Long-form notes from AI security review.
What AI Committees ask for, what regulators read, and what is missing from most threat models. Written for security architects, AI governance leads, and DPOs.
New posts in your inbox,
when they publish.
Threat modeling, governance evidence, and what AI Committees actually need — written for security architects and AI governance leads. No cadence promises.
Conditional approval for AI systems — making conditions stick
Conditional approval is the most common disposition for AI systems that are not ready for unrestricted production. The conditions are the whole point — and most conditional approvals are written in a way that makes the conditions unenforceable.
Model-change notification — the vendor clause procurement teams forget
Vendors change the underlying model in their AI products without notifying customers. The security review that justified the original deployment may no longer be valid. This piece defines the contractual clause and the review trigger that keeps the assessment current.
The MCP authentication boundary, reviewed
MCP servers authenticate the client (the agent) not the end user. When a user-facing agent invokes an MCP server, the server has no way to enforce per-user authorisation unless authentication is layered in explicitly. This piece maps the gap and the controls.
Access control for RAG — keeping retrieval inside the line
RAG pipelines retrieve documents and pass them into a model context that the user then queries. Access control must operate at retrieval time, not just at query time — or users can extract documents they would not be permitted to read directly.
The ISO 42001 Annex A controls, in plain language
ISO 42001 Annex A defines the controls for an AI management system. This walkthrough takes each control domain, explains what it means in practice, and maps the evidence that demonstrates conformance.
Tool-use permissions for agentic AI — least privilege for agents
The tool manifest of an agentic AI system defines what the agent can do in the world. Most manifests are over-provisioned. Least privilege for agents means auditing the tool manifest for each deployment scope and removing capabilities the task does not require.
High-risk AI obligations under the EU AI Act
High-risk AI systems under the EU AI Act face a set of specific obligations: risk management, technical documentation, data governance, transparency, human oversight, and accuracy. This piece maps each obligation to the evidence that satisfies it.
Insecure output handling — the LLM risk teams underrate
Teams spend significant effort hardening the input to an LLM and very little hardening what the LLM outputs. Insecure output handling is how prompt injection becomes code execution, data exfiltration, or stored injection.
When to run an AI security review — the four trigger points
Not every change to an AI system warrants a full review, but some changes that seem minor do. This piece defines the four trigger points that should initiate a review: initial deployment, model change, scope expansion, and incident.
A DPO's guide to AI systems in the organisation
Data Protection Officers are increasingly asked to sign off on AI systems. This guide maps the data-protection risks specific to AI — training data, inference data, model outputs, and retention — and the review questions a DPO should ask.
Govern, Map, Measure, Manage — the NIST AI RMF functions in practice
The four functions of the NIST AI RMF are well defined in the framework document but underspecified in practice. This piece walks through each function with examples from AI security reviews — what evidence each function produces and how they connect.
Assessing the AI feature inside SaaS you already bought
Enterprise SaaS vendors are adding AI features to products organisations already trust. Those features introduce new AI risks that the original vendor assessment did not cover. This piece defines the supplemental review for embedded AI.
Free resources
Practical templates for every framework covered here.
AI Security Review Template
Full review pack with threat model, controls, and evidence grading.
OWASP Agentic Top 10 Controls
Each risk mapped to required controls and lifecycle gates.
AI Risk Disposition Memo
Clearance decision template with rationale and sign-off log.
AI Go-Live Security Checklist
Production gate checklist for security architects and CISOs.