GASP: AICF


AICF for SaaS

Eight frameworks, one control library

GASP: AICF for SaaS normalizes 886 controls from SOC 2, ISO 27001, NIST, EU AI Act, GDPR and more into 168 auditable canonical controls, each with evidence requirements, risk tiers and a full question bank.

  • 168 canonical controls
  • 8 frameworks
  • 807 mappings
  • 343 questions
  • 329 evidence records

Why these eight frameworks?

The selection covers the full compliance surface of a SaaS company operating with AI, from baseline security certification through AI-specific regulation and data privacy law. Each framework was chosen to fill a gap the others leave.

Security baseline
ISO 27001:2022
The globally recognised ISMS certification that enterprise procurement teams require as table stakes.
NIST SP 800-53 Rev 5
The most comprehensive security control catalogue available, covering every control family that ISO 27001 implies but doesn't specify.
SOC 2 (TSC 2017)
The standard SaaS audit report for US enterprise sales; maps directly to the Trust Services Criteria.
CSA CCM v4.1
Cloud-native security coverage that fills gaps in cloud config, shared responsibility and vendor risk.
AI governance
NIST AI RMF 1.0
The US government's risk management framework for AI. Defines GOVERN, MAP, MEASURE and MANAGE functions that structure the AIG domain.
EU AI Act 2024
The first binding AI regulation with real enforcement teeth. Required for any AI system accessible to EU users, regardless of where the company is based.
ISO 42001:2023
The AI management system standard that complements the EU AI Act with an auditable AIMS certification path.
Data and privacy
GDPR 2018
Required for any SaaS handling EU personal data. Articles 5, 25, 28, 32, 33 map directly to data protection, processor obligations and breach notification controls.
What we excluded
HIPAA: excluded because the scope is SaaS and AI rather than healthcare delivery. HIPAA controls would be added via a domain extension for health-focused products.

The library at a glance

Eight frameworks, one canonical layer

Each framework on the left maps to multiple canonical controls on the right. Drag a node to feel the connections, or follow an edge to see which framework introduces which requirement.

GASP Ecosystem

GASP Standard, SaaS metrics

AICF governs how you adopt AI tools. The GASP Standard defines the SaaS metrics those tools report on. 300 canonical metrics across 13 departments with formulas, benchmarks and a knowledge graph, available as an MCP server.

  • Metrics: 300
  • Departments: 13
  • MCP server: gasp-standard-mcp
MCP Integration (npm: gasp-aicf-mcp)

Published on npm as gasp-aicf-mcp. Add one config block in Claude Code or Claude Desktop. The database is bundled.

5 read-only tools
  • classify_tool: category + data types → tier
  • get_questionnaire: scoped questions
  • get_evidence_checklist: evidence per control
  • list_controls: filtered control lookup
  • get_control
4 resources
  • gasp://domains
  • gasp://frameworks
  • gasp://controls
  • gasp://mapping-matrix
Pairs with
  • Jira / Linear MCP: open assessment tickets from active domains
  • GitHub MCP: classify new dependencies in PRs
  • Slack MCP: answer "what controls apply?" in-channel
$ claude mcp add gasp-aicf -- npx -y gasp-aicf-mcp