Essay
The AI-security framework landscape read as a practitioner: what each artifact actually is, why this practice anchors on the Cloud Security Alliance (CSA) AI Controls Matrix and AI Security Maturity Model, and how the analyst lenses are integrated rather than ignored.
9 July 2026 · 16 min read · Binu Chacko
Situation
Every framework claims to be the map — AICM, ISO, NIST, each with its own structure.
Complication
Adopt two partitions and every control lives twice: double mapping, double evidence, double drift.
The question
“Which single spine can hold everything else as a lens?”
The answer
One MECE partition — CSA AICM, machine-enforced — with every other regime mapped onto it as a lens, never a second catalog.
Every organisation standing up AI security governance in 2026 meets the same three names within the first week: the Cloud Security Alliance’s (CSA) AI Controls Matrix, Forrester’s AEGIS, and Gartner’s AI TRiSM. They are routinely presented as competitors. They are not. They are three different kinds of artifact: an open consensus control standard, a paywalled analyst operating framework, and an analyst market taxonomy. Treating them as interchangeable is how programs end up with a slide instead of a control spine. This paper lays out what each one actually is, from public sources; why this practice anchors on the CSA pair; and how the analyst perspectives are integrated into the app rather than ignored.
You do not choose between these frameworks. You choose one spine you can audit against, and read the others as lenses on it.
The AI-security framework landscape sorts into three families, and the sorting matters more than any individual feature comparison:
The buying decision is not “which framework is best.” It is: which artifact can serve as the spine — the thing every skill, assessment answer, and maturity claim attaches to — and which artifacts are better used as lenses over that spine.
CSA’s AI security stack is three artifacts on one body of work, and the completeness of that stack is the core of the case for it.
The AI Controls Matrix (AICM) launched in July 2025 and was revised to v1.1 in June 2026. It specifies 247 control objectives across 18 security domains — from Audit & Assurance and Governance through Model Security, Data Security & Privacy Lifecycle, Logging & Monitoring, and Threat & Vulnerability Management. Each objective is a specific, testable statement, and each carries CSA’s own authoritative mappings to ISO/IEC 42001, the EU AI Act, and BSI AIC4, plus implementation and auditing guidance written per supply-chain role: Cloud Service Provider (CSP), Application Provider (AP), Model Provider (MP), and Orchestrated Services Provider (OSP). The matrix descends from the Cloud Controls Matrix, which means most of its objectives are AI-specialised versions of controls organisations already operate — a lineage this app quantifies precisely (more below).
The AI Security Maturity Model (AISMM), released in May 2026 after more than six hundred public-review comments, grades how well those controls are run: 12 categories in 3 domains (Foundational, Structural, Procedural), each with its own bespoke 5-level ladder from L1 Initial to L5 Efficient. The per-category rung descriptions are CSA’s own text, which is what makes a placement defensible: you can hand the rubric to the person being graded. CSA’s own framing of the pair: the AICM answers what controls should be in place; the AISMM describes the maturity journey of the program running them.
The AI Consensus Assessments Initiative Questionnaire (AI-CAIQ) turns the matrix into a question set, and STAR for AI (launched October 2025) turns answers into a public registry entry: Level 1 is a published self-assessment; Level 2 adds ISO/IEC 42001 certification with a validated questionnaire. It is the same pattern (CCM → CAIQ → STAR) that became the default due-diligence artifact for cloud vendors, now pointed at AI providers. No analyst framework has an equivalent public-assurance loop. CSA itself positions the stack as complementary to, never competing with, the NIST AI Risk Management Framework and ISO/IEC 42001: those set the risk process and the management system; the AICM is the control-level implementation layer beneath them.
AEGIS — Agentic AI Enterprise Guardrails for Information Security — is a Forrester Vision Report launched on 4 August 2025 (lead author Jeff Pollard, with Allie Mellen, Andras Cser, Heidi Shey, Janet Worthington and others). From Forrester’s public pages, it is a six-domain guardrails framework for securing AI agents and agentic infrastructure:
Its intellectual contribution is three operating principles: least agency (limit the decisions and actions an agent may take, even where access is granted — least privilege extended from access to agency), continuous assurance (replace point-in-time audit with ongoing evaluation of data, model, and agent integrity), and explainable outcomes (guardrail decisions must be explainable to people and systems). Forrester’s October 2025 follow-up positions AEGIS explicitly as “not yet another framework” but a cross-referenced blueprint: it publishes 39 substantive controls with mapping coverage of 100% to both the NIST AI RMF and ISO/IEC 42001, 87% to the OWASP Top 10 for Large Language Models, 74% to the EU AI Act, and 54% to MITRE ATLAS.
What it is not, on the public record: it publishes no maturity model, no graded autonomy ladder, and no public assessment instrument. The control specifications live in a client-licensed report (US$1,495 for non-clients). That is not a criticism — Forrester sells research — but it disqualifies AEGIS as a spine for a practice whose clients must be able to audit the rubric they are graded against.
AI TRiSM — AI Trust, Risk and Security Management — is Gartner’s umbrella for the technology and practice market around trustworthy AI, and it long predates the agentic wave: the underlying research dates to around 2020, and Gartner named it a Top Strategic Technology Trend for both 2023 and 2024. Its original formulation covered model interpretability and explainability, data and content anomaly detection, AI data protection, model operations (ModelOps), and adversarial-attack resistance. The current formulation, as consistently reported across public coverage of Gartner’s Market Guide (the guide itself is client-licensed), organises the market into four layers: AI governance; AI runtime inspection and enforcement; information governance; and infrastructure and stack.
The agentic extension is the guardian agent: Gartner’s own definition is “a blend of AI governance and AI runtime controls in the AI TRiSM framework” that supervises other AI — publicly typed as reviewers (check outputs), monitors (observe and track actions), and protectors (adjust or block actions at run time). Its February 2026 Market Guide for Guardian Agents formalised the category, and Gartner publicly predicts guardian-agent technologies will account for 10 to 15 percent of the agentic-AI market by 2030.
TRiSM’s value is that it names the layers a complete program needs and shapes where the vendor market invests — when Gartner names a layer, products appear in it within eighteen months. But like AEGIS it is an analyst artifact: no open control catalog, no numbered control ids, no maturity rubric, no assessment instrument an assessed party can inspect without a license.
Set side by side, the sorting resolves the choice:
| Artifact | Kind | Control-level spec | Maturity model | Assessment instrument | Access |
|---|---|---|---|---|---|
| CSA AICM + AISMM + AI-CAIQ | Open consensus standard | 247 objectives, 18 domains, per-role audit guidance | 5 levels × 12 categories, per-category rungs | AI-CAIQ (questionnaire) + STAR for AI (registry) | Free, publicly downloadable |
| Forrester AEGIS | Analyst operating framework | 39 controls (text client-licensed) | None published | None published | Client license / US$1,495 |
| Gartner AI TRiSM | Analyst market taxonomy | None (layers, not controls) | None published | None published | Client license |
| ISO 42001 · NIST AI RMF · EU AI Act | Management standards + law | Requirements, not operating controls | Not applicable | Certification / conformity audit | Purchase / public law |
Six criteria drove the anchoring decision, in order of weight:
And the honest other half: what CSA does not give you. The AICM has no agentic operating principles — nothing as crisp as least agency. It has no runtime-enforcement market lens — nothing like guardian agents. And nobody in the landscape, CSA included, ships a graded autonomy ladder: a way to say how far AI has taken over a workflow, which is half of the question every board actually asks. Those three gaps are exactly where the analyst lenses and one honest in-house construct earn their places.
The data layer is a strict MECE partition (Mutually Exclusive, Collectively Exhaustive): every skill in the library maps to exactly one of the 18AICM domains, enforced by a build gate that fails on any violation. Everything else — maturity, frameworks, plays, ownership — is a lens over that partition, never a second partition. One spine, many views.
Control domains do not attend meetings; functions do. Above the partition sits the ownership lens: eight security functions, each the single accountable owner of specific AICM domains — a one-owner-per-domain map (with a consulted-parties overlay for domains that touch several functions):
| Function | Owns (AICM domains) |
|---|---|
| Identity Security (IDS) | IAM |
| Network & Infrastructure Security (NIS) | I&S · DCS |
| Endpoint & Workload Security (EWS) | UEM |
| Application & DevSecAIOps Security (APP) | AIS · MDS |
| Data Security (DAT) | DSP · CEK |
| Cloud & Container Security (CCS) | CCC |
| Security Operations (SOC) | LOG · SEF · TVM |
| Security Governance, Risk & Assurance (GRA) | A&A · GRC · STA · BCR · IPY · HRS |
This is the altitude the assessment operates at: you assess a function, the function’s evidence rolls up to its domains, and the domains roll up to the board scorecard. AEGIS’s six domains map cleanly onto this structure — which is the practical sense in which the app is AEGIS-compatible without being AEGIS-derived:
| AEGIS domain (Forrester) | Where it lands in this app |
|---|---|
| Governance, Risk, and Compliance | The GRA function: GRC · A&A · STA · HRS · BCR · IPY, plus the AISMM Governance category |
| Identity and Access Management | The IDS function: the IAM domain, graded L1–L5 per run |
| Data Security and Privacy | The DAT function: DSP · CEK, plus the privacy-and-governance skill content |
| Application Security and DevSecOps | The APP function: AIS · MDS, plus the DevSecAIOps tollgate framework |
| Threat Management and Security Operations | The SOC function: LOG · SEF · TVM |
| Zero Trust Architecture | Cross-cutting: NIS (I&S · DCS), EWS (UEM), CCS (CCC) — and generalised by the gate, which applies least agency to every workflow, not only network paths |
A function diagnostic scores each AISMM category it covers with a coverage-bounded scorer (a level can only be claimed on positive evidence at that tier, and any absent control caps the level below it), and the result renders as the maturity radar: the 12 CSA categories as fixed spokes, L1 at the hub, L5 at the rim, with target, previous-run, and peer-median overlays. The rubric on the spokes is CSA’s verbatim ladder text, regenerated from the source spreadsheet and guarded against paraphrase at build time.
The landscape’s shared gap is autonomy grading. This practice fills it with the AI Cyber Maturity Model (AI-CMM): 4 rungs from L1 Manual to L4 Autonomous, each with an observable self-placement test. It is our model · calibrated to SAE J3016— our own construct, calibrated to the Society of Automotive Engineers’ J3016 levels-of-automation pattern, and never presented as a CSA, NIST, ISO, or SAE standard. Honest provenance is the price of inventing where the standards are silent.
AEGIS’s least agency is a principle. The app’s gate is that principle as arithmetic: a workflow’s autonomy rung must not exceed what its governance evidence supports — autonomy at level N requires AISMM maturity of at least N, and the higher rungs carry explicit category minimums (running AI in the loop demands Security Monitoring at L3 and Incident Response at L2; removing per-action approval additionally demands Model Security at L2). Every assessment, play, and board row is judged against it.
AEGIS’s continuous assurance lands as the loop: assess, fix the top gaps, re-assess, advance one autonomy rung, repeat — re-assessing on material change or a rung-advance attempt, not on a calendar. Saved baselines, run-over-run deltas, and the previous-run radar overlay are the mechanism; the principle is the reason the mechanism exists.
The third AEGIS principle maps to the app’s evidence taxonomy: every number carries one of five provenance states — illustrative, self-assessed, modeled, measured, verified — and measured is reserved for task-level before/after. Every capped maturity level names the specific control that capped it. A reading you cannot re-derive is a mood, not a reading.
Gartner’s runtime inspection-and-enforcement layer (and its guardian-agent extension) maps to the app’s instruments: testers, corpora, and fitted guards that produce runtime evidence rather than attestation. The reference run is the StoryBond case study — an off-the-shelf jailbreak detector caught 8 of 15 attack classes on a children’s-storybook app; fitting the app’s own guard to its named attack classes took it to 15 of 15 with a held-out set passing — and the SkillGuard supply-chain scanner applies the same runtime-evidence discipline to the skill library itself. TRiSM names the layer; the instruments are what running it looks like.
Sourcing: CSA figures (18 domains, 247control objectives, the 12 AISMM categories and their ladders, the ISO/IEC 42001 · EU AI Act · BSI AIC4 crosswalk) are generated directly from CSA’s published source files and shipped in this app. Forrester AEGIS facts are from Forrester’s public pages (the 4 August 2025 launch blog, the AEGIS technology landing page, and the 22 October 2025 crosswalk blog). Gartner AI TRiSM facts are from Gartner’s public press releases and articles; the four-layer formulation is as consistently reported in public coverage of the client-licensed Market Guide. No licensed report content is reproduced; where something could not be verified publicly, it is not claimed here. All readings this app produces are self-assessed unless explicitly marked measured.
Subscribe for the next essay.