OUR APPROACH
A Rigorous, Repeatable Methodology
Our assessment framework is built on industry-standard security frameworks extended with AI-specific control domains. Every engagement follows the same structured methodology to ensure consistency, completeness, and actionable results.
Built on Established Standards
The Ayliea AI Security Assessment Framework is built on NIST AI Risk Management Framework (AI RMF), NIST Cybersecurity Framework (CSF) 2.0, CIS Controls v8, and ISO/IEC 27001:2022. We extend these with 10 AI-specific control domains that address the unique threat landscape of organizational AI adoption.
| Domain ID | Domain Name | NIST AI RMF | NIST CSF | CIS v8 | ISO 27001 |
|---|---|---|---|---|---|
| AC-1 | AI Governance & Policy | ✓ | ✓ | — | ✓ |
| AC-2 | AI Asset Management | — | ✓ | ✓ | ✓ |
| AC-3 | Data Protection in AI | ✓ | ✓ | ✓ | ✓ |
| AC-4 | Access Control for AI | — | ✓ | ✓ | ✓ |
| AC-5 | AI Supply Chain Security | ✓ | ✓ | — | ✓ |
| AC-6 | AI Output Validation | ✓ | — | — | — |
| AC-7 | AI Incident Response | — | ✓ | ✓ | ✓ |
| AC-8 | AI Monitoring & Logging | — | ✓ | ✓ | ✓ |
| AC-9 | AI Training & Awareness | ✓ | — | ✓ | ✓ |
| AC-10 | Model Security | ✓ | — | — | — |
The Assessment Lifecycle
Phase 1: Scoping & Kickoff
- Kickoff meeting with project sponsors
- Scoping questionnaire review
- Define assessment boundaries and compliance targets
- Establish communication channels and schedule
Client involvement: High — key stakeholders participate in kickoff
Phase 2: Discovery
- AI asset discovery (network, endpoint, interview-based)
- Data flow mapping and classification
- Stakeholder interviews across departments
- Documentation and policy review
Client involvement: Medium — IT and department leads provide access and context
Phase 3: Assessment
- Control evaluation across 10 AI security domains
- Compliance gap analysis against selected frameworks
- Technical testing (API security, access controls, data handling)
- Evidence collection and documentation
Client involvement: Low — assessment team works independently
Phase 4: Analysis & Reporting
- Risk scoring using composite methodology
- Finding prioritization and remediation planning
- Report drafting (executive summary, technical report, appendices)
- Quality assurance review
Client involvement: None — internal analysis phase
Phase 5: Delivery & Briefing
- Executive briefing presentation
- Technical team walkthrough of findings and remediation roadmap
- Q&A and clarification sessions
- Follow-up advisory engagement begins (if included)
Client involvement: High — executive and technical teams attend briefings
Composite Risk Scoring
Risk Score = (Likelihood × Impact × Data Sensitivity) / Control Effectiveness
Each factor is scored 1–4. Higher scores indicate greater risk exposure. Control effectiveness reduces the composite score.
Likelihood (1–4): Probability the threat is exploited, based on exposure and attack surface
Impact (1–4): Business consequence if the risk materializes — financial, reputational, operational
Data Sensitivity (1–4): Classification of data exposed — public, internal, confidential, regulated
Control Effectiveness (1–4): Strength of existing mitigations — divides the composite score to reflect controls
| Severity | Score Range | Response |
|---|---|---|
| Critical | 48 - 64 | Immediate action required. 48-hour remediation plan. |
| High | 24 - 47 | Priority remediation within 30 days. |
| Medium | 8 - 23 | Planned remediation within 90 days. |
| Low | 1 - 7 | Best practice improvement. Next planning cycle. |
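The formula and severity table above are enough to implement the scoring step of Phase 4 end to end. The following is an added illustration, not code from Ayliea or the framework described here: it computes the composite score from the four 1–4 factors, maps it onto the page's severity bands, and orders a list of findings for prioritization. Because the factors multiply and then divide, scores range from 0.25 (1×1×1/4) to 64 (4×4×4/1) and are often fractional, while the table lists integer ranges; this example treats each band as "score at or above its lower bound" (so 47.5 is High and 0.25 is Low), which is an assumption of the example, as are the sample findings, their domain tags and factor values.

```python
"""Composite risk scoring, as described on the page:

    Risk Score = (Likelihood x Impact x Data Sensitivity) / Control Effectiveness

Each factor is an integer from 1 to 4. Severity bands follow the page's table;
how fractional scores fall between the integer ranges is this example's assumption.
"""
from dataclasses import dataclass

FACTOR_MIN, FACTOR_MAX = 1, 4

# Severity bands from the page's table as (lower bound, label, response).
# ASSUMPTION: a score belongs to the first band whose lower bound it reaches,
# so fractional scores between the table's integer ranges are still classified.
SEVERITY_BANDS = (
    (48, "Critical", "Immediate action required. 48-hour remediation plan."),
    (24, "High", "Priority remediation within 30 days."),
    (8, "Medium", "Planned remediation within 90 days."),
    (0, "Low", "Best practice improvement. Next planning cycle."),
)


@dataclass(frozen=True)
class Finding:
    title: str
    domain: str  # control domain ID from the page's table, e.g. "AC-4"
    likelihood: int
    impact: int
    data_sensitivity: int
    control_effectiveness: int


def _check_factor(name: str, value: int) -> int:
    """Reject anything outside the 1-4 scale before it can distort the score."""
    if not isinstance(value, int) or not FACTOR_MIN <= value <= FACTOR_MAX:
        raise ValueError(f"{name} must be an integer in {FACTOR_MIN}-{FACTOR_MAX}, got {value!r}")
    return value


def risk_score(likelihood: int, impact: int, data_sensitivity: int,
               control_effectiveness: int) -> float:
    """Apply the page's formula; control effectiveness divides the product."""
    l = _check_factor("likelihood", likelihood)
    i = _check_factor("impact", impact)
    d = _check_factor("data_sensitivity", data_sensitivity)
    c = _check_factor("control_effectiveness", control_effectiveness)
    return (l * i * d) / c


def severity(score: float) -> tuple[str, str]:
    """Map a composite score to (severity label, required response)."""
    for lower_bound, label, response in SEVERITY_BANDS:
        if score >= lower_bound:
            return label, response
    raise ValueError(f"score {score!r} is below every band")  # unreachable for valid factors


def score_finding(finding: Finding) -> tuple[float, str, str]:
    """Return (score, severity label, response) for one finding."""
    score = risk_score(finding.likelihood, finding.impact,
                       finding.data_sensitivity, finding.control_effectiveness)
    label, response = severity(score)
    return score, label, response


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings by descending composite score (Phase 4 prioritization).
    sorted() is stable, so equal scores keep their original order."""
    return sorted(findings, key=lambda f: score_finding(f)[0], reverse=True)


# Constructed sample findings for demonstration; not from any real engagement.
SAMPLE_FINDINGS = [
    Finding("No AI acceptable-use policy", "AC-1", 2, 2, 1, 1),                 # 4.0  -> Low
    Finding("Prompt logs retained without access review", "AC-8", 2, 2, 4, 2),   # 8.0  -> Medium
    Finding("Internal LLM API reachable without authentication", "AC-4", 4, 3, 3, 1),  # 36.0 -> High
    Finding("Unpinned third-party model download in CI", "AC-5", 3, 4, 2, 2),    # 12.0 -> Medium
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        s, label, response = score_finding(f)
        print(f"{s:6.2f}  {label:<8} {f.domain:<5} {f.title}: {response}")
```

Validating every factor before multiplying matters more than it looks: a single out-of-range value (a 5, or a 0 in the divisor) silently pushes a finding into the wrong band, and with four factors per finding that kind of data-entry slip is the most common way a prioritization list ends up wrong.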
See the Methodology in Action
Every assessment starts with a free 30-minute scoping call. We'll show you exactly how this methodology applies to your organization — and what it will cost.
