The SANS AI Security Maturity Model is the most useful thing I've read on AI security in a while. It's also where most enterprises hit a wall, the Stage 3 gap isn't a policy gap, it's an infrastructure gap.
The model, and what it actually demands
SANS published its AI Security Maturity Model (AISMM) recently. Chris Cochran, their Field CISO and VP of AI Security, is the author. The pitch: turn AI security from a roundtable topic into something a CISO can measure. Not where the roadmap claims you'll be next year. Where the evidence puts you today.
It's a two-axis grid: three pillars of capability scored across five stages of maturity.
The three pillars:
- Protect: securing your AI against adversarial attacks, prompt injection, model theft, and supply chain risk.
- Utilize: using AI to detect threats, automate response, and improve security operations.
- Govern: policy, risk management, oversight. The foundation everything else rests on.
And the five stages, ascending:
- Stage 1, Unaware / Ad Hoc. No formal approach. Unmanaged AI use across the org, no inventory, no controls. Risk is invisible because nobody's looking for it.
- Stage 2, Reactive / Policy-Emerging. Basic policies exist; tools are either blocked outright or allowed without logging. SANS calls this the Framework of No. The practical outcome, and they're blunt about it, is that AI usage goes underground rather than stopping.
- Stage 3, Defined / Risk-Informed. Formal governance, controlled deployment, and the first stage where controls are enforced at runtime instead of on paper. A complete classified inventory of every AI system and agent. Distinct Non-Human Identities (NHIs) per agent. Prompt-injection defences and structured logging at the data plane. A documented human owner for every deployed agent.
- Stage 4, Managed / Integrated. AI embedded in security ops, systems secured by design. Confused Deputy isolation between untrusted inputs and agent execution. Autonomous response for validated scenarios. Formal NHI lifecycle with automated credential rotation. Board-level AI risk reporting.
- Stage 5, Optimizing / Adaptive. AI-native security with autonomous capabilities. Custom ML models tuned to your environment, A/B testing of detection models, AI-powered threat hunting. Security as a continuously improving discipline, not a static control set.
It maps to NIST AI RMF, the EU AI Act, ISO 42001 and OWASP AI Exchange. For EMEA enterprises under GDPR, DORA and NIS2, those aren't optional alignments. They're audit requirements.
Here's what the framework makes obvious: most enterprises are stuck at Stage 2 heading into Stage 3, and that transition is the hardest one. Not for lack of ambition. Because Stage 3 demands specific, concrete, infrastructure-level controls that no policy document can deliver on its own.
This post maps those requirements, pillar by pillar, stage by stage, to the Solo agentic stack: agentgateway, agentregistry and kagent. SANS tells you what you need. The Solo stack is how you build it on Kubernetes.
Why Stage 2 → Stage 3 is where most enterprises stall
Stage 3 is a real inflection point, not the next checkbox on a maturity ladder. Here's why.
Stage 2 is the Framework of No: a binary acceptable-use policy that usually reads "don't use AI" or "use with caution", tools blocked outright or allowed without logging, no governance structure to speak of. SANS is blunt about the outcome. Block-based policies push AI usage underground, they don't prevent it. Shadow AI is only Shadow AI when a policy exists to violate. But the underlying risk, ungoverned agents calling ungoverned tools with ungoverned credentials, doesn't care what your policy says.
Stage 3, Defined / Risk-Informed, changes the rules. It requires:
- A complete, classified inventory of every AI system, agent and model in your environment.
- Internal AI agents assigned distinct Non-Human Identities (NHIs) with strict, scoped access control.
- Prompt injection and instruction manipulation defences implemented at the data plane.
- Input validation and output filtering deployed in production.
- Structured logging with trace IDs across every agent step and tool call.
- Runtime validation of dynamically loaded agent tools and plugins.
- Secure agent-to-agent communication with mutual authentication.
- Human-in-the-loop thresholds and automated policy enforcement defined for high-risk agent workflows.
- Every deployed AI agent has a documented human owner.
None of it is a policy document or a training programme. It's infrastructure. SANS's own evidence scale makes this explicit: a written or draft policy alone caps you at score 2, "Developing". To reach Stage 3 ("Established") you need approved policy and consistent execution and stakeholder awareness confirmed. You need a data plane that enforces the controls at runtime.
That data plane is agentgateway. The catalog that ensures only vetted tools reach it is agentregistry. The Kubernetes-native layer that makes agents first-class workloads with observable, ownable identities is kagent.
The three planes of the Solo agentic stack
Quick orientation before the pillar mapping. The three products aren't independent tools bolted together. They're three distinct planes of one stack:
| Plane | Product | Role |
|---|---|---|
| Data plane | agentgateway | Proxies all agent traffic: MCP tool calls, LLM inference, A2A agent communication. Enforces policy, auth, rate limiting, guardrails and observability at runtime. |
| Catalog plane | agentregistry | Centralised, governed registry for AI agents, MCP tools and Agent Skills. The source of truth for what is approved, what is discoverable and what is deployed. |
| Control plane | kagent | Kubernetes-native framework for running AI agents as first-class workloads. Agents are CRDs with lifecycle management, identity and reconciliation loops. |
Competitors sell pieces. The hyperscalers (AWS Bedrock AgentCore, Google Vertex AI Agent Builder, Azure AI Foundry) each have capable agentic offerings inside their own cloud. The gap is cross-cloud governance: identity stops at the cloud boundary, observability fragments, policy enforcement duplicates. Solo runs on your Kubernetes cluster, under your IdP, with your audit trail, no matter which LLM or cloud the agent calls into.
Both agentgateway and agentregistry are open-governance now: agentgateway in the Linux Foundation, agentregistry in the CNCF (contributed March 2026, announced at KubeCon EU 2026 in Amsterdam). kagent is a CNCF sandbox project.
Pillar 1 Protect: securing the agent attack surface
The SANS requirement
The Protect pillar at Stage 3 gets specific about what "securing AI implementations" means once agents enter the picture. The threat model shifts. It's no longer about securing the model. It's about securing the agent's access to tools, its credential chain, and its execution path.
Key Stage 3 Protect requirements:
- Complete AI asset inventory with ownership, data classification and scoped access controls.
- Internal AI agents assigned distinct NHIs with strict access control.
- AI tool and API access strictly scoped.
- Prompt injection and instruction manipulation defences implemented.
- Input validation and output filtering deployed.
- Runtime validation of dynamically loaded agent tools and plugins.
- Secure agent-to-agent communication and mutual authentication.
- Controls mapped to MITRE ATLAS techniques.
At Stage 4 it escalates: Confused Deputy defences isolating untrusted inputs from agent execution tools, plus execution guardrails with real-time monitoring on every agent API call.
How agentgateway addresses this
agentgateway sits between the agent and everything it can reach: LLM endpoints, MCP tool servers, backend APIs, other agents. Rust-built, Linux Foundation-hosted, designed for agent traffic, not an API gateway with AI features bolted on.
Many of the capabilities below are demonstrated end-to-end in the Master the Mesh labs: JWT auth and token exchange, per-tool RBAC, PII guardrails, human-in-the-loop, budgets, tool curation, multi-cluster agent traffic.
NHI enforcement at the proxy. Agents don't carry long-lived static credentials. agentgateway validates tokens at ingress and can issue scoped, short-lived tokens per backend. Native JWT auth, with route-level and tool-level authorization expressed in CEL (Common Expression Language). An agent gets exactly the access the current request justifies, not a standing credential waiting to be harvested.
Here's what a JWT-enforced MCP route looks like:
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: snowflake-mcp-route
namespace: agents
spec:
parentRefs:
- name: agentgateway
rules:
- matches:
- path:
type: PathPrefix
value: /mcp/snowflake
backendRefs:
- name: snowflake-mcp-server
port: 8080
---
apiVersion: gateway.solo.io/v1alpha1
kind: AgentgatewayPolicy
metadata:
name: snowflake-jwt-policy
namespace: agents
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: snowflake-mcp-route
jwtAuth:
issuer: "https://your-idp.example.com"
audiences:
- "snowflake-mcp"
remoteJwks:
uri: "https://your-idp.example.com/.well-known/jwks.json"
Tool-level access control. agentgateway does per-tool authorization. Being authenticated to an MCP server doesn't automatically authorize you to call every tool that server exposes. CEL-based RBAC policies restrict tool access by JWT claim, request context, or custom attribute. That's the implementation behind SANS's "AI tool and API access strictly scoped" line.
Prompt injection and guardrails. Multi-layered: regex filters, OpenAI moderation, AWS Bedrock Guardrails, Google Model Armor, custom webhook validators. They run on both sides, the prompt going to the LLM and the response coming back. In MITRE ATLAS terms, that addresses AML.T0051 (LLM Prompt Injection) and the broader instruction-manipulation vectors.
Tool poisoning protection. The docs are explicit about defending against direct tampering, shadowing, and rug-pull attacks on tools. Traditional API gateways don't model any of this. They don't understand the JSON-RPC session state MCP requires.
Secure A2A communication. agentgateway supports the A2A (Agent-to-Agent) protocol. Agents can discover each other's capabilities, negotiate interaction modes, and collaborate on long-running tasks without exposing internal state or tools. mTLS listeners give you mutual authentication between agent workloads.
How agentregistry addresses this
The Protect pillar also calls for model provenance verification and runtime validation of dynamically loaded agent tools and plugins. That's agentregistry's job.
agentregistry is the governed catalog for AI agents, MCP tools, and Agent Skills. Tool discovery runs through it. Every tool in scope has been imported from a known source, catalogued with ownership and classification, and exposed through a controlled interface, not an ad-hoc developer endpoint.
Runtime discovery surfaces shadow inventory: agents and tools deployed outside the governed catalog. That's SANS's Shadow AI made concrete at the infrastructure layer. No DLP rules, no acceptable-use acknowledgements. The system scans your environment and flags what isn't registered.
agentregistry also integrates with Kubernetes, AWS AgentCore, and Google Vertex AI, so teams can deploy agents and MCP servers directly from the registry to whichever runtime they're on. For multi-cloud or hybrid shops, that's how you keep one governed catalog across fragmented targets.
Pillar 2 Utilize: AI for security operations
The SANS requirement
This is the pillar enterprises tend to feel most confident on: SIEM with AI features, maybe a SOAR platform, maybe some UEBA. SANS is precise about what Stage 3 and Stage 4 Utilize actually requires versus vendor defaults:
Stage 3: AI-powered threat detection tuned to your environment (not running at vendor defaults), AI-assisted automated playbooks for common scenarios, behavioural analytics customised for anomaly detection.
Stage 4: Custom ML models for organisation-specific threat detection, autonomous response for validated scenarios, AI-powered threat hunting, continuous model tuning with A/B testing.
The point SANS keeps making: Stage 3 detection speeds, tuned for human-pace adversaries, are increasingly insufficient against AI-augmented threats. Stage 4 is where you build machine-speed defence.
How kagent addresses this
kagent is the Kubernetes-native framework for running AI agents as first-class workloads, created at Solo.io, now a CNCF sandbox project. Most AI agent frameworks treat Kubernetes as somewhere they happen to run. kagent treats it as the operating model: agents are CRDs, configs are declarative, lifecycle is managed by a controller, behaviour is observable through standard Kubernetes tooling.
Why that matters for security operations:
Agents as owned workloads. A kagent-managed agent handling threat detection, alert triage, or automated response has a defined identity, a declared tool scope, a documented human owner, and a reconciliation loop that detects drift. That satisfies SANS's Stage 3 requirement (every deployed agent has a documented human owner) not as a policy statement, but as a CRD annotation the controller enforces.
Declarative tool scope. A kagent Agent resource declares which tools the agent can use. Not advisory. This is the config that drives agentgateway policy enforcement. The agent can only call tools its spec authorises. Machine-enforceable Principle of Least Agency (SANS's term for the agentic counterpart to Least Privilege).
apiVersion: kagent.dev/v1alpha1
kind: Agent
metadata:
name: threat-triage-agent
namespace: security-ops
annotations:
kagent.dev/owner: "security-team@yourorg.com"
kagent.dev/approved-by: "security-governance-council"
spec:
description: "Triages security alerts and enriches with threat intelligence"
systemPrompt: |
You are a security operations agent. Triage incoming alerts,
enrich with threat intelligence, and escalate based on severity.
Do not take remediation actions without explicit human approval.
tools:
- name: threat-intel-lookup
mcpServer: threat-intel-mcp
- name: alert-enrichment
mcpServer: siem-mcp
- name: escalation-notify
mcpServer: pagerduty-mcp
modelConfig:
provider: anthropic
model: claude-sonnet-4-20250514
Human-in-the-loop at the architecture level. SANS wants human-in-the-loop thresholds defined for high-risk agent workflows. In kagent, the system prompt and tool scope define what the agent can do autonomously. Anything outside that scope (remediation, config changes, production deployments) has to escalate to a human approval workflow. This isn't a prompt-engineering guardrail. It's an architectural constraint, enforced by the tool access config.
A2A for multi-agent security workflows. Real security operations increasingly need multi-agent chains: detection → triage → enrichment → response, with defined handoffs. kagent's A2A support gives you authenticated agent-to-agent communication, so the output of one agent is a verified, auditable input to the next.
Pillar 3 Govern: the floor that determines your final score
The SANS requirement
This is the pillar that catches most enterprises off guard, and the one that caps your overall maturity score, no matter how strong everything else is.
The SANS scoring methodology applies a Governance Floor Rule: your overall maturity can't be more than one stage above your Govern pillar score. Govern at Stage 2 means your overall can't exceed Stage 3, even if Protect and Utilize score higher. The logic is sound. Without governance underneath, higher maturity in other areas creates unmanaged risk, not less of it.
For Financial Services orgs (under DORA, PSD2, UK FCA), SANS bumps Protect to 40% (five points above the default), keeps Govern at 35%, and drops Utilize to 25%. Regulatory reality: an FSI firm can have great AI tooling and still be non-compliant if it can't demonstrate both protective controls and governance over its AI estate.
Stage 3 Govern requirements that directly implicate agentic infrastructure:
- AI Governance Council established with decision authority and regular review cadence.
- Every deployed AI agent has a documented human owner.
- Structured logging with trace IDs across agent steps and tool calls.
- Human-in-the-loop thresholds and automated policy enforcement defined for high-risk agent workflows.
- AI-specific incident response procedures in place.
- Third-party AI assessment requirements defined.
Stage 4 adds: formal NHI lifecycle management with automated credential rotation and decommissioning, reasoning traceability and decision audit artefacts, and board-level AI risk reporting.
How the stack closes the governance gap
Audit trail as infrastructure. The SANS governance question is precise: "When your AI agent takes an action that causes harm (a regulatory violation, data exposure, a wrong decision at scale) who is accountable, and can you produce an audit trail that proves the chain of authority from human authorisation to agent action?"
agentgateway produces that trail. Every MCP tool call goes through the proxy. Every call generates a structured log entry with a trace ID. OpenTelemetry is built in: metrics, logs, and distributed tracing land in your existing observability stack (Prometheus, Grafana, Jaeger, Datadog, whatever you're running). This isn't a bolted-on audit feature. It's what falls out naturally when all agent traffic flows through a single, observable proxy.
For DORA Article 28 specifically (third-party ICT risk management) this is the evidence trail for every outbound call to a SaaS tool: a Stripe MCP server, a Salesforce MCP endpoint, a third-party data API. agentgateway captures it at your egress boundary. The third party doesn't need to be DORA-compliant. You need to demonstrate you're monitoring and logging the dependency. The proxy gives you that.
Sanctioned tool catalog as governance evidence. agentregistry is how an AI Governance Council turns its decisions into something runtime-enforceable. The council approves MCP tools. The tools get registered. Developers hit the catalog through UI, CLI, or API. Agents discover tools through semantic search. Anything not in the catalog isn't available at runtime, because agentgateway enforces it.
That gives you a direct answer to one of the SANS assessment questions: "Can you enumerate every AI system, agent and model in your environment, including employee-adopted tools, and demonstrate that each has documented ownership, data classification and scoped access controls?" Yes. agentregistry is your inventory, and runtime discovery actively scans for shadow inventory.
Automated credential rotation. Stage 4's NHI lifecycle requirement (automated rotation and decommissioning) falls out of the External Secrets Operator pattern. Agent credentials are Kubernetes Secrets. ESO rotates them from your secrets backend (Vault, AWS Secrets Manager, Azure Key Vault). agentgateway consumes them without any change to the agent deployment manifest. Lifecycle's automated. The rotation audit trail lives in your secrets backend.
The Governance Floor, practically. Here's how the three products lift your Govern score from Stage 2 to Stage 3:
| SANS Stage 3 Govern requirement | Solo implementation |
|---|---|
| Every deployed AI agent has a documented human owner | kagent Agent CRD annotation (kagent.dev/owner) enforced by controller |
| Structured logging with trace IDs across agent steps and tool calls | agentgateway OpenTelemetry integration; every MCP call traced end-to-end |
| AI tool and API access strictly scoped | agentregistry catalog + agentgateway CEL-based policy enforcement |
| Runtime validation of dynamically loaded tools | agentregistry shadow inventory detection |
| AI-specific incident response procedures | Trace IDs enable reconstruction of exact agent action sequence per incident |
| Third-party AI assessment requirements | agentregistry import workflow enforces vendor assessment before tool registration |
The mapping table: SANS AISMM stages vs. Solo stack
| SANS requirement | Stage | Solo product | Mechanism |
|---|---|---|---|
| AI agent NHI with scoped credentials | 3, Protect | agentgateway | JWT auth, CEL RBAC, per-route token scoping |
| Prompt injection and instruction manipulation defences | 3, Protect | agentgateway | Multi-layer guardrails: regex, moderation APIs, custom webhooks |
| Runtime validation of dynamically loaded tools | 3, Protect | agentregistry | Governed catalog; shadow inventory detection |
| Secure A2A communication and mutual authentication | 3, Protect | agentgateway | A2A protocol support, mTLS listeners |
| Tool and API access strictly scoped | 3, Protect | agentgateway + agentregistry | CEL policies enforce catalog-approved tools only |
| Documented human owner for every agent | 3, Govern | kagent | Agent CRD owner annotation, controller-enforced |
| Structured logging with trace IDs | 3, Govern | agentgateway | OpenTelemetry traces, per-call structured logs |
| Human-in-the-loop thresholds | 3, Govern | kagent | Declarative tool scope; out-of-scope actions require escalation |
| AI asset inventory with ownership | 3, Govern | agentregistry | Centralised catalog with ownership and classification fields |
| AI-powered threat detection tuned to environment | 3, Utilize | kagent | Security operations agents with declarative tool scope |
| Confused Deputy defence | 4, Protect | agentgateway | Enforcement layer between LLM and tool; untrusted inputs don't reach execution tools |
| Execution guardrails with real-time monitoring | 4, Protect | agentgateway | Per-call policy evaluation; rate limiting; output filtering |
| Formal NHI lifecycle with credential rotation | 4, Govern | agentgateway + ESO | External Secrets Operator integration for automated rotation |
| Reasoning traceability and decision audit artefacts | 4, Govern | agentgateway | Distributed traces reconstruct decision chain per agent session |
| Autonomous response for validated scenarios | 4, Utilize | kagent | Multi-agent A2A workflows with human escalation gates |
What "Shadow AI" looks like at the infrastructure layer
One of the model's sharpest moves is the split between BYOAI (Bring Your Own AI, policy-neutral, pre-policy) and Shadow AI (BYOAI that violates an existing policy, only possible once a policy exists to violate).
Most enterprises treat Shadow AI as a human-behaviour problem: employees using unapproved tools, developers standing up agents on their laptops, teams wiring up LLM endpoints without telling IT. The usual response is DLP rules, training programmes, and acceptable-use policies.
The Solo stack treats it as an infrastructure problem with an infrastructure solution. What that looks like:
- agentregistry runtime discovery scans connected runtimes (Kubernetes clusters, AWS AgentCore environments, Google Vertex AI deployments) and flags agents, MCP servers, and tools that are deployed but not registered. Shadow inventory: real workloads with real access, outside the governed perimeter.
- agentgateway policy enforcement means even if a developer deploys an unregistered MCP server inside the cluster, agents going through the gateway can't call it. The backend config is generated from agentregistry's approved catalog. If it isn't approved, it isn't reachable.
- kagent's declarative model means any agent not defined as a CRD misses out on the operational benefits: lifecycle management, identity, reconciliation. That creates an incentive for developers to register agents properly rather than skirt the system.
That's the Framework of No solved architecturally, not culturally. You're not trying to stop people from using AI. You're making sure anything they deploy lands inside the governed perimeter, not alongside it.
Conclusion
What stands out about the SANS AISMM is how actionable it is. NIST AI RMF has the comprehensive ground covered. AISMM tells you what evidence you need at each stage, which pillar is capping your overall score, and what to build next.
The Stage 3 gap is real. Most enterprises have governance documents and security policies. Very few have the infrastructure that makes those policies enforceable at runtime, where agents are actually making decisions, calling tools, and producing outputs that have real operational consequences.
The Solo stack closes that gap. agentgateway enforces policy at the data plane. agentregistry governs the tool catalog. kagent makes agents first-class Kubernetes workloads with identity, ownership, and audit trails built in.
The framework describes the problem. The stack solves it.
Further reading
- SANS AI Security Maturity Model: the source framework this article references. SANS gates the eBook download behind a signup form; that's the canonical source if you want the full text.
- agentgateway documentation: Kubernetes deployment, JWT auth, MCP connectivity, guardrails.
- kagent documentation: agent CRDs, A2A, tool configuration.
- agentregistry on GitHub: CNCF sandbox project, open source catalog.
- Solo.io agentic AI product page: Enterprise capabilities and commercial support.
- Securing MCP and agentic systems, common customer questions: the companion field guide to the patterns referenced throughout this post.