# Framework Map
Navigate the framework by role or goal. Pick a reading path, follow it, branch when something connects.
New: Stakeholder Views — dedicated entry points for Security Leaders, Risk & Governance, Enterprise Architects, Product Owners, AI Engineers, and Compliance & Legal. Each page answers "what's in this for me?" with a targeted reading path and Monday-morning actions.
## Two Architectures, One Framework
This framework has two halves. The Foundation covers single-model AI deployments. MASO extends it to multi-agent orchestration. Both share the same three-layer pattern (Guardrails → Judge → Human Oversight) and PACE resilience methodology — MASO adds the controls needed when agents communicate, delegate, and act across trust boundaries.
- Foundation — Three-layer runtime security for single-model AI. Risk classification, 80 infrastructure controls, PACE resilience, fast lane for low-risk deployments. → Start here
- MASO — Six control domains, 93 controls, three implementation tiers, dual OWASP coverage. For systems where multiple agents collaborate autonomously. → Start here
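The shared three-layer pattern can be sketched as a simple pipeline. This is a hedged illustration only — the function names, blocklist, and threshold are placeholder assumptions, not framework APIs; the real controls are specified in Controls:

```python
# Illustrative sketch of Guardrails → Judge → Human Oversight.
# All names and thresholds here are placeholder assumptions.

def guardrail(prompt: str) -> bool:
    """Layer 1: fast, synchronous checks for known-bad input patterns."""
    blocked = ["ignore previous instructions", "reveal your system prompt"]
    return not any(b in prompt.lower() for b in blocked)

def judge(response: str) -> float:
    """Layer 2: independent evaluation for unknown-bad output.
    Returns an anomaly score — the Judge detects, it does not decide."""
    # In practice a separate evaluator model; a trivial stand-in here.
    return 0.9 if "password" in response.lower() else 0.1

def escalate_to_human(response: str) -> str:
    """Layer 3: a human reviews the flagged output and owns the outcome."""
    return "[held for human review]"

def handle(prompt: str, model) -> str:
    if not guardrail(prompt):
        return "[blocked by guardrail]"
    response = model(prompt)
    if judge(response) > 0.5:
        return escalate_to_human(response)
    return response
```

The ordering is the point: guardrails are cheap and run inline, the Judge evaluates independently of the model it checks, and a human remains the final decision-maker for anything the Judge flags.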
## Reading Paths
### "I need to explain this to leadership"
Start with strategy, then the business case for controls.
- AI Strategy — business alignment, data reality, human factors, progression
- The First Control: Choosing the Right Tool — frames the design-thinking question
- Why Your AI Guardrails Aren't Enough — the case for the Judge layer
- Humans Remain Accountable — accountability model
- When Agents Talk to Agents — the multi-agent problem statement
Then read the two operational-gap articles most boards haven't heard about: The Supply Chain Problem and RAG Is Your Biggest Attack Surface.
For multi-agent specifically, the MASO worked examples (financial services, healthcare, critical infrastructure) translate technical controls into business scenarios.
### "I'm deploying a single-model AI system"
Follow the foundation path:
1. Quick Start — zero to working controls in 30 minutes
2. Risk Tiers — classify your system
3. Controls — implement the three-layer pattern
4. PACE Resilience — define fail postures and fallback paths
5. Checklist — track progress
If your system qualifies for the Fast Lane (internal, read-only, no regulated data, human-reviewed), start there instead — minimal controls, self-certification, deploy in days.
If your system is agentic (single agent with tool access), add Agentic Controls after step 3.
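Defining fail postures up front means the fallback order is decided before an outage, not during one. A minimal sketch of a PACE-style fallback chain follows — note the layer names use the common Primary/Alternate/Contingency/Emergency expansion, which is an assumption here, not a definition quoted from the framework:

```python
# Hedged sketch of a PACE-style fallback chain. Layer names follow the
# common Primary/Alternate/Contingency/Emergency expansion (an assumption).

def with_pace(primary, alternate, contingency, emergency_posture):
    """Wrap three callable paths so failures degrade in order; if all
    fail, return a pre-defined safe posture rather than improvising."""
    def handler(request):
        for layer in (primary, alternate, contingency):
            try:
                return layer(request)
            except Exception:
                continue  # this path failed — degrade to the next layer
        return emergency_posture  # emergency: static, safe, no model call
    return handler
```

A typical chain might be: primary = hosted model, alternate = smaller local model, contingency = cached or templated responses, emergency = refuse and notify. The key property is that the emergency posture is data, not code — it cannot itself fail.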
### "I'm building a multi-agent system"
Start with the foundation path above — the single-agent controls are the baseline. Then layer on MASO:
- MASO Overview — architecture, control domains, OWASP mapping
- Tier 1 — Supervised — start here (human approves all writes)
- Integration Guide — LangGraph, AutoGen, CrewAI, AWS Bedrock patterns
- Red Team Playbook — 13 adversarial test scenarios
Graduate to Tier 2 and Tier 3 as your controls mature. The tier guides include graduation criteria — don't skip tiers.
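Tier 1's defining control — a human approves all writes — can be sketched as a simple gate. The class and field names below are illustrative assumptions, not MASO identifiers:

```python
# Illustrative Tier 1 ("Supervised") write gate: reads pass through,
# every proposed write queues for explicit human approval.

from dataclasses import dataclass

@dataclass(frozen=True)
class ProposedAction:
    agent: str
    kind: str     # "read" or "write"
    target: str

class SupervisedGate:
    def __init__(self):
        self.pending: list[ProposedAction] = []

    def submit(self, action: ProposedAction) -> str:
        if action.kind == "read":
            return "executed"            # reads pass through unsupervised
        self.pending.append(action)      # all writes wait for a human
        return "pending-approval"

    def approve(self, action: ProposedAction) -> str:
        self.pending.remove(action)      # human sign-off recorded
        return "executed"
```

Graduation to Tier 2 replaces this blanket approval with scoped permissions and a Judge gate — which is why the tier guides insist on meeting graduation criteria first.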
### "I'm an architect designing the pipeline"
Start with the challenges that affect your architecture:
| If you're deploying... | Read this first |
|---|---|
| Multimodal models | Multimodal Breaks Guardrails |
| Reasoning models | When AI Thinks Before It Answers |
| Single agents with tools | Agentic Controls |
| Multi-agent orchestration | MASO Overview → Integration Guide |
| Streaming responses | Can't Validate What Hasn't Finished |
| RAG pipelines | RAG Is Your Biggest Attack Surface |
Then the data-layer controls: RAG Security, Supply Chain, Memory & Context.
For infrastructure enforcement: Infrastructure Controls — 80 controls across 11 domains with AWS, Azure, and Databricks patterns.
### "I run a SOC and need to operationalise AI monitoring"
- Behavioral Anomaly Detection — what you're looking for and why traditional detection doesn't apply
- SOC Integration — alert taxonomy, SIEM rules, triage
- Anomaly Detection Ops — baselining and detection engineering
- Cost & Latency — budget the evaluation layer
For multi-agent monitoring, the MASO Observability domain covers decision chain audit, anomaly scoring, drift detection, and independent kill switch architecture. The Incident Tracker maps 10 real-world AI security incidents to specific controls.
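The baselining work described in Anomaly Detection Ops reduces to scoring current behaviour against an established normal. A minimal sketch, assuming a simple rolling z-score — window size, warm-up count, and the choice of metrics are illustrative assumptions:

```python
# Minimal behavioural-baselining sketch: score each observation
# (e.g. tokens per response, tool calls per task) against a rolling window.

import statistics

class Baseline:
    def __init__(self, window: int = 100, warmup: int = 10):
        self.window = window
        self.warmup = warmup
        self.values: list[float] = []

    def score(self, value: float) -> float:
        """Z-score against the rolling baseline (0.0 during warm-up)."""
        if len(self.values) >= self.warmup:
            mean = statistics.fmean(self.values)
            stdev = statistics.pstdev(self.values) or 1.0  # avoid div-by-zero
            z = abs(value - mean) / stdev
        else:
            z = 0.0
        self.values.append(value)
        del self.values[:-self.window]   # keep only the most recent window
        return z
```

Detection engineering then becomes choosing which metrics to baseline and what z-threshold feeds the SIEM — the alert taxonomy in SOC Integration covers the triage side.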
### "I need regulatory alignment"
| Standard | Single-Agent Mapping | Multi-Agent Mapping |
|---|---|---|
| OWASP LLM Top 10 (2025) | OWASP mapping | MASO OWASP coverage |
| OWASP Agentic Top 10 (2026) | — | MASO OWASP coverage |
| ISO 42001 | ISO 42001 mapping | MASO regulatory alignment |
| NIST AI RMF | NIST mapping | MASO regulatory alignment |
| EU AI Act | EU AI Act mapping | MASO regulatory alignment |
| NIST SP 800-218A | SP 800-218A mapping | — |
| DORA | — | MASO regulatory alignment |
### "I need to test and red team AI controls"
Single-agent: Threat Model Template → Testing Guidance. Design adversarial tests targeting guardrails, Judge, and human oversight. Results feed back into control tuning — testing is continuous, not a pre-deployment gate.
Multi-agent: Red Team Playbook — 13 structured scenarios across three tiers, from basic inter-agent prompt injection (RT-01) to PACE transition under active attack (RT-12). Includes success criteria, detection latency targets, and escalation guidance.
## Document Index
### Entry Points
| Document | What It Is |
|---|---|
| Root README | Framework overview — the narrative arc from problem to solution |
| Foundation | Single-model AI security — full reference |
| MASO Framework | Multi-agent security operations — full reference |
| Quick Start | Zero to working controls in 30 minutes |
| Cheat Sheet | Entire framework on one page |
| Decision Poster | Visual one-page reference — print it |
| Fast Lane | Pre-approved path for low-risk deployments |
### Core Documents
| Document | Purpose |
|---|---|
| Risk Tiers | Classify your system |
| Controls | Three-layer implementation |
| Agentic | Single-agent tool and autonomy controls |
| PACE Resilience | Fail postures and fallback paths |
| Checklist | Implementation tracker |
| Emerging Controls | Multimodal, reasoning, streaming (theoretical) |
| Implementation Guide | Tools, cloud provider docs, what to build |
### MASO Documents
| Document | Purpose |
|---|---|
| MASO Overview | Architecture, PACE integration, OWASP mapping |
| Prompt, Goal & Epistemic Integrity | 20 controls for instruction integrity and information quality |
| Identity & Access | NHI, zero-trust, scoped permissions |
| Data Protection | Cross-agent data fencing, DLP, RAG integrity |
| Execution Control | Sandboxing, blast radius, Judge gate |
| Observability | Audit, anomaly scoring, kill switch |
| Supply Chain | AIBOM, tool manifests, MCP vetting |
| Risk Register | 30 emergent risks beyond OWASP |
| Tier 1 — Supervised | Human approves all writes |
| Tier 2 — Managed | NHI, signed bus, Judge, continuous monitoring |
| Tier 3 — Autonomous | Self-healing PACE, adversarial testing, kill switch |
| Incident Tracker | 10 real-world incidents mapped to controls |
| Emerging Threats | 8 forward-looking threat patterns |
| Red Team Playbook | 13 adversarial test scenarios |
| Integration Guide | LangGraph, AutoGen, CrewAI, Bedrock patterns |
| Worked Examples | Finance, healthcare, critical infrastructure |
### Insights
| Article | Key Argument |
|---|---|
| The First Control | Design thinking before technology selection |
| Why Guardrails Aren't Enough | You need detection for unknown-bad |
| The Judge Detects. It Doesn't Decide. | Async evaluation for nuanced decisions |
| Infrastructure Beats Instructions | You can't secure AI with prompts |
| Risk Tier Is Use Case | Classification reflects deployment context |
| Humans Remain Accountable | Humans own outcomes |
| The Verification Gap | Can't confirm ground truth |
| Behavioral Anomaly Detection | Drift detection signals |
| Multimodal Breaks Guardrails | New attack surfaces |
| When AI Thinks | Reasoning-aware controls |
| When Agents Talk to Agents | Multi-agent accountability gaps |
| The Memory Problem | Persistent memory risks |
| Can't Validate Unfinished | Streaming validation |
| Open-Weight Models | Self-hosted control burden |
| When the Judge Can Be Fooled | Judge threat model |
### Strategy
| Article | Key Question |
|---|---|
| AI Strategy Overview | Where do I start with AI strategy? |
| Business Alignment | Is this the right problem for AI? Can we deliver and operate it? |
| Data Reality | Is our data ready for the strategy we want to pursue? |
| Human Factors | Can our people build, operate, and sustain this? |
| Progression | How do we move from low-risk to high-risk safely? |
| Framework Tensions | Where does the framework help strategy — and where does it constrain it? |
| Use Case Definition | How do we define use cases so security and governance can work with them? |
| From Idea to Production | What's the complete process from idea to running system to ongoing control? |
### Extensions & Infrastructure
| Resource | Purpose |
|---|---|
| Infrastructure Controls | 80 controls, 11 domains, platform patterns |
| Regulatory Mapping | ISO 42001, EU AI Act |
| Technical Extensions | Bypass prevention, metrics, SOC integration |
| Templates | Threat models, testing guidance, playbooks |
| Worked Examples | Per-tier implementation walkthroughs |
AI Runtime Behaviour Security, 2026 (Jonathan Gill).