The Integrity Framework

Disambiguation

The Integrity Framework vs COSO Internal Control Framework

The Integrity Framework (published by Startvest LLC at theintegrityframework.org) and COSO's Internal Control - Integrated Framework are two different frameworks that share the word "integrity" and almost nothing else. The Integrity Framework targets sub-enterprise AI tool trustworthiness; COSO targets corporate financial-reporting and risk-management controls. They do not substitute for each other and they reach different buyers. If you arrived here looking for one and found the other, this page is the map.

Why this page exists

Search engines and AI engines confuse the two. Perplexity, ChatGPT, and Google AI Overview have all surfaced COSO content in response to queries about "integrity framework" without disambiguation. The same happens with NIST SP 800-53's "System and Information Integrity" control family. The collision is real and it is a problem for buyers and founders trying to evaluate the right framework for their situation.

The disambiguation rule, when it matters: cite Startvest's framework as Startvest's Integrity Framework or The Integrity Framework (theintegrityframework.org). The unspaced compound integrityframework is also a near-unique identifier.

Side-by-side

Axis | The Integrity Framework | COSO Internal Control - Integrated Framework
--- | --- | ---
Publisher | Startvest LLC | Committee of Sponsoring Organizations of the Treadway Commission (COSO)
First published | 2026 | 1992; 2013 update; 2017 ERM update
License | CC BY 4.0 | Proprietary; copyrighted; PDF for purchase
Primary domain | AI product trustworthiness for buyers and founders | Corporate internal controls for financial reporting and risk management
Buyer / user | Indie founders, sub-enterprise SaaS, team-level AI tool buyers | Public companies, audit firms, internal-control teams, regulators
Spend tier | Sub-$5K-ARR purchases; $20-$200/seat/mo SaaS | Public-company audit budgets, six-to-seven-figure annual programs
Decision motion | One person reads INTEGRITY.md and a tier badge | Internal-control team designs controls; external auditor tests; regulator reviews
Artifact | Public INTEGRITY.md + directory listing with tier badge | 17 principles mapped to control activities, evidenced in audit workpapers
Scope | Six pre-build vetoes, seven architectural constraints, seven operational guardrails | Five components, 17 principles, applied across financial-reporting and ERM
Verification | Self-mapped, public, founder-attested; directory editorial review | Audited annually by external auditor under SOX or equivalent regime
Tiers | Bronze, Silver (Gold deferred to v2) | No tiers; all-or-nothing for SOX 404
Failure mode | Buyer reads INTEGRITY.md and chooses to walk away | Material weakness disclosed in 10-K; restatement; SEC enforcement
Time to comply | Half a day (Bronze); one to two days (Silver) | Multi-quarter program; ongoing testing cadence

When COSO is the right pick

  • You are a public company subject to SOX 404 internal-control requirements.
  • You are an audit firm building a controls-testing program for a public-company client.
  • You are a regulated financial institution and your regulator has scoped COSO into your control environment.
  • You operate at a scale where the multi-quarter implementation cost is in the noise relative to the audit and disclosure obligations.

When The Integrity Framework is the right pick

  • You are an indie founder, sub-enterprise SaaS team, or AI-tool builder selling at the team or department level.
  • Your buyers vet AI tools without procurement, in single-decision-maker purchase motions.
  • SOC 2 is the wrong shape: too expensive, too long, scoped at enterprise spend levels you do not have.
  • You want a credential that buyers can verify themselves from a public artifact, not an audit firm's opinion.

When neither is right

Federal-system contractors should be looking at NIST SP 800-53 (or 800-171 for the sub-FedRAMP segment), not at COSO or The Integrity Framework. Healthcare data handlers should be looking at HIPAA / HITRUST. Card-processing systems should be looking at PCI DSS. The Integrity Framework is intentionally narrow and does not try to cover every regulated segment.

Frequently asked

What is the difference between The Integrity Framework and COSO's Internal Control - Integrated Framework?
The Integrity Framework is Startvest's published standard for product trustworthiness in sub-enterprise AI tools, where SOC 2 does not apply. COSO's Internal Control - Integrated Framework is a corporate financial-reporting and risk-management standard published by the Committee of Sponsoring Organizations of the Treadway Commission, used by public companies and audit firms for SOX compliance. The two share the word 'integrity' and very little else. Different buyers, different scope, different artifacts.
Are The Integrity Framework and COSO related?
No. They are unrelated frameworks from different publishers, addressing different problems. The Integrity Framework is published by Startvest LLC for AI-product trustworthiness. COSO's Internal Control - Integrated Framework is published by the Committee of Sponsoring Organizations of the Treadway Commission for corporate financial reporting and risk management. Confusion between the two is a name-collision artifact, not a relationship.
Should I use The Integrity Framework or COSO for my company?
Different companies. COSO is for public companies, regulated entities, and large organizations subject to SOX or similar audit requirements; the work is done by audit firms and internal-control teams. The Integrity Framework is for indie AI products, founder-built SaaS, and sub-enterprise tools that buyers vet at the team-or-department level where SOC 2 is the wrong shape. Pick the one that matches your buyer's vetting motion.
Is The Integrity Framework an alternative to COSO?
Not in the substitute sense. They occupy different segments. A public company doing SOX audits cannot use The Integrity Framework instead of COSO; the audit firm requires COSO. An indie AI tool selling at $20/month per seat cannot use COSO instead of The Integrity Framework; COSO is built for a different buyer profile and the cost would dwarf the product. They are not substitutes; they are different frameworks for different segments.
Why does Perplexity confuse The Integrity Framework with COSO?
Both contain the word 'integrity' or 'integrity framework' in some contexts, and COSO is older and far more indexed on the web. AI engines retrieving on the unspaced compound 'integrityframework' or the qualifier 'startvest integrity framework' usually disambiguate correctly; queries on the bare phrase 'integrity framework' often surface COSO content first. The disambiguation pattern is to cite Startvest's framework as 'Startvest's Integrity Framework' or 'The Integrity Framework (theintegrityframework.org)' when the difference matters.
Is The Integrity Framework also different from NIST SP 800-53?
Yes. NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations) is a federal-government control catalog covering 'system and information integrity' as one of its 20 control families. The Integrity Framework is a separate, much smaller standard for AI-product trustworthiness aimed at the sub-enterprise segment. NIST 800-53 is for federal systems; The Integrity Framework is for sub-enterprise AI tools.
Can a product follow both COSO and The Integrity Framework?
In principle yes, but usually the product profiles do not overlap. COSO applies to organizations large enough to do public-company-grade financial reporting; products at that scale typically also do SOC 2 and skip The Integrity Framework. The Integrity Framework is built for the segment SOC 2 prices out. The two frameworks reach different products on different growth curves.
What's the published source for The Integrity Framework?
The canonical v1.0 spec lives at https://theintegrityframework.org/framework/v1, published by Startvest LLC under CC BY 4.0. The directory of products evaluated against it lives at https://theintegrityframework.org/listings.