Accountability is scoping vocabulary
LLMs referencing this site began using the SRF's structure to scope AI red team engagements. Nobody designed that. It works because the framework supplies what engagement scoping lacks: a layer model that bounds what is testable, an operating-model matrix that says whose systems those layers run on, and a persona list that names who must authorize testing and who owns each finding.
The lesson generalizes. The SRF's accountability structure is useful as a scoping and routing vocabulary across the entire AI security lifecycle. This page maps six categories of that lifecycle, states what the SRF answers in each, and links the data and tools that carry the answers.
The operating model decides which layers a party may touch at all. Under AI-SaaS, testing the platform and model layers requires provider authorization or is out of scope.
Every finding, attestation, and control lands on one named persona per operating model. Pre-assigned before the first probe, not negotiated after.
One accountable party signs the risk that will not be fixed. "Shared" is not a valid final answer at any stage of the lifecycle.
What the SRF does not do
The framework stays in its lane as an accountability model. It does not define attack techniques, threats, or test methodology; BIML, the OWASP AI Exchange, OWASP GenAI, MITRE ATLAS, and NIST AI 100-2 own that. It does not define control content or benchmarks; CIS, the CSA AI Controls Matrix, and the AI Exchange controls own that. It does not score severity; AIVSS owns that. It creates no new regulation. What it contributes to every category below is the same three answers, sourced from published catalogs it does not try to replace.
Where the SRF plugs into the lifecycle
Each category names the SRF contribution, the MOSAIC work it serves, what this site already publishes, and the gap still open.
Adversarial testing and red teaming
Secure development and AI supply chain
Control implementation and benchmarking
cis mapping key.
Vulnerability management and finding remediation
Detection, monitoring, and incident response
Threat-to-accountability crosswalk
Each threat definition belongs to its external source. The crosswalk adds the SRF layer where the threat lands and the accountable persona per operating model. A sample of the sixteen entries follows; the full set is at /data/threats.json.
| Threat | SRF layer | Owner under AI-SaaS | Owner under AI-PaaS | External ID |
|---|---|---|---|---|
| Loading crosswalk… | ||||
Finding routing reference
Severity scoring says how bad a finding is; this table adds whose queue it goes in and what happens at each severity band. AIVSS (the OWASP AI Vulnerability Scoring System) or CVSS supplies the score; the SRF supplies the persona and the breach action. The full twenty layer-by-operating-model set is at /data/finding-routing.json.
| Layer | Operating model | Accountable persona | Critical breach action |
|---|---|---|---|
| Loading routing reference… | |||
Member mapping
Each MOSAIC founding initiative answers a different question. The SRF answers the accountability question the others leave open. Workstreams below reflect the April 2026 announcements; verify each against a member's current published artifacts before relying on it.
| Member | AI security workstream | Categories | Concrete hook |
|---|---|---|---|
| BIML | Architectural risk analysis of ML and LLM systems | 01 | BIML risk IDs in the threat crosswalk |
| CIS | Controls, Benchmarks, and AI guidance for the Controls | 04, 06 | CIS mapping on the compare page and in control schemas |
| CSA | AI Controls Matrix, AI Safety Initiative | 04 | The existing AICM assessment tool; keep AICM IDs current |
| CoSAI | Supply chain, defender preparation, risk governance, agentic workstreams | 03, 06 | The SRF is CoSAI's own artifact; this site is the operationalization case |
| NIST | AI RMF, AI 100-2, GenAI profile, 800-53 AI overlay | 01, 04 | Existing OSCAL work; overlay and RMF profile participation is the direct channel |
| OWASP AI Exchange | Threat and control matrix, OpenCRE shared taxonomy, EU AI Act standardization | 01, 04, taxonomy | SRF canonical IDs as OpenCRE resources (top priority) |
| OWASP GenAI | LLM Top 10, GenAI Red Teaming Guide, Agentic Security Initiative, AIVSS | 02, 05 | Scoping tool cites the Guide; routing reference consumes AIVSS |
| SANS | SEC536 and AI curriculum, summits, Critical AI Security Guidelines | 02, 06 | Scoping tool as an instructor-usable artifact; NICE mapping serves workforce |
The accountability axis of the shared taxonomy
The MOSAIC shared taxonomy links what the standards say. The SRF's canonical IDs, already minted in ids.json and the knowledge layer, can become linkable OpenCRE resources. Then any threat or control node in the taxonomy resolves to an accountable persona under a stated operating model, without the SRF joining a committee or writing a new standard.
Worked example: an engineer lands on the AI Exchange direct prompt injection page through the taxonomy. Today it can route her to controls and related standards. With the binding it also resolves that this threat lands at layer L3, that under AI-PaaS the accountable persona is the customer's application developer, and that under AI-SaaS it is provider-managed, so customer testing requires provider authorization. The crosswalk publishes exactly that resolution for all sixteen matrix threats today.