-
Notifications
You must be signed in to change notification settings - Fork 0
Textbook 10 AISPM Guide
AISPM means AI Security Posture Management. In CAVRA, AISPM converts runtime governance evidence into posture, findings, reports, and readiness decisions.
AISPM helps teams answer:
- Which agents are active?
- Which repositories and workflows are covered?
- Which MCP tools are trusted or risky?
- Which controls are enforced, shadowed, or missing?
- Which findings are open?
- Which approvals, exceptions, or break-glass events occurred?
- Which report packets are ready?
- Which blockers remain before trial, pilot, or production?
AISPM is not a separate spreadsheet exercise. It is built from the evidence produced by runtime control paths:
- Agents attempt actions.
- CAVRA evaluates actions.
- Decisions, approvals, registry checks, and evidence references are recorded.
- Evidence is indexed and mapped to control coverage.
- Findings, gaps, exceptions, and report readiness are calculated.
- Operators review posture and remediate blockers.
This matters because posture should be anchored to real behavior. A dashboard that is not connected to runtime evidence can show confidence without control.
Community AISPM is public-safe. It includes static samples, schemas, public contracts, and the sandbox AI Posture route. It helps teams learn the data model without exposing private tenant data or Enterprise code.

Community references:
- AI Security Posture Dashboard Contract
- AISPM Dashboard Roadmap
- AISPM CSO Report Center
- AISPM Report Center Enterprise Readiness
Enterprise AISPM uses live tenant data. It depends on production-grade validation:
- Real production connectors.
- Real tenant isolation.
- Real SMTP or report provider settings.
- Real runtime agent and tool workflows.
- Live ingestion and streaming.
- Audit evidence for report delivery.
- Final production readiness packet.
The gate is complete only when the final validator returns ready_for_aispm_production: true with no blockers.
When reading an AISPM view, look at five layers:
| Layer | Question | Healthy signal |
|---|---|---|
| Coverage | Which agents, repos, tools, and workflows are governed? | Coverage is explicit and current. |
| Control state | Are controls enforced, shadowed, missing, or blocked? | High-risk actions are enforced or approval-routed. |
| Findings | What remains open? | Critical findings have owners and due dates. |
| Evidence | Can the posture be proven? | Evidence is fresh, signed, searchable, and tied to decisions. |
| Reports | Can the posture be communicated? | Report packets are generated, delivered, and audited. |
Do not treat a green score as sufficient by itself. A useful AISPM view should let an operator drill from a score into the evidence that created it.
The Report Center turns posture into reader-ready material for executives and operators:
- CSO reports.
- CISO reports.
- Board KPI packs.
- SOC 2-style evidence packets.
- Incident and closure reports.
- Trial evaluator handoff packets.
- Pilot launch board packs.
- Production readiness packets.

Use this conceptual path for any AISPM report:
- Select tenant or public-safe sample scope.
- Select report type: CSO, CISO, board KPI, SOC 2-style evidence, incident closure, trial handoff, pilot launch, or production readiness.
- Confirm evidence freshness and trust roots.
- Resolve blocking findings or mark accepted risk with owner and expiry.
- Generate the report packet.
- Deliver through SMTP/provider or public-safe export.
- Capture delivery audit evidence.
- Feed delivery state back into AISPM.
Enterprise report delivery is not complete until real provider settings and real recipients have been validated.
AISPM supports a trial-to-pilot journey:
- Trial access is approved.
- Evaluators run guided labs.
- Trial evidence is collected.
- Report delivery is validated.
- Pilot scope is proposed.
- Pilot control readiness is reviewed.
- Production evidence room is prepared.
- Final production readiness is validated.
AISPM should be reviewed on a recurring cadence:
- Daily: new blockers, failed connectors, critical findings.
- Weekly: control coverage, open findings, approval trends, report readiness.
- Monthly: executive report, tenant posture, exception aging, policy drift.
- Quarterly: advisory drill, production readiness archive, customer operating review.
| Blocker | Meaning | Resolution |
|---|---|---|
| Missing live connector evidence | A report or posture source was not validated against a real provider. | Run connector validation and attach delivery audit evidence. |
| Tenant isolation not proven | Evidence, policy, or reports may cross tenant boundaries. | Run tenant isolation tests with real tenants and rerun readiness gate. |
| Report delivery unverified | SMTP/provider settings were configured but not proven end to end. | Send a validation report to approved recipients and capture audit output. |
| Runtime workflow synthetic only | Validators used fixtures but not real agent/tool workflows. | Run a real agent scenario through file, command, Git, and MCP paths. |
| Evidence stale | The packet is older than the release or pilot decision window. | Regenerate evidence and rerun the production readiness validator. |
- Why should a green posture score still be traceable to source evidence?
- Which blocker means validators used fixtures instead of real agent workflows?
- What must happen before
ready_for_aispm_production: trueis trustworthy?
Read Policies, Approvals, Evidence, And Attestations to connect AISPM posture back to the decision and evidence mechanics.
Before the agent acts, CAVRA asks: who is acting, what will change, what policy applies, and what evidence will prove it?
| Start | Build | Operate | Assure |
|---|---|---|---|
| Quick Start | CLI | Enterprise Guide | AISPM |
| Reader Paths | Policy Syntax | Deployments | Evidence |
| Community | GUI | Troubleshooting | Conclusion |
- Foreword And Reader Paths
- Why CAVRA Exists
- Runtime Authority Model
- Architecture
- Editions
- Install And Deploy
- Community Guide
- Enterprise Guide
- CLI Reference
- GUI And Sandbox
- AISPM Guide
- Policy And Evidence
- Operations And Integrations
- Labs And Use Cases
- Appendices And FAQ
- Policy Language Reference
- Troubleshooting Playbook
- Conclusion