PRISM

How risky is the code your AI just wrote?

CI/CD pipelines treat all AI-generated code equally — a one-line docstring edit and a 500-line autonomous refactor get the same review process. PRISM quantifies risk from VIBES audit signals, so your pipeline can tell the difference.

Built on VIBES audit data · Attested via VERIFY · Feeds EVOLVE learning

For a plain-language overview, see PRISM for Users →

Why This Matters

AI-generated code is flooding into production at a pace human reviewers cannot match. But not all AI-generated code carries the same risk. A model adding a docstring is fundamentally different from a model autonomously creating an authentication handler — yet most teams have no way to distinguish between them at review time.

Without quantified risk:

VIBES already captures the signals that risk assessment needs — action types, scope, assurance levels, review status, temperature. PRISM defines how to combine those signals into a single quantified score that your CI/CD pipeline can act on.

What is PRISM?

PRISM (Provenance & Risk Intelligence Scoring Model) is a standalone risk scoring extension built on VIBES audit data. Every annotation in a VIBES audit trail carries contextual signals — what kind of action was taken, how large the change was, what assurance level was configured versus what was actually recorded, whether human review occurred. PRISM combines these signals into a single 0.0–1.0 score.

PRISM is a framework, not a fixed formula. The reference algorithm below uses a weighted average, but implementors are free to substitute their own scoring models as long as the output conforms to the 0.0–1.0 range and the risk_factors array provides transparency into which signals drove the score.

PRISM integrates with VERIFY for attested risk scores and with EVOLVE for agent learning feedback — but operates independently as its own extension.

Severity Bands

PRISM scores map to four severity bands, each with a recommended action for CI/CD pipeline integration.

Band Range Meaning Recommended Action
Low 0.00 – 0.29 Routine change with minimal risk signals Auto-merge permitted
Medium 0.30 – 0.59 Moderate risk — larger scope or assurance gap Flag for review; require approval
High 0.60 – 0.79 Significant risk — complex change or missing review Block merge; require senior review
Critical 0.80 – 1.00 Extreme risk — large unreviewed creation at high temperature Block merge; escalate to security team

PRISM Signal Vocabulary

The following signals are available for PRISM computation. Each signal produces a normalized 0.0–1.0 value and carries an implementor-defined weight.

Reference Algorithm

The reference PRISM computation is a weighted average of available signals. Implementors may substitute any scoring model as long as the output conforms to the 0.0–1.0 range and provides a transparent risk_factors array.

// Reference: weighted-average PRISM computation PRISM = Σ(signal_value × signal_weight) / Σ(signal_weight) // Example with three signals: // action_type = 0.6 (create → high) weight = 0.15 // scope_lines = 0.35 (moderate change) weight = 0.15 // assurance_gap = 0.5 (medium gap) weight = 0.10 // // PRISM = (0.6×0.15 + 0.35×0.15 + 0.5×0.10) / (0.15 + 0.15 + 0.10) // = (0.09 + 0.0525 + 0.05) / 0.40 // = 0.48 → Medium severity band

Storage Format

PRISM data is stored directly on VIBES annotation records using two optional fields: risk_score (the computed 0.0–1.0 value) and risk_factors (an array of signal assessments providing transparency into the score).

// risk_score and risk_factors on a VIBES annotation record { "type": "line", "file_path": "src/routes/auth.py", "line_start": 1, "line_end": 45, "action": "create", "assurance_level": "medium", "risk_score": 0.42, "risk_factors": [ {"signal": "action_type", "value": 0.6, "weight": 0.15}, {"signal": "scope_lines", "value": 0.35, "weight": 0.15}, {"signal": "assurance_gap", "value": 0.5, "weight": 0.10} ] }

Risk-Based CI/CD Gating

PRISM scores are most powerful when they drive automated pipeline decisions. Rather than treating every AI-generated change identically, teams can set thresholds that gate merges based on quantified risk — low-risk changes flow through automatically while high-risk changes require human review.

The vibecheck CLI provides built-in commands for PRISM evaluation. Run these in your CI pipeline to enforce risk-based gating without custom scripting.

Pipeline Integration Steps

Compute risk scores

Run vibecheck risk in your project directory. This scans the .ai-audit/annotations.jsonl file, computes PRISM scores for every annotation that has signal data, and outputs a summary with per-file scores and an aggregate project score.

Set a threshold for CI

Use vibecheck risk --threshold 0.6 --ci to fail the pipeline if any annotation exceeds the threshold. The --ci flag sets the exit code to non-zero on threshold violation, making it compatible with any CI system that checks exit codes.

Inject PR summaries

Use vibecheck risk --format json to produce machine-readable output. Pipe this into your PR bot or GitHub Action to post a risk summary comment on every pull request, giving reviewers immediate visibility into which files carry elevated risk.

Block critical merges

For high-stakes repositories, set a hard gate: vibecheck risk --threshold 0.8 --ci --fail-on critical. Any annotation in the Critical band (PRISM ≥ 0.80) blocks the merge and triggers an escalation notification to the security team.

Example: Pre-Merge Gate

A minimal GitHub Actions step that blocks merges where any annotation exceeds the High severity threshold:

# .github/workflows/vibecheck.yml - name: PRISM Risk Gate run: | vibecheck risk --threshold 0.6 --ci env: CI: true

JSON Output Format

The --format json flag produces structured output suitable for dashboards, PR bots, and downstream analysis tools.

// vibecheck risk --format json { "project_score": 0.38, "band": "medium", "threshold": 0.6, "pass": true, "files": [ { "path": "src/routes/auth.py", "score": 0.42, "band": "medium", "annotations": 3 }, { "path": "src/models/user.py", "score": 0.18, "band": "low", "annotations": 1 } ], "summary": "2 files scored, 0 above threshold" }

Build a custom policy engine. PRISM is a framework, not a fixed formula. If your organization has domain-specific risk factors — compliance requirements, security-sensitive file paths, model allowlists — you can build a custom scoring model that incorporates them. As long as the output conforms to the 0.0–1.0 range and provides transparent risk_factors, your policy engine is a first-class PRISM implementation. See the Implementors Guide for integration details.

Related Standards

PRISM is one of four complementary standards in the VIBES ecosystem.

PRISM computes risk scores from VIBES audit data. Risk scores can be cryptographically attested via VERIFY, and feed into EVOLVE agent learning pipelines as quantitative signal.

VIBES Standard VERIFY Standard EVOLVE Standard vibecheck CLI Implementors Guide

Three Ways to Make an Impact

Whether you want to join the community, build risk infrastructure, or champion adoption — there's a path for you.

Join the Community

Contribute to the PRISM specification, propose new risk signals, and help refine severity band thresholds for real-world pipelines.

Get involved →

Build an Implementation

Integrate PRISM scoring into your CI/CD pipeline, build a custom policy engine with domain-specific risk factors, or add risk visualization to your developer tooling.

Implementation guide →

Champion the Standard

Define risk policies for your organization. Make the case for quantified, automated risk gating on AI-generated code — before a high-risk change slips through unnoticed.

Resources →
Back to Home
© 2025-2026 itsavibe.ai. All rights reserved.