Assessing third-party AI vendors — the questions procurement skips
Third-party AI vendor assessments typically cover data processing agreements and SOC 2. They miss model governance, incident notification for model updates, and the evidence required to re-assess when the vendor changes the underlying model.
OWASP Agentic Top 10 mapped to required controls
The OWASP Agentic Top 10 names the threats. This piece maps each one to the controls that close it, the lifecycle gate where each control must be in place, and the evidence required to verify it — so your AI Committee has a working checklist, not just a threat list.
An MCP server security review checklist
A structured checklist for reviewing an MCP server before connecting it to a production agent. Covers transport, authentication, tool manifest, context injection surface, third-party dependencies, and evidence requirements.
The OWASP Agentic Top 10, explained for security reviewers
The OWASP Agentic Top 10 identifies the ten highest-risk threat categories for agentic AI systems. This walkthrough explains each one in terms a security reviewer can act on, with the controls and evidence requirements for each.
NIST AI RMF vs ISO 42001 — choosing a governance backbone
The NIST AI RMF and ISO 42001 are the two most widely adopted AI governance frameworks. This piece compares them across five dimensions — structure, audience, certification, integration, and evidence — to help organisations choose a starting point.
The ISO 42001 evidence checklist for security reviews
An ISO 42001 audit will ask for specific evidence across each control domain. This checklist maps the evidence required for conformance and aligns it with the artefacts an AI security review already produces.
Vetting a third-party MCP server before you connect it
Every third-party MCP server connected to an agent extends that agent's attack surface. This piece defines the vetting process: source review, tool manifest audit, permission scope, and the evidence required for a security review.
AI risk assessment under ISO 42001
ISO 42001 requires a documented AI risk assessment as the foundation of the AI management system. This piece defines what that assessment must cover, how it differs from a generic IT risk assessment, and what a complete record looks like.
The ISO 42001 Annex A controls, in plain language
ISO 42001 Annex A defines the controls for an AI management system. This walkthrough takes each control domain, explains what it means in practice, and maps the evidence that demonstrates conformance.
Govern, Map, Measure, Manage — the NIST AI RMF functions in practice
The four functions of the NIST AI RMF are well defined in the framework document but underspecified in practice. This piece walks through each function with examples from AI security reviews — what evidence each function produces and how they connect.
Assessing the AI feature inside SaaS you already bought
Enterprise SaaS vendors are adding AI features to products organisations already trust. Those features introduce new AI risks that the original vendor assessment did not cover. This piece defines the supplemental review for embedded AI.
ISO 42001 vs ISO 27001 — what is new for AI
Organisations that already hold ISO 27001 certification often ask how much ISO 42001 adds. The answer depends on how much AI the organisation operates. This piece maps the new requirements and the areas where 27001 controls can be extended rather than replaced.
The AI security review checklist, by lifecycle gate
A checklist that follows the lifecycle of an AI system — intake, architecture, threat model, control plan, disposition, pilot, production. Each gate has different review questions and different evidence requirements.
The NIST AI RMF, explained for practitioners
The NIST AI Risk Management Framework gives organisations a structure for managing AI risk across four functions: Govern, Map, Measure, and Manage. This piece explains each function in terms a security practitioner can act on.
The AI section your vendor security questionnaire is missing
Standard vendor security questionnaires cover data processing agreements, SOC 2, and encryption. They do not cover model governance, re-assessment triggers, or incident notification for model updates. This piece fills the gap.
ISO 42001, explained for security teams
ISO/IEC 42001 is the international standard for AI management systems. This piece explains what it requires, how it differs from ISO 27001, and what a security team needs to know to support an AIMS implementation or certification.
The OWASP LLM Top 10, mapped to controls
The OWASP LLM Top 10 names the threats. This walkthrough maps each one to the controls that close it, the lifecycle gate where each control must be in place, and the evidence required to verify it.