AI Security Severity Index (AISSI)

Traditional severity scoring systems such as CVSS were designed for software vulnerabilities, not for AI-specific failure modes like prompt injection, agent goal hijack, or memory poisoning. AISSI fills that gap by combining technical severity with realized business impact, emphasizing observed evidence over hypothetical worst-case outcomes.

AISSI combines five 0-10 metrics, each with a weighted contribution to the final score:

• Criticality (25%): Importance and sensitivity of the affected assets, data, and systems.
• Propagation (20%): How easily the issue spreads across APIs, models, agents, or integrations.
• Exploitability (15%): Maturity of the threat, from theoretical weakness to active in-the-wild exploitation.
• Supply Chain (15%): Degree of third-party, vendor, or open-source dependency in the affected risk.
• Business Impact (25%): Realized operational, financial, regulatory, and reputational harm at time of report.

AISSI scores are calculated by weighting each metric and summing the result, producing a single comparable number (for example 7.4 out of 10) that security teams can use to prioritize response, communicate severity to executives, and benchmark incidents across vendors, products, and AI deployment patterns.

How PointGuard AI Helps

AISSI is the scoring framework that powers the PointGuard AI Security Incident Tracker, with every published incident scored across the five metrics. Customers can use the same framework internally through AI Security Posture Management to benchmark their own incidents against industry events and align response prioritization with PointGuard research.

Learn More

PointGuard AI Security Incident Tracker (AISSI applied)

FIRST CVSS v3.1 Specification (traditional severity scoring reference)

OWASP GenAI Security Project (AIVSS and related AI risk scoring)