The Right AI Security Framework Depends on the Question You’re Asking
There are now more than 20 frameworks claiming to address AI security risk. I’ve seen both failure modes: teams that try to implement all of them at once and produce six months of documentation with no usable threat model, and teams that pick one at random, skim it superficially, then wonder why it didn’t help.
A team I reviewed spent three months mapping their agent deployment across MAESTRO, NIST AI RMF, and ISO 42001. They had a 60-page alignment document. They had no threat model.
Both failures come from the same mistake: asking the wrong question.
The wrong question is: which framework is best?
The right question is: which framework answers the specific question I’m trying to answer right now?
Different frameworks exist because different stakeholders have different questions. A board asking “are we governing AI risk properly?” needs a different tool than a security architect asking “what could go wrong with this agent before we ship?” The answer to the first question won’t help the second.
Here’s the decision guide.
The 5 frameworks that actually matter
Over 20 frameworks exist. Most are vendor positioning built on top of one of these five. The ones worth your time:
MAESTRO, for agentic AI systems
Multi-Agent Environment, Security, Threat, Risk, and Outcome. Developed by the Cloud Security Alliance, released February 2025. It is the only major framework built for agentic AI.
MAESTRO gives you a 7-layer reference architecture for decomposing agent systems into discrete attack surfaces: Foundation Models, Data Operations, Agent Frameworks, Deployment Infrastructure, Evaluation and Observability, Security and Compliance, and the Agent Ecosystem. Map your system to the layers, identify threats per layer, then analyze the cross-layer attack paths. That’s where the most dangerous incidents originate.
MAESTRO tells you how to find threats. MITRE ATLAS tells you which threats to look for. That distinction matters.
Use it when: You’re deploying agents, using MCP, or building any multi-step autonomous workflow. For agentic systems in 2026, MAESTRO is the default starting point.
STRIDE-AI, for organizations already using STRIDE
A formal adaptation of Microsoft’s STRIDE methodology to AI systems, published May 2026 (arXiv:2605.17163). It reinterprets each STRIDE category for AI: spoofing becomes identity confusion in multi-agent systems, tampering covers training data contamination, information disclosure covers model inversion and training data extraction, and elevation of privilege covers jailbreaking and prompt injection bypassing safety controls.
Use it when: Your security organization already runs STRIDE-based reviews and you need AI threat modeling that integrates with your existing SDL. Adding a parallel methodology creates governance fragmentation. STRIDE-AI extends what you already have.
NIST AI RMF, for governance and compliance
The NIST AI Risk Management Framework provides four functions: GOVERN, MAP, MEASURE, MANAGE. It is the governance vocabulary for AI risk in the US, adopted across federal agencies, financial institutions, and major technology organizations. The EU AI Act references NIST AI RMF alignment as demonstrating strong risk management.
Both NIST AI RMF and ISO 42001 are governance frameworks, not threat modeling tools. NIST is the US regulatory vocabulary; ISO 42001 is the international certification. They serve different audiences.
Use it when: You need to demonstrate AI governance to regulators, customers, or your board. Most enterprises deploying AI in 2026 need RMF alignment, whether they use it for hands-on threat modeling or not.
MITRE ATLAS, as a coverage check
Adversarial Threat Landscape for Artificial-Intelligence Systems. Maintained by MITRE, the same team behind ATT&CK. It catalogs 16 tactics, 84+ techniques, and documented real-world case studies of how attackers actually attack AI systems.
ATLAS describes threats. It does not prescribe methodology or mitigations. You use it after completing a MAESTRO or STRIDE-AI exercise to verify coverage. If you cannot map your threat model’s findings to ATLAS techniques, you have gaps.
MITRE ATLAS is often confused with a threat modeling methodology. It is a threat catalog, not a process.
Use it always, as a coverage validation step, not as the primary modeling tool.
ISO 42001, for selling to regulated buyers
Published December 2023, ISO 42001 is the first international standard for AI management systems. Built on the same structure as ISO 27001. It defines AI roles, AI risk assessment processes, AI system impact assessments, and AI lifecycle controls.
Certification is resource-intensive. 12-18 months and $200K-$500K for mid-market organizations. It is a management system standard, not a threat modeling tool.
Use it when: You’re selling AI products to regulated buyers in financial services, healthcare, government, or defense. Certification is increasingly a requirement to close enterprise deals. If you already have ISO 27001, you are about 40% of the way there since the management system structure is identical.
The decision in three questions
Question 1: Who is asking?
| Audience | Framework |
|---|
| Board / regulators | NIST AI RMF + ISO 42001 |
| Security architect / engineering team | MAESTRO or STRIDE-AI |
| Red team | MAESTRO + MITRE ATLAS |
| Enterprise sales / compliance | ISO 42001 |
Question 2: What are you building?
| System type | Start with |
|---|
| Standalone LLM application | STRIDE-AI |
| Agentic system with tools | MAESTRO |
| AI system in a regulated industry | STRIDE-AI + NIST AI RMF |
| Multi-agent or MCP-based system | MAESTRO |
Question 3: What is your current security maturity?
| Maturity level | Approach |
|---|
| No existing threat modeling process | Start with MAESTRO |
| Existing STRIDE-based SDL | Extend it with STRIDE-AI |
| Compliance-driven organization | NIST AI RMF first, MAESTRO for technical depth |
| Full security program | Run the complete stack |
How they layer together
These frameworks do not compete. Mature AI security programs use them as a layered stack:
- ISO 42001 defines the management system, the operating model for how AI risk is governed organizationally
- NIST AI RMF provides the governance functions (GOVERN, MAP, MEASURE, MANAGE)
- MAESTRO or STRIDE-AI is the threat modeling methodology, how you actually identify threats
- MITRE ATLAS validates coverage, did you find what attackers actually do
- OWASP LLM Top 10 / Agentic Top 10 maps findings to specific vulnerability categories
- Garak or PyRIT operationalize testing, the tools that prove your threat model is correct
You don’t need all five layers at once. Identify your current gap, fill it, add the next layer when you’ve exhausted the first.
A fintech deploying its first customer service agent: run MAESTRO for the threat model, check findings against ATLAS, then prepare NIST AI RMF documentation for your banking partners. You don’t start all four at once.
The most common mistake
Teams read all five frameworks and then try to build a unified super-framework incorporating everything. This produces documentation. It does not produce a threat model.
The practical approach: pick the one framework that matches the question being asked right now. Run it. Produce output. Use that output to make a decision. Then add the next framework when you need what it specifically provides.
For most teams in 2026 deploying their first production AI agent: start with MAESTRO. Read the CSA whitepaper. Decompose your system against the 7 layers. Identify the top five threats per layer. That is a usable threat model you can complete in a week, without waiting to also implement NIST AI RMF mapping and ISO 42001 alignment first.
Once you know which framework to use, the next step is running the threat modeling process end-to-end. I’ve written a complete 7-phase methodology that synthesizes all five frameworks into a practical pre-production workflow.
Need something you can check off before shipping? Grab the AI Agent Pre-Deployment Security Checklist — 25 controls across five families, each a yes or no.
For weekly analysis of how these frameworks are being applied in production, and where they fall short: subscribe to the AI Security Intelligence newsletter.
Amine Raji, PhD, CISSP. AI and LLM security. Get in touch if you need help running a threat model before your next AI deployment.
