Frameworks Don't Build Trust. Adoption Does
Security Boulevard, Monday, May 4th, 2026
CSA extends its STAR assurance framework to AI, but agentic AI security vendors risk fragmenting the market by not adopting the standards themselves.
The Cloud Security Alliance launched STAR for AI in October 2025, extending its proven assurance framework into artificial intelligence with the AI Controls Matrix covering 243 control objectives across 18 security domains.
The CSAI Foundation announced the STAR for AI Catastrophic Risk Annex in April to address emerging failure modes like autonomous system behavior and loss of human oversight that existing frameworks don't fully capture.
However, a legitimacy problem threatens the ecosystem: purpose-built agentic AI security vendors are conspicuously absent from the STAR registry, raising concerns that the companies selling AI security controls won't submit to the frameworks they claim to enforce.
The author argues that enterprise buyers deserve to evaluate agentic AI security vendors against the same standards those vendors promote, and warns that without vendor participation, the assurance ecosystem risks fragmenting before it coheres.