TAISE Agentic Body of Knowledge

White Paper | 2026-03-27 | Status: draft

TAISE Agentic Body of Knowledge

Executive Summary

The global AI security workforce faces a structural deficit that no single hiring wave can close. Enterprises are deploying agentic AI systems — autonomous agents capable of planning, tool invocation, multi-step reasoning, and consequential action — at a pace that security teams were not staffed or trained to meet. A December 2025 study found that while 65 percent of organizations view real-time enforcement of agent behavior as critical, fewer than half have implemented any enforcement mechanism, and only 21 percent of executives can account for their agents’ permissions, tool usage, or data access patterns. [1] The resulting exposure is not theoretical: eighty percent of organizations surveyed in early 2026 reported risky agent behaviors, including unauthorized system access and improper data exposure. [2] The problem is not that security professionals lack diligence. It is that the knowledge required to secure agentic systems — spanning novel threat taxonomies, non-human identity frameworks, multi-agent trust models, and a rapidly evolving regulatory landscape — does not yet have a widely recognized and structured professional curriculum.

The Cloud Security Alliance’s Trusted AI Safety Expert (TAISE) certification, introduced in April 2025 and formally launched in October 2025, established the industry’s first credential purpose-built for trustworthy AI deployment. [3] TAISE covers ten modules of AI safety across the full AI lifecycle, from foundational architectures and ethics through governance, risk management, and MLSecOps practice, earning recognition as a finalist for the 2026 SC Awards’ Best Professional Certification Program. [4] As agentic AI has become the dominant enterprise deployment pattern, the CSA AI Safety Initiative has developed this TAISE Agentic Body of Knowledge to define the advanced competency layer specifically addressing autonomous, tool-using, multi-agent systems.

This document defines seven competency domains that together constitute the professional knowledge base for the TAISE Agentic track. The domains were designed through a structured job task analysis of emerging security roles at organizations deploying production agentic systems, cross-referenced against CSAI’s own 2026 deliverable portfolio, the OWASP Top 10 for Agentic Applications, MITRE ATLAS v5.x agentic techniques, the CSA AI Controls Matrix (AICM) v1.0, and the MAESTRO threat modeling framework. [5][6][7][8] Learning objectives are structured using Bloom’s revised cognitive taxonomy, progressing from recall and comprehension through application, analysis, evaluation, and creation — the same framework that governs CISSP, CISM, and CompTIA Security+ domain design, and that research confirms produces demonstrably better outcomes in cybersecurity education programs than competency lists alone. [9]

The seven domains are sequenced to reflect professional learning progression. Domain 1 establishes architectural foundations without which subsequent threat, control, and governance knowledge lacks a referent. Domains 2 through 5 move from threat understanding through hands-on security practice. Domains 6 and 7 address the compliance and governance skills that translate technical security work into organizational accountability. Collectively, the body of knowledge targets security architects, platform engineers, GRC practitioners, red team operators, and enterprise leaders who carry direct responsibility for the safety, integrity, and trustworthiness of agentic AI deployments.

1. Introduction: Building the Agentic Security Workforce

The professional security workforce has confronted new technology paradigms before — cloud computing, containerization, DevSecOps — and each transition demanded not merely updated tool skills but a reconceptualization of the threat model, the control surface, and the professional vocabulary through which risks are communicated. Agentic AI represents a transition of comparable magnitude, and the gap between practitioner preparation and operational need is wider than most previous transitions because the threat surface is qualitatively different rather than merely larger.

A cloud infrastructure security engineer who retrains for container security is extending a skill set built on the same foundational concepts: network segmentation, identity management, secrets protection, and workload isolation. The principles travel. An endpoint security engineer who encounters agentic AI, however, faces a system that initiates actions rather than responding to them, that accumulates permissions across a runtime lifetime that may span hours or days, that communicates with other agents through trust channels that have no analog in traditional PKI, and that can be manipulated through the natural-language interfaces that give it its value. The threat model is structurally different, not merely more complex.

This structural difference is why credentialing matters. Professional certifications serve two functions simultaneously: they define what practitioners in a given role are expected to know, and they signal to employers that the credential holder has demonstrated that knowledge against an objective standard. In an emerging field like agentic AI security, where practitioner knowledge is unevenly distributed and employer expectations are still forming, the body of knowledge that underpins a certification is itself a professional contribution. It establishes a shared vocabulary, a common syllabus, and a reference point for curriculum development that benefits the field well beyond the population of candidates who eventually sit the exam.

The broader policy context reinforces this urgency. President Trump’s April 2025 Executive Order on Advancing Artificial Intelligence Education for American Youth established the White House Task Force on AI Education, chaired by the Director of the Office of Science and Technology Policy, and directed the National Science Foundation and Department of Labor to prioritize AI training and apprenticeship programs. [10] The EU AI Act’s AI literacy obligation, which came into force for deployers and providers from February 2025, requires that organizations ensure staff interacting with AI systems possess a sufficient level of AI literacy commensurate with the risks involved, with the specific competency requirements for high-risk AI system operators becoming enforceable from August 2026. [11] These policy signals from opposite sides of the Atlantic converge on the same professional development imperative: structured, verifiable competency in AI safety is no longer optional for organizations that deploy AI systems in consequential domains.

The TAISE Agentic Body of Knowledge is the CSA’s response to this imperative at the practitioner level. It does not replace foundational AI security literacy — TAISE’s ten-module base curriculum covers that ground — but extends it into the specific, hands-on, analytically demanding territory of autonomous agentic systems. Practitioners who complete the TAISE Agentic track should be equipped to architect secure agentic deployments, conduct threat-informed risk assessments, evaluate compliance postures against the full stack of relevant frameworks, govern agent identity lifecycles, and communicate agentic risk to executive and board-level audiences with the precision and credibility that organizational accountability requires.

2. TAISE Certification Overview

2.1 The Base TAISE Certification

The Trusted AI Safety Expert (TAISE) certificate was developed by the Cloud Security Alliance in partnership with Northeastern University and launched to the market in October 2025 following a development period initiated by CSA’s April 2025 announcement. [3][12] It is the first industry credential designed specifically to prepare professionals for leadership in trustworthy AI deployment, and its market differentiation is grounded in its breadth: TAISE spans the technical, ethical, operational, and governance dimensions of AI safety rather than focusing exclusively on technical security controls.

The base TAISE curriculum is delivered across ten self-paced modules and is offered exclusively as a training-and-exam bundle — there is no exam-only pathway, a design decision that reflects CSA’s commitment to knowledge-based rather than experience-proxy credentialing. The ten modules cover foundational AI knowledge, generative AI architectures, applied use cases, ethics and transparency, governance and compliance, AI lifecycle risk, cloud and data security for AI, MLSecOps practices, and continuous adaptation frameworks. [3] Upon completing the training and passing the assessment, holders earn the TAISE certificate and associated Credly digital badge, which is recognized by industry partners and hiring organizations as evidence of practitioner-level AI safety competency.

The TAISE Agentic track introduced in this body of knowledge is an advanced-level extension of the base certification, analogous in structure to the relationship between CCSK Foundation and CCSK Advanced — or, in the broader certification market, between CompTIA Security+ and CompTIA CySA+. Candidates for the Agentic track are expected to hold, or demonstrate equivalent knowledge to, the base TAISE certificate before commencing advanced track preparation. The Agentic track addresses specifically the security, governance, risk, and compliance challenges of autonomous, tool-using, multi-agent AI systems that operate with extended autonomy in enterprise and critical infrastructure environments.

2.2 Relationship to Other CSA Credentials

The CSA credential portfolio has evolved over more than a decade of cloud security practice, with the Certificate of Cloud Security Knowledge (CCSK) serving as the foundational credential that established the model. CCSK v5, the current version, organizes cloud security knowledge across twelve domains and is widely recognized as the entry-level benchmark for cloud security competency, particularly valuable as a precursor to the (ISC)² Certified Cloud Security Professional (CCSP) credential. [13] TAISE sits alongside CCSK as a practitioner-level, exam-and-training-based credential, but addresses AI-specific rather than cloud-general knowledge.

Within the CSAI program, TAISE is one of three educational deliverables alongside the TAISE CxO track — designed for board-level and executive audiences who require AI risk fluency without deep technical preparation — and this TAISE Agentic Body of Knowledge, which provides the advanced technical and governance curriculum for practitioners operating agentic AI systems directly. The three tracks are designed to serve complementary audiences within a single organizational AI safety program and to create a shared professional vocabulary across technical, operational, and executive layers.

2.3 Target Audience for the Agentic Track

The TAISE Agentic track is designed for practitioners who interact directly with agentic AI systems in security, governance, development, or assurance roles. The primary audience includes security architects and engineers responsible for designing and hardening agentic platforms; GRC practitioners developing compliance programs for AI agent deployments; identity and access management engineers extending NHI governance to agent workloads; red team operators and penetration testers who assess agentic systems adversarially; cloud platform engineers deploying and operating agent orchestration frameworks; and AI product security leads embedded in development organizations building agentic capabilities.

A secondary audience includes auditors preparing for STAR for AI Level 2 engagements against AICM-compliant organizations; compliance officers navigating EU AI Act high-risk system requirements; and enterprise architects who design the organizational structures and policies that govern agentic AI adoption. These practitioners do not require hands-on laboratory proficiency at the same depth as platform engineers, but do require fluency with the technical content sufficient to evaluate vendor claims, interpret assessment findings, and make well-grounded governance decisions.

3. Seven Competency Domains

Domain 1: Agentic AI Architecture and Security Fundamentals

Domain Description

Security practice that lacks architectural grounding produces controls that are misplaced, incomplete, or optimized for threats that do not match the actual system design. Domain 1 establishes the conceptual and technical foundation that all subsequent TAISE Agentic domains presuppose: a precise understanding of how agentic AI systems are built, how they process information and take action, and where their architectural characteristics create security properties and vulnerabilities that differ categorically from those of non-agentic AI deployments.

The MAESTRO framework, developed by the Cloud Security Alliance in February 2025, provides the primary architectural reference for this domain. MAESTRO’s seven-layer model — Foundation Models, Data Operations, Agent Frameworks, Deployment and Infrastructure, Evaluation and Observability, Security and Compliance, and Agent Ecosystem — offers a structured decomposition of the agentic stack at the appropriate level of granularity for security analysis. [8] Domain 1 ensures that practitioners can locate any specific security concern at its correct MAESTRO layer, a prerequisite for meaningful threat modeling, control selection, and gap analysis in subsequent domains.

Beyond MAESTRO, Domain 1 covers the major agent frameworks that practitioners will encounter in enterprise environments — LangChain, LangGraph, AutoGen, CrewAI, and proprietary orchestration platforms — along with their security-relevant architectural characteristics, including how they handle tool registration, memory management, sub-agent spawning, and credential injection. The Model Context Protocol (MCP), which has emerged as the de facto standard for connecting agents to external tools and data sources, receives detailed treatment in this domain, as its architecture directly shapes the attack surface that Domain 2 analyzes. [14] The domain also covers multi-agent system topologies — orchestrator-worker hierarchies, peer-to-peer agent networks, and hybrid human-in-the-loop configurations — and the trust, communication, and delegation patterns characteristic of each.

Learning Objectives

Candidates completing Domain 1 will be able to:

  1. Remember and Understand: Describe the seven layers of the MAESTRO framework and explain the security-relevant characteristics of each layer, including the principal threat categories that originate at that layer and the control families most applicable to its protection.
  2. Understand: Explain how agentic AI systems differ architecturally from interactive AI systems, with specific reference to the role of the planning loop, tool invocation mechanisms, memory subsystems, and sub-agent delegation in creating an extended action surface.
  3. Apply: Given a description of an enterprise agentic deployment, produce a MAESTRO layer-annotated architecture diagram that correctly locates the components of the deployment and identifies the trust boundaries between them.
  4. Analyze: Analyze a specified agent framework’s configuration model to identify its mechanisms for credential injection, tool registration, and context management, and assess the security implications of each.
  5. Evaluate: Compare the security properties of at least two multi-agent topology patterns — specifically orchestrator-worker and peer-to-peer configurations — evaluating the attack surface implications of each for a given threat scenario.
  6. Create: Design a conceptual security architecture for a multi-agent system that addresses the trust, identity, and observability requirements identified in the scenario, justifying design choices by reference to MAESTRO layer security principles.

Key Topics

Domain 1 covers the following technical content areas: foundation model inference architecture and the security implications of prompt context management; agent planning loop mechanics, including chain-of-thought reasoning and its relevance to goal integrity; tool-use patterns and the security properties of tool registration, invocation, and result processing; memory architectures, including in-context memory, external vector stores, and episodic memory systems; MCP protocol architecture, transport mechanisms, authentication model, and server trust assumptions; multi-agent communication patterns, including orchestration metadata, delegation tokens, and result routing; agent lifecycle management from initialization through decommissioning; and the comparative security profiles of major commercially available and open-source agent frameworks.

Key References

Primary framework references for Domain 1 include the MAESTRO threat modeling framework [8], the CSAI MCP Security Best Practices Guide [14], the OWASP Top 10 for Agentic Applications — particularly ASI02 (Tool Misuse and Exploitation) and ASI07 (Insecure Inter-Agent Communications) — [6], and the AICM v1.0 Agentic AI (AA) and Agent Frameworks domain controls [7]. External references include the official documentation for LangChain, AutoGen, and CrewAI; the MCP specification maintained by Anthropic; and the NIST AI RMF 1.0 MAP function guidance for AI system context documentation. [15]

Assessment Criteria

Domain 1 is assessed through multiple-choice questions testing recall and comprehension of MAESTRO layer definitions, architectural component identification, and protocol characteristics; and through scenario-based items requiring candidates to correctly classify deployment components, identify trust boundary violations, and evaluate architectural design choices against security principles. Scenario-based items constitute at least 60 percent of Domain 1 exam coverage, reflecting the applied and analytical learning objectives that define professional competency in this area.

Hands-on Lab Requirements

Candidates must complete laboratory exercises in which they: deploy a multi-agent system using at least one of the three reference frameworks (LangChain, AutoGen, or CrewAI), configure an MCP server connection, and produce a MAESTRO-annotated architecture diagram of the resulting deployment; identify the credential injection pattern used by their deployed framework and assess whether it complies with least-privilege principles; and conduct a structured architectural review of a provided agentic system configuration, documenting at least three security concerns with reference to specific MAESTRO layers. Lab work is evaluated through submitted artifacts, which must demonstrate accuracy in MAESTRO layer assignment and quality of security analysis reasoning.

Domain 2: Agentic Threat Landscape

Domain Description

Understanding the threat landscape that agentic AI systems face is a prerequisite for every downstream security activity — risk assessment, control selection, red team planning, incident response design, and compliance mapping all proceed from threat knowledge. Domain 2 establishes comprehensive fluency with the adversarial techniques, risk categories, and documented incidents that characterize attacks on agentic AI deployments, drawing on three principal taxonomic frameworks: MITRE ATLAS, the OWASP Top 10 for Agentic Applications, and the CSAI Foundation’s own threat intelligence research.

The MITRE ATLAS framework, as of its October 2025 update, contains 15 tactics, 66 techniques, and 46 sub-techniques, including fourteen new techniques developed in collaboration with Zenity Labs that explicitly address AI agent security. [16] Key agentic technique additions include AI Agent Context Poisoning (AML.T0080), which involves manipulating the context window to persistently influence agent responses or actions; Modify AI Agent Configuration (AML.T0081), which involves altering agent configuration files to create persistent malicious behavior; RAG Credential Harvesting (AML.T0082); and Exfiltration via AI Agent Tool Invocation (AML.T0086). [16] Beyond ATLAS’s formal technique taxonomy, the CSAI ATLAS Agentic Gap Analysis, produced in March 2026, identified six additional technique categories not yet formally represented in ATLAS: agent-to-agent lateral movement, tool-chain poisoning, orchestrator hijacking, credential relay through delegation chains, cross-session memory persistence, and MCP server compromise as a pivot point. [17]

The OWASP Top 10 for Agentic Applications, released by the OWASP GenAI Security Project in December 2025 based on input from more than 100 security researchers and practitioners, provides a risk-oriented complement to ATLAS’s technique-oriented taxonomy. [6] The ten risk categories — from ASI01 (Agent Goal Hijack) and ASI02 (Tool Misuse and Exploitation) through ASI10 (Rogue Agents) — map to real-world attack patterns that practitioners will encounter in both red team engagements and production incident investigations. Domain 2 ensures that candidates can navigate both frameworks fluently and understand the relationships between them: a single attacker campaign will typically instantiate multiple ATLAS techniques while realizing multiple OWASP ASI risk categories simultaneously.

Learning Objectives

Candidates completing Domain 2 will be able to:

  1. Remember and Understand: Identify and describe each of the ten OWASP ASI risk categories for agentic applications, explaining the attack mechanism, likely impact, and target system component for each.
  2. Understand: Explain the relationship between MITRE ATLAS tactics and techniques for agentic attacks, distinguishing between model-targeting techniques that predate the agentic threat expansion and agent-specific techniques added in the October 2025 update.
  3. Apply: Map a described attack scenario against the relevant OWASP ASI categories and MITRE ATLAS tactics, providing justification for each mapping with reference to the specific attack behaviors present in the scenario.
  4. Analyze: Analyze a multi-stage attack chain against an agentic deployment, decomposing it into individual ATLAS techniques, tracing the attacker’s lateral movement through agent trust relationships, and identifying the detection opportunities at each stage.
  5. Evaluate: Evaluate the threat relevance of a given ATLAS technique or OWASP ASI risk category against a specified deployment architecture, assessing the technical feasibility of exploitation and the potential business impact.
  6. Create: Develop a threat model for a provided agentic deployment using MAESTRO as a structural reference and ATLAS plus OWASP ASI as threat source taxonomies, producing a prioritized list of high-probability, high-impact attack scenarios.

Key Topics

Domain 2 covers: the OWASP ASI Top 10 in technical depth, including attack mechanisms, detection indicators, and mitigation approaches for each category; MITRE ATLAS tactics and techniques with particular focus on agentic additions; prompt injection and goal hijacking techniques against LLM-based planners; tool misuse and exploitation patterns, including tool-description poisoning and parameter injection; identity and privilege abuse in agent delegation chains; agentic supply chain vulnerabilities, including compromised MCP servers, poisoned tool registries, and malicious agent personas; memory and context poisoning techniques against RAG systems and episodic memory stores; insecure inter-agent communication vulnerabilities; cascading failure propagation in multi-agent workflows; the OpenClaw and NemoClaw vulnerability ecosystem as documented in CSA research, including CVE-2026-25253 and CVE-2026-24763; and documented real-world agentic security incidents from the period 2024–2026.

Key References

Domain 2 references the OWASP Top 10 for Agentic Applications 2026 [6], the MITRE ATLAS framework and technique catalog [16], the CSAI ATLAS Agentic Gap Analysis [17], the CSA research notes on OpenClaw and NemoClaw [18], and the CSAI CVE/CWE Agentic Catalog [19]. External references include the Zenity Labs agentic threat research informing the October 2025 ATLAS update and the MITRE OpenClaw investigation report. [16]

Assessment Criteria

Domain 2 is assessed through multiple-choice items covering ATLAS technique identification and OWASP ASI category definitions, and through scenario-based items that present attack narratives and require candidates to produce accurate threat taxonomy classifications, identify missed detection opportunities, and propose targeted mitigations. Performance-based items presented in a virtual lab environment require candidates to analyze telemetry from a simulated agentic attack, identify the attack technique in use, and document their findings in a structured threat analysis report.

Hands-on Lab Requirements

Candidates must complete laboratory exercises that include: executing a controlled prompt injection attack against a sandboxed agentic system and documenting the attack path using ATLAS technique identifiers; simulating a tool-description poisoning scenario against a reference MCP deployment and demonstrating how agent behavior can be manipulated through malicious tool metadata; and conducting a threat mapping exercise for a provided multi-agent architecture, producing a complete MAESTRO-ATLAS-OWASP ASI threat model with at least six unique attack scenarios. All lab exercises are conducted in controlled, isolated environments provided by the certification program.

Domain 3: Identity and Access Control for Agents

Domain Description

Identity is the foundational control plane for any distributed system, and agentic AI systems present identity management challenges that exceed the scale, dynamism, and complexity of any prior non-human identity (NHI) governance problem. A single enterprise agentic workflow may spawn dozens of ephemeral sub-agents during its execution lifetime, each requiring its own scoped credentials, each interacting with multiple external services, and each accumulating a permission history that must be attributable for audit purposes. The agent that persists across sessions accumulates context and memory that creates continuity of identity without the stable, human-controlled lifecycle that traditional identity management assumes. The agent that delegates to sub-agents must convey not merely instructions but bounded authority — and the mechanisms through which that authority is conveyed, verified, and revoked constitute a new layer of identity infrastructure that most enterprise IAM programs did not plan for.

Domain 3 establishes professional competency in the full lifecycle of agent identity and access control, from the foundational standards — SPIFFE/SPIRE for cryptographic workload identity, OAuth 2.0 scoping for agent authorization, and JWT claims structures for delegation attestation — through the governance frameworks and operational procedures required to manage NHI at enterprise scale. Gartner recognized NHI management as a 2025 strategic technology trend, and SPIFFE has become the de facto industry standard for workload identity, with HashiCorp Vault Enterprise adding native SPIFFE authentication support to simplify NHI provisioning for AI agent workloads. [20] Domain 3 provides practitioners with both the technical depth to implement these solutions and the governance fluency to build the policies and procedures that make them auditable and sustainable.

The AICM v1.0 Identity and Access Management (IAM) domain provides the primary controls framework for this domain, supplemented by the AICM Agentic Control Supplement’s proposed new controls for agent identity lifecycle management — identified in CSA analysis as one of the two areas where the gap between existing AICM controls and agentic system requirements is widest. [21] The principle of just-in-time (JIT) access provisioning, which eliminates standing permissions in favor of temporary credentials scoped to specific tasks, is central to Domain 3 and represents the most impactful single control available for reducing agentic attack surface.

Learning Objectives

Candidates completing Domain 3 will be able to:

  1. Remember and Understand: Describe the SPIFFE identity framework’s core concepts — SPIFFE IDs, SVIDs, and the SPIRE server-agent architecture — and explain how these concepts apply to AI agent workload identity provisioning.
  2. Understand: Explain the structure and security properties of OAuth 2.0 token scoping and JWT claims as applied to agent-to-service and agent-to-agent authorization, distinguishing between authorization delegation and identity impersonation.
  3. Apply: Configure a just-in-time access provisioning workflow for an agentic deployment, demonstrating how temporary credentials are issued, scoped to a specific task, and revoked upon task completion.
  4. Analyze: Analyze an agent delegation chain — a sequence of principal-to-agent and agent-to-sub-agent authorization steps — identifying where excessive privilege accumulates, where delegation attestation is missing, and where credential relay attacks are feasible.
  5. Evaluate: Evaluate an enterprise NHI governance program against the AICM IAM domain requirements and the proposed agentic identity controls, producing a gap assessment with remediation priorities.
  6. Create: Design an agent identity lifecycle management program for a specified enterprise deployment context, including policies for identity issuance, credential scoping, session management, and decommissioning, with supporting audit procedures.

Key Topics

Domain 3 covers: non-human identity taxonomy and governance frameworks; SPIFFE/SPIRE architecture and deployment patterns for AI agent workloads; OAuth 2.0 scoping and the principle of least privilege for agent authorization; JWT claims structures for delegation attestation and their verification requirements; just-in-time access provisioning architectures and their implementation in cloud-native agent deployments; agent credential lifecycle management, including provisioning, rotation, revocation, and audit trail requirements; delegation chain security, including the ATLAS technique for credential relay through delegation chains; multi-agent trust establishment patterns and the protocols available for inter-agent attestation; secrets management for agents, with reference to major vault platforms and their NHI support capabilities; and the AICM IAM domain controls as applied to agentic deployments, including the proposed supplement controls from the AICM Agentic Control Supplement.

Key References

Domain 3 references the AICM v1.0 IAM domain [7], the AICM Agentic Control Supplement Gap Analysis [21], the CSAI Agentic Identity Management guidance, the OWASP ASI ASI03 (Identity and Privilege Abuse) risk category [6], MITRE ATLAS techniques for agent credential harvesting [16], the SPIFFE/SPIRE specification and CNCF documentation [20], and the Non-Human Identity Management Group (NHIMG) published guidance on SPIFFE for agentic identity. [20]

Assessment Criteria

Domain 3 is assessed through multiple-choice items testing understanding of identity protocol concepts and policy requirements, and through scenario-based items that require candidates to diagnose identity and access control failures in described deployment configurations, propose remediation strategies, and design access control policies for novel agent deployment scenarios. Performance assessment requires candidates to demonstrate proficiency in configuring a reference SPIFFE/SPIRE deployment and implementing a JIT access workflow in a laboratory environment.

Hands-on Lab Requirements

Laboratory requirements for Domain 3 include: configuring a SPIRE server and agent deployment, issuing SVIDs to simulated agent workloads, and demonstrating identity attestation in a multi-service request chain; implementing an OAuth 2.0 authorization flow for agent-to-API access with scoped tokens and demonstrating token revocation; auditing a provided agent deployment’s NHI configuration against AICM IAM controls and producing a written gap assessment; and designing and documenting a JIT access policy for a specified multi-agent workflow, including the credential issuance triggers, scope constraints, and revocation conditions that govern each agent role.

Domain 4: Agentic Risk Assessment

Domain Description

Risk assessment is the bridge between threat knowledge and security investment, translating the adversarial landscape catalogued in Domain 2 and the structural vulnerabilities identified in Domain 1 into the quantified, prioritized, and communicable risk statements that drive organizational decision-making. For agentic AI systems, risk assessment requires both adaptation of established frameworks — particularly the NIST AI RMF — to the specific characteristics of autonomous deployments, and the application of agentic-specific assessment tools and methodologies that have no direct analog in traditional IT risk practice.

The NIST Artificial Intelligence Risk Management Framework 1.0 organizes risk management activities across four functions: Govern, Map, Measure, and Manage. [15] All four functions apply to agentic deployments, but the MAP function — which frames the context and identifies AI-related risks — requires substantial adaptation to capture the goal-directed, tool-using, and multi-agent characteristics that distinguish agentic systems from the interactive AI systems the framework primarily addresses. NIST has committed to developing specific overlays for agentic and multi-agent AI systems, and Domain 4 teaches practitioners to perform MAP function activities in the interim using current available guidance supplemented by the CSAI program’s agentic risk assessment tools. [15]

The RiskRubric evaluation framework, developed as part of the CSAI 2026 program, provides a structured methodology for quantifying risk in agentic deployments across five dimensions: autonomy scope, tool invocation surface, delegation depth, memory persistence, and human oversight fidelity. Domain 4 trains practitioners in the application of this framework alongside telemetry analysis techniques that extract risk indicators from agent execution logs, trace data, and behavioral monitoring outputs. The integration of quantitative risk scoring with qualitative regulatory risk assessment — particularly under the EU AI Act’s high-risk system classification criteria — is a core Domain 4 competency that practitioners in compliance-intensive organizations will exercise regularly.

Learning Objectives

Candidates completing Domain 4 will be able to:

  1. Remember and Understand: Describe the four functions of the NIST AI RMF 1.0 and explain how each function applies to the governance and risk management of an agentic AI deployment.
  2. Understand: Explain the dimensions of the RiskRubric evaluation framework and the risk indicators associated with each dimension, including how high-autonomy, high-tool-surface deployments differ in risk profile from bounded, human-supervised agent tasks.
  3. Apply: Apply the NIST AI RMF MAP function to a described agentic deployment, identifying the system’s context, stakeholders, impacts, and risk categories in a format suitable for organizational risk documentation.
  4. Analyze: Analyze agent execution telemetry — including log excerpts, trace data, and behavioral monitoring outputs — to identify anomalous patterns indicative of goal drift, credential abuse, or unauthorized tool invocation.
  5. Evaluate: Evaluate a completed agentic risk assessment using the RiskRubric framework, identifying gaps in coverage, challenging risk severity ratings, and recommending additional assessment activities where the documented evidence is insufficient.
  6. Create: Produce a comprehensive risk assessment for a specified agentic deployment, integrating NIST AI RMF MAP outputs, RiskRubric scoring, telemetry-derived indicators, and regulatory risk classification into a unified risk register with prioritized treatment recommendations.

Key Topics

Domain 4 covers: NIST AI RMF 1.0 in full, with emphasis on Map and Measure function activities as applied to agentic systems; the RiskRubric evaluation framework and its five scoring dimensions; telemetry architecture for agentic systems, including distributed tracing, structured logging, and behavioral monitoring patterns; risk indicator taxonomy for agentic deployments, including goal drift indicators, privilege escalation signals, and memory poisoning indicators; quantitative risk scoring methods and their limitations in novel deployment contexts; EU AI Act high-risk AI system classification criteria and their application to agentic deployments under Annex III categories; integration of AI risk assessments with enterprise risk management programs; risk communication frameworks for translating technical risk assessments into executive-level risk statements; and the AICM Governance, Risk, and Compliance (GRC) domain controls as applied to agentic deployments.

Key References

Domain 4 references the NIST AI RMF 1.0 [15], the CSAI RiskRubric evaluation framework, the AICM v1.0 GRC domain [7], the EU AI Act Annex III high-risk AI system classification criteria [22], the CSAI Master Framework Alignment Matrix [23], and MITRE ATLAS techniques relevant to behavior monitoring evasion. The CSAI AICM Agentic Control Supplement analysis of the AICM Logging and Monitoring (LOG) domain provides the controls context for telemetry-based risk assessment. [21]

Assessment Criteria

Domain 4 is assessed through multiple-choice items on NIST AI RMF concepts, risk scoring methodologies, and regulatory classification criteria; scenario-based items requiring risk assessment analysis and treatment recommendation; and a performance-based item in which candidates are provided with a telemetry dataset from a simulated agentic deployment and must produce a structured risk finding report identifying specific anomalies, their probable causes, and recommended mitigations.

Hands-on Lab Requirements

Laboratory requirements for Domain 4 include: conducting a NIST AI RMF MAP function assessment of a provided agentic system description and producing a structured context and risk identification document; applying the RiskRubric scoring framework to two provided deployment scenarios and comparing the resulting risk profiles with written justification; analyzing a provided telemetry dataset to identify at least three risk indicators, documenting each with the relevant log evidence; and producing a complete risk assessment report for a case study deployment that integrates all assessment inputs into a prioritized risk register with treatment options and residual risk evaluation.

Domain 5: Secure Agentic Development and Deployment

Domain Description

Security by design is the professional standard for any system that carries significant operational risk, and agentic AI systems meet that threshold with room to spare. Domain 5 addresses the full lifecycle of secure agentic system development and deployment — from the threat-informed design principles that should guide architecture decisions, through the platform hardening, runtime monitoring, and incident response capabilities required to maintain security posture over the operational life of a deployed system, to the adversarial testing practices that validate security claims against realistic attack scenarios.

The Agentic Secure Development Lifecycle (ASDL), defined in the CSAI program as the counterpart to traditional SDLC security practices adapted for agentic systems, provides the primary process framework for Domain 5. ASDL incorporates threat modeling at the design phase, security review gates at framework selection, tool registration, and deployment, runtime behavioral monitoring requirements, and post-deployment red team validation as a continuous practice rather than a one-time event. The integration of ASDL into organizational software development processes — including CI/CD pipelines, infrastructure-as-code toolchains, and container orchestration environments — is a practical engineering challenge that Domain 5 addresses with specific implementation guidance.

Platform hardening for agentic deployments introduces security requirements that do not have direct counterparts in traditional application security. Agent sandboxing — the isolation of agent tool invocation contexts to prevent lateral movement through the host environment — requires different technical approaches depending on whether agents run as containerized workloads, serverless functions, or managed platform services. Runtime monitoring for agentic systems must detect behavioral anomalies — goal drift, unexpected tool sequences, anomalous credential usage — in addition to the technical indicators that traditional security monitoring captures. Incident response procedures must account for the difficulty of cleanly terminating an agent mid-execution, the need to preserve behavioral audit trails that capture the agent’s full reasoning and action history, and the possibility that a compromised agent has already taken irreversible actions in connected systems before the compromise was detected.

Learning Objectives

Candidates completing Domain 5 will be able to:

  1. Remember and Understand: Describe the phases and security review gates of the Agentic Secure Development Lifecycle and explain the rationale for each gate in terms of the agentic threat categories it is designed to intercept.
  2. Understand: Explain the security properties and limitations of the major agentic platform hardening techniques — agent sandboxing, tool invocation firewalls, memory isolation, and output filtering — and the contexts in which each is most applicable.
  3. Apply: Apply ASDL security review criteria to a described agentic system design, identifying security gaps that would require remediation before the design should proceed to implementation.
  4. Analyze: Analyze the output of a runtime behavioral monitoring system for a deployed agentic deployment, distinguishing normal operational variation from behavioral anomalies that warrant investigation or intervention.
  5. Evaluate: Evaluate the completeness and realism of a red team testing plan for an agentic deployment, assessing whether the threat scenarios covered are representative of the actual threat landscape and whether the testing methodology will produce actionable findings.
  6. Create: Design a comprehensive security program for a described agentic deployment that integrates ASDL, platform hardening, runtime monitoring, incident response procedures, and red team validation into a coherent operational security posture.

Key Topics

Domain 5 covers: the Agentic Secure Development Lifecycle, including threat modeling integration, security review gates, and integration with CI/CD; agent platform hardening techniques, including sandboxing architectures, tool invocation firewalls, memory isolation, and prompt output filtering; secure tool registration and validation, including tool attestation mechanisms and supply chain integrity controls for MCP servers; runtime monitoring architectures for agentic systems, including behavioral baselining, anomaly detection, and alert triage procedures; agentic incident response, including agent suspension procedures, forensic evidence preservation for agent execution histories, and post-incident behavioral audit; red team testing methodologies for agentic deployments, including adversarial prompt injection, tool manipulation, credential relay, and orchestrator hijacking scenarios; CI/CD security integration for agentic development pipelines; container and serverless security considerations specific to agent workload deployment; and the AICM Infrastructure and Virtualization Security (IVS), Logging and Monitoring (LOG), and Threat and Vulnerability Management (TVM) domain controls as applied to agentic deployments.

Key References

Domain 5 references the CSAI ASDL specification, the AICM v1.0 IVS, LOG, and TVM domain controls [7], the CSAI MCP Security Best Practices Guide [14], the OWASP ASI risk categories relevant to platform security (ASI04, ASI05, ASI08) [6], MITRE ATLAS techniques for agent persistence and evasion [16], and the CSAI Agentic Control Supplement analysis of runtime monitoring gaps. [21] External references include NIST SP 800-53 control families for system monitoring and incident response as applied to AI workloads.

Assessment Criteria

Domain 5 is assessed through multiple-choice items on ASDL phases, hardening techniques, and incident response procedures; scenario-based items requiring candidates to identify security gaps in development and deployment configurations; and performance-based items requiring demonstration of practical red team and monitoring analysis skills in a laboratory environment. The performance-based assessment for Domain 5 carries the highest weight of any single domain assessment item, reflecting the fundamentally practical nature of secure development and deployment competency.

Hands-on Lab Requirements

Laboratory requirements for Domain 5 include: conducting an ASDL-structured security review of a provided agentic system design document and producing a written findings report with prioritized recommendations; configuring a runtime monitoring system for a deployed test agent and demonstrating the detection of at least two injected behavioral anomalies; executing a structured red team scenario against a sandboxed agentic deployment using at least two different attack techniques from the OWASP ASI or MITRE ATLAS taxonomies, documenting the approach, findings, and remediation guidance; and developing an incident response playbook for a specified agentic deployment scenario, including agent suspension procedures, evidence collection steps, and stakeholder notification protocols.

Domain 6: Compliance and Assurance

Domain Description

Compliance and assurance represent the organizational accountability layer that translates technical security practice into auditable, verifiable, and externally recognizable evidence of responsible AI deployment. For agentic AI systems, this layer is undergoing rapid construction: the frameworks that define what organizations must demonstrate — AICM, STAR for AI, ISO/IEC 42001, the EU AI Act, and AIUC-1 — are themselves new or newly extended to cover agentic deployments, and the audit practices that assess compliance against these frameworks are still being established. Domain 6 ensures that practitioners can navigate this landscape with precision, understanding not only what each framework requires but how the requirements interact, where they conflict, and how compliance activities for one framework can be structured to generate evidence useful across multiple frameworks simultaneously.

The CSA AI Controls Matrix (AICM) v1.0, published July 10, 2025, provides 243 control objectives across 18 security and governance domains and is explicitly designed as a superset of the Cloud Controls Matrix (CCM). [7] AICM is the controls framework that underlies STAR for AI, the global AI assurance scheme launched by CSA in October 2025, which provides two tiers of external verification: Level 1, which involves publishing an AI-CAIQ self-assessment to the CSA STAR Registry, and Level 2, which requires both ISO/IEC 42001 certification and a Valid-AI-ted AI-CAIQ scoring designation. [24] ISO/IEC 42001, the world’s first AI management system standard (published December 2023), establishes requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System across ten clauses with AI-specific Annex A controls covering bias mitigation, transparency, accountability, and data governance. [25]

The AIUC-1 compliance standard provides agent-centric controls built on ISO 42001, the EU AI Act, and NIST AI RMF, combining governance expectations with technical evaluation and testing requirements reviewed annually and with continuous technical testing conducted at least quarterly. [26] The EU AI Act’s provisions for high-risk AI systems under Article 9, 12, 14, and 15 — governing risk management systems, record-keeping, human oversight, and accuracy requirements respectively — become enforceable for the majority of high-risk AI system categories from August 2026, creating immediate compliance obligations for organizations operating agentic systems in regulated domains. [22] Domain 6 prepares practitioners to manage compliance programs that span this full landscape with efficiency and rigor.

Learning Objectives

Candidates completing Domain 6 will be able to:

  1. Remember and Understand: Describe the structure, scope, and assurance level of each major AI compliance framework — AICM, STAR for AI, ISO 42001, AIUC-1, and the EU AI Act — including the primary obligations each imposes on organizations that deploy agentic AI systems.
  2. Understand: Explain the relationship between AICM control objectives and the AI-CAIQ self-assessment instrument, describing how the AI-CAIQ is used to generate evidence for STAR for AI Level 1 submissions and as preparatory documentation for Level 2 engagements.
  3. Apply: Map the controls coverage of a described organizational security program against AICM domain requirements, identifying gaps that would prevent a successful STAR for AI Level 1 self-assessment or Level 2 audit.
  4. Analyze: Analyze an organization’s agentic AI deployment against EU AI Act Annex III high-risk AI system criteria and the Article 9, 12, 14, and 15 obligations applicable to high-risk systems, producing a compliance gap analysis with supporting rationale.
  5. Evaluate: Evaluate a proposed compliance approach for an organization subject to both STAR for AI Level 2 requirements and EU AI Act high-risk system obligations, assessing whether the proposed approach achieves meaningful compliance or merely formal checkbox completion.
  6. Create: Design an integrated compliance program for a specified organization that simultaneously addresses AICM, STAR for AI, ISO 42001, and relevant EU AI Act obligations, demonstrating how evidence generated for one framework is leveraged across others to minimize duplicative effort.

Key Topics

Domain 6 covers: AICM v1.0 in structural depth, including domain taxonomy, control objective format, implementation guidance, and mapping to external frameworks; the AI-CAIQ instrument and its use in STAR for AI Level 1 self-assessment; STAR for AI Level 1 and Level 2 requirements, including the ISO 42001 certification dependency for Level 2 and the Valid-AI-ted scoring methodology; ISO/IEC 42001 clauses and Annex A controls, with emphasis on clauses most relevant to agentic deployments; AIUC-1 agent-centric controls, audit methodology, and annual renewal requirements; EU AI Act obligations for high-risk AI system providers and deployers, including Articles 9, 12, 13, 14, and 15; EU AI Act prohibited AI practice categories and their relevance to agentic system design decisions; AI literacy obligations under Article 4 of the EU AI Act and their implications for workforce development programs; cross-framework evidence reuse strategies; and audit preparation and management for STAR for AI Level 2 engagements.

Key References

Domain 6 references AICM v1.0 [7], the STAR for AI program documentation [24], ISO/IEC 42001:2023 [25], the AIUC-1 compliance standard [26], the EU Artificial Intelligence Act [22], the CSAI Master Framework Alignment Matrix [23], and the CSAI AICM Agentic Control Supplement [21]. External references include the European Commission’s official AI Act guidance documentation and the CSA’s published guidance on ISO 42001 certification steps. [25]

Assessment Criteria

Domain 6 is assessed through multiple-choice items testing knowledge of framework structures, control requirements, and regulatory provisions; scenario-based items requiring candidates to perform compliance gap analysis, interpret audit findings, and design compliance programs; and a performance-based item requiring candidates to complete an AI-CAIQ assessment for a provided case study organization, demonstrating accurate mapping of organizational controls to AICM domain requirements. Regulatory interpretation accuracy — specifically, correctly classifying AI system scenarios against EU AI Act risk tiers — is assessed with particular rigor, as regulatory misclassification carries significant legal exposure for organizations relying on practitioner advice.

Hands-on Lab Requirements

Laboratory requirements for Domain 6 include: completing an AI-CAIQ self-assessment for a provided case study organization, documenting the rationale for each response with reference to specific organizational controls evidence; conducting a STAR for AI Level 2 readiness assessment for a described organization, identifying gaps in ISO 42001 compliance and AI-CAIQ scoring that would prevent a successful Level 2 designation; performing an EU AI Act risk classification analysis for three provided agentic deployment scenarios, documenting the Annex III category determination and the resulting Articles 9, 12, 14, and 15 obligations; and designing a 12-month compliance roadmap for an organization subject to STAR for AI Level 2 and EU AI Act high-risk system requirements, with quarterly milestones and evidence collection activities.

Domain 7: Agentic AI Governance

Domain Description

Governance is the organizational architecture through which accountability for AI safety is distributed, exercised, and maintained over time. Technical security controls are necessary but not sufficient for responsible agentic AI deployment: without the governance structures that define who is accountable for agent behavior, what standards agents must meet before deployment and throughout their operational lives, how risks are escalated and communicated to decision-makers, and how the organization learns from incidents and near-misses, even technically well-secured agentic systems can produce organizational failures. Domain 7 addresses the design, implementation, and communication of these governance structures, from the policy frameworks that encode organizational commitments to the board-level risk communication that translates technical complexity into fiduciary accountability.

The CSAI governance framework, which addresses policy development, organizational readiness maturity, and the role of AI safety in enterprise risk management, provides the primary reference for Domain 7. The AI-specific maturity model component distinguishes five levels of organizational agentic AI governance maturity, from ad hoc (Level 1, characterized by undocumented practices and reactive risk management) through optimizing (Level 5, characterized by continuous improvement processes, external assurance, and proactive engagement with standards evolution). [23] Understanding where an organization sits on this maturity continuum, and what interventions are most effective for advancing maturity, is a foundational governance competency that practitioners advising organizations on AI safety programs must possess.

Board-level risk communication for agentic AI requires a different vocabulary and analytical framework than internal technical risk assessment. Directors and senior executives who carry fiduciary responsibility for AI governance need to understand the organization’s material AI risks, the investments being made to manage them, and the residual exposure that remains — but not the technical mechanisms through which those risks arise or are mitigated. Translating AICM gap analyses, RiskRubric scores, and ATLAS threat models into board-level risk narratives is a professional communication skill that Domain 7 develops explicitly, drawing on the governance communication frameworks developed in the TAISE CxO track and the CSA CSAI Foundation program materials. [23]

Learning Objectives

Candidates completing Domain 7 will be able to:

  1. Remember and Understand: Describe the key components of an agentic AI governance framework, including policy structure, accountability assignment, risk escalation procedures, and continuous improvement mechanisms.
  2. Understand: Explain the five levels of the agentic AI governance maturity model, describing the characteristic practices, accountabilities, and organizational capabilities at each level.
  3. Apply: Apply the organizational readiness assessment methodology to a described organization’s current state, producing a maturity level determination with supporting evidence and an initial improvement roadmap.
  4. Analyze: Analyze the governance implications of a specific agentic AI deployment decision — such as the authorization of an agent to take irreversible actions in a production environment — identifying the governance structures, review processes, and accountability assignments that responsible deployment requires.
  5. Evaluate: Evaluate the completeness and adequacy of a described organization’s AI governance program, identifying structural gaps where accountability is unclear, escalation paths are absent, or oversight mechanisms are insufficient for the risks being managed.
  6. Create: Design a comprehensive agentic AI governance framework for a specified organization, including policy architecture, accountability assignment across technical and executive roles, board-level reporting mechanisms, incident escalation procedures, and a continuous improvement process.

Key Topics

Domain 7 covers: AI governance framework design, including policy architecture, accountability structures, and decision rights; organizational readiness assessment methodologies for agentic AI; the five-level agentic AI governance maturity model; the role of AI Safety Officers and Chief AI Officers in governance program leadership; board-level AI risk reporting frameworks, including risk appetite statements, key risk indicators, and material risk disclosure; incident escalation and post-incident review procedures for agentic AI systems; the organizational change management requirements of agentic AI adoption, including human oversight role redefinition as agent autonomy increases; third-party and vendor governance for organizations using agentic AI platforms from external providers; the EU AI Act’s governance obligations for high-risk AI system providers and deployers, including the technical documentation and human oversight requirements; and integration of AI governance programs with enterprise risk management, legal and regulatory affairs, and procurement functions.

Key References

Domain 7 references the CSAI Governance Framework, the CSAI Master Framework Alignment Matrix [23], the NIST AI RMF 1.0 GOVERN function [15], ISO/IEC 42001 governance clauses [25], the EU AI Act governance provisions for high-risk AI system deployers [22], and the AICM GRC and Security Ecosystem and Federation (SEF) domain controls [7]. The White House Task Force on AI Education and related Executive Order materials provide policy context for national workforce governance frameworks. [10]

Assessment Criteria

Domain 7 is assessed through multiple-choice items on governance framework concepts, maturity model definitions, and regulatory governance obligations; scenario-based items requiring candidates to diagnose governance failures, design accountability structures, and evaluate the adequacy of described governance programs; and a substantial scenario-based item in which candidates are provided with a detailed organizational case study and must produce a governance maturity assessment, identify the three highest-priority governance gaps, and recommend a phased improvement program with specific interventions and timeline.

Hands-on Lab Requirements

Laboratory requirements for Domain 7 are primarily analytical and communicative rather than technically operational, reflecting the domain’s governance focus. Requirements include: conducting an organizational readiness assessment for a provided case study using the CSAI maturity model, producing a written assessment with maturity level determination and top-five improvement recommendations; drafting a board-level AI risk briefing for a described organization that synthesizes technical risk assessment findings into executive-appropriate language with a risk appetite framing; designing a governance framework policy structure for a provided organizational context, including at minimum an Agentic AI Acceptable Use Policy, an Agent Deployment Authorization Policy, and an AI Incident Escalation Procedure; and presenting the governance assessment findings in a simulated executive briefing format, demonstrating the communication of technical complexity to a non-technical audience.

4. Certification Exam Blueprint

The TAISE Agentic certification examination is designed to assess professional-level competency across all seven domains, with question distribution that reflects both the foundational importance of architectural knowledge and the operational weight of the domains that practitioners exercise most frequently in day-to-day roles. The examination structure follows the domain-weighted methodology used in leading enterprise security certifications including CISSP and CISM, in which domain weights are derived from job task analysis data rather than from curriculum design preferences alone. [27]

The examination consists of 120 questions administered over 180 minutes, yielding an average allocation of approximately 90 seconds per question — consistent with the cognitive demands of scenario-based and applied questions, which require both knowledge recall and situational reasoning. The examination is offered in a computer-adaptive testing format that selects subsequent questions based on candidate response patterns, providing more precise calibration of borderline performance than fixed-form examinations of equivalent length.

Domain Domain Name Question Weight Approximate Question Count
1 Agentic AI Architecture and Security Fundamentals 12% 14
2 Agentic Threat Landscape 18% 22
3 Identity and Access Control for Agents 16% 19
4 Agentic Risk Assessment 14% 17
5 Secure Agentic Development and Deployment 18% 22
6 Compliance and Assurance 12% 14
7 Agentic AI Governance 10% 12
Total 100% 120

The examination incorporates three item types. Multiple-choice questions with a single correct answer assess recall, comprehension, and concept application, and constitute approximately 55 percent of exam items. Scenario-based questions present a brief case narrative followed by one or more questions requiring analytical judgment — evaluating the adequacy of a described control, identifying the most likely attack vector in a described incident, or recommending the most appropriate governance intervention — and constitute approximately 35 percent of exam items. Performance-based questions, which present a technical or analytical task and require a structured constructed response, constitute the remaining 10 percent and are scored using a rubric aligned to the domain’s Bloom’s taxonomy objectives at the Evaluate and Create levels.

The passing score is determined using the modified Angoff standard-setting method, in which a panel of subject matter experts individually estimate the probability that a minimally competent practitioner would answer each item correctly, and the passing score is derived from the mean of these estimates across all items. This approach produces a criterion-referenced standard — passing reflects demonstrated competency rather than performance relative to other examinees — consistent with CSA’s credentialing philosophy across the CCSK and TAISE programs. The passing score established by the standard-setting panel will be reported on a scaled score of 700 on a 1000-point scale, consistent with the reporting convention used for CCSK.

Performance-based items associated with the hands-on laboratory requirements described in each domain section are assessed separately from the written examination. Candidates must complete all seven domain laboratory exercises and receive passing evaluations on all of them before sitting the examination. This sequencing ensures that candidates who pass the examination have demonstrated both knowledge and practical skill — the combination that constitutes genuine professional competency.

The TAISE Agentic track is an advanced professional credential, and its prerequisites are structured to ensure that candidates have the foundational knowledge required to benefit from the advanced curriculum. These prerequisites are not barriers to entry for motivated professionals; they are quality standards that protect the value of the credential by ensuring that all holders have demonstrated a consistent baseline of preparation.

The primary prerequisite is the base TAISE certificate or equivalent demonstrated knowledge of the ten TAISE base curriculum modules. Candidates who hold TAISE and have completed the associated training are prepared for the Agentic track without additional foundational study. Candidates who have not completed TAISE but who can demonstrate equivalent knowledge through professional experience or other credentials may petition for a prerequisite waiver, which is evaluated on a case-by-case basis by the CSAI credentialing committee. Relevant credentials that may support a waiver petition include CCSK v5, CISSP, CISM, CompTIA SecAI+ (launched February 2026), CAISP, or equivalent national or regional AI security certifications.

Beyond formal prerequisites, the TAISE Agentic track assumes a recommended background that candidates without prior relevant experience should develop before attempting certification. Security practitioners without AI experience are advised to complete at minimum a hands-on introduction to LLM-based agent development — sufficient to understand how agents invoke tools, manage context, and produce outputs — before undertaking Domain 1 study. Security professionals with no prior exposure to identity and access management standards are advised to review the OAuth 2.0 specification and SPIFFE/SPIRE documentation before beginning Domain 3. GRC practitioners without prior experience in technical security controls should complete a survey of cloud security fundamentals before approaching Domain 5’s platform hardening content.

The TAISE Agentic Body of Knowledge also specifies a recommended professional experience profile that is not a formal prerequisite but that correlates with stronger exam performance: at least two years of professional experience in security, GRC, identity management, platform engineering, or a related technical discipline, with at least partial overlap with AI system deployment, development, or governance activities. This experience threshold reflects the applied and analytical nature of the competency objectives at the higher Bloom’s taxonomy levels — evaluation and creation — which are more readily achieved by practitioners who have already encountered the practical challenges these objectives address.

6. Continuing Education Requirements

Professional credentialing derives its long-term value from the requirement that holders demonstrate continued engagement with the field, not merely historical competency at the time of initial certification. For agentic AI security, the rate of framework evolution, threat landscape change, and regulatory development makes continuing education not merely a credentialing formality but a genuine professional necessity: a practitioner whose knowledge base is fixed at a 2026 snapshot will be materially unprepared for the governance and technical challenges of 2027 and beyond.

TAISE Agentic certificate holders are required to earn 40 Continuing Education (CE) credits over a three-year maintenance period to maintain their certification in active status. The three-year maintenance period begins on the date of initial certification and recurs on a rolling basis, with CE credits tracked through the CSA’s STAR Registry and learning management system. Holders who do not complete the required CE credits within the maintenance period enter a 90-day grace period during which they may complete the requirement; if credits remain incomplete at the end of the grace period, the certification lapses to inactive status until requirements are fulfilled.

CE activities fall into three tiers based on their relevance to the TAISE Agentic competency domains. Tier 1 activities — those directly advancing agentic AI security knowledge — include completion of CSA working group deliverables, attendance at CSA or partner-sponsored AI security events, completion of formal coursework in TAISE Agentic domains, and contribution to CSAI research outputs. Tier 1 activities earn credits at a 1:1 hour-to-credit ratio. Tier 2 activities — those advancing AI safety knowledge more broadly — include general AI security training, participation in standards body working groups, and completion of complementary certifications such as AIUC-1 auditor training or ISO 42001 lead auditor certification. Tier 2 activities earn credits at a 0.75:1 hour-to-credit ratio. Tier 3 activities — those advancing adjacent professional knowledge — include traditional security training, cloud architecture study, and regulatory compliance coursework not specifically focused on AI. Tier 3 activities earn credits at a 0.5:1 hour-to-credit ratio.

Of the 40 required CE credits per maintenance period, at least 20 must be earned from Tier 1 activities, ensuring that TAISE Agentic holders remain genuinely current with the agentic AI security landscape rather than maintaining their credential through adjacent professional development alone. The CSAI program will publish an annual list of pre-approved CE activities, including CSA research publications, working group sessions, and partner training offerings, to simplify CE tracking for active practitioners.

7. Domain-to-Framework Alignment Table

The following table maps each TAISE Agentic competency domain to its primary CSAI deliverable references, the most relevant OWASP ASI risk categories, the principal MITRE ATLAS tactics addressed, and the primary AICM control domains engaged. This alignment is provided to support practitioners in curriculum planning, organizations in gap analysis, and standards bodies in identifying opportunities for further alignment between the TAISE Agentic credential and the broader framework ecosystem.

Domain Primary CSAI Deliverables OWASP ASI Categories MITRE ATLAS Tactics AICM Control Domains
1: Architecture and Fundamentals MAESTRO Framework; MCP Security Best Practices Guide; Master Framework Alignment Matrix ASI02 (Tool Misuse); ASI07 (Inter-Agent Comms); ASI08 (Cascading Failures) ML Model Access; ML Attack Staging Agentic AI (AA); Infrastructure and Virtualization Security (IVS)
2: Threat Landscape ATLAS Agentic Gap Analysis; CVE/CWE Agentic Catalog; NemoClaw Security Assessment; OpenClaw Research ASI01 (Goal Hijack); ASI02 (Tool Misuse); ASI04 (Supply Chain); ASI05 (Code Execution); ASI06 (Memory Poisoning); ASI10 (Rogue Agents) Reconnaissance; Initial Access; Execution; Persistence; Exfiltration; Impact Model Security (MS); Threat and Vulnerability Management (TVM)
3: Identity and Access Control AICM Agentic Control Supplement; Agentic Identity Management Guidance ASI03 (Identity and Privilege Abuse); ASI07 (Inter-Agent Comms); ASI09 (Trust Exploitation) Credential Access; Defense Evasion; Lateral Movement (agent-to-agent) Identity and Access Management (IAM); Security Ecosystem and Federation (SEF)
4: Risk Assessment RiskRubric Framework; Master Framework Alignment Matrix; AICM Agentic Control Supplement ASI01 (Goal Hijack); ASI08 (Cascading Failures); ASI10 (Rogue Agents) Discovery; Collection Governance, Risk, and Compliance (GRC); Logging and Monitoring (LOG)
5: Secure Development and Deployment ASDL Specification; MCP Security Best Practices Guide; AICM Agentic Control Supplement ASI02 (Tool Misuse); ASI04 (Supply Chain); ASI05 (Code Execution); ASI08 (Cascading Failures) Initial Access; Execution; Persistence; Defense Evasion Infrastructure and Virtualization Security (IVS); Logging and Monitoring (LOG); Threat and Vulnerability Management (TVM)
6: Compliance and Assurance AICM v1.0; AICM Agentic Control Supplement; Master Framework Alignment Matrix; AIUC-1 alignment guidance ASI01 through ASI10 (all, via AICM control mapping) All tactics (via AICM TVM domain) All 18 AICM domains (AI-CAIQ covers full domain scope)
7: Governance CSAI Governance Framework; Master Framework Alignment Matrix; TAISE CxO Body of Knowledge ASI09 (Human-Agent Trust Exploitation); ASI10 (Rogue Agents) Impact; Exfiltration (governance failure scenarios) Governance, Risk, and Compliance (GRC); Human Resources Security (HRS); Security Ecosystem and Federation (SEF)

The alignment demonstrates that no domain exists in isolation: each draws on multiple CSAI deliverables, maps to multiple OWASP ASI risk categories, and engages multiple AICM control domains. Candidates preparing for the TAISE Agentic track should use this table as a study planning tool, ensuring that their preparation for each domain engages the full breadth of its referenced materials rather than focusing on a single framework source. Organizations using the TAISE Agentic Body of Knowledge for curriculum development should note that Domains 3, 5, and 6 engage the highest number of AICM control domains and will therefore produce the broadest controls knowledge improvement relative to investment in training time.

References

[1] Zenity Research, “Agentic AI Rush Exposes Growing Security Gap Across Enterprises,” December 2025. Published by Digital Commerce 360 and available at digitalcommerce360.com.

[2] Help Net Security, “AI went from assistant to autonomous actor and security never caught up,” March 3, 2026. Available at helpnetsecurity.com.

[3] Cloud Security Alliance, “Introducing TAISE: The Trusted AI Safety Expert Certificate,” CSA Blog, October 22, 2025. Available at cloudsecurityalliance.org/blog.

[4] Cloud Security Alliance, “CSA Trusted AI Safety Expert (TAISE) Certificate Honored as 2026 SC Awards Finalist,” CSA Press Release, March 19, 2026. Available at cloudsecurityalliance.org/press-releases.

[5] Cloud Security Alliance AI Safety Initiative, “CSAI Master Framework Alignment Matrix,” CSAI Foundation Publication, Version 1.0, March 27, 2026.

[6] OWASP GenAI Security Project, “OWASP Top 10 for Agentic Applications 2026,” December 9–10, 2025. Available at genai.owasp.org.

[7] Cloud Security Alliance, “AI Controls Matrix (AICM) v1.0,” CSA Publication, July 10, 2025. Available at cloudsecurityalliance.org.

[8] Cloud Security Alliance, “MAESTRO: Multi-Agent Environment, Security, Threat, Risk, and Outcome,” CSA AI Safety Initiative, February 2025. Available at cloudsecurityalliance.org.

[9] IEEE Conference Publication, “Optimizing Cyber Security Education: Implementation of Bloom’s Taxonomy for Future Cyber Security Workforce,” Proceedings of CSCI 2020. Available at ieeexplore.ieee.org.

[10] White House, “Executive Order on Advancing Artificial Intelligence Education for American Youth,” Presidential Actions, April 23, 2025. Available at whitehouse.gov.

[11] European Commission, “EU AI Act — Article 4 AI Literacy Obligation,” Official Journal of the European Union, 2024. Effective February 2, 2025. Available at artificialintelligenceact.eu.

[12] Cloud Security Alliance, “Why We’re Launching a Trusted AI Safety Knowledge Certification Program,” CSA Blog, April 26, 2025. Available at cloudsecurityalliance.org/blog.

[13] Cloud Security Alliance, “Certificate of Cloud Security Knowledge (CCSK) v5,” CSA Education Program. Available at cloudsecurityalliance.org/education/ccsk.

[14] Cloud Security Alliance AI Safety Initiative, “Agentic MCP Security Best Practices Guide,” CSAI Foundation Publication, Version 1.0, March 27, 2026.

[15] National Institute of Standards and Technology, “Artificial Intelligence Risk Management Framework (AI RMF 1.0),” NIST AI 100-1, January 2023. Available at nist.gov.

[16] MITRE Corporation, “ATLAS: Adversarial Threat Landscape for Artificial-Intelligence Systems, v5.x,” October 2025. Available at atlas.mitre.org. October 2025 update includes 14 agentic techniques developed in collaboration with Zenity Labs.

[17] Cloud Security Alliance AI Safety Initiative, “MITRE ATT&CK and ATLAS Agentic Gap Analysis: Techniques Unique to Autonomous Agent Control Planes,” CSAI Research Note, March 27, 2026.

[18] Cloud Security Alliance AI Safety Initiative, “NemoClaw Security Assessment,” CSAI Research Note, March 27, 2026.

[19] Cloud Security Alliance AI Safety Initiative, “CVE/CWE Agentic Catalog,” CSAI Research Note, March 27, 2026.

[20] Non-Human Identity Management Group (NHIMG), “SPIFFE for Agent Identity and Access Management,” NHIMG Community Publication, 2025. Available at nhimg.org. See also HashiCorp, “SPIFFE: Securing the Identity of Agentic AI and Non-Human Actors,” HashiCorp Blog, 2025.

[21] Cloud Security Alliance AI Safety Initiative, “AICM Agentic Control Supplement: Domain-by-Domain Gap Analysis,” CSAI Foundation Publication, Version 1.0, March 27, 2026.

[22] European Parliament and Council, “Regulation (EU) 2024/1689 Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act),” Official Journal of the European Union, 2024. High-risk AI system requirements under Annex III and Articles 9, 12, 14, 15 applicable from August 2, 2026.

[23] Cloud Security Alliance AI Safety Initiative, “CSAI Master Framework Alignment Matrix: Cross-Referencing All CSAI Deliverables Across Ten Framework Dimensions,” CSAI Foundation Publication, Version 1.0, March 27, 2026.

[24] Cloud Security Alliance, “Cloud Security Alliance Launches STAR for AI, Establishing the Global Framework for Responsible and Auditable Artificial Intelligence,” CSA Press Release, October 23, 2025. STAR for AI Level 2 launched November 20, 2025. Available at cloudsecurityalliance.org.

[25] International Organization for Standardization and International Electrotechnical Commission, “ISO/IEC 42001:2023 — Artificial Intelligence — Management System,” December 2023. Available at iso.org. See also Cloud Security Alliance, “6 Key Steps to ISO 42001 Certification Explained,” CSA Blog, July 7, 2025.

[26] AIUC, “AIUC-1: A Compliance Framework for AI Agent Risk,” AIUC Publication, 2025. Available at aiuc.com. See also 360 Advanced, “AIUC-1: A New Compliance Framework for AI Agent Risk,” 2025, at 360advanced.com.

[27] (ISC)², “Changes to CISSP Exam Weighting,” November 2023. Available at isc2.org/Insights. See also ISACA, “CISM Exam Blueprint,” 2022, for domain-weighted examination design methodology.