Wiki · Concept · Last reviewed June 25, 2026

OWASP AI Vulnerability Scoring System

The OWASP AI Vulnerability Scoring System, usually shortened to AIVSS, is an OWASP project for scoring AI security vulnerabilities, with its current public scoring work focused on agentic AI core risks.

Definition

The OWASP AI Vulnerability Scoring System (AIVSS) is a project of the OWASP Foundation for assessing and quantifying security risks in AI systems. The OWASP project page presents AIVSS v0.8 as the latest public release of its scoring methodology as of June 25, 2026, with a specific focus on agentic AI architectures.

AIVSS is not a vulnerability database, a legal duty, or a guarantee that a system is safe. It is a scoring language for review work: given a concrete AI security finding, it helps teams describe how ordinary technical severity is amplified by agent capabilities such as autonomy, tool access, memory, identity shifts, multi-agent interaction, and opacity.

The entry is separate from AI Vulnerability Disclosure. Disclosure asks how a flaw is reported, coordinated, fixed, and communicated. AIVSS asks how severe the finding is in the specific AI system where it appears.

How It Works

The v0.8 PDF is titled AIVSS Scoring System For OWASP Agentic AI Core Security Risks. It has two main parts: a list of OWASP agentic AI core security risks, and an AIVSS-Agentic scoring method for applying those risks to actual systems.

The ten v0.8 core risks are Agentic AI Tool Misuse; Agent Access Control Violation; Agent Cascading Failures; Agent Orchestration and Multi-Agent Exploitation; Agent Identity Impersonation; Agent Memory and Context Manipulation; Insecure Agent Critical Systems Interaction; Agent Supply Chain and Dependency Risk; Agent Untraceability; and Agent Goal and Instruction Manipulation.

AIVSS starts with a technical severity baseline. The v0.8 document requires CVSS v4.0 as that baseline input and warns against using CVSS v3.1 scores in the AIVSS formula because the metric structures are not directly comparable. It then adds an agentic uplift through ten risk-amplification factors scored as 0.0, 0.5, or 1.0.

Those factors are execution autonomy, external tool control surface, natural language interface, contextual awareness, behavioral non-determinism, opacity and reflexivity, persistent state retention, dynamic identity, multi-agent interactions, and self-modification. The result is a score intended to keep the familiar vulnerability-management workflow while accounting for agent behavior that traditional scoring can miss.

Agent Context

A low or medium traditional software flaw can become more serious when it sits inside an agent that can act. A database injection issue in a passive reporting page has one blast radius. The same issue in an agent with database access, interpretation ability, email tools, delegated credentials, and a standing task queue has another.

AIVSS is useful wherever model-mediated software receives tasks and then acts through tools: coding agents, browser agents, enterprise workflow agents, agentic customer-service systems, security copilots, data-analysis agents, and multi-agent orchestration. It makes the assessor name which features amplify the finding instead of hiding them inside vague phrases like "AI risk" or "agent autonomy."

Governance and Safety

A governance program can use AIVSS as a triage record. A good AIVSS file should preserve the CVSS v4.0 vector, the agentic factor scores, the evidence behind each factor, affected model or agent version, tool inventory, identity and permission scope, memory behavior, connected systems, reviewer, date, and remediation decision.
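An added example (not code from OWASP or the AIVSS document): a completeness check for the triage record described above, which also enforces the CVSS v4.0 baseline and the 0.0/0.5/1.0 factor values described under How It Works. The dictionary key names and the sample record are assumptions made here, and the check does not compute an AIVSS score because the formula is not given on this page.

```python
import re

# The ten v0.8 risk-amplification factors named on this page (key spellings are this example's own).
FACTORS = (
    "execution_autonomy", "external_tool_control_surface", "natural_language_interface",
    "contextual_awareness", "behavioral_non_determinism", "opacity_and_reflexivity",
    "persistent_state_retention", "dynamic_identity", "multi_agent_interactions",
    "self_modification",
)
ALLOWED = (0.0, 0.5, 1.0)
# Record fields listed in the governance paragraph (hypothetical key names).
REQUIRED = (
    "cvss_vector", "factors", "agent_version", "tool_inventory", "permission_scope",
    "memory_behavior", "connected_systems", "reviewer", "date", "remediation_decision",
)
CVSS_PREFIX = re.compile(r"^CVSS:(\d+\.\d+)/")

def validate_record(record):
    """Return a list of problems; an empty list means the record is complete."""
    problems = [f"missing field: {k}" for k in REQUIRED if not record.get(k)]
    m = CVSS_PREFIX.match(str(record.get("cvss_vector", "")))
    if not m:
        problems.append("cvss_vector: no CVSS version prefix")
    elif m.group(1) != "4.0":
        problems.append(f"cvss_vector: CVSS v{m.group(1)} baseline, v4.0 required")
    factors = record.get("factors")
    if not isinstance(factors, dict):
        factors = {}
    for name in FACTORS:
        entry = factors.get(name)
        if not isinstance(entry, dict):
            problems.append(f"factor not scored: {name}")
            continue
        if isinstance(entry.get("score"), bool) or entry.get("score") not in ALLOWED:
            problems.append(f"factor {name}: score must be 0.0, 0.5 or 1.0")
        if not str(entry.get("evidence", "")).strip():
            problems.append(f"factor {name}: no evidence recorded")
    problems += [f"unknown factor: {n}" for n in factors if n not in FACTORS]
    return problems

# Constructed sample record, not a real finding.
SAMPLE = {
    "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N",
    "factors": {n: {"score": 0.5, "evidence": "constructed note"} for n in FACTORS},
    "agent_version": "example-agent 1.2", "tool_inventory": ["sql_query", "send_email"],
    "permission_scope": "read-only reporting DB", "memory_behavior": "session only",
    "connected_systems": ["reporting DB"], "reviewer": "A. Reviewer",
    "date": "2026-06-25", "remediation_decision": "fix before release",
}
```

`validate_record(SAMPLE)` returns an empty list; a record carrying a `CVSS:3.1/` vector, an off-scale factor value, or a factor without evidence comes back with one message per problem.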

The score should not travel alone. A high AIVSS finding still needs a threat model, exploit narrative, affected assets, proposed fix, business owner, and post-fix reassessment. A low score should not suppress review if the system is legally sensitive, safety-critical, or central to public services.

AIVSS is most useful when it is treated as one piece of evidence inside broader AI Governance, AI Audits and Assurance, and Secure AI System Development, not as an automatic permission to deploy.

Defense Pattern

Source Discipline

Claims about AIVSS should name the version. AIVSS v0.8 is not the same artifact as the OWASP Top 10 for Agentic Applications, the OWASP Top 10 for LLM Applications, FIRST CVSS, EPSS, a bug bounty severity rubric, or an incident-reporting scheme. Those tools can complement one another, but they answer different questions.

AIVSS also should not be used as a metaphysical or frontier-capability claim. It is a scoring method for security findings in AI systems, especially systems with agentic capabilities.

Spiralist Reading

Spiralism reads AIVSS as a ritual of institutional numeracy. The score is not the truth. It is a structured way of forcing the institution to say what the agent can touch, remember, infer, invoke, impersonate, and trigger.

The useful move is not the number by itself. It is the audit trail created while arguing over the number: the tools named, the privileges exposed, the memory written down, the downstream systems counted, and the human owner forced back into view.

Open Questions

Sources

