Accelerate AI adoption by making responsibility clear.
CoSAI SRF maps every obligation and control to an accountable owner.
It complements the regulations and standards you already follow (NIST AI RMF, ISO/IEC 42001, the EU AI Act) by answering the one question they leave open: who is accountable. The SRF assigns exactly one accountable party to every activity, across every layer of your AI stack and every operating model you deploy. Clear ownership is what lets organizations adopt AI and agents with confidence instead of stalling in committee. Know who owns what, and you can ship.
Know exactly what your vendor owes you, before an incident, not after. No more finger-pointing across a multi-vendor stack.
Map accountability →
Define your accountability boundary clearly, then turn it into contract language, product documentation, and security commitments customers can verify.
See my obligations →
Every control gets a named owner. Satisfy auditors, demonstrate NIST and EU AI Act alignment, and find accountability gaps before they become incidents.
Start assessment →
However you enter, you finish in the same place: a signed Accountability Decision Record that names one accountable party per layer for your deployment, captures the residual gaps, and carries a sign-off.
Create a Decision Record
Describe your AI deployment.
Get an accountability analysis.
The SRF Stress Test takes a plain-language description of your AI scenario — the model, platform, deployment model, and use case — and returns a layered accountability breakdown, gap analysis, and risk flags in seconds. Powered by GPT-4o.
Try the SRF Stress Test →
How the SRF complements what you already use
Other frameworks define what. SRF assigns accountability.
The SRF does not compete with or replace your existing frameworks; it sits alongside them and fills the gap they all leave open. NIST AI RMF defines what governance outcomes to achieve. ISO/IEC 42001 defines how to manage AI within your organization. EU AI Act defines which regulatory obligations apply by risk tier. None assigns who holds accountability when an incident crosses vendor boundaries.
NIST AI RMF defines the governance outcomes to achieve — Govern, Map, Measure, Manage. SRF adds the missing layer: which party in a multi-vendor deployment is accountable for each outcome.
The EU AI Act defines which regulatory obligations apply by risk tier. SRF maps those obligations to specific layers and operating models — the implementation detail the regulation intentionally leaves to practitioners.
ISO/IEC 42001 defines how to manage AI within a single organization's boundary. SRF provides the multi-party accountability model that 42001's Clauses 5 and 6 require but leave undefined for cloud AI deployments.
Five layers. One accountable party each.
Governance requirements cascade from L1 downward. Each layer has exactly one accountable party — shifting with your operating model.
Accountability shifts by operating model. In AI-SaaS, the provider owns L3–L5. In IaaS, you own everything. See the full operating model matrix →
Interactive tools
Browser-based. No account. Nothing leaves your device.
Nine assessment tools built on the framework. State saves in your browser and exports as JSON or PDF.
Name one accountable party per layer for a specific deployment, flag residual gaps, and export a signed one-page record. The artifact your reviewer approves.
✦ AI-powered: Describe any AI deployment scenario and get a layered accountability analysis, gap flags, and risk summary from GPT-4o.
Reference: Interactive responsibility matrix — who owns what across all four operating models and five layers.
PDF export: Work through 243 CSA AICM controls mapped to SRF layers, with MITRE ATLAS technique crosswalk.
PDF export: Layer-by-layer security controls assessment with OWASP LLM Top 10 and ATLAS adversarial threat mapping.
PDF export: Filter regulations and standards by industry, geography, and SRF layer. Export a custom reference set.
PDF export: Map your governance documents to the SRF layer hierarchy. Identify gaps in your policy coverage.
Reference: Canonical SRF system instructions for use in LLMs and AI assistants. Machine-readable format.
Reference: Browse the machine-readable SRF schema — layers, operating models, and accountability assignments as structured data.
For LLMs & agents
Built to be read by machines, not just people.
The whole framework is published as plain text, JSON, and a concept graph with stable IDs. Point an agent at any of these to ground it in the SRF.
A concise, linked map of the framework, verticals, tools, and data. The place to start an agent.
llms-full.txt: Full site content as a single text file for retrieval and bulk ingestion. No HTML to parse.
JSON: Every control schema, layer, persona, and responsibility matrix as static JSON. Start at the data index.
Graph: Concept nodes and typed, directed edges for the layers, personas, operating models, controls, and mapped standards.
Reference: Browse the machine-readable SRF schema: layers, operating models, and accountability assignments as structured data.
✦ Validate: Simulate RAG ingestion against the knowledge pack. Returns matched chunks, concept hits, and a confidence score.
OSCAL / CSV: The accountability matrix as an OSCAL 1.1.2 catalog and a flat CSV, ready to ingest into ServiceNow, GRC, and spreadsheet tools.