Solutions Aegis Industries Insights Pricing Company Request Briefing
OASF — OneCompliant AI Security Framework

The governance architecture that makes AI controls operational.

OASF is not another framework document. It is a structured, domain-based governance architecture that defines the control boundaries your organisation needs — and drives what Aegis enforces at runtime. Aligned directly to EU AI Act and NIST AI RMF.

Explore the framework Request briefing
6
Control domains covering the full AI governance lifecycle
40+
Individual controls across all domains
4
Regulatory frameworks mapped — EU AI Act, NIST, NIS2, ISO 42001
100%
Controls are operational — not just documented
Framework Architecture

Six control domains. Every dimension of AI governance covered.

Each domain addresses a distinct governance dimension — from how AI data is classified and handled, to how models are approved and monitored, to how incidents are detected and responded to. Click any domain to explore its controls.

OASF-DG · Domain 1 of 6

Data Governance

Defines how data is classified, handled, protected, and controlled throughout AI interactions. Establishes the data minimisation, purpose limitation, and protection rules that Aegis Guard enforces at runtime — ensuring sensitive data never reaches unapproved AI models.

Aegis enforcement

OASF-DG controls drive the Aegis Guard inspection rules — defining which data classifications trigger redaction, blocking, or elevated routing at runtime.

AI Data Classification PolicyOASF-DG-001

Defines data sensitivity tiers for AI contexts — from public to restricted. Specifies which data categories may be processed by which AI model types.

EU AI Act Art. 10NIST GOVERNAegis Guard
Personal Data in AI WorkflowsOASF-DG-002

Controls governing the use of personal data in AI prompts, training, and outputs. Enforces GDPR data minimisation and purpose limitation at the point of AI interaction.

GDPR Art. 5EU AI Act Art. 10Aegis Guard
Special Category Data ProhibitionOASF-DG-003

Prohibits processing of GDPR Art. 9 special category data (health, biometric, ethnic origin) through unapproved AI systems. Defines approved exceptions and controls.

GDPR Art. 9ISO 42001Aegis Guard
Third-Country AI Transfer ControlsOASF-DG-004

Controls governing data transferred to AI providers outside the EU/EEA. Defines approved transfer mechanisms and routing restrictions for sensitive data classifications.

GDPR Ch. VAegis Routing
OASF-MG · Domain 2 of 6

Model Governance

Defines how AI models are evaluated, approved, catalogued, monitored, and retired. Establishes the approved model registry that Aegis Routing uses to select and enforce model access — ensuring employees only interact with vetted, approved AI models.

Aegis enforcement

OASF-MG controls populate the Aegis Routing catalogue — defining which models are approved for which data classifications and business contexts.

AI Model Approval ProcessOASF-MG-001

Defines the evaluation and approval process for AI models before enterprise deployment. Includes security review, bias assessment, explainability evaluation, and regulatory compliance check.

EU AI Act Art. 9NIST MAPAegis Routing
Approved Model RegistryOASF-MG-002

Maintains the authoritative registry of approved AI models, providers, and permitted use cases. Defines model-to-data-classification matching rules and access boundaries.

EU AI Act Art. 13Aegis Routing
Model Integrity MonitoringOASF-MG-003

Ongoing monitoring of deployed AI models for drift, bias, performance degradation, and adversarial manipulation. Defines escalation thresholds and response procedures.

NIST MEASUREISO 42001 Cl.9Aegis Risk
Shadow AI DetectionOASF-MG-004

Controls for identifying and managing unapproved AI tool usage across the enterprise. Defines discovery methods, risk classification, and remediation procedures for shadow AI.

NIS2 Art. 21NIST GOVERNAegis Audit
OASF-AI · Domain 3 of 6

Access & Identity

Defines how identity is verified, access is authorised, and roles are enforced for AI interactions. Every AI interaction must be identity-bound — ensuring the audit trail can reconstruct who accessed what, when, and why.

Aegis enforcement

OASF-AI controls drive Aegis Gateway identity binding — SSO integration, MFA enforcement, and role-aware access to approved AI models.

AI Identity BindingOASF-AI-001

Requires all AI interactions to be bound to a verified enterprise identity. Prohibits anonymous or shared-account AI access. Enforces SSO integration with enterprise IAM.

EU AI Act Art. 14NIS2 Art. 21Aegis Gateway
Role-Based AI AccessOASF-AI-002

Defines role-based access controls for AI model usage. Business roles determine which models, data classifications, and AI capabilities are accessible — enforced at the governance layer.

NIST GOVERNISO 42001Aegis Policy
Privileged AI Access ManagementOASF-AI-003

Enhanced controls for privileged access to AI systems — model administrators, governance officers, and audit reviewers. Defines approval workflows and just-in-time access procedures.

NIS2 Art. 21Aegis Gateway
OASF-OS · Domain 4 of 6

Operational AI Security

Defines the technical security controls protecting AI systems from adversarial attack, manipulation, and misuse. Covers prompt injection defence, adversarial robustness, and AI-specific threat modelling — the security controls that SIEM tools and traditional DLP were not built for.

Aegis enforcement

OASF-OS controls drive Aegis Guard prompt inspection — detecting injection attacks, jailbreak attempts, and policy evasion before they reach the model.

Prompt Injection DefenceOASF-OS-001

Controls for detecting and blocking prompt injection attacks — attempts to override AI governance controls through malicious instructions embedded in prompts or input data.

NIST MANAGEAegis Guard
Adversarial Input DetectionOASF-OS-002

Monitoring and detection controls for adversarial inputs designed to manipulate model outputs, extract training data, or cause model misbehaviour in production environments.

EU AI Act Art. 15NIST MEASUREAegis Risk
AI Threat ModellingOASF-OS-003

Structured threat modelling for AI systems — identifying attack surfaces, threat actors, and attack vectors specific to AI deployments in regulated enterprise environments.

NIST MAPISO 42001
AI Supply Chain SecurityOASF-OS-004

Security controls for AI model supply chains — vetting model providers, validating model integrity, and managing third-party AI component risk.

NIS2 Art. 21EU AI Act Art. 9
OASF-AC · Domain 5 of 6

Audit & Compliance

Defines the logging, reporting, and evidence generation requirements that make AI governance demonstrable to regulators, boards, and auditors. Every AI interaction must be reconstructable — who, what data, which model, what policy applied, what was the outcome.

Aegis enforcement

OASF-AC controls define the Aegis Audit log schema — every field, every classification, every policy decision that must be captured and retained.

AI Interaction LoggingOASF-AC-001

Mandatory logging requirements for all AI interactions — timestamp, user identity, data classifications detected, policies applied, model used, and policy outcome. Tamper-evident log integrity required.

EU AI Act Art. 12NIS2 Art. 21Aegis Audit
Governance ReportingOASF-AC-002

Defines the governance reporting cadence, report formats, and metrics required for board, executive, and regulatory reporting. Includes AI risk score, policy compliance rate, and incident summary.

EU AI Act Art. 17ISO 42001 Cl.9Aegis Risk
Regulatory Evidence ManagementOASF-AC-003

Controls for generating, maintaining, and producing regulatory evidence — GDPR processing records, EU AI Act conformity documentation, NIS2 security measure evidence, and audit trail exports.

GDPR Art. 30EU AI Act Art. 12Aegis Audit
OASF-IR · Domain 6 of 6

AI Incident Response

Defines how AI-specific security incidents are detected, classified, contained, investigated, and reported. Traditional incident response playbooks were not designed for AI misuse, model manipulation, or governance failures — this domain fills that gap.

Aegis enforcement

OASF-IR controls define Aegis alerting thresholds — when policy violations, anomalous patterns, or credential incidents trigger automated escalation.

AI Incident ClassificationOASF-IR-001

Defines the AI-specific incident taxonomy — data leakage, model manipulation, governance bypass, credential compromise, adversarial attack, and compliance breach. Maps to GDPR 72-hour notification and NIS2 reporting requirements.

GDPR Art. 33NIS2 Art. 23Aegis Risk
AI Incident Response PlaybookOASF-IR-002

Structured response procedures for each AI incident category — containment steps, investigation requirements, notification obligations, and governance escalation paths.

NIST MANAGENIS2 Art. 21
Post-Incident Governance ReviewOASF-IR-003

Mandatory post-incident review process for AI security events — root cause analysis, control gap identification, OASF framework update requirements, and regulatory notification documentation.

ISO 42001 Cl.10EU AI Act Art. 17
Regulatory Alignment

OASF speaks the language of the regulator.

Every OASF control is mapped to the regulatory frameworks your organisation is already accountable to. OASF is not a new language to learn — it is a practical implementation of the standards you already know.

EU AI Act

Art. 9 Risk management system
Art. 10 Data governance
Art. 12 Record keeping
Art. 13 Transparency
Art. 14 Human oversight
Art. 17 Quality management

NIST AI RMF

GOVERN — Policies and accountability
MAP — Risk identification and context
MEASURE — Risk analysis and tracking
MANAGE — Risk response and monitoring

NIS2 Directive

Art. 21 Security measures
Art. 23 Incident reporting
Supply chain security
Access control requirements

ISO 42001

Clause 6 — Planning
Clause 8 — Operation
Clause 9 — Performance evaluation
Annex A — AI controls

Ready to operationalise your AI governance?

OASF defines the governance architecture that Aegis enforces at runtime — typically established through an OASAT assessment that identifies your governance gaps and the controls your organisation needs.

Request OASF Briefing See the Assessment demo