Priority Quota — quantitative aggregation
By scoring the current "As-Is" MIL and determining the required "To-Be" MIL for each risk-control pair, the study quantitatively identifies capability gaps. The gap is calculated and weighted using a Priority Quota matrix:
Priority Quota = Capability Gap × Urgency Level
where Capability Gap = Target MIL − Current MIL (range 0–3), and Urgency Level is rated 1–5 by the severity of the direct consequence established in Stage 1.
The resulting Priority Quota is the objective metric that drives the gap analysis heatmap. Aggregation can be performed at multiple granularities: per scenario-control pair, per risk-archetype pair, per control domain, or at the organization level.
Priority bands
| Score range | Priority level | Description |
|---|---|---|
> 8.0 |
Critical Action | Severe deficit in the technical control architecture against LLM risks. Requires immediate engineering intervention or operational telemetry updates. |
6.1 – 8.0 |
High Priority | Significant control blind spot. Requires fast-tracked technical adaptation to safely secure the LLM integration. |
4.1 – 6.0 |
Moderate Priority | Control is partially insufficient. Requires scheduled operational updates to the control baseline to achieve dynamic resilience. |
0 – 4.0 |
Low Priority | Existing controls provide adequate localized coverage, or the risk urgency is sufficiently low to be monitored under standard cycles. |
With Capability Gap capped at 3 (MIL 0–3 means max gap is 3) and Urgency Level capped at 5, the raw product ranges
0–15 in integer steps. The threshold table specifies decimal precision (> 8.0, 6.1,
4.1), which implies the Priority Quota is a weighted aggregate of the four evaluation criteria, not a
simple integer product. A worked example resolving this ambiguity would strengthen the module — see the
critical evaluation.
Gap types — qualitative complement
To complement the quantitative Priority Quota, the framework qualitatively categorizes each uncovered deficit into one of four gap types. This typology distinguishes why a control is insufficient, which in turn dictates the type of remediation required (engineering build, control redesign, telemetry expansion, or organizational accountability mapping).
1. Design Gap
No meaningful technical control exists within the ISO 27002 baseline to mitigate the specific LLM risk. This is the most consequential gap type — it indicates the baseline is structurally incomplete for the deployment context, and remediation requires inventing or importing new controls (e.g., from ISO/IEC 42001 or NIST AI RMF).
2. Applicability Gap
A control exists, but its deterministic logic translates poorly into prompt-driven or probabilistic AI environments. The control is present in policy and tooling, but its operating model assumes determinism that LLM workflows do not provide.
3. Visibility Gap
The organization cannot operationally observe the behavior needed to detect LLM misuse, failure, or drift. The control may be well-designed and well-applicable, but the telemetry required to operate it does not exist or is not collected in a usable form.
4. Accountability Gap
Operational ownership for residual risk in ambiguous edge cases (e.g., cross-functional workflows triggered by AI agents) is fragmented at the control level. A control may be designed, applicable, and observable — but no one is accountable for acting on its signal, because the workflow crosses organizational boundaries that the control was not authored for.
The Priority Quota tells an organization which gaps to address first. The gap typology tells the organization how to address them. A High-Priority Design Gap demands a different intervention than a High-Priority Visibility Gap; conflating the two leads to misallocated remediation budgets — a common pathology in AI security spending observed in practice.