AI SAFE² v3.0 161 CONTROLS

161 Total Controls: across 5 pillars + governance
32 Frameworks Mapped: ISO, NIST, EU AI Act + 29 more
3 First-in-Field Controls: CP.7, CP.9, CP.10 (no other framework has these)
4 ACT Capability Tiers: governance scales with agent autonomy

Framework Architecture

6 governance domains
P1 Sanitize
P2 Audit
P3 Fail-Safe
P4 Monitor
P5 Evolve
CP Governance

What Each Domain Protects

CP.1–CP.10: Cross-Pillar Governance OS

NEW IN v3.0

Ten governance controls that operate across all five pillars simultaneously — not within any single domain. Includes three first-in-field standards that no other AI governance framework has published.

Compliance Coverage

32 frameworks in one implementation
AI-Specific
Enterprise
Regulatory
+14 more: CSA, MAESTRO, Google SAIF, MIT AI Risk, AIID, CCPA/CPRA, NIST CSF 2.0 and 7 more
Board-level point: One AI SAFE² v3.0 implementation generates evidence artifacts for 32 compliance frameworks simultaneously. Your team audits once, satisfies everything.

Ready to present your AI risk posture?

The AI SAFE² Implementation Toolkit includes the Risk Command Center dashboard, 161-point audit scorecard, HEAR designation forms, and board-ready compliance evidence packages.


ACT Capability Tier Classifier

CP.3 v3.0

Answer 6 questions about your agent. Receive your ACT tier, mandatory controls, and governance requirements.

CP.10 HEAR Designation Required
This tier requires a named Human Ethical Agent of Record with a cryptographic signing key before production deployment. This is a first-in-field governance standard — no other framework defines this.
CP.9 Agent Replication Governance Required
Orchestrators that spawn sub-agents must implement lineage tokens, delegation hop limits (max 3), ephemeral credentials, and a 500ms kill-switch tree. First-in-field: no other framework covers agent replication.
CP.8 Catastrophic Risk Thresholds — Deployment Blocker
Document behavioral indicators that trigger emergency suspension before deployment is approved. Required for all ACT-3 and ACT-4 agents.

Mandatory Controls for Your Tier

Next step: Generate your complete deployment governance package including HEAR designation form, CP.9 lineage spec, and audit evidence checklist.
Free: AI Builder Pre-Flight Checklist
35 questions — before you ship any AI agent to production

Your ACT tier tells you what governance you need. The Pre-Flight Checklist tells you whether your agent is actually ready to deploy. 35 structured questions across every critical risk surface — security, data governance, human oversight, failure modes, and compliance readiness.

No account required · GitHub download · 35 questions · Instant access

Builder Reference — Controls by Impact


CSI AI Builder Pre-Flight Checklist

35 structured questions that answer one question before you ship: is this agent actually ready? Covers security, governance, human oversight, failure modes, and compliance. Built directly from AI SAFE² v3.0 controls — the same framework you are using right now.

✓ No email required on GitHub
✓ 35 questions · PDF + Markdown
✓ Maps to AI SAFE² v3.0 controls

Scan your codebase now

The AI SAFE² v3.0 scanner checks your code against 40+ rules covering all 5 pillars and CP.1-CP.10. The ACT tier is estimated from your code structure.

python -m scanner.cli scan . --tier Tier2 --report json

Compliance Framework Crosswalk

See which AI SAFE² v3.0 controls satisfy each requirement
Audit tip: Export the complete gap report with A2.5 execution trace requirements, compliance evidence artifact types, and control implementation status.

Self-Assessment Scorecard

Check controls you have implemented. Score updates live.

CRITICAL Controls
HIGH Controls
Export your results: The full 161-point audit scorecard with auto-calculated Combined Risk Score, ISO 42001 alignment, and compliance evidence package is in the Toolkit.

v3.0 Combined Risk Score Calculator

Score = CVSS_Base + ((100 − Pillar_Score) ÷ 10) + (AAF ÷ 10)
CVSS_Base (0 to 10): Vulnerability severity (CVE base score)
Pillar_Score (0 to 100): From your assessment above (100 = fully compliant)
AAF (0 to 100): Agentic Amplification Factor (10 factors × 0-10)
CVSS and AAF are estimates from static analysis. Use the MCP server risk_score tool for precise calculation.
CROSS-PILLAR GOVERNANCE OS ALL NEW IN v3.0

CP.1 – CP.10: First-in-Field Standards

Ten governance controls that operate across all five pillars simultaneously. Three have no counterpart in any existing AI governance framework.

Attack Surface Map — Controls by Threat Category

MITRE ATLAS Crosswalk

23 New v3.0 Controls

Builder Problem
Control Requirement
Minimum ACT Tier
Compliance Frameworks