Skip to content

Early Access opens July 12 · $99/mo · all suites during the launch window · price locked through Q1 2027 · Join the waitlist →

CSA STAR Registry for AI · Orchestrated Service Provider

Trustworthy AI architecture, verified.

acipta is on track for listing on the Cloud Security Alliance STAR Registry for AI as an Orchestrated Service Provider — the category for platforms that integrate and govern AI models in enterprise environments. Our architecture maps to AICM v1.0.3 controls across 18 security domains.

Deterministic Precision. Experiential Intuition. Autonomous Agents.

What this listing means

STAR is the largest public registry of security and trust for cloud and AI providers.

Level 1 listing is a self-assessment against the Cloud Security Alliance's AI Controls Matrix — a vendor-neutral framework for trustworthy AI systems aligned to ISO/IEC 42001, NIST AI RMF, BSI AIC4, and the EU AI Act.

18

AICM security domains mapped to acipta architecture.

243

control objectives surveyed across the OSP role.

5

aligned frameworks: ISO 42001 · NIST AI RMF · BSI AIC4 · EU AI Act · ISO 27001.

OSP

role classification · Orchestrated Service Provider.

Why Orchestrated Service Provider

CSA defines five provider roles in the AI stack. acipta is squarely OSP.

The OSP layer is the platform between an enterprise's AI workloads and the regulators, auditors, and boards that need to inspect them.

PILLAR 01

Model orchestration

Multiple frontier models vote at a high-confidence threshold. Sub-floor cases route to human reviewers, not another model pass.

PILLAR 02

Governance & control catalog

One canonical control catalog projecting to multi-framework attestations — SOC 2, HIPAA, GDPR, EU AI Act, DORA, NIS2 — from a single evidence chain.

PILLAR 03

Tamper-evident evidence

Every verdict cryptographically signed at write time with hybrid Ed25519 + post-quantum signatures. Byte-identically replayable five years out.

The architectural mapping

The 18 AICM domains.

Our submission maps the acipta architecture to each AICM domain. The full self-assessment publishes on the CSA STAR Registry once listed.

A&A

Audit & Assurance

AIS

Application & Interface Security

BCR

Business Continuity & Resilience

CCC

Change Control & Configuration

CEK

Cryptography, Encryption & Keys

DCS

Datacenter Security

DSP

Data Security & Privacy Lifecycle

GRC

Governance, Risk & Compliance

HRS

Human Resources Security

IAM

Identity & Access Management

IPY

Interoperability & Portability

I&S

Infrastructure Security

LOG

Logging & Monitoring

MDS

Model Security

SEF

Incident Mgmt & E-Discovery

STA

Supply Chain & Transparency

TVM

Threat & Vulnerability Management

UEM

Universal Endpoint Management

Integrity standard alignment

AICM controls satisfy ALCOA+ by construction.

ALCOA+ — Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, Available — is the integrity standard regulators converge on. Originally formalized for FDA-regulated records under 21 CFR Part 11, ALCOA+ now anchors HIPAA Security Rule AI updates, EU AI Act Article 12 record-keeping, SOX 404 for AI-augmented financial controls, and emerging SEC AI disclosure requirements. AICM's 18 domains map cleanly onto ALCOA+ because both describe the same property of trustworthy systems: every consequential action remains reconstructible, attributable, and verifiable independently of the platform that produced it.

The nine ALCOA+ principles map 1:1 to the AICM domains above. Capability tokens + signed manifests deliver Attributable. Canonical-JSON I/O delivers Legible. RFC 3161 timestamps at write time deliver Contemporaneous. Hash-chained verdict ledgers deliver Original. Three-frontier-model consensus at a high-confidence threshold floor delivers Accurate. The CMC framework projections deliver Complete. Byte-identical 5-year replay delivers Consistent. Hybrid post-quantum signing delivers Enduring. The standalone offline verifier delivers Available.

For the full ALCOA+ mapping with substrate primitives per principle, see For Auditors and The Defensible Agent Test.

How this fits the bigger picture

STAR for AI is one of several third-party signals.

We publish multiple third-party credentials so customers, auditors, and regulators don't have to take our word for anything.

LEVEL 01

STAR for AI Level 1

Self-assessment against AICM v1.0.3. Public, free, demonstrates architectural intent and coverage today.

CERT 02

SOC 2 Type 2 + HIPAA

Third-party audit attestation for security and healthcare data handling. Published alongside STAR listing at our August 2026 GA.

LEVEL 02

STAR for AI Level 2

Third-party certification against AICM controls. On our roadmap, bundled with HITRUST and ISO/IEC 42001 attestation work.

Standards we map to

One control catalog · N framework attestations.

AICM's value is that one set of controls projects cleanly to the standards our customers and their regulators already use.

ISO 42001

AI Management Systems

NIST AI RMF

AI Risk Management Framework

EU AI Act

AI Act + GPAI obligations

BSI AIC4

German AI cloud catalog

ISO 27001

Information Security Management

SOC 2

Trust Services Criteria

HIPAA

Security & Privacy Rules

GDPR Art. 30

Records of Processing

See the full architecture

Architecture behind the listing.

The architecture behind the STAR Registry listing — cryptographically signed verdicts, three-model consensus, and a canonical control catalog that projects across frameworks — is documented in our Platform page.

Last reviewed · Reviewed by the acipta compliance & accessibility team.

Was this page helpful?