PRISM: A Progressive Risk-Informed System for Adaptive Maintenance of Phishing Detection Models


Asmaa Reda, Shereen Taie, Masoud E. Shaheen

Abstract

Phishing remains one of the most persistent and adaptive threats in the cybersecurity landscape. As attackers continuously evolve their methods, conventional static and periodically retrained detection models struggle to maintain performance in the face of adversarial drift, concept volatility, and varied threat severity. This paper introduces PRISM (Progressive Risk-Informed System for Maintenance), a novel framework for adaptive phishing detection model upkeep that integrates severity-aware decision-making into the model maintenance lifecycle. Unlike traditional retraining pipelines, PRISM employs a real-time threat profiling engine that computes composite risk scores based on syntactic entropy, domain reputation, and semantic content deception. Based on this score, threats are classified into severity bands, which inform triage-driven update strategies. A hybrid drift detection module, leveraging KL-divergence and SHAP attribution volatility, activates feature-specific or full retraining only when high-risk drift is confirmed. Experimental validation using datasets from PhishTank, OpenPhish, and adversarially crafted samples demonstrates that PRISM reduces false negatives on high-severity threats by 61% and improves update efficiency by 28% over baseline drift-aware methods. The framework also introduces an explainable risk-logging mechanism for compliance with AI assurance frameworks such as NIST AI RMF.
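The severity-gated retraining decision described in the abstract can be sketched as follows. This is an added example, not the authors' implementation: the thresholds, band cut-offs, the rule that both drift signals must fire, and the feature names are assumptions, and attribution values are taken as precomputed inputs rather than produced by a SHAP library.

```python
import math

def kl_divergence(p_counts, q_counts, eps=1e-9):
    """KL(P || Q) over matching histogram bins; eps smoothing avoids log(0)."""
    p = [c + eps for c in p_counts]
    q = [c + eps for c in q_counts]
    pt, qt = sum(p), sum(q)
    return sum((a / pt) * math.log((a / pt) / (b / qt)) for a, b in zip(p, q))

def attribution_volatility(ref_attr, new_attr):
    """Relative change in mean |attribution| of one feature between two windows."""
    ref = sum(abs(a) for a in ref_attr) / len(ref_attr)
    new = sum(abs(a) for a in new_attr) / len(new_attr)
    return abs(new - ref) / (ref + 1e-9)

def severity_band(score, high=0.7, medium=0.4):
    """Map a composite risk score in [0, 1] to a band (cut-offs are assumed)."""
    return "high" if score >= high else "medium" if score >= medium else "low"

def maintenance_action(features, risk_scores, kl_thr=0.1, vol_thr=0.5, full_frac=0.5):
    """Return (action, drifted_features) for one monitoring window."""
    # Assumed hybrid rule: a feature drifts only if BOTH signals exceed their threshold.
    drifted = [
        name for name, f in features.items()
        if kl_divergence(f["new_hist"], f["ref_hist"]) > kl_thr
        and attribution_volatility(f["ref_attr"], f["new_attr"]) > vol_thr
    ]
    high_risk = any(severity_band(s) == "high" for s in risk_scores)
    if not drifted or not high_risk:
        return "none", drifted  # drift without high-severity traffic is only logged
    if len(drifted) / len(features) >= full_frac:
        return "full_retrain", drifted
    return "feature_retrain", drifted

# Constructed sample window: hypothetical feature names, histograms and attributions.
SAMPLE_FEATURES = {
    "url_entropy": {"ref_hist": [50, 30, 15, 5], "new_hist": [10, 20, 30, 40],
                    "ref_attr": [0.10, -0.12, 0.11, 0.09],
                    "new_attr": [0.30, -0.28, 0.35, 0.31]},
    "domain_age": {"ref_hist": [40, 40, 20], "new_hist": [38, 42, 20],
                   "ref_attr": [0.20, 0.22, 0.19], "new_attr": [0.21, 0.20, 0.20]},
    "token_count": {"ref_hist": [30, 40, 30], "new_hist": [29, 41, 30],
                    "ref_attr": [0.05, 0.04, 0.06], "new_attr": [0.05, 0.05, 0.05]},
}

if __name__ == "__main__":
    print(maintenance_action(SAMPLE_FEATURES, [0.35, 0.82, 0.55]))
```

Requiring both signals keeps a benign distribution shift that the model does not rely on from triggering a retrain, and the severity gate defers updates when the drifting traffic carries no high-risk samples.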

Section: Articles