Risk Assessment
| Field | Value |
|---|---|
| Document ID | ASCEND-GOV-007 |
| Version | 2026.04 |
| Last Updated | April 2026 |
| Author | ASCEND Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |
Reading Time: 12 minutes | Skill Level: Advanced
Overview
ASCEND's risk assessment engine calculates dynamic risk scores (0-100) for every AI agent action. The score determines whether actions are auto-approved, require human approval, or are escalated.
Fail-Secure Behavior
If risk scoring fails or returns an error, ASCEND assigns the maximum risk score (95) and routes the action to human review. Risk calculation errors never result in automatic approval.
Risk Calculation Formula
```
Risk Score = (Environment × 35%) + (Data Sensitivity × 30%)
           + (Action Type × 25%) + (Operational Context × 10%)
```

| Component | Weight | Values |
|---|---|---|
| Environment | 35% | production: 35, staging: 20, development: 5 |
| Data Sensitivity | 30% | high_pii: 30, medium_pii: 20, low_pii: 10, none: 0 |
| Action Type | 25% | delete: 25, write: 20, read: 10, describe: 5 |
| Operational Context | 10% | peak: +10, night: +5, normal: 0 |

The weighted sum is then multiplied by a Resource Multiplier (0.8 - 1.2):

- database: 1.2x
- secrets: 1.2x
- storage: 1.1x
- compute: 0.9x

Example: DELETE on PRODUCTION DATABASE with PII

```
= ((35 × 0.35) + (30 × 0.33) + (25 × 0.25) + (0 × 0.07)) × 1.2
= (12.25 + 9.9 + 6.25 + 0) × 1.2
= 28.4 × 1.2 = 34.08 → Risk Score: 34
```

Note that the worked example, like the factory default `component_percentages` below, uses the split 35/33/25/7 rather than the 35/30/25/10 split shown in the formula header, and that the resource multiplier applies to the whole weighted sum, not only to the context term.
Configuration API
Get Active Configuration
```bash
curl "https://pilot.owkai.app/api/risk-scoring/config" \
  -H "Authorization: Bearer owkai_..."
```
Response:
```json
{
  "id": 1,
  "config_version": "1.2.0",
  "algorithm_version": "2.0.0",
  "environment_weights": {
    "production": 35,
    "staging": 20,
    "development": 5
  },
  "action_weights": {
    "delete": 25,
    "write": 20,
    "read": 10,
    "describe": 5,
    "list": 8
  },
  "resource_multipliers": {
    "rds": 1.2,
    "dynamodb": 1.15,
    "s3": 1.1,
    "lambda": 0.9,
    "ec2": 1.0,
    "iam": 1.2,
    "secretsmanager": 1.2,
    "kms": 1.2
  },
  "pii_weights": {
    "high_sensitivity": 30,
    "medium_sensitivity": 20,
    "low_sensitivity": 10,
    "none": 0
  },
  "component_percentages": {
    "environment": 35,
    "data_sensitivity": 33,
    "action_type": 25,
    "operational_context": 7
  },
  "is_active": true,
  "created_at": "2025-12-01T10:00:00Z",
  "activated_at": "2025-12-01T10:30:00Z"
}
```
Create New Configuration
```bash
curl -X POST "https://pilot.owkai.app/api/risk-scoring/config" \
  -H "Authorization: Bearer owkai_..." \
  -H "Content-Type: application/json" \
  -d '{
    "config_version": "1.3.0",
    "algorithm_version": "2.0.0",
    "description": "Updated weights for financial compliance",
    "environment_weights": {
      "production": 40,
      "staging": 25,
      "development": 5
    },
    "action_weights": {
      "delete": 30,
      "write": 25,
      "read": 15,
      "describe": 5,
      "list": 10
    },
    "resource_multipliers": {
      "rds": 1.3,
      "dynamodb": 1.15,
      "s3": 1.1,
      "lambda": 0.8,
      "ec2": 1.0,
      "iam": 1.3,
      "secretsmanager": 1.3,
      "kms": 1.3
    },
    "pii_weights": {
      "high_sensitivity": 35,
      "medium_sensitivity": 25,
      "low_sensitivity": 10,
      "none": 0
    },
    "component_percentages": {
      "environment": 35,
      "data_sensitivity": 35,
      "action_type": 23,
      "operational_context": 7
    }
  }'
```
Validate Configuration
```bash
curl -X POST "https://pilot.owkai.app/api/risk-scoring/config/validate" \
  -H "Authorization: Bearer owkai_..." \
  -H "Content-Type: application/json" \
  -d '{
    "config_version": "1.3.0",
    "component_percentages": {
      "environment": 35,
      "data_sensitivity": 35,
      "action_type": 25,
      "operational_context": 10
    }
  }'
```
Response:
```json
{
  "valid": false,
  "errors": [
    "Component percentages must sum to 100 (currently 105)"
  ],
  "warnings": [
    "High production weight (40) may cause excessive approvals"
  ]
}
```
Activate Configuration
```bash
curl -X PUT "https://pilot.owkai.app/api/risk-scoring/config/5/activate" \
  -H "Authorization: Bearer owkai_..."
```
Response:
```json
{
  "id": 5,
  "config_version": "1.3.0",
  "is_active": true,
  "activated_at": "2025-12-15T10:30:00Z",
  "activated_by": "admin@company.com",
  "previous_config_id": 4
}
```
Weight Configuration
Environment Weights (0-100)
| Environment | Default | Description |
|---|---|---|
| production | 35 | Live customer data |
| staging | 20 | Pre-production testing |
| development | 5 | Developer environments |
Action Weights (0-100)
| Action | Default | Description |
|---|---|---|
| delete | 25 | Data destruction |
| write | 20 | Data modification |
| read | 10 | Data access |
| list | 8 | Resource enumeration |
| describe | 5 | Metadata access |
Resource Multipliers (0.8-1.2)
| Resource | Multiplier | Rationale |
|---|---|---|
| rds | 1.2 | Relational databases |
| dynamodb | 1.15 | NoSQL databases |
| secretsmanager | 1.2 | Credentials |
| kms | 1.2 | Encryption keys |
| iam | 1.2 | Identity management |
| s3 | 1.1 | Object storage |
| ec2 | 1.0 | Compute (neutral) |
| lambda | 0.9 | Functions (lower risk) |
PII Weights (0-100)
| Classification | Default | Examples |
|---|---|---|
| high_sensitivity | 30 | SSN, health records, financial data |
| medium_sensitivity | 20 | Email, phone, address |
| low_sensitivity | 10 | Name, general PII |
| none | 0 | Non-PII data |
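The Validate Configuration endpoint above reports a percentage sum that is off, and the weight tables give the accepted ranges. The following is an added example, not ASCEND's own validator, of a client-side pre-check that applies those same rules before a configuration is submitted: component percentages must sum to 100, weights must be within 0-100, and resource multipliers within 0.8-1.2. The warning threshold for the production weight (anything above the default of 35) is an assumption; the page shows the warning for 40 but does not state the cut-off. Because this check treats 0.8-1.2 as a hard bound, the 1.3 multipliers in the 1.3.0 example above would be reported as errors; whether the service enforces that range is not stated on this page.

```python
# Added example: local pre-validation of a risk-scoring configuration using the
# rules stated on this page. Not ASCEND's code; the production-weight warning
# threshold is an assumption.

ENV_RANGE = (0, 100)           # Environment Weights (0-100)
ACTION_RANGE = (0, 100)        # Action Weights (0-100)
PII_RANGE = (0, 100)           # PII Weights (0-100)
MULTIPLIER_RANGE = (0.8, 1.2)  # Resource Multipliers (0.8-1.2)
REQUIRED_COMPONENTS = ("environment", "data_sensitivity",
                       "action_type", "operational_context")
DEFAULT_PRODUCTION_WEIGHT = 35  # assumption: warn when production exceeds the default


def _check_range(section, values, lo, hi, errors):
    """Append an error for every value that is not a number within [lo, hi]."""
    for key, value in values.items():
        is_number = isinstance(value, (int, float)) and not isinstance(value, bool)
        if not is_number or not lo <= value <= hi:
            errors.append(f"{section}.{key} must be a number in [{lo}, {hi}] (got {value!r})")


def validate_risk_config(config):
    """Return {"valid": bool, "errors": [...], "warnings": [...]} for a config dict."""
    errors, warnings = [], []

    pct = config.get("component_percentages")
    if not isinstance(pct, dict):
        errors.append("component_percentages is required")
    else:
        missing = [c for c in REQUIRED_COMPONENTS if c not in pct]
        if missing:
            errors.append(f"component_percentages missing: {', '.join(missing)}")
        total = sum(v for v in pct.values()
                    if isinstance(v, (int, float)) and not isinstance(v, bool))
        if total != 100:
            errors.append(f"Component percentages must sum to 100 (currently {total})")

    _check_range("environment_weights", config.get("environment_weights", {}), *ENV_RANGE, errors)
    _check_range("action_weights", config.get("action_weights", {}), *ACTION_RANGE, errors)
    _check_range("pii_weights", config.get("pii_weights", {}), *PII_RANGE, errors)
    _check_range("resource_multipliers", config.get("resource_multipliers", {}),
                 *MULTIPLIER_RANGE, errors)

    prod = config.get("environment_weights", {}).get("production")
    if isinstance(prod, (int, float)) and prod > DEFAULT_PRODUCTION_WEIGHT:
        warnings.append(f"High production weight ({prod}) may cause excessive approvals")

    return {"valid": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # The request body from the Validate Configuration example on this page.
    request = {
        "config_version": "1.3.0",
        "component_percentages": {"environment": 35, "data_sensitivity": 35,
                                  "action_type": 25, "operational_context": 10},
    }
    print(validate_risk_config(request))
```

Run it on the page's own validate request and it returns `valid: false` with the same "currently 105" error the service produces; a config carrying the factory default percentages but a production weight of 40 passes the sum check and only raises the warning.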
Risk Score Interpretation
Risk Levels
| Score Range | Level | Typical Workflow |
|---|---|---|
| 0-30 | Low | Auto-approve |
| 30-60 | Medium | Single approval |
| 60-80 | High | Multi-approval |
| 80-100 | Critical | Security escalation |
Example Calculations
Low Risk Action
```python
# Read from S3 in development
action = {
    "action_type": "read",
    "environment": "development",
    "resource": "s3",
    "data_classification": "none"
}
# Calculation:
# Environment: 5 × 0.35 = 1.75
# Data: 0 × 0.33 = 0
# Action: 10 × 0.25 = 2.5
# Context: 0 × 0.07 = 0
# Subtotal: 4.25
# × Multiplier: 4.25 × 1.1 = 4.68
# Risk Score: 5 (LOW)
```
High Risk Action
```python
# Delete from production database with PII
action = {
    "action_type": "delete",
    "environment": "production",
    "resource": "rds",
    "data_classification": "high_sensitivity"
}
# Calculation:
# Environment: 35 × 0.35 = 12.25
# Data: 30 × 0.33 = 9.9
# Action: 25 × 0.25 = 6.25
# Context: 0 × 0.07 = 0
# Subtotal: 28.4
# × Multiplier: 28.4 × 1.2 = 34.08
# Risk Score: 34 (MEDIUM)
# Note: Would be higher with peak hours context
```
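The formula, the fail-secure rule, the risk-level table and the two worked calculations above can be checked end to end with the following added example. It is not ASCEND's engine; it is a reference implementation that uses the factory default configuration from this page and the context points from the formula box. Two details the page leaves open are assumptions here: a score exactly on a level boundary (30, 60, 80) is assigned to the higher level, and any scoring error (unknown environment, action, resource or classification) is caught and mapped to the page's fail-secure score of 95 with a human-review workflow.

```python
# Added example: reference implementation of the risk score formula using the
# factory default configuration on this page. Not ASCEND's own code.

FACTORY_DEFAULT = {
    "environment_weights": {"production": 35, "staging": 20, "development": 5},
    "action_weights": {"delete": 25, "write": 20, "read": 10, "describe": 5, "list": 8},
    "resource_multipliers": {"rds": 1.2, "dynamodb": 1.15, "s3": 1.1, "lambda": 0.9,
                             "ec2": 1.0, "iam": 1.2, "secretsmanager": 1.2, "kms": 1.2},
    "pii_weights": {"high_sensitivity": 30, "medium_sensitivity": 20,
                    "low_sensitivity": 10, "none": 0},
    "component_percentages": {"environment": 35, "data_sensitivity": 33,
                              "action_type": 25, "operational_context": 7},
}

# Operational-context points from the formula box (peak +10, night +5, normal 0).
CONTEXT_WEIGHTS = {"peak": 10, "night": 5, "normal": 0}

FAIL_SECURE_SCORE = 95  # page: scoring errors get the maximum score and human review


def compute_risk_score(action, config=FACTORY_DEFAULT):
    """Return the unrounded risk score for an action dict.

    Raises KeyError for an unknown environment, action, resource or
    classification so the caller can apply fail-secure handling.
    """
    pct = config["component_percentages"]
    env = config["environment_weights"][action["environment"]]
    data = config["pii_weights"][action["data_classification"]]
    act = config["action_weights"][action["action_type"]]
    ctx = CONTEXT_WEIGHTS[action.get("operational_context", "normal")]
    multiplier = config["resource_multipliers"][action["resource"]]

    subtotal = (env * pct["environment"] / 100
                + data * pct["data_sensitivity"] / 100
                + act * pct["action_type"] / 100
                + ctx * pct["operational_context"] / 100)
    # The multiplier applies to the whole weighted sum; clamp to the 0-100 scale.
    return max(0.0, min(100.0, subtotal * multiplier))


def risk_level(score):
    """Map a score to the page's levels and typical workflow.
    Assumption: a boundary value (30, 60, 80) belongs to the higher level."""
    if score < 30:
        return "LOW", "auto-approve"
    if score < 60:
        return "MEDIUM", "single approval"
    if score < 80:
        return "HIGH", "multi-approval"
    return "CRITICAL", "security escalation"


def evaluate(action, config=FACTORY_DEFAULT):
    """Score an action and pick its workflow; any scoring error is fail-secure."""
    try:
        score = round(compute_risk_score(action, config))
    except (KeyError, TypeError, ZeroDivisionError) as exc:
        # Fail-secure: never auto-approve because the scorer broke.
        return {"risk_score": FAIL_SECURE_SCORE, "risk_level": "CRITICAL",
                "workflow": "human review", "error": repr(exc)}
    level, workflow = risk_level(score)
    return {"risk_score": score, "risk_level": level, "workflow": workflow}


if __name__ == "__main__":
    high = {"action_type": "delete", "environment": "production",
            "resource": "rds", "data_classification": "high_sensitivity"}
    low = {"action_type": "read", "environment": "development",
           "resource": "s3", "data_classification": "none"}
    broken = dict(high, resource="unknown-service")  # constructed: triggers fail-secure
    for a in (high, low, dict(high, operational_context="peak"), broken):
        print(evaluate(a))
```

The two actions from the page reproduce its numbers (34, MEDIUM and 5, LOW); adding `operational_context: "peak"` to the delete raises it to 35, which shows how little the 7% context weight moves a score under the defaults. The constructed unknown resource is the case the Fail-Secure Behavior section describes: the scorer raises, and the caller returns 95 and routes to human review instead of auto-approving.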
CVSS Integration
CVSS 3.1 Mapping
ASCEND can map risk scores to CVSS severity levels:
| CVSS Severity | CVSS Score | ASCEND Risk |
|---|---|---|
| None | 0.0 | 0-10 |
| Low | 0.1-3.9 | 10-30 |
| Medium | 4.0-6.9 | 30-60 |
| High | 7.0-8.9 | 60-80 |
| Critical | 9.0-10.0 | 80-100 |
Enable CVSS Mapping
```json
{
  "cvss_mapping_enabled": true,
  "cvss_thresholds": {
    "low": 10,
    "medium": 30,
    "high": 60,
    "critical": 80
  }
}
```
Configuration History
List Configuration History
```bash
curl "https://pilot.owkai.app/api/risk-scoring/config/history?limit=10" \
  -H "Authorization: Bearer owkai_..."
```
Response:
```json
{
  "configs": [
    {
      "id": 5,
      "config_version": "1.3.0",
      "is_active": true,
      "created_at": "2025-12-15T10:00:00Z",
      "created_by": "admin@company.com",
      "activated_at": "2025-12-15T10:30:00Z"
    },
    {
      "id": 4,
      "config_version": "1.2.0",
      "is_active": false,
      "created_at": "2025-12-01T10:00:00Z",
      "created_by": "admin@company.com",
      "activated_at": "2025-12-01T10:30:00Z"
    }
  ]
}
```
Rollback to Default
```bash
curl -X POST "https://pilot.owkai.app/api/risk-scoring/config/rollback-to-default" \
  -H "Authorization: Bearer owkai_..."
```
Factory Default
New organizations receive a factory default configuration:
```python
# Source: routes/risk_scoring_config_routes.py:47
factory_default = {
    "config_version": "1.0.0-default",
    "algorithm_version": "2.0.0",
    "environment_weights": {
        "production": 35,
        "staging": 20,
        "development": 5
    },
    "action_weights": {
        "delete": 25,
        "write": 20,
        "read": 10,
        "describe": 5,
        "list": 8
    },
    "resource_multipliers": {
        "rds": 1.2,
        "dynamodb": 1.15,
        "s3": 1.1,
        "lambda": 0.9,
        "ec2": 1.0,
        "iam": 1.2,
        "secretsmanager": 1.2,
        "kms": 1.2
    },
    "pii_weights": {
        "high_sensitivity": 30,
        "medium_sensitivity": 20,
        "low_sensitivity": 10,
        "none": 0
    },
    "component_percentages": {
        "environment": 35,
        "data_sensitivity": 33,
        "action_type": 25,
        "operational_context": 7
    }
}
```
SDK Integration
Get Risk Breakdown
```python
from ascend import AscendClient

client = AscendClient(api_key="owkai_...")

result = client.evaluate_action(
    action_type="database.delete",
    resource="customers",
    parameters={"table": "users"},
    context={
        "environment": "production",
        "data_classification": "pii"
    }
)

# Access risk breakdown
print(f"Risk Score: {result.risk_score}")
print(f"Risk Level: {result.risk_level}")
print("Factors:")
for factor, contribution in result.risk_factors.items():
    print(f"  {factor}: {contribution}")
```
Custom Risk Indicators
```python
result = client.evaluate_action(
    action_type="financial.transfer",
    resource="wire_transfer",
    parameters={"amount": 50000},
    risk_indicators={
        "risk_level": "high",
        "data_classification": "financial",
        "requires_approval": True
    }
)
```
Audit Trail
All configuration changes are logged:
```json
{
  "event_type": "CONFIG_CHANGE",
  "actor_id": "admin@company.com",
  "resource_type": "RISK_CONFIG",
  "action": "ACTIVATE",
  "event_data": {
    "config_id": 5,
    "config_version": "1.3.0",
    "previous_config_id": 4
  },
  "risk_level": "HIGH",
  "compliance_tags": ["SOX", "CONFIG_MANAGEMENT", "CRITICAL_CHANGE"]
}
```
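An ACTIVATE event tells you that the scoring configuration changed, but not whether the change made the engine stricter or more lenient. The following added example (not ASCEND's code) shows how a reviewer or a detection pipeline can resolve the event's `config_id` and `previous_config_id` against the configuration history and diff the two documents, flagging every weight, multiplier or percentage that decreased, since those are the changes that can only lower scores and move actions toward auto-approval. The two configurations embedded here are the 1.2.0 and 1.3.0 documents shown in the Configuration API section, and the event is the one above; the `{config_id: config}` lookup is an assumption standing in for a call to the history endpoint.

```python
# Added example: diff the activated config against the one it replaced and
# surface score-lowering changes for review. Not ASCEND's code; the configs
# and event below are copied from this page as constructed inputs.

PREVIOUS = {  # config id 4, version 1.2.0 (Get Active Configuration)
    "config_version": "1.2.0",
    "environment_weights": {"production": 35, "staging": 20, "development": 5},
    "action_weights": {"delete": 25, "write": 20, "read": 10, "describe": 5, "list": 8},
    "resource_multipliers": {"rds": 1.2, "dynamodb": 1.15, "s3": 1.1, "lambda": 0.9,
                             "ec2": 1.0, "iam": 1.2, "secretsmanager": 1.2, "kms": 1.2},
    "pii_weights": {"high_sensitivity": 30, "medium_sensitivity": 20,
                    "low_sensitivity": 10, "none": 0},
    "component_percentages": {"environment": 35, "data_sensitivity": 33,
                              "action_type": 25, "operational_context": 7},
}
NEW = {  # config id 5, version 1.3.0 (Create New Configuration)
    "config_version": "1.3.0",
    "environment_weights": {"production": 40, "staging": 25, "development": 5},
    "action_weights": {"delete": 30, "write": 25, "read": 15, "describe": 5, "list": 10},
    "resource_multipliers": {"rds": 1.3, "dynamodb": 1.15, "s3": 1.1, "lambda": 0.8,
                             "ec2": 1.0, "iam": 1.3, "secretsmanager": 1.3, "kms": 1.3},
    "pii_weights": {"high_sensitivity": 35, "medium_sensitivity": 25,
                    "low_sensitivity": 10, "none": 0},
    "component_percentages": {"environment": 35, "data_sensitivity": 35,
                              "action_type": 23, "operational_context": 7},
}
EVENT = {  # the CONFIG_CHANGE audit event shown on this page
    "event_type": "CONFIG_CHANGE", "actor_id": "admin@company.com",
    "resource_type": "RISK_CONFIG", "action": "ACTIVATE",
    "event_data": {"config_id": 5, "config_version": "1.3.0", "previous_config_id": 4},
}

SECTIONS = ("environment_weights", "action_weights", "resource_multipliers",
            "pii_weights", "component_percentages")


def diff_configs(previous, new):
    """List every (section, key, old, new) whose value differs; a key present on
    only one side shows None for the other side."""
    changes = []
    for section in SECTIONS:
        old_vals, new_vals = previous.get(section, {}), new.get(section, {})
        for key in sorted(set(old_vals) | set(new_vals)):
            old, cur = old_vals.get(key), new_vals.get(key)
            if old != cur:
                changes.append((section, key, old, cur))
    return changes


def loosening_changes(changes):
    """Keep only changes that lower a score contribution: a value that decreased
    or was removed entirely. Additions and increases are not flagged."""
    return [c for c in changes if c[3] is None or (c[2] is not None and c[3] < c[2])]


def review_activation(event, configs_by_id):
    """Summarise a CONFIG_CHANGE/ACTIVATE event for a reviewer; None for other events."""
    if event.get("event_type") != "CONFIG_CHANGE" or event.get("action") != "ACTIVATE":
        return None
    new = configs_by_id[event["event_data"]["config_id"]]
    previous = configs_by_id[event["event_data"]["previous_config_id"]]
    changes = diff_configs(previous, new)
    loosened = loosening_changes(changes)
    return {
        "actor": event["actor_id"],
        "from_version": previous["config_version"],
        "to_version": new["config_version"],
        "change_count": len(changes),
        "loosened": loosened,
        "needs_review": bool(loosened),
    }


if __name__ == "__main__":
    summary = review_activation(EVENT, {4: PREVIOUS, 5: NEW})
    print(f"{summary['from_version']} -> {summary['to_version']} by {summary['actor']}: "
          f"{summary['change_count']} changes")
    for section, key, old, cur in summary["loosened"]:
        print(f"  LOOSENED {section}.{key}: {old} -> {cur}")
```

For the 1.2.0 to 1.3.0 activation on this page the diff contains fifteen changes, thirteen of them increases; the two that lower scores are the `lambda` multiplier (0.9 to 0.8) and the `action_type` percentage (25 to 23), which is exactly the pair a reviewer would want called out rather than buried in a description field.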
Best Practices
1. Start with Defaults
```
# Use factory defaults initially
# Monitor and tune based on your patterns
```
2. Validate Before Activating
```python
# Always validate configuration
validation = client.validate_risk_config(new_config)
if validation.errors:
    print("Cannot activate - fix errors first")
else:
    client.activate_risk_config(new_config.id)
```
3. Version Configurations
```
# Use semantic versioning
{
  "config_version": "1.3.0"   # MAJOR.MINOR.PATCH
}
# MAJOR: Breaking changes
# MINOR: New weights/resources
# PATCH: Threshold adjustments
```
4. Document Changes
```json
{
  "description": "JIRA-1234: Increased production weight per security audit"
}
```
5. Test in Staging
```
# Create config without activating
POST /api/risk-scoring/config
# Test with dry-run
POST /api/risk-scoring/config/validate
# Review in staging before production activation
```
Next Steps
- Policies — Configure governance policies
- Audit Logging — Track changes
- Compliance — Meet regulatory requirements