AI Security Scoring Your Auditor Can Verify

AISS (Ayliea AI Security Standard) is the open methodology behind every assessment on the platform — 10 control domains, 56 sub-controls, 9 framework crosswalks, published under CC-BY-4.0 at github.com/Ayliea/aiss. Most compliance scoring is opaque because opacity is where vendor pricing leverage lives. We took the opposite position: practitioners, auditors, and forks have full access to the methodology. Your auditor can reproduce any score using only the published spec and the answers your team provides.

Vanta and Drata are general compliance automation platforms with proprietary scoring algorithms — auditors can’t verify the math, only the result. Ayliea publishes the scoring methodology under CC-BY-4.0. We cover the same compliance frameworks (SOC 2, ISO 27001, NIST CSF, HIPAA, PCI DSS, NIST 800-53, CIS Controls v8.1) plus AI-specific control domains and threat-informed scoring (MITRE ATLAS). Glass-Box scoring is structural, not marketing — VC-funded competitors can’t follow because their pricing model depends on opacity.

Glass-Box Score is visual proof that every score is reproducible. On the results page, you can expand any AC-1 through AC-10 control domain to see exactly which questions, weights, framework citations, and MITRE ATLAS technique mappings produced its score. Any auditor can reproduce the math from the published JSON spec at github.com/Ayliea/aiss using only your answers and the spec. No proprietary algorithm, no vendor magic.

A vertical bundle is AISS applied to a regulated industry. Healthcare (HIPAA + FDA SaMD + BAA framing) and Financial Services (NYDFS Part 500, EU DORA, SR 11-7, FINRA, SEC Marketing Rule) ship today. Each bundle includes the curated MITRE ATLAS threat profile for that vertical, a cyber-insurance underwriting crosswalk you can submit alongside a carrier application, and the eight priority AISS sub-controls that matter most for that vertical. Legal threat profile shipped; full Legal bundle in progress.

Click ‘Start free’ or ‘Read AISS’ anywhere on the site. The self-serve signup flow is live as of the 2026-05-12 PLG pricing pivot. Tier definitions: Free runs your first AISS assessment (no credit card). Pro at $1,200/yr adds 1 paid framework + AI recommendations + PDF export. Business at $3,600/yr unlocks all 7 compliance frameworks + continuous monitoring + advanced trust center. Enterprise (from $15,000/yr, published floor) is inbound only for custom integrations.

Yes. AISS is CC-BY-4.0 — attribution required, but commercial use, modification, and redistribution are all permitted. You can run the standard against your AI surface using nothing but the published spec, fork it for internal extension, or use it as the methodology in an external audit you’re delivering to a client. The Ayliea platform is for organizations that want the scoring + audit-trail + AI-personalized remediation done for them; the standard itself stays free forever.

Network discovery is still in the platform — it’s evidence input that powers your Trust Gap (the difference between what you self-report and what’s actually in your environment). But it’s positioned as evidence input now, not a standalone flagship feature. Category is saturated (Sola ships network-level free; Credo, Portal26, Reco, LayerX, Microsoft Purview saturate SaaS-API discovery). Our differentiator is the open standard you score against, not the discovery surface.

Yes. The discovery surface reads DNS queries and TLS handshake metadata only — 99% of traffic is discarded locally before anything leaves your network. All data encrypted in transit and at rest. We don’t sell data, we don’t train models on it, and we never will. The full Trust Center at /trust shows our security posture and policies in detail.