- The paper introduces an AI-native framework that integrates asset telemetry, property graphs, and AI-based scoring for proactive security posture reasoning.
- It employs a two-tier architecture to separate technical exposure from contextual risk, ensuring stable, explainable, and interpretable asset prioritization.
- Experimental evaluations on heterogeneous production data validate the framework’s deterministic scoring and effective contextual modulation strategy.
AI-Native Asset Intelligence: A Principled Framework for Proactive Security Posture Reasoning
Motivation and Problem Context
Enterprise security environments increasingly generate vast, heterogeneous, and fragmented signals across multi-cloud resources, identities, configurations, and third-party tools. While recent AI-powered assistants improve the accessibility of such data, their paradigm remains fundamentally reactive—requiring users to frame the correct questions and manually correlate disconnected findings. This approach proves inadequate for enterprise-scale environments, where prioritization of security signals depends not only on technical exposure, but also on exploitability, inter-asset relationships, and business context.
The absence of a canonical, structured abstraction over security data leads to unstable and inconsistent asset ranking. This lack of a reliable reasoning substrate constrains AI systems, impeding both reproducibility and the emergence of truly proactive posture management. The work proposes that a dedicated intelligence layer—specifically, an AI-native asset intelligence framework—can address these deficits and enable both reactive and proactive asset-level reasoning.
Prior approaches have dissected security posture management along various axes:
- Severity and Exposure Metrics: Standards such as CVSS and EPSS focus on vulnerability severity and exploit likelihood but remain vulnerability-centric and largely decoupled from business impact or contextual importance (“CVSS: Ubiquitous and broken” [10], “A Survey on Vulnerability Prioritization” [19]).
- Graph-Based and Relational Models: Graph mining, reachability analysis (e.g., “GRASP” [12]; “Start Thinking in Graphs” [11]), and IAM model-checking capture dependency and propagation but are tailored to particular verification tasks.
- Contextual Scoring Models: Efforts to blend severity, exploitability, and context (e.g., “CAVP” [16], “SmartPatch” [17]) typically treat context as metadata, limiting operationalization and consistent automation.
- Knowledge Graphs and Neuro-Symbolic Reasoning: Cybersecurity knowledge graphs furnish structural integration but do not yield reusable, interpretable asset criticality abstractions suitable for direct AI reasoning (“Cybersecurity Knowledge Graphs” [20], “CtiNexus” [23]).
The literature’s central gap is the absence of a formal, reusable intelligence layer that supports systematic AI-based asset prioritization in enterprise environments.
Architectural Overview
The AI-native asset intelligence framework introduces a two-tiered architecture:
Modeling Layer
- Heterogeneous Ingestion and Normalization: Ingests and normalizes telemetry, configurations, entitlements, and controls from disparate providers (cloud APIs, IDPs, third-party tools) into vendor-agnostic tabular formats.
- Property Graph Construction: Lifts tabular records into a unified, typed property graph where nodes (assets) and edges (relations) encode multi-vendor resource dependencies, privilege relations, and control attachments.
- Knowledge Overlays: Maintains overlays encoding security controls, attack vectors (as parameterized traversals), and blast-radius patterns for on-demand, executable queries.
- Agentic Researcher and Human-in-the-Loop: Automated agents synthesize candidate patterns and controls using empirical schema sampling, external knowledge grounding (e.g., MITRE ATT&CK, CWE, CAPEC), and structured graph tool calls. All overlays are human-validated to ensure correctness and semantic fidelity.
Scoring Layer
- Feature Extraction: Normalizes heterogeneous signals (failed controls, attack-path counts, blast radius metrics) to a structured evidence vector in [0,1]d per asset.
- AI-Based Contextualization: Agentic components refine finding severities and classify business or data criticality, leveraging structured and semi-structured evidence. This pipeline ensures context-sensitive adjustment while preserving auditability.
- Deterministic Aggregation: Evidence and context signals are aggregated using bounded, monotone, and saturating functions, enforcing stable and interpretable prioritization. The model ensures evidence-preserving, context-aware, and monotonic transformations.
Context-Aware Asset Scoring
The core scoring mechanism explicitly separates intrinsic exposure from contextual importance:
- Base Exposure (B(a)): Computed as the max of misconfiguration-based and attack-vector-based exposure, regulated by a channel cap and a floor parameter. The design avoids double-counting and ensures that severe misconfigurations or concrete exploitability dominate.
- Misconfiguration Channel: Uses a non-linear weighted, multiplicative union of finding severities, tightly controlling the impact of accumulation and ensuring diminishing returns.
- Attack-Vector Channel: Maps attack-path counts to exposure via an exponential saturating function, emphasizing the qualitative shift from the absence to the presence of exploit paths.
- Contextual Vector (v(a)): Aggregates normalized measures for configuration anomaly, blast radius, business-function criticality, and data criticality. These dimensions operationalize the difference in asset significance that cannot be captured by technical exposure alone.
- Context Modulation: The aggregated context index scales the base exposure through a bounded multiplier, enabling context to amplify or attenuate—but not override—evidence.
- Final Score (s(a)): s(a)=min(1,B(a)m(a)), ensuring scores are interpretable, bounded, evidence-preserving, and monotone.
This formulation guarantees that assets are only prioritized as critical if both technical evidence and contextual signals align.
Experimental Evaluation
The evaluation leverages a production organizational snapshot:
- Dataset: 131,625 resources, 15 vendors, 178 asset types; AWS accounts for 78.6%. About 30% of resources exhibited at least one risk signal.
- Sensitivity Experiments: Systematically vary severity-weight mapping, attack-vector saturation parameter, and context multiplier strength. Results demonstrate:
- Misconfiguration Channel: Nonlinear mappings with strong severity gaps and capped aggregation yield intuitive prioritization—severe findings dominate, and accumulation displays sharply diminishing returns.
- AI-Based Severity Adjustment: Primarily downgrades low-severity findings to INFO, sharpening prioritization and decreasing false positives without broad inflation of high/critical scores.
- Attack-Vector Channel: Attack-path evidence is rare but exerts maximal effect when present; tuning the saturation parameter allows calibration without oversensitivity.
- Contextual Modulation: Controlled amplification of resource priority where contextual signals are strong. Only contextually and technically exposed assets reach the highest risk bins. The effect is consistently monotone and auditable.
- Stability and Consistency: The separation of evidence and context, and deterministic scoring, ensure stable and reproducible asset rankings, mitigating prompt sensitivity and inference variance highlighted in recent LLM-based security studies (“PROSA” [32]).
Theoretical and Practical Implications
The framework’s explicit separation of technical exposure and contextual risk, combined with deterministic, bounded aggregation, represents a significant advance beyond vulnerability-centric or ad hoc AI agent approaches for asset prioritization. By grounding agentic contextualization within a controlled reasoning pipeline, the architecture provides both explainability and operational trust—both prerequisites for practical integration into enterprise SOC and posture management workflows.
The approach creates the necessary substrate for proactive AI-driven insight generation, enabling:
- Consistent, automated identification of mission-critical risk concentrations
- Continuous, organization-wide posture assessment without reliance on ad hoc user queries
- Calibration and transparency suitable for regulated or high-assurance settings
The model’s auditing and tuning points (severity mapping, attack-path sensitivity, context multiplier) allow adaptation to operational requirements while preventing pathological prioritization behaviors.
Limitations and Future Directions
- Single-Organization Evaluation: Deployment and validation occurred on a single, albeit heterogeneous, production snapshot. Broader empirical confirmation is required across other cloud architectures, organizational models, and business-criticality definitions.
- Absence of Incident Ground Truth: Analysis focuses on behavioral sensitivity and consistency; correlation to real-world breach likelihood or incident data remains unproven.
- Manual Contextual Criteria: Contextual weights and rubrics rely on domain expertise. Learning-based or organization-adaptive calibration could further enhance fit and resilience.
Future research should pursue cross-organizational validation, expert-led calibration studies, and integration of incident-driven feedback for further automation and effectiveness.
Conclusion
AI-native asset intelligence as formalized in this framework provides a necessary and robust foundation for stable, consistent, and proactive security posture reasoning. By introducing a modeling/knowledge layer that expresses complex asset relationships and a context-aware, deterministic scoring system, the framework enables trustworthy AI-driven prioritization and insight generation. The separation of evidence and context, auditability of agentic adjustments, and monotonic, bounded aggregation together ensure explainability and operational reliability. As organizations seek to unlock proactive security management at enterprise scale, such an approach offers a principled and adaptable path forward.