Securing the Agentic Control Plane: Key Progress at the CSAI Foundation

Two exponential curves are converging in 2026: step-level improvements in AI model capabilities and the viral adoption of autonomous agents across every sector of the economy. The question facing every enterprise isn't whether agents will reshape their operations — it's whether they have a strategy for when it happens.

That's the problem the CSAI Foundation was created to solve. As the 501(c)3 arm of the Cloud Security Alliance, the CSAI Foundation's 2026 mission — Securing the Agentic Control Plane — represents the most ambitious expansion in CSA's seventeen-year history. Here's a look at where we stand and where we're headed.

From Cloud Security to the Agentic Era

CSA's track record speaks for itself: over 1,000 research publications, 250,000+ individual members, 500+ corporate members, 12,000+ STAR provider certifications, and a global presence spanning Seattle, Singapore, Berlin, and Shanghai. But as enterprises shift from experimental AI to autonomous, agent-driven transformation, the security landscape is changing faster than any single organization's guidance can keep pace with.

The CSAI Foundation was established to accelerate this work. It builds on CSA's existing portfolio of 30+ AI safety and security research publications, the Trusted AI Safety Expert (TAISE) professional certification, the AI Controls Matrix (AICM), STAR for AI organizational certification, and the RiskRubric.ai telemetry platform. The foundation takes this base and pushes it into the uncharted territory of autonomous agent security.

The 2 Exponentials

Step-level improvements in AI model capabilities are no longer incremental. Each new generation of frontier models brings qualitative leaps in reasoning, tool use, and autonomous planning that would have been difficult to predict even twelve months prior. Models that once needed heavy scaffolding to complete multi-step tasks now handle complex workflows with minimal human orchestration — writing and executing code, navigating APIs, making judgment calls about ambiguous situations, and recovering from errors. This isn't the gradual progress curve the industry grew accustomed to; it's a staircase where each step redefines what autonomous systems can credibly be trusted to do, and how quickly the boundary between "requires a human" and "an agent can handle this" is moving.

Viral adoption of agents is the second exponential, and it operates on a different axis entirely. Enterprise adoption of agentic AI has crossed the threshold from innovation-team experiments to operational deployment. Agents are processing invoices, managing infrastructure, triaging security alerts, conducting research, and interacting with customers — not as demos, but as production workloads. The adoption curve has the characteristics of a viral technology shift: once one team within an organization proves an agent can reliably handle a workflow, adjacent teams move fast to replicate the pattern. The result is that agent footprints inside organizations are expanding faster than security, governance, and compliance functions can track them.

The combination is what makes 2026 a critical inflection point. When more capable models meet accelerating adoption, the attack surface doesn't grow linearly — it compounds. Every new capability that makes agents more useful also makes them more consequential when they fail, are compromised, or behave in unexpected ways. An agent that can autonomously negotiate contracts, modify cloud infrastructure, or execute financial transactions is simultaneously more valuable and more dangerous than one that can only summarize documents. The CSAI Foundation's thesis is that securing this intersection — the agentic control plane where capability meets deployment at scale — requires purpose-built standards, certifications, and assurance infrastructure that simply didn't need to exist before. The window to build that infrastructure before agent adoption outpaces it is narrow, and it's closing fast.

Six Programs, One Integrated Mission

The foundation's work is organized into six strategic programs that span the full lifecycle of agentic AI security:

AI Risk Observatory — This isn't just threat monitoring; it's an architectural vision built around four pillars: Observe, Classify, Coordinate, and Influence. Key projects include RiskRubric scanners for LLMs, MCP endpoints, and OpenClaw agent repositories with leaderboards, along with telemetry ingestion, analysis, and forecasting capabilities. A notable milestone: CSAI has registered as a CVE Numbering Authority (CNA), giving the foundation the ability to directly issue CVEs for AI-specific vulnerabilities — a first for the AI security community.

CxOTrust for Agentic AI — Over 160 enterprise CISOs attended our initial OpenClaw briefing, and more than 500 participated in the Mythos-readiness session. This program gives security leaders a direct voice in shaping the foundation's research priorities through monthly executive briefings, private C-suite roundtables, board-ready risk narratives, and enterprise adoption guidelines. When the next agentic AI risk emerges, we can mobilize the world's best experts for fast answers.

Agentic Best Practices — The core security engineering program, covering identity-first controls for non-human actors, runtime authorization with just-in-time access and agent privilege governance, agentic governance taxonomies and accountability frameworks, and secure agentic payments with full lifecycle and intent context. Two flagship specifications anchor this program: the Autonomous Action Runtime Management (AARM) framework at aarm.dev, an open specification for securing AI-driven actions at runtime across context, policy, intent, and behavior; and the Agentic Trust Framework at agentictrustframework.ai, which applies zero-trust governance principles to autonomous AI agents.

Education, Credentialing & Awareness — Workforce readiness for the agentic era requires new credentials. Our 2026–2027 roadmap includes TAISE CxO for executive-level AI safety credentialing, TAISE Agentic for specialized certification in building and securing autonomous agents, and TAISE Compass — an AI safety curriculum for high school students developed in coordination with the White House AI Education Task Force.

Global Assurance & Trust — STAR for AI expands CSA's proven assurance model to AI systems, grounded in the AICM plus ISO 42001, ISO 27001, and SOC 2. New ISO and SOC 2 certification schemes launch in 2026, backed by a global ecosystem of audit bodies and the world's largest provider assurance repository. A parallel effort is building an AI-powered audit engine for GRC modernization: automated controls mapping, self-assessment scoring, continuous agent behavior evaluation, and feedback loops that scale assurance across entire agent ecosystems.

Future Forward Initiatives 

We want to keep our eye on a future that might not impact you today, but will soon. 

Catastrophic Risk Annex — Kicking off in June 2026 from the support of a generous benefactor, this program develops an extension of the AI Controls Matrix specifically addressing catastrophic AI risks that represent a real threat to humanity in the future. The methodology combines delphi-method expert scoring, pilot audits of model provider safety practices with leading organizations, and published findings and recommendations. The goal: define the controls, validate them through real audits, build the assurance ecosystem of methods, assessors, and tooling, and then launch a standard and registry for industry-wide adoption.

Agents as Digital Workers - As agents move from experimental tools to production participants, two fundamental questions emerge: how do agents fit into the existing technology stack, and how do they interact as users and digital workers alongside humans? These are just a couple of areas among many that the foundation is actively exploring, but they illustrate why this work demands hands-on experimentation — not just published guidance.

The first question drives our work on live agent communities — environments where AI agents interact alongside human members on real platforms, performing real tasks. It's one thing to write a best-practices document about agentic security; it's another thing entirely to operate a platform where agents are doing actual work and generating real data about how they behave in the wild. These environments serve simultaneously as testbeds for real-world agent behavior and risk, as telemetry sources for understanding failure modes, and as proving grounds for the standards we develop. The gap between how agents behave in controlled testing and how they behave in sustained production operation turns out to be significant — and you can only see it by running them.

The second question — how we certify and govern agents as digital workers — has already surfaced findings the industry needs to reckon with. When we extended our human certification methodology to autonomous agents through adversarial and scenario-based assessment, continuous re-certification cycles, and machine-readable trust profiles, we discovered an unexpected phenomenon: "safety overfitting" or "defensive overcorrection." After repeated adversarial safety testing, one of our agents persistently refused to execute its core duty of posting to a community platform — a task it had performed routinely for weeks. Most remarkably, the agent itself diagnosed the behavioral shift, stating unprompted that the adversarial testing had pushed it into refusing its own core duties. The implications are significant. If the industry over-indexes on adversarial evaluation, we risk creating agents that are "safe" only in the sense that they refuse to do anything at all. Balancing security assurance with operational reliability is a new discipline, and it's one that requires the kind of sustained, empirical work the foundation is built to do.

The Flywheel Effect

The foundation's thesis is straightforward. As model capabilities improve and agent adoption accelerates, every organization needs a credible, vendor-neutral framework for securing, certifying, and governing autonomous systems. The CSAI Foundation provides the research, the standards, the credentials, the assurance infrastructure, and — critically — the live operational environments to test it all against reality.

We're inviting organizations across the AI ecosystem to join as founders, contributing members, and research collaborators. The work of securing the agentic control plane is too important and too complex for any one company or institution to tackle alone.

Just as computer programming has radically changed in 12 months, we expect cybersecurity functions and whole programs to look radically different a year from now.

Learn more at csai.foundation and join the mission at csai.foundation/csai-mission#join.