New catastrophic risk initiative, CNA authorization, and strategic agentic AI acquisitions accelerate enterprise AI governance and assurance
The Cloud Security Alliance (CSA), the world’s leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, announced a series of milestones that significantly expand the CSAI Foundation’s capacity to deliver on its 2026 mission of Securing the Agentic Control Plane.
Also Read: AiThority Interview with Glenn Jocher, Founder & CEO, Ultralytics
“Today’s announcements give enterprises, auditors, and regulators the technical specifications and assurance scaffolding to say yes to agentic AI without losing control of it.”
Unveiled at the CSA Agentic AI Security Summit, the announcements include the launch of the STAR for AI Catastrophic Risk Annex (Annex), authorization as a CVE Numbering Authority (CNA) through MITRE, and the acquisition of two foundational agentic-AI specifications.
“The global economy is contending with two exponentials at once: frontier models leapfrogging each other month over month, and viral, bottom-up adoption of agents inside the business,” said Jim Reavis, CEO and co-founder, Cloud Security Alliance. “Today’s announcements give enterprises, auditors, and regulators the technical specifications and assurance scaffolding to say yes to agentic AI without losing control of it.”
Launched with support from Coefficient Giving, a philanthropic organization backing long-horizon AI safety work, the Catastrophic Risk Annex extends CSA’s AI Controls Matrix (AICM) and the broader STAR for AI assurance program to address scenarios involving loss of human oversight, uncontrolled system behavior, and other large-scale, irreversible, society-wide consequences, focusing on what can actually be tested in production. A four-phase rollout will begin in June 2026 and continue through December 2027, aligned with the NIST AI RMF, the EU AI Act, and ISO/IEC 42001, culminating in the inaugural State of Catastrophic AI Risk Controls Report.
CSAI Foundation has also made significant progress in advancing its AI Risk Observatory, a mission made more urgent by rapid model advancement and the growing ability of AI systems to discover, generate, and amplify cybersecurity findings at scale. As part of this work, the Cloud Security Alliance has been authorized by the CVE Program as a CVE Numbering Authority (CNA). Our initial operational scope is addressing vulnerabilities in our software tools. CSAI is now organizing research work streams and operational projects with existing CNAs and ecosystem partners focused on building toward responsible agentic-specific vulnerability coordination, CVE/NVD ecosystem gaps, AI-assisted human-verified vulnerability enrichment and practical guidance for defenders.
The Foundation also strengthened the technical and governance foundations required to secure the agentic control plane through two strategic acquisitions. Thanks to the generosity of CSA corporate member Vanta, the Autonomous Action Runtime Management (AARM) specification — an open system specification for securing AI-driven actions at runtime across context, policy, intent, and behavior — has been contributed to the CSAI Foundation. AARM founder Herman Errico will continue to lead the development of the specification as the working group chair. We are also pleased to announce an agreement with Josh Woodruff, founder of MassiveScale.AI to transfer stewardship of the Agentic Trust Framework (ATF). Woodruff, a CSA Research Fellow and co-chair of the CSA Zero Trust Working Group, has applied Zero Trust principles to agentic AI to provide a robust governance framework and will continue to lead the development of ATF.
Also Read: The Infrastructure War Behind the AI Boom
[To share your insights with us, please write to psen@itechseries.com]
Comments are closed.