CSA Official Press Release

Published 11/13/2025

Cloud Security Alliance Introduces New Tool for Assessing Agentic Risk

Capabilities-Based Risk Assessment framework measures key autonomous risk factors

DALLAS, TX — November 12, 2025 — The Cloud Security Alliance (CSA) today announced the release of its latest research whitepaper, Capabilities-Based Risk Assessment (CBRA), a groundbreaking framework developed by the AI Safety Initiative CISO Council to help organizations measure and manage risks stemming from autonomous and agentic AI systems.

As enterprises increasingly deploy AI systems that think, act, and make decisions autonomously, traditional one-size-fits-all governance models have failed to keep pace. The CBRA framework addresses this challenge by introducing a scalable, consequence-driven method to evaluate AI systems based on four interacting dimensions: System Criticality, AI Autonomy, Access Permissions, and Impact Radius. Together, these factors form a composite risk score that quantifies the potential consequences of failure or misuse—enabling organizations to apply proportionate controls and oversight.

“AI autonomy and access are expanding faster than traditional risk management models can adapt,” said Pete Chronis, Co-Chair of the CSA AI Safety Initiative CISO Council. “CBRA allows enterprises to align their governance investments with actual risk exposure—protecting high-impact agentic systems while accelerating safe innovation elsewhere.”

By mapping CBRA’s three-tier risk levels (Low, Medium, and High) directly to CSA’s AI Controls Matrix (AICM)—a comprehensive library of 240+ AI-specific controls across 18 domains—the framework ensures that safeguards scale appropriately with system capability and consequence. Low-risk systems can be managed with foundational hygiene controls, while high-risk agentic AI, such as those operating in healthcare or critical infrastructure, must meet the most stringent governance and validation requirements.

“CBRA represents a major milestone in our mission to Secure the Agentic Control Plane,” said Jim Reavis, CEO of the Cloud Security Alliance. “This is one of dozens of tools CSA will release through 2026 to give enterprises practical ways to measure, monitor, and mitigate agentic AI risks. Together, these efforts will define how we ensure safety, transparency, and accountability in the age of autonomous systems.”

The CBRA framework complements global standards such as the NIST AI Risk Management Framework, ISO/IEC 42001, and the EU AI Act, offering a common methodology that enterprises, auditors, and regulators can adopt to demonstrate trustworthy AI governance. It is designed to evolve alongside the AI systems it evaluates—supporting continuous assessment, vendor transparency, and sector-wide benchmarking.

The Capabilities-Based Risk Assessment whitepaper will be presented publicly for the first time at DataSecAI 2025 in Dallas, where members of CSA’s AI Safety Initiative will discuss its implications for enterprise AI assurance and the broader cybersecurity ecosystem.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading not-for-profit organization committed to awareness, practical implementation, and credentialing of forward-looking cybersecurity topics, including AI, cloud, and Zero Trust. In an era where digital transformation drives business success, CSA stands as the global authority ensuring organizations can operate securely while harnessing cutting-edge technology. Through volunteer-driven research, globally-accepted standards, and award-winning vendor-neutral education programs that unite technical experts, industry practitioners, and varied associations, governments, chapters, and corporate members, CSA bridges the gap between innovation and pragmatic security execution. Visit CSA’s website to learn more.

 

Media Contact
Kristina Rundquist
ZAG Communications for the CSA
[email protected] 

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.

For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.