CoSAI — Coalition for Secure AI (Organization)

Sources: CoSAI (homepage)

CoSAI (Coalition for Secure AI) is an OASIS Open-hosted industry consortium focused on collaborative AI security standards. As of Q1 2026, it has 40+ industry partners with 10 Premier Sponsors.

See CoSAI — Coalition for Secure AI for the framework page covering CoSAI’s publications and guidance.

Membership (Key)

Premier Sponsors (10): Amazon, Microsoft, IBM, Intel, NVIDIA, PayPal, Anthropic, OpenAI, Google, and Meta (joined February 3, 2026).

Governance

  • OASIS Open hosts CoSAI’s standards process
  • Workstreams are the primary production vehicle. The four verbatim workstream names, verified 2026-06-22 in the Google SAIF and CoSAI standards review, are:
    • WS1 Software Supply Chain Security for AI Systems
    • WS2 Preparing Defenders for a Changing Security Landscape
    • WS3 AI Security Risk Governance
    • WS4 Secure Design Patterns for Agentic Systems (most active)
  • A2A Protocol now under Linux Foundation governance (150+ supporting organizations)

Origin

CoSAI was founded in 2024 when Google donated its SAIF Risk Map and Risk Assessment to the consortium. This transition from a single-vendor framework (Google SAIF) to a multi-stakeholder collaborative is analogous to how OpenID Foundation or FIDO Alliance operate.

CSAI Foundation

The CSAI Foundation (March 23, 2026) is a new 501(c)(3) spun from CSA (separate from CoSAI) with six strategic programs including an AI Risk Observatory. This is a distinct entity from CoSAI.

Published deliverables

The CoSAI resources listing carries eight dated deliverables, verified 2026-06-22 in the standards review: AI Shared Responsibility Framework (2026-05-28); Agentic Identity and Access Management (2026-04-17); The Future of Agentic Security: From Chatbots to Autonomous Swarms (2026-03-31); Model Context Protocol (MCP) Security (2026-01-20); AI Incident Response Framework (2025-10-30); Signing ML Artifacts (2025-09-29); Preparing Defenders of AI Systems (2025-07-16); Establish Risks and Controls for the AI Supply Chain (2025-06-25). The “40 threats across 12 categories” MCP figure was not re-verifiable from the homepage/resources listing in the 2026-06-22 pass and is flagged for a deeper-source check.

Other Q1 2026 Activity

  • Principles for Secure-by-Design Agentic Systems (February 9)
  • Project CodeGuard donation by Cisco (February 9)
  • Meta Premier Sponsor onboarding (February 3)