Tools
MCP server for Claude Code, Claude Desktop or any MCP-compatible agent. Database bundled, no extra setup.
claude mcp add gasp-aicf -- npx -y gasp-aicf-mcp

{
  "mcpServers": {
    "gasp-aicf": {
      "command": "npx",
      "args": ["-y", "gasp-aicf-mcp"]
    }
  }
}

Restart your client after adding the config. On first run, npx downloads and caches the package; subsequent starts are instant.
The server runs as a local process over stdio, with no open ports or authentication required. Your AI client spawns it via npx and calls its tools like any function. The control database is bundled in the package.
5 read-only tools covering classification, control lookup, questionnaire scoping and evidence checklists.
4 readable resources: domain taxonomy, framework index, control index and the full mapping matrix, returned as structured JSON.
Published on npm with the database bundled. One config block and a client restart. Pair with other MCP servers at the config level.
Advanced
Restart Claude Code (or run /mcp to reload), then ask:
List the AI governance controls at Tier 2.

To use a modified or newer version of the database, set DB_PATH:

{
  "mcpServers": {
    "gasp-aicf": {
      "command": "npx",
      "args": ["-y", "gasp-aicf-mcp"],
      "env": { "DB_PATH": "/absolute/path/to/gasp.db" }
    }
  }
}

Pipe JSON-RPC directly to verify the server works:

echo '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' | npx gasp-aicf-mcp

Tools
classify_tool (category, data_types[]?, is_ai_tool, access_mode?, user_scope?)
  Maps a tool's category, data types, access mode and exposure to the relevant AICF control domains and returns a recommended risk tier. Use this first when assessing any new tool.
list_controls (domain_id?, tier_id?, is_ai_specific?, search?)
  List canonical controls with optional filters. Returns ID, name, domain, minimum tier and mapping count for each match.
get_control (id)
  Full detail for one control: description, rationale, all assessment questions, evidence requirements and framework mappings with strength.
get_questionnaire (domains[], tier_id)
  Return all assessment questions scoped to a set of activated domains at a given risk tier. Useful for generating an assessment checklist.
get_evidence_checklist (domains[], tier_id)
  Return all evidence requirements for the activated domains and tier. Each item includes evidence type, example artifact and test method.
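The tools/list check from the Advanced section, extended into an added example (not the project's code) that compares the server's reply with the five tool names documented above, so a tool surface that differs from the documentation is flagged. The sample reply, the extra tool name write_control and the --live flag are constructed for this example.

```javascript
// Added example, not the project's code. Names below are the five tools this page documents.
const DOCUMENTED_TOOLS = ["classify_tool", "list_controls", "get_control",
  "get_questionnaire", "get_evidence_checklist"];

// Compare a parsed JSON-RPC tools/list reply with the documented tool set.
function auditToolList(reply, expected = DOCUMENTED_TOOLS) {
  const tools = reply && reply.result && reply.result.tools;
  if (!Array.isArray(tools)) {
    const why = reply && reply.error ? reply.error.message : "no result.tools array";
    return { ok: false, unexpected: [], missing: [...expected], error: why };
  }
  const names = tools.map((t) => t.name);
  const unexpected = names.filter((n) => !expected.includes(n));
  const missing = expected.filter((n) => !names.includes(n));
  return { ok: !unexpected.length && !missing.length, unexpected, missing, error: null };
}

// Spawn the server over stdio (newline-delimited JSON) and send the page's tools/list request.
async function queryServer(cmd = "npx", args = ["gasp-aicf-mcp"], timeoutMs = 30000) {
  const { spawn } = await import("node:child_process");
  return new Promise((resolve, reject) => {
    const child = spawn(cmd, args, { stdio: ["pipe", "pipe", "inherit"] });
    const done = (fn, v) => { clearTimeout(timer); child.kill(); fn(v); };
    const timer = setTimeout(() => done(reject, new Error("timed out")), timeoutMs);
    let buf = "";
    child.stdout.setEncoding("utf8");
    child.stdout.on("data", (chunk) => {
      const lines = (buf + chunk).split("\n");
      buf = lines.pop(); // keep a partial trailing line for the next chunk
      for (const line of lines) {
        try {
          const msg = JSON.parse(line);
          if (msg.id === 1) done(resolve, msg);
        } catch { /* skip non-JSON output */ }
      }
    });
    child.on("error", (e) => done(reject, e));
    child.on("close", () => done(reject, new Error("server exited without a reply")));
    child.stdin.write('{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}\n');
  });
}

// Constructed sample reply (not captured from the server); write_control is a made-up extra tool.
const SAMPLE_REPLY = { jsonrpc: "2.0", id: 1, result: { tools: [
  ...DOCUMENTED_TOOLS.map((name) => ({ name })), { name: "write_control" }] } };

const live = process.argv.includes("--live"); // --live is this script's own flag
(live ? queryServer() : Promise.resolve(SAMPLE_REPLY))
  .then((r) => console.log(auditToolList(r)), (e) => console.error(e.message));
```

Run without arguments to audit the constructed sample offline, or with --live to query the installed server.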
Resources
Resources are read-only structured data that the AI client can load as context. Each returns the full dataset as JSON.
gasp://domains
  All 11 control domains with IDs, names and descriptions. Load this to understand the taxonomy before querying controls.
gasp://frameworks
  All 8 mapped frameworks with version numbers. Useful for understanding which standards are covered.
gasp://controls
  Condensed index of all 168 canonical controls: ID, name, domain and minimum tier. Faster than list_controls when you just need the index.
gasp://mapping-matrix
  Full mapping matrix: every canonical control cross-referenced with every framework, including mapping strength. Use this for compliance gap analysis across frameworks.
Example prompts
Once the server is connected, ask your AI assistant questions in plain language. The client will call the appropriate tools automatically.
"We're adopting Notion as a company knowledge base. It will store some PII (employee directories) and business-confidential documents. Classify it against AICF and tell me what controls apply."
"We're evaluating an AI-powered analytics tool that processes financial data. What questionnaire questions and evidence would AICF require for a Tier 3 assessment?"
"Classify our new AI analytics vendor, then list the Tier 2 questionnaire questions and evidence we'd need to gather for each active domain."
"List all AICF controls that map to NIST AI RMF. For each one, tell me whether the mapping is full or partial and what the gap is."
Pairing with other MCP servers
The AICF MCP server is intentionally standalone. To build richer workflows, add other MCP servers to your client config alongside it.
Query the SaaS metrics the AI tools you govern are reporting on. AICF controls the adoption layer; GASP Standard defines what agents measure. Install both for end-to-end AI governance.
Visit gaspwiki.com
Classify new dependencies or AI features introduced in a PR and list the controls they trigger.
Open assessment tickets from a tool's active domains and required evidence.
Answer "what controls apply to tool X?" in-channel from the control library.