CoSAI AI SRF · V1.0 · Now Available

The Framework

Five architecture layers, eight stakeholder personas, and four operating models. One accountable party per activity — shifting with your deployment model.

Download the V1.0 paper (PDF) →  ·  Read the CoSAI announcement →

The AI Shared Responsibility Framework is an accountability framework. It answers who is responsible for each component across the AI stack. It does not replace existing control and management frameworks: NIST AI RMF defines what governance outcomes to achieve, ISO/IEC 42001 defines how to manage an AI management system, and the EU AI Act defines which regulatory obligations apply by risk tier. The SRF answers the prior question of who owns each piece.

Because organizational structures vary widely, the framework uses enterprise architecture layers rather than job titles. The layers encode dependencies that hold constant regardless of how any particular organization is structured.

Principle: there should be exactly one accountable party per activity, to prevent overlaps.

Layers are stacked in dependency order. L1 sets the rules; each layer below inherits those constraints and adds its own.

L1 — AI Business & Usage
Governance, Strategy, Compliance
L2 — AI Information
Data Management, Quality, Privacy
L3 — AI Application
Development, Integration, Testing
L4 — AI Platform
Infrastructure, APIs, Tooling
L5 — AI Model Provider
Models, Training, Supply Chain

L1 — AI Business & Usage
Personas: AI System Users, AI Governance

Governance, strategy, and compliance at the executive and business-unit level. This layer owns regulatory obligations, acceptable-use policy, and incident governance. Security and governance requirements set here cascade down to all supporting layers. Industry-specific constraints such as healthcare, finance, and public sector requirements enter the stack at L1.

Components

  • Capabilities & Business Strategy
  • Processes & Governance
  • Business Units & Accountability

L2 — AI Information
Persona: Data Provider

Data ownership, quality, and privacy. Accountable for training data provenance, master data management, and privacy controls. Data classification decisions made at this layer constrain what AI systems can access at runtime. The EU AI Act's data governance requirements and GDPR Article 22 obligations land here.

Components

  • Master Data Management
  • Privacy Controls & Policies
  • AI Training Data

L3 — AI Application
Personas: App Developer, Agentic Provider

Development, integration, and testing of AI-powered applications. Responsible for guardrails, input validation, output filtering, prompt engineering, RAG pipelines, and agent orchestration. This is where most OWASP LLM Top 10 risks are mitigated. The layer spans both traditional AI applications and agentic systems.

Components

  • Agents & Orchestration Models
  • APIs & Fine-tuned Models
  • Application Platforms

L4 — AI Platform
Personas: Platform Provider, AI Model Serving

Infrastructure, compute, APIs, and runtime services for hosting, training, and serving AI models. Covers LLM gateways, model routers, guardrail infrastructure, and platform-level IAM. Cloud providers, MLOps platforms, and model API services operate here. AI Model Serving is distinct from the Platform Provider: it focuses on secure orchestration and delivery rather than physical compute.

Components

  • Guardrails & Safety Systems
  • Compute Infrastructure
  • LLM Routers & Gateways

L5 — AI Model Provider
Persona: Model Provider

Foundation models, model governance, and supply-chain provenance. Accountable for model architecture security, model cards, vulnerability disclosure, and the governance of model distribution. Responsibility assignment at this layer depends on the licensing and deployment approach chosen at L4. SR 26-2 model risk management and FDA AI/ML validation requirements cascade from L1 through this layer.

Components

  • Model Distribution
  • Model Governance
  • Foundation Models

The SRF answers who is accountable. Other frameworks define what to achieve, how to manage, and which obligations apply. Full comparison →

Framework        | What it answers                                  | How it relates to the SRF
NIST AI RMF      | What governance outcomes to achieve              | SRF assigns who implements each RMF function at each layer
ISO/IEC 42001    | How to manage an AI management system            | SRF layer model maps into 42001 organizational and technical controls
EU AI Act        | Which obligations apply by risk tier             | SRF assigns who discharges each EU AI Act obligation
OWASP LLM Top 10 | What application security risks exist            | Most LLM risks are mitigated at L3; some require L4 and L5 action
CSA AICM         | What controls apply across 18 domains            | AICM ownership tiers (MP/OSP/AP) map to CoSAI L5, L4, and L3
NIST NICE        | Who performs AI security work (workforce roles)  | SRF responsibilities inform candidate NICE Tasks and a proposed AI Security Work Role Category (see the mapping →)

Eight stakeholder types span the AI stack. Each persona maps to one or more framework layers and carries a defined set of responsibilities. The eight personas, by the layer where they sit:

  • AI System Users (L1)
  • AI Governance (L1)
  • Data Provider (L2)
  • App Developer (L3)
  • Agentic Provider (L3)
  • Platform Provider (L4)
  • AI Model Serving (L4)
  • Model Provider (L5)

Responsibility shifts significantly depending on whether you are running IaaS, AI-PaaS, Agent-PaaS, or AI-SaaS: the same layer is owned by a different party under each operating model, so the layer-by-layer breakdown must be read for the model you actually deploy.
