Primary question
Can the control story hold before implementation starts?
Start here when the hard part is the control story, review language, or assurance posture around the system.
Path briefing
Back to all pathsSecurity path
When the control language has to come before the build
This lane is for teams that do not want to bolt governance onto an AI system after the architecture is already drifting in production.
What is at stake
If the control language arrives late, the build gets ahead of policy, the policy gets detached from reality, and the remediation work becomes more expensive than the original build.
Likely lead
AI Security Foundation
AISF leads the standards and governance side: control language, implementation-layer security framing, and the shape of a certification path.
Visit lead siteWhat gets sorted first
ASG gets business, security, and build teams talking about the same system before controls and execution split into separate workstreams.
Primary concerns
- Controls language
- Governance posture
- Implementation handoff
Inside the route
What this lane is really sorting
The route pages are where the stakeholder view gets more specific and the handoff logic becomes tangible.
Scenario
CISOs, risk owners, and compliance leads who need an AI control story they can defend before implementation starts.
Typical next move
Start with ASG. AISF frames the control story first, then MRI and ASI carry the work into validation and build.
MRI and ASI join when the question turns from standards to implementation, validation, private deployment, or operational hardening.
What this lane is really sorting
What gets blocked first
Security teams usually inherit a half-formed system description and are asked to bless it quickly. That is where trust evaporates and timelines slip.
What has to be true
The policy frame, implementation frame, and evidence frame all need to point at the same system, not three different abstractions built by three different teams.
Why ASG first
ASG keeps the controls discussion attached to the real work. AISF leads the standards and governance lane, then MRI or ASI step in when the discussion turns operational.
Proof in context
Governance lead
AISF's public site describes standards and certification work mapped to NIST AI RMF, MITRE ATLAS, ISO/IEC 42001, and OWASP guidance.
Operational follow-through
MRI and ASI are already part of the routing model, so the governance work does not dead-end when the system needs validation or private deployment.
Decision hygiene
ASG keeps the first meeting small, specific, and tied to the actual system boundary instead of a broad AI policy conversation with no owner.
Lead entity
AI Security Foundation
AISF was formally incorporated as a 501(c)(6) in November 2025. It houses the AI security standards work already underway through MRI's IC and defense engagements, and is building an AI Security Controls Matrix mapped to NIST AI RMF, MITRE ATLAS, ISO/IEC 42001, and OWASP guidance. Manbir Gulati, founding director and president, authored the AI evaluation methodology AISF now publishes as open standards.
Visit siteSupporting entity
Mojave Research Inc.
MRI's public site lists Reston, VA, CAGE 10S34, and CMMC Registered Practitioner status. It also says cleared personnel for delivery are confirmed during contracting and highlights secure-enclave and air-gapped delivery environments.
Visit siteSupporting entity
Agentic Secure Inc.
ASI is the IP development and innovation engine within the ASG operating model — taking ideas into top-end AI products, owning the intellectual property, and building the systems that move from concept into production-grade delivery.
Explore other paths
First briefing
Bring the parts that change ownership fastest
These are usually the details that make the lead team, review context, and next move obvious without turning the call into a long discovery loop.
- Control concern
- Current architecture
- Decision owner or audit trigger
Start with ASG. AISF frames the control story first, then MRI and ASI carry the work into validation and build.