White Paper | 2026-03-27 | Status: draft
CSAI Master Framework Alignment Matrix
Executive Summary
The Cloud Security Alliance AI Safety Initiative has, since its founding, operated at the intersection of practitioner urgency and standards rigor. The 2026 CSAI program reflects a significant maturation of that mission: where earlier years produced foundational research on AI risk, the current portfolio delivers an integrated system of 27 discrete deliverables designed to secure, govern, audit, and educate across the full lifecycle of agentic AI deployment. That integration, however, creates a navigation challenge. A CISO seeking to implement controls against OWASP ASI Top 10 risks must understand which CSAI deliverables address which risk categories. An auditor preparing for STAR for AI Level 2 certification must know which documents inform the AI-CAIQ controls relevant to their engagement. A working group chair drafting a new technical specification needs to understand where MITRE ATLAS technique coverage is strong and where it is thin.
This document—the CSAI Master Framework Alignment Matrix—exists to answer those questions with precision. It maps all 27 CSAI deliverables against ten distinct framework dimensions: the AICM domain taxonomy, the OWASP ASI Top 10 for Agentic Applications, MITRE ATLAS tactics and techniques, MAESTRO’s seven-layer threat model, the four functions of the NIST AI RMF 1.0, AIUC-1 use case requirements, OpenClaw ecosystem relevance, STAR for AI certification levels, EU AI Act article alignment, and the six CSAI strategic program areas. [1][2][3][4][5][6]
The analysis reveals a program that is deliberately comprehensive but not uniformly distributed. Coverage across NIST AI RMF functions and AICM domains is strong, reflecting CSAI’s foundational investment in governance and controls architecture. Coverage of OWASP ASI execution-layer risks—particularly ASI05 (Unexpected Code Execution) and ASI07 (Insecure Inter-Agent Communications)—is adequate but concentrated in fewer deliverables than its threat severity warrants. The EU AI Act alignment column reveals a structural gap: while several deliverables address high-risk AI system requirements implicitly, only a handful engage explicitly with Article 9, 12, 14, and 15 obligations in ways that regulators and compliance teams can use directly. These gaps inform Section 5’s recommendations for future deliverable development.
The matrix is intended as a living instrument. It will require quarterly updates as deliverables move from draft to final publication, as external frameworks release new versions, and as the CSAI program adds or retires work items. Section 7 describes the maintenance procedures that govern that update cycle.
1. Introduction: Why a Master Alignment Matrix
The proliferation of AI security frameworks is, simultaneously, a sign of the field’s seriousness and a source of genuine operational friction. In the span of roughly eighteen months, practitioners have seen the release of the NIST AI RMF 1.0, the CSA AI Controls Matrix (AICM), the OWASP Top 10 for Agentic Applications, the MITRE ATLAS v5.1 expansion to cover agentic threats, the AIUC-1 agent compliance standard, MAESTRO as a purpose-built agentic threat model, and the full activation of STAR for AI as a global certification scheme anchored to ISO/IEC 42001. [1][7][8][9][10] Each of these frameworks provides real value. None of them, individually, covers the entire problem space. Together, they create a landscape that even experienced practitioners find difficult to navigate without a structured map.
The CSAI program compounds this challenge by design. The twenty-seven deliverables in the 2026 portfolio were developed across five working groups and six strategic program areas, with distinct audiences, timelines, and technical scopes. The ATLAS Agentic Gap Analysis, for example, was produced in close collaboration with the MITRE ATLAS team and is deeply specialized; the TAISE CxO Body of Knowledge, by contrast, is written for board-level executives with no expectation of technical depth. Both documents matter. Helping practitioners understand how they relate—to each other and to the broader framework landscape—is the primary purpose of this alignment matrix.
A secondary purpose is accountability. Without a master map, it is difficult to answer the question: does the CSAI program, taken as a whole, provide adequate coverage of the threats and governance requirements that enterprise adopters of agentic AI actually face? Structural gaps can persist undetected for months when no one is tracking coverage across the full portfolio. This document makes those gaps visible so that working groups can address them deliberately rather than discovering them reactively when a practitioner or auditor points out that a critical threat class has no corresponding CSAI guidance.
A third purpose is integration efficiency. AIUC-1 explicitly maps its fifty-plus requirements to AICM controls, NIST AI RMF, OWASP LLM Top 10, and ISO 42001. [6] STAR for AI Level 2 requires both a Valid-AI-ted AI-CAIQ and an ISO/IEC 42001 certification. [10] An enterprise that has already completed a CSAI-aligned security assessment program should not have to start over when preparing for STAR for AI certification—but capturing that continuity requires knowing precisely which CSAI deliverables satisfy which STAR for AI control requirements. The alignment matrix provides that knowledge in a format that compliance and assurance teams can use directly.
2. Framework Dimension Descriptions
Understanding the alignment matrix requires a clear working definition of each of the ten dimensions. This section provides concise descriptions that establish the scope and structure of each framework as used in the matrix.
2.1 AICM Domains
The CSA AI Controls Matrix (AICM) v1.0, released in July 2025, contains 243 control objectives distributed across 18 security and governance domains. [7] The framework is explicitly designed as a superset of the Cloud Controls Matrix (CCM), extending its domain taxonomy to address AI-specific risks that have no analog in traditional cloud security. The 18 domains are: Agentic AI (AA), AI Security (AIS), Business Continuity Management (BCM), Change and Configuration Control (CCC), Cryptography and Key Management (CEK), Data Center Security (DCS), Data Security and Privacy (DSP), Governance, Risk, and Compliance (GRC), Human Resources Security (HRS), Identity and Access Management (IAM), Interoperability and Portability (IPY), Infrastructure and Virtualization Security (IVS), Logging and Monitoring (LOG), Model Security (MS), Security Ecosystem and Federation (SEF), Supply Chain Transparency and Accountability (STA), Threat and Vulnerability Management (TVM), and Universal Endpoint Management (UEM). [7] For purposes of the alignment matrix, each deliverable is mapped to its primary AICM domain or domains, with a maximum of three domains listed to prevent false completeness.
2.2 OWASP ASI Top 10
The OWASP Top 10 for Agentic Applications—published by the OWASP GenAI Security Project on December 10, 2025, with the 2026 edition subsequently released—documents ten risk categories specific to autonomous and semi-autonomous AI agents. [1] The ten categories are: ASI01 (Agent Goal Hijack), ASI02 (Tool Misuse and Exploitation), ASI03 (Identity and Privilege Abuse), ASI04 (Agentic Supply Chain Vulnerabilities), ASI05 (Unexpected Code Execution), ASI06 (Memory and Context Poisoning), ASI07 (Insecure Inter-Agent Communications), ASI08 (Cascading Failures), ASI09 (Human-Agent Trust Exploitation), and ASI10 (Rogue Agents). [1] The categories were developed through input from over 100 security researchers, industry practitioners, and technology providers, and represent the community consensus on the most dangerous risks associated with agentic AI deployment.
2.3 MITRE ATLAS Techniques
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is the authoritative adversarial framework for AI and machine-learning attacks. As of v5.1 (November 2025), ATLAS covers 16 tactics and 84 techniques, including a significant expansion in October 2025 that added 14 new techniques specifically addressing agentic and generative AI threats. [2][11] Key agentic technique additions include AML.T0096 (AI Service API Abuse), AML.T0098 (AI Agent Tool Credential Harvesting), AML.T0099 (AI Agent Tool Data Poisoning), AML.T0100 (AI Agent Clickbait), and AML.T0101 (Data Destruction via AI Agent Tool Invocation). [11] The framework inherits thirteen tactics from MITRE ATT&CK and adds two AI-specific tactics: ML Model Access (AML.TA0004) and ML Attack Staging (AML.TA0012). In the alignment matrix, deliverables are mapped to the most relevant tactic IDs rather than attempting exhaustive technique enumeration.
2.4 MAESTRO Layers
MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome) was introduced by the Cloud Security Alliance in February 2025 as a purpose-built threat modeling framework for agentic AI systems. [3] Its seven-layer architecture provides a reference model for locating threats and controls at the appropriate level of the agentic stack. The seven layers are: Layer 1 (Foundation Models), Layer 2 (Data Operations), Layer 3 (Agent Frameworks), Layer 4 (Deployment and Infrastructure), Layer 5 (Evaluation and Observability), Layer 6 (Security and Compliance), and Layer 7 (Agent Ecosystem). [3] Unlike generic threat modeling approaches such as STRIDE, MAESTRO explicitly addresses agent autonomy, multi-agent interaction risks, adversarial machine learning, and data poisoning at the model level. Deliverables in the alignment matrix are mapped to the MAESTRO layers they most directly address.
2.5 NIST AI RMF Functions
The NIST Artificial Intelligence Risk Management Framework 1.0 (NIST AI RMF 1.0), published in January 2023, organizes AI risk management activities across four core functions: Govern, Map, Measure, and Manage. [4] GOVERN applies cross-cuttingly to all stages of the AI risk management process, establishing the policies, roles, and accountability structures within which the other three functions operate. MAP frames the context and identifies AI-related risks. MEASURE employs quantitative and qualitative methods to analyze, assess, benchmark, and monitor those risks. MANAGE defines the actions taken to treat, monitor, and communicate about risks. [4] The four functions are designed to be iterative rather than sequential, and the framework explicitly recognizes that governance must be continuously reinforced through the other three functions. In the alignment matrix, deliverables are mapped to the primary function or functions they support.
2.6 AIUC-1 Use Case Requirements
AIUC-1, developed collaboratively with over 100 Fortune 500 CISOs, is the first compliance standard built specifically for AI agent deployments. [6] Organized across six domains—Data & Privacy, Security, Safety, Reliability, Accountability, and Society—AIUC-1 contains more than fifty auditable requirements grounded in technical testing rather than attestation alone. [6] The standard was designed to operationalize major frameworks including the EU AI Act, NIST AI RMF, ISO 42001, MITRE ATLAS, and AICM, while complementing general security standards such as SOC 2 and ISO 27001. [6] In the alignment matrix, deliverables are tagged with the AIUC-1 domain or domains they most directly support, enabling organizations pursuing AIUC-1 certification to identify which CSAI materials provide implementation evidence.
2.7 OpenClaw Ecosystem Relevance
OpenClaw is the open-source AI security intelligence platform operated as part of the CSAI AI Risk Observatory program area. It functions as an observability and telemetry layer for agentic environments, integrating with the RiskRubric model scanning leaderboard and serving as a vulnerability tracking and reporting hub for the agentic ecosystem. [12] In the alignment matrix, relevance to OpenClaw is rated on a four-point scale: High (the deliverable directly governs or extends OpenClaw capabilities), Medium (the deliverable provides context or guidance that OpenClaw implements), Low (the deliverable has indirect relevance), and None (the deliverable addresses concerns outside OpenClaw’s scope).
2.8 STAR for AI Certification Level
CSA STAR for AI is the extension of the Cloud Security Alliance’s STAR certification program to AI systems. Level 1 requires completion and public publication of the AI Consensus Assessments Initiative Questionnaire (AI-CAIQ) self-assessment. [10] Level 2 requires a Valid-AI-ted AI-CAIQ combined with an ISO/IEC 42001 certification from an accredited certification body, along with independent third-party audit of AI security, governance, and risk management controls. [10] Deliverables are mapped to the STAR for AI level at which they are most relevant—either as direct inputs to the assessment process, as governance foundations for the management system, or as implementation evidence for specific control domains.
2.9 EU AI Act Article Alignment
The EU AI Act, which entered into force in August 2024 with phased implementation timelines extending through 2027, imposes structured obligations on providers and deployers of high-risk AI systems. For purposes of this matrix, the most relevant articles are Article 9 (risk management system requirements, including continuous lifecycle assessment), Article 12 (record-keeping and logging obligations), Article 14 (human oversight requirements and the obligation to implement effective human control measures), and Article 15 (accuracy, robustness, and cybersecurity requirements, including resilience against adversarial manipulation). [5] Deliverables that address regulatory compliance more broadly are also noted against Article 13 (transparency and provision of information to deployers) and Article 17 (quality management system for providers). Mapping EU AI Act articles to CSAI deliverables enables European enterprises and global organizations subject to the Act to understand which CSAI guidance directly supports their compliance obligations.
2.10 CSAI Strategic Program Areas
The CSAI Foundation’s 2026 program is organized across six strategic areas: Program Area 1 (AI Risk Observatory), Program Area 2 (Agentic Best Practices), Program Area 3 (Education and Credentialing), Program Area 4 (CxOtrust), Program Area 5 (Global Assurance and Trust), and Program Area 6 (Future Forward). [12] These program areas are not mutually exclusive—many deliverables serve multiple areas—but each deliverable has a primary home that reflects the sponsoring working group and intended audience. Understanding primary program area membership helps working group chairs manage portfolio coherence and helps enterprise practitioners understand the maturity and maintenance trajectory of each deliverable.
3. The Alignment Matrix
The following tables present the full alignment matrix for all 27 CSAI deliverables. Given the density of information across ten dimensions, the matrix is organized into three tables. Table A maps deliverables against AICM domains, OWASP ASI categories, and MAESTRO layers. Table B maps deliverables against MITRE ATLAS tactics, NIST AI RMF functions, and AIUC-1 domains. Table C maps deliverables against OpenClaw relevance, STAR for AI level, EU AI Act articles, and the primary CSAI strategic program area.
Cells marked “—” indicate that the deliverable has no substantive alignment to that dimension. Cells listing multiple values indicate joint applicability; where three or more values would apply, the most significant are listed with “(+)” to indicate additional coverage exists.
Table A: AICM Domains, OWASP ASI Categories, and MAESTRO Layers
| # | Deliverable | Primary AICM Domains | OWASP ASI Coverage | MAESTRO Layers |
|---|---|---|---|---|
| 1 | ATLAS Agentic Gap Analysis | AA, TVM, AIS | ASI01, ASI02, ASI05, ASI06, ASI07, ASI10 | L1, L2, L3, L7 |
| 2 | CVE/CWE Agentic Vulnerability Catalog | TVM, AIS, STA | ASI01, ASI02, ASI04, ASI05, ASI08 | L1, L3, L4 |
| 3 | AICM Agentic Control Supplement | AA, GRC, IAM | ASI01–ASI10 (all) | L1–L7 (all) |
| 4 | NemoClaw Security Assessment | AIS, TVM, MS | ASI01, ASI06, ASI10 | L1, L2, L5 |
| 5 | MCP Security Best Practices Guide | AA, IAM, STA | ASI02, ASI03, ASI04, ASI07 | L3, L6, L7 |
| 6 | Master Framework Alignment Matrix | GRC, AA, SEF | ASI01–ASI10 (all) | L1–L7 (all) |
| 7 | Agent Identity Governance Framework | IAM, AA, GRC | ASI03, ASI07, ASI09 | L3, L6, L7 |
| 8 | Agentic Secure Development Lifecycle (ASDL) | AIS, STA, CCC | ASI04, ASI05, ASI06 | L1, L2, L3, L4 |
| 9 | NIST AI RMF Agentic Profile | GRC, AA, TVM | ASI01, ASI03, ASI08, ASI10 | L5, L6 |
| 10 | RiskRubric V2 Agentic Extension | TVM, AIS, LOG | ASI01, ASI06, ASI08, ASI10 | L1, L5 |
| 11 | RiskRubric MCP Scanner Specification | TVM, AIS, STA | ASI02, ASI04, ASI07 | L3, L7 |
| 12 | Agent Registry Specification | IAM, AA, GRC | ASI03, ASI07, ASI09 | L6, L7 |
| 13 | STAR for AI Agentic Certification Scheme | GRC, SEF, AA | ASI01–ASI10 (all) | L5, L6 |
| 14 | RiskRubric Agentic Benchmark Suite | TVM, MS, AIS | ASI01, ASI06, ASI08, ASI10 | L1, L5 |
| 15 | AI Risk Observatory Telemetry Architecture | LOG, TVM, AIS | ASI08, ASI09, ASI10 | L5, L7 |
| 16 | OpenClaw Hardening Guide | AIS, IVS, TVM | ASI02, ASI04, ASI05 | L3, L4, L6 |
| 17 | Agentic Cybersecurity Implementation Guide | AA, AIS, GRC | ASI01–ASI07 (+) | L2–L6 (+) |
| 18 | Agentic Transaction Security Framework | AA, IAM, DSP | ASI03, ASI07, ASI08 | L3, L6, L7 |
| 19 | Valid-AI-ted Audit Engine Specification | GRC, LOG, SEF | ASI09, ASI10 | L5, L6 |
| 20 | TAISE Agentic Body of Knowledge | AA, AIS, GRC | ASI01–ASI10 (all) | L1–L7 (all) |
| 21 | TAISE CxO Body of Knowledge | GRC, HRS | ASI09, ASI10 | L6, L7 |
| 22 | Agentic AI Governance Maturity Model | GRC, AA, HRS | ASI09, ASI10 | L6, L7 |
| 23 | Catastrophic Risk Annex | AA, GRC, TVM | ASI08, ASI10 | L1, L7 |
| 24 | TAISE Compass Curriculum | HRS, GRC | ASI09 | L6 |
| 25 | CNA Operations Manual | TVM, STA, LOG | ASI01, ASI04, ASI05 | L1, L3 |
| 26 | Standards Engagement Proposals | GRC, SEF, IPY | — | L6 |
| 27 | Agentic AI Summit Series Program Design | HRS, GRC | ASI09, ASI10 | L6, L7 |
Table B: MITRE ATLAS Tactics, NIST AI RMF Functions, and AIUC-1 Domains
| # | Deliverable | Primary MITRE ATLAS Tactics | NIST AI RMF Functions | AIUC-1 Domains |
|---|---|---|---|---|
| 1 | ATLAS Agentic Gap Analysis | AML.TA0001, AML.TA0003, AML.TA0004, AML.TA0012, AML.TA0014 | Map, Measure | Security, Safety |
| 2 | CVE/CWE Agentic Vulnerability Catalog | AML.TA0001, AML.TA0003, AML.TA0005, AML.TA0014 | Map, Measure | Security, Reliability |
| 3 | AICM Agentic Control Supplement | AML.TA0001–AML.TA0016 (all) | Govern, Map, Measure, Manage | All six domains |
| 4 | NemoClaw Security Assessment | AML.TA0001, AML.TA0004, AML.TA0008, AML.TA0012 | Map, Measure | Security |
| 5 | MCP Security Best Practices Guide | AML.TA0003, AML.TA0009, AML.TA0015 | Manage | Security, Accountability |
| 6 | Master Framework Alignment Matrix | AML.TA0001–AML.TA0016 (all) | Govern, Map, Measure, Manage | All six domains |
| 7 | Agent Identity Governance Framework | AML.TA0009, AML.TA0013, AML.TA0015 | Govern, Manage | Security, Accountability |
| 8 | Agentic Secure Development Lifecycle | AML.TA0002, AML.TA0003, AML.TA0005, AML.TA0006 | Map, Manage | Security, Reliability |
| 9 | NIST AI RMF Agentic Profile | AML.TA0001, AML.TA0006, AML.TA0011, AML.TA0014 | Govern, Map, Measure, Manage | All six domains |
| 10 | RiskRubric V2 Agentic Extension | AML.TA0001, AML.TA0004, AML.TA0011, AML.TA0014 | Measure | Security, Safety |
| 11 | RiskRubric MCP Scanner Specification | AML.TA0001, AML.TA0003, AML.TA0009 | Measure | Security |
| 12 | Agent Registry Specification | AML.TA0009, AML.TA0013, AML.TA0015 | Govern, Manage | Security, Accountability |
| 13 | STAR for AI Agentic Certification Scheme | AML.TA0001–AML.TA0016 (all) | Govern, Measure | All six domains |
| 14 | RiskRubric Agentic Benchmark Suite | AML.TA0001, AML.TA0004, AML.TA0012 | Measure | Security, Reliability |
| 15 | AI Risk Observatory Telemetry Architecture | AML.TA0001, AML.TA0014, AML.TA0015 | Measure, Manage | Security, Reliability |
| 16 | OpenClaw Hardening Guide | AML.TA0003, AML.TA0005, AML.TA0006, AML.TA0008 | Manage | Security |
| 17 | Agentic Cybersecurity Implementation Guide | AML.TA0003–AML.TA0014 (+) | Map, Measure, Manage | Security, Reliability, Accountability |
| 18 | Agentic Transaction Security Framework | AML.TA0009, AML.TA0013, AML.TA0015 | Govern, Manage | Security, Accountability, Society |
| 19 | Valid-AI-ted Audit Engine Specification | AML.TA0001, AML.TA0011, AML.TA0014 | Govern, Measure | Accountability |
| 20 | TAISE Agentic Body of Knowledge | AML.TA0001–AML.TA0016 (all) | Govern, Map, Measure, Manage | All six domains |
| 21 | TAISE CxO Body of Knowledge | AML.TA0011, AML.TA0014 | Govern | Accountability, Society |
| 22 | Agentic AI Governance Maturity Model | AML.TA0011, AML.TA0014 | Govern | Accountability |
| 23 | Catastrophic Risk Annex | AML.TA0011, AML.TA0014 | Map, Measure | Safety, Society |
| 24 | TAISE Compass Curriculum | — | Govern | Accountability |
| 25 | CNA Operations Manual | AML.TA0001, AML.TA0003, AML.TA0005 | Map, Measure | Security |
| 26 | Standards Engagement Proposals | — | Govern | Accountability |
| 27 | Agentic AI Summit Series Program Design | — | Govern | Society |
Table C: OpenClaw Relevance, STAR for AI Level, EU AI Act Articles, and CSAI Program Area
| # | Deliverable | OpenClaw Relevance | STAR for AI Level | EU AI Act Articles | CSAI Program Area |
|---|---|---|---|---|---|
| 1 | ATLAS Agentic Gap Analysis | Medium | Level 1 input | Art. 9, Art. 15 | 1 — AI Risk Observatory |
| 2 | CVE/CWE Agentic Vulnerability Catalog | High | Level 1 input | Art. 9, Art. 15 | 1 — AI Risk Observatory |
| 3 | AICM Agentic Control Supplement | Medium | Level 1 & 2 | Art. 9, 12, 14, 15, 17 | 2 — Best Practices |
| 4 | NemoClaw Security Assessment | High | Level 1 input | Art. 9, Art. 15 | 1 — AI Risk Observatory |
| 5 | MCP Security Best Practices Guide | High | Level 1 input | Art. 9, Art. 15 | 2 — Best Practices |
| 6 | Master Framework Alignment Matrix | Medium | Level 1 & 2 | Art. 9, 12, 14, 15, 17 | 2 — Best Practices |
| 7 | Agent Identity Governance Framework | Medium | Level 1 & 2 | Art. 9, Art. 14 | 2 — Best Practices |
| 8 | Agentic Secure Development Lifecycle | Medium | Level 1 & 2 | Art. 9, Art. 15, Art. 17 | 2 — Best Practices |
| 9 | NIST AI RMF Agentic Profile | Low | Level 1 & 2 | Art. 9, 12, 14, 15 | 2 — Best Practices |
| 10 | RiskRubric V2 Agentic Extension | High | Level 1 input | Art. 9, Art. 15 | 1 — AI Risk Observatory |
| 11 | RiskRubric MCP Scanner Specification | High | Level 1 input | Art. 9 | 1 — AI Risk Observatory |
| 12 | Agent Registry Specification | Medium | Level 1 & 2 | Art. 9, Art. 14 | 2 — Best Practices |
| 13 | STAR for AI Agentic Certification Scheme | Medium | Level 1 & 2 | Art. 9, 12, 14, 15, 17 | 5 — Global Assurance |
| 14 | RiskRubric Agentic Benchmark Suite | High | Level 1 input | Art. 9, Art. 15 | 1 — AI Risk Observatory |
| 15 | AI Risk Observatory Telemetry Architecture | High | Level 1 input | Art. 12, Art. 15 | 1 — AI Risk Observatory |
| 16 | OpenClaw Hardening Guide | High | Level 1 input | Art. 15 | 2 — Best Practices |
| 17 | Agentic Cybersecurity Implementation Guide | Medium | Level 1 & 2 | Art. 9, 12, 14, 15 | 2 — Best Practices |
| 18 | Agentic Transaction Security Framework | Medium | Level 1 & 2 | Art. 9, Art. 14, Art. 15 | 2 — Best Practices |
| 19 | Valid-AI-ted Audit Engine Specification | Medium | Level 2 | Art. 9, Art. 12, Art. 17 | 5 — Global Assurance |
| 20 | TAISE Agentic Body of Knowledge | Low | Level 1 & 2 | Art. 14, Art. 9 | 3 — Education |
| 21 | TAISE CxO Body of Knowledge | None | Level 1 input | Art. 9 | 4 — CxOtrust |
| 22 | Agentic AI Governance Maturity Model | Low | Level 1 & 2 | Art. 9, Art. 17 | 4 — CxOtrust |
| 23 | Catastrophic Risk Annex | Low | Level 2 | Art. 9 | 6 — Future Forward |
| 24 | TAISE Compass Curriculum | None | None | — | 3 — Education |
| 25 | CNA Operations Manual | High | Level 1 input | Art. 9, Art. 15 | 1 — AI Risk Observatory |
| 26 | Standards Engagement Proposals | None | Level 1 & 2 | Art. 9, 12, 14, 15, 17 | 6 — Future Forward |
| 27 | Agentic AI Summit Series Program Design | None | None | — | 3 — Education |
4. Coverage Heat Map Analysis
Reading the alignment matrix as a single object reveals a program whose coverage is intentional and, in most dimensions, deliberately deep—but whose depth is unequally distributed in ways that have practical consequences for practitioners. This section analyzes coverage strength and weakness across each of the ten dimensions, supporting the gap identification analysis in Section 5.
4.1 AICM Domain Coverage
Across the 27 deliverables, the most heavily represented AICM domains are Governance, Risk, and Compliance (GRC), which appears as a primary domain in 14 deliverables; Agentic AI (AA), which appears in 13 deliverables; and Threat and Vulnerability Management (TVM), which appears in 10. AI Security (AIS) and Identity and Access Management (IAM) each appear in eight. This distribution reflects CSAI’s deliberate focus on governance architecture and threat intelligence as the foundational layers of the program portfolio.
Coverage becomes thinner as one moves toward operational and infrastructure domains. Data Center Security (DCS) appears in zero deliverables as a primary domain—an expected gap, as CSAI’s scope is AI-layer rather than physical infrastructure. Cryptography and Key Management (CEK) appears in zero primary mappings, despite the fact that agent-to-agent authentication, model artifact signing, and encrypted telemetry channels all have significant cryptographic dimensions. Similarly, Universal Endpoint Management (UEM) and Interoperability and Portability (IPY) each appear in only one deliverable as a primary domain, suggesting that device management and cross-platform portability concerns receive lighter treatment than their operational significance might warrant.
| AICM Domain | Primary Coverage Count | Assessment |
|---|---|---|
| GRC (Governance, Risk, Compliance) | 14 | Strong |
| AA (Agentic AI) | 13 | Strong |
| TVM (Threat & Vulnerability Mgmt) | 10 | Strong |
| AIS (AI Security) | 8 | Adequate |
| IAM (Identity & Access Management) | 8 | Adequate |
| LOG (Logging and Monitoring) | 4 | Moderate |
| MS (Model Security) | 3 | Moderate |
| STA (Supply Chain Transparency) | 4 | Moderate |
| HRS (Human Resources Security) | 4 | Moderate |
| DSP (Data Security and Privacy) | 2 | Weak |
| SEF (Security Ecosystem & Federation) | 3 | Moderate |
| IVS (Infrastructure & Virtualization) | 1 | Weak |
| CCC (Change & Configuration Control) | 1 | Weak |
| IPY (Interoperability & Portability) | 1 | Weak |
| CEK (Cryptography & Key Mgmt) | 0 | Gap |
| DCS (Data Center Security) | 0 | Gap |
| BCM (Business Continuity Mgmt) | 0 | Gap |
| UEM (Universal Endpoint Mgmt) | 0 | Gap |
4.2 OWASP ASI Coverage
Seven of the ten OWASP ASI categories receive coverage from five or more deliverables. ASI09 (Human-Agent Trust Exploitation) and ASI10 (Rogue Agents) are the most broadly covered, appearing in 12 and 13 deliverables respectively—a distribution that reflects the extensive attention CSAI’s education and governance programs give to human oversight, executive awareness, and alignment risk. ASI01 (Agent Goal Hijack) and ASI03 (Identity and Privilege Abuse) each appear in 9 deliverables, anchored by strong coverage from the ATLAS Agentic Gap Analysis, Agent Identity Governance Framework, and the AICM Agentic Control Supplement. [1]
The more technical execution-layer categories receive comparatively sparse coverage. ASI05 (Unexpected Code Execution) is addressed by only four deliverables—the ATLAS Agentic Gap Analysis, CVE/CWE Agentic Vulnerability Catalog, ASDL, and CNA Operations Manual—none of which provides the kind of prescriptive developer guidance that a software engineering team could use directly. ASI07 (Insecure Inter-Agent Communications) is addressed by five deliverables, but the MCP Security Best Practices Guide and RiskRubric MCP Scanner Specification are the only documents that address the protocol-level specifics of inter-agent message integrity. This is a meaningful gap given that multi-agent orchestration is among the fastest-growing deployment patterns in enterprise agentic AI.
4.3 MAESTRO Layer Coverage
Coverage across MAESTRO’s seven layers is strong at the extremes—Layer 1 (Foundation Models) and Layers 6–7 (Security and Compliance; Agent Ecosystem)—and moderate in the middle layers that represent operational deployment concerns. Layer 5 (Evaluation and Observability) is well served by the AI Risk Observatory Telemetry Architecture, both RiskRubric deliverables, and the Valid-AI-ted Audit Engine Specification, which together form a coherent observability stack. Layer 3 (Agent Frameworks) has adequate coverage through the MCP Security Best Practices Guide, ASDL, and OpenClaw Hardening Guide, though none of these documents addresses the full range of agentic orchestration frameworks currently in enterprise use.
Layer 4 (Deployment and Infrastructure) is the most underserved MAESTRO layer in the current portfolio. Only the ASDL and OpenClaw Hardening Guide address infrastructure-level concerns as a primary focus, and both do so within narrower technical scopes than the full deployment security problem warrants. As enterprises move agentic workloads into Kubernetes-based orchestration environments and containerized agent runtimes, infrastructure hardening guidance specific to agentic deployments will become increasingly important. [3]
4.4 NIST AI RMF and AIUC-1 Coverage
The GOVERN function of NIST AI RMF receives the broadest coverage across the portfolio, with 17 deliverables mapping to it as a primary or strong secondary function. This is expected given the program’s heavy investment in governance-layer documents such as the Agentic AI Governance Maturity Model, NIST AI RMF Agentic Profile, and the suite of TAISE credentialing materials. The MEASURE function is the second strongest, with 14 deliverables, reflecting the program’s deep investment in risk measurement tools through the RiskRubric suite and the Valid-AI-ted audit engine.
The MANAGE function receives coverage from 11 deliverables but is notably thin on operational runbook-style guidance—the kind of step-by-step incident response and remediation materials that security operations teams can use in the moment of a detected agentic incident. The MAP function coverage, at 12 deliverables, is adequate but concentrated in the assessment and taxonomy documents rather than in practice-oriented mapping guides for specific deployment scenarios.
AIUC-1 alignment is strong in the Security and Accountability domains, where nearly all technical Best Practices deliverables map cleanly. The Society domain—addressing catastrophic societal harm, system misuse, and national security implications—is served by only the Catastrophic Risk Annex, Agentic Transaction Security Framework, and the Summit Series Program Design. Given that the Society domain represents AIUC-1’s most differentiated contribution relative to other frameworks, this thin coverage may limit CSAI’s ability to support organizations pursuing AIUC-1 certification for high-stakes deployments. [6]
4.5 EU AI Act and STAR for AI Coverage
Nineteen of the 27 deliverables have substantive EU AI Act article alignment. Coverage of Article 9 (risk management systems) is the strongest, appearing in 17 deliverables, because the risk management system requirement is foundational enough to intersect with nearly every technical and governance document in the portfolio. Article 15 (accuracy, robustness, and cybersecurity) is the second strongest, appearing in 12 deliverables. Article 14 (human oversight) appears in 9 deliverables, with coverage concentrated appropriately in identity governance, certification, and education materials.
Article 12 (record-keeping) is the most poorly served of the four core high-risk articles, appearing in only 6 deliverables. This is significant because logging and audit trail requirements are among the most commonly cited compliance gaps in enterprise AI governance audits. The AI Risk Observatory Telemetry Architecture is the only deliverable that addresses logging architecture in depth; the Valid-AI-ted Audit Engine addresses automated record capture; but no deliverable provides standalone guidance on Article 12 compliance as an organizational readiness concern. A dedicated logging and record-keeping guidance document may be warranted.
STAR for AI coverage is strong: 20 deliverables map to at least Level 1, and 15 provide governance foundations or implementation evidence relevant to Level 2. The STAR for AI Agentic Certification Scheme deliverable is the only one that addresses the certification scheme itself as a subject, ensuring that practitioners have a primary reference for understanding how agentic AI system characteristics affect the certification pathway.
5. Gap Identification
The heat map analysis in Section 4 surfaces several structural gaps that the CSAI working groups should address in the next planning cycle. Each gap is characterized by its affected framework dimensions, its practical consequence for practitioners, and a suggested remediation approach.
The first and most significant gap is the absence of a cryptography and key management deliverable aligned to AICM’s CEK domain. Agent-to-agent authentication in multi-agent systems depends on cryptographic identity binding, and model artifact integrity verification requires signing infrastructure. Neither the ASDL nor the Agent Identity Governance Framework addresses cryptographic controls in sufficient depth for practitioners implementing zero-trust agentic environments. The remediation path is either a standalone CEK guidance document or a technical annex to the Agent Identity Governance Framework.
The second gap involves EU Article 12 record-keeping. No deliverable provides actionable, standalone guidance on logging requirements for high-risk AI systems under the EU AI Act’s Article 12 obligations. The AI Risk Observatory Telemetry Architecture is the closest available resource, but its scope is observability architecture rather than regulatory compliance. An Article 12 compliance annex, potentially co-authored with the STAR for AI Agentic Certification Scheme working group, would close this gap.
The third gap concerns OWASP ASI05 (Unexpected Code Execution). The four deliverables that currently address this risk do so from analysis, taxonomy, and process perspectives, but none provides prescriptive secure coding guidance for developers building agentic systems. The ASDL addresses the development lifecycle at a process level; what is missing is a corresponding secure coding standard that addresses the specific patterns through which agentic systems produce and execute code—sandboxing requirements, input sanitization for code-generating agents, and runtime isolation architectures.
A fourth gap is the near-total absence of AICM BCM (Business Continuity Management) coverage. Agentic systems that become integral to business operations create novel business continuity concerns: automated decision chains can fail in cascading ways (ASI08), and agent ecosystem disruptions can affect dependent processes with speed and scale that traditional BCM frameworks do not anticipate. No current CSAI deliverable provides BCM-specific guidance for agentic deployments. The Catastrophic Risk Annex touches on related themes at a strategic level, but operational continuity planning for agentic systems is not addressed.
A fifth, more latent gap involves AIUC-1’s Society domain. The deliverables currently mapped to this domain—the Catastrophic Risk Annex, Agentic Transaction Security Framework, and Agentic AI Summit Series Program Design—are each valuable but serve different audiences and purposes. What is missing is a coherent practitioner-facing document that addresses the Society domain’s requirements in the structured, auditable format that AIUC-1 certification requires: specific controls against cyber exploitation and misuse at a societal level, with testing and evidence standards.
6. Usage Guidance by Audience
The alignment matrix is a reference instrument, not a reading list, and different audiences will extract different kinds of value from it. This section provides structured guidance for the three primary audiences: enterprise security teams, standards bodies and regulators, and CSAI working groups.
6.1 Enterprise Security Teams
Enterprise security teams approaching the CSAI portfolio for the first time typically have one of three entry points: a specific compliance requirement they need to address, a threat scenario they need to mitigate, or an assessment program they are preparing to undergo. The alignment matrix supports all three entry strategies.
For compliance-driven navigation, teams should begin with Tables C and cross-reference EU AI Act articles or STAR for AI levels against their organizational obligations. An enterprise preparing for STAR for AI Level 2 certification, for example, should prioritize the STAR for AI Agentic Certification Scheme, NIST AI RMF Agentic Profile, Valid-AI-ted Audit Engine Specification, and AICM Agentic Control Supplement—these four deliverables collectively address all major domains of the Level 2 assessment. For EU AI Act Article 9 readiness, the same team should also engage the Agentic AI Governance Maturity Model and the Agent Identity Governance Framework.
For threat-driven navigation, teams responding to a specific OWASP ASI or MITRE ATLAS concern should use Tables A and B to identify the deliverables most relevant to that threat class. A team responding to ASI07 (Insecure Inter-Agent Communications) incidents should prioritize the MCP Security Best Practices Guide, Agent Identity Governance Framework, Agent Registry Specification, and Agentic Transaction Security Framework. A team conducting red-team exercises against MITRE ATLAS AML.TA0012 (ML Attack Staging) techniques should engage the ATLAS Agentic Gap Analysis, RiskRubric V2 Agentic Extension, and RiskRubric Agentic Benchmark Suite.
For assessment preparation, teams should use the matrix to avoid redundant work. If an organization has already completed an AICM self-assessment using the AI-CAIQ, the Valid-AI-ted Audit Engine Specification describes how that assessment can be scored and validated toward STAR for AI Level 2. The Agentic Cybersecurity Implementation Guide provides implementation evidence across multiple AICM domains simultaneously, reducing the number of discrete documents a team needs to master before an assessment.
6.2 Standards Bodies
Standards bodies and regulatory agencies engaging with CSAI deliverables have a fundamentally different information need: they are less concerned with which documents to read than with understanding how CSAI’s outputs relate to, and potentially inform or adopt, their own frameworks. The alignment matrix serves this audience in two ways.
First, it provides a structured accounting of where CSAI has developed original technical content that could inform external framework updates. The ATLAS Agentic Gap Analysis was produced in close collaboration with the MITRE ATLAS team and directly contributed to the October 2025 expansion of ATLAS techniques. [2] The CVE/CWE Agentic Vulnerability Catalog, produced under CSAI’s CNA program, extends the CVE taxonomy with agentic-specific vulnerability patterns that have no direct analog in existing CWE entries. Standards bodies considering how to extend their own frameworks to address agentic AI threats should treat these deliverables as primary inputs.
Second, the matrix reveals where CSAI’s coverage converges with or complements specific framework obligations in ways that could reduce duplication across the standards landscape. The NIST AI RMF Agentic Profile is the most direct example: it was designed explicitly as a profile document within the NIST AI RMF structure, meaning it should be recognized by NIST as an authoritative community profile contribution. The Standards Engagement Proposals deliverable documents CSAI’s formal engagement strategy with external standards bodies, including NIST, ISO, ENISA, and IETF, and can serve as a coordination reference for organizations navigating multiple standards processes.
6.3 CSAI Working Groups
For CSAI working groups, the alignment matrix serves as a coordination and accountability instrument. Working group chairs should review the matrix quarterly to assess whether their deliverables’ alignment profiles remain current as external frameworks update and as the deliverables themselves move from draft to final status.
The gap analysis in Section 5 identifies five areas where the current portfolio has structural weaknesses. Working groups with relevant technical capacity should consider whether gap-closing deliverables fall within their existing scope or whether new working group formation is warranted. In particular, the CEK cryptography gap and the Article 12 logging gap are sufficiently bounded that they could be addressed through targeted annexes to existing deliverables rather than new standalone documents—an approach that has the advantage of maintaining coherence in the existing document structure.
Working groups should also use the matrix to identify collaboration opportunities across program areas. The CVE/CWE Agentic Vulnerability Catalog (Program Area 1) and the ASDL (Program Area 2) address overlapping concerns around supply chain vulnerabilities and agentic code generation risks. Explicit cross-references between these documents, informed by the matrix alignment, would strengthen both without requiring duplicated content. Similarly, the Valid-AI-ted Audit Engine Specification (Program Area 5) and the AI Risk Observatory Telemetry Architecture (Program Area 1) address complementary aspects of the observability and audit problem; joint working sessions between these two teams could surface integration points that neither team would identify working in isolation.
7. Maintenance and Update Procedures
The CSAI Master Framework Alignment Matrix is a living document. Its accuracy and utility depend on a disciplined maintenance cycle that keeps pace with external framework updates, internal deliverable status changes, and the evolving threat and compliance landscape.
The primary maintenance trigger is an external framework version update. When OWASP, MITRE, NIST, CSA, or another body releases an updated version of a framework referenced in the matrix, the CSAI framework alignment team should conduct a review within sixty days of the update’s publication. That review should assess whether the updated framework introduces new categories, techniques, or requirements that affect existing deliverable mappings, and whether any new gaps are created by material changes in framework scope or structure. The October 2025 ATLAS v5.1 update, which added 14 new agentic techniques, is an example of the kind of change that requires a substantive matrix revision: several deliverables that were previously well-aligned to ATLAS now have partial coverage of the new technique set and require updated mapping entries.
A secondary maintenance trigger is deliverable status change. Deliverables move from draft to consultation to published status, and their alignment profiles may shift as they are refined through working group review and public comment. Alignment entries for draft deliverables should be treated as provisional and reviewed when a deliverable reaches final publication. In some cases, the publication process narrows a deliverable’s scope in ways that affect its coverage—for example, a draft that initially addressed all MAESTRO layers may be refined to focus on specific layers in response to reviewer feedback. The matrix should reflect published scope, not intended scope.
A tertiary maintenance trigger is gap remediation. When a new CSAI deliverable is initiated in response to an identified gap, the matrix should be updated to reflect that deliverable’s provisional alignment from the point at which its scope is formally defined by the working group. This ensures that the gap analysis in Section 5 remains current and does not continue to flag gaps that are actively being addressed.
The quarterly CSAI program review cycle is the natural governance mechanism for matrix maintenance. The framework alignment team should present an updated matrix—or a change summary confirming that no material updates are required—at each quarterly review. Major revisions to the matrix, defined as changes affecting five or more deliverable alignment entries or the addition of a new framework dimension, should be published as a new document version with a version increment and a changelog section documenting the specific changes made.
Ownership of matrix maintenance rests jointly with the Best Practices working group, which manages the majority of alignment-heavy deliverables, and the Global Assurance working group, which owns the STAR for AI Agentic Certification Scheme and Valid-AI-ted Audit Engine deliverables—the two deliverables whose alignment accuracy is most directly material to enterprise certification outcomes. Disputed alignment entries should be escalated to the CSAI Technical Advisory Board for resolution.
References
[1] OWASP GenAI Security Project. “OWASP Top 10 for Agentic Applications.” December 10, 2025. https://genai.owasp.org/2025/12/09/owasp-genai-security-project-releases-top-10-risks-and-mitigations-for-agentic-ai-security/
[2] MITRE. “MITRE ATLAS™ Adversarial Threat Landscape for Artificial-Intelligence Systems.” v5.1, November 2025. https://atlas.mitre.org/
[3] Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” February 6, 2025. https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro
[4] National Institute of Standards and Technology. “Artificial Intelligence Risk Management Framework (AI RMF 1.0).” NIST AI 100-1. January 2023. https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf
[5] European Parliament. “Regulation (EU) 2024/1689 on Artificial Intelligence (EU AI Act).” Official Journal of the European Union. August 2024. https://artificialintelligenceact.eu/
[6] AIUC. “AIUC-1: The World’s First AI Agent Standard.” 2025. https://www.aiuc-1.com/
[7] Cloud Security Alliance. “AI Controls Matrix (AICM) v1.0.” July 2025. https://cloudsecurityalliance.org/artifacts/ai-controls-matrix
[8] OWASP GenAI Security Project. “OWASP Top 10 for Agentic Applications for 2026.” https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
[9] Zenity Labs and MITRE ATLAS. “Zenity & MITRE ATLAS Expand AI Agent Attack Coverage.” October 2025. https://zenity.io/blog/current-events/zenity-labs-and-mitre-atlas-collaborate-to-advances-ai-agent-security-with-the-first-release-of
[10] Cloud Security Alliance. “STAR for AI Level 2: AI Security Path.” November 19, 2025. https://cloudsecurityalliance.org/blog/2025/11/19/understanding-star-for-ai-level-2-a-practical-step-toward-ai-security-compliance
[11] Zenity. “MITRE ATLAS AI Security and Agentic Threats 2026 Update.” January 2026. https://zenity.io/blog/current-events/mitre-atlas-ai-security
[12] Cloud Security Alliance. “CSAI: Securing the Agentic Control Plane — 2026 Strategic Mission.” CSAI Foundation Program Overview. 2026. https://www.CSAI.foundation