Blog

Long-form notes from AI security review.

What AI Committees ask for, what regulators read, and what is missing from most threat models. Written for security architects, AI governance leads, and DPOs.


Reference · 12 min

ISO 42001, explained for security teams

ISO/IEC 42001 is the international standard for AI management systems. This piece explains what it requires, how it differs from ISO 27001, and what a security team needs to know to support an AIMS implementation or certification.

Technical · 10 min

RAG security — the three boundaries that matter

Retrieval-augmented generation adds a retrieval layer between the user and the model. That layer has three security boundaries — the data boundary, the retrieval boundary, and the context boundary — and each has distinct failure modes.

Regulation · 11 min

EU AI Act risk tiers, explained for engineers

The EU AI Act classifies AI systems into four risk tiers: unacceptable, high, limited, and minimal. The classification determines the obligations. This piece explains how to classify a system and what each tier requires.

Technical · 11 min

Agentic AI security — the surfaces deterministic software does not have

Agentic AI systems have attack surfaces that do not exist in deterministic software: a reasoning loop that can be hijacked, a tool manifest that defines what the agent can do, memory that persists across sessions, and goals that drift. Security review must address all four.

Reference · 14 min

The OWASP LLM Top 10, mapped to controls

The OWASP LLM Top 10 names the threats. This walkthrough maps each one to the controls that close it, the lifecycle gate where each control must be in place, and the evidence required to verify it.

Foundations · 10 min

What an AI security review actually is (and what it is not)

AI security review is not a pentest, not a compliance audit, and not continuous monitoring. This piece defines what it is — a design-time assessment that produces a defensible record of how an AI system was evaluated, what risks were identified, and what controls were required.