CoSAI SRF · Industry Verticals

AI shared responsibility by industry

The CoSAI SRF defines accountability across operating models and personas. These vertical schemas translate that foundation into industry-specific controls, regulatory crosswalks, and practitioner guides. Vertical schemas are experimental, independently proposed extensions; they are not part of CoSAI SRF v1.0.

Why industry-specific schemas?

The base SRF defines who is accountable and for what. It does not resolve how a hospital, a bank, or a federal agency should implement those accountabilities under their specific regulatory regimes. Each vertical closes that gap.

Every vertical schema adds: a regulatory crosswalk to the sector's primary AI or model governance standard, tier parameters calibrated to the sector's risk appetite, and evidence specifications aligned to the sector's audit and examination practices.

Available verticals

🏦 Financial Services (Live)

40 controls across five SRF layers, calibrated for banks, asset managers, and fintechs. Addresses the SR 26-2 gap for agentic AI, with FINOS AIGF and OWASP LLM Top 10 crosswalks.

SR 26-2 · FINOS AIGF · OWASP LLM Top 10 · EU AI Act

🏥 Healthcare (Live)

40 controls across five SRF layers, covering clinical decision support, AI-assisted diagnostics, and agentic care coordination. Maps to FDA TPLC and PCCP guidance, ONC HTI-1, HIPAA, EU AI Act, IEC 62304, and ISO 14971. FHIR AuditEvent evidence pointers throughout.

FDA TPLC · FDA PCCP · ONC HTI-1 · HIPAA · EU AI Act · IEC 62304

📋 Insurance (Live)

40 controls for underwriting, claims, and vendor model governance. Aligned to the NAIC Model Bulletin, Colorado Regulation 10-1-1 (July 2026 deadline), NYDFS CL 7, and the NAIC AI Systems Evaluation Tool used in market conduct exams.

NAIC AI Model Bulletin · CO Reg 10-1-1 · NYDFS CL 7 · EU AI Act

🏛️ Public Sector (Live)

40 controls for federal civilian agencies (FCEB). The agency side of the FedRAMP Customer Responsibility Matrix for AI, with responsibility_split on every control. Mapped to OMB M-25-21 minimum practices, M-25-22 acquisition terms, FedRAMP 20x KSIs, and NIST AI RMF. September 22, 2026 deadline anchor.

OMB M-25-21 · OMB M-25-22 · FedRAMP 20x · NIST AI RMF

🛡️ Department of War (Live)

53 controls for DoD components and the defense industrial base. Maps Responsible AI tenets to named accountability across IL4, IL5, and IL6 impact levels, with separate Non-NSS and NSS control tiers and CMMC-aligned evidence for contractors.

DoD RAI · CMMC 2.0 · DoD CC SRG · NIST 800-171

🏭 Manufacturing (Live)

45 controls for OT/ICS deployments, product-embedded AI, and IT-side manufacturing systems. Aligned to EU AI Act high-risk obligations (August 2026 deadline), EU Machinery Regulation 2023/1230 (January 2027), and IEC 62443 OT cybersecurity zones.

EU AI Act · IEC 62443 · ISO 42001 · NIST AI RMF