This document was approved by the CoSAI PGB, 22 July 2024. Updates were approved by the PGB on 29 July 2024. Further updates were approved by the PGB on 22 October 2025.
This document defines the Coalition for Secure AI (CoSAI) Open Project governance. It changes infrequently, and only by the process defined below.
The Coalition for Secure AI (CoSAI) unites diverse stakeholders to tackle critical challenges inherent to building and deploying secure AI systems. Through collaborative AI security research and product development, best practice sharing, and joint initiatives, the Coalition for Secure AI aims to enhance threat mitigation strategies and drive security advancements that can be shared across the AI ecosystem to build societal trust in secure AI systems.
CoSAI, an OASIS Open Project, is committed to building an open, inclusive, productive and self-governing open source community. This community is governed by this document and in accordance with the OASIS Open Project Rules. The purpose of this document is to define how the CoSAI community should work together to achieve its goals.
The PGB follows and is responsible for upholding the OASIS Open Project Rules, and any Standing Rules it adopts.
The CoSAI Open Project follows the OASIS Participants Code of Conduct. The Project will operate in a collaborative and transparent manner.
The CoSAI Open Project maintains a no-solicitation policy covering all meetings, webinars, and other events. Additionally, it is expected that participation in this Open Project will not result in future solicitations unless specifically invited.
Any violations of the Code of Conduct or rules of collaboration can be brought to the Open Project Administrator.
This document applies to all code repositories under the CoSAI GitHub organization, which resides at https://github.com/cosai-oasis.
The Project Governing Board (PGB) is the group responsible for the overall lifecycle or business strategy of the project and for the approval of official work products. The PGB also oversees activities such as events, marketing, partnerships, promotion, budget, and so forth. The PGB also follows and is responsible for upholding the OASIS Open Project Rules, and any Standing Rules it adopts.
Each Sponsoring organization has the option to have one voting representative on the PGB. One PGB seat is also reserved for a representative from the Technical Steering Committee (TSC).
All PGB members' participation is governed by OASIS Open Project Rules section 15.3.
Non-voting guests are permitted at PGB meetings by invitation of a PGB chair.
The PGB must at all times have a Chair or two co-Chairs. Only members of the PGB are eligible to be Chair or co-Chair. For the remainder of this section, Chair shall mean either the single Chair or each of the two co-Chairs, whichever the group has.
The Chair is elected or re-confirmed every two years by a Full Majority Vote of the PGB. If the PGB does not have a Chair, then all activities, with the exception of the selection of a new Chair, are suspended. Existing Chairs serve until they resign or are replaced in an election. The PGB may also remove a Chair at any time with a Full Majority Vote.
Chair responsibilities include providing leadership, acting as primary liaison to OASIS staff and in general ensuring that the PGB works efficiently to achieve its goals. The Chair is responsible for preparing the agenda for the PGB meetings, facilitating the meetings, and making sure minutes are recorded and published. Further description of the chair role and responsibilities can be found in the OASIS Open Project Rules.
The PGB can also, by lazy consensus, appoint one or two board coordinators to support the Chairs.
The PGB roster is maintained here.
For most decisions, the PGB operates by lazy consensus. In addition to the votes required by the OASIS Open Project Rules, a Full Majority Vote of the PGB is required for decisions including (but not limited to):
- Any action or decision that may bind the CoSAI project to commitments or obligations with any external party or entity, including but not limited to legal, financial, or intellectual property related commitments or obligations
- Election of PGB Chairs/Co-Chairs
- Starting a new workstream into CoSAI
- Endorsements, partnerships, or liaisons with other groups
- Substantive changes to the Governance policies or documents
Promoting work to stages in the OASIS standards track (Project Specification Draft, Project Specification, or submission as candidate for OASIS Standard) requires a Special Majority Vote run by OASIS staff. Please see the Open Project Rules for promoting work through its various stages.
The TSC is responsible for the overall technical health and direction of the project and advises the PGB on such matters. Further, the TSC is responsible for releases, and overseeing work of Workstreams, WS Chairs, Contributors, and Maintainers.
Premier Sponsors and Founding Sponsors will have the option of one TSC representative. This person may be different from the PGB representative and should be a subject matter expert. CoSAI Founding Sponsors are the group of general-level sponsors that joined CoSAI at the founding of the project.
The PGB also creates a set number of TSC seats for non-sponsoring participants, which are reserved for academic institutions, non-profit organizations, and other non-commercial entities such as government organizations. TSC non-sponsor representatives are expected to attend TSC meetings regularly and be active in at least one workstream. TSC non-sponsor organizations will be expected to sign the OASIS Open Project Membership Agreement without modification, as well as agree to all intellectual property rules adopted by the project. The term of the seats is one year from the signature of the Membership Agreement and can be revisited annually. This seat does not come with any other rights of OASIS membership or automatic benefits of other sponsors. This seat is not eligible to vote in TSC matters or to have an official status on the Project Governing Board. Conditions may be amended by the PGB.
The TSC will be populated by the following process:
- TSC members representing sponsoring members are selected by that sponsoring member as they know their talent the best. This person can be switched out with prior notice to the PGB and OASIS staff.
- Appointment for the non-sponsor seats is done by a consensus vote of the PGB, up to the number of seats previously set by the PGB.
The PGB can adjust the process for populating the TSC once the membership number normalizes and will review this rule on TSC membership eligibility, including non-sponsor seats, on an annual basis.
The PGB can also reappoint or re-confirm the non-sponsor seats on an annual basis.
The TSC has two Co-Chairs elected by the TSC with a Full Majority Vote. The Chairs of the TSC are responsible for preparing an agenda for each meeting, organizing and facilitating the meetings, making sure minutes are taken and published, and working with OASIS staff to schedule ballots. The Chairs should have a firm understanding of the technology under the TSC's purview.
The TSC shall select one member to represent it on the PGB. This representative's organization shall not already be represented on the PGB, to avoid any one organization having two votes on the PGB.
The TSC will also need to appoint at least one Maintainer who will serve as principal editor of the Project’s technical work managed within its Project Repositories. If the TSC fails to appoint a maintainer, the PGB shall appoint one. The TSC chairs also have the option of filling this role.
The TSC is also tasked with creating a Maintainer policy and a Contributing policy. The latter defines what type of contributions are accepted, how they are reviewed and what the general contribution process looks like.
All TSC members are expected to attend the committee meetings on a regular basis and contribute to the objectives and outcomes of those meetings. Every TSC member should be involved in at least one workstream. Further governance for the TSC and the Workstreams can be found here.
Any community member may submit a request for recall of a TSC chair to the PGB at any time by submitting the request and sufficient justification to the PGB chair or co-chairs. Such requests shall be held in confidence by the PGB chair or co-chairs. In the event of receipt of such a request, the chair or co-chairs shall schedule the recall as an item for discussion at the next PGB meeting, which shall be held no later than 30 days after the receipt of the request. After subsequent discussion, the recall shall be decided upon by a Full Majority Vote of the PGB. In the event of a recall vote passing, the TSC chair shall at that time be considered immediately recalled and be relieved of all responsibilities conferred via the position. If needed, a new TSC Chair or Co-Chair shall be appointed by the PGB.
Workstreams (WS) are defined by the PGB. Topic, scope, milestones, and deliverables for each WS are also defined by the PGB. See this file for the initial workstreams and deliverables.
Workstream contributors can also propose amendments to the scope and deliverables for their workstream to the TSC. This feedback may be communicated by the Workstream Chair.
Workstreams (WS) can occur concurrently or consecutively as decided by the PGB based on resources and timeline planning.
Contributors can be assigned to a WS by the PGB. The PGB can also delegate this task to the TSC.
When a WS completes a work product that it wants approved, the WS team sends the work product to the TSC for a vote, and then the TSC can send it to the PGB for final approval consistent with the OASIS rules. Further governance for the workstreams can be found here.
There are two types of CoSAI deliverables: major deliverables and other deliverables.
Major deliverables include but are not limited to: new white papers; strategic or opinion blog posts or announcements that represent CoSAI as a whole; new features and/or new content, code releases, and other work products that represent CoSAI as a whole; and/or work products that take a position on behalf of the CoSAI OP.
Originating in the PGB: a review period, followed by a consensus vote of the eligible voters of the PGB. A specified majority vote may be requested.
Originating in a Committee: after an internal agreement among the deliverable's author(s) and the committee chair/leads, a review period is needed, followed by a call for consensus. A specified majority vote may be requested.
In the case of work products originating in workstreams, it is expected that workstream leads will have secured agreement among the workstream contributors before raising the deliverable for approval by the TSC. When the WS leads agree on the approval of the work product, they should request a 5-day review by the TSC and the PGB at the same time, followed by a Full Majority Vote of the TSC. Once the TSC approval is confirmed, the TSC will request approval from the PGB. The PGB will then start a call for consensus (3-5 days). A specified majority vote may be requested.
In both cases, the call for consent of the PGB will be documented on the project's official tools for visibility and archival permanence. PGB members are welcome to raise objections in the manner specified in the call. In the event of substantive objections, OASIS administrators will consult with the project leads on the best resolution.
In the interest of agile processes that allow CoSAI to move at the speed of relevance, lesser deliverables, such as release announcement blog posts, updated versions of existing and already approved white papers, bug-fix PRs, etc., will adhere to an abbreviated approval process.
Deliverables in this category will be considered approved once they receive consensus from the committee (or workstream) in which they originated and a call for consent by the TSC (in the case of workstreams) or PGB (in the case of other committees) has been deemed successful.
Any committee has the option of holding a specified majority vote and/or increased approvals for these deliverables if deemed necessary.
If there is uncertainty on which category work products or deliverables fall into, the OASIS administrators will consult with project leads to make the determination that is in the best interest of the project.
If CoSAI produces specifications, then the OASIS process as written at the time must be followed.
In addition to the TSC, the PGB may form other groups as they deem necessary, such as a Marketing Group, Advisory Council (experts who may be advocates for the project without being deeply involved), or an Executive Steering Committee in the event the PGB grows too large.
The PGB may form these groups by lazy consensus and shall appoint a Committee Chair or Co-Chairs. The process to populate the committee will also be established at the time of commencement. Ideally, these groups are populated by appointment or are self-selecting.
Members of these committees are Contributors to the CoSAI project and thus are required to sign a Contributor License Agreement (CLA) and need to conform with this Governance and the OASIS Participants Code of Conduct.
These committees should report back to the PGB on a regular basis.
The CoSAI Open Project is an Open Source project and anyone can join as a contributor, whether they are employed by a sponsor organization or not. Contributors do not have to be a member of the PGB or the TSC.
Contributors: A Contributor is someone who has agreed to the Contributor License Agreement (CLA) and who makes regular contributions to one or more CoSAI workstreams and repositories (including but not limited to activities such as documentation, code reviews, responding to issues, participation in proposal discussions, contributing code, etc.). Any person (whether or not an OASIS member or CoSAI sponsor) may participate in CoSAI as a Contributor. The role of contributor is furthermore defined in the OASIS Open Project Rules.
Maintainers: A Maintainer is someone who has agreed to the Contributor License Agreement (CLA) and has been selected by the TSC to oversee one or more components of CoSAI repositories, reviewing code and pull requests, preparing releases, triaging issues, and performing similar tasks. Maintainers and their requisite duties are managed by the TSC. Any person (whether or not an OASIS member or CoSAI sponsor) may be appointed as a project Maintainer. The role of Maintainer is furthermore defined in the OASIS Open Project Rules.
Contributors to any CoSAI project must abide by the OASIS Open Projects IPR Policy and the Apache 2.0 License, as well as the CC-BY 4.0 license, as outlined in the license.md files.
All contributors are required to make these rights available by signing a Contributor License Agreement (CLA) and a patent non-assert for non-trivial contributions, releasing contributions under the Apache License v2.0 for source code and models and under CC-BY 4.0 for documentation and data contributions. If you have questions about these policies, please contact the OASIS Open Project Administrator.
All participants must also abide by the terms of the OASIS Participants Code of Conduct.
All substantive changes in Governance require a Full Majority Vote of the PGB.
The Executive Steering Committee shall be composed of Premier Sponsors and Founding Members of the CoSAI PGB. This structure will be re-evaluated after one year. The Chair(s) of the Executive Steering Committee will be the same as the Chairs of the PGB.
Founding Members are considered as organizations who signed the membership agreement prior to the official project launch on July 18, 2024.
Duties of this Committee could include but are not limited to drafting PGB meeting agendas, drafting strategy and communications plans for the entire PGB's feedback, coordinating the use of supplemental services for Premier Sponsor allocations, and more. The Executive Steering Committee will act in the best interest of the entire PGB and Open Project.
The Public Sector Committee (PSC) is a subcommittee of the PGB. Any PGB member or their alternate can join this committee, but no organization can have more than one vote.
The purpose of the Public Sector Committee (PSC) is to define and document how CoSAI members and contributors engage and interact with in-scope standards bodies, civil society entities, and non-legislative government entities. The committee is responsible for developing and proposing the overall public sector engagement strategy and implementation. See Public Sector Committee Governance for more details.