Risk Assessment
| Field | Value |
|---|---|
| Document ID | ASCEND-GOV-007 |
| Version | 1.0.0 |
| Last Updated | December 19, 2025 |
| Author | Ascend Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |
Reading Time: 12 minutes | Skill Level: Advanced
Overview
ASCEND's risk assessment engine calculates dynamic risk scores (0-100) for every AI agent action. The score determines whether actions are auto-approved, require human approval, or are escalated.
Risk Calculation Formula
Risk Score = [(Environment × 35%) + (Data Sensitivity × 33%) + (Action Type × 25%) + (Operational Context × 7%)] × Resource Multiplier

| Component | Weight | Values |
|---|---|---|
| Environment | 35% | production: 35, staging: 20, development: 5 |
| Data Sensitivity | 33% | high_pii: 30, medium_pii: 20, low_pii: 10, none: 0 |
| Action Type | 25% | delete: 25, write: 20, read: 10, describe: 5 |
| Operational Context | 7% | peak: +10, night: +5, normal: 0 |

Resource Multiplier (0.8 - 1.2):
- database: 1.2x
- secrets: 1.2x
- storage: 1.1x
- compute: 0.9x

Example: DELETE on PRODUCTION DATABASE with PII
= [(35 × 0.35) + (30 × 0.33) + (25 × 0.25) + (0 × 0.07)] × 1.2
= (12.25 + 9.9 + 6.25 + 0) × 1.2
= 28.4 × 1.2 = 34.08 → Risk Score: 34
Configuration API
Get Active Configuration
curl "https://pilot.owkai.app/api/risk-scoring/config" \
-H "Authorization: Bearer owkai_..."
Response:
{
"id": 1,
"config_version": "1.2.0",
"algorithm_version": "2.0.0",
"environment_weights": {
"production": 35,
"staging": 20,
"development": 5
},
"action_weights": {
"delete": 25,
"write": 20,
"read": 10,
"describe": 5,
"list": 8
},
"resource_multipliers": {
"rds": 1.2,
"dynamodb": 1.2,
"s3": 1.1,
"lambda": 0.9,
"ec2": 1.0,
"iam": 1.2,
"secretsmanager": 1.2,
"kms": 1.2
},
"pii_weights": {
"high_sensitivity": 30,
"medium_sensitivity": 20,
"low_sensitivity": 10,
"none": 0
},
"component_percentages": {
"environment": 35,
"data_sensitivity": 33,
"action_type": 25,
"operational_context": 7
},
"is_active": true,
"created_at": "2025-12-01T10:00:00Z",
"activated_at": "2025-12-01T10:30:00Z"
}
Create New Configuration
curl -X POST "https://pilot.owkai.app/api/risk-scoring/config" \
-H "Authorization: Bearer owkai_..." \
-H "Content-Type: application/json" \
-d '{
"config_version": "1.3.0",
"algorithm_version": "2.0.0",
"description": "Updated weights for financial compliance",
"environment_weights": {
"production": 40,
"staging": 25,
"development": 5
},
"action_weights": {
"delete": 30,
"write": 25,
"read": 15,
"describe": 5,
"list": 10
},
"resource_multipliers": {
"rds": 1.3,
"dynamodb": 1.2,
"s3": 1.1,
"lambda": 0.8,
"ec2": 1.0,
"iam": 1.3,
"secretsmanager": 1.3,
"kms": 1.3
},
"pii_weights": {
"high_sensitivity": 35,
"medium_sensitivity": 25,
"low_sensitivity": 10,
"none": 0
},
"component_percentages": {
"environment": 35,
"data_sensitivity": 35,
"action_type": 23,
"operational_context": 7
}
}'
Validate Configuration
curl -X POST "https://pilot.owkai.app/api/risk-scoring/config/validate" \
-H "Authorization: Bearer owkai_..." \
-H "Content-Type: application/json" \
-d '{
"config_version": "1.3.0",
"component_percentages": {
"environment": 35,
"data_sensitivity": 35,
"action_type": 25,
"operational_context": 10
}
}'
Response:
{
"valid": false,
"errors": [
"Component percentages must sum to 100 (currently 105)"
],
"warnings": [
"High production weight (40) may cause excessive approvals"
]
}
Activate Configuration
curl -X PUT "https://pilot.owkai.app/api/risk-scoring/config/5/activate" \
-H "Authorization: Bearer owkai_..."
Response:
{
"id": 5,
"config_version": "1.3.0",
"is_active": true,
"activated_at": "2025-12-15T10:30:00Z",
"activated_by": "admin@company.com",
"previous_config_id": 4
}
Weight Configuration
Environment Weights (0-100)
| Environment | Default | Description |
|---|---|---|
| production | 35 | Live customer data |
| staging | 20 | Pre-production testing |
| development | 5 | Developer environments |
Action Weights (0-100)
| Action | Default | Description |
|---|---|---|
| delete | 25 | Data destruction |
| write | 20 | Data modification |
| read | 10 | Data access |
| list | 8 | Resource enumeration |
| describe | 5 | Metadata access |
Resource Multipliers (0.8-1.2)
| Resource | Multiplier | Rationale |
|---|---|---|
| rds | 1.2 | Relational databases |
| dynamodb | 1.2 | NoSQL databases |
| secretsmanager | 1.2 | Credentials |
| kms | 1.2 | Encryption keys |
| iam | 1.2 | Identity management |
| s3 | 1.1 | Object storage |
| ec2 | 1.0 | Compute (neutral) |
| lambda | 0.9 | Functions (lower risk) |
PII Weights (0-100)
| Classification | Default | Examples |
|---|---|---|
| high_sensitivity | 30 | SSN, health records, financial data |
| medium_sensitivity | 20 | Email, phone, address |
| low_sensitivity | 10 | Name, general PII |
| none | 0 | Non-PII data |
Risk Score Interpretation
Risk Levels
| Score Range | Level | Typical Workflow |
|---|---|---|
| 0-30 | Low | Auto-approve |
| 30-60 | Medium | Single approval |
| 60-80 | High | Multi-approval |
| 80-100 | Critical | Security escalation |
Example Calculations
Low Risk Action
# Read from S3 in development
action = {
"action_type": "read",
"environment": "development",
"resource": "s3",
"data_classification": "none"
}
# Calculation:
# Environment: 5 × 0.35 = 1.75
# Data: 0 × 0.33 = 0
# Action: 10 × 0.25 = 2.5
# Context: 0 × 0.07 = 0
# Subtotal: 4.25
# × Multiplier: 4.25 × 1.1 = 4.68
# Risk Score: 5 (LOW)
High Risk Action
# Delete from production database with PII
action = {
"action_type": "delete",
"environment": "production",
"resource": "rds",
"data_classification": "high_sensitivity"
}
# Calculation:
# Environment: 35 × 0.35 = 12.25
# Data: 30 × 0.33 = 9.9
# Action: 25 × 0.25 = 6.25
# Context: 0 × 0.07 = 0
# Subtotal: 28.4
# × Multiplier: 28.4 × 1.2 = 34.08
# Risk Score: 34 (MEDIUM)
# Note: Would be higher with peak hours context
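
The two worked calculations above, as an added example (not ASCEND's own code) that follows the formula exactly as this page documents it, using the factory-default weights. It also computes the highest score any action can reach under a configuration, so the High (60) and Critical (80) workflows can be checked for reachability. Assumptions: the context values (peak 10, night 5) feed the 7% component, each risk-level threshold is an inclusive lower bound, and all function names are hypothetical.

```python
# Added example: implements the formula as documented on this page, not ASCEND's source.
FACTORY_DEFAULT = {
    "environment_weights": {"production": 35, "staging": 20, "development": 5},
    "action_weights": {"delete": 25, "write": 20, "read": 10, "describe": 5, "list": 8},
    "resource_multipliers": {"rds": 1.2, "dynamodb": 1.2, "s3": 1.1, "lambda": 0.9,
                             "ec2": 1.0, "iam": 1.2, "secretsmanager": 1.2, "kms": 1.2},
    "pii_weights": {"high_sensitivity": 30, "medium_sensitivity": 20,
                    "low_sensitivity": 10, "none": 0},
    "component_percentages": {"environment": 35, "data_sensitivity": 33,
                              "action_type": 25, "operational_context": 7},
}
# Assumption: the documented context values feed the 7% component.
CONTEXT = {"peak": 10, "night": 5, "normal": 0}
# Assumption: thresholds are inclusive lower bounds (the table's ranges share endpoints).
LEVELS = [(80, "critical"), (60, "high"), (30, "medium"), (0, "low")]


def _score(cfg, env, pii, act, ctx, mult):
    pct = cfg["component_percentages"]
    total = sum(pct.values())
    if total != 100:
        raise ValueError(f"Component percentages must sum to 100 (currently {total})")
    subtotal = (env * pct["environment"] + pii * pct["data_sensitivity"]
                + act * pct["action_type"] + ctx * pct["operational_context"]) / 100
    return min(100, round(subtotal * mult))


def risk_score(cfg, action, context="normal"):
    """Score one action; unknown keys raise KeyError instead of defaulting to 0."""
    return _score(cfg,
                  cfg["environment_weights"][action["environment"]],
                  cfg["pii_weights"][action["data_classification"]],
                  cfg["action_weights"][action["action_type"]],
                  CONTEXT[context],
                  cfg["resource_multipliers"][action["resource"]])


def risk_level(score):
    return next(name for floor, name in LEVELS if score >= floor)


def max_reachable_score(cfg):
    """Score of the worst-case action: every component and the multiplier at maximum."""
    return _score(cfg,
                  max(cfg["environment_weights"].values()),
                  max(cfg["pii_weights"].values()),
                  max(cfg["action_weights"].values()),
                  max(CONTEXT.values()),
                  max(cfg["resource_multipliers"].values()))
```

Under the formula as documented here, `max_reachable_score(FACTORY_DEFAULT)` is 35, so a delete on production RDS with high-sensitivity PII at peak still lands in Medium. Run the same check on any candidate configuration to confirm that the approval tiers you depend on can actually be triggered.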
CVSS Integration
CVSS 3.1 Mapping
ASCEND can map risk scores to CVSS severity levels:
| CVSS Severity | CVSS Score | ASCEND Risk |
|---|---|---|
| None | 0.0 | 0-10 |
| Low | 0.1-3.9 | 10-30 |
| Medium | 4.0-6.9 | 30-60 |
| High | 7.0-8.9 | 60-80 |
| Critical | 9.0-10.0 | 80-100 |
Enable CVSS Mapping
{
"cvss_mapping_enabled": true,
"cvss_thresholds": {
"low": 10,
"medium": 30,
"high": 60,
"critical": 80
}
}
Configuration History
List Configuration History
curl "https://pilot.owkai.app/api/risk-scoring/config/history?limit=10" \
-H "Authorization: Bearer owkai_..."
Response:
{
"configs": [
{
"id": 5,
"config_version": "1.3.0",
"is_active": true,
"created_at": "2025-12-15T10:00:00Z",
"created_by": "admin@company.com",
"activated_at": "2025-12-15T10:30:00Z"
},
{
"id": 4,
"config_version": "1.2.0",
"is_active": false,
"created_at": "2025-12-01T10:00:00Z",
"created_by": "admin@company.com",
"activated_at": "2025-12-01T10:30:00Z"
}
]
}
Rollback to Default
curl -X POST "https://pilot.owkai.app/api/risk-scoring/config/rollback-to-default" \
-H "Authorization: Bearer owkai_..."
Factory Default
New organizations receive a factory default configuration:
# Source: routes/risk_scoring_config_routes.py:47
factory_default = {
"config_version": "1.0.0-default",
"algorithm_version": "2.0.0",
"environment_weights": {
"production": 35,
"staging": 20,
"development": 5
},
"action_weights": {
"delete": 25,
"write": 20,
"read": 10,
"describe": 5,
"list": 8
},
"resource_multipliers": {
"rds": 1.2,
"dynamodb": 1.2,
"s3": 1.1,
"lambda": 0.9,
"ec2": 1.0,
"iam": 1.2,
"secretsmanager": 1.2,
"kms": 1.2
},
"pii_weights": {
"high_sensitivity": 30,
"medium_sensitivity": 20,
"low_sensitivity": 10,
"none": 0
},
"component_percentages": {
"environment": 35,
"data_sensitivity": 33,
"action_type": 25,
"operational_context": 7
}
}
SDK Integration
Get Risk Breakdown
from ascend import AscendClient

client = AscendClient(api_key="owkai_...")

result = client.evaluate_action(
    action_type="database.delete",
    resource="customers",
    parameters={"table": "users"},
    context={
        "environment": "production",
        "data_classification": "pii"
    }
)

# Access risk breakdown
print(f"Risk Score: {result.risk_score}")
print(f"Risk Level: {result.risk_level}")
print("Factors:")
for factor, contribution in result.risk_factors.items():
    print(f"  {factor}: {contribution}")
Custom Risk Indicators
result = client.evaluate_action(
    action_type="financial.transfer",
    resource="wire_transfer",
    parameters={"amount": 50000},
    risk_indicators={
        "risk_level": "high",
        "data_classification": "financial",
        "requires_approval": True
    }
)
Audit Trail
All configuration changes are logged:
{
"event_type": "CONFIG_CHANGE",
"actor_id": "admin@company.com",
"resource_type": "RISK_CONFIG",
"action": "ACTIVATE",
"event_data": {
"config_id": 5,
"config_version": "1.3.0",
"previous_config_id": 4
},
"risk_level": "HIGH",
"compliance_tags": ["SOX", "CONFIG_MANAGEMENT", "CRITICAL_CHANGE"]
}
Best Practices
1. Start with Defaults
# Use factory defaults initially
# Monitor and tune based on your patterns
2. Validate Before Activating
# Always validate configuration
validation = client.validate_risk_config(new_config)
if validation.errors:
    print("Cannot activate - fix errors first")
else:
    client.activate_risk_config(new_config.id)
3. Version Configurations
# Use semantic versioning
{
"config_version": "1.3.0" # MAJOR.MINOR.PATCH
}
# MAJOR: Breaking changes
# MINOR: New weights/resources
# PATCH: Threshold adjustments
4. Document Changes
{
"description": "JIRA-1234: Increased production weight per security audit"
}
5. Test in Staging
# Create config without activating
POST /api/risk-scoring/config
# Test with dry-run
POST /api/risk-scoring/config/validate
# Review in staging before production activation
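
A pre-activation review check to go with "Validate Before Activating" and "Test in Staging", as an added example that is not part of ASCEND or its SDK: it compares a candidate configuration against the active one and lists every weight the candidate lowers or drops, since those are the changes that can push actions into a lower approval tier. The two configurations are copied from the 1.2.0 response and the 1.3.0 request shown on this page; the function name is hypothetical.

```python
# Added example: values copied from the 1.2.0 and 1.3.0 configurations on this page.
ACTIVE_1_2_0 = {
    "environment_weights": {"production": 35, "staging": 20, "development": 5},
    "action_weights": {"delete": 25, "write": 20, "read": 10, "describe": 5, "list": 8},
    "resource_multipliers": {"rds": 1.2, "dynamodb": 1.2, "s3": 1.1, "lambda": 0.9,
                             "ec2": 1.0, "iam": 1.2, "secretsmanager": 1.2, "kms": 1.2},
    "pii_weights": {"high_sensitivity": 30, "medium_sensitivity": 20,
                    "low_sensitivity": 10, "none": 0},
    "component_percentages": {"environment": 35, "data_sensitivity": 33,
                              "action_type": 25, "operational_context": 7},
}
CANDIDATE_1_3_0 = {
    "environment_weights": {"production": 40, "staging": 25, "development": 5},
    "action_weights": {"delete": 30, "write": 25, "read": 15, "describe": 5, "list": 10},
    "resource_multipliers": {"rds": 1.3, "dynamodb": 1.2, "s3": 1.1, "lambda": 0.8,
                             "ec2": 1.0, "iam": 1.3, "secretsmanager": 1.3, "kms": 1.3},
    "pii_weights": {"high_sensitivity": 35, "medium_sensitivity": 25,
                    "low_sensitivity": 10, "none": 0},
    "component_percentages": {"environment": 35, "data_sensitivity": 35,
                              "action_type": 23, "operational_context": 7},
}


def lowered_weights(active, candidate):
    """Return (section, key, old, new) for each weight the candidate lowers or omits."""
    findings = []
    for section, old_values in active.items():
        new_values = candidate.get(section, {})
        for key, old in old_values.items():
            new = new_values.get(key)  # None means the candidate dropped the key
            if new is None or new < old:
                findings.append((section, key, old, new))
    return findings


if __name__ == "__main__":
    for section, key, old, new in lowered_weights(ACTIVE_1_2_0, CANDIDATE_1_3_0):
        print(f"REVIEW {section}.{key}: {old} -> {new}")
```

For this pair the check reports the `lambda` multiplier (0.9 to 0.8) and the `action_type` percentage (25 to 23); both are worth recording in the configuration's `description` before activation.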
Next Steps
- Policies — Configure governance policies
- Audit Logging — Track changes
- Compliance — Meet regulatory requirements