OSRA

Operational Substrate Risk Audit Framework

A four-phase methodology for identifying where AI operational risk converges beneath the governance layer — in the infrastructure substrate that no existing framework audits.

Current Version: v1.1
License: CC BY-SA 4.0
Author: Marco Brondani

Full worked example of the methodology applied: OSRA - EuroBank Sentinel


THE GAP

Governance frameworks audit what should happen. OSRA audits what the system actually depends on.

Twelve major AI governance frameworks were analysed — NIST AI RMF, ISO 42001, EU AI Act, DORA, and eight others. None achieves full coverage on infrastructure dependency mapping, failure mode analysis, trust verification, or convergence risk.

Fifteen existing risk methodologies were surveyed. None provides a unified approach that maps infrastructure dependencies, failure modes per dependency, unverified trust signals, and where all three converge.

OSRA fills that gap. It sits beneath and complements existing governance — providing the infrastructure visibility that regulations are beginning to enforce but no framework yet delivers.


THE METHODOLOGY

Four phases. Four artefacts. One convergence risk summary.

Phase 1
Substrate Mapping

"What does this AI system actually depend on to function?"
→ Artefact: The Substrate Map

Phase 2
Failure Surface Analysis

"For each dependency, what does failure look like, and who would notice?"
→ Artefact: The Failure Surface Register

Phase 3
Trust Surface Audit

"Where is the organisation trusting a signal it hasn't verified?"
→ Artefact: The Trust Surface Register

Phase 4
Convergence Mapping

"Where do substrate risks, undetected failures, and unverified trust overlap?"
→ Artefact: The Convergence Risk Summary
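To make the four artefacts concrete, here is a small added example (not OSRA's own tooling or its scoring calibration) that models a substrate as a list of dependencies and derives the Phase 2, Phase 3 and Phase 4 artefacts from it. The sample dependencies, the criticality scale and the ranking weight in convergence_summary are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Dependency:
    """One row of the Substrate Map (Phase 1) with its Phase 2 and Phase 3 findings."""
    name: str
    criticality: int                  # assumed scale: 1 (peripheral) to 3 (system cannot run without it)
    failure_mode: str                 # Phase 2: what failure looks like
    detected_by: Optional[str]        # Phase 2: who would notice; None means nobody
    trust_signals: dict = field(default_factory=dict)  # Phase 3: signal -> verified?


def failure_surface_register(deps):
    """Phase 2 artefact: dependencies whose failure nobody is positioned to notice."""
    return [d.name for d in deps if d.detected_by is None]


def trust_surface_register(deps):
    """Phase 3 artefact: (dependency, signal) pairs that are relied on but never verified."""
    return [(d.name, s) for d in deps for s, verified in d.trust_signals.items() if not verified]


def convergence_summary(deps, min_criticality=2):
    """Phase 4 artefact: dependencies where substrate criticality, an undetected failure
    and an unverified trust signal all overlap, most exposed first.
    Ranking weight (an assumption of this example, not OSRA's calibration):
    criticality multiplied by the number of unverified signals."""
    undetected = set(failure_surface_register(deps))
    unverified = {}
    for name, sig in trust_surface_register(deps):
        unverified.setdefault(name, []).append(sig)
    rows = []
    for d in deps:
        if d.criticality >= min_criticality and d.name in undetected and d.name in unverified:
            rows.append((d.criticality * len(unverified[d.name]), d.name, unverified[d.name]))
    return [(name, sigs) for _, name, sigs in sorted(rows, reverse=True)]


# Constructed substrate for a hypothetical customer-facing assistant (sample data, not a real audit).
SAMPLE = [
    Dependency("hosted-llm-api", 3, "silent model version change alters outputs", None,
               {"model version header": False, "provider status page": False}),
    Dependency("vector-store", 3, "stale index returns outdated policy text", "data team dashboard",
               {"embedding job success": True}),
    Dependency("sso-provider", 2, "expired token accepted by a cached session", None,
               {"token signature": True, "token revocation": False}),
    Dependency("log-pipeline", 1, "audit events dropped under load", None,
               {"delivery acknowledgement": False}),
]

if __name__ == "__main__":
    for name, sigs in convergence_summary(SAMPLE):
        print(f"{name}: unverified {', '.join(sigs)}")
```

Lowering min_criticality widens the summary to peripheral dependencies, which is how the same artefact can be cut differently for a board summary and a CTO remediation list.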


AUDIENCE

One methodology, three altitudes

Board / NEDs

A convergence risk summary: the 3-5 points where your AI deployment is most exposed, the regulatory liability at each point, and what to do about it. The document that answers the DORA Art. 15 question.

CISOs

The full four-phase methodology with integration into existing risk management, vendor assessment, and compliance evidence. A programme of work: what to fix first, how to report upward.

CTOs

Infrastructure dependency maps, detection gap analysis, and engineering remediation priorities. What to build, what to monitor, what to renegotiate, in what order.


INTEGRATION

OSRA complements — does not replace — existing frameworks

NIST AI RMF
Phase 1 feeds the Map function. Phase 2 extends Measure to the infrastructure level.

ISO 42001
Phase 1 provides infrastructure detail that Annex A.9 requires but doesn't specify.

EU AI Act
Phase 1 fulfils Annex IV documentation at genuine depth. Phase 4 provides Art. 9 evidence.

DORA
Phase 2 provides Art. 25-26 resilience scenarios. Phase 4 directly answers Art. 15.

MITRE ATLAS
Phase 2 incorporates the ATLAS threat model and extends it to operational resilience.


GET STARTED

OSRA is open source. Download it. Run it. Contribute.

The complete methodology, fillable templates, action catalogue, and scoring calibration are available under CC BY-SA 4.0. Use it, adapt it, improve it — just give credit and share alike.