Skip to main content
EFROS

EFROS Research

Research from the operator side.

Original primary research from the operator side of AI governance. Free, public, source-cited. No gated PDFs, no email walls, no vendor-funded slide decks. Built for the practitioners who have to live with the controls after the auditor leaves.

By Stefan Efros, CEO & Founder, EFROSReviewed by Daniel Agrici, Chief Security Officer, EFROS
Reviewed by CSO ·

Why we publish research

Most cybersecurity and AI-governance research published today is built by analyst houses billing the vendors who score well, by law firms positioning for retainer business, or by trade associations softening recommendations to keep member dues current. None of those incentives produce research a practitioner can actually operate on Monday morning.

EFROS publishes research because we run the controls. Every artifact on this page comes out of real client engagements — the vendor matrices we wrote on whiteboards in conference rooms, the scoring rubrics we use to answer "is this vendor safe for our regulated workload," and the benchmarking work we do to keep our own pricing honest. We publish it free, source-cited, and updated quarterly so it stays useful instead of decaying into marketing.

Featured research

AI Governance · Edition: 2026-Q2

EFROS US AI Vendor Governance Index

Twenty enterprise AI vendors scored against twelve US AI governance axes — BAA / DPA availability, training-data opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act readiness, HHS-OCR Section 1557, FRB SR 11-7, ABA Formal Op 512, subprocessor transparency, and trust-center maturity. Source-cited per cell. Sector-weighted composite scoring.

20 vendors · 12 axes · Updated quarterlyOpen →

Upcoming research

The next four quarters of the EFROS research calendar. Dates are targets, not commitments — the only research that ships on time is research that is sound. If you have a regulated workload that would benefit from one of these, the contact form is the fastest way to influence scope.

  • AI Vendor Governance Index — Healthcare Deep Dive

    Q3 2026

    Section 1557 algorithmic non-discrimination, BAA coverage, and FDA SaMD overlap across clinical AI scribes, diagnostic AI, and revenue-cycle AI vendors.

  • US Cyber Insurance AI Underwriting Benchmark

    Q3 2026

    How the top fifteen US cyber carriers underwrite AI exposure — control questionnaires, premium impact of AI vendor stack, and the AI exclusion language to watch for at renewal.

  • MSSP TCO Benchmark — US Mid-Market

    Q4 2026

    Five-year total cost of ownership across the top managed security service providers for US firms in the 100-1,000 employee range. Hidden-fee taxonomy, true tool stack costs, and the disengagement clauses that matter.

  • AI Vendor Governance Index — Legal Deep Dive

    Q4 2026

    ABA Formal Opinion 512 operationalized across the legal-AI vendor stack. Privilege protection, training-data opt-out granularity, and the seven state bar opinions that shape the buying decision.

  • Colorado AI Act Deployer Posture Survey

    Q1 2027

    Pre-effective-date snapshot of Colorado AI Act SB 24-205 readiness across two hundred Colorado-operating deployers. Impact assessment maturity, consumer notice posture, AG enforcement risk model.

Use the research, then talk to the operators

The artifacts are free and self-serve. When you're ready to put the controls into production — vendor selection, governance policy, sector overlay implementation — these are the two engagement paths that get there fastest.

Reserve $5K AI Governance AuditRun AI Risk Score →