It's only been four months since I last posted about Sonatype's contributions to the open source security ecosystem — not too bad!
This update is only somewhat related to the previous one — insofar as both efforts will use the same machine readable schema for security control catalogs. That schema, soon to be launched at scale by the OpenSSF, is the slimmest standardized expression of everything from controls and policy to testing and audits.
Last week, a major release of the AI Readiness Governance Framework (AIRGF) coincided with the Open Source in Finance Forum in London. At the same time, FINOS announced the launch of a new "strategic development fund" which will bring together major financial and technical contributors to shape the future of secure AI development.
Screenshot of the AIR Governance Framework website.
As the Chair of the FINOS Technical Oversight Committee, I've been able to watch and advise on the early stages of this fund — and I'm extremely optimistic about it. This effort aligns precisely with Sonatype's vision for the future of secure AI: a world where these critical tools and their components are built and consumed with security at the forefront.
The new initiative will combine past work from the AIRGF and FINOS's Common Cloud Controls project (CCC) with an AI security research workstream to ensure holistic efficacy. The former is a set of high-level guidance for a variety of deployment types, while the latter is a community effort to create threat-informed, technology-specific security control catalogs. Both include detailed mappings to "upstream" guidance and regulatory requirements.
I should take a moment to emphasize that Sonatype wholeheartedly believes in the work that FINOS is doing. To encourage wider participation in the foundation, we provide a members-only Dependency Consumption Analysis and free Lifecycle SCA scanning for all FINOS projects — and our CTO, Brian Fox, is a member of the FINOS Governing Board.
"Historically, the financial services industry has favored proprietary, siloed approaches to software development, often at the expense of collective progress and security. FINOS is transforming this paradigm by uniting the industry to collaborate on joint projects that address critical challenges such as AI security. This initiative exemplifies the power of open collaboration... a principle central to Sonatype's mission of advancing secure, resilient, and innovative systems. I am honored to join the FINOS Governing Board as the Gold member representative to help further this vital mission and drive industry-wide change."
Did I mention that Sonatype won an award related to AI Compliance in 2025? We're pretty keen on this topic.
Check out this quote from David Stone (Director, Financial Services, Office of the CISO, Google Cloud), who has been a long-time supporter of both initiatives — and leads a team that is extremely pleasant to collaborate with:
"We believe that open source standardized controls is the most efficient way for financial institutions to grapple with AI adoption safely and compliantly, which is why we champion the Common Controls for AI Services to foster secure innovation across the industry."
The CC4AI research work that supplements the existing CCC and AIRGF workstreams is also near and dear to our hearts at Sonatype. We have long believed in the value of deep human-led investigation, and bake it into our core business model. A key differentiator in our product ecosystem is the content contributed by our army of security researchers, and I believe we will see the same value in the CC4AI work — especially when compared to other similar efforts.
With the shining exception of outputs from OWASP — which are high quality guidance documents forming the basis of modern AI security discussions — many open source AI security initiatives are bogged down by circular exploration, ideation, and discussion. But CC4AI is positioned to be starkly different from the "talking shops" that many have become critical of lately.
The project will deliver:
- Technology-neutral baseline standards for AI usage across cloud and hybrid environments;
- Peer-reviewed governance frameworks aligned with evolving global regulations;
- Real-time validation mechanisms ("Regulation-as-Code") to improve operational transparency and regulatory readiness.
But while this project is funded by corporate backers, it will be incomplete without significant community support — not only in the form of extra hands but especially as extra eyes. Practitioner feedback and review is absolutely essential to the success of this type of work.
Whether you're an individual contributor or you have team members you can allocate to future-proofing your security and GRC engineering efforts, there is a place for you to get involved.
Some areas to contribute include:
- Adoption-readiness feedback (i.e., could you use these outputs in your firm?)
- Reference architecture design (i.e., cloud-agnostic patterns for AI use cases)
- Control authoring (help write machine-readable security controls for AI use cases)
- Control mapping (help map technology-specific controls to regulatory requirements)
- Change management / Review (ensure that only the highest quality outputs are released)
- Infrastructure as Code development (write compliant-by-default IaC)
- Evaluation development (write automated tests to ensure IaC is compliant-by-default)
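The control-authoring, IaC and evaluation items above describe one loop: a control is written in a machine-readable form, an IaC template is written to satisfy it by default, and an automated evaluation checks that any given resource definition still does. The following Python sketch is an added illustration of that loop and is not code from FINOS, the CCC project or Sonatype. The catalog format, the control identifiers (`CTRL-PLACEHOLDER-*`), the upstream-mapping reference and the resource shape are all constructed placeholders, not the CCC schema; the only design point it borrows from the text is that controls are technology-specific and carry mappings to upstream guidance.

```python
"""Added example: evaluate IaC-style resource definitions against a small
machine-readable control catalog. Catalog format, control IDs and resource
shape are assumptions for illustration, not the CCC schema."""
from dataclasses import dataclass
from typing import Any

# Sentinel for "field not present in the resource" (distinct from None/False).
MISSING = object()


@dataclass(frozen=True)
class Requirement:
    path: str       # dotted path into a resource, e.g. "encryption.at_rest"
    expected: Any   # value the field must hold for the control to pass


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    resource_type: str            # technology-specific: which resources it governs
    requirements: tuple
    upstream_mappings: tuple = ()  # placeholder references, not real mappings


# Constructed catalog; identifiers are placeholders.
CATALOG = (
    Control("CTRL-PLACEHOLDER-01", "Object storage is not publicly readable",
            "storage_bucket", (Requirement("access.public", False),),
            ("UPSTREAM-REF-PLACEHOLDER",)),
    Control("CTRL-PLACEHOLDER-02", "Data at rest is encrypted with a customer-managed key",
            "storage_bucket", (Requirement("encryption.at_rest", True),
                               Requirement("encryption.key_source", "customer-managed"))),
)


@dataclass(frozen=True)
class Finding:
    control_id: str
    resource_name: str
    path: str
    observed: Any      # None when the field was absent
    passed: bool


def lookup(resource: dict, path: str) -> Any:
    """Walk a dotted path through nested dicts; return MISSING if any segment is absent."""
    node: Any = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def evaluate(catalog, resources) -> list:
    """One Finding per (resource, applicable control, requirement)."""
    findings = []
    for res in resources:
        for ctl in catalog:
            if ctl.resource_type != res.get("type"):
                continue  # control does not govern this technology
            for req in ctl.requirements:
                observed = lookup(res, req.path)
                # Fail closed: an absent field never satisfies a control.
                passed = observed is not MISSING and observed == req.expected
                findings.append(Finding(ctl.control_id, res.get("name", "<unnamed>"),
                                        req.path,
                                        None if observed is MISSING else observed,
                                        passed))
    return findings


def failures(catalog, resources) -> list:
    return [f for f in evaluate(catalog, resources) if not f.passed]


def compliant_bucket(name: str) -> dict:
    """Compliant-by-default template: satisfies every storage_bucket control in CATALOG."""
    return {"type": "storage_bucket", "name": name,
            "access": {"public": False},
            "encryption": {"at_rest": True, "key_source": "customer-managed"}}


# Constructed IaC-style input: one template-derived bucket, one that drifted,
# one with no security settings at all, and one resource no control governs.
SAMPLE_RESOURCES = [
    compliant_bucket("ledger-archive"),
    {"type": "storage_bucket", "name": "model-artifacts",
     "access": {"public": True},
     "encryption": {"at_rest": True, "key_source": "provider-managed"}},
    {"type": "storage_bucket", "name": "scratch"},
    {"type": "virtual_machine", "name": "worker-1"},
]

if __name__ == "__main__":
    for f in failures(CATALOG, SAMPLE_RESOURCES):
        print(f"FAIL {f.control_id} {f.resource_name} {f.path}={f.observed!r}")
```

Two design choices matter for the "evaluation development" role: a missing field is reported as a failure rather than silently skipped (so an incomplete template cannot pass by omission), and the template function is exercised by the same evaluator, so a change to the catalog that the template no longer satisfies shows up in the test run rather than in a later audit.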
Sonatype will continue to contribute our expertise to the FINOS CC4AI initiative, and we strongly urge others to come alongside us. Let's create a future we're proud of!
Explore the introductory materials for the Common Cloud Controls and join me in the next CCC All-Hands Meeting to learn more and contribute to the project.
For those interested in AI governance, you can dive into the governance framework here or attend the upcoming AI Governance Framework Working Session.

Written by Eddie Knight
Eddie Knight is a Software and Cloud Engineer on Sonatype's Developer Relations team. With a background in fintech, he regularly works on open source software, including contributions to CNCF projects and working as a maintainer for the Compliant Financial Services project in FINOS. He also enjoys ...
