24.2.4 Prioritization framework

2025.10.06.
AI Security Blog

After identifying a set of vulnerabilities, the critical next step is deciding what to fix first. Not all findings carry the same weight. A purely technical scoring system like CVSS can be a starting point but often fails to capture the unique business and operational risks associated with AI systems. A vulnerability that allows for subtle output manipulation might have a low technical severity but could cause catastrophic reputational damage.

To address this, you need a prioritization framework that blends technical exploitability with AI-specific system impact and overarching business context. This section provides a customizable framework, the AI Threat & Impact Prioritization (ATIP) model, to help you rank findings effectively.

The AI Threat & Impact Prioritization (ATIP) Framework

The ATIP framework is built on three core pillars: Exploitability, System Impact, and Business Context. By evaluating each finding against these pillars, you can generate a more holistic and actionable priority score.

Framework Goal: To move beyond generic severity ratings and create a risk score that reflects the actual threat an AI vulnerability poses to your organization’s mission, operations, and reputation.

Core Components & Scoring

The following table breaks down each component. We suggest a 1-10 scoring scale for simplicity, where 1 is minimal risk and 10 is critical. You should adapt the scale and weighting to your organization’s specific risk appetite.

| Factor | Metric | Description | Example Scoring (1-10) |
|---|---|---|---|
| Exploitability (E) | Access Vector | How an attacker can reach the vulnerable component. | 1: Physical access needed; 5: Authenticated user; 10: Public, unauthenticated API |
| Exploitability (E) | Attack Complexity | The technical skill and effort required to execute the attack. | 1: Requires massive compute & novel research; 5: Requires custom scripts & domain knowledge; 10: Simple prompt or API call |
| Exploitability (E) | Resources Required | The external resources (data, models, etc.) needed for the attack. | 1: Needs a massive, proprietary dataset; 5: Requires a moderately sized open-source dataset; 10: No external resources needed |
| System Impact (I) | Model Integrity | Corruption of the model’s weights, logic, or training data. | 1: Minor, temporary performance dip; 5: Targeted skill degradation (e.g., “forgetting” a language); 10: Complete model poisoning or backdooring |
| System Impact (I) | Output Reliability | Generation of harmful, biased, false, or unintended content. | 1: Minor stylistic deviations; 5: Consistent generation of biased or inaccurate information; 10: Generation of illegal, dangerous, or malicious content |
| System Impact (I) | Service Availability | Denial of service or resource exhaustion affecting the AI system. | 1: Slowed inference by a few milliseconds; 5: Significant service degradation for a subset of users; 10: Complete system outage |
| System Impact (I) | Data Confidentiality | Unauthorized disclosure of sensitive data. | 1: Exposure of non-sensitive metadata; 5: Extraction of general training data patterns; 10: Extraction of PII or proprietary secrets from training data |
| Business Context (B) | Reputational Damage | Potential harm to brand image, public trust, and customer loyalty. | 1: Internal discovery with no public impact; 5: Negative press in niche publications; 10: Major international news headline |
| Business Context (B) | Financial Loss | Direct or indirect monetary costs from the exploit. | 1: Negligible cost; 5: Cost of remediation and minor customer churn; 10: Major fines, lawsuits, and loss of key contracts |
| Business Context (B) | Regulatory & Compliance | Violation of laws, regulations, or industry standards. | 1: Minor internal policy breach; 5: Violation of a specific industry standard (e.g., HIPAA); 10: Breach of major data protection laws (e.g., GDPR) |

Calculating the Priority Score

Once you have scored each metric, you can calculate a final priority score. A simple, effective method is to average the scores within each pillar and then multiply them together. You can add weights to prioritize one pillar over another.

A sample formula could be:

Priority Score = (Average Exploitability) × (Average System Impact) × (Average Business Context)

# Pseudocode for calculating a priority score for a single vulnerability

vulnerability_finding = {
    "access_vector": 10,       # Public API
    "attack_complexity": 8,    # Easy to craft prompt
    "resources_required": 9,   # None needed
    "model_integrity": 2,      # No impact on the model itself
    "output_reliability": 10,  # Can generate harmful content
    "service_availability": 1, # No impact
    "data_confidentiality": 1, # No impact
    "reputational_damage": 9,  # High potential for bad press
    "financial_loss": 4,       # Moderate potential
    "regulatory_risk": 3       # Low potential
}

avg_exploitability = (10 + 8 + 9) / 3   # = 9.0
avg_impact = (2 + 10 + 1 + 1) / 4      # = 3.5
avg_business = (9 + 4 + 3) / 3         # = 5.33

priority_score = avg_exploitability * avg_impact * avg_business
# With the rounded business average: 9.0 * 3.5 * 5.33 = 167.895 (168.0 unrounded)

This score (e.g., 167.9) provides a quantitative basis for ranking this finding against others. A jailbreak that generates harmful content but doesn’t compromise the model or data can now be compared directly with a complex data poisoning attack.

Visualizing Priorities with a Risk Matrix

For high-level reporting and quick decision-making, you can plot your findings on a risk matrix. This visual tool helps stakeholders immediately grasp the urgency of different issues. The axes typically represent Likelihood (derived from Exploitability) and Impact (a combination of System and Business impacts).

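Risk matrix (rows: Likelihood / Exploitability; columns: Impact, System & Business):

| Likelihood / Exploitability | Low Impact | High Impact |
|---|---|---|
| High | Schedule Fix | Act Immediately |
| Low | Monitor | Address Promptly |
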
  • Monitor (Low Likelihood, Low Impact): These are minor issues that are hard to exploit. Keep an eye on them, but they don’t require immediate action. They may be resolved during routine maintenance cycles.
  • Schedule Fix (High Likelihood, Low Impact): These are often easy-to-find but low-impact bugs. They should be addressed to maintain security hygiene but can be scheduled for the next development sprint.
  • Address Promptly (Low Likelihood, High Impact): These are the “ticking time bomb” vulnerabilities. While hard to exploit now, a change in attacker capability or system architecture could make them critical. Plan to mitigate these proactively.
  • Act Immediately (High Likelihood, High Impact): These are your top priorities. They represent clear and present dangers to the system and business. Resources should be allocated immediately for remediation.
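
The scoring formula and the risk matrix above, carried through for two findings as an added Python example (not code from the original post). Assumptions: pillar weights are applied as exponents, because a constant multiplier on one pillar scales every product by the same factor and cannot change the ranking; the Low/High cut-off of 5.5, impact taken as the mean of the System Impact and Business Context averages, and the second finding's scores are likewise assumptions.

```python
# Added example: ATIP scoring, exponent weights, risk-matrix placement.
from statistics import mean

PILLARS = {  # metrics per pillar, in the order each finding lists its scores
    "E": ("access_vector", "attack_complexity", "resources_required"),
    "I": ("model_integrity", "output_reliability",
          "service_availability", "data_confidentiality"),
    "B": ("reputational_damage", "financial_loss", "regulatory_risk"),
}
HIGH = 5.5  # assumed Low/High cut-off: midpoint of the 1-10 scale

def pillar_averages(finding):
    """Average each pillar; reject missing or out-of-range scores."""
    avgs = {}
    for pillar, metrics in PILLARS.items():
        scores = finding.get(pillar, ())
        if len(scores) != len(metrics) or not all(1 <= s <= 10 for s in scores):
            raise ValueError(f"pillar {pillar}: need {len(metrics)} scores in 1-10")
        avgs[pillar] = mean(scores)
    return avgs

def priority_score(finding, weights=None):
    """Product of pillar averages; weights are exponents (an assumption)."""
    w = {"E": 1.0, "I": 1.0, "B": 1.0, **(weights or {})}
    a = pillar_averages(finding)
    return a["E"] ** w["E"] * a["I"] ** w["I"] * a["B"] ** w["B"]

def quadrant(finding):
    """Likelihood = E average; impact = mean of I and B averages (assumed)."""
    a = pillar_averages(finding)
    cell = (a["E"] >= HIGH, mean((a["I"], a["B"])) >= HIGH)
    return {(False, False): "Monitor", (True, False): "Schedule Fix",
            (False, True): "Address Promptly", (True, True): "Act Immediately"}[cell]

def rank(findings, weights=None):
    """Finding names ordered from highest to lowest priority score."""
    return sorted(findings, key=lambda n: priority_score(findings[n], weights),
                  reverse=True)

# Constructed sample findings; the first reuses the scores from the pseudocode.
FINDINGS = {
    "jailbreak":      {"E": (10, 8, 9), "I": (2, 10, 1, 1), "B": (9, 4, 3)},
    "data_poisoning": {"E": (3, 2, 3), "I": (10, 8, 4, 6), "B": (8, 8, 7)},
}

if __name__ == "__main__":
    for name in rank(FINDINGS):
        print(name, round(priority_score(FINDINGS[name]), 1), quadrant(FINDINGS[name]))
    print("System Impact squared:", rank(FINDINGS, {"I": 2.0}))
```

With equal weights the jailbreak ranks first (168.0 against roughly 143.1); squaring the System Impact pillar reverses the order. Under the assumed thresholds the jailbreak lands in Schedule Fix, since averaging within a pillar dilutes its single 10 for output reliability.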