Step 01
Classify data and actions
Name prohibited data, approved purposes, consequence levels, and tool authority before implementation.
Rank 07 · Protect privacy, security, and compliance
For security, compliance, enterprise, and risk owners: AI risk includes data residency, retention, tool permissions, vendor access, logs, human approvals, and incident response.
Low-friction diagnostic
Use a real input class and follow it through every model, store, tool, log, reviewer, and vendor.
A concise method
Step 01
Name prohibited data, approved purposes, consequence levels, and tool authority before implementation.
Step 02
Use least privilege, isolation, allowlists, redaction, retention limits, and approvals outside model judgment.
Step 03
Log decisions safely, test kill switches and rollback, assign incident roles, and retain audit evidence.
Honest limits
Continue with evidence
Approved brief 13
Approved brief 14
Approved brief 12
Approved brief 15
The existing twelve-control audit covers kill switches, tool boundaries, audit trails, sandboxing, sensitive-access scope, injection defenses, approvals, evaluation, rollback, and isolation.