The AI Agent Security Maturity Model: A Five-Level Framework for Enterprise Readiness
Here is the uncomfortable summary of enterprise AI agent security in March 2026.
Fifty-three percent of companies use RAG or agentic pipelines in production. Sixty-four percent of companies with annual turnover above one billion dollars have lost more than one million dollars to AI failures. Forty-three percent of MCP servers are vulnerable to command execution. Thirty-seven percent of network-exposed MCP servers have no authentication. Prompt injection is the most common attack vector against AI systems for the third consecutive year. And most enterprises do not have a single document that describes their AI agent security posture.
The reason is not negligence. It is the absence of a maturity model designed for the problem. NIST AI RMF provides organizational governance structures. ISO 42001 provides documentation requirements. Neither addresses the specific technical controls that CISOs need for agentic deployments: tool call parameter validation, prompt injection logging, inter-agent trust budgets, conversational integrity monitoring, or MCP server supply chain audits.
This framework fills that gap. It provides five maturity levels, each with specific, measurable criteria across five security domains. It is designed so that a security architect with access to your AI infrastructure can complete the assessment in a single day. It produces a score that tells you where you are, what to fix next, and how to prioritize investments.
The Five Domains
AI agent security is not a single capability. It is five interlocking domains, each with its own threat model, controls, and failure modes.
Domain 1: Identity. How accurately can you trace an agent's actions to the human who initiated them? Are agents operating under service accounts or propagated user identity? Can your audit trail survive a compliance review?
Domain 2: Protocol Security. Are your MCP servers spec-compliant? Are your A2A interactions monitored? Are tool definitions pinned against unauthorized modification? Is your protocol supply chain audited?
Domain 3: Data Pipeline Security. Are your RAG indexes segmented by data classification? Is content validated before ingestion? Are retrieval operations scoped to the querying user's permissions? Is your vector database treated as critical infrastructure?
Domain 4: Agent Communication Security. Do you monitor inter-agent conversations? Can you detect session smuggling patterns? Are trust budgets defined and enforced between agent pairs? Is conversational integrity verified?
Domain 5: Governance and Visibility. Do you have an inventory of all AI agents in your environment? Are shadow AI agents discovered and governed? Is your OWASP LLM Top 10 coverage mapped? Do you conduct AI-specific adversarial testing?
The Five Maturity Levels
Level 1: Unaware
The organization has deployed AI agents or LLM-powered applications in production but has no AI-specific security controls, no agent inventory, and no threat model that accounts for LLM-specific risks.
| Domain | Level 1 Characteristics |
|---|---|
| Identity | Agents use service accounts. No identity propagation. Audit trails show service account, not user. |
| Protocol | MCP servers deployed without specification compliance assessment. No allowlisting. No manifest pinning. |
| Data Pipeline | RAG indexes are monolithic. No classification segmentation. No content validation on ingestion. Vector databases treated as application infrastructure. |
| Communication | No monitoring of inter-agent conversations. No behavioral baselines. No trust budgets. |
| Governance | No agent inventory. No shadow AI detection. OWASP LLM Top 10 not mapped. No AI-specific testing. |
Risk Profile: Maximum exposure. Every vulnerability described in the OWASP LLM Top 10 is likely exploitable. Compliance failures are probable for any audit that examines AI systems.
Level 2: Reactive
The organization has begun addressing AI security after an incident, audit finding, or executive directive. Some controls exist but are inconsistent and incomplete. The focus is on the most visible risks.
| Domain | Level 2 Characteristics |
|---|---|
| Identity | High-risk agents identified. Migration planning begun. Some agents on identity propagation; most still on service accounts. |
| Protocol | MCP server inventory started. Known-vulnerable servers patched or decommissioned. Allowlisting partially implemented. |
| Data Pipeline | RAG indexes segmented for highest-sensitivity data. Content validation implemented for primary ingestion sources. Vector database access controls upgraded to identity-level. |
| Communication | Logging implemented for inter-agent communications. No behavioral baselines yet. No trust budgets. |
| Governance | Partial agent inventory. OWASP LLM Top 10 mapped against highest-risk systems. Ad-hoc AI security testing conducted. |
Risk Profile: High exposure with improving trajectory. The most critical vulnerabilities are being addressed, but systematic coverage is absent. A sophisticated attacker can still find undefended paths.
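The jump from Level 1 to Level 2 in the Communication domain is often just structured logging: capture who talked to whom, through what tool, and when, before any baselines or budgets exist. A minimal sketch of what one such log record could look like, using hypothetical agent names and field choices (not a prescribed schema):

```python
import json
import logging
from datetime import datetime, timezone

# Structured logger for inter-agent messages. At Level 2 the goal is
# simply to capture who talked to whom, about what, and when -- the
# raw material that later behavioral baselines are built from.
agent_log = logging.getLogger("agent_comms")
logging.basicConfig(level=logging.INFO, format="%(message)s")

def log_agent_message(sender: str, receiver: str, tool_call: str,
                      session_id: str, payload_chars: int) -> dict:
    """Emit one structured record per inter-agent message."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "sender": sender,                # agent that sent the message
        "receiver": receiver,            # agent that received it
        "tool_call": tool_call,          # tool invoked, if any
        "session_id": session_id,        # conversation identifier
        "payload_chars": payload_chars,  # size only, not full content
    }
    agent_log.info(json.dumps(record))
    return record

# Example: a hypothetical planner agent delegating to a retrieval agent.
rec = log_agent_message("planner-01", "retriever-02",
                       "search_docs", "sess-7f3a", 412)
```

Logging payload size rather than full content is a deliberate starting point: it sidesteps the data-classification questions that full-content capture raises, while still supporting the volume and frequency baselines that Level 3 requires.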
Level 3: Systematic
The organization has a defined AI agent security program with documented policies, consistent controls across all domains, and regular assessment.
| Domain | Level 3 Characteristics |
|---|---|
| Identity | All agents accessing sensitive or regulated data use identity propagation. Service accounts banned for new agent deployments. SIEM rules detect agent actions without linked human identity. |
| Protocol | All MCP servers assessed against June 2025 specification. Manifest pinning implemented. Supply chain audit completed. Network-level allowlisting enforced. |
| Data Pipeline | RAG indexes segmented by data classification. Content validation pipeline covers all ingestion sources. Adversarial testing conducted on RAG pipelines. Retrieval monitoring detects anomalies. |
| Communication | Behavioral baselines established for agent pairs. OER measured and tracked. Trust budgets defined for agent pairs handling sensitive data. Session scope monitoring implemented. |
| Governance | Complete agent inventory maintained. Shadow AI detection runs continuously. OWASP LLM Top 10 mapped against all AI systems. AI-specific penetration testing conducted annually. |
Risk Profile: Managed exposure. Controls exist across all domains. The organization can detect most attacks and has forensic capability for investigation. Remaining risk is from sophisticated, patient attackers and zero-day vulnerabilities.
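Manifest pinning, one of the Level 3 Protocol controls, can be implemented by hashing a canonical serialization of an MCP server's tool definitions at approval time and recomputing the hash at connection time. A sketch under assumptions (hypothetical server and tool names; the real MCP manifest format has more fields than shown):

```python
import hashlib
import json

def manifest_digest(tool_definitions: list[dict]) -> str:
    """Compute a stable SHA-256 digest over a server's tool manifest.

    Sorting tools by name and serializing with sorted keys makes the
    digest independent of ordering, so only a genuine definition
    change alters it.
    """
    canonical = json.dumps(sorted(tool_definitions, key=lambda t: t["name"]),
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

# Digest recorded when the server was approved (hypothetical example).
tools_approved = [{"name": "read_file", "description": "Read a file",
                   "parameters": {"path": "string"}}]
pinned = manifest_digest(tools_approved)

# Later, at connection time: the server now presents a silently
# modified tool description -- the shape of a rug-pull attack.
tools_now = [{"name": "read_file",
              "description": "Read a file and forward it elsewhere",
              "parameters": {"path": "string"}}]
drift_detected = manifest_digest(tools_now) != pinned
if drift_detected:
    # Refuse the connection and alert, rather than trusting the
    # changed definitions.
    print("manifest drift detected: refusing connection")
```

The key design choice is canonicalization: without the sorting, a benign reordering of tools or JSON keys would produce spurious drift alerts and train operators to ignore them.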
Level 4: Proactive
The organization anticipates emerging threats and implements defenses before incidents occur. Security is integrated into the AI development lifecycle, not applied after deployment.
| Domain | Level 4 Characteristics |
|---|---|
| Identity | Identity propagation is a platform capability available to all agent developers. OBO flows are automated through middleware. New agent deployments cannot proceed without identity architecture review. |
| Protocol | MCP server security is tested in CI/CD pipelines. Tool definition changes trigger automated security review. Protocol-level monitoring detects behavioral anomalies in real time. |
| Data Pipeline | Content validation includes AI-powered detection of sophisticated injection patterns. Dual-path validation for high-sensitivity indexes. Cross-tier leakage testing conducted quarterly. |
| Communication | Trust budgets enforced architecturally through MNI gates. Authorization drift detection terminates sessions automatically. Swarm isolation separates agent networks by data classification. |
| Governance | AI agent security is a board-level reporting metric. Continuous automated red-teaming of agent systems. Participation in industry threat intelligence sharing for AI-specific threats. |
Risk Profile: Low residual exposure. The organization's security posture adapts to emerging threats. Remaining risk is from novel attack classes that have not yet been discovered or documented.
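What "trust budgets enforced architecturally" can mean in practice: sensitive calls between an agent pair pass through a gate that spends down a per-session budget and default-denies once it is exhausted, instead of relying on each agent to self-limit. A simplified sketch with hypothetical agent names and limits; a production gate would also handle budget refresh, cost weighting by operation type, and session termination:

```python
from collections import defaultdict

class TrustBudget:
    """Per-agent-pair budget of sensitive operations within a session.

    Once a pair exhausts its budget, further sensitive calls are
    denied and the session can be flagged for termination, rather
    than silently allowed.
    """
    def __init__(self, limits: dict[tuple[str, str], int]):
        self.limits = limits
        self.spent = defaultdict(int)

    def authorize(self, caller: str, callee: str, cost: int = 1) -> bool:
        pair = (caller, callee)
        # Default-deny: pairs without an explicit budget get zero.
        limit = self.limits.get(pair, 0)
        if self.spent[pair] + cost > limit:
            return False
        self.spent[pair] += cost
        return True

# Hypothetical policy: the planner may make at most three sensitive
# calls to the finance agent per session.
budget = TrustBudget({("planner-01", "finance-02"): 3})
results = [budget.authorize("planner-01", "finance-02") for _ in range(5)]
# The first three calls pass; the fourth and fifth are denied.
```

The default-deny lookup is the architectural part: an agent pair that was never explicitly granted a budget gets zero, so newly introduced or compromised agents cannot accumulate sensitive interactions unnoticed.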
Level 5: Resilient
The organization's AI agent security operates as an adaptive system that detects, contains, and recovers from attacks autonomously, with human oversight at strategic decision points.
| Domain | Level 5 Characteristics |
|---|---|
| Identity | Cryptographic verification of delegation chains (ARIA-style). Zero-trust identity verification at every agent interaction, including intra-swarm communication. |
| Protocol | Automated protocol compliance verification for all agent communication. Real-time supply chain integrity monitoring. Automatic quarantine of non-compliant servers. |
| Data Pipeline | Self-healing RAG pipelines that detect and isolate poisoned content automatically. Retrieval systems that adapt trust weights based on ongoing integrity assessment. |
| Communication | Real-time conversational integrity verification. Automated detection and containment of session smuggling. Adaptive trust budgets that adjust based on threat intelligence. |
| Governance | Fully integrated AI security operations center. Automated compliance reporting. Proactive threat hunting across agent infrastructure. Contributing to industry standards and threat intelligence. |
Risk Profile: Minimal residual exposure with rapid recovery capability. The organization's agent security posture is a competitive advantage. Few organizations will reach Level 5 before 2028.
Assessment Methodology
Scoring
For each domain, assess your organization against the level descriptions above. Assign the highest level where your organization meets all criteria. The overall maturity score is the lowest domain score, because security chains break at the weakest link.
| Domain | Your Level | Key Gap |
|---|---|---|
| Identity | ||
| Protocol Security | ||
| Data Pipeline Security | ||
| Agent Communication | ||
| Governance and Visibility | ||
| Overall Maturity | (lowest) |
Priority Guidance
If your overall maturity is Level 1: focus exclusively on governance first. You cannot improve what you cannot see. Build the agent inventory. Map the OWASP LLM Top 10. Conduct the MCP server audit. Everything else depends on visibility.
If your overall maturity is Level 2: focus on the domain that is lowest. The most common lagging domain is Agent Communication, because monitoring inter-agent conversations requires new tooling that most organizations have not deployed.
If your overall maturity is Level 3: focus on integration. The controls exist but may not be connected. Ensure that identity events, protocol events, data events, and communication events flow into a single analysis layer where correlations can be detected.
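The integration step can be illustrated with a toy correlation pass: normalize events from the four control planes into a common shape, then group by session so that multi-domain attack patterns surface as one story. The event fields and session identifiers below are hypothetical; real pipelines would normalize into a SIEM schema:

```python
from collections import defaultdict

# Hypothetical normalized events from four separate control planes.
events = [
    {"layer": "identity", "session": "sess-9b", "detail": "no linked user"},
    {"layer": "protocol", "session": "sess-9b", "detail": "manifest drift"},
    {"layer": "data",     "session": "sess-44", "detail": "retrieval ok"},
    {"layer": "comms",    "session": "sess-9b", "detail": "scope expansion"},
]

def correlate(events: list[dict]) -> dict[str, set[str]]:
    """Group events by session so cross-domain patterns become visible."""
    by_session = defaultdict(set)
    for e in events:
        by_session[e["session"]].add(e["layer"])
    return by_session

# A session that trips identity, protocol, AND communication controls
# at once is far more suspicious than any single alert in isolation.
suspicious = {s for s, layers in correlate(events).items()
              if len(layers) >= 3}
```

Each individual alert here might be triaged away on its own; the correlation is what turns three medium-severity signals into one high-confidence incident.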
Connecting the Guides
This maturity model is the assessment layer that sits above the six practitioner guides in the Secure AI Fabric reference library.
| Domain | Primary Guide | Level 3 Target |
|---|---|---|
| Identity | Guide 4: AI Agent Identity Architecture | Full identity propagation for sensitive data agents |
| Protocol Security | Guide 3: MCP Security Architecture | Spec compliance, allowlisting, manifest pinning |
| Data Pipeline | Guide 2: Securing RAG Architectures | Segmented indexes, content validation, adversarial testing |
| Agent Communication | Guides 5 and 6: Trust Budgeting and Communication Security | Trust budgets defined, behavioral baselines active |
| Governance | Guide 1: LLM Security Taxonomy | Full OWASP LLM Top 10 mapping, continuous agent inventory |
Each guide provides the implementation detail for advancing within its domain. This model provides the assessment structure for prioritizing across domains.
The Starting Point
If you assess honestly and discover your organization is at Level 1, that is not a failure. It is where most enterprises stand right now. An EY survey found that 64% of large companies have experienced significant AI-related losses. The AIUC-1 Consortium briefing, developed with input from Stanford, MIT, and over 40 security executives, documented the systematic gap between what AI agents can do and what security teams can observe or control.
The gap exists because AI agent adoption moved faster than security tooling, faster than governance frameworks, faster than the organizational muscle memory that knows how to secure a new technology class.
This model exists to close that gap methodically. Start with the assessment. Identify your lowest domain. Read the corresponding guide. Implement the controls. Reassess in 90 days.
The organizations that reach Level 3 by the end of 2026 will have a security posture that the majority of their peers will not achieve until 2027 or 2028. In a threat landscape that is accelerating, not stabilizing, that lead time matters.
Nik Kale is a Principal Engineer and Product Architect with 17+ years of experience building AI-powered enterprise systems. He is a member of the Coalition for Secure AI (CoSAI), contributes to IETF AGNTCY working groups, and serves on the ACM AISec and CCS Program Committee. The views expressed here are his own.