Long-form notes from AI security review.
What AI Committees ask for, what regulators read, and what is missing from most threat models. Written for security architects, AI governance leads, and DPOs.
Assessing third-party AI vendors — the questions procurement skips
Third-party AI vendor assessments typically cover data processing agreements and SOC 2. They miss model governance, incident notification for model updates, and the evidence required to re-assess when the vendor changes the underlying model.
A worked example: AI Risk Disposition for a Copilot Studio procurement agent
Every section of the disposition filled in with real content — decision, rationale, required controls, residual risk acceptance, evidence gaps, re-assessment triggers, and sign-off log. The same system used in the Drel demo dossier.
Threat modeling an MCP server — the parts AppSec tools miss
MCP servers have four distinct attack surfaces: transport, tool surface, prompt context injection, and auth boundary. Traditional threat modeling tools model the first and miss the other three. Here is the full threat model with controls.
EU AI Act Article 9 risk management — what evidence is required
Article 9 of the EU AI Act requires a risk management system for high-risk AI. This piece translates each of its six requirements into specific evidence artefacts — what an auditor will ask for, and the gaps that appear most often when organisations try to produce it.
OWASP Agentic Top 10 mapped to required controls
The OWASP Agentic Top 10 names the threats. This piece maps each one to the controls that close it, the lifecycle gate where each control must be in place, and the evidence required to verify it — so your AI Committee has a working checklist, not just a threat list.
What an AI Risk Disposition actually contains
AI Committees keep approving systems they cannot defend later. The Risk Disposition memo is the artefact that fixes this. Here is what goes into one, section by section, with examples from a real assessed system.
Free resources
Practical templates for every framework covered here.
AI Security Review Template
Full review pack with threat model, controls, and evidence grading.
OWASP Agentic Top 10 Controls
Each risk mapped to required controls and lifecycle gates.
AI Risk Disposition Memo
Clearance decision template with rationale and sign-off log.
AI Go-Live Security Checklist
Production gate checklist for security architects and CISOs.