Papers
Topics
Authors
Recent
Search
2000 character limit reached

AI Native Asset Intelligence

Published 9 May 2026 in cs.CR and cs.AI | (2605.09115v2)

Abstract: Modern security environments generate fragmented signals across cloud resources, identities, configurations, and third-party security tools. Although AI-native security assistants improve access to this data, they remain largely reactive: users must ask the right questions and interpret disconnected findings. This does not scale in enterprise environments, where signal importance depends on exposure, exploitability, dependencies, and business context. Repeated AI queries may therefore produce unstable prioritization without a structured basis for comparing assets. This paper introduces AI-native asset intelligence, a framework that transforms heterogeneous security data into a structured intelligence layer for consistent, contextual, and proactive asset-level reasoning. The framework combines a modeling layer, representing assets, identities, relationships, controls, attack vectors, and blast-radius patterns, with a scoring layer that converts fragmented signals into a normalized measure of asset importance. The scoring system separates intrinsic exposure, based on misconfigurations and attack-vector evidence, from contextual importance, based on anomaly, blast radius, business criticality, and data criticality. AI contextualization refines severity and business/data classifications, while deterministic aggregation preserves consistency. We evaluate the scoring system on a production snapshot with 131,625 resources across 15 vendors and 178 asset types. Sensitivity analyses and ablations show that severity mappings control finding sensitivity, AI severity adjustment refines prioritization, attack-vector scoring responds to rare exploitability evidence, and contextual modulation selectively modifies exposed resources based on business or data importance. The results support AI-native asset intelligence as a foundation for stable prioritization and proactive security-posture reasoning.

Summary

  • The paper introduces an AI-native framework that integrates asset telemetry, property graphs, and AI-based scoring for proactive security posture reasoning.
  • It employs a two-tier architecture to separate technical exposure from contextual risk, ensuring stable, explainable, and interpretable asset prioritization.
  • Experimental evaluations on heterogeneous production data validate the framework’s deterministic scoring and effective contextual modulation strategy.

AI-Native Asset Intelligence: A Principled Framework for Proactive Security Posture Reasoning

Motivation and Problem Context

Enterprise security environments increasingly generate vast, heterogeneous, and fragmented signals across multi-cloud resources, identities, configurations, and third-party tools. While recent AI-powered assistants improve the accessibility of such data, their paradigm remains fundamentally reactive—requiring users to frame the correct questions and manually correlate disconnected findings. This approach proves inadequate for enterprise-scale environments, where prioritization of security signals depends not only on technical exposure, but also on exploitability, inter-asset relationships, and business context.

The absence of a canonical, structured abstraction over security data leads to unstable and inconsistent asset ranking. This lack of a reliable reasoning substrate constrains AI systems, impeding both reproducibility and the emergence of truly proactive posture management. The work proposes that a dedicated intelligence layer—specifically, an AI-native asset intelligence framework—can address these deficits and enable both reactive and proactive asset-level reasoning.

Prior approaches have dissected security posture management along various axes:

  • Severity and Exposure Metrics: Standards such as CVSS and EPSS focus on vulnerability severity and exploit likelihood but remain vulnerability-centric and largely decoupled from business impact or contextual importance (“CVSS: Ubiquitous and broken” [10], “A Survey on Vulnerability Prioritization” [19]).
  • Graph-Based and Relational Models: Graph mining, reachability analysis (e.g., “GRASP” [12]; “Start Thinking in Graphs” [11]), and IAM model-checking capture dependency and propagation but are tailored to particular verification tasks.
  • Contextual Scoring Models: Efforts to blend severity, exploitability, and context (e.g., “CAVP” [16], “SmartPatch” [17]) typically treat context as metadata, limiting operationalization and consistent automation.
  • Knowledge Graphs and Neuro-Symbolic Reasoning: Cybersecurity knowledge graphs furnish structural integration but do not yield reusable, interpretable asset criticality abstractions suitable for direct AI reasoning (“Cybersecurity Knowledge Graphs” [20], “CtiNexus” [23]).

The literature’s central gap is the absence of a formal, reusable intelligence layer that supports systematic AI-based asset prioritization in enterprise environments.

Architectural Overview

The AI-native asset intelligence framework introduces a two-tiered architecture:

Modeling Layer

  • Heterogeneous Ingestion and Normalization: Ingests and normalizes telemetry, configurations, entitlements, and controls from disparate providers (cloud APIs, IDPs, third-party tools) into vendor-agnostic tabular formats.
  • Property Graph Construction: Lifts tabular records into a unified, typed property graph where nodes (assets) and edges (relations) encode multi-vendor resource dependencies, privilege relations, and control attachments.
  • Knowledge Overlays: Maintains overlays encoding security controls, attack vectors (as parameterized traversals), and blast-radius patterns for on-demand, executable queries.
  • Agentic Researcher and Human-in-the-Loop: Automated agents synthesize candidate patterns and controls using empirical schema sampling, external knowledge grounding (e.g., MITRE ATT&CK, CWE, CAPEC), and structured graph tool calls. All overlays are human-validated to ensure correctness and semantic fidelity.

Scoring Layer

  • Feature Extraction: Normalizes heterogeneous signals (failed controls, attack-path counts, blast radius metrics) to a structured evidence vector in [0,1]d[0,1]^d per asset.
  • AI-Based Contextualization: Agentic components refine finding severities and classify business or data criticality, leveraging structured and semi-structured evidence. This pipeline ensures context-sensitive adjustment while preserving auditability.
  • Deterministic Aggregation: Evidence and context signals are aggregated using bounded, monotone, and saturating functions, enforcing stable and interpretable prioritization. The model ensures evidence-preserving, context-aware, and monotonic transformations.

Context-Aware Asset Scoring

The core scoring mechanism explicitly separates intrinsic exposure from contextual importance:

  • Base Exposure (B(a))(B(a)): Computed as the max\max of misconfiguration-based and attack-vector-based exposure, regulated by a channel cap and a floor parameter. The design avoids double-counting and ensures that severe misconfigurations or concrete exploitability dominate.
    • Misconfiguration Channel: Uses a non-linear weighted, multiplicative union of finding severities, tightly controlling the impact of accumulation and ensuring diminishing returns.
    • Attack-Vector Channel: Maps attack-path counts to exposure via an exponential saturating function, emphasizing the qualitative shift from the absence to the presence of exploit paths.
  • Contextual Vector (v(a))(v(a)): Aggregates normalized measures for configuration anomaly, blast radius, business-function criticality, and data criticality. These dimensions operationalize the difference in asset significance that cannot be captured by technical exposure alone.
  • Context Modulation: The aggregated context index scales the base exposure through a bounded multiplier, enabling context to amplify or attenuate—but not override—evidence.
  • Final Score (s(a))(s(a)): s(a)=min(1,B(a)m(a))s(a) = \min(1, B(a) m(a)), ensuring scores are interpretable, bounded, evidence-preserving, and monotone.

This formulation guarantees that assets are only prioritized as critical if both technical evidence and contextual signals align.

Experimental Evaluation

The evaluation leverages a production organizational snapshot:

  • Dataset: 131,625 resources, 15 vendors, 178 asset types; AWS accounts for 78.6%. About 30% of resources exhibited at least one risk signal.
  • Sensitivity Experiments: Systematically vary severity-weight mapping, attack-vector saturation parameter, and context multiplier strength. Results demonstrate:
    • Misconfiguration Channel: Nonlinear mappings with strong severity gaps and capped aggregation yield intuitive prioritization—severe findings dominate, and accumulation displays sharply diminishing returns.
    • AI-Based Severity Adjustment: Primarily downgrades low-severity findings to INFO, sharpening prioritization and decreasing false positives without broad inflation of high/critical scores.
    • Attack-Vector Channel: Attack-path evidence is rare but exerts maximal effect when present; tuning the saturation parameter allows calibration without oversensitivity.
    • Contextual Modulation: Controlled amplification of resource priority where contextual signals are strong. Only contextually and technically exposed assets reach the highest risk bins. The effect is consistently monotone and auditable.
  • Stability and Consistency: The separation of evidence and context, and deterministic scoring, ensure stable and reproducible asset rankings, mitigating prompt sensitivity and inference variance highlighted in recent LLM-based security studies (“PROSA” [32]).

Theoretical and Practical Implications

The framework’s explicit separation of technical exposure and contextual risk, combined with deterministic, bounded aggregation, represents a significant advance beyond vulnerability-centric or ad hoc AI agent approaches for asset prioritization. By grounding agentic contextualization within a controlled reasoning pipeline, the architecture provides both explainability and operational trust—both prerequisites for practical integration into enterprise SOC and posture management workflows.

The approach creates the necessary substrate for proactive AI-driven insight generation, enabling:

  • Consistent, automated identification of mission-critical risk concentrations
  • Continuous, organization-wide posture assessment without reliance on ad hoc user queries
  • Calibration and transparency suitable for regulated or high-assurance settings

The model’s auditing and tuning points (severity mapping, attack-path sensitivity, context multiplier) allow adaptation to operational requirements while preventing pathological prioritization behaviors.

Limitations and Future Directions

  • Single-Organization Evaluation: Deployment and validation occurred on a single, albeit heterogeneous, production snapshot. Broader empirical confirmation is required across other cloud architectures, organizational models, and business-criticality definitions.
  • Absence of Incident Ground Truth: Analysis focuses on behavioral sensitivity and consistency; correlation to real-world breach likelihood or incident data remains unproven.
  • Manual Contextual Criteria: Contextual weights and rubrics rely on domain expertise. Learning-based or organization-adaptive calibration could further enhance fit and resilience.

Future research should pursue cross-organizational validation, expert-led calibration studies, and integration of incident-driven feedback for further automation and effectiveness.

Conclusion

AI-native asset intelligence as formalized in this framework provides a necessary and robust foundation for stable, consistent, and proactive security posture reasoning. By introducing a modeling/knowledge layer that expresses complex asset relationships and a context-aware, deterministic scoring system, the framework enables trustworthy AI-driven prioritization and insight generation. The separation of evidence and context, auditability of agentic adjustments, and monotonic, bounded aggregation together ensure explainability and operational reliability. As organizations seek to unlock proactive security management at enterprise scale, such an approach offers a principled and adaptable path forward.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.