AI security review for security architects

AI systems require a different kind of security review than traditional software. The attack surfaces are different — prompt injection, retrieval poisoning, tool misuse, delegation chain exploits — and the evidence requirements for a clearance decision don't map to a standard pentest report or threat model template.

Most security architects run the first few AI reviews on a spreadsheet or in a Confluence page, then hit the same problems: the record doesn't survive an audit, the evidence trail is loose, and when something changes in the AI system six months later, there's no clear record of what was assessed and what was accepted.

Drel is the workspace where you run a structured AI security review from start to signed clearance. You describe the system — architecture, tools, data flows, deployment context — and Drel produces a threat model, a required-controls list, an evidence gap analysis, and a risk disposition memo.

The output is designed for a security architect working alone. No committee required to start. You run the review, sign it as the responsible engineer, and export an audit-ready evidence pack. When your organisation later wants committee sign-off, you invite them — the record upgrades without starting over.

A complete AI security review in Drel runs in four phases:

1. System intake. Describe the AI system: architecture, components, tools, data flows, hosting model, and deployment context. Drel accepts a written description, a spec document, or a code repo.
2. Threat model. Drel generates a threat model specific to the system — not a generic checklist. Threats are mapped to OWASP LLM Top 10, OWASP Agentic Top 10, MITRE ATLAS, and applicable framework controls.
3. Control plan. Each threat maps to required controls, with lifecycle gates (before pilot, before production) and evidence requirements. Control gaps — missing or unevidenced controls — are listed explicitly.
4. Clearance decision. You review the control plan and evidence gaps, make any manual adjustments, and record the disposition. The signed record exports as a structured markdown and PDF evidence pack.

Drel is worth using when you need a record that survives external scrutiny — an auditor, a regulator, a customer security questionnaire, or a future version of you trying to understand what was assessed eighteen months ago.

It is especially useful for organisations running multiple AI systems in parallel, where the same architect is responsible for reviewing all of them and the portfolio starts to blur without a structured record per system.

If you're reviewing a single internal prototype that will never face external scrutiny, a spreadsheet is probably enough. Drel pays back when the stakes are higher than that.

Drel is a design-time review tool. It works from documentation and architectural descriptions — it does not connect to production systems, scan running workloads, ingest live telemetry, or perform runtime testing. It is not a penetration test, a runtime firewall, or a compliance certification service.

For AI systems that need runtime monitoring, runtime firewalls, or posture management of deployed workloads, those are separate tools that sit alongside a design-time clearance record.