GTSAF
GTSAF, the Gamut Trust, Security and Assurance Framework, is Gamut’s native AI assurance baseline. It is the deepest framework in the platform: 358 controls across 17 domains, with a workbook-driven scoring workflow. Where the regulatory frameworks tell you what you must achieve, GTSAF gives you a comprehensive, assessable control set to demonstrate how.
At a glance
| Property | Value |
|---|---|
| Controls | 358 |
| Domains | 17 (lettered A to Q) |
| Gate controls | 71 |
| Critical controls | 70 |
| Crosswalk targets | EU AI Act, ISO/IEC 42001, ISO/IEC 42005, NIST AI RMF |
| Control identifier | `GTSAF-<domain>-<nn>`, for example `GTSAF-A-01` |
Gate controls are the controls on which progression depends: a weakness in any of them holds back a system’s assurance posture until it is addressed. Critical controls carry the highest risk weighting. Every control has its own objective, risk statement, implementation guidance, evidence expectations and test procedures.
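The following is an added illustration, not Gamut’s code, of how the two control classes above behave in a scoring workflow: gate controls below threshold block progression, critical controls weigh more in the aggregate, and every gap becomes a finding ordered so that gate and critical controls are cleared first. The identifier format (`GTSAF-<domain>-<nn>`, domains A to Q) is taken from the page; the 0 to 3 maturity scale, the pass threshold of 2, the critical weight of 3 and the sample controls and rationales are assumptions made for this example.

```python
"""Gate-and-critical scoring model for GTSAF-style assessments.

Added illustration, not Gamut's code. The identifier format (GTSAF-<domain>-<nn>,
domains A..Q) comes from the page; the 0..3 maturity scale, the pass threshold
and the critical weighting are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CONTROL_ID = re.compile(r"^GTSAF-([A-Q])-(\d{2})$")

MAX_SCORE = 3        # assumption: 0 = absent ... 3 = implemented and evidenced
PASS_THRESHOLD = 2   # assumption: below this the control is a gap and raises a finding
CRITICAL_WEIGHT = 3  # assumption: a critical control weighs three standard controls
DEFAULT_WEIGHT = 1


def parse_control_id(control_id: str) -> tuple[str, int]:
    """Split 'GTSAF-J-03' into ('J', 3); reject anything outside domains A..Q."""
    match = CONTROL_ID.match(control_id)
    if match is None:
        raise ValueError(f"not a GTSAF control identifier: {control_id!r}")
    return match.group(1), int(match.group(2))


@dataclass(frozen=True)
class Control:
    control_id: str
    gate: bool = False       # gates progression of the assurance posture
    critical: bool = False   # carries the highest risk weighting

    def __post_init__(self) -> None:
        parse_control_id(self.control_id)  # malformed ids fail at construction

    @property
    def domain(self) -> str:
        return parse_control_id(self.control_id)[0]

    @property
    def weight(self) -> int:
        return CRITICAL_WEIGHT if self.critical else DEFAULT_WEIGHT


@dataclass(frozen=True)
class Scored:
    control: Control
    score: int
    rationale: str  # the workflow requires a rationale with every score

    def __post_init__(self) -> None:
        if not 0 <= self.score <= MAX_SCORE:
            raise ValueError(f"score {self.score} outside 0..{MAX_SCORE}")
        if not self.rationale.strip():
            raise ValueError(f"{self.control.control_id}: rationale is required")


@dataclass
class Assessment:
    weighted_percent: float      # weighted maturity across all scored controls
    by_domain: dict[str, float]  # the same measure per domain letter
    blocking_gates: list[str]    # gate controls below threshold: posture cannot progress
    findings: list[str]          # every gap, gates first, then critical, then the rest

    @property
    def can_progress(self) -> bool:
        return not self.blocking_gates


def assess(scored: list[Scored]) -> Assessment:
    earned: dict[str, int] = {"*": 0}
    possible: dict[str, int] = {"*": 0}
    for s in scored:
        for key in ("*", s.control.domain):
            earned[key] = earned.get(key, 0) + s.score * s.control.weight
            possible[key] = possible.get(key, 0) + MAX_SCORE * s.control.weight
    if possible["*"] == 0:
        raise ValueError("nothing scored")
    gaps = [s.control for s in scored if s.score < PASS_THRESHOLD]
    gaps.sort(key=lambda c: (not c.gate, not c.critical, c.control_id))
    return Assessment(
        weighted_percent=100.0 * earned["*"] / possible["*"],
        by_domain={d: 100.0 * earned[d] / possible[d] for d in earned if d != "*"},
        blocking_gates=[c.control_id for c in gaps if c.gate],
        findings=[c.control_id for c in gaps],
    )


# Constructed sample: five scored controls across five domains. The ids, flags,
# scores and rationales are illustrative, not real GTSAF control contents.
SAMPLE = [
    Scored(Control("GTSAF-A-01", gate=True, critical=True), 3, "Board-approved AI policy; minutes attached"),
    Scored(Control("GTSAF-J-03", gate=True), 1, "Service-account keys rotated by hand; no NHI inventory"),
    Scored(Control("GTSAF-K-07", critical=True), 2, "Agent tool calls need approval above a spend limit"),
    Scored(Control("GTSAF-M-02"), 3, "Inference logs shipped to the SIEM with alert rules"),
    Scored(Control("GTSAF-Q-12"), 0, "No evidence provided"),
]

if __name__ == "__main__":
    result = assess(SAMPLE)
    print(f"weighted maturity: {result.weighted_percent:.1f}%")
    print(f"can progress: {result.can_progress}; blocking gates: {result.blocking_gates}")
    print(f"findings to clear, in order: {result.findings}")
```

Run as a script it reports a weighted maturity of 70.4%, that progression is blocked by GTSAF-J-03, and the two findings in the order they should be cleared. The design point is that the aggregate percentage alone would look acceptable; only the separate gate check tells the reviewer the posture cannot move forward yet.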
The 17 domains
GTSAF organises its controls into 17 domains, A through Q. Each domain groups related controls so that assessment proceeds in a structured, reviewable way.
| Domain | Name | Controls |
|---|---|---|
| A | Governance, Strategy and Accountability | 11 |
| B | Legal, Regulatory and Contractual Compliance | 11 |
| C | AI Use Case Intake, Approval and Risk Tiering | 11 |
| D | Data Governance, Lineage and Provenance | 11 |
| E | Data Security and Privacy Engineering | 24 |
| F | Secure Data Acquisition and Annotation | 11 |
| G | Model Development, Validation and Robustness | 11 |
| H | Prompt, Context and Retrieval Security | 25 |
| I | Inference, API and Runtime Security | 25 |
| J | Identity, Access and NHI Security | 26 |
| K | Agentic AI and Autonomous Action Governance | 29 |
| L | Third-Party, Model and Software Supply Chain Assurance | 25 |
| M | Monitoring, Detection and AI Security Operations | 35 |
| N | Human Oversight, Transparency and Impact Management | 15 |
| O | Resilience, Continuity and Recovery | 36 |
| P | Auditability, Evidence and Assurance | 11 |
| Q | Infrastructure, Platform and Environment Security | 41 |
The domains span the full surface of AI assurance: governance and legal at the top (A, B, C), data and model integrity through the middle (D to G), the AI-specific attack surface (H, I, J), agentic and supply-chain risk (K, L), security operations and oversight (M, N), and resilience and infrastructure at the base (O, P, Q). Notice the depth on agentic action (K, 29 controls), identity and non-human identity (J, 26 controls), and infrastructure (Q, 41 controls), reflecting where modern AI risk concentrates.
How you use GTSAF
- Register and run intake on the AI system.
- Start a GTSAF assessment from the system record.
- Work through the 17 domains, scoring each control with rationale.
- Attach or request evidence and raise findings where there are gaps. Gate and critical controls are the ones to clear first.
- Use reporting to produce assurance and board outputs.
ACRS can route the right GTSAF control depth to a system based on its capability risk, so lower-risk systems are governed proportionately while higher-risk systems get the comprehensive set.
Crosswalk to public frameworks
Every one of the 358 GTSAF controls carries an audited crosswalk to the EU AI Act, ISO/IEC 42001, ISO/IEC 42005 and NIST AI RMF. This means a single body of GTSAF evidence supports assessments against those regimes, and a reviewer can trace any GTSAF control to the external obligations it speaks to.
The table below shows representative anchors for each domain (illustrated by the domain’s lead control). Per-control mappings are more specific and are available on each control inside the product.
| Domain | EU AI Act | ISO/IEC 42001 | NIST AI RMF |
|---|---|---|---|
| A Governance | Arts 9, 14, 17, 26 | 5.1, 5.2, 5.3 | GOVERN, MAP, MEASURE, MANAGE |
| B Legal & compliance | Arts 2, 5, 6, 16 | 4.1, 4.2, 4.3 | GOVERN, MAP, MANAGE |
| C Intake & risk tiering | Arts 6, 9, 11, 14 | 4.1, 6.1.1, 6.1.2 | GOVERN, MAP, MEASURE, MANAGE |
| D Data governance | Arts 10, 11, 12, 13 | 7.5, 8.1 | MAP, MEASURE |
| E Data security & privacy | Arts 9, 10, 15, 17 | 6.1.2, 6.1.3, 8.1 | GOVERN, MAP, MEASURE, MANAGE |
| F Data acquisition | Arts 9, 10, 15, 17 | 6.1.2, 6.1.3, 6.1.4 | GOVERN, MAP, MEASURE |
| G Model development | Arts 9, 10, 11, 12 | 6.2, 7.2, 8.1 | GOVERN, MAP, MEASURE, MANAGE |
| H Prompt & retrieval | Arts 9, 12, 13, 15 | 5.2, 5.3, 8.1 | MAP, MEASURE, MANAGE |
| I Inference & runtime | Arts 12, 14, 15, 17 | 8.1, 9.1, 10.2 | GOVERN, MAP, MEASURE, MANAGE |
| J Identity & NHI | Arts 13, 14, 15, 26 | 5.3, 7.2, 7.3 | GOVERN, MAP, MEASURE, MANAGE |
| K Agentic action | Arts 9, 13, 14, 15 | 6.1.2, 6.1.3, 6.1.4 | GOVERN, MAP, MEASURE, MANAGE |
| L Supply chain | Arts 10, 12, 15, 16 | 5.3, 7.4, 7.5 | MAP, MEASURE, MANAGE |
| M Monitoring & SecOps | Arts 12, 15, 17 | 7.5, 8.1, 9.1 | MEASURE, MANAGE |
| N Human oversight | Arts 9, 13, 14, 26 | 6.1.2, 6.1.4, 7.4 | GOVERN, MAP, MEASURE, MANAGE |
| O Resilience & recovery | Arts 9, 12, 15, 17 | 8.1, 8.3, 9.1 | GOVERN, MAP, MEASURE, MANAGE |
| P Auditability & evidence | Arts 11, 12, 13, 17 | 7.5, 8.1, 9.1 | GOVERN, MAP, MEASURE |
| Q Infrastructure | Arts 12, 13, 15, 17 | 5.3, 7.1, 8.1 | MAP, MEASURE, MANAGE |
- Frameworks overview, how routing and crosswalks work.
- ACRS, routing GTSAF control depth by capability risk.
- Assessments & control testing, the assessment workflow GTSAF uses.