The Standards Layer at a Glance — Series 11 Closing Readout — Luminity Digital
Series 11 · The Standards Layer · Series Readout · May 2026

The Standards Layer at a Glance

Five specs. Four surfaces. One architecture. The four-post series read what the field arrived at; this readout is the visual close — every spec laid out structurally, every surface bound to the next, in one place to return to.

May 2026 Tom M. Gomez Luminity Digital 8 Min Visual
00 · Overview

The four-surface architecture the convergence landed on

Between February 2025 and May 2026, five standards bodies independently published frameworks that converge on the same architecture. Each spec answers one architectural question. Each is bounded by its body’s charter. The surfaces compose; they do not compete. Open any tab below to see the spec’s structure laid out.

SURFACE 01
Threat‑Modeling Vocabulary
“What attacks exist and where do they live?”
MAESTROCSA · OWASP — 7 layers + cascading
OWASP Top 10 Agenticcategorical taxonomy
Five Eyes Risk Taxonomy5 domains · institutional
SURFACE 02
Runtime Enforcement
“What must the system do at the moment an action executes?”
AARM Core (R1–R6)CSAI Foundation · per-action
AARM Extended (R7–R9)least-privilege · capability-scope
SURFACE 03
Governance Progression
“What controls govern autonomy over the agent’s lifecycle?”
ATF Maturity LevelsCSAI Foundation · Intern → Principal
AWS Scoping Matrix1:1 cross-walk to ATF
SURFACE 04
Risk‑Management Workflow
“What functions must the program execute over time?”
NIST AI RMFGovern · Map · Measure · Manage
CAISIinstitutional venue · empirical baseline
AAGATEacademic composition demo
SURFACE 05
Institutional Baseline
“What does nation-state threat assessment treat as expected?”
Five Eyes Technical Baseline4 domains · procurement floor
Five Eyes Risk Taxonomy5 domains · risk evaluation

Open any tab above to see the spec’s structure laid out spatially. Tabs 05 (Composition), 06 (River’s Edge), and 07 (Trajectory) close the readout by showing how the surfaces wire together, where the spec layer ends, and where the institutional architecture is heading.

Series sources P1 · The Convergence P2 · The Spec’d Layer P3 · What the Convergence Doesn’t Reach P4 · Reading the Trajectory
01 · AARM — Autonomous Action Runtime Management

The runtime enforcement spec, requirement by requirement

Originated by Herman Errico at Vanta (Feb 2026, arXiv:2602.09433). Stewardship transferred to the CSAI Foundation on April 29, 2026. Core (R1–R6) is the MUST-bar; Extended (R7–R9) is the SHOULD-bar. Vendor conformance attestations attest against these requirements.

action-layer enforcement per-action evaluation structural choke point CSAI Foundation steward
Core conformance · MUST · R1–R6
R1

Pre-execution interception

Every action the agent attempts is intercepted before execution. The structural choke point on which everything else rests — the agent cannot reach the external system without crossing it.

R2

Context accumulation

Prior actions and accumulated state are available at decision time. The runtime evaluates against trajectory and accumulated policy state, not in isolation.

R3

Policy evaluation with intent alignment

Decisions consider the agent’s stated intent, not just the action signature. Intent becomes a first-class authorization input.

R4

Authorization decisions (incl. STEP-UP)

Every action receives an explicit allow, deny, or step-up. Human-in-the-loop is a structural primitive of the runtime, not an out-of-band exception.

R5

Tamper-evident receipts

Decisions and actions are logged in integrity-protected form — an attestable record downstream auditors and ATF-level governance can rely on.

R6

Identity binding

Every action is bound to a verified agent identity. Actions are not anonymous; they are attributable to a specific agent under a specific governance posture.

Extended conformance · SHOULD · R7–R9
R7

Capability-scoped credentials

Credentials issued to the agent are scoped to the capabilities the agent needs — narrower than a human-equivalent identity would carry.

R8

Cross-agent coordination

Coordination patterns between agents are spec’d: how agent A’s receipts inform agent B’s authorization, how trust propagates across the ecosystem.

R9

Least-privilege enforcement

The structural minimum: the agent has access only to what it needs. Maps onto the Five Eyes Least-Privilege Access baseline domain.

What AARM deliberately does not specify

Implementation language, deployment topology, or service mesh choice — those are the implementer’s concern. Threat-model coverage — that surface belongs to MAESTRO. Governance progression of the agent itself — that is ATF’s surface. Empirical efficacy under adversarial conditions — no published red-team data yet for AARM-conformant systems at scale. Conformance is a declaration of architectural shape, not a measurement of defensive strength.

Adoption signals 50+ companies implementing CSAI attestation registry VeriGuard · CABP · GuardAgent · Winston SMT AAGATE academic op’l
Sources aarm.dev arXiv:2602.09433 VeriGuard · arXiv:2510.05156 CSAI Foundation announcement
02 · ATF — Agentic Trust Framework

The governance progression spec, level by level

Originated by Josh Woodruff at MassiveScale.AI (Feb 2026), with foreword by John Kindervag (originator of Zero Trust). Licensed CC BY 4.0. Stewardship transferred to the CSAI Foundation on April 29, 2026. Operates per-agent across the deployment lifecycle — not per-action at runtime. AARM operates per action; ATF operates per agent. The surfaces compose.

program-lifecycle layer per-agent progression Zero Trust extension CSAI Foundation steward
LEVEL 01

Intern

Supervised apprentice
  • Mandatory human approval for all consequential actions
  • Narrow capability portfolio
  • Broad approval scope
  • Actions reviewed before consequence
Promotion
LEVEL 02

Junior

Partially autonomous
  • Approval scope narrows; capability widens
  • Some action categories operate autonomously
  • Others remain gated
  • Time-in-level evidence required
Promotion
LEVEL 03

Senior

Autonomous in scope
  • Operates autonomously within scope
  • Audit and rollback as safety mechanism
  • Most production agents will sit here
  • Demotion triggers in force throughout
Promotion
LEVEL 04

Principal

Policy-bound autonomy
  • Full autonomous execution across scope
  • Continuous attestation, policy-bound capability
  • Restrictions are policy-encoded
  • Strongest evidence required
Each promotion is gated by four criteria
01 · Time-in-levelMinimum residency at the current level before promotion can be considered.
02 · Performance evidenceDocumented evidence of consistent performance against expected actions.
03 · No-harm evidenceEvidence that no significant harm occurred during the residency period.
04 · Policy validationThe governance policy that authorizes the elevated level is itself validated.

Demotion triggers · Explicit conditions under which an agent moves backward — policy violations, unexpected behavior patterns, changes in deployment context that invalidate the original promotion evidence.

What ATF deliberately does not specify

ATF is not a runtime spec. It does not specify per-action behavior — that surface belongs to AARM. It does not specify the format that evidence-of-performance and evidence-of-no-harm must take — those are left to implementers and sector regulators. It does not specify industry-specific policy overlays — banking, healthcare, and critical infrastructure overlays are the work of sector-specific working groups.

Adoption signals Microsoft adoption AWS Scoping Matrix · 1:1 cross-walk Kindervag foreword · Zero Trust lineage
Sources agentictrustframework.ai AWS Scoping Matrix CSAI stewardship transfer
03 · MAESTRO — Multi-Agent Environment, Security, Threat, Risk, and Outcome

The threat-modeling spec, seven layers with cascade

Originated by Ken Huang as a CSA blog (Feb 6, 2025), formalized as the OWASP GenAI Multi-Agentic System Threat Modelling Guide v1.0. Dual-body lineage. Decomposes agentic risk across seven architectural layers — and names the cross-layer cascading dynamics single-layer frameworks miss.

threat-modeling vocabulary 7 layers · cascading CSA · OWASP dual lineage
cascade direction
↑↑↑
7L7

Agent Ecosystem

Multi-agent emergent threats: viral propagation, swarm coordination, cross-agent influence. Threats that exist only when multiple agents interact at scale.

6L6

Security and Compliance

Policy-layer threats. Compliance theater, audit-trail gaps — failure modes that emerge when security and compliance are present as artifacts rather than operative controls.

5L5

Evaluation and Observability

Gaming the evaluation, telemetry manipulation, audit-log tampering. Threats that target the systems supposed to detect threats — the meta-layer becomes the target.

4L4

Deployment Infrastructure

Sandbox escape, container or VM compromise, lateral movement — traditional infrastructure threats reframed for agentic workloads. Log-linear scaling in escape success demonstrated empirically.

3L3

Agent Frameworks

Orchestration-layer threats: prompt-template injection, framework-level escalation. Attacks against the agent’s internal scaffolding rather than the foundation model.

2L2

Data Operations

Training-data poisoning, retrieval-augmented generation attacks, vector store integrity. Risks from data the model consumes during operation, not during training.

1L1

Foundation Models

Model-layer threats: prompt injection, jailbreaks, alignment drift, model-level capability misuse. The risks at the layer where the LLM itself reasons and generates.

The cross-layer cascading dynamic

MAESTRO’s distinctive contribution beyond the seven-layer decomposition. A compromise at L1 (foundation model) propagates upward through L3 (agent framework) and L7 (ecosystem). A weakness at L2 (data operations) shapes what agents at L3 can be made to do. A telemetry gap at L5 makes a defense at L6 ineffective. The cascading is what single-layer frameworks miss — and what MAESTRO is specifically designed to surface.

What MAESTRO deliberately does not specify

MAESTRO is a threat-modeling framework. It does not specify defenses — that work falls to AARM, ATF, and the implementations that realize them. It does not specify quantitative risk scoring — that surface belongs to OWASP AIVSS and SEI SSVC. It does not specify implementation patterns. The framework’s job ends at “here are the threats, decomposed by layer, with cross-layer dynamics named.”

Adoption signals AAGATE Map function OWASP, NIST, CSA cross-reference vendor threat-model documents
Sources CSA blog · Feb 2025 OWASP MAESTRO v1.0
04 · Five Eyes Joint Guidance

The institutional baseline, two taxonomies and one cross-walk

Careful Adoption of Agentic AI Services, May 1, 2026. Coordinated guidance from six agencies: CISA, NSA (US); NCSC (UK); CCCS (Canada); ASD ACSC (Australia); NCSC-NZ (New Zealand). Gartner reads it as the new procurement baseline for critical infrastructure.

political baseline procurement floor 6 national agencies

Five-Domain Risk Taxonomy

what categories of risk must be evaluated
  • 01 · PrivilegeWhat the agent can do
  • 02 · Design & ConfigurationHow the agent is constructed and deployed
  • 03 · BehavioralHow the agent acts under operational conditions
  • 04 · StructuralHow the agent’s architecture creates or constrains risk
  • 05 · AccountabilityHow the agent’s actions are attributable and reviewable

Four-Domain Technical Baseline

what must be in place — the procurement floor
  • 01 · Identity & AuthenticationVerified, attributable agent identities
  • 02 · Least-Privilege AccessNarrowest credential scope sufficient for purpose
  • 03 · Human Oversight & Approval GatesStep-up paths for high-consequence actions
  • 04 · Logging & Behavioral MonitoringTamper-evident, attestable record

The 1:1 mapping onto AARM Core

Five Eyes states the requirement at the institutional baseline; AARM states the enforcement vocabulary at the runtime layer. The two surfaces compose.

Five Eyes Technical Baseline → AARM Conformance Requirement
Identity & Authentication
R6Identity Binding
Least-Privilege Access
R9Least Privilege Enforcement (Extended)
Human Oversight & Approval Gates
R4Authorization Decisions (incl. STEP-UP)
Logging & Behavioral Monitoring
R5Tamper-Evident Receipts
What the joint guidance deliberately does not specify

The guidance does not specify implementation. It does not specify the format of conformance attestation. It does not specify sector-specific overlays beyond the critical infrastructure framing. The guidance establishes the floor below which deployments will not pass nation-state-level procurement scrutiny; the work of meeting that floor in a specific environment falls below the river’s edge.

Sources CISA · Careful Adoption NCSC-NZ ASD ACSC
05 · How the surfaces compose

NIST AI RMF as workflow, AAGATE as the working demonstration

Five specs define what must happen at five surfaces. The question that remains is how they compose into a working program. Two artifacts answer — the NIST AI Risk Management Framework provides the program-level workflow vocabulary; AAGATE (arXiv:2510.25863) demonstrates the composition as a Kubernetes-native control plane.

NIST AI RMF · the four functions

The program-level vocabulary every responsible AI program executes. AAGATE shows which spec fills each function.

FUNCTION 01

Govern

Filled by

Organizational and policy-setting function. ATF’s per-agent governance progression operates here — the maturity levels and demotion triggers are how Govern is realized at the agent level.

ATF maturity
FUNCTION 02

Map

Filled by

Threat-and-risk identification. MAESTRO’s seven-layer decomposition with cross-layer cascading dynamics fills this function in AAGATE’s reference architecture.

MAESTRO 7-layer
FUNCTION 03

Measure

Filled by

Risk quantification. AAGATE composes OWASP AIVSS with SEI SSVC for the scoring vocabulary. AIVSS scores agentic-specific risk; SSVC delivers an action band.

AIVSS + SSVC
FUNCTION 04

Manage

Filled by

Risk treatment. The CSA Agentic AI Red Teaming Guide provides the activity vocabulary AAGATE binds into the Manage function — selection of threats, scoring, response.

CSA Red Team Guide
AAGATE — Agentic AI Governance Assurance & Trust Engine

Huang et al., November 2025. Operationalizes the integration inside a Kubernetes-native control plane aligned to the NIST AI RMF. Map filled by MAESTRO; Measure by AIVSS + SSVC; Manage by the CSA Red Teaming Guide. Govern threads through via ATF maturity levels.

AAGATE does not implement AARM directly — the paper operates one layer up at the workflow level. But its policy enforcement points map onto AARM-pattern runtime requirements, and the architecture demonstrates that workflow and runtime surfaces can be coordinated inside a single control plane. This is what composition looks like at the academic-operationalization layer: not five separate frameworks, but five surfaces of the same control plane.

EMPIRICAL ANCHOR · CAISI + Gray Swan + UK AISI · 250,000+ attack attempts · 13 frontier models · ≥1 successful attack against every target

The flow at runtime

What composes with what, and where each spec lands in the program’s operating loop.

How spec-level composition becomes program-level practice

Each node names one place where a body’s contribution feeds another. The composition is not a single direction — it is a control plane.

MAESTRO L1–L7→ AAGATE Map functionThreats decomposed by layer become the analytic input the workflow operates against.
Five Eyes 4-domain baseline→ AARM Core R4, R5, R6, R9Political baseline becomes runtime enforcement. The procurement floor is operationalized at the action layer.
AARM R5 receipts→ ATF promotion evidencePer-action receipts accumulate into the performance and no-harm evidence ATF promotions require.
AIVSS + SSVC scores→ ATF demotion triggersWhen risk scoring escalates, the agent’s maturity level can demote — closing the runtime-to-governance loop.
ATF maturity levels→ AWS Scoping Matrix1:1 cross-walk means ATF-tier evidence is directly usable in AWS-native governance programs.
CAISI empirical baseline→ all bodies’ threat assumptions250,000 attacks · 13 models · no model immune. The empirical anchor every spec assumes.
Sources AAGATE · arXiv:2510.25863 NIST AI RMF CSA Red Teaming Guide CAISI red-team baseline
06 · River’s Edge

Where the spec layer ends and the practitioner layer begins

The spec layer raises the floor. The ceiling — the working production agent at 2 AM, integrated with a particular stack, under particular regulators — is not the spec layer’s surface. It is the practitioner’s. P3 reads that surface: five categories of practitioner-side work, three disciplines, two composing charters. None of it is a gap in standards-body coverage. All of it is structural.

structural reading practitioner charter river’s-edge principle

The five categories of practitioner-side work

Where the spec layer terminates and practitioner judgment, environment-specific knowledge, and operational reality begin.

CATEGORY 01

Environment-Specific Integration

The spec layer defines what runtime enforcement must do. It does not specify how to wire R1 into a particular service mesh, map R6 onto a particular workload identity provider, or translate R9 into a particular policy-as-code configuration. Integration is the architect’s.

terminates at · AARM R1, R6, R9
CATEGORY 02

Empirical Efficacy Measurement

Architectural conformance and measured defensive strength are two different surfaces. The spec layer addresses the first. Red-teaming the actual deployment against the threats most relevant to its specific environment is the practitioner’s program to build and run.

terminates at · CSA Red Team Guide vocabulary
CATEGORY 03

Sector-Specific Overlay Construction

The spec layer is sector-neutral by design. Sector overlays — HIPAA audit-trail mapping, FFIEC examination alignment, SEC cybersecurity disclosure coordination — are the work of sector regulators and industry consortia operating with the spec layer rather than inside it.

terminates at · sector-neutral charter
CATEGORY 04

Cross-Spec Composition in Production

The bodies specify what composes; the operational details of composition in a specific environment are the practitioner’s. How AARM R5 receipts flow into ATF promotion-review systems, how attestations get coordinated across federated identity domains — this is environment-specific work.

terminates at · spec-level composition
CATEGORY 05

Multi-Agent Ecosystem Dynamics

MAESTRO Layer 7 names the layer. Spec-level guidance on ecosystem dynamics is not yet mature; the research literature is still consolidating. Until that work matures into spec-level guidance, the layer’s operational treatment falls to practitioners.

terminates at · MAESTRO L7

Three practitioner-side disciplines

The five categories describe where the work happens. The three disciplines describe what the work is.

DISCIPLINE 01

Architecture

Designing the deployment to satisfy AARM Core conformance, ATF maturity progression, and the Five Eyes technical baseline simultaneously in a specific environment. Sidecar vs. inline gateway; co-located vs. remote PDPs; centralized vs. federated identity.

DISCIPLINE 02

Operations

Running the deployment — monitoring it, responding to incidents, maintaining conformance evidence, updating for adversary evolution, feeding operational reality back into governance evaluation. The CSA Red Teaming Guide provides the Manage-function vocabulary; the operational program is the practitioner’s.

DISCIPLINE 03

Governance

Aligning ATF maturity progression with the organization’s risk tolerance, audit expectations, regulatory exposure, and governance bodies the organization answers to. ATF specifies the criteria categorically; what constitutes adequate evidence in a regulated environment is the practitioner’s translation.

The two charters compose

The standards-body charter and the practitioner charter cover different surfaces of the same working ecosystem. Vendors sit between. Luminity reads the composition.

STANDARDS-BODY CHARTER

In scope, by charter

  • Publishing requirements that hold across the design space
  • Defining conformance vocabulary at each architectural surface
  • Maintaining stewardship of open specifications
  • Establishing institutional infrastructure for ongoing development
  • Coordinating across bodies on composition vocabulary
  • Hosting attestation registries
PRACTITIONER CHARTER

In scope, by charter

  • Designing the deployment to satisfy spec conformance in the specific environment
  • Implementing environment-specific integration
  • Running empirical efficacy measurement against the actual threat surface
  • Coordinating with sector regulators on sector overlays
  • Operating cross-spec composition in production
  • Monitoring multi-agent ecosystem dynamics until spec-level guidance matures
Series source P3 · What the Convergence Doesn’t Reach
07 · Trajectory

Four institutional structures, and the gravity each one creates

The convergence established institutional architecture for ongoing standards development that did not exist eighteen months ago. Four structures now operate where none operated before. Each one is trajectory infrastructure. Each one creates conditions for specific patterns of further maturation across 2026. This is reading, not predicting.

institutional architecture reading not predicting trajectory infrastructure
STRUCTURE 01

CSAI Foundation

vendor-neutral spec stewardship · launched April 29, 2026
What it does now

Hosts AARM and ATF under formal stewardship. Maintains the conformance attestation registry. Coordinates working groups across the CSA infrastructure. Provides the institutional venue where vendor implementations and practitioner adopters interact with the specifications as they evolve.

What conditions suggest
  • Additional spec stewardship as independent open specifications mature
  • Cross-spec composition vocabulary — formal binding between AARM receipts and ATF promotion evidence
What this is not

Not a prediction of which specifications migrate or on what timeline. Not a forecast that the Foundation dominates institutional space — OWASP, CSA working groups, and NIST workstreams continue to operate.

STRUCTURE 02

NIST CAISI

workflow infrastructure for ongoing AI agent standards · February 2026
What it does now

Houses the AI Agent Standards Initiative. Coordinates partnerships with research-side institutions (Gray Swan AI, UK AISI) producing the empirical evidence the standards layer rests on. Operates inside NIST’s AI RMF — providing the program-level vocabulary CAISI’s initiatives populate.

What conditions suggest
  • Empirical baseline maintenance — the 250,000-attack floor as living dataset
  • Workflow-level standards development at additional layers
  • International coordination — the UK AISI pattern is replicable
What this is not

Not a prediction of which initiatives or publications CAISI produces. Not a forecast of which nations adopt the CAISI model. Not a claim that CAISI displaces NIST’s broader AI work — CAISI is a center within NIST.

STRUCTURE 03

Five Eyes Coordination

nation-state-level institutional ceiling · published May 1, 2026
What it established

A coordinated political baseline across six agencies that historically publish independently. Five-domain risk taxonomy + four-domain technical baseline. Shared vocabulary subsequent agency-specific guidance can rest on. Read by Gartner as the procurement floor.

What conditions suggest
  • Agency-specific elaboration — CISA sector overlays, ASD ACSC supplements
  • Procurement integration — GSA schedules, UK framework agreements
  • Follow-on coordination on specific adversary patterns
What this is not

Not a prediction of when specific agencies publish elaboration. Not a forecast of which procurement vehicles adopt first. Five Eyes coordination is subject to political variables — bilateral relationships, agency leadership transitions, budget cycles.

STRUCTURE 04

Vendor Conformance Attestation

practitioner-vendor bridge · the spec layer’s marketplace face
What it now is

The practitioner-vendor bridge the spec layer enables. Practitioners select implementations against published conformance attestations; vendors compete on breadth and depth of conformance claims; the CSAI attestation registry keeps the conversation coherent across vendors and time.

What conditions suggest
  • Procurement standardization around AARM-conformance attestations
  • Vendor differentiation shifting toward what is above the baseline rather than at the baseline
What this is not

Not a prediction of which vendors lead or lag. Not a forecast of which procurement bodies adopt requirements first. Not a claim that conformance attestation guarantees defensive efficacy — P3’s distinction between conformance and measured strength remains.

The four structures reinforce each other

The trajectory is not four independent venues moving in parallel. Each one creates institutional gravity for the others.

CSAI Foundation hosts→ specs CAISI operates againstAARM Core conformance is the runtime enforcement vocabulary RMF Manage applies; ATF maturity is what RMF Govern operates within.
CAISI empirical baseline→ Five Eyes threat realityThe 250,000-attack baseline establishes the floor of empirical threat against which Five Eyes binding-intent expectations are calibrated.
Five Eyes procurement gravity→ AARM-conformance attestationsThe four-domain Five Eyes baseline maps cleanly onto AARM Core; AARM attestations become the practical evidence format.
Vendor attestation ecosystem→ CSAI Foundation registryThe institutional artifact that catalogs which vendor implementations claim conformance against which requirements.
Series source P4 · Reading the Trajectory
Closing the series

The convergence is the field’s accomplishment. The trajectory is the field’s institutional architecture. The four posts read what the field arrived at; this readout is the visual close. The spec layer is the floor. The work above it continues from there — in environments practitioners specify, on threat surfaces practitioners measure, under governance practitioners interpret.

If the readout raises questions for your environment

The spec layer makes the river-crossing tractable. It does not perform the crossing. If thinking through what the converged architecture means for a specific deployment is useful, the conversation starts here.

Schedule a Conversation
Series 11  ·  The Standards Layer
Post 01 · Published The Convergence
Post 02 · Published The Spec’d Layer
Post 03 · Published What the Convergence Doesn’t Reach
Post 04 · Published Reading the Trajectory
Series Readout · Now Reading The Standards Layer at a Glance
© 2026 Luminity Digital, Inc. · Series 11 Closing Readout · luminitydigital.com

Share this:

Like this:

Like Loading…