EFROS Research

Research from the operator side.

Original primary research from the operator side of AI governance. Free, public, source-cited. No gated PDFs, no email walls, no vendor-funded slide decks. Built for the practitioners who have to live with the controls after the auditor leaves.

By Stefan Efros, CEO & Founder, EFROS

Why we publish research

Most cybersecurity and AI-governance research published today is built by analyst houses billing the vendors who score well, by law firms positioning for retainer business, or by trade associations softening recommendations to keep member dues current. None of those incentives produce research a practitioner can actually operate on Monday morning.

EFROS publishes research because we run the controls. Every artifact on this page comes out of real client engagements — the vendor matrices we wrote on whiteboards in conference rooms, the scoring rubrics we use to answer "is this vendor safe for our regulated workload," and the benchmarking work we do to keep our own pricing honest. We publish it free, source-cited, and updated quarterly so it stays useful instead of decaying into marketing.

Featured research

AI Governance · Edition: 2026-Q2

EFROS US AI Vendor Governance Index

Twenty enterprise AI vendors scored against twelve US AI governance axes — BAA / DPA availability, training-data opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act readiness, HHS-OCR Section 1557, FRB SR 11-7, ABA Formal Op 512, subprocessor transparency, and trust-center maturity. Source-cited per cell. Sector-weighted composite scoring.

20 vendors · 12 axes · Updated quarterly

Regulatory Tracking · Edition: 2026-Q2

US State AI Law Tracker

Public registry tracking US state-level AI laws with explicit compliance dates, enforcement status, scope, obligations, and effective dates. Edition 2026-Q2 covers 9 active or imminent state laws across 7 states — Colorado AI Act SB 24-205, California AB 2013, NYC LL144, Illinois HB 3773 + AIVIA, Tennessee ELVIS Act, Utah SB 149, Texas TDPSA. Each entry linked to authoritative state legislature source.

9 laws · 7 states · Updated quarterly

Agentic Readiness · Edition: 2026-Q2

MSSP MCP Server Registry

Primary research dataset tracking US cybersecurity service providers (MSP, MSSP, SOC, MDR, vCISO, GRC) that publish live Model Context Protocol (MCP) servers. Edition 2026-Q2 finding: EFROS is the first US MSSP with a live MCP server conforming to the 2025-09-25 Streamable HTTP transport. 14 surveyed providers; per-vendor verification of endpoint, server-card, tools, and resources.

14 vendors · 6 verification axes · Updated quarterly

Upcoming research

The next four quarters of the EFROS research calendar. Dates are targets, not commitments — the only research that ships on time is research that is sound. If you have a regulated workload that would benefit from one of these, the contact form is the fastest way to influence scope.

  • AI Vendor Governance Index — Healthcare Deep Dive

    Q3 2026

    Section 1557 algorithmic non-discrimination, BAA coverage, and FDA SaMD overlap across clinical AI scribes, diagnostic AI, and revenue-cycle AI vendors.

  • US Cyber Insurance AI Underwriting Benchmark

    Q3 2026

    How the top fifteen US cyber carriers underwrite AI exposure — control questionnaires, premium impact of AI vendor stack, and the AI exclusion language to watch for at renewal.

  • MSSP TCO Benchmark — US Mid-Market

    Q4 2026

    Five-year total cost of ownership across the top managed security service providers for US firms in the 100-1,000 employee range. Hidden-fee taxonomy, true tool stack costs, and the disengagement clauses that matter.

  • AI Vendor Governance Index — Legal Deep Dive

    Q4 2026

    ABA Formal Opinion 512 operationalized across the legal-AI vendor stack. Privilege protection, training-data opt-out granularity, and the seven state bar opinions that shape the buying decision.

  • Colorado AI Act Deployer Posture Survey

    Q1 2027

    Pre-effective-date snapshot of Colorado AI Act SB 24-205 readiness across two hundred Colorado-operating deployers. Impact assessment maturity, consumer notice posture, AG enforcement risk model.

Where to take this

From research artifact to operational program

Use the research, then talk to the operators

The artifacts are free and self-serve. When you're ready to put the controls into production — vendor selection, governance policy, sector overlay implementation — these are the two engagement paths that get there fastest.