Blog

min read

Introducing SAIL 2.0 Framework: A Practical Guide to Secure AI Agents

By

Guy Balzam

and

Hadar Yakir

July 8, 2026

min read

Today we are launching SAIL 2.0, the new version of the Secure AI Lifecycle (SAIL) Framework.

A year ago, we released SAIL V1 in collaboration with AI and cybersecurity leaders, from early-stage startups to Fortune 500 enterprises. They kept pointing to the same gap: security teams needed a unifying framework that turns high-level principles into practical, actionable guidance across the entire AI lifecycle, not another set of abstract governance documents. Their real-world challenges and battle-tested approaches shaped every phase.

Since then, the community made SAIL real. More than 50,000 downloads later, security teams, CISOs, and AI practitioners told us how they implemented it, adapted it to their environments, and translated it into working AI security roadmaps. They also showed us where SAIL had to evolve next. Gartner recently recognized Pillar Security among the coolest vendor innovations in AI software security, naming the SAIL Framework as one of the innovations behind that recognition.

Sam Altman predicted that AI agents would "join the workforce," and he was right. Sometime in the last year, AI stopped being a tool that employees use and became a worker sitting next to them. These agents hold credentials to a company's most sensitive systems, and they act on their own: chaining tool calls and making changes faster than anyone can review them. They live in CI/CD pipelines, on agentic and SaaS platforms, and on developer laptops across entire organizations. And they are already changing what businesses produce.

The security stack built over the last twenty years assumes humans make decisions and software executes them. Agents break that assumption. The dangerous failures live in the reasoning layer, where no firewall or EDR can see. Static policy can't govern a non-deterministic actor. And the shadow agents your teams already shipped sit outside the perimeter you're protecting.

SAIL 2.0 is built for that reality. It keeps the seven-phase structure and extends it to the agentic attack surface: reasoning manipulation, tool misuse, privilege escalation through delegation chains, shadow agents, and cascading failures across multi-agent workflows.

From 50,000 Downloads to Version 2

The feedback from those teams is the backbone of V2. The most consistent message was that the ground had moved. 

Like V1, SAIL 2.0 was co-developed with practitioners, for practitioners. A new cohort of reviewers, including CISOs and security leaders from JPMorganChase, Philip Morris International, Orange Cyberdefense, MyHeritage, Eleos Health, and others. The framework remains free and open source.

In practice, teams use SAIL to:

  • Build an AI security roadmap and benchmark maturity, phase by phase
  • Turn the standards mappings into compliance checklists across the EU AI Act, ISO 42001, OWASP, DASF, and AIUC-1
  • Prioritize controls by zone, asset, and agent autonomy tier
  • Drive vendor assessments and RFPs with agentic-literate questions
  • Give security, legal, compliance, and engineering teams one shared vocabulary

What's New in SAIL 2.0?

SAIL 2.0 adds a map of where agentic risk lives, a larger and restructured risk catalog, and mappings to the agentic standards 

The three zones

Agentic assets now exist everywhere an enterprise builds, buys, or runs software. SAIL organizes that surface into three zones, each with a different risk signature and different owners:

  • Zone 1, AI Assets in Code & Pipeline, covers models, datasets, prompts, and agent configurations as artifacts in source control and CI/CD, where a single poisoned artifact propagates into every downstream build. 
  • Zone 2, Cloud Agents, covers agents executing inside managed platforms like Microsoft Copilot Studio, Salesforce Agentforce, AWS Bedrock AgentCore, and others, where delegated authority outpaces visibility. 
  • Zone 3, Endpoint Agents, covers coding assistants, agentic browsers, and computer-use agents running on workstations with the user's local credentials in reach, the most under-governed zone of the three.

90+ mapped risks

The catalog grows from more than 70 risks in V1 to 91, each with a stable SAIL ID, a concrete example, the assets affected, mitigations, and standards citations. New entries cover memory poisoning, inter-agent instruction smuggling, maker-identity inheritance, MCP and tool-description poisoning, sandbox escape, and agent decommissioning.

Expanded standards mappings

V2 adds the EU AI Act, the OWASP Top 10 for Agentic Applications (2026), and AIUC-1, alongside updated mappings to ISO/IEC 42001, NIST AI RMF, the OWASP Top 10 for LLM Applications (2025), and DASF. Teams can filter the catalog by the framework they are accountable to and get a control checklist in that framework's language.

The SAIL Skill

Alongside the framework and the downloadable PDF, SAIL 2.0 ships as an interactive skill that turns the framework into working outputs: an AI security roadmap, a maturity assessment, a compliance checklist, or vendor-assessment questions.

https://www.pillar.security/sail

The Seven Phases, Rebuilt for Agents

SAIL's spine remains the seven lifecycle phases. What changed is what each phase must handle when the system it secures can reason, hold memory, and act on its own. The agent lifecycle shares its skeleton with the traditional SDLC, but SAIL covers the agent loop: the agentic-specific risks and controls that AppSec and DevSecOps weren't built to handle.

AI Policy (Plan). Before any agent is built or bought, teams align agentic initiatives with business objectives, regulatory requirements, and risk-based protection levels. SAIL focuses now onthreat modeling for agent-specific risks and formalizes how new models, tools, MCP servers, and data sources get vetted before they enter the environment.

AI Discovery (Code/No Code). You cannot secure what you cannot see, and the gap between known agents and actual agents is where risk concentrates. This phase catalogs every agent and AI asset, regardless of origin: models, datasets, agent configurations, tool connections, MCP servers, agent identities, and no-code builders where a business analyst can ship an agent that inherits their access with no security review.

Agentic Posture Management (Build). This phase maps and graphs the agent surface: identities, tool and connector scopes, memory and RAG dependencies, and agent-to-agent edges, to expose the attack paths that span them. It surfaces chokepoints like maker-identity inheritance early, and organizations prioritize controls per asset against the protection requirements set in Plan.

Agentic Red Teaming (Test). Agents undergo adversarial testing that goes beyond functional validation: goal hijacking, prompt injection across tool chains, privilege escalation through delegation, memory poisoning, inter-agent instruction smuggling, and cascading failure propagation. Testing depth aligns with the autonomy tier and covers all three zones, from repository artifacts to cloud platforms to endpoints.

Runtime Controls (Deploy). An agent can stay within its permitted access while composing a chain of actions that becomes collectively harmful. Agentic security is action control, not only access control: authorize every action, not just every session. This phase puts active enforcement in place before an agent goes live, validating every action against policy, scoping tool access per invocation, and retaining the ability to pause, redirect, or terminate an agent mid-execution.

Sandbox (Operate). In production, agents run inside isolated environments that limit blast radius, defining what file systems, networks, APIs, and credentials an agent can reach. Isolation applies to agent-to-agent communication too: a compromised agent should not pivot into another agent's scope, and an endpoint coding agent with local secrets in reach should not escalate from reading a repository file to harvesting credentials.

Govern (Monitor & Retire). This phase monitors agent activity in production, collecting telemetry across reasoning chains, tool invocations, data access, and inter-agent communication to catch drift, misuse, or compromise. Retirement is new in V2: an orphaned agent with live credentials and a scheduled trigger is an unowned identity with production access, so SAIL defines decommissioning end to end, from revoking the non-human identity and rotating credentials to wiping memory and capturing an end-of-life audit record.

A Collective Effort in Securing AI

The agentic attack surface is moving faster than any single team can track. Existing standards define what to govern and which risks to consider; SAIL 2.0 turns that knowledge into an operating model, with a shared vocabulary and a phase-by-phase structure that security, legal, compliance, and engineering teams can execute against together.

We welcome your feedback, suggestions, and insights to keep SAIL a practical, current resource for the AI and cybersecurity community. Send feedback and get involved: sail@pillar.security

Get Started With SAIL 2.0

Acknowledgements


We would like to extend our gratitude to the following reviewers and contributors. Their
constructive input and insightful feedback were invaluable throughout the development of this
framework. We deeply appreciate their willingness to share their expertise and their commitment
to advancing Al security practices within the community.

SAIL 2.0

Ben Hacmon, CISO, Perion Network
Fabian Wipf, CISO, LAKE Solutions AG
Feras Batainah, UK CISO & Principal Advisory Consultant, Orange Cyberdefense
lan Schneller, CISO, Individual contributors
James Berthoty, Founder & CEO, Latio Tech
John Paramadilok, Executive Director, JPMorganChase
Kai Wittenburg, CEO, neam IT-Services GmbH
Matan Ofir, VP Information Security, Oddity
Nate Lee, Co-founder and CISO/CEO, TrustMind
Nir Yizhak, CISO & VP, Firebolt Analytics
Oren Talmor, CISO, MyHeritage
Patricia (Patti) Titus, CISO
Rajat Sharma, CEO, CWS
Raz Karmi, CISO, Eleos Health
Robert Oh, Chief Digital & Information Officer (CDIO), International
Vladimir Lazic, Deputy Global CISO, Philip Morris International

SAIL

Allie Howe, vCISO, Growth Cyber
Assaf Namer, Head of Al Security, Google Cloud
Ben Hackmon, CISO, Perion Network
Bill Stout, Technical Director, Al Product Security, ServiceNow
Brandon Dixon, Former Partner Al Strategist, Microsoft
Casey Mott, Associate Director, Data & Al Security, Oscar Health
Chris Hughes, Founder, Resilient Cyber
Cole Murray, Al Consultant
Colton Ericksen, CISO, Starburst
Dušan Vuksanovic, CEO of Swisscom Outpost in Silicon Valley
Erika Anderson, Senior Security and Compliance, SAP Sovereign Cloud
Fabian Libeau, Cyber Security GTM Lead
Francis Odum, Chief Cybersecurity Analyst, Software Analyst Cyber Research
James Berthoty, Founder & CEO, Latio Tech
José J. Hernández, CISO, Corning Inc.
Kai Wittenburg, CEO, Neam GmbH
Manuel García-Cervigón, Security & Compliance Strategic Product Portfolio Architect, Nestlé
Matthew Steele, CPO, Generate Security
Mor Levi, VP Detection and Response, Salesforce
Moran Shalom, CISO, Honeybook
Nir Yizhak, CISO & VP, Firebolt Analytics
Raz Karmi, CISO, Eleos Health
Robert Oh, Chief Digital & Information Officer (CDIO), International
Sean Wright, CISO, AvidXchange
Steve Mancini, CISO, Guardant Health
Steve Paek, Expert - Cybersecurity (Al Security), AT&T
Steven Vandenbrug, Security Architect - Al, Cotiviti
Tomer Maman, CISO, Similarweb
Vladimir Lazic, Deputy Global CISO, Philip Morris International

FAQs

What is the SAIL Framework?

The Secure AI Lifecycle (SAIL) Framework is a free, open source AI agent security framework that embeds security actions into each phase of the AI and agent lifecycle. It maps 91 AI-specific risks across seven phases, from policy and discovery through build, test, deployment, runtime operation, and governance, and assigns each risk to the system components it affects. SAIL was co-developed with CISOs and AI security leaders and has been downloaded by more than 50,000 security teams since July 2025.

What's new in SAIL 2.0?

SAIL 2.0 extends the framework to autonomous AI agents. It adds a three-zone map of the agentic attack surface (code and pipeline, cloud agents, endpoint agents), grows the risk catalog to 90+ risks, defines 29 agentic system components across six layers, introduces autonomy tiers that set control intensity per agent, expands standards mappings to cover the EU AI Act, the OWASP Top 10 for Agentic Applications, and AIUC-1, and ships with an interactive SAIL Skill for generating roadmaps and assessments.

How does SAIL 2.0 map to the EU AI Act and ISO 42001?

Every risk in the SAIL 2.0 catalog cites the strongest-fit controls from up to five external frameworks: ISO/IEC 42001, NIST AI RMF, the OWASP Top 10 for Agentic and LLM Applications, the EU AI Act, DASF, and AIUC-1. Teams can filter the catalog by the framework they are accountable to and produce a compliance checklist in that framework's language. Mappings indicate alignment, not automatic compliance.

How is SAIL different from NIST AI RMF or OWASP?

SAIL is process-oriented where most standards are risk - or governance-oriented. NIST AI RMF provides strategic risk management, ISO 42001 provides management system structure, and the OWASP lists identify vulnerabilities. SAIL complements them by mapping every risk to a specific lifecycle phase and specific components, so teams know where in their workflow to intervene. It is the operational layer that connects those standards to day-to-day security work.

Is SAIL 2.0 free to use?

Yes. SAIL 2.0 is a free resource for the community. The framework, the downloadable PDF, and the SAIL Skill are available to everyone at pillar.security/sail, with no registration wall on the framework content. Feedback and contributions are welcome at sail@pillar.security.

Subscribe and get the latest security updates

Back to blog

MAYBE YOU WILL FIND THIS INTERSTING AS WELL

Pillar Security Named as a 2026 Gartner® Cool Vendor in AI Software Security

By

Ziv Karliner

and

Dor Sarig

July 6, 2026

News
From a Copilot to Cluster Admin: inside AtlasOps, our free agent-security CTF

By

Ariel Fogel

and

Eilon Cohen

June 26, 2026

Blog
The Fable Recall Puts the Spotlight in the Wrong Place

By

Eilon Cohen

and

Ariel Fogel

June 14, 2026

Blog