The AI security review checklist, by lifecycle gate

A gate-based checklist does two things a flat checklist cannot. First, it sequences review activities to match when information becomes available. You cannot assess data governance controls before the data flows are specified. Second, it ties review evidence to decisions — at each gate, there is a specific go/no-go question the review must answer.

The gates below follow the standard AI system lifecycle. Not every system passes through every gate — a vendor-provided AI system may skip the architecture gate if the architecture is not disclosed — but any gate that is skipped should be explicitly flagged as an evidence gap in the disposition.

The intake gate establishes the minimum information needed to scope the review. It should produce a system description that everyone on the review team can work from.

• What does the system do? What is its stated purpose and its actual use case?
• Who uses it, and in what context?
• What data does it process? What are the data classifications?
• Is it a new system, a model update to an existing system, or a scope expansion?
• What is the target deployment date? (This scopes the time available for the review.)
• Who is the system owner and who will accept the risk disposition?

The architecture review maps the system's components and data flows. This is the foundation of the threat model.

• What model or models does the system use? Base models, fine-tuned models, or both?
• What is the system architecture? How does data flow in and out?
• What tools or integrations are connected? (APIs, MCP servers, databases, external services.)
• What human oversight mechanisms are in place? Where are the human-in-the-loop boundaries?
• What data does the system have access to? What data does it store or retain?
• What authentication and authorisation controls govern access to the system and to the tools it uses?

The threat model applies the architecture to a structured set of threat categories. For AI systems, the relevant threat catalogues are OWASP LLM Top 10, OWASP Agentic Top 10, and NIST AI RMF.

• Which OWASP LLM Top 10 threats apply to this system?
• If the system is agentic, which OWASP Agentic Top 10 threats apply?
• What are the highest-impact threats given the system's data access and integration scope?
• What is the blast radius if the system behaves unexpectedly?
• What are the data-protection risks specific to the personal data the system processes?

The control plan maps each identified threat to the controls that address it, grouped by lifecycle gate, with an owner and a verification method.

• What control addresses each identified threat?
• Which controls must be in place before pilot? Before production? Which are ongoing?
• Who owns each control? (Role, not person.)
• How will each control be verified? What evidence demonstrates it is in place?
• What residual risk remains after controls are applied?

The disposition is the decision record. It synthesises the threat model and control plan into a formal decision about whether the system may proceed.

• Decision: proceed / conditional / restricted pilot / hold / decline.
• Rationale: why, in two to three sentences naming the headline risk and mitigation.
• Required controls: the control plan, with gates and owners.
• Residual risk acceptance: what is being accepted, by whom, under what condition.
• Evidence gaps: what is not yet known and the plan to close it.
• Re-assessment triggers: the conditions under which this decision must be revisited.
• Sign-off log: role, status, date, and any caveats.

Before a pilot expands, the before-pilot controls must be verified. The pilot gate is not an additional review — it is a check that the commitments from the disposition have been honoured.

• Are all before-pilot controls in place and verified against their stated verification methods?
• Is the pilot scope consistent with the restricted scope in the disposition?
• Has anything changed since the disposition was issued that triggers a re-review?

• Are all before-production controls in place and verified?
• Is the production deployment consistent with the scope in the disposition?
• Are ongoing controls documented, owned, and scheduled?
• Has the sign-off log been updated to reflect production approval?

The re-assessment phase is not a scheduled review — it is triggered by the conditions named in the disposition. The ongoing checklist is: has any re-assessment trigger fired?

• Has the underlying model changed?
• Has the system's scope, data access, or tool manifest expanded?
• Has there been an incident involving the system?
• Have the regulatory obligations for this system type changed?

See the Drel AI security review hub for the full framework alignment and the demo dossier for a complete worked example.