Coalition for Secure AI
The Coalition for Secure AI, or CoSAI, is an OASIS Open Project for shared AI-security practices, open tooling, and secure-by-design guidance.
Definition
The Coalition for Secure AI (CoSAI) is an OASIS Open Project that gathers AI and security practitioners around shared guidance, research, and open technical artifacts for securing AI systems. OASIS announced CoSAI on July 18, 2024 at the Aspen Security Forum. Its launch materials describe the project as an open-source initiative for practitioners and developers who need secure-by-design AI methods, frameworks, and tools.
CoSAI's scope is narrower than "AI safety" as a whole. It is about security: securely building, integrating, deploying, and operating AI systems. OASIS named model theft, data poisoning, prompt injection, scaled abuse, and inference attacks as examples of risks in scope. That puts CoSAI beside MITRE ATLAS, OWASP Top 10 for LLM Applications, and OWASP Top 10 for Agentic Applications, not in place of them.
How It Works
The launch announcement said CoSAI is led by a Project Governing Board and a Technical Steering Committee. CoSAI's own FAQ says the governing board handles lifecycle, business strategy, budgets, marketing, partnerships, and approval of official work products, while the technical steering committee advises on technical direction, releases, and workstreams. Sponsoring organizations have formal governance roles, while technical participation is presented as open to contributors.
The current CoSAI site organizes work around four workstreams: software supply-chain security for AI systems, preparation for a changing cybersecurity landscape, AI security risk governance, and secure design patterns for agentic systems. The supply-chain workstream extends provenance and risk-management ideas toward models, data, and AI applications. The governance workstream aims at controls, checklists, scorecards, readiness assessment, monitoring, and reporting for AI products and services.
Agent Context
CoSAI is especially relevant once AI systems become agents. Its secure-by-design agentic-systems principles frame the problem around human governance and shared accountability, bounded and resilient execution, and transparent, verifiable operation. The point is not that every agent action should wait for manual approval. The point is that authority, entitlements, telemetry, failure modes, and review thresholds should be designed before the agent is placed near tools, data, money, infrastructure, or users.
CoSAI's 2026 MCP security discussion makes the agent-specific issue explicit: an LLM can sit between user intent and system action, so conventional API controls may miss manipulation through natural language, tool descriptions, or context. The associated whitepaper is described as covering 12 threat categories and nearly 40 distinct threats, including identity and access, input handling, data/control boundaries, integrity controls, network isolation, supply-chain integrity, and operational visibility.
Governance and Safety
A practical CoSAI reading starts with evidence. A team invoking CoSAI should be able to show which workstream, document, control, or repository it used; which system boundary it applies to; who approved the interpretation; and what logs, tests, or runtime signals support compliance. A brand-name coalition does not make a model, agent, platform, or deployment secure by association.
CoSAI also inherits the limits of industry-led security coordination. Large vendors can move faster than formal standards bodies and contribute real engineering knowledge, but they may also prioritize problems that map cleanly to their products, infrastructure, and customer base. Public-interest review, independent research, incident disclosure, and regulator-accessible evidence still matter.
Defense Pattern
- Separate security from assurance theater. Cite specific CoSAI artifacts, not the coalition name alone.
- Bind controls to authority. Map each agent, model, connector, tool, and dataset to permitted actions and forbidden zones.
- Preserve telemetry. Store inputs, tool calls, plans, outputs, policy decisions, approvals, and failure events for review.
- Use multiple taxonomies. Pair CoSAI with MITRE ATLAS, OWASP, CWE, CVE, SBOM, and incident-reporting vocabularies where appropriate.
- Test the boundary. Red-team prompt injection, tool poisoning, credential misuse, supply-chain swaps, and cross-agent confusion.
Source Discipline
Claims about CoSAI should distinguish OASIS launch materials, CoSAI website descriptions, GitHub workstream repositories, blog summaries, and final specifications. A blog post may describe a framework, but an implementer still needs the underlying artifact, version, license, and change history. The same discipline applies when vendor members cite CoSAI in marketing copy.
Spiralist Reading
Spiralism reads CoSAI as a sign that AI security is moving from private craft to public coordination. The agent is not only a model; it is an authority-bearing system with tools, credentials, suppliers, operators, logs, and witnesses. CoSAI matters if it turns that system into something inspectable before failure, not merely explainable after damage.
Open Questions
- Which CoSAI artifacts will become stable enough for procurement, audit, and regulatory use?
- How should independent researchers test whether CoSAI guidance works in deployed agent systems?
- What governance safeguards keep industry-led AI-security standards from becoming product-shaped compliance language?
Related Pages
- MITRE ATLAS
- OWASP Top 10 for Agentic Applications
- OWASP Top 10 for LLM Applications
- OWASP AI Vulnerability Scoring System
- Agentic Supply-Chain Vulnerabilities
- AI Agent Identity
- AI Agent Observability
- Secure AI System Development
- SLSA Provenance
- Common Weakness Enumeration
Sources
- OASIS Open, Introducing the Coalition for Secure AI, an OASIS Open Project, July 18, 2024.
- Coalition for Secure AI, homepage, reviewed June 25, 2026.
- Coalition for Secure AI, About and FAQ, reviewed June 25, 2026.
- Coalition for Secure AI, Principles for Secure-by-Design Agentic Systems announcement, reviewed June 25, 2026.
- Coalition for Secure AI, Practical Guide to Model Context Protocol Security, reviewed June 25, 2026.