PRISM-C is a risk signal intelligence methodology and a working software system. It reads input data from your environment, classifies it against a formal signal taxonomy, and delivers 16 structured outputs to departments across your organisation. It runs continuously, so your teams work from current signal intelligence rather than a snapshot assessment taken once a year.
PRISM-C sits at the centre of your risk and security ecosystem like the hub of a spider web. It accepts inputs from any existing data source in your environment and feeds 16 structured outputs to every function that needs them — security, risk, compliance, legal, audit, procurement, and the board. It does not replace your cyber defence capability or your risk management function. It gives both of them something they currently do not have: a structured, continuous, deterministic read of the signal environment around them.
Where AI risk tools generate probabilistic outputs from pattern matching, PRISM-C produces deterministic scores grounded in a formal signal taxonomy. PRISM-C is also the first methodology to formally define how AI signals should be read and how they propagate through a system. Every classification is traceable, every score is reproducible, and every output is designed to survive scrutiny in a boardroom, a regulatory review, or a post-incident investigation.
Structured outputs delivered across departments including security, compliance, legal, audit, procurement, and executive leadership.
Formally defined signal categories, including strategic signal ambiguity — an environment deliberately constructed to resist classification.
Temporal layers covering before, during, and after an event so PRISM-C operates across the full lifecycle of a risk signal — not only after something has gone wrong.
Most risk frameworks ask what went wrong. PRISM-C asks what the signal environment looks like right now and what its shape tells us. The signal taxonomy is what makes that question answerable. It is the first formal taxonomy designed specifically to classify how signals behave in AI systems and how they propagate before, during, and after a risk event.
Degrading signals. Observable indicators that have shifted from a prior baseline: access anomalies, configuration drift, log gaps. These are the conventional focus of most monitoring tools. PRISM-C captures them and situates them within the full signal picture rather than treating them in isolation.
Anomalously positive signals. Systems, scores, and metrics that look unusually tidy. PRISM-C treats these as a distinct category because a perfectly quiet environment immediately before an incident is a signal, not a baseline. Most tools do not capture this category at all.
Absent signals. The dog that does not bark: missing telemetry, suppressed logs, processes that should exist and do not. Absence is not neutrality. It carries information weight in the PRISM-C scoring model and is treated as evidence in the evidence preservation layer.
Strategic signal ambiguity. The formally defined fourth category: environments or AI systems that have been structured to resist classification. Deliberate ambiguity is itself a signal, and PRISM-C scores and records it as such. This category does not exist in any other risk methodology.
PRISM-C does not produce a single score for a single team. It delivers 16 structured outputs, each matched to a specific purpose and a primary consumer. Security operations, risk quantification, compliance, legal, audit, and executive leadership each receive the signal intelligence relevant to their role, in a format they can act on immediately.
| Output | Primary Consumer |
|---|---|
| Overall Score and Rating | Executive and board reporting |
| Events Triggered | First-line and second-line risk teams |
| Chain Analysis | Operational risk and incident response |
| Kill-Chain Pattern Detection | SOC and threat intelligence |
| Taxonomy Mapping | Threat intelligence and compliance |
| Control Failure Analysis | Control owners and internal audit |
| Regulatory Resilience Assessment | Regulatory compliance |
| FAIR-Style Risk Indices | Risk quantification functions |
| Invisibility Score | SOC, monitoring teams, and governance |
| Toxic Signal Assessment | Risk governance and executive leadership |
| Strategic Mitigants | CISO, risk owners, business continuity |
| Environmental Module Summary | Second-line risk and governance |
| Third-Party Risk Summary | Vendor management and third-party oversight |
| Intelligence Layer | Board, audit committee, senior management |
| Evidence Preservation Guidance | Legal, compliance, and regulatory functions |
| CIA+A+NR Impact Assessment | Compliance, control owners, governance, and regulatory functions |
PRISM-C does not require replacing existing infrastructure. It calibrates to the specific threat profile of each environment and processes the signals that environment is already generating. Implementation is structured, not disruptive, and the system runs continuously once deployed.
Implementation begins with a formal mapping of the environment's threat surface — the actors, vectors, and conditions relevant to this specific organisation. This input module determines which signals are structurally significant and what their baseline should look like. The calibration at this stage is what makes PRISM-C's outputs relevant rather than generic.
Signals are collected from existing sources — logs, telemetry, governance documentation, access records, vendor outputs — and classified against the four-category taxonomy. No new monitoring infrastructure is required. PRISM-C reads the signals your environment is already producing and classifies them in a way your current tools do not.
Classified signals are processed through PRISM-C's transformation logic, which applies structured weighting to produce composite risk scores. The scoring is deterministic. The same input produces the same output every time, and every step in the calculation is traceable. This is what makes PRISM-C auditable where AI-generated risk scores are not.
PRISM-C's weighting model is calibrated to the specific sector, regulatory context, and risk appetite of the organisation. A financial institution and a healthcare provider face different signal environments. The calibration layer ensures the output is relevant to each, without requiring a bespoke methodology build for each deployment.
PRISM-C delivers its 16 structured outputs on a continuous basis. Departments receive current signal intelligence, not a report from last quarter. When the signal environment changes, the outputs reflect that change in real time. This is the operating model that AI risk governance actually requires but has not previously had available.
All signal classifications and scoring outputs are retained in an evidence layer that is independent of the systems being assessed. When an incident occurs, PRISM-C can reconstruct the signal environment at any point in the record. Signal suppression attempts are captured rather than lost. Post-mortems become evidence-based rather than reconstructed from memory.
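As an added illustration of the four-category taxonomy and of the deterministic, traceable scoring step, here is a small classifier written for this page. It is not PRISM-C's transformation logic, which is unpublished. Its weights, its three-standard-deviation band, its category identifiers (plus an extra "nominal" label for in-band sources), and the sample telemetry counts are all assumptions of the example. It shows the two properties the text insists on: an expected source that reports nothing is recorded as a finding rather than dropped, and the same inputs always yield the same findings, score and input digest, so a reviewer can re-run the classification against a preserved record.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Optional

# The four categories named in the page's taxonomy, plus "nominal" for sources
# that stay inside their baseline band. The fifth label and all identifiers
# are this example's own naming, not PRISM-C's.
DEGRADED = "degrading"
ANOMALOUSLY_POSITIVE = "anomalously_positive"
ABSENT = "absent"
AMBIGUOUS = "ambiguous"
NOMINAL = "nominal"

# Hypothetical weights and band. PRISM-C's transformation logic is unpublished;
# these values exist only to make the scoring deterministic and inspectable.
WEIGHTS = {DEGRADED: 2.0, ANOMALOUSLY_POSITIVE: 3.0, ABSENT: 3.0,
           AMBIGUOUS: 4.0, NOMINAL: 0.0}
Z_BAND = 3.0                         # |z| beyond this is outside the baseline band
RULESET_VERSION = "example-rules-1"  # versioned so a re-run can cite the rules used


@dataclass(frozen=True)
class Baseline:
    mean: float   # expected events per collection interval
    stdev: float  # spread observed over the baseline window


@dataclass(frozen=True)
class Finding:
    source: str
    category: str
    weight: float
    reason: str   # human-readable trace of which rule fired and why


def classify(source: str, count: Optional[int], baseline: Optional[Baseline]) -> Finding:
    """Map one source's interval count onto a taxonomy category.

    Rule order is part of the audit trail: absence is tested first so that a
    feed that went silent is never mistaken for a feed that is merely quiet.
    """
    if count is None:
        return Finding(source, ABSENT, WEIGHTS[ABSENT],
                       "expected source produced no data this interval")
    if baseline is None or baseline.stdev <= 0:
        # No usable history: the source is set up (or misconfigured) so that
        # it cannot be classified against a baseline at all.
        return Finding(source, AMBIGUOUS, WEIGHTS[AMBIGUOUS],
                       "no usable baseline; source resists classification")
    if count == 0 and baseline.mean > Z_BAND * baseline.stdev:
        return Finding(source, ABSENT, WEIGHTS[ABSENT],
                       f"zero events where baseline expects about {baseline.mean:.0f}")
    z = (count - baseline.mean) / baseline.stdev
    if z > Z_BAND:
        return Finding(source, DEGRADED, WEIGHTS[DEGRADED],
                       f"count {count} is {z:.1f} sd above baseline")
    if z < -Z_BAND:
        return Finding(source, ANOMALOUSLY_POSITIVE, WEIGHTS[ANOMALOUSLY_POSITIVE],
                       f"count {count} is {-z:.1f} sd below baseline: unusually quiet")
    return Finding(source, NOMINAL, WEIGHTS[NOMINAL], f"within band (z={z:.1f})")


def score(observations: dict[str, Optional[int]],
          baselines: dict[str, Baseline]) -> dict:
    """Classify every known source and return a traceable, reproducible record.

    Sources are visited in sorted order and the inputs are hashed in canonical
    form, so the same inputs give the same findings, score and digest however
    the input dicts were built or ordered.
    """
    sources = sorted(set(observations) | set(baselines))
    findings = [classify(s, observations.get(s), baselines.get(s)) for s in sources]
    canonical = json.dumps(
        {"rules": RULESET_VERSION,
         "observations": observations,
         "baselines": {k: asdict(v) for k, v in baselines.items()}},
        sort_keys=True, separators=(",", ":"))
    return {
        "rules": RULESET_VERSION,
        "input_sha256": hashlib.sha256(canonical.encode()).hexdigest(),
        "findings": [asdict(f) for f in findings],
        "score": sum(f.weight for f in findings),
    }


# Constructed sample: one collection interval across five telemetry sources.
SAMPLE_BASELINES = {
    "auth_failures": Baseline(mean=40.0, stdev=8.0),
    "dns_queries": Baseline(mean=1000.0, stdev=100.0),
    "edr_heartbeats": Baseline(mean=500.0, stdev=10.0),
    "ids_alerts": Baseline(mean=60.0, stdev=5.0),
    "waf_blocks": Baseline(mean=120.0, stdev=0.0),   # history never varied
}
SAMPLE_OBSERVATIONS = {
    "auth_failures": 95,      # spike well above baseline -> degrading
    "dns_queries": 1050,      # inside the band -> nominal
    "edr_heartbeats": None,   # agent feed vanished -> absent
    "ids_alerts": 30,         # half the usual alert volume -> anomalously positive
    "waf_blocks": 120,        # matches a baseline with no variance -> ambiguous
}

if __name__ == "__main__":
    print(json.dumps(score(SAMPLE_OBSERVATIONS, SAMPLE_BASELINES), indent=2))
```

Run it directly to print the record for the constructed interval. Feeding the observations in a different order produces the identical digest, because the inputs are serialised in canonical form before hashing; change a single count or the ruleset version and the digest changes, which is what ties a stored score to the exact inputs and rules that produced it.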
PRISM's domain-agnostic architecture means the core methodology can be instantiated across different risk environments. The primary application currently available is PRISM-C, the cyber and AI risk instantiation, given the urgency and regulatory pressure in that space.
The structured signal intelligence layer that your AI governance framework is missing. PRISM-C assesses AI systems the way AI systems cannot assess themselves — through deterministic, reproducible, human-interpretable methodology.
Built for organisations deploying or procuring AI systems in regulated environments, where "the model said so" is not a risk management position and regulatory scrutiny is already active.
Signal mapping for financial crime environments, identifying degrading, absent, and ambiguous signals in transaction monitoring and customer due diligence processes.
PRISM-D applies the signal taxonomy to interpersonal and organisational relationship risk, relevant to HR, compliance, and safeguarding contexts.
The domain-agnostic core framework, calibrated to any operational environment where continuous signal-based risk intelligence delivers value.
If you are accountable for AI risk in a regulated environment — or if you procure, govern, or audit systems where AI is involved — PRISM-C gives you the analytical foundation that model cards and vendor assurances do not provide. It serves the people who have to sign off on something, not only the people who built it.
If you are responsible for the security posture of environments that now include AI systems, PRISM-C provides a structured, continuous read of AI-specific risk signals that conventional security tooling does not produce. It supports your existing capability without requiring you to replace it.
If you are under increasing pressure from regulators who are asking, in specific and enforceable terms, what AI governance looks like in practice, PRISM-C produces outputs that answer that question in defensible, auditable, and continuously updated terms.
Evaluating AI vendors requires more than reading their documentation. PRISM-C provides a structured due diligence framework for assessing the signal environment of third-party AI systems before and after deployment, with outputs your legal and compliance teams can use.
PRISM-C's deterministic outputs and evidence preservation layer are designed for audit use from the ground up. The methodology produces findings that are traceable, reproducible, and structurally independent of the system under review — which is the standard that AI audit actually requires.
Reaction time to risk signals has become a competitive and regulatory variable. Attacks are faster, AI systems are being deployed without adequate assessment frameworks, and the gap between what regulations require and what organisations can demonstrate is widening. PRISM-C exists because waiting for an annual assessment cycle is no longer a viable approach to AI and cyber risk.
The EU AI Act is in force, with its obligations applying in phases between 2025 and 2027; DORA has applied since January 2025; and sector-specific AI guidance from financial and healthcare regulators is already in effect. These are active requirements, not distant deadlines. Organisations need to demonstrate structured AI risk governance with continuous evidence, not point-in-time reports.
AI systems do not come with a structured account of how they produce signals, how those signals propagate, or how they connect to risk. PRISM-C is the first methodology to formally map that process — making AI system behaviour visible, linkable to risk taxonomy, and interpretable by the governance functions responsible for it.
PRISM-C's signal taxonomy formally captures anomalously positive signals: the environments that look clean immediately before something goes wrong. This is a pattern that often precedes significant incidents and a category that conventional monitoring does not catch.
Without a structured signal record, organisations cannot reconstruct what the risk environment looked like before an incident. PRISM-C's evidence preservation layer creates that record continuously, so when something happens, the picture exists. Building it retrospectively is not possible.
Threat actors do not wait for your annual risk review. A methodology that delivers signal intelligence once a year is not a risk management tool — it is a compliance document. PRISM-C operates continuously because that is the tempo at which the signal environment actually changes.
PRISM-C is the first methodology to formally define how AI signals should be read and how they propagate through a system. The 16-output architecture and the four-category signal taxonomy do not exist in any other framework. The window in which early adoption is a competitive advantage will not remain open indefinitely.
PRISM-C is available for advisory engagements, methodology briefings, and implementation projects. If you are evaluating AI risk governance approaches or need a structured assessment of a specific AI or cyber environment, reach out directly.
The full PRISM methodology paper is in preparation for formal publication. A Zenodo preprint with DOI will be available shortly.
PRISM-C is the cyber and AI risk instantiation of a domain-agnostic framework. The complete methodology — including formal signal taxonomy definitions, transformation logic, and architectural specification — will be referenced here once the publication is live.
If you are a researcher, standards body, or regulator interested in the methodology prior to publication, please get in touch directly.