gasp-aicf-mcp

Model Context Protocol server for GASP: AICF for SaaS — 168 canonical controls across SOC 2, ISO 27001, NIST 800-53, NIST AI RMF, EU AI Act, ISO 42001, CSA CCM, and GDPR. Includes a full question bank, evidence checklists, and cross-framework mapping matrix.

Wire it into Claude Code, Claude Desktop, or any MCP-compatible agent and query the entire control library in plain language — no browser required.

The database is bundled in the package. No setup beyond adding the config block.

Quick start — Claude Code

Add this block to ~/.claude/settings.json:

{
  "mcpServers": {
    "gasp-aicf": {
      "command": "npx",
      "args": ["-y", "gasp-aicf-mcp"]
    }
  }
}

Restart Claude Code (or run /mcp to reload), then ask:

"List the AI governance controls at Tier 2."

Quick start — Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "gasp-aicf": {
      "command": "npx",
      "args": ["-y", "gasp-aicf-mcp"]
    }
  }
}

Using a custom database

If you have a modified or newer version of gasp.db, point DB_PATH at it:

{
  "mcpServers": {
    "gasp-aicf": {
      "command": "npx",
      "args": ["-y", "gasp-aicf-mcp"],
      "env": {
        "DB_PATH": "/absolute/path/to/gasp.db"
      }
    }
  }
}

Tools

| Tool | Args | Description | |------|------|-------------| | classify_tool | category, data_types[], is_ai_tool | Maps category + data types → active domains + recommended risk tier | | list_controls | domain?, tier?, is_ai_specific?, search? | List controls with optional filters | | get_control | id | Full detail: description, questions, evidence, framework mappings | | get_questionnaire | domain_ids[], tier | All assessment questions for the given domains and tier | | get_evidence_checklist | domain_ids[], tier | All evidence requirements for the given domains and tier | | create_submission | tool_name, category, tier, responses[], evidence[] | Create an intake submission | | get_submission | id | Retrieve a submission with decision and conditions | | get_gap_report | submission_id | Gap analysis: blocker / conditional / flagged / clean | | list_submissions | status? | List submissions with optional status filter |

Resources

| URI | Description | |-----|-------------| | gasp://domains | All 11 control domains with IDs and descriptions | | gasp://frameworks | All 8 mapped frameworks with versions | | gasp://controls | Condensed control index (ID, name, domain, tier) | | gasp://mapping-matrix | Full mapping matrix: control → framework → strength |

Example prompts

Classify a new tool:

We're adopting Notion as a company knowledge base. It will store some PII (employee directories) and business-confidential documents. Classify it against AICF and tell me what controls apply.

Scope a vendor review:

We're evaluating an AI-powered analytics tool that processes financial data. What questionnaire questions and evidence would AICF require for a Tier 3 assessment?

Review a gap report:

Run a gap report for intake submission 3. Summarise the blockers and suggest which controls to prioritise first.

Map to a specific framework:

List all AICF controls that map to NIST AI RMF. For each one, tell me whether the mapping is full or partial and what the gap is.

Pairing with other MCP servers

The AICF server is standalone — no changes needed. Add other servers to your client config alongside it:

• Jira / Linear MCP — attach intake decisions to tickets, trigger reviews from issue creation
• GitHub MCP — run gap reports against PRs that introduce new dependencies or AI features
• Slack MCP — notify reviewers when a submission is created or a decision is reached
• Calendar MCP — schedule condition review deadlines using the due_date in decisions

Links

• Reference site — browse controls, matrix, and question bank
• GASP — the broader AI governance standard
• GitHub

License

MIT