The Cloud Security Alliance published the Agentic Trust Framework (ATF) on February 2, 2026. It is the first governance specification that applies Zero Trust principles to autonomous AI agents with a structured maturity model. The framework was authored by Josh Woodruff (MassiveScale), Michelle Savage, and John Kindervag, who wrote the foreword. Kindervag is the original creator of Zero Trust.
A companion survey of 285 IT and security professionals, published by CSA and Strata Identity, provides the data behind the urgency: 84% of organizations cannot pass a compliance audit focused on agent behavior or access controls. Only 23% have a formal agent identity strategy. Only 18% are confident their current IAM can manage agent identities. The gap between agent deployment velocity and security readiness is widening.
This post walks through the framework, explains each trust element, and maps every recommendation to Oktsec features that ship today. This is the third independent validation of the Oktsec architecture, following the NIST NCCoE concept paper and the academic systematization from four universities.
Five questions that define agent security
ATF translates Zero Trust into five questions. Every security control in the framework exists to answer one of them:
| # | Trust Element | Question |
|---|---|---|
| 1 | Identity | Who is this agent? Who owns it? |
| 2 | Behavior | Is the agent doing what it claims? Can we prove it? |
| 3 | Data Governance | What data goes in? What comes out? Is PII protected? |
| 4 | Segmentation | Where can this agent go? What can it access? |
| 5 | Incident Response | What happens when the agent goes rogue? |
The layering is intentional. Identity is established before behavior is monitored. Data is validated before actions are taken. Incident response wraps all other components. Each element builds on the previous one, and the framework requires all five to be present before an agent can operate at any level.
Intern to Principal: earning autonomy
The most distinctive feature of ATF is its maturity model. Instead of binary trust (trusted or untrusted), agents progress through four levels using human role titles. The metaphor is deliberate: AI agents are "digital employees" who must earn greater responsibility through demonstrated competence.
Level 1: Intern
Read-only. The agent can access data, perform analysis, and generate insights. It cannot take any action that modifies external systems. All actions are logged, inputs are validated, and circuit breakers are active. Minimum two weeks at this level before promotion eligibility.
Level 2: Junior
Recommend with approval. The agent can propose specific actions with supporting reasoning, but every action requires explicit human approval before execution. Human-in-the-loop for all write operations. Minimum four weeks with greater than 95% recommendation acceptance rate before promotion.
Level 3: Senior
Execute with guardrails. The agent can execute actions within defined policy boundaries and notifies humans of what was done and why. Post-action notification replaces pre-action approval. Behavioral anomaly detection, PII protection, and role-based access control are required. Minimum eight weeks with zero critical incidents before promotion.
Level 4: Principal
Autonomous within domain. Full autonomous operation with maximum controls: continuous behavioral monitoring, real-time anomaly scoring, policy-as-code, and SOC integration. Any significant incident triggers automatic demotion to a lower level. This is the highest level of autonomy the framework permits, and it requires the highest level of governance.
Promotion between levels requires passing five gates: demonstrated accuracy and reliability, security audit at target level, measurable positive impact, clean operational history, and explicit stakeholder approval. No agent is promoted without human sign-off.
The survey data: enterprises are not ready
The CSA/Strata Identity survey paints a clear picture of the current state:
| Finding | Percentage |
|---|---|
| Cannot pass compliance audit on agent behavior/access controls | 84% |
| Have formal enterprise-wide agent identity strategy | 23% |
| Highly confident current IAM can manage agent identities | 18% |
| Maintain real-time agent registry/inventory | 21% |
| Can trace agent actions to a human across all environments | <28% |
| Currently have 1-100 agents deployed | 58% |
| Expect 101-500 agents within 12 months | 31% |
| Increasing identity/security budgets for AI agents | 40% |
The survey calls this the "time-to-trust" phase: organizations are scaling agent deployments faster than their identity and security frameworks can adapt. 58% already have agents deployed. 31% expect hundreds more within a year. And only 18% are confident they can manage agent identities with existing infrastructure.
This is the market context for ATF. The framework provides the governance vocabulary. The question is what implements it.
Mapping ATF to Oktsec: every element, every feature
Every trust element in ATF maps to a shipping Oktsec feature. This is not a roadmap. These are capabilities that exist today.
| ATF Element | ATF Requirement | Oktsec Implementation |
|---|---|---|
| Identity | Verified, auditable identity for every agent | Ed25519 key pairs with oktsec keygen. Every message signed. No message accepted without verified sender. |
| Behavior | Prove agent actions are legitimate | MCP Gateway applies 169 detection rules on every tool call. Anomaly detection flags behavioral drift. |
| Data Governance | Input validation and output governance | Content scanning on both requests (agent to tool) and responses (tool to agent). 19 credential leak rules. PII detection. |
| Segmentation | Least privilege and blast radius containment | Per-agent tool allowlists in YAML policies. Default-deny. Tool-level allow/deny per agent identity. |
| Incident Response | Circuit breakers, audit trail, containment | SARIF audit output. Rate limiting per agent. Deny rules. SQLite audit trail queryable under 6ms at 1M+ rows. |
Identity: Ed25519 cryptographic verification
ATF requires that every agent have an unforgeable identity. The framework recommends Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) for agent identity management.
Oktsec implements this with Ed25519 key pairs. Each agent generates a key pair at initialization. Every message is signed. Every signature is verified at the MCP Gateway before any tool call is processed. The identity is cryptographic, not session-based. It cannot be spoofed, shared, or escalated without access to the private key.
This directly addresses the survey finding that only 21% of organizations maintain a real-time agent registry. Oktsec's key registry provides the inventory. The MCP Gateway enforces the identity check on every call.
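The sign-at-the-agent, verify-at-the-gateway check described above, as an added Go example using the standard library's crypto/ed25519. This is not Oktsec's code: the post does not show its wire format, key-registry layout or CLI beyond `oktsec keygen`, so the `ToolCall` fields, the `Registry` type and the agent name are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// ToolCall is the payload an agent sends to the gateway. Field names are
// assumptions for this example; the page does not show Oktsec's wire format.
type ToolCall struct {
	AgentID string            `json:"agent_id"`
	Tool    string            `json:"tool"`
	Params  map[string]string `json:"params"`
	Nonce   string            `json:"nonce"`
}

// SignedCall carries the call together with its Ed25519 signature.
type SignedCall struct {
	Call      ToolCall
	Signature []byte
}

// Registry is the gateway's key inventory: agent identity -> public key.
// Only agents present here can ever have a call accepted.
type Registry map[string]ed25519.PublicKey

var (
	ErrUnknownAgent = errors.New("sender not in key registry")
	ErrBadSignature = errors.New("signature does not verify")
)

// canonical produces the exact bytes that are signed and later verified.
// encoding/json writes struct fields in declaration order and sorts map
// keys, so agent and gateway derive identical bytes from the same call.
func canonical(c ToolCall) ([]byte, error) {
	return json.Marshal(c)
}

// NewAgentKey generates an agent's long-lived identity key pair.
func NewAgentKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the agent side: no call leaves the agent without a signature.
func Sign(priv ed25519.PrivateKey, c ToolCall) (SignedCall, error) {
	msg, err := canonical(c)
	if err != nil {
		return SignedCall{}, err
	}
	return SignedCall{Call: c, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify is the gateway side: resolve the claimed sender in the registry,
// then check the signature over the canonical bytes. Any failure rejects
// the call before it reaches a tool, so a tampered or replayed-under-a-
// different-identity call never executes.
func (r Registry) Verify(s SignedCall) error {
	pub, ok := r[s.Call.AgentID]
	if !ok {
		return ErrUnknownAgent
	}
	msg, err := canonical(s.Call)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, s.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := NewAgentKey()
	reg := Registry{"billing-agent": pub} // constructed registry with one agent
	call := ToolCall{AgentID: "billing-agent", Tool: "invoices.get",
		Params: map[string]string{"id": "42"}, Nonce: "n-1"}
	signed, _ := Sign(priv, call)
	fmt.Println("valid call:", reg.Verify(signed))
	signed.Call.Tool = "invoices.delete" // tamper with the call after signing
	fmt.Println("tampered call:", reg.Verify(signed))
}
```

The identity is bound to the private key, not to a session: changing any byte of the call, or presenting it under another agent's name, fails verification, and a key pair that is not in the registry cannot speak for a registered agent.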
Behavior: 169 detection rules on every call
ATF's second element requires proving that the agent is doing what it claims. The framework describes behavioral monitoring as "AI watches AI for abnormal patterns."
The MCP Gateway's content scanning engine applies 169 detection rules to every tool call that passes through it. Prompt injection patterns, credential leak signatures, data exfiltration indicators, command execution attempts, SSRF probes, and MCP-specific attack patterns are all caught in real time. Anomaly detection identifies behavioral drift: an agent that suddenly starts accessing credential files or making requests to internal network addresses triggers alerts.
Data Governance: bidirectional content scanning
ATF asks two questions about data: "What are you eating?" (input validation) and "What are you serving?" (output governance). Both directions matter because agents both consume and produce data that flows to other agents and users.
The MCP Gateway scans content in both directions. Requests from agents to tools pass through the full detection pipeline. Responses from tools back to agents pass through the same pipeline in the opposite direction. This bidirectional scanning is what prevents the Viral Agent Loop: if a tool's response contains adversarial content, it is caught before reaching the requesting agent.
Segmentation: per-agent YAML policies
ATF requires blast radius containment. If one agent is compromised, the damage must be limited to that agent's authorized scope. The framework calls this segmentation and ties it directly to least-privilege operation.
Oktsec enforces segmentation through per-agent tool policies defined in YAML. Each agent identity has its own policy specifying which tools it can access and which are denied. The default is deny-all. Access is explicitly granted per tool, per agent. No semantic resolution, no embedding distance, no guessing. Either the tool is on the allowlist or the call is rejected.
This addresses ATF's concern about blast radius. A compromised agent with access to three specific tools can only affect those three tools. It cannot escalate to other tools, other agents, or other backends.
Incident Response: SARIF audit trail
ATF requires circuit breakers, kill switches, and recovery mechanisms. The fifth element is about what happens when things go wrong.
Oktsec's audit trail logs every interaction with full provenance: agent identity, tool invoked, parameters, content scan verdict, and timestamp. The output is SARIF format, machine-readable and integrable with CI/CD pipelines and SIEM systems. Rate limiting enforces circuit breaker behavior. Deny rules in YAML policies act as kill switches for specific tool access.
The survey found that less than 28% of organizations can trace agent actions to a human across all environments. Oktsec's audit trail provides this traceability. Every action is tied to a cryptographic agent identity. Every identity is tied to a key pair. Every key pair has a known owner.
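Two of the incident-response mechanisms above, a rate limit acting as a circuit breaker and an audit record rendered as SARIF, as an added Go example. It is not Oktsec's code: the post names the record fields (agent identity, tool, parameters, verdict, timestamp) and the SARIF format but not Oktsec's schema, so the `Verdict` struct, the fixed-window `Breaker`, the rule ids and the driver name are assumptions; the SARIF field names are those of SARIF 2.1.0.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Verdict is one audit record, carrying the provenance fields the post lists.
type Verdict struct {
	AgentID   string
	Tool      string
	Params    map[string]string
	Allowed   bool
	Reason    string // constructed rule ids: "ok" or "rate_limit"
	Timestamp time.Time
}

// Breaker is a fixed-window, per-agent rate limiter. Once an agent spends
// its budget inside a window, further calls are refused until the window
// rolls over, which bounds how much damage a runaway agent can do.
type Breaker struct {
	Limit  int
	Window time.Duration
	counts map[string]int
	starts map[string]time.Time
}

func NewBreaker(limit int, window time.Duration) *Breaker {
	return &Breaker{Limit: limit, Window: window,
		counts: map[string]int{}, starts: map[string]time.Time{}}
}

// Allow reports whether agent may make one more call at time now.
func (b *Breaker) Allow(agent string, now time.Time) bool {
	start, ok := b.starts[agent]
	if !ok || now.Sub(start) >= b.Window {
		b.starts[agent] = now // start a fresh window
		b.counts[agent] = 0
	}
	if b.counts[agent] >= b.Limit {
		return false
	}
	b.counts[agent]++
	return true
}

// Gate runs one call through the breaker and records the verdict. Content
// scanning is out of scope here and not simulated.
func Gate(b *Breaker, agent, tool string, params map[string]string, now time.Time) Verdict {
	v := Verdict{AgentID: agent, Tool: tool, Params: params, Timestamp: now, Allowed: true, Reason: "ok"}
	if !b.Allow(agent, now) {
		v.Allowed, v.Reason = false, "rate_limit"
	}
	return v
}

// SARIF 2.1.0 shapes, trimmed to the fields this example populates.
type sarifLog struct {
	Version string     `json:"version"`
	Schema  string     `json:"$schema"`
	Runs    []sarifRun `json:"runs"`
}
type sarifRun struct {
	Tool    sarifTool     `json:"tool"`
	Results []sarifResult `json:"results"`
}
type sarifTool struct{ Driver sarifDriver `json:"driver"` }
type sarifDriver struct{ Name string `json:"name"` }
type sarifMessage struct{ Text string `json:"text"` }
type sarifResult struct {
	RuleID     string            `json:"ruleId"`
	Level      string            `json:"level"` // SARIF levels: none, note, warning, error
	Message    sarifMessage      `json:"message"`
	Properties map[string]string `json:"properties"` // SARIF property bag for provenance
}

// ToSARIF renders verdicts as one SARIF run: allowed calls are "note",
// refused calls are "error", and provenance travels in the property bag
// so a SIEM can pivot on agent, tool and time.
func ToSARIF(driver string, vs []Verdict) ([]byte, error) {
	results := make([]sarifResult, 0, len(vs))
	for _, v := range vs {
		level := "note"
		if !v.Allowed {
			level = "error"
		}
		params, _ := json.Marshal(v.Params)
		results = append(results, sarifResult{
			RuleID:  v.Reason,
			Level:   level,
			Message: sarifMessage{Text: fmt.Sprintf("agent %s called %s: %s", v.AgentID, v.Tool, v.Reason)},
			Properties: map[string]string{"agentId": v.AgentID, "tool": v.Tool,
				"params": string(params), "timestamp": v.Timestamp.UTC().Format(time.RFC3339)},
		})
	}
	log := sarifLog{Version: "2.1.0", Schema: "https://json.schemastore.org/sarif-2.1.0.json",
		Runs: []sarifRun{{Tool: sarifTool{Driver: sarifDriver{Name: driver}}, Results: results}}}
	return json.MarshalIndent(log, "", "  ")
}

func main() {
	b := NewBreaker(3, time.Minute) // constructed budget: 3 calls per minute
	t0 := time.Date(2026, 2, 2, 12, 0, 0, 0, time.UTC)
	var vs []Verdict
	for i := 0; i < 5; i++ { // the 4th and 5th calls trip the breaker
		vs = append(vs, Gate(b, "report-agent", "files.read", map[string]string{"path": "q1.csv"}, t0.Add(time.Duration(i)*time.Second)))
	}
	out, _ := ToSARIF("example-gateway", vs)
	fmt.Println(string(out))
}
```

Because every result carries the agent identity from the gateway's verification step, each SARIF entry is traceable to a registered key pair and therefore to its owner, which is the chain of custody the survey finding above is about.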
ATF maturity levels and Oktsec policy enforcement
ATF's Intern-to-Principal progression maps directly to how Oktsec policies can be configured per agent:
| ATF Level | Autonomy | Oktsec Policy |
|---|---|---|
| Intern | Read-only | Allow only read tools (list, get, search). Deny all write operations. Full audit logging. |
| Junior | Recommend with approval | Allow read tools plus recommendation endpoints. Approval workflow gated externally. |
| Senior | Execute with guardrails | Allow specific write tools with content scanning. Post-action audit trail. Anomaly detection active. |
| Principal | Autonomous within domain | Broader tool access within defined domain. All 169 rules active. Rate limiting. SARIF output. Full provenance chain. |
The key insight is that ATF's maturity model is not just a governance concept. It is an operational pattern that maps to concrete policy configurations. An organization can start every new agent at Intern level with restrictive policies and progressively expand access as the agent demonstrates reliability. The MCP Gateway enforces these policies on every call without any changes to the agent's code or the MCP server's implementation.
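The default-deny, exact-match allowlist from the Segmentation section combined with the maturity-level rows in the table above, as an added Go example. It is not Oktsec's code and the post does not show Oktsec's YAML schema, so the `Policy` struct stands in for one agent's policy file; the convention that tool names look like `<resource>.<verb>` and the verb lists for read and recommendation tools are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Level is an ATF maturity level; ordering matters for the checks below.
type Level int

const (
	Intern Level = iota + 1
	Junior
	Senior
	Principal
)

func (l Level) String() string {
	switch l {
	case Intern:
		return "Intern"
	case Junior:
		return "Junior"
	case Senior:
		return "Senior"
	case Principal:
		return "Principal"
	}
	return "unknown"
}

// Policy is a hypothetical stand-in for one agent's policy file.
type Policy struct {
	Agent string
	Level Level
	Allow []string // exact tool names explicitly granted
	Deny  []string // exact tool names refused even if allowlisted (kill switch)
}

// Assumed naming convention: "<resource>.<verb>", e.g. "invoices.get".
var (
	readVerbs      = []string{"list", "get", "search"}
	recommendVerbs = []string{"recommend", "propose"}
)

func verbOf(tool string) string {
	if i := strings.LastIndex(tool, "."); i >= 0 {
		return tool[i+1:]
	}
	return tool
}

func contains(set []string, s string) bool {
	for _, x := range set {
		if x == s {
			return true
		}
	}
	return false
}

// levelPermits applies the maturity ceiling before the allowlist is even
// consulted: Intern is read-only; Junior adds recommendation endpoints
// (the human approval step itself runs outside the gateway); Senior and
// Principal may execute any verb their allowlist grants.
func levelPermits(l Level, tool string) bool {
	v := verbOf(tool)
	switch {
	case l >= Senior:
		return true
	case l == Junior:
		return contains(readVerbs, v) || contains(recommendVerbs, v)
	default:
		return contains(readVerbs, v)
	}
}

// Decide evaluates one call. Explicit deny wins, then the level ceiling,
// then an exact allowlist match; anything else falls through to the
// default, which is deny. There is no pattern or semantic matching.
func Decide(p Policy, tool string) (bool, string) {
	if contains(p.Deny, tool) {
		return false, "explicit deny"
	}
	if !levelPermits(p.Level, tool) {
		return false, fmt.Sprintf("%s level may not execute %s", p.Level, tool)
	}
	if contains(p.Allow, tool) {
		return true, "allowlisted"
	}
	return false, "default deny"
}

func main() {
	// Constructed policies: the same agent at two points in its progression.
	intern := Policy{Agent: "ar-agent", Level: Intern, Allow: []string{"invoices.get", "invoices.list"}}
	senior := Policy{Agent: "ar-agent", Level: Senior,
		Allow: []string{"invoices.get", "invoices.list", "invoices.update"}, Deny: []string{"payments.send"}}
	for _, tool := range []string{"invoices.get", "invoices.update", "payments.send", "ledger.search"} {
		ok, why := Decide(senior, tool)
		fmt.Printf("%-16s %-8s %v (%s)\n", tool, senior.Level, ok, why)
	}
	ok, why := Decide(intern, "invoices.update")
	fmt.Printf("%-16s %-8s %v (%s)\n", "invoices.update", intern.Level, ok, why)
}
```

Promotion is then a policy change, not a code change: the agent's `Level` moves up and its `Allow` list grows, while the evaluation order (deny, level ceiling, exact allowlist, default deny) stays fixed, so a compromised agent can reach only the tools its current policy names.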
Three frameworks, one architecture
In February 2026 alone, three independent frameworks converged on the same architectural requirements for AI agent security:
| Dimension | NIST NCCoE | Academic Paper (arXiv) | CSA ATF |
|---|---|---|---|
| Focus | Identity and authorization standards | Threat model and defense architecture | Governance and operational controls |
| Core requirement | Agent identity verification | Cryptographic capability binding | Unforgeable agent credentials |
| Access control | Fine-grained authorization | Per-agent tool allowlists | Least privilege via segmentation |
| Monitoring | Full audit trail | Runtime content scanning | Behavioral monitoring |
| Maturity model | Not specified | Not specified | Intern to Principal |
| Status | Public comment (closes Apr 2) | Published, peer-reviewed | Published, CC BY 4.0 |
All three arrive at the same conclusion: AI agents require cryptographic identity, deterministic access control, runtime content scanning, and complete audit trails. NIST approaches it from standards. The academic paper approaches it from threat modeling. CSA approaches it from governance. Oktsec implements all three.
ATF and the OWASP Agentic Top 10
ATF explicitly aligns with the OWASP Top 10 for Agentic Applications. Every OWASP risk maps to at least one ATF trust element:
| OWASP Risk | ATF Coverage |
|---|---|
| ASI01: Goal Hijack | Data Governance (input validation), Behavior |
| ASI02: Tool Misuse | Segmentation (tool governance), Behavior |
| ASI03: Identity & Privilege Abuse | Identity (verified credentials) |
| ASI04: Supply Chain | Data Governance (input validation at ingress) |
| ASI05: Code Execution | Segmentation (sandboxing), Incident Response |
| ASI06: Memory Poisoning | Data Governance (output filtering) |
| ASI07: Inter-Agent Comms | Identity (mutual verification) |
| ASI08: Cascading Failures | Incident Response (circuit breakers) |
| ASI09: Trust Exploitation | Maturity levels (human oversight gates) |
| ASI10: Rogue Agents | Incident Response (containment, demotion) |
When combined with Oktsec's coverage of 7 out of 10 OWASP Agentic risks through shipping features, organizations get defense across both the governance layer (ATF) and the technical enforcement layer (Oktsec). The framework provides the vocabulary and the compliance structure. Oktsec provides the implementation.
What this means for security teams
If you are evaluating AI agent security, ATF gives you a governance framework with clear maturity levels, measurable promotion criteria, and a shared vocabulary for discussing agent risk with boards and auditors. Here is how to use it:
- Classify your agents by maturity level. Most should start at Intern (read-only) or Junior (recommend with approval). Few should operate at Principal level. If any of your agents have unrestricted tool access without identity verification, they are operating above their earned trust level.
- Implement the five trust elements. Identity, behavior monitoring, data governance, segmentation, and incident response. All five are required at every level. The controls scale with maturity, but none are optional.
- Use the survey data to make the case. 84% of organizations cannot pass an agent compliance audit. If your organization deploys agents without identity verification, tool-level access control, and audit trails, you are in that 84%.
- Deploy enforcement infrastructure. ATF is a governance framework. It tells you what controls to implement. Oktsec is the implementation: Ed25519 identity, per-agent YAML policies, 169 detection rules, SARIF audit output. One binary, deployed as a proxy between agents and tools.
The framework is published under CC BY 4.0 with a reference implementation on GitHub. The companion book, Agentic AI + Zero Trust: A Guide for Business Leaders, provides the theoretical foundation.
Three independent frameworks in one month. NIST, academia, and CSA converge on the same requirements: cryptographic identity, deterministic access control, runtime scanning, and full audit trail. Oktsec implements all of them today.
ATF provides the governance vocabulary. NIST provides the standards context. The academic paper provides the threat model. Oktsec provides the implementation. Together, they define what agent security looks like for the enterprises that will deploy hundreds of agents in the next twelve months.
If you are building agents for payment systems, healthcare data flows, or any environment where every interaction needs identity, traceability, and a complete audit log: I want to hear about your use case.
Let’s talk agent security governance
Three independent frameworks validate the architecture. The implementation is open source and shipping today.