[enhancement] Uplift CoSAI-RM Persona Model to Support CoSAI-Identified Personas #109

@davidlabianca

Problem Statement

The current CoSAI Risk Map uses a simplified persona model with only two roles:

  • personaModelCreator - Model Creator
  • personaModelConsumer - Model Consumer

This simplistic model is insufficient for:

  1. Control and Risk attribution - Unclear which party owns specific security controls and risks in multi-party AI systems
  2. Real-world scenarios - AI systems involve multiple parties with shifting roles across lifecycle and supply chain stages; the same organization may be a data provider, model provider, or application developer at different times
  3. Shared Responsibility Model (SRM) - Cannot map to industry-standard organizational roles
  4. Framework alignment - Difficult to map to ISO 22989, NIST AI RMF personas

Reference: cosai-oasis/ws3-ai-risk-governance#12


Proposed Solution

Expand the persona model to 7 CoSAI-identified standard personas that:

  • Are usable by non-experts
  • Are actionable with clear control responsibilities
  • Provide clarity on partner vs. own obligations
  • Create a stable foundation for future expansions
  • Remain maintainable (balance utility vs. complexity)

Proposed New Personas

  1. AI Model Provider - Develops, trains, evaluates, and tunes foundation or specialized models
  2. Data Provider - Supplies training/evaluation data to model providers
  3. AI Platform Provider - Provides infrastructure (compute, storage, APIs) for AI systems
  4. Agentic Platform and Framework Providers - Provides development environments, frameworks, and orchestration runtimes for agentic systems (LangChain, Semantic Kernel, Cursor, Vertex AI Agent Builder, OpenAI Assistants API)
  5. Application Developer - Builds AI-powered applications using models/APIs
  6. AI System Governance - Defines security control objectives, measures implementations, and enforces compliance for AI systems
  7. AI System Users - Consumes AI applications/services

Note on excluded personas: Policy Makers and Regulators were considered but fall outside CoSAI scope since they do not directly own or implement specific security controls.

Alignment with External Standards

Best effort mapping of CoSAI personas to:

  • ISO 22989: AI Producer, AI Partner, AI Consumer roles
  • NIST AI RMF: Map, Measure, Manage, Govern functions

Scope & Implementation

This epic encompasses four sub-issues with a phased branching strategy:

Phase 1a: Persona Schema Updates (Issue #XXX)

  • Update personas.schema.json to support 7 new persona IDs
  • Add deprecated, mappings fields to schema
  • Update validation tooling for deprecated personas
  • Maintain backward compatibility during transition

Branch strategy:

  • Target: main (infrastructure update)
  • Blocked by: None

Phase 1b: Framework Applicability Schema (Issue #XXX)

  • Expand framework ID enum to include ISO 22989
  • Add applicableTo field to frameworks.schema.json (entity-level only)
  • Enable frameworks to specify applicability across personas, controls, and risks
  • Update validation for entity-level framework mappings
  • Add tests for applicableTo validation

Branch strategy:

  • Target: main (infrastructure update)
  • Blocked by: None (can run in parallel with Phase 1a)

Reverse Merge: Sync develop with main

Before Phase 2 begins, main must be reverse merged into develop to ensure content branches have latest infrastructure updates.

Phase 2: Content Population (Issue #XXX)

  • Add 7 new personas to personas.yaml with framework mappings
  • Mark existing personas as "(Legacy)" with deprecation notices
  • Add ISO 22989 to frameworks.yaml
  • Update existing frameworks with applicableTo field

Branch strategy:

  • Target: develop (content changes require offline community review)
  • Blocked by: Phase 1a, Phase 1b, and reverse merge of main into develop

Phase 3: Controls & Risks Migration (Issue #XXX)

  • Update all 29 persona references in controls.yaml
  • Update all 26 persona references in risks.yaml
  • Map controls to multiple personas where shared responsibility exists

Branch strategy:

  • Target: develop (content changes require offline community review)
  • Blocked by: Phase 2

Note: Legacy persona references will remain in mappings during initial migration. Future issues will address migration strategy for existing content using deprecated personas.


Success Criteria

  • Schema supports 7 new persona IDs (including Agentic Platform and Framework Providers)
  • Framework schema enum expanded to include ISO 22989
  • ISO 22989 framework added to frameworks.yaml
  • Frameworks specify which entity types can map to them (applicableTo field)
  • All controls and risks use new persona model
  • Legacy personas remain for backward compatibility but are marked deprecated
  • Documentation updated (guide-personas.md, guide-frameworks.md)
  • All validation tests pass
  • High-level visual taxonomy created illustrating persona → activity → control/responsibility relationships (not persona-by-persona to control mappings)
  • Agentic Provider persona includes identification questions for usability

Migration Strategy

  1. Non-breaking addition - New personas coexist with legacy ones
  2. Gradual migration - Update controls/risks incrementally
  3. Clear labeling - Mark legacy personas in UI/documentation
  4. Validation enforcement - Ensure new content uses new personas
  5. Community review - RFC period for persona definitions before finalizing

Risks & Mitigations

| Risk | Impact | Mitigation |
|------|--------|------------|
| Too many personas (>9) | Confuses users | Strict scope control, usability testing |
| Breaking existing integrations | High | Maintain legacy IDs, versioned schema |
| Persona overlap/ambiguity | Medium | Clear definitions with examples |
| Incomplete control mapping | High | Comprehensive audit in Phase 3 |

References

  • CoSAI Issue #12
  • ISO 22989:2022 - AI Concepts and Terminology
  • NIST AI RMF 1.0
  • Current schema: risk-map/schemas/personas.schema.json
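
The sketch below is an added example, not part of the original issue and not code from the CoSAI Risk Map repository. It shows one way the deprecation-aware validation from Phase 1a and the "Validation enforcement" migration step could behave. The record layouts, the control IDs, the new persona ID `personaModelProvider`, and the rule that an entry with no persona is an error are all assumptions; only the two legacy IDs and the `deprecated` field name come from the issue.

```python
# Added illustration; not code from the CoSAI Risk Map repository.
# Record layouts and the new persona ID are hypothetical; only the two legacy
# IDs and the "deprecated" field name come from the issue text.

PERSONAS = [  # constructed sample standing in for personas.yaml
    {"id": "personaModelCreator", "deprecated": True},
    {"id": "personaModelConsumer", "deprecated": True},
    {"id": "personaModelProvider"},  # hypothetical new-style ID
]

CONTROLS = [  # constructed sample standing in for controls.yaml
    {"id": "controlA", "personas": ["personaModelCreator"]},
    {"id": "controlB", "personas": ["personaModelProvider", "personaModelConsumer"]},
    {"id": "controlC", "personas": ["personaModelProvidr"]},  # misspelled reference
    {"id": "controlD", "personas": []},  # no owner at all
]


def check_persona_refs(personas, entries, strict=False):
    """Return (errors, warnings) for persona references in controls or risks.

    Unknown IDs are always errors, as are entries with no persona (assumed
    rule: every control or risk needs an owner). References to deprecated
    personas are warnings while legacy content is migrated, and errors when
    strict=True (intended for newly added content).
    """
    known = {p["id"]: bool(p.get("deprecated", False)) for p in personas}
    errors, warnings = [], []
    for entry in entries:
        refs = entry.get("personas", [])
        if not refs:
            errors.append(f"{entry['id']}: no persona assigned")
        for ref in refs:
            if ref not in known:
                errors.append(f"{entry['id']}: unknown persona {ref}")
            elif known[ref]:
                (errors if strict else warnings).append(
                    f"{entry['id']}: deprecated persona {ref}")
    return errors, warnings


if __name__ == "__main__":
    for strict in (False, True):
        errs, warns = check_persona_refs(PERSONAS, CONTROLS, strict=strict)
        print(f"strict={strict}: {len(errs)} errors, {len(warns)} warnings")
```

Running the non-strict mode over existing content and the strict mode over changed files keeps legacy references valid during migration while blocking new uses of deprecated personas.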
