SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
United States
Responsible secure cloud network ai agent layered shields modern illustration
#
Cloud Security
#
AI Security
#
Zero Trust Security

Cloud Security Alliance launches AI risk initiative

Wed, 29th Apr 2026 (Today)
Author image
By Shannon Williams, News Editor

The Cloud Security Alliance has launched a new AI catastrophic risk initiative, gained authority to issue CVE identifiers within a limited scope, and added two agentic AI governance specifications to its CSAI Foundation. Together, the moves expand the foundation's work on oversight of autonomous AI systems.

The new STAR for AI Catastrophic Risk Annex is designed to extend the alliance's existing AI Controls Matrix and STAR for AI assurance programme. It targets scenarios such as loss of human oversight, uncontrolled system behaviour, and other large-scale harms, with a focus on controls that can be tested in production.

The rollout is planned in four phases from June 2026 to December 2027. The work is being aligned with the NIST AI Risk Management Framework, the EU AI Act, and ISO/IEC 42001, and is due to conclude with a State of Catastrophic AI Risk Controls Report.

Support for the annex is coming from Coefficient Giving, a philanthropic organisation focused on long-horizon AI safety work.

Vulnerability role

Separately, the Cloud Security Alliance has been authorised by the CVE Programme, through MITRE, as a CVE Numbering Authority. Its initial scope covers vulnerabilities in its own software tools.

The designation gives the group a defined role in the vulnerability disclosure ecosystem at a time when security researchers and policymakers are paying closer attention to the risks posed by increasingly autonomous AI systems. The CSAI Foundation is now organising research and operational work with existing numbering authorities and other partners on agentic-specific vulnerability coordination, gaps in the CVE and National Vulnerability Database system, AI-assisted but human-verified vulnerability enrichment, and guidance for defenders.

These steps sit within the foundation's wider AI Risk Observatory effort, which has become more urgent as AI systems improve and as their ability to discover, generate, and amplify cybersecurity findings at scale grows.

Specification transfers

The foundation has also taken stewardship of two technical frameworks intended to address governance and control issues in agentic AI.

One is the Autonomous Action Runtime Management specification, known as AARM, an open system specification for securing AI-driven actions at runtime across context, policy, intent, and behaviour. The specification was contributed with support from Vanta, a corporate member of the alliance.

Herman Errico, founder of AARM, will continue to lead development of the specification as Working Group Chair.

The second is the Agentic Trust Framework, or ATF, which is being transferred under an agreement with MassiveScale.AI founder Josh Woodruff. Woodruff is also a CSA Research Fellow and co-chair of the CSA Zero Trust Working Group, and the framework applies Zero Trust principles to agentic AI governance.

He will continue to lead development of that framework under the foundation's stewardship.

The announcements reflect how industry groups are trying to build governance structures around agentic AI, a term for systems that can take actions with limited human intervention. The effort is drawing in standards bodies, regulators, auditors, and security practitioners as businesses begin to test or deploy agents inside corporate systems and workflows.

For the Cloud Security Alliance, the latest steps also deepen the role of its CSAI Foundation, which was created to focus exclusively on AI security and safety. The foundation has framed its 2026 mission as securing what it calls the agentic control plane, shorthand for the policies, controls, oversight mechanisms, and technical standards that govern autonomous AI behaviour inside organisations.

Jim Reavis, Chief Executive Officer and Co-Founder of the Cloud Security Alliance, described the announcements as a response to the pace of change in both AI model development and business adoption.

"The global economy is contending with two exponentials at once: frontier models leapfrogging each other month over month, and viral, bottom-up adoption of agents inside the business," said Jim Reavis, Chief Executive Officer and Co-Founder of the Cloud Security Alliance.

"Today's announcements give enterprises, auditors, and regulators the technical specifications and assurance scaffolding to say yes to agentic AI without losing control of it," Reavis said.

Related stories
360 Privacy expands C-suite with four executive appointments
Thrive appoints Matt Kosovsky as Chief Financial Officer
CIP marks 10 years of Linux support for infrastructure
Simbian cyber defence benchmark finds all 11 AI models fail
AI now powers most dangerous cyber threats, warns SANS

Top stories

Cybersecurity experts warn of password risks as day nears
Miggo launches Pulse in bid to speed AI exploit response
Milestone expands XProtect & Arcules with new tools
Healthcare faces growing AI medical device security risks
Qualys warns cloud risk now stems from identity design