From OpenSAMM to HAIAMM: A Decade in the Making
In 2015, Pravir Chandra—the creator of OpenSAMM v1.0—gave a talk to the OWASP community titled "OpenSAMM Future Directions." In that presentation, he described the conclusions of our discussions regarding the evolution of OpenSAMM. It marked a turning point in how we thought about software security maturity.
The Introduction of Domains
During that presentation, Pravir introduced the concept of Domains—what we used to call OpenSAMM dimensions when we first discussed ideas. The goal was ambitious: make the next version of OpenSAMM more comprehensive while keeping it simple and practical.
This was a difficult goal to achieve. Software security is neither practical nor simple. Back then, we spent long hours reviewing security frameworks, quality assurance models, capability maturity models, and compliance frameworks. We were looking for patterns that could line up to become the most basic and fundamental key areas of building a multi-domain software assurance program.
We thought hard about which domains to cover, how to name them, and how to restructure the practices. Every decision was deliberate, every name chosen with care.
A Vision for Guided Implementation
I saw the evolution of OpenSAMM as more than just a document—I envisioned it as an application that could guide practitioners on their OpenSAMM implementation journey. I remember building a wizard-like tool and sharing it with Pravir. But at the time, we thought the idea wasn't very useful or practical, especially for consultants and auditors who had their own established workflows.
The idea evolved into mobile and tablet apps built in .NET, connecting to Team Foundation Server and other similar build tools and CI/CD pipelines. Then, with the rise of large language models, I built what I called SAMMGPT—an AI-powered guide using Ollama and OpenAI to help practitioners navigate the framework. But I never got to release that project. Until now.
The Fork and My Departure
OpenSAMM was forked by OWASP to become OWASP SAMM. However, it was later forked into something different. While the fork did adopt some of the practice names from Pravir's presentation—as agreed upon by the OWASP SAMM contributing group—the overall direction diverged significantly from our original vision.
I did not agree with the directions the forked version took. As a result, I stopped contributing to OWASP altogether. It was a difficult decision, but I believed the new path strayed too far from the principles we had worked so hard to establish.
A New Maturity Model and New Tools
Years passed. The notes, documentation, and discussions from those OpenSAMM sessions stayed with me. And finally, I've been able to apply that accumulated knowledge to something new—not just a new application, but an entirely new maturity model and a suite of tools to support it.
HAIAMM—the Human-Assisted Intelligence Assurance Maturity Model—takes the domain-based approach we developed for OpenSAMM and applies it to building and deploying AI systems. Specifically, it focuses on Human-Assisted Intelligence (HAI) systems: AI systems designed to augment human capabilities in software engineering.
The core insight remains the same: security maturity requires a structured, domain-based approach. But the application has evolved. Where OpenSAMM addressed traditional software development, HAIAMM addresses the unique challenges of AI systems that work alongside humans—systems that can take actions, make decisions, and require careful oversight.
Introducing Verifhai
To bring HAIAMM to life, I built Verifhai—an interactive HAI security mentor. Verifhai is available as a CLI tool and as Claude Skills, similar to how PAI (Personal AI Infrastructure) works, but focused specifically on AI software assurance.
With Verifhai, you can:
- Assess your current HAI security maturity
- Get guided recommendations for improving your security posture
- Work through specific HAIAMM practices with interactive mentoring
- Review your AI system implementations for security gaps
The vision I had back in 2015—a guided, interactive tool for security maturity—has finally become reality. Not for OpenSAMM, but for the next generation of software: AI systems that work alongside us.
Looking Forward
A decade is a long time in technology. But some ideas need that time to mature, to find the right application. HAIAMM is the result of that patience—a maturity model built on hard-won lessons about what works and what doesn't when you're trying to make security practical.
If you're building AI systems that augment human work, HAIAMM provides the framework and Verifhai provides the guidance to do it securely. It's the evolution of ideas that started in 2015, finally finding their proper home.
Acknowledgements
I want to thank Pravir Chandra, a true genius in our space, for having built OpenSAMM and for continuing to share great ideas, thoughts, and feedback.
I also want to thank Dave Monnier for being the first person who really inspired me to smash the stack at earlier stages in my career, and for his continued support and advice.
Thank you to Steve Antoniewicz of Mystic Cyber Partners for being such a great career mentor and supporter.
Lastly, I want to thank Daniel Miessler for creating PAI and Fabric, and for inspiring me with his original blog posts on AI and Human-Assisted Intelligence, and Jason Haddix for all his work on AI security—especially the taxonomies. Hopefully I'll take his class someday soon.