Building Secure AI Systems Starts Before the First Prompt: Why AISVS Matters

Every successful technology implementation begins with a sound architecture and design. For years, application security teams have relied on the OWASP Application Security Verification Standard (ASVS) as a structured set of security requirements that architects, developers, and security reviewers use during the design and implementation phases of traditional applications. Rather than waiting until code review or penetration testing uncovers vulnerabilities, organizations use ASVS to validate that security requirements have been considered while the application is being built.

OWASP Artificial Intelligence Security Verification Standard (AISVS) extends the same philosophy that made ASVS successful - structured security verification during design and implementation—but applies it specifically to AI-powered systems. Instead of focusing only on authentication, session management, cryptography, and input validation, AISVS introduces security requirements around model governance, prompt handling, context management, agent permissions, tool integrations, memory protection, AI supply chain security, data privacy, monitoring, and human oversight. It consists of 12 major categories:


 
The value of AISVS is not merely the checklist itself - it is the conversation it creates between architects, developers, business owners, AI engineers, and security teams. When implementation teams receive these questions at the beginning of a project, they are forced to think through decisions that might otherwise be overlooked, as an example

  • How is sensitive business data protected before being sent to an LLM?
  • Can an AI agent invoke privileged tools without sufficient authorization?
  • How are prompts, context, and memory isolated between users?
  • What controls prevent prompt injection or indirect prompt manipulation?
  • How are third-party models, MCP servers/Gateways, plugins, or connectors trusted and governed?
  • What monitoring exists to detect unsafe AI behaviour in production?

Many of these questions cannot be answered after deployment without expensive architectural changes. However, when raised during design reviews, the required controls can be incorporated naturally into the solution architecture.

In our engagements, we have observed that circulating AISVS questionnaires during the implementation or pre-implementation phase significantly improves the quality of AI security discussions. Instead of discovering architectural weaknesses during security reviews, development teams proactively identify security gaps while components are still being designed. The outcome is fewer redesign cycles, reduced remediation effort, and a more consistent security baseline across AI initiatives.
The process is straightforward:

This approach transforms security from a reactive validation exercise into a design assurance activity. The below categories are covered in the assessment:

Each category with multiple sub-categories and respective set of questions like below - 

As AI systems become increasingly autonomous, interconnected, and capable of making business decisions, architectural choices have a far greater impact on organizational risk than individual coding defects. Secure AI implementations therefore require more than traditional application security reviews - they require structured architectural verification against AI-specific security requirements.

AISVS provides that foundation. Much like ASVS became the benchmark for building secure applications, AISVS is emerging as the framework that enables organizations to design, implement, and deploy AI systems with security embedded from the very beginning.

Business wants AI delivered yesterday, but security embedded into the architecture from Day 0 ultimately saves time accelerates delivery by eliminating costly redesigns and late-stage remediation. The most effective AI security programs will not be those that perform the most penetration tests after deployment. They will be the ones that ask the right questions before a single AI component reaches production.

Article by Hemil Shah & Rishita Sarabhai