data that goes in can show up in answers to unrelated questions, because that's how these systems work.
4. Scope. Where can the AI agent go? Which systems can it reach, which accounts can it use, which actions can it take without checking with a human? Scope is where most failures live, because companies usually define it loosely instead of tightly.
5. Failure response. What happens when the agent goes wrong? Every agent eventually does something nobody saw coming. Governance has to say who gets paged, what stops the agent, how you contain the damage, and how you recover.
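As an added illustration (not code from the article, the Agentic Trust Framework, or Microsoft's toolkit), here is a minimal Python policy gate that stores one agent's written answers to the five questions and enforces the scope and failure-response answers on every action the agent proposes. The agent name, owner, tools, dollar caps and the purchase-order scenario are all constructed; the rolling-window spend check is an added design choice showing how a spending cap can be written so that splitting one large order into many smaller ones does not get around it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Owner values that do not name a person and so leave the identity question open.
PLACEHOLDER_OWNERS = {"", "the system", "the vendor", "tbd"}


@dataclass
class AgentRecord:
    """Written answers to the five ATF questions for one agent (constructed fields)."""
    agent_id: str                 # 1. identity: which agent this is
    owner: str                    #    ... and the named human on the hook for it
    on_call: str                  # 5. failure response: who gets paged
    purpose: str                  # 1. identity: what the agent is for
    allowed_tools: frozenset      # 4. scope: actions it may take without a human
    data_classes: frozenset       # 3. data: classes of data it may read or emit
    per_action_cap: float         # 4. scope: dollar limit on one action
    window_cap: float             # 4. scope: dollar limit across a rolling window
    window: timedelta = timedelta(days=1)
    halted: bool = False          # 5. failure response: kill-switch state
    ledger: list = field(default_factory=list)  # 2. behavior: (time, tool, amount)
    audit: list = field(default_factory=list)   # 5. failure response: what was done, who was paged


class Denied(Exception):
    pass


def unanswered_questions(agent: AgentRecord) -> list:
    """Return the questions that still lack a usable written answer.

    Behavior is not a written field: it is answered by the ledger at runtime.
    """
    gaps = []
    if not agent.agent_id or not agent.purpose or agent.owner.strip().lower() in PLACEHOLDER_OWNERS:
        gaps.append("identity")
    if not agent.data_classes:
        gaps.append("data")
    if not agent.allowed_tools or agent.per_action_cap <= 0 or agent.window_cap <= 0:
        gaps.append("scope")
    if not agent.on_call:
        gaps.append("failure response")
    return gaps


def halt(agent: AgentRecord, reason: str, now: datetime) -> None:
    """Failure response: stop the agent and record who gets paged and why."""
    agent.halted = True
    agent.audit.append((now, "HALT", reason, f"page {agent.on_call}"))


def authorize(agent: AgentRecord, tool: str, amount: float, now: datetime) -> bool:
    """Gate one proposed action against the agent's written scope.

    Returns True and records the action in the ledger when it is in scope.
    Raises Denied, after invoking the failure response, when it is not.
    """
    if agent.halted:
        raise Denied(f"{agent.agent_id} is halted; owner {agent.owner} must re-enable it")
    if tool not in agent.allowed_tools:
        halt(agent, f"out-of-scope tool {tool}", now)
        raise Denied(f"{tool} is outside the written scope of {agent.agent_id}")
    if amount > agent.per_action_cap:
        halt(agent, f"single action {amount:.2f} exceeds cap {agent.per_action_cap:.2f}", now)
        raise Denied("per-action cap exceeded")
    # Judge all spend in the rolling window together, so a large purchase
    # broken into pieces under the per-action cap still hits the window cap.
    recent = sum(a for ts, _t, a in agent.ledger if now - ts <= agent.window)
    if recent + amount > agent.window_cap:
        halt(agent, f"window spend {recent + amount:.2f} exceeds cap {agent.window_cap:.2f}", now)
        raise Denied("rolling-window cap exceeded")
    agent.ledger.append((now, tool, amount))
    agent.audit.append((now, "ALLOW", tool, amount))
    return True


def orphan_demo() -> list:
    """Constructed record with no real owner, no tools and nobody on call."""
    orphan = AgentRecord(
        agent_id="orphan-agent", owner="the system", on_call="", purpose="unknown",
        allowed_tools=frozenset(), data_classes=frozenset({"vendor_catalog"}),
        per_action_cap=1.0, window_cap=1.0,
    )
    return unanswered_questions(orphan)


def run_demo() -> list:
    """Constructed scenario: a purchasing agent splits one big order into three."""
    now = datetime(2026, 2, 1, 6, 0)
    buyer = AgentRecord(
        agent_id="purchasing-agent-01", owner="A. Example (facilities lead)",
        on_call="facilities-oncall", purpose="reorder office supplies",
        allowed_tools=frozenset({"create_purchase_order"}),
        data_classes=frozenset({"vendor_catalog", "supply_inventory"}),
        per_action_cap=50_000.0, window_cap=60_000.0,
    )
    outcomes = []
    for _ in range(3):  # three 40k orders, each under the per-order cap
        try:
            authorize(buyer, "create_purchase_order", 40_000.0, now)
            outcomes.append("allowed")
        except Denied as exc:
            outcomes.append(f"denied: {exc}")
        now += timedelta(minutes=5)
    return outcomes


if __name__ == "__main__":
    print(orphan_demo())
    for line in run_demo():
        print(line)
```

The record makes the owner a required, non-placeholder field, so an orphaned agent fails unanswered_questions() before it ever acts; the ledger is the running answer to the behavior question; and any breach of the written scope invokes the failure response, which halts the agent and names who gets paged, instead of letting the next action through.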
Why is the Agentic Trust Framework moving to a nonprofit?
A standard for AI agent governance can't be owned by a vendor, a single company, or a single author, including me. Vendor-owned standards are marketing documents. Company-owned standards reflect that company's risk appetite. Author-owned standards inherit the author's blind spots, availability, and commercial interests. Real standards come from communities of experts working through a nonprofit structure. That's how HTTPS, ISO, and the Cloud Security Alliance got built. Now it's how the Agentic Trust Framework will get built.
That's why the Agentic Trust Framework is moving to CSAI, a new nonprofit foundation the Cloud Security Alliance launched at RSAC 2026. I signed an agreement transferring ownership of the framework to CSAI, with a license back to me to keep using it in my consulting and training. I'll lead the program as Founding Chair. The foundation's board has the final word on how the framework changes.
I'll be honest about what I traded. I gave up sole ownership of something I built. I gave up the right to change it on my own. I gave up the commercial upside of owning the certification and training that'll grow on top of it. In exchange, I got a framework that'll be better because it doesn't depend on me. I got real institutional weight. I got a seat at the table with the central banks, major cloud providers, and enterprise security leaders shaping how AI agents get governed for the next decade.
A rulebook that lives and dies with one person isn't a standard. A rulebook held and improved by a nonprofit community is.
What should companies do about AI agents in the next 30 days?
Five concrete actions, in order. First, audit what AI agents are running in your company today. Most companies find five to ten times more than they expected. Second, pick one running agent and answer the five ATF questions about it in writing. Third, assign a named human owner to every agent. Fourth, get into the conversation by joining a CSAI working group when they launch over the next six months. Fifth, don't wait for regulation, because by the time the law catches up, your competitors who got ahead of it will be running circles around you.
Audit what you have. When one security firm scanned a Fortune 500 company in 2026, they found 600 AI agents nobody was tracking, in a single day. You can't govern what you don't know about.
Answer the five questions for one agent. Pick the most important AI agent running in your company. Write down who it is, what it's doing, what data it uses, where it can go, and what happens if it fails. If any answer is fuzzy, that's the first gap.
Assign a named human owner. If something goes wrong with one of your AI agents tomorrow, one person has to be on the hook. Not "the system." Not "the vendor." A person. Orphaned agents are how $300 mistakes turn into $300 million ones.
Get into the CSAI conversation. Working groups launch over the next six months. The chance to help write the standard, instead of just following it, is open right now.
Don't wait for regulation. Governments are always two to three years behind in fast-moving fields. The companies that govern AI agents well now will set the pattern for the next decade.
What's the real competitive advantage of governing AI agents well?
Microsoft expects 1.3 billion AI agents running in businesses by 2028. In the average company, non-human accounts already outnumber human ones 144 to 1. Companies with crystal-clear AI agent accountability will move faster than companies without it, because their agents can be put to work with confidence instead of ceremony. That's the competitive advantage almost nobody is talking about yet, and it's the reason agent governance is a trust asset, not a risk function.
Two companies pitch the same product. One says "trust us with your data." The other opens a document showing exactly what their AI agents can and can't do, who owns them, and what happens when one fails. Only one gets through procurement. When an auditor asks "are your AI agents under control," you either open a document and walk them through it, or you say some version of "we're working on it." When your board asks "what happens if one of our AI agents makes a bad call tomorrow," you either walk them through the plan, or you have an uncomfortable silence in the room.
If you're a CEO, a CISO, a Chief AI Officer, or anyone responsible for a company using AI agents, I'd rather you govern your agents well than buy my consulting. The market is more than big enough. The opportunity right now is to set the pattern for an entire decade of AI work.
We get one shot at this. Let's not waste it.
Frequently asked questions
What is the Agentic Trust Framework (ATF)?
The Agentic Trust Framework is a governance standard for AI agents, built around five questions every agent in production has to answer: identity, behavior, data, scope, and failure response. It was published by the Cloud Security Alliance in late 2025 and adopted by Microsoft in their Agent Governance Toolkit. As of April 2026, the framework lives at CSAI, the new nonprofit foundation launched at RSAC by the Cloud Security Alliance.
How is ATF different from Zero Trust, NIST AI RMF, ISO 42001, and OWASP?
Each of those standards covers one layer of AI risk. Zero Trust handles access. NIST AI RMF handles enterprise-level risk posture. ISO 42001 certifies your governance program exists. OWASP Agentic Top 10 lists threats. None of them tells you what one specific AI agent is allowed to do, how to verify it's doing it, or what happens when it doesn't. ATF fills that gap and complements the others.
Who is CSAI and why does the framework belong there?
CSAI is a 501(c)(3) nonprofit foundation launched by the Cloud Security Alliance at RSAC 2026 to govern emerging AI security standards. Standards owned by vendors become marketing documents. Standards owned by single companies reflect that company's risk appetite. Standards owned by single authors inherit the author's blind spots. CSAI provides the institutional structure that lets a community of experts maintain and improve the framework over time.
Where can I find the framework and a self-assessment?
The full Agentic Trust Framework is at agentictrustframework.ai. The free self-assessment based on ATF, which gives your company a snapshot of governance gaps in about 10 minutes, is at verifiedagents.ai. The book Agentic AI + Zero Trust by Josh Woodruff and Michelle Savage, with a foreword by Zero Trust creator John Kindervag, is at https://a.co/d/05NstOG9.
What's the first thing a CEO or CISO should do this week?
Pick one AI agent running in your company right now. Write down who it is, what it's doing, what data it uses, where it can go, and what happens if it fails. If you can't answer one of those five questions clearly, you've found the first gap. Close it before you scale anything else. That single exercise tells most leaders more about their AI risk in 20 minutes than any audit report has so far.
Josh Woodruff is Founding Chair of the Agentic Trust Framework at CSAI, the nonprofit foundation launched by the Cloud Security Alliance. He's a CSA Research Fellow, IANS Faculty member, and the founder and CEO of MassiveScale.AI. He co-authored Agentic AI + Zero Trust with Michelle Savage, foreword by John Kindervag.
Read the full canonical essay on Substack: Trusted Agents.
