Long-form notes from AI security review.
What AI Committees ask for, what regulators read, and what is missing from most threat models. Written for security architects, AI governance leads, and DPOs.
New posts in your inbox,
when they publish.
Threat modeling, governance evidence, and what AI Committees actually need — written for security architects and AI governance leads. No cadence promises.
Scoping an AI security review without boiling the ocean
The most common failure mode in AI security reviews is scope so wide nothing gets finished. This piece walks through how to scope a review to the decision you actually need to make: the system, the deployment context, and the threshold.
Classifying AI incidents — a framework for security teams
AI incidents do not fit cleanly into standard incident classification schemes. A model behaving unexpectedly is not the same as a data breach, but it may become one. This piece defines an AI-specific incident classification framework.
The restricted-pilot pattern for risky AI systems
A restricted pilot is a formal disposition state: the AI system may operate within a defined scope, on the condition that named controls are in place and named triggers will initiate a re-review. This piece defines how to write a restricted-pilot disposition.
AI risk assessment under ISO 42001
ISO 42001 requires a documented AI risk assessment as the foundation of the AI management system. This piece defines what that assessment must cover, how it differs from a generic IT risk assessment, and what a complete record looks like.
AI subprocessor risk in your vendor chain
When a vendor's AI feature is powered by a third-party model provider, the model provider is an AI subprocessor. The data that passes through the model may be subject to additional retention, training, or transfer rules that the original DPA did not contemplate.
Transport security for MCP servers
MCP runs over HTTP (SSE) or stdio. Both transports have distinct security requirements. This piece covers TLS, mutual authentication, and the review questions for MCP server transport configuration.
Indirect prompt injection through retrieved documents
When retrieved documents contain instructions the model executes, the attack surface is anything that ends up in the knowledge base. Indirect prompt injection via documents is harder to detect than direct injection because the attacker is not in the conversation.
Agent memory as an attack surface
Agents that persist memory across sessions carry forward context that can be poisoned. An attacker who controls a past interaction can plant instructions that execute in a future session. This piece maps the memory attack surface and the controls that bound it.
The technical documentation the EU AI Act expects
The EU AI Act requires technical documentation before a high-risk AI system is placed on the market. This piece breaks down what Annex IV requires, what it means in practice, and the gaps that appear most often in documentation we have reviewed.
Sensitive information disclosure in LLM applications
LLM applications disclose sensitive information through three distinct channels: training data memorisation, system prompt leakage, and retrieval boundary failures. Each has different controls and different evidence requirements.
AI security review vs penetration testing — different questions
A penetration test asks: can this system be exploited? An AI security review asks: should this system go to production, and under what conditions? The questions are related but not the same. Running only a pentest leaves most AI risk unaddressed.
Running a DPIA for an AI system
A Data Protection Impact Assessment for an AI system has requirements that standard DPIA templates do not address: model training data, inference data flows, automated decision-making obligations, and re-assessment triggers. This piece fills the gaps.
Free resources
Practical templates for every framework covered here.
AI Security Review Template
Full review pack with threat model, controls, and evidence grading.
OWASP Agentic Top 10 Controls
Each risk mapped to required controls and lifecycle gates.
AI Risk Disposition Memo
Clearance decision template with rationale and sign-off log.
AI Go-Live Security Checklist
Production gate checklist for security architects and CISOs.