© 2025 cybersecurityinfocus

Introducing MAESTRO: A framework for securing generative and agentic AI

October 15 12:12 pm

Tags:

No tags

Artificial Intelligence (AI) is advancing at a pace that outstrips traditional security frameworks. Generative AI has already changed how financial institutions analyze data, create insights and engage with customers. The next frontier, agentic AI, is even more transformative. These systems can reason, plan and act autonomously, interacting with APIs, orchestrating workflows and even collaborating with other agents across payment gateways, credit systems and fraud detection platforms.

While frameworks like MITRE ATLAS/ATT&CK, the OWASP LLM Top 10, the NIST AI Risk Management Framework and ISO/IEC 23894 provide valuable guidance, they were not designed to address the systemic risks and emergent behaviors unique to multi-agent AI ecosystems in highly regulated sectors like banking.

To address this gap, the Cloud Security Alliance (CSA) introduced MAESTRO (Multi-Agent Environment, Security, Threat, Risk and Outcome) in 2025. This article provides a deep dive into MAESTRO, what it is, how to apply it in your organization and how it strengthens resilience in business services using banking industry scenarios. In future articles, we will explore how MAESTRO complements MITRE, OWASP, NIST and ISO for a comprehensive AI risk program.

Scope, assumptions and boundaries

Before applying MAESTRO, it’s essential to clarify what it covers and what it does not.

System boundary: MAESTRO reviews focus on models, AI agents, data flows, CI/CD pipelines, supporting tools and third-party APIs. Broader IT security hygiene (patching, identity governance, endpoint protection) is assumed to be managed by existing programs.

Assumptions: organizations have the security baseline configurations and compliance, such as ISO 27XXX, in place. MAESTRO builds on these baselines and emphasizes AI-specific risks.

Threat actors: The framework considers external adversaries, malicious insiders, careless insiders and compromised suppliers. Each actor may target different layers of the AI stack in an organizational context.

This scoping ensures MAESTRO is applied where it is most impactful: securing the AI-driven systems at the heart of modern banking.

Minimum viable controls

Businesses should ask: What do we need to implement first? MAESTRO can be phased in, but a baseline set of controls per layer provides immediate value.

LayerMinimum Specific ControlsFoundation ModelsInput/output validation for chatbots, deny-by-default for API tool use, API key rotation, model provenance verification to prevent tampered LLMsData OperationsEnd-to-end transaction data lineage, signed datasets for regulatory reporting, schema validation at ingestion, anomaly detection on user behavior, card payments, data changes in the datasets, etc.Agent FrameworksPer-agent RBAC tied to transaction type, scoped tokens for fraud detection and credit agents, allowlist of banking APIs (e.g., SWIFT, ACH), execution sandboxing for risky operationsDeployment & InfrastructureIaC scanning for different compliances, such as PCI-DSS, container image signing, egress restrictions for agents accessing APIs and least-privileged cloud service rolesEvaluation & ObservabilityPrompt-injection test suites for banking chatbots, drift monitoring in credit scoring models, transaction anomaly alerts and regulatory explainability loggingSecurity & ComplianceControls mapped to Basel III, GDPR, PCI DSS, immutable audit trails for regulators and DLP policies applied to all model inputs/outputsAgent EcosystemDependency inventory of third-party APIs, blast-radius limits for cross-agent failures, circuit breakers in payment processing flows and multi-agent simulations before deployment

It is crucial to ensure there is a crystal clear, defined RACI table and everyone is briefed and aware of their roles and responsibilities.

To obtain a better understanding, we need to have a deep dive into the 7 layers of MAESTRO by leveraging threats and use cases in the banking sector:

The 7 layers of MAESTRO in banking

MAESTRO organizes AI risk into seven interdependent layers. In banking, each layer presents unique challenges and must be addressed systematically.

1. Foundation models/core services

Large language models power virtual assistants, fraud detection models and risk analytics in banks. Any manipulation at this level can undermine trust in the entire system.

Purpose: Secure the LLMs and APIs underpinning AI services.

Example threat: Adversarial prompts alter model outputs.

Use case: A customer tricks a virtual banking assistant into disclosing loan approval criteria.

Controls: Input/output sanitization, API lifecycle management, watermarking of model responses.

2. Data operations

Transaction, payment and credit data are the lifeblood of banking AI. Compromised data pipelines can poison decision-making and regulatory reporting.

Purpose: Safeguard the integrity and provenance of banking data pipelines.

Example threat: Poisoned transaction records bias loan decisions.

Use case: Attackers inject fake payment histories to secure unauthorized loans.

Controls Include Data lineage, signed datasets and anomaly detection for unusual transaction flows.

3. Agent frameworks/application logic

Banks deploy AI agents for fraud monitoring, payment approvals and customer service. Without strict controls, these agents can be misused or over-privileged.

Purpose: Secure orchestration and business logic in AI agents.

Example threat: Prompt injection disables fraud monitoring.

Use case: A fraud detection agent is tricked into ignoring suspicious transactions during dispute resolution.

Controls: Per-agent RBAC, scoped tokens, allowlisted API usage and sandboxing.

4. Deployment & infrastructure

AI in could be deployed across hybrid cloud and containerized environments, creating opportunities for supply chain attacks and misconfigurations.

Purpose: Secure runtime environments and CI/CD pipelines.

Example threat: Compromised container images in deployment pipelines.

Use case: Backdoored fraud detection images are deployed through an unscanned pipeline.

Controls: IaC scanning for PCI compliance, container image signing and hardened Kubernetes.

5. Evaluation & observability

Banking AI must remain accurate, explainable and compliant. Continuous monitoring ensures that models don’t drift into unsafe or discriminatory behavior.

Purpose: Track AI system health and behavior over time.

Example threat: Credit scoring model drifts, approving risky borrowers.

Use case: Unmonitored drift leads to regulatory penalties for biased lending.

Controls: Drift monitoring, explainability logging, anomaly detection on credit decisions.

6. Security & compliance

Banking is one of the most regulated industries. AI must align with global standards like Basel III, PCI DSS, GDPR and the EU AI Act.

Purpose: Ensure regulatory alignment and enterprise security policy enforcement.

Example threat: Unauthorized data leakage in AI responses.

Use case: A banking chatbot reveals customer account data to the wrong user.

Controls: Immutable audit logs, DLP enforcement, redaction guardrails.

7. Agent ecosystem

Banks operate in complex ecosystems with multiple AI agents coordinating across payment networks, partners and fintech APIs. Risks at this layer are systemic.

Purpose: Manage systemic risks across agent interactions.

Example threat: Feedback loops between payment and fraud agents.

Use case: A fraud agent incorrectly blocks all ACH transactions, halting operations.

Controls: Trust boundaries, multi-agent simulations, circuit breakers for payment systems.

Use cases in practice (Banking)

1. Credit scoring and loan approvals

A loan approval model is poisoned by manipulated transaction histories, resulting in biased or inaccurate credit decisions.

Layers: Data Operations, Evaluation & Observability, Security & Compliance.

Mitigation: Signed datasets, drift monitoring and regulatory explainability requirements.

2. Fraud detection systems

Fraud models are manipulated by adversarial data, causing missed fraud alerts or false positives.

Layers: Foundation Models, Agent Frameworks, Deployment & Infrastructure.

Mitigation: Input validation, scoped agent RBAC and container signing in pipelines.

3. Conversational banking assistants

Virtual assistants are tricked into disclosing sensitive account information.

Layers: Foundation Models, Security & Compliance.

Mitigation: Input/output sanitization, DLP policies, compliance guardrails.

4. Payment processing and transaction flows

AI agents managing transactions create a feedback loop, freezing legitimate payments.

Layers: Agent Ecosystem, Agent Frameworks, Evaluation & Observability.

Mitigation: Circuit breakers, trust boundaries and simulation of agent interactions.

5. Regulatory compliance reporting

AI systems generating regulatory reports drift over time, producing inaccurate filings.

Layers: Evaluation & Observability, Security & Compliance.

Mitigation: Continuous monitoring, immutable audit logs, anomaly detection.

MAESTRO LayerExample ThreatBanking Use CaseKey ControlsFoundation Models / Core ServicesAdversarial prompts alter outputsVirtual assistant tricked into revealing loan approval rulesInput/output sanitization, API lifecycle mgmt., model watermarkingData OperationsPoisoned transaction dataFake payment histories bias credit scoringData lineage, signed datasets, anomaly detection, schema validationAgent Frameworks / Application LogicPrompt injection disables fraud monitoringFraud detection agent ignores suspicious transactionsPer-agent RBAC, scoped tokens, allowlisted APIs and sandboxingDeployment & InfrastructureCompromised container imagesBackdoored fraud detection models deployed via CI/CDIaC scanning (PCI), image signing, hardened Kubernetes, egress restrictionsEvaluation & ObservabilityModel drift degrades performanceThe credit scoring model starts approving risky borrowersDrift monitoring, anomaly alerts, explainability logs, test harnessesSecurity & ComplianceUnauthorized data leakageChatbot exposes customer account infoImmutable audit logs, DLP enforcement, automated redaction, compliance guardrailsAgent EcosystemFeedback loops disrupt workflowsFraud and payment agents block legitimate ACH transfersTrust boundaries, dependency mapping, circuit breakers and pre-production simulations

The infrastructure threat modeling for the AI could be hosted within the on-prem or cloud environment or a SaaS service should be assessed separately as well

A foundation for systemic AI security

AI in organizations is no longer experimental. With agentic AI, organizations face autonomy, unpredictability and systemic risks that traditional frameworks cannot fully address.

MAESTRO provides a structured, layered, outcome-driven framework tailored to these realities. By applying it across data, models, infrastructure and ecosystems, organizations can secure and enhance the efficiency, cost and security and resiliency of their businesses.

While frameworks like MITRE, OWASP, NIST and ISO add tactical and governance layers, MAESTRO serves as the foundation for systemic AI security in banking.

This article is published as part of the Foundry Expert Contributor Network.
Want to join?

Categories

Prev
Next

No Responses

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2025 cybersecurityinfocus. Built with ❤️ using WordPress and Ketos Theme.