MindXO Insight | Standard Engagement
Strengthening the AIVSS Formula: Our Contribution to OWASP's Agentic AI Scoring Standard
As part of our standards engagement, MindXO contributed to the revision of the AIVSS Scoring System for OWASP Agentic AI Core Security Risks v1. A sensitivity analysis of the published v0.8 scoring equation revealed that strong mitigations could paradoxically score an agentic system as less risky than its underlying technical vulnerability alone. We proposed an amendment for v1 that restores the CVSS baseline as an inviolable risk floor.
By Myriam Ayada · MindXO · April 2026
Visit the OWASP AIVSS Project
Key takeaways
- The anomaly. The published v0.8 formula applies the Mitigation Factor to the entire score, (CVSS_Base + AARS) × MF, so strong agentic mitigations can push AIVSS below the CVSS Base Score, at odds with the framework's own "baseline risk floor" design principle.
- The amendment. Apply the Mitigation Factor exclusively to the agentic uplift: AIVSS = CVSS_Base + (AARS × MF). Mitigations attenuate agentic amplification; they do not retroactively reduce the severity of the underlying technical vulnerability.
- The guarantees. Under the revised formulation, AIVSS ≥ CVSS_Base for all valid inputs, the 10.0 upper bound is structurally preserved, and behaviour at MF = 1.0 (the default) is identical: all ten scored examples in the framework remain valid.
- Beyond the formula. We also proposed clarifying that the scoring methodology is taxonomy-independent: it applies to any well-defined agentic risk category, decoupled from the OWASP Top 10's update cycle.
Why we proposed amending the v0.8 formula
The published v0.8 formulation computed AIVSS = (CVSS_Base + AARS) × Mitigation_Factor. Because the Mitigation Factor multiplies the full sum, any MF below 1.0 also scales down the CVSS component. It can be shown analytically that AIVSS falls below CVSS whenever CVSS > 10ab / (1 + ab), where a = MF/(1 − MF) and b = (Factor_Sum/10) × ThM.
At MF = 0.67 (Strong Mitigation) with ThM = 0.97, the floor-violation threshold drops as low as CVSS ≈ 1.6 for low-agentic systems (Factor_Sum = 1), meaning nearly any scored vulnerability produces a paradoxical result where stronger agentic mitigations make total risk appear lower than the technical vulnerability alone.
Worked example: a Critical SQL injection (CVSS 9.0) in a minimally agentic system with strong mitigations produces AIVSS ≈ 6.1 (Medium) under the v0.8 formula, implying the agentic deployment somehow made the SQL injection less severe. Under the proposed formula the same system scores 9.1 (Critical), preserving the technical baseline.
The anomaly zone dominates precisely the scenario the framework should handle well: a severe technical vulnerability in a modestly agentic system with strong mitigations in place. The threshold analysis confirms the anomaly is entirely an artifact of the MF being applied to the CVSS component, not an inherent property of the amplification model. At MF = 1.0 both formulas are algebraically identical and the model behaves as designed.
The proposed revision
Published v0.8: AIVSS = (CVSS_Base + AARS) × Mitigation_Factor
Proposed for v1: AIVSS = CVSS_Base + (AARS × Mitigation_Factor)
Where CVSS_Base is the CVSS v4.0 score of the vulnerability, AARS is the agentic uplift, and the Mitigation Factor is applied exclusively to the agentic uplift component.
This formulation preserves the CVSS Base Score as an inviolable risk floor, consistent with the design principle established in Section 3.1 of the framework: CVSS serves as the baseline risk floor upon which agentic amplification is added. Mitigations (such as human-in-the-loop controls, memory isolation, or tool access restrictions) attenuate the agentic amplification but do not retroactively alter the severity of the underlying technical vulnerability, which remains independently assessed under CVSS v4.0.
- CVSS remains an inviolable floor: AIVSS ≥ CVSS_Base, always.
- The 10.0 upper bound is structurally guaranteed, since AARS × MF ≤ (10 − CVSS_Base). No clamping required.
- Mitigation semantics become precise: mitigations constrain the agentic amplification, not the underlying technical severity.
- All ten scored examples in the framework remain valid at MF = 1.0, where both formulas are algebraically identical.
A second contribution: taxonomy independence
We also proposed an addition to the framework's introduction clarifying the relationship between the ten Agentic AI Core Security Risks and the OWASP Top 10 for Agentic Applications: the core risks are informed by, but architecturally independent from, the Top 10; both evolve on their own cadences; and the scoring methodology is taxonomy-agnostic by design, applying to any well-defined agentic risk category regardless of how the risk list is revised, expanded, or reorganized in future versions.
About MindXO
MindXO is a UAE-based research and advisory specializing in AI governance and risk management. Frameworks aligned with ISO 42001, NIST AI RMF, and GCC regulatory requirements.