White Paper | 2026-03-27 | Status: draft
STAR for AI Agentic Certification Scheme
Executive Summary
The deployment of agentic AI systems—autonomous agents capable of planning, tool use, multi-step reasoning, and interaction with other agents—is accelerating faster than the assurance and certification infrastructure designed to govern them. The Cloud Security Alliance’s STAR for AI program, launched in October 2025 with Level 1 self-assessment and extended to Level 2 third-party audit in November 2025, represents the most significant advance in AI trust assurance since the field emerged. [1][2] Early adopters including Anthropic, Sierra, and Zendesk demonstrated in real deployments that enterprise-scale AI governance transparency is not only achievable but commercially valuable. [3] Yet the program as presently defined treats AI systems as a relatively homogeneous category, applying the same AI-CAIQ self-assessment questionnaire and ISO/IEC 42001-based audit requirements regardless of whether an organization is deploying a simple AI-powered feature, a copilot assistant, a fully autonomous agent, or a large-scale multi-agent orchestration platform.
This approach is insufficient for the autonomous agent systems now entering production. An agentic system operating with persistent memory, MCP-connected tool access, and the ability to spawn sub-agents introduces certification challenges that differ in kind, not merely in degree, from those associated with a conventional AI service. A point-in-time ISO 42001 audit establishes that an organization’s AI management system was sound at the moment of assessment; it cannot establish that an autonomous agent’s behavior remains aligned with its certified configuration across thousands of subsequent runtime interactions, tool invocations, and inter-agent message exchanges. The STAR for AI program needs an agentic-specific layer—one that extends the existing framework rather than replacing it—to address these challenges adequately.
This whitepaper specifies the STAR for AI Agentic Certification Scheme. It defines three agentic certification tiers: Level 1 Agentic (self-assessment against the AICM Agentic Supplement), Level 2 Agentic (third-party audit with agentic-specific audit procedures), and Continuous Certification (ongoing compliance monitoring powered by AI Risk Observatory telemetry). It establishes differentiated requirements based on system type, covering copilot systems, autonomous agents, orchestrator systems, and multi-tenant agent services. It provides transition guidance for organizations with existing STAR for AI certifications. And it maps all requirements to the AICM Agentic Supplement, ISO 42001 clauses, EU AI Act articles, and NIST AI RMF functions, providing a complete alignment picture that compliance teams, auditors, and standards bodies can use directly.
The scheme is designed for implementation in 2026, with initial auditor qualification requirements, pilot program enrollment, and registry integration targeted for the second and third quarters of the year. It is a foundational deliverable of the CSAI Foundation’s global assurance program, one of the six strategic programs announced at RSAC 2026 as part of the CSAI mission of Securing the Agentic Control Plane. [4]
1. Introduction: STAR for AI and the Agentic Certification Gap
The STAR program is the Cloud Security Alliance’s flagship assurance framework. For cloud services, STAR operates across three levels—self-assessment, third-party audit, and continuous monitoring—providing a transparency and accountability infrastructure that thousands of cloud providers and enterprise procurement teams use to make security decisions. [5] When CSA launched STAR for AI in October 2025, it applied this proven architecture to a new domain: artificial intelligence governance and security. Level 1 invited organizations to publish AI-CAIQ v1.0.2 self-assessments to the STAR Registry, creating transparent, standardized disclosures aligned with the AICM’s 243 control objectives. Level 2, available from November 2025, combined ISO/IEC 42001:2023 certification with a Valid-AI-ted scored self-assessment to produce a verified, third-party-audited trust designation. [2] Microsoft and Zendesk were the first to achieve Level 2, and the STAR Registry subsequently became the global reference point for AI governance transparency.
What the baseline program does not yet provide is a structured answer to a question that is becoming urgent as agentic deployments proliferate: how should an auditor or a procurement team assess not just whether an organization has sound AI governance policies and processes, but whether a specific autonomous agent system behaves safely and consistently with its stated design specifications across its runtime? This is the agentic certification gap.
The gap is not a design failure in the original STAR for AI program. When Level 1 and Level 2 were launched in late 2025, agentic AI systems were a nascent deployment category. The AI-CAIQ’s control questions are well-suited to traditional AI services, predictive models, and supervised deployments. They address governance policy, model risk management, bias mitigation, explainability, and regulatory alignment at the organizational and system level—all necessary and valuable dimensions of AI trustworthiness. What they do not yet address with sufficient specificity are the distinctive risks introduced by autonomous agent architectures: persistent memory manipulation, tool permission scope creep, inter-agent trust exploitation, goal drift across multi-step planning cycles, and the cascading failures that can propagate through multi-agent pipelines when a single agent’s behavior deviates from its certified configuration. [6]
The CSAI Foundation, launched at RSAC 2026 with a mission of Securing the Agentic Control Plane, identified this certification gap as one of the highest-priority deliverables in its global assurance program. [4] The STAR for AI Agentic Certification Scheme described in this whitepaper is the direct response. It extends STAR for AI upward and outward: upward by adding continuous certification as a fourth tier that connects runtime telemetry to compliance status, and outward by differentiating requirements based on the architectural characteristics and risk profile of the AI system being certified. The scheme preserves full backward compatibility with the base STAR for AI program—existing certifications remain valid, and organizations achieving agentic certification are recognized as having satisfied all base-level requirements as well.
2. STAR for AI Baseline
Understanding the agentic extension requires a precise account of what the base STAR for AI program provides and how it is structured. The program was built on two foundational components: the AI Consensus Assessments Initiative Questionnaire (AI-CAIQ), which operationalizes the AICM’s 243 controls into a self-assessment format, and ISO/IEC 42001:2023, which provides the international standard for AI management systems (AIMS) that underpins third-party audit. [1][7]
Level 1, launched October 23, 2025, requires organizations to complete the AI-CAIQ v1.0.2 and publish their responses to the STAR Registry. [1] The questionnaire covers AI governance policy, model risk management, data quality and bias mitigation, privacy and explainability, incident response for AI systems, and regulatory alignment. Organizations submit documented evidence of their responses, and the resulting registry entry provides public visibility into their AI governance posture. Level 1 is free to submit, and the STAR Registry is publicly searchable, enabling enterprise buyers and procurement teams to compare AI providers on standardized governance dimensions without requiring each buyer to conduct a bespoke assessment. The AI-CAIQ self-assessment is not externally validated at Level 1—it is a disclosure mechanism, not a certification—but the structured format makes misrepresentation detectable by informed reviewers, and the reputational stakes of public disclosure create meaningful accountability.
Level 2, announced November 20, 2025, adds external validation through two combined components. First, organizations must hold a valid ISO/IEC 42001:2023 certification from an accredited certification body. Second, they must complete and submit a Valid-AI-ted scored AI-CAIQ self-assessment—Valid-AI-ted being CSA’s AI governance, risk, and compliance automation and evaluation engine—which cross-checks self-assessment responses against the ISO 42001 certificate scope and any supporting evidence provided. [2] The combination produces a STAR for AI Level 2 designation that reflects both organizational-level AI management system compliance and a standardized, machine-readable governance disclosure. Microsoft and Zendesk received recognition as the first Level 2 certified organizations at the November 2025 launch event. Early adopters Anthropic, Sierra, and Zendesk had also posted their ISO 42001 certificates to the STAR Registry in advance of the formal Level 2 launch, demonstrating the market appetite for third-party-validated AI governance transparency. [3][8]
The STAR Registry itself operates as a searchable public database of AI governance disclosures, analogous in structure to the existing STAR Registry for cloud services. Registry entries display certification level, certification date, scope, the names of any third-party auditors or certification bodies involved, and links to supporting documentation. The registry is integrated with CSA’s broader research and intelligence infrastructure, enabling correlation between registry entries and the AI Risk Observatory’s threat intelligence outputs as that infrastructure matures.
The relationship between STAR for AI and STAR for Cloud is one of parallel programs sharing a common infrastructure and design philosophy rather than a hierarchical relationship. An organization can hold both STAR for Cloud and STAR for AI certifications for different aspects of its service portfolio, and the combined posture provides a more complete assurance picture than either alone. The agentic extension described in this whitepaper sits within the STAR for AI program specifically; it does not introduce new requirements for the STAR for Cloud program, though agentic systems deployed in cloud environments will typically require compliance evidence across both programs.
3. Agentic-Specific Certification Levels
The STAR for AI Agentic Certification Scheme introduces three certification tiers that build on and extend the base Level 1 and Level 2 designations. Each tier is designed to be independently achievable while forming a natural progression: organizations are expected to achieve base STAR for AI Level 1 before pursuing Level 1 Agentic, and Level 1 Agentic before pursuing Level 2 Agentic. Continuous Certification is designed as a complement to Level 2 Agentic rather than a replacement, and organizations choosing not to pursue Level 2 Agentic may still participate in certain elements of the continuous monitoring program as a preparatory step.
Level 1 Agentic: Self-Assessment
Level 1 Agentic is a structured self-assessment against the AICM Agentic Supplement controls, supplementing and extending the AI-CAIQ with agentic-specific control questions. Where the base AI-CAIQ addresses AI systems at the organizational and service level, the Agentic Supplement addresses individual agent systems and their runtime characteristics. Organizations completing Level 1 Agentic submit responses to three categories of supplemental controls: identity and authorization architecture (covering how agents authenticate to tools and services, how agent identities are provisioned and deprovisioned, and how inter-agent trust is established and scoped), runtime behavior governance (covering how agent behavior is monitored, how deviation from expected behavior patterns is detected and responded to, and how memory and context inputs are validated), and tool permission governance (covering how tool access is scoped and enforced, how tool permissions evolve over the agent’s operational lifecycle, and how tool-invocation logs are generated, retained, and reviewed). [4][9]
The self-assessment results are published to the STAR Registry under a new agentic designation, distinct from the base Level 1 listing. The listing includes the agent system name and scope, the version of the AICM Agentic Supplement against which the assessment was completed, the date of assessment, and summary indicators of coverage across the three control categories. Organizations are expected to update their Level 1 Agentic assessments at least annually and upon significant architectural changes to the agent system.
What distinguishes Level 1 Agentic from the base Level 1 is both the control scope and the unit of assessment. Base Level 1 assesses organizational AI governance broadly; Level 1 Agentic assesses a specific agent system or agent service with specificity about its architecture, deployment model, and operational characteristics. An organization may hold multiple Level 1 Agentic listings for different agent systems, each scoped appropriately to the system it describes. The registry structure supports this multi-system model through a parent-child relationship: a parent organizational listing reflects overall AI governance maturity, while child agentic listings provide system-specific disclosure within that governance context.
Level 2 Agentic: Third-Party Audit
Level 2 Agentic replaces self-attestation with independent third-party audit for the agentic control set. It requires organizations to engage a qualified STAR for AI Agentic auditor—an auditing firm or individual practitioner meeting the qualification requirements described in Section 4—to conduct a structured assessment against the AICM Agentic Supplement controls using the audit procedures defined in this scheme. The audit must be conducted against the same agent system scope described in the corresponding Level 1 Agentic listing. Level 2 Agentic does not require a separate ISO 42001 certification beyond what is required for base Level 2, but auditors performing a Level 2 Agentic engagement are expected to verify that the ISO 42001 certification scope encompasses the agentic systems under assessment and that any agentic-specific risks identified during the audit are reflected in the organization’s AIMS risk treatment records. [7][10]
The alignment with ISO 42001 is structural rather than additive. ISO 42001 Clause 8 (Operation) requires organizations to govern the full AI system lifecycle including design, acquisition, testing, deployment, monitoring, and retirement. [10] Level 2 Agentic audit procedures operationalize Clause 8 requirements specifically for agentic systems, translating the standard’s management system requirements into concrete technical verification steps: testing agent identity provisioning and deprovisioning workflows, verifying tool permission boundary enforcement through controlled test scenarios, reviewing inter-agent communication logs for evidence of authentication and integrity controls, and assessing the organization’s behavioral monitoring and anomaly detection capabilities against the agent system’s operational profile.
Auditor qualification requirements reflect the technical depth of these procedures. Qualified Level 2 Agentic auditors must hold STAR for AI audit qualification from an accredited CSA audit partner program, demonstrate documented experience with agentic AI system architectures, and complete a CSAI Foundation agentic audit methodology training module specific to this scheme. Auditing firms seeking to qualify must have at least two qualified individual practitioners and demonstrate access to agentic test infrastructure sufficient to conduct the runtime behavior assessment procedures described in Section 4. Qualification requirements will be reviewed annually and updated as the agentic technology landscape evolves.
Continuous Certification
Continuous Certification is the most technically novel element of the agentic certification scheme, and the one with the greatest long-term significance for how AI trust assurance works in practice. It addresses a fundamental limitation of point-in-time certification: an autonomous agent system that passes a Level 2 Agentic audit is certified as of its audit date, but agentic systems are not static. They are updated, retrained, connected to new tools, given expanded memory access, and exposed to adversarial prompt injection and goal hijacking attempts that can alter their effective behavior without any visible configuration change. A certification scheme that cannot detect behavioral drift is a certification scheme that provides false assurance.
Continuous Certification connects STAR for AI Agentic registry status to real-time telemetry from the AI Risk Observatory, the CSAI Foundation’s continuous monitoring and threat intelligence infrastructure. [4] Organizations participating in Continuous Certification deploy AI Risk Observatory telemetry agents alongside their certified agent systems. These agents collect structured behavioral telemetry—tool invocation sequences, inter-agent message volumes and patterns, memory access patterns, task completion trajectories, and anomaly signals—and transmit it to the Observatory’s analysis pipeline. The Observatory processes this telemetry against the behavioral baseline established at the time of Level 2 Agentic audit and generates compliance status signals that flow back to the STAR Registry.
Automated alert thresholds determine when a compliance status signal changes. Thresholds are calibrated by system type (see Section 5) and control category. An orchestrator system that begins invoking tools outside its certified permission scope, for example, triggers a scope-creep alert within the tool permission governance category. An autonomous agent whose task completion patterns show significant divergence from its audited operational baseline triggers a behavioral drift alert in the runtime behavior governance category. The Registry entry for a system experiencing an active alert transitions from a green Continuously Certified indicator to an amber Under Review indicator, and the certified organization is notified to initiate review and remediation. If the alert is not resolved within a defined window—configurable between 30 and 90 days depending on alert severity—the registry entry reverts to Level 2 Agentic status, indicating that continuous monitoring is no longer active, and the audit expiration timeline resumes.
Behavioral drift that is the result of intentional, documented system updates does not trigger a recertification requirement, provided the organization notifies the Registry of the change and submits updated Agentic Supplement control responses within 30 days of the update. Material architecture changes—defined as changes to the agent’s identity model, its tool permission scope, its memory architecture, or its orchestration role within a multi-agent system—require a new Level 2 Agentic audit for the affected system scope. This threshold is intentionally high to avoid creating compliance burdens that discourage rapid iteration; it is calibrated to capture changes that genuinely alter the risk profile of the agent system rather than routine operational improvements.
4. Audit Procedures for Autonomous Agent Systems
Auditing an autonomous agent system is a materially different activity from auditing a conventional enterprise software system or even a traditional AI model. Conventional audits rely heavily on documentary review—policy documents, architecture diagrams, configuration records, log samples—supplemented by interviews and selective technical testing. Agentic system audits require all of that, plus procedures designed to assess runtime behaviors that may not manifest in documentation: emergent tool invocation patterns, inter-agent trust assumptions, identity lifecycle gaps visible only under test conditions, and behavioral responses to adversarial inputs. This section defines the four core audit procedure categories for STAR for AI Agentic Level 2 engagements.
Runtime Behavior Assessment Methodology
Runtime behavior assessment is the process by which auditors verify that an agent system’s actual operational behavior is consistent with its documented design specifications, permission boundaries, and safety constraints. The assessment proceeds in three phases. In the baseline documentation phase, auditors review the agent system’s behavioral specifications: its defined task scope, its authorized action space, its escalation and human-handoff criteria, its anomaly detection configuration, and its incident response procedures for behavioral deviation. This documentation establishes the benchmark against which runtime behavior will be assessed.
In the controlled scenario testing phase, auditors execute a structured test suite against a representative deployment of the agent system—either a production-equivalent staging environment or, with appropriate safeguards, a controlled segment of the production environment. The test suite includes standard task scenarios designed to verify normal behavior, boundary scenarios designed to probe the edges of the agent’s authorized action space, and adversarial scenarios including prompt injection attempts, goal redirection inputs, and simulated malicious tool responses. Auditors document the agent’s responses to each scenario category, capturing tool invocations, memory reads and writes, inter-agent messages, and escalation decisions. Results are compared against the behavioral specifications reviewed in the documentation phase.
In the log analysis phase, auditors review a representative sample of production operational logs—minimum 90 days of logs for established agent systems, or full operational history for systems less than 90 days old—for evidence of behavioral patterns inconsistent with documented specifications. Log analysis focuses particularly on tool invocation anomalies, permission boundary violations that were resolved without escalation, and inter-agent communication events that deviate from documented trust relationships. Auditors produce a Behavioral Assessment Report documenting findings from all three phases, which becomes part of the Level 2 Agentic audit record.
Inter-Agent Communication Security Verification
Multi-agent architectures introduce security risks that are invisible at the individual agent level: an agent that is individually well-governed may participate in communication patterns with other agents that create systemic risks through identity spoofing, message tampering, unauthorized data exfiltration via inter-agent channels, or trust escalation exploits. Inter-agent communication security verification assesses these risks by examining the authentication, integrity, and authorization mechanisms governing message exchange between agents. [6]
Auditors verify that each inter-agent communication channel employs mutual authentication—that both sending and receiving agents verify each other’s identity before exchanging messages—and that message integrity is protected against tampering in transit. For orchestrator-subordinate architectures, auditors verify that subordinate agents validate the authority of instructions received from orchestrators and that orchestrators cannot be impersonated by unauthorized agents. The verification includes review of the organization’s agent identity registry and its procedures for establishing, updating, and revoking inter-agent trust relationships.
Auditors also assess the data governance controls applied to information flowing across inter-agent channels. Agentic pipelines can inadvertently create data-exfiltration pathways when agents are authorized to read sensitive data in one context and to communicate with agents operating in lower-trust contexts. The audit procedure includes a review of inter-agent data flow documentation against the organization’s data classification policy, with particular attention to personal data and confidential business information that may traverse agent boundaries.
Agent Identity Lifecycle Audit Procedures
Agent identity is one of the most consequential and least mature dimensions of agentic system governance. Unlike human users, whose identities are managed through well-established IAM processes, agents are often created and decommissioned programmatically, their credentials rotated infrequently, and their permission assignments inherited from service accounts designed for different purposes. The agent identity lifecycle audit verifies that agents are treated as first-class identity principals with lifecycle governance equivalent to that applied to human users and traditional service accounts.
The audit examines four identity lifecycle phases: provisioning, operation, modification, and deprovisioning. In the provisioning phase, auditors verify that each agent receives a unique, non-shared identity credential, that its initial permission assignments are documented and approved through a defined authorization process, and that its identity is registered in the organization’s agent identity inventory before it is placed in operation. In the operation phase, auditors verify that credential rotation schedules are defined and enforced, that access reviews are conducted at defined intervals, and that any privilege escalation events are logged, reviewed, and approved. In the modification phase, auditors verify that changes to an agent’s identity scope—including new tool access grants, expanded memory permissions, and new inter-agent trust relationships—are processed through the same approval workflow as initial provisioning. In the deprovisioning phase, auditors verify that agent credentials are revoked upon decommissioning, that the agent identity inventory is updated, and that any trust relationships referencing the decommissioned agent are reviewed and updated.
Tool Permission Governance Verification
Tool access is the primary mechanism through which autonomous agents take consequential actions in the external world, making tool permission governance one of the highest-stakes dimensions of agentic security assurance. An agent that can invoke file system operations, execute code, send emails, make API calls to external services, or transfer funds has a real-world action scope that must be governed with the same rigor applied to privileged human access. [9]
The tool permission governance verification procedure assesses whether an agent system’s tool access is governed by a documented, enforced permission model that applies least-privilege principles and includes both preventive and detective controls. Auditors review the organization’s tool permission policy, its tool inventory documentation, its process for authorizing new tool connections, and its runtime enforcement mechanisms. Technical testing verifies that permission boundaries are actually enforced—that an agent configured for read-only file access cannot invoke write operations, that an agent limited to a specific API scope cannot expand that scope through indirect invocation paths, and that tool permission grants are recorded in durable, tamper-evident logs.
Auditors also examine the organization’s processes for detecting and responding to tool permission anomalies. An agent that begins invoking tools at substantially higher rates than its operational baseline, that invokes tools in sequences inconsistent with its documented task types, or that attempts to invoke tools outside its defined permission scope represents a potential behavioral deviation that may indicate compromise, prompt injection, or unintended emergent behavior. The audit procedure verifies that these anomaly patterns are defined, that monitoring systems are configured to detect them, and that there is a documented, tested incident response procedure for tool permission anomalies.
5. Certification Requirements by System Type
Agentic AI systems span a wide range of architectural complexity and operational autonomy, and a certification scheme that applies the same requirements uniformly across this range will be either burdensome for simpler systems or inadequate for complex ones. The STAR for AI Agentic Certification Scheme defines four system-type categories with differentiated certification requirements calibrated to the risk profile of each category.
Copilot systems are AI-assisted tools that operate in close collaboration with human users, augmenting human decision-making rather than acting autonomously. They are characterized by a human in the loop for all significant actions, limited tool access scoped to the immediate task context, no persistent memory beyond the current session, and no inter-agent communication with other autonomous systems. Copilot systems represent the lowest-complexity category in the agentic scheme. Level 1 Agentic requirements for copilot systems are satisfied by completing the identity and authorization control category of the Agentic Supplement plus a subset of the runtime behavior governance questions focused on session scope and human escalation procedures. Level 2 Agentic audit for copilot systems does not require the full inter-agent communication security verification procedure; it does require the runtime behavior assessment and tool permission governance verification procedures at a scope proportional to the system’s tool access breadth.
Autonomous agents are systems that execute multi-step tasks with significant independence from real-time human oversight. They may maintain persistent memory across sessions, invoke a defined set of tools autonomously, and make consequential decisions within their task scope without per-action human approval. Autonomous agents represent the core use case for which the agentic certification scheme was primarily designed, and they carry the full set of Level 1 and Level 2 Agentic requirements. The runtime behavior assessment for autonomous agents includes adversarial scenario testing at a minimum depth of 50 test cases covering the agent’s defined task scope and tool access profile. Agent identity lifecycle requirements apply in full, including quarterly access reviews and 90-day maximum credential rotation cycles.
Orchestrator systems direct and coordinate the activities of subordinate agent systems, decomposing complex tasks into sub-tasks, assigning them to specialized agents, and integrating their outputs. Orchestrators may control large numbers of subordinate agents and can amplify the consequences of a behavioral failure across many downstream agents simultaneously. They carry the most demanding certification requirements in the scheme. In addition to all requirements applicable to autonomous agents, orchestrator systems must complete the inter-agent communication security verification procedure for each distinct subordinate agent type in their coordination scope. Level 2 Agentic audits for orchestrators must include end-to-end pipeline testing that exercises the orchestrator’s coordination logic under both normal and adversarial conditions, including scenarios where one or more subordinate agents return unexpected, malformed, or adversarially crafted responses. Organizations operating orchestrators at scale—coordinating more than 20 distinct subordinate agent types—may apply for a phased audit scope that covers a representative sample of subordinate types, provided they demonstrate that their governance controls apply uniformly across all types.
Multi-tenant agent services are platforms that provision and operate agentic AI capabilities for multiple distinct tenant organizations, with each tenant’s agents potentially sharing underlying infrastructure, model weights, or tool connectivity while operating under tenant-specific permission and data isolation boundaries. Multi-tenant services carry an additional certification dimension beyond the requirements applicable to their constituent system types: tenant isolation assurance. Level 1 Agentic for multi-tenant services requires disclosure of the isolation architecture, including how tenant-specific memory, tool access, and agent identity are segregated from those of other tenants. Level 2 Agentic audit must include verification of tenant isolation controls through cross-tenant injection testing—a structured test procedure in which auditors attempt to demonstrate that data, context, or influence from one simulated tenant’s agent operations can cross into another simulated tenant’s agent scope. Certification of a multi-tenant service as meeting isolation assurance requirements allows tenants of that service to rely on the platform-level certification for the isolation dimensions, supplementing it with their own Level 1 Agentic assessments covering governance dimensions specific to their tenant configuration.
6. Transition Guidance
Organizations that have achieved base STAR for AI Level 1 or Level 2 certification and are now deploying agentic systems have a clear path to extending their certification posture without duplicating the work already completed. The transition guidance in this section is designed to minimize duplication while ensuring that the agentic certification is grounded in a fresh assessment of the agentic-specific control dimensions.
For organizations holding STAR for AI Level 1, the transition to Level 1 Agentic begins with identifying the specific agent systems to be certified and scoping each system’s Agentic Supplement assessment appropriately. The AI-CAIQ responses already submitted as part of base Level 1 remain valid and do not need to be resubmitted; the Level 1 Agentic assessment is additive, covering only the agentic-specific control categories not addressed in the AI-CAIQ. Organizations should review their existing Level 1 disclosures to identify any agentic system descriptions already included in their current registry entries and use those as the starting point for the Level 1 Agentic scoping exercise. The registry entry structure for Level 1 Agentic is designed to link to the parent Level 1 organizational entry, so the transition produces an updated profile rather than an entirely new listing.
For organizations holding STAR for AI Level 2, the transition to Level 2 Agentic builds on the existing ISO 42001 certification and Valid-AI-ted scored assessment. The primary question for transition planning is whether the ISO 42001 certification scope encompasses the agentic systems to be certified. If it does, the Level 2 Agentic engagement can proceed as a supplemental audit against the agentic control set without requiring a new ISO 42001 assessment cycle. If the ISO 42001 scope does not include the relevant agentic systems, organizations should plan to extend their AIMS scope to include those systems before or concurrent with the Level 2 Agentic audit, since the agentic audit procedures verify alignment between agent system governance and the organization’s documented AIMS. [7]
Organizations that are planning both a base Level 2 and a Level 2 Agentic certification for the first time should consider sequencing the engagements concurrently rather than sequentially. A single audit engagement that covers both the ISO 42001-based base Level 2 requirements and the agentic supplement audit procedures will typically require less total effort than two sequential engagements, since the documentation review, evidence collection, and stakeholder interviews for both programs draw on the same governance infrastructure. Auditing firms qualified for Level 2 Agentic are required to also hold STAR for AI audit qualification, enabling them to conduct combined engagements. Organizations should confirm that their chosen auditor holds both qualifications before scheduling.
The timeline for transition will vary significantly by system type and organizational complexity. As a general guide, a copilot-class system at an organization with an existing Level 2 certification should expect a Level 2 Agentic transition engagement requiring two to four weeks of auditor time distributed across a six-to-twelve week engagement window. A large-scale orchestrator system at an organization without an existing STAR for AI certification should expect a combined base Level 2 and Level 2 Agentic engagement of twelve to twenty weeks, incorporating the ISO 42001 certification process as a prerequisite. Multi-tenant agent service providers should allow additional time for the tenant isolation assurance testing component, which typically adds four to eight weeks depending on the number and diversity of tenant configurations.
7. Relationship to Other Certification Programs
The STAR for AI Agentic Certification Scheme is designed to complement rather than duplicate the other major certification and conformity assessment programs that AI developers and deployers are navigating. This section describes the relationship between the agentic scheme and four programs: ISO 42001, SOC 2, FedRAMP, and the EU AI Act conformity assessment framework.
ISO/IEC 42001:2023 is the international standard for AI management systems and the normative foundation for STAR for AI Level 2. [10] The relationship between the agentic scheme and ISO 42001 is tight: the agentic scheme’s Level 2 audit procedures are designed to operationalize and extend ISO 42001 Clause 8 requirements for agentic system lifecycles, and the agentic scheme explicitly requires that the ISO 42001 certification scope encompass agentic systems under assessment. Organizations pursuing ISO 42001 certification for the first time as a pathway to STAR for AI Level 2 Agentic should ensure that their AIMS risk register explicitly addresses agentic-specific risks—tool misuse, inter-agent trust exploitation, goal hijacking, and behavioral drift—so that ISO 42001 Clause 6 (Planning) requirements are met at the appropriate level of specificity. ISO 42001 provides the management system architecture; the STAR for AI Agentic scheme provides the technical audit procedures and registry transparency that translate that architecture into publicly verifiable assurance.
SOC 2 remains one of the most widely recognized enterprise security attestation frameworks, and many organizations pursuing STAR for AI Agentic certification will already hold SOC 2 Type II reports. The two programs address complementary dimensions: SOC 2 audits organizational security controls across the Trust Services Criteria, while STAR for AI Agentic audits the AI-specific governance and agentic system-specific technical controls described in this scheme. A SOC 2 Type II audit does not satisfy the STAR for AI Agentic Level 2 audit requirements, but organizations that have invested in SOC 2 Type II programs will find that the evidence collection and control documentation work is substantially reusable in a STAR for AI Agentic engagement. The availability controls, change management evidence, and logging and monitoring documentation relevant to SOC 2 all map to AICM control domains audited in the agentic scheme, reducing the marginal documentation burden of pursuing both programs concurrently.
FedRAMP is the US federal authorization framework for cloud services deployed in government environments, and its relevance to the agentic certification scheme is increasing as federal agencies begin deploying agentic AI capabilities. FedRAMP’s AI-related requirements are still developing; current FedRAMP guidance addresses AI systems primarily through the AI Risk Management section of NIST SP 800-53 Rev. 5 and through agency-specific AI governance policies. [11] STAR for AI Agentic certification is not a substitute for FedRAMP authorization, and the two programs have distinct scopes and purposes. However, organizations pursuing FedRAMP authorization for agentic AI products will find that STAR for AI Agentic Level 2 certification provides useful preparation: the audit evidence, control documentation, and behavioral assessment records produced in a STAR for AI Agentic engagement align well with the documentation requirements for a FedRAMP AI system boundary analysis, and the behavioral assessment methodology provides a structured framework for the continuous monitoring activities that FedRAMP requires.
The EU AI Act is the most consequential regulatory development for AI systems operating in European markets, and the agentic certification scheme is explicitly designed to support conformity with its requirements. The Act’s conformity assessment obligations for high-risk AI systems—which include many categories of autonomous agent deployment—became enforceable from August 2, 2026, with full obligations applying from August 2027. [12] The Act requires providers of high-risk AI systems to implement risk management systems, maintain technical documentation, ensure appropriate human oversight, and carry out conformity assessments before placing systems on the market. STAR for AI Agentic Level 2 certification is not a notified-body conformity assessment under the EU AI Act, and organizations subject to the Act’s high-risk system requirements must complete the applicable conformity assessment procedure as a separate compliance step. However, the agentic scheme’s audit procedures and documentation requirements are designed to produce evidence that directly supports EU AI Act conformity: the behavioral assessment report satisfies elements of Article 9 risk management documentation requirements, the agent identity and tool permission governance records satisfy elements of Article 12 logging obligations, and the runtime behavior assessment addresses Article 14 human oversight requirements for autonomous systems. Organizations that complete Level 2 Agentic certification before undertaking EU AI Act conformity assessment will have substantially completed the technical investigation and documentation work required for that assessment, reducing both the time and the cost of the conformity process.
8. Framework Alignment
The table below presents the complete certification-level-to-framework alignment for the STAR for AI Agentic Certification Scheme. Each row represents a certification tier or system type; columns map requirements to the AICM Agentic Supplement control domains, ISO 42001 clauses, EU AI Act articles, and NIST AI RMF functions. This table is designed as a working reference for compliance teams, auditors, and procurement specialists navigating multi-framework alignment.
| Certification Tier / System Type | AICM Agentic Supplement Control Domains | ISO 42001 Clauses | EU AI Act Articles | NIST AI RMF Functions |
|---|---|---|---|---|
| Level 1 Agentic — All Systems | AA (Identity & Authorization); AA (Runtime Behavior); AA (Tool Permission Governance) | Cl. 4 (Context), Cl. 5 (Leadership), Cl. 6 (Planning) | Art. 9 (Risk Mgmt), Art. 13 (Transparency) | Govern, Map |
| Level 1 Agentic — Copilot | AA (Identity & Authorization, partial); AA (Human Escalation) | Cl. 6.1 (Risk Assessment), Cl. 8.4 (AI System Lifecycle) | Art. 13, Art. 14 (Human Oversight) | Govern, Map |
| Level 1 Agentic — Autonomous Agent | AA (Identity & Authorization); AA (Memory & Context); AA (Runtime Behavior); AA (Tool Permissions) | Cl. 6.1, Cl. 8 (full), Cl. 9.1 (Monitoring) | Art. 9, Art. 12, Art. 14, Art. 15 (Accuracy & Robustness) | Govern, Map, Measure |
| Level 1 Agentic — Orchestrator | AA (all domains); MS (Model Security); IAM (Agent Identity) | Cl. 6.1, Cl. 8 (full), Cl. 9 (full) | Art. 9, Art. 12, Art. 14, Art. 15, Art. 17 (Quality Mgmt) | Govern, Map, Measure, Manage |
| Level 1 Agentic — Multi-Tenant Service | AA (all domains); IAM (Tenant Isolation); DSP (Data Segregation) | Cl. 6.1, Cl. 8 (full), Cl. 9.1, Cl. 9.2 (Audit) | Art. 9, Art. 12, Art. 13, Art. 25 (Deployer Obligations) | Govern, Map, Measure, Manage |
| Level 2 Agentic — All Systems | All Level 1 Agentic domains + evidence validation | Cl. 6 (Planning), Cl. 8 (Operation), Cl. 9.2 (Internal Audit), Cl. 10 (Improvement) | Art. 9, Art. 11 (Technical Documentation), Art. 12, Art. 14, Art. 15 | Govern, Map, Measure, Manage |
| Level 2 Agentic — Runtime Behavior Assessment | AA (Runtime Behavior); TVM (Adversarial Testing); LOG (Behavioral Logging) | Cl. 8.3 (AI System Testing), Cl. 8.5 (Operational Monitoring), Cl. 9.1 | Art. 9(7) (Residual Risk), Art. 12, Art. 15 | Measure, Manage |
| Level 2 Agentic — Inter-Agent Comms Verification | AA (Inter-Agent Trust); IAM (Agent Authentication); LOG (Comms Audit) | Cl. 8.2 (AI System Requirements), Cl. 8.4 | Art. 12, Art. 15 | Map, Measure |
| Level 2 Agentic — Agent Identity Lifecycle | IAM (Agent Identity Provisioning, Deprovisioning); AA (Credential Governance) | Cl. 7.2 (Competence), Cl. 8.4 (Lifecycle Mgmt) | Art. 9, Art. 12, Art. 17 | Govern, Manage |
| Level 2 Agentic — Tool Permission Governance | AA (Tool Permissions); IAM (Least Privilege); LOG (Tool Invocation Audit) | Cl. 8.3 (Testing), Cl. 8.5 (Operational Monitoring), Cl. 9.1 | Art. 9, Art. 12, Art. 14 | Measure, Manage |
| Continuous Certification | All Level 2 Agentic domains + real-time telemetry | Cl. 9.1 (Performance Eval), Cl. 9.3 (Management Review), Cl. 10.2 (Corrective Action) | Art. 9(8) (Regular Review), Art. 72 (Post-Market Monitoring) | Measure, Manage |
The mapping in this table reflects the state of the AICM Agentic Supplement, ISO 42001:2023, the EU AI Act, and the NIST AI RMF 1.0 as of the publication date of this whitepaper. All four source frameworks are subject to update; the CSAI Foundation will maintain this alignment table as a living document and publish updated versions as source frameworks evolve. Organizations using this table for compliance planning should verify against current source framework versions before finalizing their compliance documentation.
One alignment observation deserves specific attention: the NIST AI RMF Measure and Manage functions are heavily weighted toward the Level 2 Agentic and Continuous Certification tiers rather than Level 1. This reflects a deliberate design choice. Self-assessment at Level 1 Agentic is principally a governance and mapping exercise—organizations document what their systems do and how they govern them—while third-party audit and continuous monitoring are where measurement and management activities are verified to be actually functioning. The implication for organizations planning their certification roadmap is that Level 1 Agentic alone provides limited assurance for procurement purposes in contexts where NIST AI RMF alignment is evaluated; the Measure and Manage functions are substantially verified only at Level 2 Agentic and Continuous Certification.
The EU AI Act column highlights another structural consideration: several articles relevant to high-risk autonomous agent systems—particularly Article 9 (risk management), Article 12 (logging), Article 14 (human oversight), and Article 15 (accuracy and robustness)—appear across all certification tiers, while Article 72 (post-market monitoring for high-risk systems) aligns exclusively with Continuous Certification. This reflects the Act’s requirements for ongoing monitoring of high-risk AI systems throughout their operational lifecycle, not just at the time of initial conformity assessment. Organizations subject to the EU AI Act’s high-risk provisions should treat Continuous Certification as a compliance-relevant designation for Article 72 purposes, even though STAR for AI Agentic certification is not itself a notified-body conformity assessment procedure under the Act.
References
[1] Cloud Security Alliance. “Cloud Security Alliance Launches STAR for AI, Establishing the Global Framework for Responsible and Auditable Artificial Intelligence.” CSA Press Release, October 23, 2025. https://cloudsecurityalliance.org/press-releases/2025/10/23/cloud-security-alliance-launches-star-for-ai-establishing-the-global-framework-for-responsible-and-auditable-artificial-intelligence
[2] Cloud Security Alliance. “Cloud Security Alliance Announces Availability of STAR for AI Level 2 and Valid-AI-ted for AI.” CSA Press Release, November 20, 2025. https://cloudsecurityalliance.org/press-releases/2025/11/20/cloud-security-alliance-announces-availability-of-star-for-ai-level-2-and-valid-ai-ted-for-ai
[3] Cloud Security Alliance. “Cloud Security Alliance Launches STAR for AI.” October 23, 2025. (Early adopters Anthropic, Sierra, and Zendesk posted ISO 42001 certificates to the STAR Registry.) https://cloudsecurityalliance.org/press-releases/2025/10/23/cloud-security-alliance-launches-star-for-ai-establishing-the-global-framework-for-responsible-and-auditable-artificial-intelligence
[4] Cloud Security Alliance. “Cloud Security Alliance Launches CSAI Foundation With Mission of ‘Securing the Agentic Control Plane.’” CSA Press Release, March 23, 2026. https://cloudsecurityalliance.org/press-releases/2026/03/23/csa-securing-the-agentic-control-plane
[5] Cloud Security Alliance. “STAR | Cloud Security Alliance (CSA).” https://cloudsecurityalliance.org/star
[6] OWASP GenAI Security Project. “OWASP Top 10 for Agentic Applications.” December 2025. Referenced in Cloud Security Alliance. “The Agentic Trust Framework: Zero Trust Governance for AI Agents.” February 2, 2026. https://cloudsecurityalliance.org/blog/2026/02/02/the-agentic-trust-framework-zero-trust-governance-for-ai-agents
[7] ISO/IEC 42001:2023. “Information Technology — Artificial Intelligence — Management System.” International Organization for Standardization, 2023. https://www.iso.org/standard/42001
[8] Anthropic. “Anthropic Achieves ISO 42001 Certification for Responsible AI.” January 2025. https://www.anthropic.com/news/anthropic-achieves-iso-42001-certification-for-responsible-ai
[9] Cloud Security Alliance. “AI Controls Matrix.” CSA Artifact, July 2025. https://cloudsecurityalliance.org/artifacts/ai-controls-matrix
[10] Cloud Security Alliance. “6 Key Steps to ISO 42001 Certification Explained.” CSA Blog, July 7, 2025. https://cloudsecurityalliance.org/blog/2025/07/07/6-key-steps-to-iso-42001-certification-explained
[11] NIST. “Artificial Intelligence Risk Management Framework (AI RMF 1.0).” NIST AI 100-1, January 2023. https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf
[12] European Commission. “EU AI Act: Timeline and Compliance Requirements.” (High-risk AI system obligations effective August 2, 2026; full obligations from August 2027.) https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
[13] Zendesk. “Zendesk Sets a New Baseline for AI Transparency: First to Achieve CSA STAR AI Levels 1 & 2 Certification.” Zendesk Blog, 2025. https://www.zendesk.com/blog/zip2-csa-star-ai-levels-1-2-certification/
[14] Cloud Security Alliance. “Securing the Agentic Control Plane in 2026.” CSA Blog, March 20, 2026. https://cloudsecurityalliance.org/blog/2026/03/20/2026-securing-the-agentic-control-plane
[15] Cloud Security Alliance. “Understanding STAR for AI Level 2: A Practical Step Toward AI Security Compliance.” CSA Blog, November 19, 2025. https://cloudsecurityalliance.org/blog/2025/11/19/understanding-star-for-ai-level-2-a-practical-step-toward-ai-security-compliance