White Paper | 2026-03-27 | Status: draft
CSAI Standards Engagement Proposals
Executive Summary
The international standards landscape for agentic AI security has undergone rapid and simultaneous development. In the twelve months ending March 2026, MITRE expanded ATLAS to cover agent-specific attack techniques, NIST launched its AI Agent Standards Initiative, OWASP published a dedicated Top 10 for Agentic Applications, and ISO 42001’s certification ecosystem reached commercial maturity. Each of these developments creates an opening for substantive technical contribution from the Cloud Security Alliance AI Safety Initiative — but only if CSAI engages strategically rather than opportunistically.
The CSAI 2026 program has generated research and technical outputs that directly address the gaps visible in each of these frameworks. The MITRE ATLAS Agentic Gap Analysis (CSAI Deliverable 1) specifies six attack technique categories with no adequate ATLAS representation, complete with STIX-compatible technique descriptions and supporting case study references. The NIST AI RMF Agentic Profile (CSAI Deliverable 9) proposes concrete extensions to each of the four RMF functions — GOVERN, MAP, MEASURE, and MANAGE — grounded in autonomy tier classification, tool-use risk modeling, and delegation chain governance. The AICM Supplement Gap Analysis (CSAI Deliverable 3) identifies control gaps under ISO 42001’s AI management system requirements that map directly to clauses in the 2023 standard scheduled for revision through the SC 42 maintenance cycle. The RiskRubric and MCP Scanner specifications (CSAI Deliverable 8) constitute ready-to-reference implementation artifacts that OWASP’s GenAI working groups can integrate into their expanding guidance library.
This document provides the engagement roadmap that translates these technical assets into formal standards contributions. The central premise is that CSAI operates most effectively as a contributor to existing frameworks rather than as an additional framework producer. The standards ecosystem does not need another AI security taxonomy; it needs high-quality, evidence-grounded contributions that fill specific gaps in the frameworks already commanding enterprise adoption. Each of the four engagements described here is scoped accordingly: CSAI proposes additions that the target framework is structurally designed to receive, through the contribution processes each body has already established, at a pace calibrated to the revision cycles those bodies are actually running.
The four engagements together require an estimated 3.8 to 5.2 full-time equivalent staff years of effort spread over an eighteen-month primary engagement window. Given the catalytic effect that accepted standards contributions have on CSAI’s credibility and adoption — each accepted technique or profile section creates a permanent citation relationship between the standard and CSAI’s technical work — this investment is among the highest-leverage activities the initiative can undertake. A consolidated resource requirements table in Section 7 provides detailed breakdowns by engagement, activity type, and timeline phase to support planning and budget allocation.
1. Introduction: CSAI’s Standards Engagement Philosophy
The proliferation of AI security standards, frameworks, and guidance documents that characterized 2024 and 2025 has produced a landscape simultaneously richer and harder to navigate than what preceded it. Practitioners charged with governing agentic AI deployments face a genuine abundance problem: they must reconcile the NIST AI RMF’s risk management vocabulary with OWASP’s threat-oriented Top 10 lists, align both against MITRE ATLAS’s adversarial technique taxonomy, satisfy the control requirements of ISO 42001 for AI management system certification, and do all of this against a backdrop of rapidly evolving CSAI frameworks including AICM, MAESTRO, and AAGATE. The cognitive burden of cross-referencing these sources, even for well-resourced security teams, is substantial [1]. For smaller organizations, it is frequently prohibitive.
The instinctive response to standards proliferation is often to propose another standard — a meta-framework that harmonizes all the others, a comprehensive taxonomy that supersedes existing ones, or a certification scheme that offers a unified assessment against all applicable bodies. This instinct should be resisted. The organizations that produce the frameworks already in wide use — MITRE, NIST, OWASP, ISO — have invested decades in building the community trust, institutional processes, and operational infrastructure that give their publications authority. A new framework from a well-regarded organization like CSA may earn adoption among existing CSA adherents, but it does not displace the NIST AI RMF in federal procurement conversations or make OWASP’s developer community recommendations redundant. Fragmenting the standards landscape further compounds the practitioner burden it ostensibly aims to address.
CSAI’s engagement philosophy, accordingly, is organized around three principles: reuse first, extend second, create last. Where an existing framework already provides adequate coverage of an agentic security concern, CSAI should develop implementation guidance and mapping tools that help practitioners apply that framework rather than producing a parallel treatment. Where an existing framework has structural gaps that CSAI technical work can fill — gaps that are specific enough to be addressed through the framework’s normal contribution process — CSAI should make those contributions through established channels. Where no existing framework addresses a genuinely new requirement and the requirement is mature enough to warrant standardization, CSAI may develop original guidance — but even then, the goal should be eventual incorporation into an established body’s catalog rather than permanent CSAI ownership of the specification [2].
This philosophy shapes the four engagements described in this document. CSAI is not proposing to compete with MITRE ATLAS, the NIST AI RMF, OWASP’s GenAI project, or ISO 42001. It is proposing to make each of them better by contributing the specific technical work — technique specifications, profile extensions, implementation guidance, clause language — that its research programs have produced. The measure of success for each engagement is not whether CSAI retains ownership of the contribution but whether the contribution is accepted, published, and referenced by practitioners as part of the authoritative framework. Accepted standards contributions serve CSAI’s mission better than independently published guidance documents that say the same thing, because they reach audiences that CSAI’s own publication channels do not.
Underlying this approach is a recognition that CSAI occupies a distinctive position in the standards ecosystem. As a practitioner-driven organization with deep technical credibility in cloud and AI security, CSAI functions as a bridge between the academic and vendor communities that generate novel threat research and the institutional bodies that codify that research into durable standards. MITRE benefits from CSAI’s structured threat intelligence. NIST benefits from CSAI’s practitioner experience in implementing governance frameworks. OWASP benefits from CSAI’s tool development expertise. ISO benefits from CSAI’s controls architecture work. Each engagement is therefore a mutually beneficial collaboration, not a unilateral donation — and CSAI should approach each body with the expectation of co-authorship credits, shared working group membership, and reciprocal alignment between the body’s outputs and CSAI’s own publications [3].
2. MITRE — ATLAS Agentic Technique Contributions
2.1 Current ATLAS State and CSAI’s Proposed Additions
MITRE ATLAS has evolved rapidly from its origins as a machine learning threat taxonomy into a framework that increasingly addresses AI agents as operational actors rather than merely as models to be attacked. The September 2025 release of ATLAS v5.0.0 introduced the Technique Maturity field, classifying each technique as Feasible, Demonstrated, or Realized based on the evidential record of real-world exploitation [4]. More consequentially, the October 2025 collaboration between MITRE and Zenity Labs added fourteen agent-focused techniques and sub-techniques — including AI Agent Context Poisoning (AML.T0080), Modify AI Agent Configuration (AML.T0081), RAG Credential Harvesting (AML.T0082), and Exfiltration via AI Agent Tool Invocation (AML.T0086) — marking the first systematic expansion of ATLAS beyond the model layer to encompass agent operational behavior [5]. The February 2026 OpenClaw investigation by MITRE’s Center for Threat-Informed Defense identified seven additional techniques observable in the exploitation of the CVE-2026-25253 and CVE-2026-24763 vulnerabilities, further accelerating the community contribution pipeline [6].
Despite this progress, the CSAI MITRE ATLAS Agentic Gap Analysis (Deliverable 1) identifies six attack technique categories that remain structurally absent from ATLAS v5.x. The gaps share a common characteristic: they describe attack behaviors that presuppose a multi-agent system with a persistent orchestration layer, rather than attacks on a single model or the infrastructure that hosts it. ATLAS’s intentional exclusion of lateral movement and command-and-control as tactics — a design decision appropriate for single-agent systems — creates a coverage gap when agents function as persistent, networked actors that can serve as footholds for compromising other agents in the same environment.
The six proposed technique categories are: Agent-to-Agent Lateral Movement (AML.T0090 candidate), which describes an adversary using a compromised agent’s trust relationships to reach and influence other agents in the same orchestration environment; Tool-Chain Poisoning (AML.T0091 candidate), which involves modifying the agent’s runtime tool registry to redirect invocations to attacker-controlled endpoints; Orchestrator Hijacking (AML.T0092 candidate), which targets the central coordination agent in a multi-agent system to gain control over all subordinate agents’ instructions; Credential Relay Through Agent Delegation Chains (AML.T0093 candidate), which exploits improperly scoped delegation tokens to accumulate permissions across agent boundaries; Memory Persistence Across Sessions (AML.T0094 candidate), which uses adversarial writes to long-term memory stores to achieve persistence that survives agent restarts and incident response actions; and MCP Server Compromise (AML.T0095 candidate), which targets the Model Context Protocol server tier to intercept tool calls, harvest credentials, and redirect agent actions. Each technique is fully specified in Deliverable 1, with procedure examples drawn from real-world CVE investigations, detection guidance, and mitigation mappings to AICM control domains and MAESTRO architecture layers.
2.2 Submission Process and Technical Format
MITRE ATLAS accepts community contributions through the public mitre-atlas/atlas-data GitHub repository. The repository contains the complete ATLAS dataset in YAML format for human authoring and STIX 2.1 format for machine-readable distribution [7]. Community members contribute through standard GitHub pull requests, with the MITRE ATLAS team reviewing submissions against the framework’s evidential standards before incorporating accepted contributions into subsequent releases. The submission format expects each technique to include a unique ID, name, description, tactic assignment, platform scope, procedure examples drawn from observed or demonstrated incidents, detection guidance, and at least one associated mitigation reference. The October 2025 Zenity Labs contribution provides the most recent precedent for a coordinated, multi-technique contribution package at scale, and CSAI should use that contribution as the structural model for its own submission.
Supporting evidence plays a critical role in technique maturity classification. Techniques with procedure examples drawn from confirmed real-world incidents receive Realized or Demonstrated classifications that carry significantly more weight in practitioner threat models than Feasible classifications. The CSAI submission package for the six proposed techniques benefits from a strong evidential foundation: the OpenClaw CVE investigation provides case studies for lateral movement and credential relay; the JFrog CVE-2025-6514 disclosure provides a concrete, in-the-wild procedure example for MCP Server Compromise; and the Zenity Labs and Adversa AI research records provide supporting evidence for Tool-Chain Poisoning and Memory Persistence [5][6][8]. CSAI should supplement these with any additional incident records collected through MITRE’s AI Incident Sharing initiative prior to submission, as additional case studies strengthen the maturity classification of each technique.
Beyond GitHub pull requests, MITRE ATLAS engages the community through the NIST AI Risk Management Framework workshops, the MITRE ATT&CKcon conference series, and direct bilateral engagements with organizations making substantial framework contributions. CSAI should initiate contact with the MITRE ATLAS team — currently led by Dr. Christina Liaghati — through the official channels at atlas.mitre.org prior to submitting the pull request, to establish a working relationship and confirm that the proposed technique scope and format align with the MITRE team’s current priorities for the framework. This pre-submission engagement is consistent with how the Zenity Labs contribution was developed and significantly reduces the risk of technical feedback requiring substantial revision of the submission package [9].
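To make the contribution format described above concrete, the following Python script is an added example (not code from the page, from MITRE, or from the atlas-data repository): it checks that a technique record carries every field the ATLAS contribution format expects, then emits a STIX 2.1 attack-pattern object and bundle from it. The sample record for the AML.T0094 candidate is constructed; its tactic assignment, maturity label, mitigation id and the `x_`-prefixed custom property names are assumptions, and the script does not reproduce the exact field layout the atlas-data repository uses.

```python
"""Convert an ATLAS-style technique record into a STIX 2.1 attack-pattern (added example)."""
import json
import uuid
from datetime import datetime, timezone

# Fields the ATLAS contribution format expects for every technique (see the
# submission-format description above); field names here are this example's own.
REQUIRED_FIELDS = ("id", "name", "description", "tactic", "platforms",
                   "procedure_examples", "detection", "mitigations")

# Constructed sample record for the AML.T0094 candidate technique.
# Tactic, maturity label and the mitigation reference are assumptions/placeholders.
SAMPLE_TECHNIQUE = {
    "id": "AML.T0094",
    "name": "Memory Persistence Across Sessions",
    "description": ("Adversarial writes to an agent's long-term memory store "
                    "persist across restarts and incident response actions."),
    "tactic": "Persistence",
    "platforms": ["AI Agent"],
    "maturity": "Demonstrated",
    "procedure_examples": [
        {"source": "constructed example",
         "text": "A planted memory entry re-surfaced instructions after the agent was rebuilt."}],
    "detection": "Alert on writes to long-term memory that originate from untrusted tool output.",
    "mitigations": ["AML.M0000-placeholder"],
}

# Namespace for deterministic STIX ids (an assumption; any stable namespace works).
ATLAS_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://atlas.mitre.org")


def validate_technique(record):
    """Return the required fields that are missing or empty in the record."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


def stix_id(atlas_id):
    """Deterministic STIX id, so re-running the conversion does not churn the dataset."""
    return f"attack-pattern--{uuid.uuid5(ATLAS_NAMESPACE, atlas_id)}"


def to_stix_attack_pattern(record, timestamp=None):
    """Build a STIX 2.1 attack-pattern dict; raise if required fields are absent."""
    missing = validate_technique(record)
    if missing:
        raise ValueError(f"technique {record.get('id')} is missing {missing}")
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "attack-pattern",
        "spec_version": "2.1",
        "id": stix_id(record["id"]),
        "created": ts,
        "modified": ts,
        "name": record["name"],
        "description": record["description"],
        # Kill-chain naming follows the ATT&CK convention; the ATLAS phase names are assumed.
        "kill_chain_phases": [{"kill_chain_name": "mitre-atlas",
                               "phase_name": record["tactic"].lower().replace(" ", "-")}],
        "external_references": [{"source_name": "mitre-atlas",
                                 "external_id": record["id"],
                                 "url": f"https://atlas.mitre.org/techniques/{record['id']}"}],
        # STIX custom properties must carry an x_ prefix; these names are assumptions.
        "x_platforms": record["platforms"],
        "x_technique_maturity": record.get("maturity", "Feasible"),
        "x_procedure_examples": record["procedure_examples"],
        "x_detection": record["detection"],
        "x_mitigation_refs": record["mitigations"],
    }


def to_bundle(records, timestamp=None):
    """Wrap converted techniques in a STIX 2.1 bundle for machine-readable distribution."""
    return {"type": "bundle",
            "id": f"bundle--{uuid.uuid4()}",
            "objects": [to_stix_attack_pattern(r, timestamp) for r in records]}


if __name__ == "__main__":
    print(json.dumps(to_bundle([SAMPLE_TECHNIQUE]), indent=2))
```

Running the validator before conversion catches the most common review feedback on a technique package (a missing procedure example or mitigation reference) before the pull request is opened; the deterministic id keeps resubmissions after a revision cycle from generating new STIX identifiers for the same technique.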
2.3 Engagement Timeline and Milestones
| Phase | Activity | Target Date | Dependencies |
|---|---|---|---|
| Preparation | Pre-submission outreach to MITRE ATLAS team | April 2026 | Deliverable 1 final draft |
| Preparation | STIX 2.1 format conversion of six technique specifications | April–May 2026 | GitHub repository structure review |
| Preparation | Incident record compilation through MITRE AI Incident Sharing | May 2026 | CVE and case study documentation |
| Submission | Pull request submission to atlas-data | June 2026 | Pre-submission MITRE alignment |
| Review | MITRE review and feedback cycle | June–August 2026 | MITRE team capacity |
| Revision | Address MITRE feedback; supplemental case studies if required | August 2026 | Review feedback receipt |
| Acceptance | Anticipated acceptance and v5.2 staging | Q3–Q4 2026 | MITRE release cycle |
| Publication | ATLAS v5.2 release incorporating CSAI techniques | Q4 2026 | MITRE publication schedule |
2.4 Success Metrics
Success for the MITRE engagement is measured primarily against a binary outcome: acceptance of the six proposed techniques into ATLAS through the standard review process. Secondary metrics include the Technique Maturity classification assigned to each technique (with Demonstrated or Realized classifications representing stronger outcomes than Feasible), the acknowledgment of CSAI as a contributing organization in the ATLAS release notes, and the degree to which the accepted techniques reference CSAI’s Deliverable 1 research note as a source document. Longer-term success indicators include community usage of the CSAI-contributed techniques in threat model exercises — measurable through ATLAS Navigator usage data — and citations of the techniques in subsequent vendor and academic publications.
2.5 Point of Contact Roles and Resource Requirements
The MITRE ATLAS engagement requires a designated technical lead from CSAI’s threat intelligence working group with direct experience in STIX 2.1 data modeling and familiarity with the ATLAS contribution process. This person serves as the primary point of contact with the MITRE ATLAS team, owns the GitHub pull request, and coordinates the revision cycle. An estimated 0.5 FTE for six months, concentrated in the preparation and submission phases, represents the core staffing requirement. Additional support from CSAI’s AI incident documentation team is needed for approximately 0.2 FTE during the case study compilation phase to ensure that procedure examples meet MITRE’s evidential standards.
3. NIST — AI RMF Agentic Profile
3.1 CSAI’s Proposed Agentic Profile
The NIST AI Risk Management Framework has achieved the status of a governing standard across the U.S. federal government and a broad cross-section of the private sector. Its four-function structure — GOVERN, MAP, MEASURE, and MANAGE — provides a sound conceptual architecture that organizations have successfully adapted to diverse deployment contexts. The framework’s design foresight in building around use-case profiles rather than prescriptive requirements has made it extensible: the GenAI Profile (NIST AI 600-1), published in 2024, demonstrated how the core framework could be extended with deployment-specific subcategories without requiring modifications to the base document [10].
The CSAI NIST AI RMF Agentic Profile (Deliverable 9) proposes a similar extension for autonomous agent deployments. The profile’s four principal additions map directly to the RMF’s four functions. The GOVERN extension introduces an autonomy tier classification system that maps deployment architectures to oversight obligation levels — a taxonomy that establishes when human-in-the-loop oversight is optional, recommended, or mandatory based on the scope and irreversibility of agent actions. The MAP extension adds a tool-use risk model that requires organizations to enumerate an agent’s tool capabilities, assess the harm potential of each tool and tool combination, and map tool-use patterns to the threat scenarios in MITRE ATLAS [11]. The MEASURE extension introduces runtime behavioral metrics — action velocity, delegation depth, tool-call anomaly rates, permission scope deviation — that provide the early warning indicators for runaway agents, compromised agents, and behavioral drift that current RMF monitoring frameworks lack. The MANAGE extension provides structured incident response procedures specific to agent compromise, including delegation chain revocation, memory store sanitization, and principled agent decommissioning with attestation logging.
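The MEASURE extension's four runtime indicators are easier to evaluate with a concrete computation in hand. The following Python script is an added example, not part of Deliverable 9 or of any NIST or CSA publication: it computes action velocity, delegation depth, tool-call anomaly rate and permission scope deviation over a constructed stream of agent events, compared against a constructed per-agent baseline of provisioned tools and scopes. The thresholds in `assess` are assumptions chosen for illustration.

```python
"""Runtime behavioral indicators for agent monitoring (added example, not Deliverable 9 code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AgentEvent:
    ts: datetime
    agent: str
    tool: str
    scopes: tuple            # permission scopes the call exercised
    parent: Optional[str]    # agent that delegated this task, if any


# Constructed baseline: the tools and scopes each agent was provisioned with.
BASELINE = {
    "planner":  {"tools": {"search", "summarize"},    "scopes": {"read:docs"}},
    "executor": {"tools": {"http_get", "write_file"}, "scopes": {"read:docs", "write:tmp"}},
    "helper":   {"tools": {"summarize"},              "scopes": {"read:docs"}},
}


def _t(seconds):
    return datetime(2026, 3, 27, 12, 0, 0) + timedelta(seconds=seconds)


# Constructed event stream: the executor bursts, calls a tool outside its registry
# and exercises scopes it was never granted, inside a planner->executor->helper chain.
SAMPLE_EVENTS = [
    AgentEvent(_t(0),  "planner",  "search",     ("read:docs",),  None),
    AgentEvent(_t(5),  "executor", "http_get",   ("read:docs",),  "planner"),
    AgentEvent(_t(6),  "executor", "http_get",   ("read:docs",),  "planner"),
    AgentEvent(_t(7),  "executor", "shell_exec", ("exec:host",),  "planner"),
    AgentEvent(_t(8),  "executor", "write_file", ("write:prod",), "planner"),
    AgentEvent(_t(9),  "helper",   "summarize",  ("read:docs",),  "executor"),
    AgentEvent(_t(70), "planner",  "summarize",  ("read:docs",),  None),
]


def action_velocity(events, agent, window=timedelta(seconds=60)):
    """Peak number of actions by the agent inside any sliding window of the given length."""
    times = sorted(e.ts for e in events if e.agent == agent)
    peak, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def delegation_depth(events, agent):
    """Length of the delegation chain ending at the agent (0 for an un-delegated root)."""
    parent_of = {e.agent: e.parent for e in events if e.parent}
    depth, cur, seen = 0, agent, set()
    while cur in parent_of and cur not in seen:   # guard against delegation cycles
        seen.add(cur)
        cur = parent_of[cur]
        depth += 1
    return depth


def tool_anomaly_rate(events, agent):
    """Share of the agent's calls that hit tools absent from its provisioned registry."""
    calls = [e for e in events if e.agent == agent]
    if not calls:
        return 0.0
    allowed = BASELINE.get(agent, {}).get("tools", set())
    return sum(e.tool not in allowed for e in calls) / len(calls)


def scope_deviation(events, agent):
    """Scopes the agent exercised that were never granted to it."""
    granted = BASELINE.get(agent, {}).get("scopes", set())
    return {s for e in events if e.agent == agent for s in e.scopes} - granted


def assess(events, agent, max_velocity=3, max_depth=1, max_anomaly=0.2):
    """Names of the indicators that breached their (assumed) thresholds for the agent."""
    flags = []
    if action_velocity(events, agent) > max_velocity:
        flags.append("action_velocity")
    if delegation_depth(events, agent) > max_depth:
        flags.append("delegation_depth")
    if tool_anomaly_rate(events, agent) > max_anomaly:
        flags.append("tool_call_anomaly_rate")
    if scope_deviation(events, agent):
        flags.append("permission_scope_deviation")
    return flags


if __name__ == "__main__":
    for name in BASELINE:
        print(name, assess(SAMPLE_EVENTS, name))
```

Each indicator is computed against a baseline the organization already holds (the tool registry and scope grants), which is what makes them usable as early-warning signals rather than after-the-fact forensics: scope deviation and registry-foreign tool calls are exact comparisons, while velocity and delegation depth need thresholds tuned per autonomy tier.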
The proposed profile is aligned throughout with the CSA AI Controls Matrix (AICM) and with the AAGATE reference architecture published by the Cloud Security Alliance in December 2025. AAGATE translates the RMF’s governance principles into a Kubernetes-native runtime governance overlay for agentic systems, providing the operational implementation layer that the profile’s governance requirements need to become actionable in real deployments [12]. The alignment between Deliverable 9 and AAGATE ensures that organizations adopting the NIST Agentic Profile can follow a direct implementation path to the reference architecture rather than treating the two documents as independent sources of guidance.
3.2 Fit Within NIST’s Profile Methodology
NIST’s profile methodology, established in the core AI RMF document, defines a profile as an implementation of the framework’s functions, categories, and subcategories for a specific setting, application, or technology based on the requirements, risk tolerance, and resources of the framework user [10]. Profiles are not modifications to the base framework; they are structured instantiations of it for particular contexts. The GenAI Profile (AI 600-1) established the precedent that a profile may introduce new subcategories specific to the deployment context that have no equivalent in the base framework’s control catalogue, as long as those subcategories are clearly organized within the existing function and category structure. CSAI’s Agentic Profile follows this same approach: every proposed extension is presented as a new subcategory within an existing RMF function, with explicit cross-references to the base framework’s existing categories and to the GenAI Profile’s relevant subcategories.
NIST has signaled active receptivity to agentic extensions through the February 2026 announcement of the AI Agent Standards Initiative at the Center for AI Standards and Innovation (CAISI). The initiative explicitly plans an AI Agent Interoperability Profile for Q4 2026 [13]. CSAI’s Agentic Profile therefore proposes a direction NIST has already identified; it offers a practitioner-developed first draft of exactly the document that NIST has announced it intends to publish. This creates an exceptional engagement opportunity: rather than submitting unsolicited contributions that NIST must evaluate against its own roadmap, CSAI can position its profile work as a candidate input to a NIST initiative that is actively seeking community contributions.
The NIST AI Resource Center (AIRC) maintains the AI RMF Profiles registry, which catalogs community-developed profiles alongside NIST-published profiles and provides a curated reference for organizations implementing the framework [14]. CSAI’s Agentic Profile should be submitted to the AIRC registry once finalized, establishing a citable record that practitioners can reference independently of whether NIST adopts the full profile text in its own publications. Registry listing provides immediate visibility while the formal engagement with the CAISI AI Agent Standards Initiative proceeds on a longer timeline.
3.3 Alignment with AAGATE
The AAGATE reference architecture, published by the Cloud Security Alliance in December 2025, provides the operational implementation counterpart to the governance framework that Deliverable 9 specifies. Where the Agentic Profile articulates what governance capabilities organizations should establish — autonomy tier policies, tool-use risk registers, runtime behavioral monitoring — AAGATE specifies how those capabilities should be implemented in a production agent infrastructure [12]. The two documents are designed to be used together, and the engagement proposals in this section reflect that integration.
In the NIST engagement, CSAI should present the Agentic Profile and AAGATE as companion documents — the profile providing the framework-aligned governance vocabulary and the architecture providing the implementation blueprint. This framing is attractive to NIST because it addresses a common practitioner complaint about governance frameworks: that they describe what to do without providing sufficient guidance on how to do it. By coupling a profile extension with a reference architecture, CSAI offers NIST a contribution that is unusually complete by standards-body norms.
3.4 NIST Engagement Process
NIST engages the public AI risk management community through multiple channels. The most direct path for contributing to the AI Agent Standards Initiative is through the CAISI public engagement process, which solicits technical input through structured comment periods associated with each initiative phase. CSAI should monitor the CAISI publication calendar and submit formal technical comments at each comment opportunity, providing the specific profile text from Deliverable 9 as comment exhibits. This ensures that CSAI’s technical positions are formally recorded in the NIST rulemaking record regardless of whether they are adopted verbatim.
Supplementing formal comment submission, CSAI should pursue bilateral engagement with NIST’s AI research staff through the NIST AI Safety Institute (AISI) working groups, which meet regularly and include participation from standards-developing organizations in the security and AI governance communities [13]. CSA already has an established relationship with NIST through the Cloud Controls Matrix mapping program and the CSA STAR certification alignment with FedRAMP, and this existing relationship should be activated in initiating the NIST AI engagement. Working group participation provides visibility into draft framework language before it reaches public comment, allowing CSAI to shape the substance of the work at the stage when it is most malleable.
3.5 Timeline and Milestones
| Phase | Activity | Target Date | Dependencies |
|---|---|---|---|
| Preparation | Finalize Deliverable 9 for profile submission readiness | April 2026 | Technical review completion |
| Preparation | Submit Agentic Profile to NIST AIRC profiles registry | May 2026 | Profile finalization |
| Engagement | Initiate CAISI bilateral engagement; attend AISI workshops | April–June 2026 | CAISI calendar |
| Submission | Submit formal comments to CAISI AI Agent Standards Initiative | Q3 2026 | CAISI comment period opening |
| Contribution | Provide profile text as candidate input to NIST AI Agent Interoperability Profile | Q3–Q4 2026 | NIST initiative phase gates |
| Co-development | Participate in profile review and revision cycles | Q4 2026–Q2 2027 | NIST internal review process |
| Publication | NIST AI Agent Interoperability Profile published, citing CSAI inputs | Q4 2026–Q1 2027 | NIST publication schedule |
3.6 Resource Requirements
The NIST AI RMF engagement is the most governance-intensive of the four engagements and requires a senior staff member with deep familiarity with both the AI RMF framework structure and CSAI’s Deliverable 9. An estimated 0.75 FTE for twelve months covers the AIRC registry submission, CAISI comment preparation, AISI workshop participation, and co-development support. Legal review of formal NIST comment submissions is recommended and should be budgeted separately.
4. OWASP — Implementation Guidance and Tool Integration for Agentic Top 10
4.1 Current OWASP ASI Top 10 State
The OWASP GenAI Security Project released the Top 10 for Agentic Applications in December 2025, following more than a year of community research, review, and practitioner validation across more than 100 contributing organizations [15]. The release marked a significant maturation of OWASP’s engagement with agentic AI risk: where the Top 10 for LLM Applications (2025 edition) addressed risks concentrated in the model inference layer — prompt injection, output handling failures, and data poisoning — the Agentic Top 10 addresses the distinct risks that emerge when AI systems operate autonomously with tool access, inter-agent communication, and delegated authority. The ten risk categories — Goal and Objective Hijacking (ASI01), Authorization and Escalation (ASI02), Identity and Privilege Abuse (ASI03), Agentic Supply Chain (ASI04), Unexpected Code Execution (ASI05), Memory and Context Poisoning (ASI06), Insecure Inter-Agent Communications (ASI07), Cascading Failures in Multi-Agent Systems (ASI08), Inadequate Human Override (ASI09), and Rogue Agents and Alignment Drift (ASI10) — collectively represent the community’s current best understanding of where agentic deployments fail in ways that cause real harm [16].
Despite the depth of the risk taxonomy, the December 2025 release acknowledged that the Agentic Top 10 was designed as a risk identification framework rather than an implementation guide. The companion resources released alongside it — the State of Agentic Security and Governance, the Agentic Security Solutions Landscape, and the Practical Guide to Securing Agentic Applications — extend the framework toward implementation but do not provide the level of specificity that security engineers need to implement technical controls against each risk category [15]. Concrete guidance on scanning tooling, configuration validation, behavioral monitoring implementation, and integration with existing security toolchains remains sparse relative to what practitioners need. This implementation guidance gap is the precise space where CSAI’s tooling and technical specifications provide value.
4.2 CSAI’s Proposed Contributions
CSAI proposes two categories of contribution to the OWASP GenAI Security Project. The first is a set of implementation guidance documents, one for each of the ten ASI risk categories, that provide specific technical controls, detection logic, configuration recommendations, and integration patterns for organizations implementing defenses against each risk. These documents are intended to complement the existing Top 10 entries — which describe the risk, its potential impact, and high-level mitigation approaches — with the specificity needed for engineering teams to build and test actual controls. Each implementation guide references AICM control objectives, MAESTRO architecture layers, and relevant MITRE ATLAS techniques to give practitioners a cross-framework view of where the OWASP risk fits in the broader security architecture.
The second category consists of tool integration specifications for the RiskRubric and MCP Scanner tools specified in CSAI Deliverable 8. The MCP Scanner performs automated assessment of MCP server deployments against the security requirements of ASI03 (Identity and Privilege), ASI04 (Supply Chain), and ASI07 (Inter-Agent Communications), the three ASI categories most directly implicated in MCP-layer vulnerabilities [17]. RiskRubric provides a quantitative risk scoring methodology for agentic system architectures: it calculates composite risk scores from tool access scope, delegation depth, human override availability, and autonomy tier, yielding measurable, comparable risk metrics that support the ASI10 (Rogue Agents) and ASI02 (Authorization and Escalation) governance requirements [17]. Tool integration specifications would describe how these tools map to OWASP ASI controls, what their output format looks like, and how their assessments can be consumed by existing security programs.
The implementation guides and tool integration specifications are structured as OWASP project contributions rather than standalone CSAI publications. This means they would be hosted in the OWASP GenAI Security Project’s GitHub repository, reviewed by the project’s working group, and published under OWASP branding with CSAI credited as a contributing organization. This structure maximizes the reach and authority of the content while ensuring that OWASP’s community review process validates the technical quality before publication.
4.3 OWASP Engagement Process
OWASP operates as an open community, and its contribution process is correspondingly accessible. The GenAI Security Project maintains a public GitHub repository where all project deliverables are developed through pull requests and working group review [15]. Community members can join the project’s Slack channel (#project-top10-for-llm on the OWASP Slack) and attend the project’s regular working group meetings, scheduled and posted at genai.owasp.org/meetings/. The project’s core team has actively solicited additional implementation guidance content since the December 2025 Agentic Top 10 release, making this an unusually receptive environment for a substantive contribution.
CSAI should initiate engagement by attending OWASP GenAI working group meetings as an observer before submitting any content, in order to understand the current state of the project’s roadmap, identify areas where CSAI’s contributions will be most valued rather than duplicative of work already in progress, and establish relationships with the project maintainers who will review the eventual pull requests. This initial engagement phase should take four to six weeks and should include explicit discussions with project leadership about the scope of the implementation guidance contribution. OWASP projects welcome substantive contributions from CSA — the two organizations have a history of complementary work, and CSA’s STAR certification ecosystem has cited OWASP controls in the past — but the contribution proposal should be framed in terms of what the OWASP community needs rather than what CSAI has already produced.
4.4 Proposed Collaborative Deliverables
The following table summarizes the proposed OWASP collaborative deliverables, their relationship to existing ASI Top 10 categories, the relevant CSAI source material, and the anticipated publication channel.
| Deliverable | ASI Categories Addressed | CSAI Source | OWASP Format |
|---|---|---|---|
| Implementation Guide: Goal and Objective Hijacking | ASI01 | Deliverable 1 (ATLAS T0080, T0092), Deliverable 9 (MAP extensions) | Markdown in OWASP GenAI repo |
| Implementation Guide: Authorization and Escalation | ASI02, ASI03 | Deliverable 9 (GOVERN autonomy tiers), AICM IAM domain | Markdown in OWASP GenAI repo |
| MCP Scanner Integration Specification | ASI03, ASI04, ASI07 | Deliverable 8 (MCP Scanner spec) | OWASP Tool Reference doc |
| Implementation Guide: Agentic Supply Chain | ASI04 | Deliverable 1 (ATLAS T0091, T0095), AICM SCT domain | Markdown in OWASP GenAI repo |
| Implementation Guide: Memory and Context Poisoning | ASI06 | Deliverable 1 (ATLAS T0094), Deliverable 9 (MEASURE extensions) | Markdown in OWASP GenAI repo |
| Implementation Guide: Insecure Inter-Agent Communications | ASI07 | Deliverable 1 (ATLAS T0090, T0093), AAGATE architecture | Markdown in OWASP GenAI repo |
| RiskRubric Integration Specification | ASI02, ASI09, ASI10 | Deliverable 8 (RiskRubric spec) | OWASP Tool Reference doc |
| Cross-Risk Implementation Checklist | All 10 categories | Master Framework Alignment Matrix (Deliverable) | OWASP quick-reference format |
4.5 Timeline and Milestones
The OWASP engagement has the shortest time-to-value of the four proposals in this document because OWASP’s open, GitHub-based contribution process does not require formal institutional approval before contributions become visible to the community. A well-prepared pull request can achieve community review and provisional acceptance within sixty days of submission, compared to the six-to-twelve month timelines typical for MITRE and NIST engagements. CSAI should plan to initiate the OWASP engagement first among the four proposals, establishing a contribution track record that strengthens its credibility in the MITRE and NIST engagements that follow.
Working group participation should begin in April 2026. Initial pull requests for two to three implementation guides should be submitted by June 2026, with the remaining guides and tool integration specifications following on a rolling basis through Q3 2026. The MCP Scanner and RiskRubric integration specifications should be submitted in Q3 2026, once the working group has reviewed the initial implementation guides and the contribution relationship is established. A complete CSAI contribution set to the OWASP GenAI project should be achievable by Q4 2026, with all deliverables through the review and acceptance process.
5. ISO — Autonomous Agent Governance for ISO 42001 Revision
5.1 Current ISO 42001 Status
ISO/IEC 42001:2023, the international standard for Artificial Intelligence Management Systems (AIMS), was published in December 2023 and quickly established itself as the compliance anchor for enterprise AI governance. Its management system structure, which follows the harmonized Annex SL format shared by ISO 27001, ISO 9001, and ISO 14001, provides organizations with an auditable framework for establishing, implementing, maintaining, and continually improving AI governance. The standard’s Annex A defines 38 controls grouped under 9 control objectives, covering AI system lifecycle management, data governance, human oversight, and organizational AI use policies [18]. ISO 42001 maps to the NIST AI RMF, the EU AI Act, and AICM, and CSA’s STAR for AI certification scheme is anchored to it as the primary reference standard for Level 2 certification.
The 2023 standard was developed in a period when production AI deployments were predominantly discriminative or generative systems operating in bounded, human-supervised contexts. As with the NIST AI RMF, the standard’s governance requirements assume a relatively clear boundary between AI system behavior and human decision-making, an assumption that agentic deployments systematically undermine. ISO 42001’s requirements for AI risk assessment and AI system impact assessment (Clauses 6.1.2 and 6.1.4), monitoring, measurement, analysis and evaluation (Clause 9.1), and nonconformity and corrective action (Clause 10.2), together with the Annex A controls on human oversight, are written at a level of generality that does not provide specific, auditable requirements for organizations deploying agents that operate autonomously with delegated authority and tool access [18].
ISO/IEC 42001 entered its first review in 2025, two years after publication and well ahead of the five-year interval at which ISO systematically reviews published standards by default, a reflection of how quickly the domain has moved. The ISO/IEC JTC 1/SC 42 subcommittee, which has responsibility for AI standards including 42001, is the body through which revision proposals must be channeled [19]. SC 42 operates through national body delegations, with participating member countries contributing to working group deliberations and balloting on draft revisions. Organizations seeking to influence the 42001 revision must engage through national body processes rather than through direct submission to ISO, typically by working with the national standards body that holds SC 42 membership to have proposed revision language presented at the working group level.
5.2 CSAI’s Proposed Contributions and Gap Analysis
The CSAI AICM Agentic Control Supplement (Deliverable 3) provides the technical basis for ISO 42001 revision proposals. The supplement’s domain-by-domain gap analysis identifies control gaps that correspond to specific 42001 clauses where the current text requires strengthening for agentic deployments. The proposed contributions focus on five areas of the standard.
Clause 6.1.2 (AI risk assessment) currently requires organizations to assess risks associated with AI systems but does not distinguish between AI systems based on their degree of operational autonomy. CSAI proposes the addition of autonomy-tiered risk assessment requirements: language that establishes distinct risk assessment obligations for AI systems operating at different autonomy levels, requiring that high-autonomy systems undergo more rigorous assessment of their action scope, delegation mechanisms, and behavioral boundaries. This mirrors the GOVERN extension proposed for the NIST AI RMF Agentic Profile, and the two proposals are deliberately aligned to present a consistent governance vocabulary across both standards.
Clause 8.1 (Operational planning and control) and the Annex A control on AI system operation and monitoring (A.6.2.6) provide high-level requirements for operating AI systems in accordance with organizational policies but do not address the operational characteristics specific to agents: tool access governance, inter-agent communication controls, or runtime behavioral monitoring. CSAI proposes additional sub-clauses and controls establishing requirements for tool capability registries, tool-use audit logging, and anomaly detection against established behavioral baselines as core operational requirements for agentic AI system deployment.
Clause 9.1 (Monitoring, measurement, analysis, and evaluation) requires performance monitoring but does not specify what should be monitored for agentic systems whose risks are primarily behavioral and dynamic rather than performance-based in the traditional sense. CSAI proposes explicit requirements for runtime behavioral telemetry, delegation chain monitoring, and periodic autonomy calibration assessment — the specific monitoring capabilities that the MEASURE extension in the NIST Agentic Profile also introduces, ensuring cross-standard consistency.
Annex A controls covering human oversight and accountability require organizations to ensure that humans can intervene in AI system operations, but they do not address the specific challenge of maintaining meaningful human oversight over systems that act faster than human review cycles. CSAI proposes additional control objectives specifying override mechanism requirements, escalation thresholds for autonomous action beyond defined scope, and logging requirements for human override events that make the audit record of human-AI interaction complete and verifiable.
Finally, CSAI proposes additions to Annex B (implementation guidance for the Annex A controls), specifically addressing multi-agent system architectures. The guidance additions would describe how delegation chain governance, orchestrator accountability, and inter-agent communication security should be implemented to satisfy the Annex A control objectives, translating standards requirements into architecture requirements in a way that auditors and implementers can both use.
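The operational, monitoring and oversight requirements proposed in the preceding paragraphs (a tool capability registry, tool-use audit logging, bounded delegation chains, escalation of any action beyond defined scope, and a complete, verifiable record of human override events) are easier to evaluate against a concrete mechanism. The following Python is an illustrative example added to this page; it is not code from Deliverable 3, AAGATE or any other CSAI artifact. The tool names, autonomy tier definitions, resource paths and chain depth limit are hypothetical placeholders (the real tier definitions would come from the CSAI Agentic Standards Vocabulary), and the audit log is a minimal hash chain rather than a production store.

```python
"""Added illustrative example (not CSAI deliverable code); tool names, tiers and scopes are hypothetical."""
from dataclasses import dataclass
from enum import IntEnum
import hashlib, json
from typing import Dict, FrozenSet, List, Tuple

class Tier(IntEnum):
    ADVISORY = 1    # may only invoke tools whose min_tier is ADVISORY (read-only)
    SUPERVISED = 2  # may write inside registered scope; out-of-scope escalates
    AUTONOMOUS = 3  # as SUPERVISED, and may act through a delegation chain

@dataclass(frozen=True)
class ToolCapability:
    effect: str            # "read" or "write"
    min_tier: Tier         # lowest autonomy tier permitted to invoke the tool
    scope: FrozenSet[str]  # resource prefixes the tool is registered for

@dataclass(frozen=True)
class ToolCall:
    agent: str
    tool: str
    resource: str
    chain: Tuple[str, ...]  # delegation chain: orchestrator first, caller last

# Tool capability registry (constructed sample data).
REGISTRY = {
    "read_ticket": ToolCapability("read", Tier.ADVISORY, frozenset({"tickets/"})),
    "update_ticket": ToolCapability("write", Tier.SUPERVISED, frozenset({"tickets/"})),
    "refund": ToolCapability("write", Tier.AUTONOMOUS, frozenset({"payments/refunds/"})),
}

def _digest(prev: str, event: dict) -> str:
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class AuditLog:
    """Append-only hash chain: editing any recorded event later breaks verify()."""
    def __init__(self) -> None:
        self.entries: List[dict] = []
        self._head = "0" * 64

    def append(self, event: dict) -> str:
        digest = _digest(self._head, event)
        self.entries.append({"prev": self._head, "event": event, "hash": digest})
        self._head = digest
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True

class PolicyGate:
    """Returns 'allow', 'escalate' (human approval first) or 'deny'; logs every decision."""
    def __init__(self, registry: Dict[str, ToolCapability], tier: Tier, max_depth: int, log: AuditLog):
        self.registry, self.tier, self.max_depth, self.log = registry, tier, max_depth, log

    def decide(self, call: ToolCall) -> str:
        decision, reason = self._evaluate(call)
        self.log.append({"type": "tool_call", "agent": call.agent, "tool": call.tool, "resource": call.resource,
                         "chain": list(call.chain), "decision": decision, "reason": reason})
        return decision

    def _evaluate(self, call: ToolCall) -> Tuple[str, str]:
        cap = self.registry.get(call.tool)
        if cap is None:
            return "deny", "unregistered_tool"
        # Delegation-chain governance: caller must be the last hop, depth is bounded,
        # and only the AUTONOMOUS tier may act through delegation at all.
        if not call.chain or call.chain[-1] != call.agent:
            return "deny", "chain_integrity"
        if len(call.chain) > self.max_depth:
            return "deny", "chain_depth_exceeded"
        if len(call.chain) > 1 and self.tier < Tier.AUTONOMOUS:
            return "deny", "delegation_not_permitted_at_tier"
        if self.tier < cap.min_tier:
            return "deny", "tier_below_tool_minimum"
        # Action beyond the registered scope is escalated to a human, never executed directly.
        if not any(call.resource.startswith(p) for p in cap.scope):
            return "escalate", "resource_outside_registered_scope"
        return "allow", "in_scope"

    def record_override(self, call: ToolCall, approver: str, approved: bool) -> str:
        """Human decision on an escalated call, recorded on the same chain as the call itself."""
        return self.log.append({"type": "human_override", "agent": call.agent, "tool": call.tool,
                                "resource": call.resource, "approver": approver, "approved": approved})

def demo() -> Tuple[List[str], bool]:
    """Constructed calls through a SUPERVISED-tier gate; returns decisions and audit-chain validity."""
    log = AuditLog()
    gate = PolicyGate(REGISTRY, Tier.SUPERVISED, max_depth=2, log=log)
    calls = [
        ToolCall("worker-1", "update_ticket", "tickets/1042", ("worker-1",)),            # in scope
        ToolCall("worker-1", "update_ticket", "users/77/profile", ("worker-1",)),        # outside scope
        ToolCall("worker-1", "refund", "payments/refunds/1042", ("worker-1",)),          # tier too low
        ToolCall("worker-1", "shell", "/etc/passwd", ("worker-1",)),                    # unregistered tool
        ToolCall("worker-2", "read_ticket", "tickets/7", ("orchestrator", "worker-2")),  # delegated call
    ]
    decisions = [gate.decide(c) for c in calls]
    gate.record_override(calls[1], "oncall@example.org", approved=False)
    return decisions, log.verify()
```

Run as written, `demo()` returns the decision list `['allow', 'escalate', 'deny', 'deny', 'deny']` and `True` for the audit chain. The design point for the clause language is that every outcome, including the human’s rejection of the escalated call, lands in one chained record, so an auditor can re-run `verify()` over exported entries and detect any later edit to a tool-use or override event.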
5.3 ISO/IEC JTC 1/SC 42 Engagement Process
Engaging with ISO’s standards development process requires a longer time horizon and a different strategic approach than the MITRE, NIST, and OWASP engagements. ISO does not accept direct public contributions in the way that GitHub-based open projects do; all technical input is channeled through national standards bodies (NSBs) that hold membership in the relevant subcommittee [19]. For ISO/IEC JTC 1/SC 42, the participating national bodies include ANSI (United States), BSI (United Kingdom), DIN (Germany), AFNOR (France), SAC (China), and SIS (Sweden), among others. CSAI, as a U.S.-based organization, should engage primarily through the U.S. Technical Advisory Group (TAG) for JTC 1/SC 42. ANSI is the U.S. member body, but the TAG itself is administered by INCITS (the ANSI-accredited U.S. TAG to JTC 1) as its INCITS/AI technical committee, which develops U.S. positions for SC 42 working groups and submits U.S. contributions to ISO.
The practical path for CSAI contribution is to become an active participant in the ANSI JTC 1/SC 42 TAG, attend its meetings, and develop the specific revision language described in Section 5.2 in collaboration with TAG members before it is submitted as a U.S. national body position at the SC 42 working group level. This process is slow — TAG meetings occur quarterly, and revision language must go through multiple rounds of national body review before it reaches the SC 42 ballot — but the durability of the output is proportional to the investment. Clause language adopted in an ISO 42001 revision will remain in the standard for at least five years and will be referenced in millions of compliance assessments worldwide.
Supplementing U.S. TAG engagement, CSAI should brief its international affiliate organizations and contributor networks in EMEA and Asia-Pacific on the proposed revision language, with the goal of encouraging parallel national body submissions in multiple jurisdictions. Multi-country support for revision language significantly accelerates its adoption through the SC 42 process, as revisions supported by several national bodies carry more weight in the balloting process than proposals from a single national position.
5.4 National Body Engagement Strategy
The U.S. TAG for JTC 1/SC 42 is administered by INCITS, so participation is arranged through INCITS membership rather than through ANSI directly. CSAI should apply to join at the earliest opportunity, attend at least two TAG meetings in an observer capacity before presenting revision proposals, and develop relationships with the TAG’s secretariat and technical committee chairs. Existing CSA members who already hold TAG membership, particularly those from organizations that are active in ISO certification, are the most natural introductions to the TAG community and should be identified and engaged early in the process.
The revision proposals should be presented to the TAG as a package rather than as individual clause changes. Presenting the full scope of the proposed agentic governance additions together — autonomy-tiered risk assessment, operational requirements for agentic systems, runtime monitoring specifications, human oversight controls, and Annex B guidance — allows TAG members to evaluate the coherence of the proposals as a system rather than responding to each change in isolation. The CSAI Deliverable 3 gap analysis document should be provided as supporting material, along with the cross-standard alignment demonstrating that the proposed language is consistent with the NIST Agentic Profile and with the AICM Supplement.
6. Coordination Strategy
6.1 Maintaining Cross-Standard Consistency
The most significant risk in a simultaneous four-body standards engagement is the introduction of inconsistencies between contributions. If the autonomy tier taxonomy proposed in the NIST Agentic Profile uses different tier definitions and governance thresholds than the autonomy risk assessment language proposed for ISO 42001 Clause 6.1.2, organizations trying to implement both will face unnecessary interpretation work, and reviewers at both bodies may question whether the contributions reflect a coherent technical position. The same risk applies to technique nomenclature in MITRE ATLAS: if the technique names and IDs used in the ATLAS submission differ from those referenced in the OWASP implementation guides, the cross-framework mappings that practitioners rely on become unreliable.
Preventing these inconsistencies requires a single, authoritative internal vocabulary document that all four engagement teams reference. This document — the CSAI Agentic Standards Vocabulary — should be maintained by the initiative’s standards coordination function and should contain the canonical definitions of terms used across multiple engagements: autonomy tier levels and their definitions, tool-use risk categories, delegation chain concepts, behavioral monitoring metric definitions, and the ATLAS technique IDs proposed for the six gap techniques. Any CSAI contributor drafting language for any of the four engagements is required to use this vocabulary document as the source of record, and any proposal to change a definition in the vocabulary must be reviewed and approved by the coordination function before it is used in any external submission.
6.2 Cross-Body Reference Architecture
The four engagements collectively constitute a layered technical architecture. MITRE ATLAS provides the threat intelligence layer: a vocabulary of adversarial techniques that the other three frameworks reference when describing what controls are needed and why. The NIST AI RMF Agentic Profile provides the risk management governance layer: a structured approach to identifying, assessing, and managing agentic risks that aligns with the most widely adopted AI governance vocabulary in the U.S. and internationally. ISO 42001 provides the management system compliance layer: auditable requirements that organizations must meet to achieve certification and satisfy regulatory obligations. OWASP provides the practitioner implementation layer: concrete guidance and tooling that security engineers use to implement the controls the other three frameworks require.
This layering is not incidental — it is a deliberate architecture that CSAI should articulate explicitly in its engagement with each body. When submitting to MITRE, CSAI should note that the proposed techniques are referenced in implementation guidance being contributed to OWASP. When engaging NIST, CSAI should provide the OWASP implementation guides as evidence of the profile’s operational tractability. When presenting to the ISO TAG, CSAI should reference the NIST profile as a pre-existing governance framework that the proposed ISO clauses complement. This cross-referencing reinforces the coherence of the overall contribution and positions CSAI as an organization with a programmatic strategy rather than a collection of independent research outputs.
6.3 Avoiding Conflicting Obligations
Each standards body has intellectual property policies governing contributions made to its development process. MITRE, NIST, and OWASP all operate under open-publication models in which contributed content can be freely reproduced and referenced, but the specifics of attribution, derivative work rights, and the conditions under which contributed content can be cited in commercial products vary. ISO’s contribution process is more restrictive: national body contributions become ISO intellectual property, and the resulting standard text is subject to ISO copyright restrictions [19].
CSAI’s coordination function should conduct a legal review of the IP policies for each of the four bodies before finalizing any contribution submissions. The review should specifically assess whether contributing the same underlying technical content to multiple bodies — for example, using the same autonomy tier definitions in both NIST profile submissions and ISO clause proposals — creates any IP conflicts or attribution ambiguities. In general, contributing consistent vocabulary to multiple bodies strengthens standards harmonization and is compatible with the open-licensing models that MITRE, NIST, and OWASP employ; the ISO contributions require more careful attention to the distinction between CSAI’s own AICM and related publications (which CSAI retains the right to cite and update) and the specific clause text submitted to ISO (which becomes ISO property upon adoption).
6.4 Joint Working Group Participation
Participating in working groups across multiple standards bodies provides CSAI with visibility into how the bodies’ own work is evolving and creates opportunities to identify and address potential inconsistencies before they become entrenched in published text. CSAI staff participating in NIST CAISI workshops, OWASP GenAI project meetings, and the U.S. TAG for JTC 1/SC 42 should report regularly to the coordination function on developments within each body that may affect CSAI’s pending contributions. Where one body’s draft language differs from another’s on a topic of shared concern (for example, if NIST and ISO are developing different approaches to autonomy level classification), CSAI is in a position to raise the issue in both forums and propose harmonized language that serves both bodies’ audiences.
CSAI should also facilitate introductions between the four bodies where opportunities arise. A meeting between NIST’s CAISI team and MITRE’s ATLAS lead, mediated by CSAI, could accelerate the alignment between NIST’s planned AI Agent Interoperability Profile and ATLAS’s technique taxonomy. A presentation to the OWASP GenAI working group by CSAI staff who have participated in the ISO TAG could raise awareness within the OWASP community of the ISO 42001 revision and the proposed agentic control additions, encouraging OWASP contributors to submit comments to their national bodies in support of the proposals. These facilitated interactions are difficult to pre-plan in detail but should be treated as high-priority opportunities when they arise.
7. Resource Requirements Summary
The following table consolidates the resource requirements for all four standards engagements across the primary eighteen-month engagement window from April 2026 through September 2027. Effort is expressed in FTE-months (one person working full time for one month) and does not assume that dedicated headcount is required; CSAI working group participants contributing part-time effort can satisfy these requirements if the cumulative hours are available. Budget estimates are provided as ranges reflecting variation in staff seniority, participation in in-person events (travel costs), and legal review requirements.
| Standards Body | Primary Engagement Activities | Effort (FTE-months) | Timeline | Budget Range (USD) |
|---|---|---|---|---|
| MITRE ATLAS | Pre-submission outreach; STIX 2.1 conversion; incident record compilation; pull request submission and revision | 1.2 | April–December 2026 | $45,000–$65,000 |
| NIST AI RMF | AIRC registry submission; CAISI formal comments and workshop participation; co-development support | 9.0 | April 2026–September 2027 | $180,000–$240,000 |
| OWASP GenAI | Working group participation; implementation guide drafting and review; tool integration specification; pull request management | 6.0 | April–December 2026 | $90,000–$120,000 |
| ISO/IEC JTC 1/SC 42 | U.S. TAG membership and participation; revision language development; national body briefings; international affiliate coordination | 8.0 | June 2026–September 2027 | $150,000–$210,000 |
| Coordination Function | Vocabulary maintenance; IP legal review; cross-body consistency checking; facilitated body interactions | 4.0 | April 2026–September 2027 | $80,000–$110,000 |
| Total | All tracks | 28.2 | 18 months | $545,000–$745,000 |
The coordination function is listed as a separate line item because it represents a distinct organizational capability rather than activity-specific effort. The coordination function’s work — maintaining the CSAI Agentic Standards Vocabulary, conducting IP policy reviews, facilitating cross-body interactions, and tracking consistency across all four engagements — creates value for all four engagement tracks simultaneously and cannot be attributed to any single one.
The NIST engagement carries the highest effort and budget estimates because it involves the longest sustained participation in a structured institutional process. Working group memberships, formal comment preparation, and co-development review cycles all require consistent staff availability over an extended period. The OWASP engagement, while lower in total effort, requires the most concentrated short-term work because GitHub-based contributions move quickly and the implementation guide drafting work is labor-intensive. The MITRE engagement is the most focused in both scope and duration: six technique specifications have already been drafted in Deliverable 1, and the primary remaining work is format conversion and review cycle management.
Organizations assessing the resource requirements should consider the return on this investment in terms of the leverage it provides. A single accepted ATLAS technique entry creates a permanent citation relationship that strengthens every subsequent CSAI publication referencing that technique. An accepted NIST profile establishes CSAI’s Agentic Profile as the practitioner-standard extension to the most widely cited AI governance framework in the United States. OWASP implementation guides become the standard reference for engineering teams implementing OWASP ASI controls, positioning CSAI tools as the default assessment mechanism. And ISO 42001 clause additions become part of the standard against which every 42001 certification audit is conducted — a scale of practitioner impact that no CSAI-published document, however well-written, can independently achieve.
References
1. Cloud Security Alliance. “CSAI Master Framework Alignment Matrix.” CSAI Foundation, March 2026. /output/white-papers/agentic-master-framework-alignment-matrix-v1.md
2. Cloud Security Alliance. “AI Safety Initiative Strategic Plan 2026.” CSAI Foundation, 2026. https://cloudsecurityalliance.org/research/working-groups/ai-safety-initiative
3. Cloud Security Alliance. “Cloud Controls Matrix v4.0.” CSA Artifacts. https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4
4. MITRE Corporation. “ATLAS Data Release v5.0.0.” GitHub, mitre-atlas/atlas-data, September 2025. https://github.com/mitre-atlas/atlas-data/releases
5. Bargury, M.; Zenity Labs. “Zenity Labs and MITRE ATLAS Collaborate to Advance AI Agent Security.” Zenity Blog, October 2025. https://zenity.io/blog/current-events/zenity-labs-and-mitre-atlas-collaborate-to-advances-ai-agent-security-with-the-first-release-of
6. MITRE Corporation. “MITRE ATLAS OpenClaw Investigation: Discovering New and Likeliest Techniques.” MITRE Center for Threat-Informed Defense, February 2026. https://ctid.mitre.org/blog/2026/02/09/mitre-atlas-openclaw-investigation/
7. MITRE Corporation. “atlas-data: ATLAS Tactics, Techniques, and Case Studies Data.” GitHub, mitre-atlas/atlas-data. https://github.com/mitre-atlas/atlas-data
8. JFrog Security Research. “Critical RCE Vulnerability in mcp-remote: CVE-2025-6514 Threatens LLM Clients.” JFrog Blog, 2025. https://jfrog.com/blog/2025-6514-critical-mcp-remote-rce-vulnerability/
9. MITRE Corporation. “MITRE ATLAS Overview: Dr. Christina Liaghati.” NIST Cybersecurity and Privacy Events, September 2025. https://csrc.nist.gov/csrc/media/Presentations/2025/mitre-atlas/TuePM2.1-MITRE%20ATLAS%20Overview%20Sept%202025.pdf
10. National Institute of Standards and Technology. “Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile (NIST AI 600-1).” NIST, July 2024. https://airc.nist.gov/Docs/2
11. Cloud Security Alliance. “NIST AI Risk Management Framework: Agentic Profile.” CSAI Foundation, March 2026. /output/white-papers/agentic-NIST-AI-RMF-profile-v1.md
12. Cloud Security Alliance. “AAGATE: Agentic AI Governance and Trust Environment Reference Architecture.” CSAI Foundation, December 2025. https://cloudsecurityalliance.org/artifacts/aagate
13. National Institute of Standards and Technology. “AI Agent Standards Initiative — Center for AI Standards and Innovation.” NIST CAISI, February 2026. https://www.nist.gov/artificial-intelligence/executive-order-safe-secure-and-trustworthy-artificial-intelligence
14. National Institute of Standards and Technology. “AI RMF Profiles.” NIST AI Resource Center. https://airc.nist.gov/airmf-resources/airmf/6-sec-profile/
15. OWASP GenAI Security Project. “OWASP GenAI Security Project Releases Top 10 Risks and Mitigations for Agentic AI Security.” OWASP GenAI, December 2025. https://genai.owasp.org/2025/12/09/owasp-genai-security-project-releases-top-10-risks-and-mitigations-for-agentic-ai-security/
16. OWASP GenAI Security Project. “OWASP Top 10 for Agentic Applications 2026.” OWASP GenAI. https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/
17. Cloud Security Alliance. “RiskRubric and MCP Scanner Specifications.” CSAI Foundation, March 2026. /output/white-papers/CSA_research_note_RiskRubric_MCP_scanner_spec_20260327.md
18. International Organization for Standardization. “ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system.” ISO, December 2023. https://www.iso.org/standard/81230.html
19. ISO/IEC JTC 1/SC 42. “Subcommittee on Artificial Intelligence.” JTC 1 Information. https://jtc1info.org/sd-2-history/jtc1-subcommittees/sc-42/
20. Cloud Security Alliance. “MITRE ATT&CK and ATLAS Agentic Gap Analysis.” CSAI Foundation, March 2026. /output/white-papers/CSA_research_note_ATLAS_agentic_gap_analysis_20260327.md
21. Cloud Security Alliance. “AICM Agentic Control Supplement: Domain-by-Domain Gap Analysis.” CSAI Foundation, March 2026. /output/white-papers/agentic-AICM-supplement-gap-analysis-v1.md
22. Cloud Security Alliance. “AI Controls Matrix (AICM) v1.0.” CSA Artifacts, July 2025. https://cloudsecurityalliance.org/artifacts/ai-controls-matrix
23. Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” CSA Blog, February 2025. https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro
24. OWASP GenAI Security Project. “Meetings and Working Groups.” https://genai.owasp.org/meetings/