CoSAI — Coalition for Secure AI
CoSAI (Coalition for Secure AI) is an OASIS-hosted industry consortium producing collaborative AI security guidance. As of Q1 2026, it has 40+ industry partners with 10 Premier Sponsors including Amazon, Microsoft, IBM, Intel, NVIDIA, PayPal, Anthropic, OpenAI, and (as of February 2026) Meta. Google donated the SAIF Risk Map and Risk Assessment to CoSAI in 2024, making CoSAI the primary successor to SAIF content.
CoSAI operates through structured workstreams, with Workstream 4 (Secure Design Patterns for Agentic Systems) being the most active.
Q1 2026 Publications
MCP Security White Paper (January 27, 2026) — The most comprehensive MCP threat taxonomy available:
- Nearly 40 threats across 12 categories
- Categories include identity/access control, input validation, data protection, supply chain integrity, guardrails, and systems security enforcement
- Co-led by IBM and Sarah Novotny
Principles for Secure-by-Design Agentic Systems (February 9, 2026):
- Defense-in-depth principles with practical implementation strategies
- Covers SLSA-based provenance, comprehensive telemetry, and updated incident response playbooks for agentic challenges
Project CodeGuard (February 9, 2026) — Cisco donated this model-agnostic security coding agent skills framework; now governed by CoSAI.
Meta joined as Premier Sponsor (February 3, 2026).
A2A Protocol
The Agent-to-Agent (A2A) protocol is a key CoSAI/Google-originated initiative — current state v1.0.0 (2026-03-12) under Linux Foundation governance since 2025-06-23. Spec covers:
- Transport security (HTTPS / TLS 1.3) and authentication delegated to OpenAPI-style schemes (§7)
- Agent Card signing framework — Canonicalization, Signature Format, Signature Verification (§8.4); algorithm-agnostic
- gRPC, JSON-RPC over HTTP, and Server-Sent Events transports
Opacity principle: “Agents collaborate based on declared capabilities and exchanged information, without needing to share their internal thoughts, plans, or tool implementations.”
Gap: A2A v1.0 has security woven through §7 + §8.4 but no standalone security spec; message integrity, replay protection, and cross-agent delegation remain vendor-side (Oktsec-class) or proposal-side (Issue #1575).
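The §8.4 signing framework is described above only at the level of its three parts (canonicalization, signature format, verification). The following is an added illustration of that canonicalize-then-sign pattern and of why canonicalization matters for integrity; it is not the A2A specification's own format or code, and it is not taken from any A2A SDK. Assumptions: a constructed, simplified Agent Card (three fields, not the real schema), Ed25519 as the algorithm (the spec is algorithm-agnostic), and Go's sorted-key `encoding/json` output standing in for a full RFC 8785 canonicalizer. It checks three things a verifier cares about: the original card verifies, a semantically identical card with reordered keys and extra whitespace still verifies, and a tampered card does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Canonicalize produces a deterministic byte form of a JSON document.
// It decodes into generic values and re-encodes with encoding/json, which
// sorts object keys and drops insignificant whitespace. This is an assumed
// stand-in for a full RFC 8785 (JCS) canonicalizer: adequate for strings,
// arrays and nested objects, but it does not reproduce JCS number
// formatting or its handling of HTML-sensitive characters.
func Canonicalize(raw []byte) ([]byte, error) {
	var generic interface{}
	if err := json.Unmarshal(raw, &generic); err != nil {
		return nil, err
	}
	return json.Marshal(generic)
}

// SignCard signs the canonical form of a raw JSON card with Ed25519.
func SignCard(priv ed25519.PrivateKey, raw []byte) ([]byte, error) {
	canon, err := Canonicalize(raw)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, canon), nil
}

// VerifyCard re-canonicalizes the received bytes and checks the signature.
// Unparseable JSON is treated as a verification failure, not an error.
func VerifyCard(pub ed25519.PublicKey, raw []byte, sig []byte) bool {
	canon, err := Canonicalize(raw)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, canon, sig)
}

// Demo signs a constructed card and returns the verification outcome for
// the original, a key-reordered copy, and a tampered copy.
func Demo() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample card; the fields are illustrative, not the A2A schema.
	original := []byte(`{"name":"example-agent","url":"https://agent.example.invalid","skills":["summarize","translate"]}`)
	sig, err := SignCard(priv, original)
	if err != nil {
		return false, false, false, err
	}
	// Same content, different key order and whitespace: canonicalization
	// must make this verify against the signature computed above.
	reordered := []byte(`{ "skills": ["summarize", "translate"], "url": "https://agent.example.invalid", "name": "example-agent" }`)
	// Tampered in transit: a skill the publisher never declared.
	tampered := []byte(`{"name":"example-agent","url":"https://agent.example.invalid","skills":["summarize","translate","payments"]}`)

	origOK := VerifyCard(pub, original, sig)
	reorderedOK := VerifyCard(pub, reordered, sig)
	tamperedOK := VerifyCard(pub, tampered, sig)
	return origOK, reorderedOK, tamperedOK, nil
}

func main() {
	o, r, t, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original=%v reordered=%v tampered=%v\n", o, r, t)
}
```

Two design points carry over to any real deployment: the verifier must canonicalize the bytes it received rather than trusting a canonical form supplied by the sender, and the signature by itself says nothing about freshness, which is why the replay-protection gap noted above is separate from card integrity.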
AI Incident Response Framework
The AI Incident Response Framework v1.0 (originally November 2025, continuously updated) is the first industry-wide AI incident response framework following the NIST lifecycle. It is the closest thing to an authoritative AI IR playbook, but lacks AI-specific IoCs and forensic procedures.
Strengths
- MCP Security White Paper is the most comprehensive MCP threat taxonomy of any framework
- Secure-by-Design principles bridge conceptual guidance and operational practice
- AI Incident Response Framework v1.0 provides the only multi-stakeholder AI IR structure
- Collaborative model (40+ partners including all major hyperscalers) gives unique convening power
- A2A protocol’s “opacity principle” is architecturally sound for multi-agent security
- Google SAIF donation ensures content continuity under collaborative governance
Gaps and Shortcomings
- Publications remain principled guidance rather than enforceable specifications
- MCP Security White Paper catalogs threats but does not provide specific, testable control implementations
- Secure-by-Design principles lack maturity assessment criteria
- A2A v1.0 has no standalone security specification — message integrity, replay protection, and cross-agent delegation remain vendor- or proposal-side
- AI Incident Response Framework lacks AI-specific IoCs or forensic procedures
- No AI-BOM requirements
- Cognitive file integrity and proof-of-guardrail concepts unaddressed
- Workstream outputs are not certification-backed
Coverage Against OWASP ASI Top 10
| ASI Category | Coverage |
|---|---|
| ASI01: Agent Goal Hijack | ◐ Partial (MCP paper) |
| ASI02: Tool Misuse | ◐ Partial |
| ASI03: Identity & Privilege | ◐ Partial (A2A Agent Cards) |
| ASI04: Supply Chain | ● SLSA-based provenance |
| ASI05: Data Disclosure | ◐ Partial |
| ASI06: Memory Poisoning | ◐ Partial |
| ASI07: Insecure Inter-Agent | ● A2A protocol + MCP paper |
| ASI08: Cascading Failures | ◐ Partial |
| ASI09: Missing Guardrails | ● Guardrails category |
| ASI10: Rogue Agents | ◐ Partial |
Watch Items (2026)
- Workstream 4 updates to MCP Security White Paper as MCP spec evolves
- A2A protocol security specification — when formalized authorization schemes ship
- Additional workstream outputs on multi-cloud agentic security patterns
See Also
- CoSAI (the organization)
- Google SAIF — Secure AI Framework — original SAIF framework; CoSAI is the institutional successor
- Meta — Premier Sponsor as of February 2026; LlamaFirewall contributor
- Agentic AI Security Capability Maturity Model — A 2026 Practical Proposal — CoSAI Principles → D1; MCP Security white paper Jan 2026 → D5; Agentic IAM Apr 2026 → D2; AI Incident Response Framework v1.0 → D9 Operations & Human Factors; CoSAI contribution is D1 L5 evidence
- OWASP Top 10 for Agentic Applications (ASI Top 10) — ASI Top 10 complements CoSAI’s MCP/agentic guidance