AIVSS is the OWASP standard for scoring vulnerabilities in AI systems — the AI counterpart to CVSS. aiegis authored the race-test fixture for the enforcement-effectiveness dimension. This page explains what AIVSS measures, where the spec lives, and how to apply it to your own AI agents.
The AI Vulnerability Scoring System (AIVSS) is an OWASP project that gives security teams a standardised, vendor-neutral way to score vulnerabilities specific to AI systems — prompt-injection, training-data poisoning, multi-agent governance gaps, time-to-enforce, model-supply-chain integrity. It is the AI counterpart to CVSS.
Unlike CVSS, AIVSS has to account for risks that don't exist in traditional software: a vulnerability in a base model propagates to every fine-tune; a prompt-injection becomes a privilege escalation; an agent's autonomy means the time between detection and enforcement is itself a scorable dimension.
The OWASP project page is at github.com/OWASP/www-project-artificial-intelligence-vulnerability-scoring-system.
aiegis authored the audit-pack-signing v0.5 race-test fixture for the AIVSS enforcement-effectiveness dimension. The fixture was merged into the OWASP working text on 2026-05-09. It is not a vendor claim — it is a public GitHub artifact with a deterministic SHA-256.
Verify the cite yourself:
aiegis participates in two open AIVSS working-group threads at the canonical OWASP project repo:
Both issues are public. Read, comment, or submit fixtures of your own.
The enforcement-effectiveness dimension of AIVSS rewards architectures that emit signed, layer-attributed decisions with a measurable time-to-enforce. aiegis' /api/protect endpoint maps directly to that contract:
Decisions persist to an append-only ledger with a 5-year retention floor (SQL-enforced via BEFORE DELETE / BEFORE UPDATE triggers; verify at /grid/ledger/retention). That ledger is the AIVSS evidence chain.
AIVSS (AI Vulnerability Scoring System) is an OWASP project that provides a standardised scoring methodology for security vulnerabilities in AI systems, analogous to how CVSS scores traditional software vulnerabilities. It evaluates AI-specific risk dimensions such as prompt-injection susceptibility, training-data poisoning impact, multi-agent governance gaps, and time-to-enforce.
CVSS scores traditional software vulnerabilities along dimensions like attack vector, privileges required, and impact on confidentiality / integrity / availability. AIVSS adds AI-specific dimensions: how a vulnerability propagates across fine-tunes of a base model, how an agent's autonomy widens the blast radius, and how quickly a runtime layer can detect and enforce against the exploit (time-to-enforce).
aiegis authored the audit-pack-signing v0.5 race-test fixture for the AIVSS enforcement-effectiveness dimension. It was merged into OWASP's working text on 2026-05-09 in commit 9c72ca06. The fixture spec has SHA-256 c5f62c9fce6e08b5… and is byte-for-byte cited in the working text. aiegis also participates in AIVSS Issue #31 (Runtime Enforcement Effectiveness) and #32 (Multi-Agent Governance Gaps).
Route every agent action through a runtime governance layer that emits signed evidence — for example, POST /api/protect on aiegis.ie, which returns layer-attributed decisions with a decision_ms field that maps directly to the AIVSS time-to-enforce dimension. Persist the decisions to an append-only audit log with a 5-year retention floor to satisfy the enforcement-effectiveness evaluation.
No — AIVSS is an active OWASP project. The dimensions, fixtures, and scoring rubrics are still being shaped through open issues. aiegis' contribution is to one specific dimension (enforcement-effectiveness) via the race-test fixture; the full spec is iterating in public.
AIVSS scores an AI vulnerability across dimensions that traditional CVSS does not capture. Each dimension is a sub-score; the composite is the AIVSS base score. The dimensions below reflect the working text as of the 2026-05-15 review cadence at the OWASP project repository — aiegis' contribution sits inside the enforcement-effectiveness dimension specifically.
The composite AIVSS score is then modified by environmental and temporal metrics — deployment context, agent autonomy level, exploit maturity — familiar in shape to CVSS users but recomputed for the AI risk geometry.
CVSS v4.0 is the canonical scoring system for traditional software vulnerabilities. It works because traditional software has well-defined privilege boundaries, deterministic state transitions, and a clear notion of "exploit". None of those primitives map cleanly to a non-deterministic, autonomy-bearing AI agent. AIVSS exists to fill the gap, not to replace CVSS.
Procurement teams should expect to see both scores on a future AI-system vulnerability disclosure: a CVSS base-score for the surrounding software stack, and an AIVSS base-score for the AI-specific dimensions. The two are complementary, not competing.
Every decision emitted by aiegis' /api/protect endpoint carries a structured reason code. The reason-code namespace is engineered to map directly onto the AIVSS scoring dimensions so that an auditor can read a single decision row and locate the corresponding AIVSS sub-score without translation.
L01_* identity & authentication failures. Mapped to the privileges-required input of the AIVSS attack-vector dimension. Includes missing passport, expired Ed25519 signature, revoked agent ID.L04_PROMPT_* prompt-class refusals. Mapped to the prompt-injection-susceptibility dimension. The suffix names the injection class detected (jailbreak, system-prompt-override, context-overflow, indirect-via-retrieval).L07_DELEGATION_* delegation-chain refusals. Mapped to the multi-agent governance gaps dimension. Carries the delegation depth and the upstream agent's policy version.L11_RATE_* rate-class refusals. Mapped to the availability-impact metric. Distinguishes per-agent, per-tenant, per-tool quotas.L15_AUDIT_* audit-trail failures. Mapped to the enforcement-effectiveness dimension. A decision that cannot be persisted to the append-only ledger fails closed and surfaces as an L15_AUDIT_FAIL_CLOSED reason code.This taxonomy is published, not proprietary. Reason codes are stable across versions; new codes are added in working-group review with backward-compatible prefixes. The full reason-code reference is available at /developer for integrators.
The audit-pack-signing v0.5 race-test fixture is not a paper deliverable. It is an executable adversarial test that any implementor of the AIVSS enforcement-effectiveness dimension can run against their own platform to produce a comparable score. The fixture sits at race-test-fixtures/audit-pack-signing-v0.5/ in github.com/aeoess/aivss-enforcement-effectiveness.
What the fixture exercises. The fixture spawns N concurrent agents each emitting a stream of decisions that must be signed, sequenced, and persisted to an append-only ledger with no missed indices, no out-of-order sequence numbers, and no signature gaps under load. The test passes only when every decision row carries a verifiable signature chained to its predecessor.
Why the race-test framing matters. Many enforcement layers look correct at single-agent throughput and degrade silently under concurrency — a missed sequence, a duplicated row, a signed-but-unanchored decision. The race-test fixture is engineered to force that failure into the open, with deterministic seeds, reproducible across implementations.
Sub-paragraph-of-spec ownership. Inside the OWASP AIVSS working text, aiegis' specific authorship sits at the enforcement-effectiveness sub-paragraph that defines the contract the fixture exercises. The author attribution is in the merge commit; the fixture's spec.md is the byte-for-byte primary reference. Ownership is recorded, not implied.
To produce an enforcement-effectiveness sub-score that survives external review, the methodology must be reproducible by an auditor who has only the published fixture and the platform under test. The AIVSS race-test fixture defines that path.
POST /api/protect.decision_ms, the 99th-percentile decision_ms, and the fail-closed integrity of the ledger walk. The sub-score feeds the composite AIVSS base score.The methodology is deliberately strict on the ledger walk: a single broken signature chain collapses the enforcement-effectiveness sub-score to zero, regardless of latency. The reasoning is that an audit chain that does not verify is not, in the AIVSS framing, an enforcement chain at all — it is a logging chain, and logging without integrity is not enforcement.
For a CISO or procurement lead evaluating an AI platform, AIVSS does three concrete things that CVSS alone cannot.
For aiegis specifically: our authorship of the race-test fixture means the platform we ship is, by definition, the reference implementation against which other platforms compute their enforcement-effectiveness sub-score. That is not a marketing claim — it is a public artifact, with a verifiable SHA, hosted on a public OWASP-adjacent repository.
AIVSS adoption in 2026 looks similar in shape to CVSS adoption in the mid-2000s — first the maintainers of the scoring system itself, then a small set of security-vendor reference implementations, then the regulated-industry CISOs who need a number to put on a procurement spreadsheet. aiegis sits squarely in the second tier: a reference implementation whose authorship inside the working group is recorded, not asserted, and whose enforcement-effectiveness sub-score can be reproduced by anyone with the public fixture.
What to watch for next. The AIVSS working group is moving toward a v0.6 release of the audit-pack-signing fixture, with extended adversarial cases for delegation-chain integrity. Public comment on AIVSS Issues #31 and #32 is the canonical surface; the working text is the canonical artifact. aiegis' role is to keep the fixture executable, the SHA verifiable, and the implementation runnable end-to-end — not to define what the score ultimately should mean. That definition belongs to the open OWASP process.
If you are evaluating AI vendors and want to ask the AIVSS questions properly — what is your enforcement-effectiveness sub-score, what fixture version did you run against, what is the median and 99th-percentile decision_ms, can you produce a signed ledger walk — the conversation begins by pointing at the public artifact. The public artifact is the floor of the conversation; everything above it is vendor evidence.