The Deepest Map, the Largest Gap: MAESTRO

If a framework built specifically for agentic complexity closes the gap, the first two dispatches were describing an accident — two charters that happened to stop short.

MAESTRO is that framework. It does not close the gap. It has the largest one of the three, and that is the finding the series was built to reach.

MAESTRO — the CSA agentic threat-modeling framework — does not enumerate a risk list to match against. It decomposes an agentic system into seven layers: foundation models, data operations, agent frameworks, deployment infrastructure, evaluation and observability, security and compliance, and the agent ecosystem at the top. Its signature is the cross-layer dimension: the most dangerous attack paths are not contained in one layer, they chain — a foundation-model capability actuated through deployment infrastructure into the ecosystem before any human observes it.

What MAESTRO sees

On the agentic internals, this is the deepest map in the field. Multi-agent risk is native here — the agent ecosystem layer plus the cross-layer chain is the only place in this series that models marketplace manipulation, compromised agent registries, and inter-agent goal manipulation as first-class concerns. Weapons and cyberattacks stop being a single entry and become a cascade: capability at the foundation layer, actuated through infrastructure, into the ecosystem. And observability is its own structural layer — where NIST treats interpretability as a trustworthy-AI characteristic and OWASP barely reaches it, MAESTRO makes it a place in the architecture.

Where the sight ends

Then the same four risks fall out the bottom — and more.

MAESTRO’s Tier 3 is the largest of the three because the framework is the most precisely what it is: an architecture decomposition. Every layer is a layer of the agent stack. Bias is not a layer. Market power is not a layer. Labor displacement is not a layer. None of them live in a seven-layer technical architecture, so none of them appear — including environmental harm, which NIST could name because output-cost is downstream of the model, but which MAESTRO cannot, because there is no architectural layer for a carbon footprint.

What this dispatch establishes

Now the three sit together, and the shape is visible. OWASP drew its boundary at the agentic attack surface and stopped there. NIST drew its boundary at content harm — what the system produces — and stopped there. MAESTRO drew its boundary at the agent architecture — the layers of the stack — and stopped there. Three independently-chartered bodies, three different geometries, three boundaries placed for three unrelated reasons. And the same cluster falls past all three: power centralization, inequality, competitive dynamics, governance failure.

Those four are not a random residue. None of them is technical. Power centralization is market structure. Inequality is labor economics. Competitive dynamics and governance failure are properties of institutions. Each framework was chartered to map a technical surface — an attack surface, an output, an architecture — and these four are not on any technical surface, so no framework, however deep, has a place for them. Two of the four — power centralization and inequality — are also among the five risks the MIT panel judged to stay above 10% catastrophic probability even after pragmatic mitigations are applied: the risks the experts said governance and operational controls reduce but cannot structurally resolve. The frameworks stop precisely where the risk stops being technical.

That is not the end of the map. There is an outer ring — the assurance and accountability artifacts that begin where threat-modeling stops. Whether that ring reaches the cluster the inner three could not is the closeout.