Agentic AIVSS Risk Scoring

Positioning. SecurityRecipes already produces posture, exposure, control, and trust evidence. The missing reviewer surface was quantitative severity: which agentic risks are critical, who owns them, what SLA applies, and what a runtime gate should do. This pack turns current agentic AI security guidance into generated scoring evidence.

What this adds

The Agentic AIVSS Risk Scoring Pack is the prioritization layer for the Secure Context Layer. It maps emerging agentic risks into:

  • A reproducible 0-10 AIVSS-aligned risk score.
  • Severity bands: critical, high, medium, and low.
  • Runtime default decisions: monitor, guarded receipt, human review, deny pending remediation, or kill-session.
  • Remediation SLA and owner guidance.
  • Evidence keys linking each risk to generated SecurityRecipes packs.
  • Hosted MCP readiness gates that describe the production product surface.

The pack is intentionally conservative: it is AIVSS-aligned, not an official OWASP calculator. The scoring vector is source-controlled so teams can inspect and fork the assumptions.

Generated artifacts

Run the generator after posture, exposure, MCP, skill, approval, action, or incident evidence changes:

Evaluate a runtime event:

Kill an unsafe high-autonomy event:

Risk scenarios

The profile scores nine high-value enterprise scenarios:

  • Agent goal hijack through poisoned context.
  • MCP tool misuse in a lethal session combination.
  • Identity and privilege abuse by an agent.
  • Agentic supply chain or skill compromise.
  • Unexpected code execution through tool or skill paths.
  • Insecure inter-agent handoff or remote agent trust.
  • Cascading failure or runaway agent operation.
  • Human-agent trust exploitation or approval bypass.
  • Rogue agent or shadow MCP server.

Each score includes recommended controls, evidence keys, owner, SLA, and a hosted MCP readiness gate that makes the open evidence operationally useful.

Current industry alignment

This pack tracks the strongest current source signals:

  • OWASP AIVSS v0.8 for AI-specific risk scoring.
  • OWASP Top 10 for Agentic Applications for goal hijack, tool misuse, identity abuse, supply chain, unexpected execution, context poisoning, inter-agent failure, cascading failure, trust exploitation, and rogue agents.
  • OWASP MCP Top 10 for protocol-layer token, scope, tool, command, authorization, telemetry, shadow-server, and context-sharing risks.
  • OWASP Agentic Skills Top 10 for the behavior and execution layer that sits between model intent and real tool authority.
  • NIST AI 600-1 for govern, map, measure, and manage expectations.
  • MCP Authorization for resource indicators, audience binding, token handling, and scope minimization.

MCP surface

The MCP server exposes:

  • recipes_agentic_aivss_risk_scoring_pack

Use the pack tool for reviewer, platform, and remediation-priority review. Use the evaluator before a gateway or agent host allows high-autonomy execution, external writes, untrusted context, shadow MCP servers, unregistered agents, or unpinned skills.

What to look at first

For enterprise or trust review diligence, start with:

  1. severity_summary - critical/high counts and runtime decision mix.
  2. risk_scores - the scored risk scenarios and owners.
  3. remediation_queue - the prioritized critical/high worklist.
  4. source_artifacts - hashes for the evidence used in scoring.
  5. hosted_mcp_wedges - the productizable path from open evidence to production MCP enforcement.