CSVF: Cognitive Security Verification Framework for Large Language Systems — From Access Control to Reasoning Boundaries

CSVF, an open-source cognitive security verification framework, fills the gap of traditional security models in the cognitive layer of AI. It provides LLM systems with security capabilities such as reasoning boundary definition, semantic leakage detection, and cross-domain reasoning risk assessment, addressing the problem of indirect leakage of sensitive information caused by reasoning and synthesis capabilities in LLM-driven systems.

Traditional information security models focus on 'who can access which files' and ensure data security through identity authentication, permission management, and other means. However, as a 'cognitive engine' with reasoning and synthesis capabilities, LLM systems may still deduce the meaning of protected information through reasoning, summarization, translation, etc., even if the original sensitive text is not directly exposed. Traditional models are no longer sufficient to address this challenge.

CSVF introduces innovative concepts to govern the cognitive security boundaries of AI:

1. Semantic Leakage: The meaning of protected information is disclosed through rewriting, reasoning, etc., without the original secret text being directly exposed;
2. Cross-Domain Reasoning: Combining information from multiple domains to draw conclusions that are not allowed in any single domain;
3. Reachability and USCs: The set of conclusions a system can reliably generate (Reachability) and the categories of conclusions prohibited by policies (Unreachable Statement Categories, USCs);
4. Domain Inventory and Connection Matrix: Structured records of information domains, clearly defining rules for allowing, prohibiting, or requiring approval for domain combinations.

CSVF proposes draft-stage verification metrics:

• Domain Inference Risk (DIR): Measures the frequency with which a system draws cross-domain conclusions using only intra-domain inputs;
• Leakage Event Rate (LER): Weighted calculation of the frequency of outputting protected information/meaning;
• Crawling Resilience Score (CRS): Evaluates the system's ability to resist long-term, multi-session information extraction. Community contributions and optimizations to the metrics are welcome.

The CSVF repository structure includes core framework documents, glossaries, control catalogs, metric definitions, benchmark mappings, template examples, etc. It is positioned as a supplementary layer to existing frameworks such as OWASP and NIST AI RMF, adding capabilities like reasoning boundary modeling, permitted connection analysis, and semantic leakage testing to form a more complete protection system.

CSVF is applicable to LLM application scenarios such as RAG, intelligent assistants, agent workflows, long-context systems, and memory functions. The target audience includes security engineers, CISOs, auditors, procurement teams, and policy owners, covering the entire chain from technical implementation to management decision-making.

CSVF is in the early public draft stage and uses the CC BY 4.0 open-source license. Community contributions are encouraged: document editing, term definition, control measures, test cases, industry examples, framework benchmarking, metric improvements, etc. It needs to maintain the characteristics of practicality, auditability, framework alignment, precision, and honesty.

CSVF represents a paradigm shift in AI security thinking from 'data confidentiality' to 'cognitive boundaries', which will profoundly impact enterprise AI application governance. As AI capabilities grow, cognitive security will become the core of enterprise security architecture. CSVF provides a conceptual framework and practical guide for this emerging field, and enterprises need to pay attention early to avoid risks.