OWASP AISVS
AI Application Security Verification Standard at L1, L2, and L3

OWASP AISVS: a verification standard for AI applications, not just a risk list

The OWASP Artificial Intelligence Security Verification Standard (AISVS) is the open standard that defines what a verified secure AI application looks like, control by control. Where the OWASP Top 10 for LLM Applications ranks the most common LLM-specific risks (and the companion LLM Top 10 explainer walks each risk in plain language), AISVS describes which controls have to be in place and which tests have to pass for an AI application to be considered verified at a given level. AISVS is published by the Open Worldwide Application Security Project, sits in the same family of verification standards as OWASP ASVS for web and API applications and OWASP MASVS for mobile applications, and is structured so the verification claim is comparable across providers and over time.

For internal AppSec teams running an AI-application verification programme, product security teams owning a generative AI feature surface, AI and ML engineering teams shipping LLM and agent applications, AI safety and red-team functions, GRC and compliance teams mapping to the ISO/IEC 42001 AI management system, the NIST AI Risk Management Framework, or the EU AI Act, and CISOs carrying the audit-committee read against the AI programme, AISVS is the verification standard the technical evidence reads against. The standard is dense; the value is the control-level traceability that turns AI security from a one-off red team into a continuous operating record.

This page covers the AISVS verification levels, the AISVS control chapters, the verification reporting expectations, where AISVS sits next to OWASP ASVS, the OWASP LLM Top 10, NIST AI RMF, ISO/IEC 42001, the EU AI Act, and OWASP MASVS, the buyer and operator read for AppSec teams and AI engineering, and how SecPortal operates an AISVS verification engagement as one structured record.

AISVS verification levels: pick the level on purpose

AISVS defines three verification levels. The level is a contractual decision: a Level 1 engagement reported as Level 2 is a scope breach, and a Level 2 engagement reported as Level 1 is a value gap. Decide the level during pre-engagement, name it in the rules of engagement, and reflect it on every page of the verification report. The level decision is typically anchored in the EU AI Act risk classification (if applicable), the data sensitivity, the agentic depth, and the decision impact.

For a longer treatment of the operating model that runs the AI security programme around an AISVS engagement, see the MLSecOps implementation guide and the AI security posture management explainer, which together cover the wider AI security operating layer the AISVS verification fits inside.

The AISVS control chapters: what gets verified

AISVS is organised into control chapters covering training data through to governance, with explicit applicability for Level 1, Level 2, and Level 3 against each control. The verification report references those chapter identifiers directly, which is what makes AISVS engagements comparable across providers and over time. The chapter list below reflects the AISVS structure at the time of writing; the live standard is published on the OWASP project page and refreshed by the contributing community.

The control set is broad on purpose. A verification claim that exercises only input handling (C3) and output handling (C4) is a partial verification, not a full AISVS engagement at the declared level. When scoping an AISVS test, write down the chapters in scope and the chapters explicitly out of scope, so the report cannot be read as a stronger claim than was tested. For the LLM-Top-10-specific finding shape that flows into the C3 and C4 chapters, see the prompt injection vulnerability page, the indirect prompt injection via RAG vulnerability page, the improper output handling in LLM vulnerability page, the excessive agency in LLM applications vulnerability page, the system prompt leakage vulnerability page, and the data and model poisoning vulnerability page. Each maps to one or more AISVS controls and feeds the verification report as evidence.

AISVS reporting expectations: the deliverable, not an export

An AISVS verification report is a structured deliverable, not a wrap-up. The report is the artefact the buyer pays for, the assessor reviews, and the auditor cites, so its structure and evidence density determine whether the verification was actually useful. The expectation list below covers the minimum the verification claim needs to carry to read defensibly.

For deeper context on how to structure a security verification report end to end, see how to write a pentest report and the matching penetration testing report template. The AI report generation feature composes the executive summary, technical body, safety evaluation summary, and remediation roadmap from the underlying engagement and findings, citing the AISVS controls that were exercised rather than starting from a blank template.

How AISVS sits next to ASVS, the LLM Top 10, NIST AI RMF, ISO 42001, and the EU AI Act

AISVS is rarely used in isolation. It is the requirement set that other documents cite, run against, or wrap. The contrast below is a working view, not a buyer comparison: the practitioner question is which standards to pair AISVS with, not which to pick instead of it.

Buyers procuring an AI engagement under a regulated framework should pair AISVS with OWASP ASVS for the wider backend tier of the same application, with ISO/IEC 42001 for the AI management system the verification operates inside, with NIST AI RMF for the framework-level outcome model, with NIST SSDF for the secure-development practices the AI application is built under, and with CISA Secure by Design for the default-secure commitment the AI application makes to its users.

Adjacent OWASP and CISA references

AISVS reads alongside several OWASP and CISA references. Each one covers a different slice of the AI security operating model; AISVS is the verification companion that converts the risk and outcome statements into control-level requirements.

AISVS for AppSec teams, AI engineering, product security, and AI governance

AISVS is read differently depending on which side of the engagement you sit on. AppSec teams use AISVS as the internal bar that the AI engineering team builds against, and as the structure that triages findings from prompt-injection evaluations, output-handling reviews, agent-action audits, and code-and-dependency scanning into one comparable picture. Product security teams use AISVS as the verification standard their AI feature ships under, with the verification report driving the feature go-live decision and the residual-risk position. AI engineering teams use AISVS as the requirements specification their model and prompt infrastructure satisfies, especially C1 training data governance, C2 model lineage, C6 RAG, and C7 agent action boundaries. AI governance committees use AISVS as the technical evidence layer their high-impact AI decisions read against under ISO/IEC 42001 and the EU AI Act.

The persona-specific entry points are SecPortal for AppSec teams, SecPortal for product security teams, SecPortal for application security programme leads, SecPortal for security engineering teams, and SecPortal for GRC and compliance teams. Each anchors a different view of the same AISVS engagement record.

For firms that specialise in AI and ML security assessments rather than running AI as one of several practices, the SecPortal for AI and ML security consultancies page covers the operating model that fits a specialist AI security practice, including finding evidence fields tuned to AISVS controls and the retest workflow that pairs verification to the original finding across each new model release.

Where AISVS sits next to other framework pages

AISVS is the AI-application verification standard; the adjacent framework pages cover the regimes the AISVS engagement reads alongside. The pages below are the ones AISVS programmes most often read together.

• The OWASP ASVS framework page covers the verification standard for the wider web and API surface the AI application sits inside. ASVS and AISVS read together on most AI engagements.
• The OWASP MASVS framework page covers the mobile verification standard. Consumer-facing AI assistants are typically scoped under MASVS for the mobile binary and AISVS for the AI tier.
• The ISO/IEC 42001 framework page covers the AI management system standard. AISVS verification supplies the technical evidence the ISO 42001 Annex A controls reference.
• The NIST AI RMF framework page covers the AI Risk Management Framework. AISVS reads beneath the MEASURE function as the control-level verification standard.
• The NIST SSDF framework page covers the secure-development practices. AISVS reads as the verification companion for AI-specific code paths the SSDF Verify practice category expects to exercise.
• The CISA Secure by Design framework page covers the default-secure software commitment. AISVS reads beneath as the verification standard the secure-by-design AI commitments are evidenced through.
• The EU Cyber Resilience Act framework page covers the EU product cybersecurity regulation for products with digital elements. AISVS reads as the technical verification companion for AI features inside CRA-in-scope products.
• The OWASP Web Security Testing Guide framework page covers the testing technique reference for web applications. AISVS reads alongside as the AI-specific verification standard, with the WSTG supplying the test technique for the non-AI tiers and AISVS supplying the AI-tier requirements.

Where SecPortal fits in an AISVS verification engagement

SecPortal is the operating layer for an AISVS verification engagement. The platform handles scope, level claim, control coverage, backend authenticated DAST evidence, AI application codebase SAST and SCA evidence, prompt-injection and indirect-injection evaluation results, agent-action audit findings, output-handling findings, finding triage, retests, and the final deliverable, so the engagement runs as a single workflow rather than a long email thread with attachments and screenshot zips. For consultancies running AI security engagements on behalf of multiple clients, the AI and ML security consultancies workspace bundles that with branded client portals.

What SecPortal does not do

AISVS is a verification standard for AI applications and depends on the organisation operating AI engineering, AI safety, AppSec, product security, GRC and compliance, and AI governance as coordinated functions. SecPortal is the operating record for the AISVS verification engagement, not the AI development platform, not the model-evaluation framework, not the AI red team service provider, and not the third-party AI audit firm. The honest scope below reads against the AISVS boundary so the platform commitment is unambiguous.

The operational workstreams the AISVS programme reads against already exist as named use cases on SecPortal. The security onboarding for new applications workflow covers the per-application onboarding that the AISVS verification engagement attaches to. The code review use case covers the SAST and SCA evidence the C11 supply chain control reads against. The cross-framework control mapping workflow reads the same AISVS evidence pack across OWASP ASVS, ISO/IEC 42001, NIST AI RMF, EU AI Act, and CISA Secure by Design so the cross-regime read is reconcilable rather than reconciled per audit.

For deeper reading on the disciplines this standard reads against, the OWASP Top 10 for LLM Applications explainer covers the ranked LLM risk list that AISVS controls map into. The AI bill of materials guide covers the supply-chain artefact AISVS C11 expects. The secure code review for AI-generated code guide covers the developer-facing review discipline that flows into AISVS evidence on the code path. The MLSecOps implementation guide covers the operating model around the verification engagement.