Version History

Methodology Changelog

AXIS never changes scoring silently. Every score-affecting change — question content, weights, thresholds, algorithms — ships as one disclosed methodology release, recorded here. Question banks are immutable and content-hashed; every report prints the exact versions that produced it on its cover.

Methodology 1.7

Current
July 2026

Bank 2026.1 · 37 questions · hash 4d9e8a442e1e… · Scoring Algorithm 2.0

  • Scoring is now provably monotone: impact weights apply per question (fixed Appendix B ratings) instead of per selected answer — improving any answer can never lower any score.
  • The two single-question hybrid domains (CIAM × Data, CIAM × PAM) now fold into the CIAM domain for the overall score, ending their outsized per-question leverage. They remain visible individually on the radar.
  • Formal N/A rules published for the first time — including the guarantee that excluding a foundational (domino) control never silently lifts the score cap: both the exclusion-honored and worst-case scores are always shown.
  • New question AUTH-05: Account Recovery & Identity Verification Resistance — the dominant real-world identity attack vector of 2023–2026, previously unassessed.
  • New question SEC-05: Identity Posture & Attack-Surface Management (ISPM).
  • AI-agent question (CLOUD-05) refreshed for 2026 practice: tool-connection (MCP-style) credentials, IdP-issued agent identities, EU AI Act record-keeping and human-oversight mappings.
  • All regulatory citations modernized via official correspondences: ISO 27001:2013 → 2022, NIST CSF 1.1 → 2.0, NIST SP 800-63 → revision 4, OWASP 2021, current NERC CIP versions.
  • New compliance frameworks: DORA (alignment bar 2.5) and NIS2 (alignment bar 2.0).
  • Compliance thresholds now apply through family-aware citation resolution; under earlier versions the ISO and NIST families were inadvertently evaluated at a default bar, overstating alignment. Reports for assessments taken under 1.6 intentionally keep reproducing their original numbers.
  • Benchmarks moved from threshold-tier blending to empirical-Bayes shrinkage: every consented assessment shifts the blend smoothly; every benchmark displays a 90% credible interval and its evidence composition.
  • One-away sensitivity band on every result: how much the headline score moves if any single answer changes one level, and which answers it rests on.

Comparability: Scores under 1.7 are not directly comparable to 1.6 scores. Every assessment is permanently pinned to the bank and algorithm that produced it, and trend views annotate this boundary.

Methodology 1.6

February 2026

Bank 1.6-legacy · 35 questions · hash e08e7def69b7… · Scoring Algorithm 1.0

  • Consolidated source-of-truth release: privacy-respecting hybrid architecture, 4-tier benchmark system, regional adjustments, insurance premium model, expanded vendor ecosystem, WCAG and security implementation sections.
  • Rubric corrections applied post-release (display-only): CIAM-05 confidence prompt logic; AUTH-02 scoring notes.

Comparability: All assessments taken under 1.6 replay exactly under bank 1.6-legacy and Algorithm 1.0, forever.