
Agentic Trust Framework (ATF)

The Agentic Trust Framework (ATF) is Gamut’s native model for the trust, autonomy and control of agentic AI. It defines what it means to trust an agent to take action, and the controls that make that trust defensible. The agentic stack is the runtime implementation of ATF.

Assessing a model at design time tells you whether it is fit for purpose. It does not tell you whether an agent, a system that takes action through tools and APIs, is acting within policy right now. Agentic AI needs governance that operates at runtime, on every action, not only at the point of assessment.

ATF organises agent controls into five elements. Each element carries a set of controls that map directly to GTSAF control families, so agent trust ties back to the wider assurance baseline.

| Element | What it governs | Example GTSAF anchors |
|---|---|---|
| Identity | Agent identity, credential binding, ownership, purpose and capability declaration. | IAM-06, IAM-07, IAM-08, GRC-03 |
| Behavioral Monitoring | Structured logging, attribution, baselines, anomaly detection and explainability. | LOG-02, LOG-05, LOG-10, AIS-06 |
| Data Governance | Schema validation, injection prevention, sensitive-data protection, output validation and lineage. | AIS-04, AIS-05, DSP-12, MDS-10 |
| Segmentation | Resource allowlists, action boundaries, rate limits, transaction limits and blast-radius containment. | IAM-04, IVS-05, IVS-02, AIS-07 |
| Incident Response | Circuit breaker, kill switch, session revocation, rollback and graceful degradation. | SEF-07, SEF-05, SEF-06, BCR-10 |

These five elements correspond to the runtime capabilities in the agentic stack: identity and segmentation are enforced by Gateway on every action, behavioral monitoring produces the runtime evidence fed back to Agentic CISO, and incident response is the kill-switch and containment layer.

ATF expresses how much an agent is trusted to act on its own as one of four levels. Higher levels demand stronger controls and a higher trust score before promotion.

| Level | Name | Autonomy |
|---|---|---|
| L1 | Intern | Observe and report only. Read-only operation under continuous human oversight. |
| L2 | Junior | Recommend actions, with explicit human approval required before execution. |
| L3 | Senior | Act within defined guardrails and notify humans after actions. |
| L4 | Principal | Autonomous within an approved domain, with strategic oversight only. |

An agent earns its autonomy level rather than being granted it. Moving up requires both a sufficient trust score and passing the promotion gates below.

Before an agent is promoted to a higher autonomy level, it must clear five gates. Each gate is a deliberate checkpoint, not an automatic threshold.

  1. Performance: the agent does its job reliably and accurately.
  2. Security Validation: its controls hold up under security review.
  3. Business Value: it delivers value that justifies its autonomy.
  4. Incident Record: its incident history supports more trust, not less.
  5. Governance Sign-off: an accountable owner approves the promotion.

This gated promotion model is how Gamut keeps agent autonomy proportionate and defensible: trust is built incrementally and reviewed at every step.
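The following is an added illustration, not Gamut's own code, of how a Gateway-style check could apply the four autonomy levels to a single action and how a promotion check could require both a trust score and all five gates. The action vocabulary (`read`/`write`), the per-agent domain allowlist and transaction limit, and the numeric trust-score thresholds are assumptions; the page gives no numbers.

```python
from dataclasses import dataclass, field
from enum import Enum

class Level(Enum):
    INTERN = 1      # L1: observe and report only
    JUNIOR = 2      # L2: recommend; human approval before execution
    SENIOR = 3      # L3: act within guardrails; notify humans afterwards
    PRINCIPAL = 4   # L4: autonomous within an approved domain

# The five promotion gates from the framework, as gate identifiers.
ALL_GATES = frozenset({"performance", "security_validation", "business_value",
                       "incident_record", "governance_signoff"})
# Assumed trust-score thresholds per target level (constructed values).
PROMOTION_THRESHOLD = {Level.JUNIOR: 0.6, Level.SENIOR: 0.75, Level.PRINCIPAL: 0.9}

@dataclass(frozen=True)
class Agent:
    agent_id: str
    level: Level
    trust_score: float
    allowed_domains: frozenset          # segmentation: resource allowlist (assumed field)
    transaction_limit: float            # segmentation: guardrail used at L3 (assumed field)
    gates_passed: frozenset = field(default_factory=frozenset)

def decide(agent: Agent, kind: str, domain: str, amount: float = 0.0) -> str:
    """Gateway decision for one action: 'allow', 'approval', 'notify' or 'deny'."""
    if domain not in agent.allowed_domains:
        return "deny"                   # blast-radius boundary holds at every level
    if kind == "read":
        return "allow"                  # observing is permitted at every level
    if agent.level is Level.INTERN:
        return "deny"                   # read-only operation
    if agent.level is Level.JUNIOR:
        return "approval"               # explicit human approval before execution
    if agent.level is Level.SENIOR:     # inside guardrail: act and notify; outside: escalate
        return "notify" if amount <= agent.transaction_limit else "approval"
    return "allow"                      # PRINCIPAL: autonomous within its approved domain

def can_promote(agent: Agent) -> tuple[bool, list[str]]:
    """Promotion needs the trust score AND every gate; returns (ok, blocking reasons)."""
    if agent.level is Level.PRINCIPAL:
        return False, ["already at the highest level"]
    target = Level(agent.level.value + 1)
    reasons = []
    if agent.trust_score < PROMOTION_THRESHOLD[target]:
        reasons.append(f"trust score {agent.trust_score:.2f} < {PROMOTION_THRESHOLD[target]:.2f}")
    reasons += [f"gate not passed: {g}" for g in sorted(ALL_GATES - agent.gates_passed)]
    return not reasons, reasons
```

A high trust score alone never promotes: `can_promote` reports every unmet gate so the accountable owner can see what is blocking.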

ATF can be adopted in phases. Gamut describes three implementation stacks of increasing depth, so teams can start light and harden over time.

| Stack | Phase | Typical effort | Complexity |
|---|---|---|---|
| MVP Stack | Phase 1 | 2 to 3 weeks | Low |
| Production Stack | Phase 2 | 4 to 6 weeks | Medium |
| Enterprise Stack | Phase 3 | 8 to 12 weeks | High |

ATF defines how an agent is trusted and controlled; ACRS scores how risky an agent’s capabilities are. Together they set governance that is proportionate to what an agent can do: a high ACRS score points to a lower starting autonomy level and stricter ATF controls.