AI Vulnerability Scoring System (AIVSS)

AIVSS is a new framework designed to assess security risks in AI systems, particularly agentic AI. Traditional CVSS wasn't built for non-deterministic systems that learn, adapt, and make autonomous decisions. AIVSS extends CVSS by adding an Agentic AI Risk Score that factors in autonomy, tool use, multi-agent behavior, and AI-specific threats like prompt injection and delegation drift. The project is open source, a calculator is already live, and version 1.0 is expected ahead of RSA Conference 2026.

Leadhand

11/21/2025 · 3 min read


CVSS Was Built for Software Bugs. AI Needs Something Different.

Anyone who has spent time in security knows the routine. A vulnerability appears, you check the CVSS score, and you decide how quickly it needs attention. It’s not a flawless system, but it has been good enough for the world of traditional software for nearly two decades.

AI systems, however, do not follow the same rules.

When you’re dealing with large language models that generate improvised outputs, or with agentic AI that makes autonomous decisions about which tools to use and how to execute tasks, the old playbook stops making sense. A prompt-injection flaw is not the same as a buffer overflow. An unpredictable AI response is nothing like a server throwing an error. The risks and attack surfaces are fundamentally different, and in many cases, far harder to anticipate.

This is the gap OWASP is aiming to close with the launch of the AI Vulnerability Scoring System (AIVSS).

What Problem Is AIVSS Trying To Solve?

CVSS has long been the standard for measuring software vulnerabilities, but it was built for deterministic systems. Feed the same input into the same code and you will get the same output. That predictability is what made CVSS workable.

AI breaks that assumption. Modern AI is inherently non-deterministic. It learns, adapts, and—when used in agentic architectures—can operate semi-autonomously. An AI agent may choose which external tools to call, decide how to chain tasks together, and collaborate with other agents in complex ways.

Autonomy itself is not a vulnerability, but it amplifies the impact when something does go wrong.

As Ken Huang, one of the project’s co-leaders, has pointed out, most existing security frameworks assume we can understand the behaviors a system will exhibit at deployment time. With agentic AI, that assumption is no longer reliable.

How the Scoring Works

AIVSS does not discard CVSS; it extends it. The system starts with a traditional CVSS-style base score and layers on an Agentic AI Risk Score (AARS). This additional score accounts for elements unique to AI: autonomy, non-determinism, tool usage, memory, multi-agent interactions, and the degree of agentic behavior.

The combined score is then adjusted by real-world indicators, such as whether the vulnerability is being actively exploited. The final output stays in the familiar 0–10 range so security teams can adopt AIVSS without relearning the fundamentals.

The simplest way to think about it: CVSS measures the vulnerability. AIVSS measures the vulnerability in the context of an AI system that can make and execute decisions.
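
To make the pipeline concrete, here is an added sketch (not code from the AIVSS project) that scores one constructed finding in two deployment contexts. The factor names come from the description above; the factor levels, the averaging step and the multiplier values are assumptions for illustration, not the published AIVSS formula, so use the project's calculator for real scores.

```python
from dataclasses import dataclass

# Factor names come from the article. Every numeric choice below is an
# ASSUMPTION for illustration, not the published AIVSS formula.
FACTORS = ("autonomy", "non_determinism", "tool_use", "memory", "multi_agent")
LEVELS = (0.0, 0.5, 1.0)  # assumed levels: absent / partial / full

# Assumed real-world adjustment: an actively exploited issue keeps its full score.
THREAT_MULTIPLIER = {"exploited": 1.0, "poc": 0.95, "unreported": 0.9}


@dataclass(frozen=True)
class Finding:
    name: str
    cvss_base: float             # traditional CVSS-style base score, 0-10
    factors: dict                # factor name -> level from LEVELS
    threat: str = "unreported"   # key into THREAT_MULTIPLIER


def aars(factors: dict) -> float:
    """Agentic AI Risk Score on a 0-10 scale (assumed: scaled mean of levels)."""
    unknown = set(factors) - set(FACTORS)
    if unknown:
        raise ValueError(f"unknown factors: {sorted(unknown)}")
    for name, level in factors.items():
        if level not in LEVELS:
            raise ValueError(f"{name}: level must be one of {LEVELS}")
    # A factor that is not supplied counts as 0.0 (capability absent).
    return 10.0 * sum(factors.get(f, 0.0) for f in FACTORS) / len(FACTORS)


def aivss(finding: Finding) -> float:
    """Combine base score and AARS, apply the threat adjustment, clamp to 0-10."""
    if not 0.0 <= finding.cvss_base <= 10.0:
        raise ValueError("cvss_base must be within 0-10")
    combined = (finding.cvss_base + aars(finding.factors)) / 2.0
    score = combined * THREAT_MULTIPLIER[finding.threat]
    return round(min(10.0, max(0.0, score)), 1)


# Constructed sample: the same base score in two deployment contexts.
chatbot = Finding("prompt injection, read-only chatbot", 7.0,
                  {"non_determinism": 1.0, "memory": 0.5})
agent = Finding("prompt injection, tool-using agent", 7.0,
                {f: 1.0 for f in FACTORS}, "exploited")

if __name__ == "__main__":
    for f in (chatbot, agent):
        print(f"{f.name}: base={f.cvss_base} aars={aars(f.factors)} aivss={aivss(f)}")
```

With an identical base score, the tool-using agent scores well above the read-only chatbot, which is the context-sensitivity a base score alone cannot express.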

What Makes AI Risks Different?

AI introduces risks that have no real equivalents in traditional software. Examples include:

• Model manipulation and data poisoning, where attackers influence training data or model parameters
• Agent misalignment, where an AI deviates from its intended purpose
• Tool impersonation or misuse, especially in agentic systems where tools are autonomously selected
• Cascading failures, where one agent’s error spreads across dependent systems
• Delegation drift, where an AI system quietly expands what it believes it is allowed to do

These issues are already appearing in real deployments. They require a scoring methodology that understands how AI behaves, not just how software fails.

Who Is Behind the Project?

AIVSS is an official OWASP initiative led by a working group that includes Ken Huang (Cloud Security Alliance), Michael Bargury (Zenity), Vineeth Sai Narajala (AWS), and Bhavya Gupta (Stanford). The project is open source, welcomes contributors, and is actively evolving.

A functioning calculator is already available, and the team is targeting a version 1.0 release ahead of RSA Conference in March 2026.

Why This Matters Now

AI adoption is accelerating, and organizations are deploying increasingly autonomous systems. Without a framework like AIVSS, security teams risk underestimating issues that do not fit the traditional mold of software vulnerabilities.

AIVSS also aligns with the direction of emerging regulations such as the EU AI Act, which requires clear accountability, oversight, and risk classification. Having a standardized scoring model for AI-specific vulnerabilities helps organizations meet these obligations.

The Bottom Line

AIVSS is not meant to replace CVSS, but to extend it for a world where software can learn, reason, and act. It keeps the structure that security teams are familiar with while adding the nuances needed to assess AI’s unique failure modes.

The framework is still maturing and intentionally designed to evolve with the technology it aims to measure. But it represents a meaningful step toward a shared language for AI security risk—something the industry urgently needs.

If you work with AI systems or are responsible for securing them, this is a development worth following closely. Consider reviewing the draft, trying the calculator, and contributing to the project. The sooner practitioners engage, the stronger the final standard will be.