Between February 2025 and May 2026, the agentic AI standards ecosystem did something it had not done in the eighteen months preceding: it converged. The convergence was not announced. No working group declared it. No single body coordinated it. What happened, instead, is that five separate bodies — OWASP, NIST, the Cloud Security Alliance, the newly-formed CSAI Foundation, and the Five Eyes intelligence partnership — published frameworks across this fifteen-month window that, when read together, describe the same stratified architecture for agentic AI security. Different authors, different intellectual lineages, different bodies, different release dates. And yet the architecture each body landed on is recognizably the same.
This matters because the field had not converged on this before 2025. Eighteen months ago, agentic AI security was a debate among competing schools. Prompt-engineering practitioners argued that the model layer was the right surface for control. Alignment researchers argued that the training process was the right surface. Red-team practitioners argued for adversarial testing as the primary discipline. Governance and IAM teams argued for traditional identity controls extended to non-human entities. Each school had a partial answer. None of them composed cleanly with the others. The state of the field was a vocabulary problem as much as an architectural one — practitioners reading research literature on Tuesday and standards-body publications on Wednesday were reading about adjacent concerns described in non-overlapping language.
The 2025–2026 corpus is the resolution. Each school’s contribution is now spec’d at its appropriate architectural surface, and the surfaces compose. The convergence is not Luminity’s doing — Luminity named it before the citations existed, but the work belongs to the standards bodies and the spec authors. What Luminity can now do, with the corpus in hand, is read the convergence on the field’s own terms.
The Five Bodies and What Each Body Shipped
The five bodies that constitute the convergence are listed below with what each contributed. The framing matters: each body is described as defining what must be done at its layer — not as building implementations, not as fighting production fires, not as carrying enterprise risk. These are charter limits. The bodies stop at the river’s edge by design. What they ship is the vocabulary, the threat models, the conformance requirements, and the institutional baseline that practitioners cross the river with.
OWASP — The Threat-Surface Catalog
OWASP’s contribution to the convergence is the most extensive corpus in pure document count. The OWASP Top 10 for Agentic Applications 2026, peer-reviewed by more than one hundred contributors, is the most-cited threat catalog for agentic AI. The OWASP Agentic Security Initiative provides the taxonomy that vendor implementations and research papers reference for cross-comparison. The MCP Security Cheat Sheet and AI Agent Security Cheat Sheet provide protocol-level and agent-level guidance practitioners can act on directly. The AI Security Solutions Landscape Q2 2026 maps vendor products against the OWASP taxonomy, making procurement decisions traceable to threat coverage. OWASP’s role in the convergence is to define what attacks exist, what threat surface to map against, and what vocabulary the rest of the ecosystem should use when describing them.
NIST — The Risk-Management Workflow
NIST’s contribution is the function-level vocabulary that operationalizes risk management around agentic AI. The NIST AI Risk Management Framework defines four functions — Govern, Map, Measure, Manage — that every responsible AI program is expected to execute. In February 2026, NIST launched the AI Agent Standards Initiative within its Center for AI Standards and Innovation (CAISI), establishing the institutional infrastructure for ongoing standards development specifically around AI agents. CAISI subsequently partnered with Gray Swan AI and the UK AI Security Institute to publish empirical analysis of a large-scale red-teaming competition — more than 250,000 attack attempts from 400+ participants against 13 frontier models — finding that at least one successful attack was identified against every target model. The figure is the empirical baseline the convergence rests on. No model was immune. NIST’s role at the river’s edge is to define what risk-management looks like at the function level, and to coordinate the empirical evidence that the threats are real. The “how” of executing the four functions in a particular enterprise environment falls to practitioners.
CSA + OWASP (Dual Lineage) — The Threat-Modeling Vocabulary
The MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome) framework decomposes agentic AI risk across seven architectural layers: foundation models, data operations, agent frameworks, deployment infrastructure, evaluation and observability, security and compliance, and the agent ecosystem itself. The framework was originally published by Ken Huang as a Cloud Security Alliance blog post in February 2025, and was subsequently formalized as the OWASP GenAI Multi-Agentic System Threat Modelling Guide v1.0. The dual lineage is intentional: Huang holds standing across CSA, OWASP Top 10 for LLMs, and NIST GenAI, and the framework’s cross-body publication reflects a deliberate decision to make MAESTRO a shared analytical resource rather than a body-specific artifact. The academic-side validation followed in November 2025 with the publication of AAGATE — Agentic AI Governance Assurance & Trust Engine, which operationalizes MAESTRO as the Map function inside a Kubernetes-native NIST AI RMF control plane. MAESTRO’s role in the convergence is to define the analytical structure for stratifying agentic AI risk surface in a way that captures the cross-layer cascading dynamics single-layer frameworks miss. The framework names what can go wrong, layer by layer. It does not implement defenses.
CSAI Foundation — The Specification Layer
The CSAI Foundation is the newest body in the convergence — announced April 29, 2026 at the CSA Agentic AI Security Summit, with stewardship affiliated with the Cloud Security Alliance’s working group structure. Its institutional contribution is to host open specifications under stewardship rather than originating frameworks itself. In its first announced action, the CSAI Foundation acquired stewardship of two independent open specifications that had been published earlier in 2026: AARM, Autonomous Action Runtime Management (originated by Herman Errico at Vanta, arXiv:2602.09433), and ATF, the Agentic Trust Framework (originated by Josh Woodruff at MassiveScale.AI, with foreword by John Kindervag, the originator of Zero Trust). AARM specifies what a runtime security system must do at the action layer — pre-execution interception, context accumulation, policy evaluation with intent alignment, authorization decisions, tamper-evident receipts, identity binding — through Core (R1–R6, MUST) and Extended (R7–R9, SHOULD) conformance requirements that vendor implementations are now attesting against. ATF specifies the governance progression through four maturity levels (Intern, Junior, Senior, Principal) with explicit promotion criteria, demotion triggers, and minimum residency periods. Microsoft has adopted ATF. Fifty-plus companies are implementing AARM-conformant systems. The CSAI Foundation’s role at the river’s edge is to host the specifications that define what runtime security must do and what governance progression looks like — the vendor-neutral conformance vocabulary the rest of the ecosystem builds against.
Five Eyes — The Political Anchor
The Five Eyes joint guidance on agentic AI security, published May 1, 2026, is the convergence’s institutional ceiling. Six national signals intelligence agencies — CISA and NSA in the United States, NCSC in the United Kingdom, the Canadian Centre for Cyber Security, the Australian Cyber Security Centre, and the New Zealand National Cyber Security Centre — issued coordinated binding-intent guidance with a five-domain risk taxonomy (Privilege, Design and Configuration, Behavioral, Structural, Accountability) and a four-domain technical baseline (Identity and Authentication, Least-Privilege Access, Human Oversight and Approval Gates, Logging and Behavioral Monitoring). The guidance has been read by Gartner as the new baseline for procurement and governance — the bar below which enterprise agentic AI deployments will not pass critical-infrastructure scrutiny. The Five Eyes role in the convergence is to establish what nation-state-level threat assessment treats as expected. The guidance does not specify how enterprises implement the baseline. That work, again, falls below the river’s edge.
Why the Architecture Is the Same Across All Five Bodies
This is the analytical center of the post. Five bodies, five publications, five different authors, five different release dates — and the architecture each one landed on is recognizably the same. The convergence is not stylistic. It is structural. Each body addresses a distinct surface of what is functionally the same architecture.
At the threat-modeling surface, the question being answered is “what attacks exist and where do they live?” MAESTRO answers this with a seven-layer decomposition. OWASP answers it with a categorical taxonomy in the Top 10 for Agentic Applications. The Five Eyes answers it with a five-domain risk taxonomy. The three frameworks are not interchangeable — they use different decomposition lenses — but they each define the same kind of artifact: a map of what can go wrong, intended to drive selection of which controls to deploy. None of the three implements defenses. All three define what defenses must address.
At the runtime enforcement surface, the question being answered is “what must the system do at the moment an action executes?” AARM answers this directly through its Core conformance requirements — pre-execution interception, context accumulation, policy evaluation with intent alignment, authorization decisions, tamper-evident receipts, identity binding. The empirical research literature (VeriGuard, CABP, GuardAgent, Winston SMT) demonstrates the patterns in controlled research conditions. AAGATE demonstrates the architecture as a working Kubernetes-native reference. AARM specifies what production systems must implement; the research and academic operationalization shows it is feasible. The runtime enforcement surface is the layer at which security materializes as an operation on an external system, regardless of how the agent’s reasoning reached the decision to perform that operation.
At the governance progression surface, the question being answered is “what controls govern an agent’s autonomy level over its lifecycle?” ATF answers this through the four-level maturity model with promotion criteria and demotion triggers. AWS provides the 1:1 cross-walk to its Agentic AI Security Scoping Matrix. The ATF model is not in competition with traditional IAM — it is a non-human identity overlay that operates at the program-lifecycle layer rather than the per-session layer. Where AARM operates per action, ATF operates per agent across the agent’s deployment lifecycle. The two surfaces compose; they do not compete.
At the risk-management workflow surface, the question being answered is “what functions must the program execute over time?” NIST answers this with the four AI RMF functions — Govern, Map, Measure, Manage — and AAGATE demonstrates that the four functions can be operationalized by composing MAESTRO (Map), OWASP AIVSS plus SEI SSVC (Measure), and CSA’s Agentic AI Red Teaming Guide (Manage) inside a single control plane. The workflow surface is what holds the architecture together as an ongoing program rather than a deployment-time exercise.
At the institutional baseline surface, the question being answered is “what does nation-state threat assessment treat as expected?” The Five Eyes joint guidance answers this directly. The four technical baseline domains map cleanly onto AARM conformance requirements, three in Core and one in Extended: Identity and Authentication onto AARM R6 (Identity Binding); Least-Privilege Access onto AARM R9 (Least Privilege Enforcement, in Extended); Human Oversight and Approval Gates onto AARM R4 (Authorization Decisions, including STEP-UP); Logging and Behavioral Monitoring onto AARM R5 (Tamper-Evident Receipts). What the Five Eyes guidance treats as the baseline, AARM specifies as the runtime enforcement vocabulary.
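To make the action-layer pattern concrete, the sketch below is an added example, not code from the AARM specification or from any of the bodies discussed. It shows a pre-execution gate that binds each request to an agent identity, default-denies unlisted tools, holds STEP-UP actions until a human approver is named, and writes an HMAC-chained receipt for every decision. The receipt format, the HMAC-SHA256 chaining, the policy table, the agent and tool names, and the `ALLOW`/`DENY`/`PENDING_APPROVAL` labels are all assumptions made for illustration; context accumulation and intent alignment are not modelled.

```python
import hashlib
import hmac
import json

# Hypothetical policy table, (agent identity, tool) -> decision. Constructed sample data.
POLICY = {
    ("agent:procurement-01", "crm.read_account"): "ALLOW",
    ("agent:procurement-01", "payments.issue_refund"): "STEP_UP",
}
GENESIS = "0" * 64  # "prev" value carried by the first receipt in a chain

def _mac(key, body):
    # Canonical JSON so the same receipt always serializes to the same bytes.
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class ActionGate:
    """Sits between the agent and its tools; the caller executes only on ALLOW."""
    def __init__(self, key):
        self._key = key
        self.receipts = []

    def request(self, identity, tool, args, approved_by=None):
        # Default-deny: anything not listed for this identity is refused.
        decision = POLICY.get((identity, tool), "DENY")
        if decision == "STEP_UP":
            # Step-up actions stay pending until a human approver is recorded.
            decision = "ALLOW" if approved_by else "PENDING_APPROVAL"
        prev = self.receipts[-1]["mac"] if self.receipts else GENESIS
        body = {"seq": len(self.receipts), "identity": identity, "tool": tool,
                "args": args, "decision": decision,
                "approved_by": approved_by, "prev": prev}
        self.receipts.append({**body, "mac": _mac(self._key, body)})
        return decision

def verify_chain(receipts, key):
    """Return the index of the first receipt that fails verification, or None."""
    prev = GENESIS
    for i, r in enumerate(receipts):
        body = {k: v for k, v in r.items() if k != "mac"}
        ok = (r["prev"] == prev and r["seq"] == i
              and hmac.compare_digest(r["mac"], _mac(key, body)))
        if not ok:
            return i
        prev = r["mac"]
    return None

def demo():
    key = b"constructed-demo-key"  # constructed; a real key would come from a KMS/HSM
    agent = "agent:procurement-01"
    gate = ActionGate(key)
    decisions = [
        gate.request(agent, "crm.read_account", {"id": 42}),
        gate.request(agent, "payments.issue_refund", {"amount": 900}),
        gate.request(agent, "payments.issue_refund", {"amount": 900}, "user:alice"),
        gate.request(agent, "iam.create_key", {}),
    ]
    clean = verify_chain(gate.receipts, key)
    gate.receipts[1]["decision"] = "ALLOW"  # simulate after-the-fact log editing
    return decisions, clean, verify_chain(gate.receipts, key)

if __name__ == "__main__":
    print(demo())
```

Because each receipt's MAC covers the previous receipt's MAC, editing, reordering or deleting any entry is detected at that position by `verify_chain`, which is the property an auditor relies on when the log is the evidence.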
Before the convergence (pre-2025), the field was fractured: agentic AI security was debated across competing schools — prompt-engineering, alignment, red-team, governance — speaking non-overlapping vocabularies. There was no peer-published spec for runtime enforcement at the action layer. There was no peer-published spec for governance progression at the program layer. There was no coordinated nation-state baseline. OWASP coverage existed as a risk-surface map, with nothing yet at the enforcement-tier level.
After the convergence (February 2025 to May 2026), five bodies converged on stratified architecture across four surfaces. MAESTRO provides the cross-body threat-modeling vocabulary. AARM specifies the runtime enforcement layer under CSAI Foundation stewardship. ATF specifies the governance progression layer under CSAI Foundation stewardship. NIST CAISI provides the risk-management institutional infrastructure. Five Eyes guidance establishes the nation-state baseline. These are not five different architectures. They are five different surfaces of the same architecture, each body defining what must happen at its layer. Stratified by surface, coordinated across bodies. The convergence is the field arriving at a shared map.
What the Convergence Is Not
This is the section that locates Luminity precisely. The convergence is real and worth reading on its own terms, but four things it is not should be said clearly, because the rest of the series and the citation discipline that follows depend on them.
The convergence is not the standards bodies finishing the work. Standards bodies stop at the river’s edge — they define what must be done, not how to do it in a particular Salesforce-integrated procurement agent running at two in the morning under a particular IAM stack with a particular auditor and a particular regulator. By charter, this is correct. OWASP does not write production code. NIST does not run production incident response. The Cloud Security Alliance does not configure your service mesh. The CSAI Foundation does not deploy AARM-conformant gateways for you. The Five Eyes agencies do not write your IAM policy. The river-crossing falls to practitioners. The standards layer makes the crossing tractable; it does not perform the crossing.
The convergence is not Luminity vindication. The argument Luminity has been making since the policy-layer series is that agentic AI failures are protocol-level architectural problems that governance and operational controls can mitigate but not structurally resolve. The corpus now provides peer-published citation for that argument. But the convergence belongs to the bodies. The intellectual work was done by Huang, by Errico, by Woodruff, by the OWASP working groups, by the NIST CAISI team, by the Five Eyes agencies. Luminity reads what the field landed on. Luminity does not claim what the field built.
The convergence is not “every gap is closed.” There are residual gaps in what the standards layer reaches — gaps in empirical efficacy measurement of the new specs, gaps in cross-spec composition formalization, gaps in standards-body coverage of multi-agent ecosystem dynamics at the spec level, gaps in sector-specific overlays beyond banking and infrastructure. Post 3 of this series covers those. But the framing matters: the residual gaps are not failures of the standards bodies. They are the natural endpoint of the standards-body charter. Beyond the river’s edge is by design.
The convergence is not “compliance now equals safety.” Stratified architecture is the precondition for safety, not the substitute for it. AARM specifies what a runtime security system must do; it does not measure efficacy of any single deployment. ATF specifies what governance progression looks like; it does not validate any single agent. MAESTRO specifies how to decompose the threat surface; it does not implement defenses against any specific threat. The convergence raised the floor. The ceiling is still where the architects work.
Standards bodies publish taxonomies, controls catalogs, governance frameworks, threat models, and posture guidance. Their charter ends at “what must be done” stated as standards. They name the risks, define the control objectives, and specify what evidence looks like. They do not — and cannot, by charter — ship working implementations or close the gap between control objective X and the particular runtime in front of a particular practitioner on Tuesday at 2 AM. Academic research demonstrates feasibility under controlled conditions; it does not carry production incident response. Practitioners do the river-crossing. Luminity’s role is the interpretive translation layer between the three.
Reading the Series Against the Convergence
The next three posts read against the map this one has drawn.
Post 2 — The Spec’d Layer walks each spec at depth. What AARM Core (R1–R6) actually specifies and what conformance attestations look like. What ATF’s four-level maturity model demands and what promotion criteria mean in practice. What MAESTRO’s seven layers and cross-layer cascading dynamics actually capture. What the Five Eyes four-domain technical baseline reads as in procurement contexts. The post is a depth pass through the artifacts the convergence ships.
Post 3 — What the Convergence Doesn’t Reach reads the river’s edge from the practitioner side. What the standards layer cannot specify by charter, what the residual gaps are, and what the practitioner-side work consists of. The post will not frame the gaps as failures of the bodies — they are the natural endpoint of the charter. It will read what falls to architects, what falls to security leaders, and what falls to compliance teams once the standards layer has done its work.
Post 4 — Reading the Trajectory closes the series by reading where the converged standards layer heads across the rest of 2026. Vendor conformance attestation programs maturing, the CSAI Foundation’s stewardship taking on additional specifications, sector-specific overlays beginning to crystallize, and the next inflection point the field is approaching. The post is forward-looking but disciplined: it reads trajectory from evidence, not from speculation.
What the April 2026 teaser pointed toward — the gap between OWASP coverage as a risk-surface map and the enforcement-tier vocabulary needed to make it operational — is now spec’d at every layer. AARM at the action layer. ATF at the program layer. MAESTRO across the surface. NIST CAISI for the workflow. Five Eyes for the institutional baseline. The teaser is no longer ahead of the corpus. The corpus is the convergence.
The standards ecosystem converged on stratified architecture for agentic AI security across the fifteen months between February 2025 and May 2026. Five bodies — OWASP, NIST, CSA, CSAI Foundation, Five Eyes — independently published frameworks that, read together, define a coherent four-surface architecture: threat-modeling vocabulary, runtime enforcement specification, governance progression specification, risk-management workflow, and institutional baseline. The architecture is the field’s, not Luminity’s. The convergence named here is what the next three posts read against.
