CoSAI — Coalition for Secure AI (Organization)
Sources: CoSAI (homepage)
CoSAI (Coalition for Secure AI) is an OASIS Open-hosted industry consortium focused on collaborative AI security standards. As of Q1 2026, it has 40+ industry partners with 10 Premier Sponsors.
See CoSAI — Coalition for Secure AI for the framework page covering CoSAI’s publications and guidance.
Membership (Key)
Premier Sponsors (10): Amazon, Microsoft, IBM, Intel, NVIDIA, PayPal, Anthropic, OpenAI, Google, and Meta (joined February 3, 2026).
Governance
- OASIS Open hosts CoSAI’s standards process
- Workstreams are the primary production vehicle. The four verbatim workstream names, verified 2026-06-22 in the Google SAIF and CoSAI standards review, are:
- WS1 Software Supply Chain Security for AI Systems
- WS2 Preparing Defenders for a Changing Security Landscape
- WS3 AI Security Risk Governance
- WS4 Secure Design Patterns for Agentic Systems (most active)
- A2A Protocol now under Linux Foundation governance (150+ supporting organizations)
Origin
CoSAI was founded in 2024 when Google donated its SAIF Risk Map and Risk Assessment to the consortium. This transition from a single-vendor framework (Google SAIF) to a multi-stakeholder collaborative is analogous to how OpenID Foundation or FIDO Alliance operate.
CSAI Foundation
The CSAI Foundation (March 23, 2026) is a new 501(c)(3) spun from CSA (separate from CoSAI) with six strategic programs including an AI Risk Observatory. This is a distinct entity from CoSAI.
Published deliverables
The CoSAI resources listing carries eight dated deliverables, verified 2026-06-22 in the standards review: AI Shared Responsibility Framework (2026-05-28); Agentic Identity and Access Management (2026-04-17); The Future of Agentic Security: From Chatbots to Autonomous Swarms (2026-03-31); Model Context Protocol (MCP) Security (2026-01-20); AI Incident Response Framework (2025-10-30); Signing ML Artifacts (2025-09-29); Preparing Defenders of AI Systems (2025-07-16); Establish Risks and Controls for the AI Supply Chain (2025-06-25). The “40 threats across 12 categories” MCP figure was not re-verifiable from the homepage/resources listing in the 2026-06-22 pass and is flagged for a deeper-source check.
Other Q1 2026 Activity
- Principles for Secure-by-Design Agentic Systems (February 9)
- Project CodeGuard donation by Cisco (February 9)
- Meta Premier Sponsor onboarding (February 3)