AIVSS for agentic AI: what should security teams change?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9271
Topic starter  

TL;DR: CVSS alone does not capture how agentic systems amplify risk once autonomy, tool use, and multi-agent coordination are involved, according to Lakera’s analysis of OWASP’s AIVSS. The practical shift is to score vulnerability severity in the context of agent behaviour, not just code weakness, because access, memory, and runtime action can turn moderate issues into material exposure.

NHIMG editorial — based on content published by Lakera: Why We Need OWASP’s AIVSS, Extending CVSS for the Agentic AI Era

Questions worth separating out

Q: How should security teams score vulnerabilities in agentic AI systems?

A: Security teams should start with CVSS, then adjust for agent behaviour that can amplify harm at runtime.

Q: Why do agentic systems complicate traditional vulnerability prioritisation?

A: They complicate prioritisation because the same defect can produce very different outcomes depending on what the agent can access and how independently it can act.

Q: What do security teams get wrong about AI agent risk scoring?

A: Teams often score the software flaw and stop there.

Practitioner guidance

  • Map agentic workflows to real privilege boundaries: List every tool, data source, and downstream system an agent can reach, then document where runtime choices can expand beyond the original task scope.
  • Score runtime amplification alongside base vulnerability severity: Use CVSS as the starting point, then add agent-specific factors such as autonomy, memory, multi-agent interaction, and live exploit context when prioritising remediation.
  • Constrain tool use and delegation paths: Require explicit approval boundaries for high-impact tools, and review whether one agent can trigger another without a control gate.

What's in the full article

Lakera's full opinion piece covers the technical rationale this post intentionally leaves at a higher level:

  • AIVSS scoring mechanics, including how CVSS and the agentic amplification factors are combined
  • Lakera's explanation of autonomy, memory, and multi-agent interaction as risk multipliers
  • Examples of agentic AI tool misuse and cascading failure patterns from red team practice
  • The article's framing of why CVSS-style scoring remains familiar while becoming incomplete for agents

👉 Read Lakera's opinion on why OWASP needs AIVSS for agentic AI →
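Added example (not code from Lakera's article or from the OWASP AIVSS project): a small privilege-boundary map for a constructed two-agent fleet that walks transitive runtime reach through ungated delegation, flags systems outside each agent's declared task scope, and adjusts a CVSS base score by illustrative amplification multipliers. The fleet, the tool reach and the multiplier values are constructed assumptions for demonstration, not AIVSS's actual scoring mechanics.

```python
from dataclasses import dataclass, field

@dataclass
class Agent:
    name: str
    declared_scope: set[str]                      # systems the task is meant to touch
    tools: dict[str, set[str]] = field(default_factory=dict)      # tool -> systems it reaches
    delegates_to: dict[str, bool] = field(default_factory=dict)   # peer agent -> approval gate?
    autonomy: str = "supervised"                  # "supervised" or "autonomous"
    persistent_memory: bool = False

def reachable_systems(agent: Agent, fleet: dict[str, Agent], seen=None) -> set[str]:
    """Transitive reach: the agent's own tools plus everything reachable via ungated delegation."""
    seen = set() if seen is None else seen
    if agent.name in seen: return set()           # delegation-cycle guard
    seen.add(agent.name)
    reach = set().union(*agent.tools.values())
    for peer, gated in agent.delegates_to.items():
        if not gated and peer in fleet:           # a gated hand-off stops the walk
            reach |= reachable_systems(fleet[peer], fleet, seen)
    return reach

def scope_creep(agent: Agent, fleet: dict[str, Agent]) -> set[str]:
    """Systems the agent can reach at runtime that its declared task scope never listed."""
    return reachable_systems(agent, fleet) - agent.declared_scope

def amplified_score(cvss_base: float, agent: Agent, fleet: dict[str, Agent]) -> float:
    """Assumed illustrative model, not the AIVSS formula: scale the CVSS base by runtime
    factors (autonomy, memory, ungated delegation, scope creep) and cap at 10.0."""
    factor = 1.0 + 0.3 * (agent.autonomy == "autonomous") + 0.2 * agent.persistent_memory
    factor += 0.3 * any(not gated for gated in agent.delegates_to.values())
    factor += 0.1 * len(scope_creep(agent, fleet))
    return round(min(10.0, cvss_base * factor), 1)

# Constructed sample fleet (assumption): a triage agent that hands off to a remediation
# agent with no approval gate, and a remediation agent holding a secret-rotation tool.
FLEET: dict[str, Agent] = {
    "ticket-triager": Agent("ticket-triager", {"ticketing"},
                            tools={"read_tickets": {"ticketing"}},
                            delegates_to={"remediation-bot": False}, autonomy="autonomous"),
    "remediation-bot": Agent("remediation-bot", {"ticketing", "ci"},
                             tools={"run_pipeline": {"ci"}, "rotate_secret": {"vault"}},
                             persistent_memory=True),
}

if __name__ == "__main__":
    for name, agent in FLEET.items():
        print(name, "creep:", sorted(scope_creep(agent, FLEET)), "adjusted:", amplified_score(5.3, agent, FLEET))
```

The same moderate CVSS base lands on very different adjusted values for the two agents, and gating the triager's hand-off collapses its scope creep to nothing.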


(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8712
 

AIVSS is a recognition that vulnerability severity is no longer enough once software can act like an identity. CVSS assumes a defect sits inside a bounded system. Agentic AI breaks that assumption because the runtime actor can select tools, combine steps, and amplify harm beyond the original flaw. The implication is that risk scoring must account for behaviour, not only weakness.

A few things that frame the scale:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface.

A question worth separating out:

Q: Who should own governance for agentic AI vulnerability scoring?

A: Ownership should sit jointly with security, IAM, and the teams operating the agentic workflow. If one group owns the score but another owns the privileges, the programme will miss the actual failure path. Accountability has to follow the access and the execution model, not the org chart alone.

👉 Read our full editorial: Why OWASP's AIVSS changes risk scoring for agentic AI
