# AI Shared Responsibility: CoSAI SRF > The CoSAI AI Shared Responsibility Framework (SRF) defines who is accountable for what across AI deployments: five enterprise architecture layers, eight named personas, and four operating models. One accountable party per activity. "Shared" is not a valid final answer. This site provides the framework reference, industry-specific control schemas, regulatory crosswalks, practitioner tools, and copy-ready system instructions. Industry vertical schemas are independently proposed extensions to CoSAI SRF v1.0 and are not part of the official CoSAI release. ## Core framework - [Framework Overview](https://aisharedresponsibility.com/framework/): The five-layer enterprise architecture model (L1 AI Business & Usage through L5 AI Model Provider), eight personas, four operating models, and agentic extensions including autonomy classification (L0 to L5) and human override tiers (T1 to T5). - [Operating Models](https://aisharedresponsibility.com/operating-models/): How accountability assignments shift across AI-SaaS, AI-PaaS, Agent-PaaS, and IaaS deployments. The layer responsibility matrix per operating model. - [Personas](https://aisharedresponsibility.com/personas/): The eight named personas and their accountability domains across the five layers. - [Glossary](https://aisharedresponsibility.com/glossary/): Canonical definitions for all SRF terms with stable anchor links. Layers (L1-L5), personas, operating models, accountability rules, agentic extensions, controls vocabulary, and evidence terms. - [NICE Mapping](https://aisharedresponsibility.com/framework/nice-mapping/): Crosswalk between SRF roles and NICE Cybersecurity Workforce Framework categories. - [Framework Comparison](https://aisharedresponsibility.com/compare/): How the CoSAI SRF relates to and fills the accountability gap in NIST AI RMF, ISO 42001, EU AI Act, CSA AICM, and MITRE ATLAS. ## Industry verticals Each vertical adds a regulatory crosswalk, risk-tier calibration, and evidence specifications aligned to sector audit practices. All six are live. - [Industries Overview](https://aisharedresponsibility.com/industries/): All six verticals with status, control counts, and regulatory coverage. - [Financial Services](https://aisharedresponsibility.com/finance/): 40 controls across five SRF layers. SR 26-2 (agentic AI gap), FINOS AIGF, OWASP LLM Top 10, EU AI Act. Four MRM stages. - [Financial Services Controls](https://aisharedresponsibility.com/finance/controls/): Full 40-control schema with layer mapping and evidence requirements. - [Financial Services How-To](https://aisharedresponsibility.com/finance/how-to/): Practitioner guide and effective challenge workpaper. - [Healthcare](https://aisharedresponsibility.com/healthcare/): 40 controls for clinical decision support, AI-assisted diagnostics, and agentic care coordination. FDA TPLC, FDA PCCP, ONC HTI-1, HIPAA, EU AI Act, IEC 62304, ISO 14971. FHIR AuditEvent evidence pointers. - [Healthcare Controls](https://aisharedresponsibility.com/healthcare/controls/): Full 40-control schema with clinical stage mapping. - [Healthcare How-To](https://aisharedresponsibility.com/healthcare/how-to/): Practitioner guide for clinical AI deployment. - [Insurance](https://aisharedresponsibility.com/insurance/): 40 controls for underwriting, claims, and vendor model governance. NAIC AI Model Bulletin, Colorado Regulation 10-1-1 (July 2026 deadline), NYDFS CL 7, NAIC AI Systems Evaluation Tool. - [Insurance Controls](https://aisharedresponsibility.com/insurance/controls/): Full 40-control schema. - [Insurance How-To](https://aisharedresponsibility.com/insurance/how-to/): Practitioner guide and market conduct exam workpaper. - [Public Sector](https://aisharedresponsibility.com/public-sector/): 40 controls for federal civilian agencies (FCEB). OMB M-25-21 minimum practices, OMB M-25-22 acquisition terms, FedRAMP 20x KSIs, NIST AI RMF. September 22, 2026 deadline anchor. Responsibility split on every control. - [Public Sector Controls](https://aisharedresponsibility.com/public-sector/controls/): Full 40-control schema with federal AI stage mapping. - [Public Sector How-To](https://aisharedresponsibility.com/public-sector/how-to/): Practitioner guide and M-25-21 compliance workpaper. - [Defense / DoD](https://aisharedresponsibility.com/defense/): 53 controls for DoD components and the defense industrial base. DoD Responsible AI tenets, CMMC 2.0, DoD CC SRG, NIST 800-171. IL4, IL5, IL6 impact levels. Separate Non-NSS and NSS control tiers. - [Defense Controls](https://aisharedresponsibility.com/defense/controls/): Full 53-control schema with impact level mapping. - [Defense How-To](https://aisharedresponsibility.com/defense/how-to/): Practitioner guide and CMMC-aligned evidence workpaper. - [Manufacturing](https://aisharedresponsibility.com/manufacturing/): 45 controls for OT/ICS, product-embedded AI, and IT-side manufacturing. EU AI Act high-risk obligations (August 2026), EU Machinery Regulation 2023/1230 (January 2027), IEC 62443 OT cybersecurity zones, ISO 42001. - [Manufacturing Controls](https://aisharedresponsibility.com/manufacturing/controls/): Full 45-control schema with lifecycle stage mapping. - [Manufacturing How-To](https://aisharedresponsibility.com/manufacturing/how-to/): Practitioner guide and compliance workpaper. ## Tools - [Tools Overview](https://aisharedresponsibility.com/tools/): All interactive assessment and governance tools. - [Regulation Discovery](https://aisharedresponsibility.com/tools/regulation-discovery/): 4-step wizard identifying applicable regulations by jurisdiction, risk tier, deployment context, and industry vertical. Layer-mapped regulatory profile output with PDF export. - [Controls Assessment (AICM)](https://aisharedresponsibility.com/tools/controls-assessment/): Assess control implementation status against the SRF across all five layers. - [Layer Matrix](https://aisharedresponsibility.com/tools/layer-matrix/): Visual matrix of accountability assignments across all five SRF layers and operating models. - [Policy Pyramid](https://aisharedresponsibility.com/tools/policy-pyramid/): Governance policy hierarchy tool showing how L1 policy cascades through lower layers. - [Security Controls](https://aisharedresponsibility.com/tools/security-controls/): Security-specific control reference with SRF layer mapping. - [SRF Stress Test](https://aisharedresponsibility.com/tools/srf-stress/): Accepts a plain-language AI deployment scenario and stress-tests it against SRF accountability rules. - [System Instructions](https://aisharedresponsibility.com/tools/prompts/): Copy-ready prompts for grounding AI assistants in the SRF. Core instruction enforcing one accountable party per activity, role variants (executive, auditor, developer, legal/procurement), and sector context parameters for all six verticals. Also includes a site-aware primer for querying this site's content with an AI assistant. ## Regulations - [Regulations Reference](https://aisharedresponsibility.com/regulations/): AI regulations and standards mapped to SRF layers. - [Regulation Discovery Wizard](https://aisharedresponsibility.com/regulations/discovery/): Filter regulations by industry, geography, and SRF layer. Export a custom reference set. ## Developer resources - [Developer Overview](https://aisharedresponsibility.com/developers/): Integration resources, schema specifications, and system prompt library. - [SRF System Prompts](https://aisharedresponsibility.com/developers/prompts/): Versioned system instructions for integrating SRF governance into AI-assisted workflows. Same content as /tools/prompts/ with developer nav context. - [Schema Viewer](https://aisharedresponsibility.com/developers/schema/): Machine-readable accountability ontologies, evidence manifests, and RACI schemas. Coming in v2.0. ## Machine-readable data All control schemas and framework definitions are available as static JSON. An agent can fetch a single file to answer detailed questions about any vertical without parsing HTML. - [Data Index](https://aisharedresponsibility.com/data/index.json): Index of all data files with schema descriptions, record counts, and framework concept definitions. Start here for programmatic access. - [Layers](https://aisharedresponsibility.com/data/layers.json): Five SRF layers with personas, component descriptions, and operating model responsibility assignments. - [Personas](https://aisharedresponsibility.com/data/personas.json): Eight personas with layer assignments, ISO/IEC 22989 references, and responsibility lists. - [Responsibility Matrix](https://aisharedresponsibility.com/data/matrix.json): Operating model x layer matrix. Values: customer-owned, shared, provider-managed, model-evaluation, N/A. - [Regulations](https://aisharedresponsibility.com/data/regulations.json): AI regulations and standards mapped to SRF layers. - [Finance Controls](https://aisharedresponsibility.com/data/finance-controls.json): 40 controls: layer, persona, MRM stage, mappings, evidence thresholds. - [Healthcare Controls](https://aisharedresponsibility.com/data/healthcare-controls.json): 40 controls: layer, persona, clinical stage, FHIR AuditEvent evidence pointers. - [Insurance Controls](https://aisharedresponsibility.com/data/insurance-controls.json): 40 controls: layer, persona, lifecycle stage, NAIC/state regulatory mappings. - [Public Sector Controls](https://aisharedresponsibility.com/data/public-sector-controls.json): 40 controls: layer, agency/vendor responsibility split, federal lifecycle stage, M-25-21 mappings. - [Defense Controls](https://aisharedresponsibility.com/data/defense-controls.json): 53 controls: layer, IL4/IL5/IL6 impact level, NSS/Non-NSS tier, responsibility split. - [Manufacturing Controls](https://aisharedresponsibility.com/data/manufacturing-controls.json): 45 controls: layer, OT applicability, EU AI Act risk class, lifecycle stage. ## Knowledge graph and APIs A canonical concept layer for retrieval and reasoning. Every concept has one stable ID and one canonical URL. Glossary terms are deduplicated: each resolves to a single ontology node. Generated from the source content by build/generate_knowledge_layer.py. - [Glossary Registry](https://aisharedresponsibility.com/glossary.json): Full machine-readable glossary. Every SRF term with its definition, canonical ID, stable anchor URL, and per-term API link. - [Glossary API Index](https://aisharedresponsibility.com/api/glossary/index.json): Index of all glossary terms. Each term is independently retrievable at /api/glossary/{anchor}.json (for example /api/glossary/accountability.json, /api/glossary/L1.json, /api/glossary/AI-SaaS.json). - [Ontology Nodes](https://aisharedresponsibility.com/ontology/nodes.json): Concept graph nodes. Types: concept, framework, role, control. Covers the five layers, four operating models, eight personas, glossary vocabulary, all 258 vertical controls, and mapped external standards. - [Ontology Edges](https://aisharedresponsibility.com/ontology/edges.json): Typed, directed relationships between nodes (has_persona, operates_at_layer, assigns_responsibility, applies_to_layer, accountable_to, maps_to_layer, and more). - [Canonical ID Registry](https://aisharedresponsibility.com/ids.json): Every concept, layer, role, operating model, and control with one stable namespaced ID, name, and URL. Includes a glossary anchor cross-reference. - [Knowledge Pack](https://aisharedresponsibility.com/export/framework.json): Single flattened, linked representation of the whole framework for bulk ingestion: concepts, relationships, and definitions. Companion exports: /export/glossary.json and /export/ontology.json. - [Retrieval Validation Tool](https://aisharedresponsibility.com/llm/test/): Simulate RAG ingestion against the knowledge pack. Returns matched chunks, concept hits, and a confidence score. Append ?q=QUERY&format=json for a JSON response. ## Full content for agent retrieval - [llms-full.txt](https://aisharedresponsibility.com/llms-full.txt): Complete inline content: all framework concepts, all six vertical control schemas, and regulatory context in a single document. Agents can retrieve this file to answer detailed SRF questions without following additional links. ## About - [About](https://aisharedresponsibility.com/about/): Background on the project: an independent companion site to the CoSAI SRF built on open-source tools, proposed for CoSAI donation.