AIVSS Agentic Impact Level

Agentic Impact Level supports the AIVSS framework

The Agentic Impact Level (AIL) is one of the decision points used in the AIVSS framework to help organizations prioritize AI-related vulnerabilities. The AIL describes the degree of autonomy and influence the AI system has in its operational environment, which can impact the potential risk associated with vulnerabilities in the system.

Assessing Agentic Impact Level

The Agentic Impact Level (AIL) is not intended to be assessed for every individual vulnerability reported. Instead, it is intended to be assessed for the system as a whole, or for significant changes to the system that may affect the AIL. Because of this, we recommend that organizations assess the AIL periodically, such as during major system updates or architecture changes.

Outcome

The outcome set for AIVSS Agentic Impact Level describes the degree of autonomy and influence the AI system has in its operational environment.

Agentic Impact Level (x_org.owasp#aivss:AIL:1.0.0)

Determines the agentic impact level of a vulnerability based on its characteristics and potential effects.

| Value | Key | Definition |
|---|---|---|
| Copilot | C | The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code. |
| Specialist | S | The agent is a specialist with significant autonomy within a defined domain. It can use powerful tools and may learn from interactions. |
| Prime Mover | P | The agent is a prime mover with broad autonomy. It can orchestrate other systems, modify its own logic, and interact with critical infrastructure. |

Agentic Impact Level (x_org.owasp#aivss:AIL:1.0.0) JSON Example
{
  "namespace": "x_org.owasp#aivss",
  "key": "AIL",
  "version": "1.0.0",
  "name": "Agentic Impact Level",
  "definition": "Determines the agentic impact level of a vulnerability based on its characteristics and potential effects.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "C",
      "name": "Copilot",
      "definition": "The agent is primarily a copilot or assistant. Its actions are heavily constrained, requiring human oversight. The agent explicitly does not have rights to execute code."
    },
    {
      "key": "S",
      "name": "Specialist",
      "definition": "The agent is a specialist with significant autonomy within a defined domain. It can use powerful tools and may learn from interactions."
    },
    {
      "key": "P",
      "name": "Prime Mover",
      "definition": "The agent is a prime mover with broad autonomy. It can orchestrate other systems, modify its own logic, and interact with critical infrastructure."
    }
  ]
}

Decision Points

The Decision Points for AIVSS Agentic Impact Level are divided into three supporting decision tables. The examples below show the outcomes for each of those decision tables that are used to determine the overall Agentic Impact Level.

Execution Power (x_org.owasp#aivss:EP:1.0.0)

Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.

| Value | Key | Definition |
|---|---|---|
| Constrained | C | The AI agent has limited execution power, restricting its ability to perform actions autonomously or interact with external systems. |
| Capable | CA | The AI agent has moderate execution power, allowing it to perform certain actions autonomously and interact with external systems under supervision. |
| High Leverage | H | The AI agent has extensive execution power, enabling it to perform actions autonomously and interact with external systems with minimal supervision. |

Execution Power (x_org.owasp#aivss:EP:1.0.0) JSON Example
{
  "namespace": "x_org.owasp#aivss",
  "key": "EP",
  "version": "1.0.0",
  "name": "Execution Power",
  "definition": "Determines the level of execution power granted to an AI agent, influencing its ability to perform actions autonomously and interact with external systems.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "C",
      "name": "Constrained",
      "definition": "The AI agent has limited execution power, restricting its ability to perform actions autonomously or interact with external systems."
    },
    {
      "key": "CA",
      "name": "Capable",
      "definition": "The AI agent has moderate execution power, allowing it to perform certain actions autonomously and interact with external systems under supervision."
    },
    {
      "key": "H",
      "name": "High Leverage",
      "definition": "The AI agent has extensive execution power, enabling it to perform actions autonomously and interact with external systems with minimal supervision."
    }
  ]
}

Environment & Adaptation (x_org.owasp#aivss:EA:1.0.0)

Determines the environment and adaptation level of an AI system based on its context awareness and adaptability.

| Value | Key | Definition |
|---|---|---|
| Isolated | I | Operates in a narrow, stable context with no meaningful external awareness. No cross-session memory, multi-agent behavior, or identity changes. Environmental shifts don’t affect behavior unless a human explicitly updates inputs. |
| Connected | C | Uses curated signals, scoped identity roles, or predefined multi-agent patterns to adapt. Environmental changes can influence behavior, but only within controlled, auditable bounds. |
| Pervasive | P | Continuously adapts to broad, dynamic environmental inputs and multi-agent activity. Identity, memory, and context can shift fluidly, creating emergent behavior. Environmental variation can substantially redirect or amplify its actions. |

Environment & Adaptation (x_org.owasp#aivss:EA:1.0.0) JSON Example
{
  "namespace": "x_org.owasp#aivss",
  "key": "EA",
  "version": "1.0.0",
  "name": "Environment & Adaptation",
  "definition": "Determines the environment and adaptation level of an AI system based on its context awareness and adaptability.",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "I",
      "name": "Isolated",
      "definition": "Operates in a narrow, stable context with no meaningful external awareness. No cross-session memory, multi-agent behavior, or identity changes. Environmental shifts don’t affect behavior unless a human explicitly updates inputs."
    },
    {
      "key": "C",
      "name": "Connected",
      "definition": "Uses curated signals, scoped identity roles, or predefined multi-agent patterns to adapt. Environmental changes can influence behavior, but only within controlled, auditable bounds."
    },
    {
      "key": "P",
      "name": "Pervasive",
      "definition": "Continuously adapts to broad, dynamic environmental inputs and multi-agent activity. Identity, memory, and context can shift fluidly, creating emergent behavior. Environmental variation can substantially redirect or amplify its actions."
    }
  ]
}

Predictability and Influence (x_org.owasp#aivss:PI:1.0.0)

TODO writeme

| Value | Key | Definition |
|---|---|---|
| Verifiable | V | Behavior is traceable, reproducible, and backed by strong logging or proofs. Outputs align with clear rules, and any action can be independently checked. Unexpected deviations are rare and easy to diagnose. |
| Uncertain | U | Behavior is generally well-structured but can deviate within known bounds. Some reasoning steps or interactions lack full visibility, making verification partial. Issues may be diagnosable but require effort or contextual reconstruction. |
| Opaque | O | Behavior is highly variable, difficult to trace, and resistant to verification. Key reasoning paths, external influences, or interactions are hidden or unpredictable. Actions may appear coherent but cannot be reliably reproduced or audited. |

Predictability and Influence (x_org.owasp#aivss:PI:1.0.0) JSON Example
{
  "namespace": "x_org.owasp#aivss",
  "key": "PI",
  "version": "1.0.0",
  "name": "Predictability and Influence",
  "definition": "TODO writeme",
  "schemaVersion": "2.0.0",
  "values": [
    {
      "key": "V",
      "name": "Verifiable",
      "definition": "Behavior is traceable, reproducible, and backed by strong logging or proofs. Outputs align with clear rules, and any action can be independently checked. Unexpected deviations are rare and easy to diagnose."
    },
    {
      "key": "U",
      "name": "Uncertain",
      "definition": "Behavior is generally well-structured but can deviate within known bounds. Some reasoning steps or interactions lack full visibility, making verification partial. Issues may be diagnosable but require effort or contextual reconstruction."
    },
    {
      "key": "O",
      "name": "Opaque",
      "definition": "Behavior is highly variable, difficult to trace, and resistant to verification. Key reasoning paths, external influences, or interactions are hidden or unpredictable. Actions may appear coherent but cannot be reliably reproduced or audited."
    }
  ]
}

See documentation for the supporting decision tables

Although the Agentic Impact Level (AIL) can be assessed directly, we recommend it be assessed by combining the results of a few supporting decision tables. See the documentation for Execution Power, Environment & Adaptation, and Predictability & Influence for more details.

Decision Table

Decision Model Visualization

---
title: Agentic Impact Level Decision Table (x_org.owasp#aivss:DT_AIL:1.0.0)
---
graph LR
subgraph inputs[Inputs]
n1(( ))
subgraph s1["x_org.owasp<br/>#aivss<br/>EP:1.0.0"]
C_L0([C])
CA_L0([CA])
H_L0([H])
end
subgraph s2["x_org.owasp<br/>#aivss<br/>EA:1.0.0"]
C_I_L1([I])
C_C_L1([C])
C_P_L1([P])
CA_I_L1([I])
CA_C_L1([C])
CA_P_L1([P])
H_I_L1([I])
H_C_L1([C])
H_P_L1([P])
end
subgraph s3["x_org.owasp<br/>#aivss<br/>PI:1.0.0"]
C_I_V_L2([V])
C_I_U_L2([U])
C_I_O_L2([O])
C_C_V_L2([V])
C_C_U_L2([U])
C_C_O_L2([O])
C_P_V_L2([V])
C_P_U_L2([U])
C_P_O_L2([O])
CA_I_V_L2([V])
CA_I_U_L2([U])
CA_I_O_L2([O])
CA_C_V_L2([V])
CA_C_U_L2([U])
CA_C_O_L2([O])
CA_P_V_L2([V])
CA_P_U_L2([U])
CA_P_O_L2([O])
H_I_V_L2([V])
H_I_U_L2([U])
H_I_O_L2([O])
H_C_V_L2([V])
H_C_U_L2([U])
H_C_O_L2([O])
H_P_V_L2([V])
H_P_U_L2([U])
H_P_O_L2([O])
end
end
subgraph outputs[Outcome]
subgraph s4["x_org.owasp<br/>#aivss<br/>AIL:1.0.0"]
C_I_V_C_L3([C])
C_I_U_C_L3([C])
C_I_O_S_L3([S])
C_C_V_C_L3([C])
C_C_U_S_L3([S])
C_C_O_S_L3([S])
C_P_V_S_L3([S])
C_P_U_S_L3([S])
C_P_O_P_L3([P])
CA_I_V_C_L3([C])
CA_I_U_S_L3([S])
CA_I_O_S_L3([S])
CA_C_V_S_L3([S])
CA_C_U_S_L3([S])
CA_C_O_S_L3([S])
CA_P_V_S_L3([S])
CA_P_U_S_L3([S])
CA_P_O_P_L3([P])
H_I_V_S_L3([S])
H_I_U_S_L3([S])
H_I_O_P_L3([P])
H_C_V_S_L3([S])
H_C_U_S_L3([S])
H_C_O_P_L3([P])
H_P_V_P_L3([P])
H_P_U_P_L3([P])
H_P_O_P_L3([P])
end
end
n1 --- C_L0
n1 --- CA_L0
n1 --- H_L0
C_L0 --- C_I_L1
C_I_L1 --- C_I_V_L2
C_I_V_L2 --- C_I_V_C_L3
C_I_L1 --- C_I_U_L2
C_I_U_L2 --- C_I_U_C_L3
C_I_L1 --- C_I_O_L2
C_I_O_L2 --- C_I_O_S_L3
C_L0 --- C_C_L1
C_C_L1 --- C_C_V_L2
C_C_V_L2 --- C_C_V_C_L3
C_C_L1 --- C_C_U_L2
C_C_U_L2 --- C_C_U_S_L3
C_C_L1 --- C_C_O_L2
C_C_O_L2 --- C_C_O_S_L3
C_L0 --- C_P_L1
C_P_L1 --- C_P_V_L2
C_P_V_L2 --- C_P_V_S_L3
C_P_L1 --- C_P_U_L2
C_P_U_L2 --- C_P_U_S_L3
C_P_L1 --- C_P_O_L2
C_P_O_L2 --- C_P_O_P_L3
CA_L0 --- CA_I_L1
CA_I_L1 --- CA_I_V_L2
CA_I_V_L2 --- CA_I_V_C_L3
CA_I_L1 --- CA_I_U_L2
CA_I_U_L2 --- CA_I_U_S_L3
CA_I_L1 --- CA_I_O_L2
CA_I_O_L2 --- CA_I_O_S_L3
CA_L0 --- CA_C_L1
CA_C_L1 --- CA_C_V_L2
CA_C_V_L2 --- CA_C_V_S_L3
CA_C_L1 --- CA_C_U_L2
CA_C_U_L2 --- CA_C_U_S_L3
CA_C_L1 --- CA_C_O_L2
CA_C_O_L2 --- CA_C_O_S_L3
CA_L0 --- CA_P_L1
CA_P_L1 --- CA_P_V_L2
CA_P_V_L2 --- CA_P_V_S_L3
CA_P_L1 --- CA_P_U_L2
CA_P_U_L2 --- CA_P_U_S_L3
CA_P_L1 --- CA_P_O_L2
CA_P_O_L2 --- CA_P_O_P_L3
H_L0 --- H_I_L1
H_I_L1 --- H_I_V_L2
H_I_V_L2 --- H_I_V_S_L3
H_I_L1 --- H_I_U_L2
H_I_U_L2 --- H_I_U_S_L3
H_I_L1 --- H_I_O_L2
H_I_O_L2 --- H_I_O_P_L3
H_L0 --- H_C_L1
H_C_L1 --- H_C_V_L2
H_C_V_L2 --- H_C_V_S_L3
H_C_L1 --- H_C_U_L2
H_C_U_L2 --- H_C_U_S_L3
H_C_L1 --- H_C_O_L2
H_C_O_L2 --- H_C_O_P_L3
H_L0 --- H_P_L1
H_P_L1 --- H_P_V_L2
H_P_V_L2 --- H_P_V_P_L3
H_P_L1 --- H_P_U_L2
H_P_U_L2 --- H_P_U_P_L3
H_P_L1 --- H_P_O_L2
H_P_O_L2 --- H_P_O_P_L3

Table of Values

The table below shows the values for the decision model. Each row of the table corresponds to a path through the decision model diagram above.

| Row | Execution Power v1.0.0 (x_org.owasp#aivss) | Environment & Adaptation v1.0.0 (x_org.owasp#aivss) | Predictability and Influence v1.0.0 (x_org.owasp#aivss) | Agentic Impact Level v1.0.0 (x_org.owasp#aivss) |
|---|---|---|---|---|
| 0 | constrained | isolated | verifiable | copilot |
| 1 | constrained | isolated | uncertain | copilot |
| 2 | constrained | isolated | opaque | specialist |
| 3 | constrained | connected | verifiable | copilot |
| 4 | constrained | connected | uncertain | specialist |
| 5 | constrained | connected | opaque | specialist |
| 6 | constrained | pervasive | verifiable | specialist |
| 7 | constrained | pervasive | uncertain | specialist |
| 8 | constrained | pervasive | opaque | prime mover |
| 9 | capable | isolated | verifiable | copilot |
| 10 | capable | isolated | uncertain | specialist |
| 11 | capable | isolated | opaque | specialist |
| 12 | capable | connected | verifiable | specialist |
| 13 | capable | connected | uncertain | specialist |
| 14 | capable | connected | opaque | specialist |
| 15 | capable | pervasive | verifiable | specialist |
| 16 | capable | pervasive | uncertain | specialist |
| 17 | capable | pervasive | opaque | prime mover |
| 18 | high leverage | isolated | verifiable | specialist |
| 19 | high leverage | isolated | uncertain | specialist |
| 20 | high leverage | isolated | opaque | prime mover |
| 21 | high leverage | connected | verifiable | specialist |
| 22 | high leverage | connected | uncertain | specialist |
| 23 | high leverage | connected | opaque | prime mover |
| 24 | high leverage | pervasive | verifiable | prime mover |
| 25 | high leverage | pervasive | uncertain | prime mover |
| 26 | high leverage | pervasive | opaque | prime mover |
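
The following is an added example, not code from the SSVC or AIVSS projects. It encodes the 27 rows above, checks that raising any input never lowers the outcome, and lists which one-step changes to a system would raise its AIL and so warrant reassessment. The function names are hypothetical, and treating each decision point's keys as ordered lowest to highest in the order the page lists them is an assumption.

```python
from itertools import product

# Value keys, assumed ascending in the order the page's tables list them.
EP = ["C", "CA", "H"]   # Execution Power
EA = ["I", "C", "P"]    # Environment & Adaptation
PI = ["V", "U", "O"]    # Predictability and Influence
AIL = ["C", "S", "P"]   # Agentic Impact Level

# Outcome column of rows 0-26 from the Table of Values, in row order
# (EP varies slowest, PI fastest).
OUTCOMES = "CCSCSSSSP" "CSSSSSSSP" "SSPSSPPPP"
TABLE = dict(zip(product(EP, EA, PI), OUTCOMES))

def agentic_impact_level(ep, ea, pi):
    """Return the AIL key for one assessed system; reject unknown keys."""
    try:
        return TABLE[(ep, ea, pi)]
    except KeyError:
        raise ValueError(f"not a valid EP/EA/PI combination: {(ep, ea, pi)}") from None

def _ranks(combo):
    return tuple(axis.index(v) for axis, v in zip((EP, EA, PI), combo))

def monotonicity_violations():
    """Row pairs where higher-or-equal inputs give a lower outcome."""
    bad = []
    for lo, hi in product(TABLE, repeat=2):
        if all(a <= b for a, b in zip(_ranks(lo), _ranks(hi))):
            if AIL.index(TABLE[lo]) > AIL.index(TABLE[hi]):
                bad.append((lo, hi))
    return bad

def escalating_changes(ep, ea, pi):
    """One-step input increases that change this system's AIL."""
    base = agentic_impact_level(ep, ea, pi)
    out = []
    for i, axis in enumerate((EP, EA, PI)):
        combo = [ep, ea, pi]
        pos = axis.index(combo[i])
        if pos + 1 < len(axis):
            combo[i] = axis[pos + 1]
            if TABLE[tuple(combo)] != base:
                out.append((tuple(combo), TABLE[tuple(combo)]))
    return out
```
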