Security review evidence pack

InfoSec (OWASP LLM Top 10) reviews ask for proof that controls exist, not assertions that the team is responsible.

The AI security controls guide (controls guide) defines what to implement. This guide packages what to submit so reviewers can trace control to artefact quickly.

Treat the pack as a living folder updated each release, not a one-off PowerPoint before production readiness conversation go-live.

Sponsors should know which artefacts gate production promotion in the steering committee (AI council guide).

Reviewers will ask about data flows, subprocessors, authentication, logging, prompt injection (OpenAI mitigations), tool abuse, model change management, and incident response.

Prepare short written answers with diagrams attached. Verbal assurances do not survive turnover in security teams.

Procurement (production readiness conversation) may join with contract questions on training use and retention. Align answers with the executed DPA (Microsoft Copilot data protection).

Schedule a dry run with your internal security partner before external review to catch missing artefacts early—use the evidence pack checklist as a script.

Provide a data-flow diagram (Microsoft Copilot data protection), network diagram where applicable, IAM matrix (OWASP LLM Top 10), and list of third-party APIs.

Link each control on the diagram to an OWASP LLM control or redacted log sample from your pilot environment.

Show trust boundaries between user browser, application, model API, search index, and approval queue (OpenAI safety best practices).

Version diagrams when you add tools or change regions. Reviewers compare submissions across releases.

Demonstrate SSO (Entra conditional access) with Entra ID (conditional access) or your corporate IdP, least-privilege app roles, and no shared admin keys in application code.

Export a redacted sample of authentication logs showing user identity on each model call where applicable.

Document break-glass access for engineers and how it is time boxed and reviewed.

Search indexes must respect the same entitlements as source systems per RAG ACL guidance. Include a test case in the pack.

State which data classes may enter prompts and which are prohibited, with examples HR and legal agree on.

Attach retention schedules for prompts, outputs, logs, embeddings (OpenAI embeddings guide), and approval records.

Describe deletion and export procedures for subject rights requests.

If you redact before model call, show before and after samples in the pack with fields removed—reference Azure Content Safety.

Document input and output filtering, rate limits, and tool allow lists.

Run a lightweight penetration test (OWASP LLM Top 10) on tool endpoints, not only the chat user interface.

Include prompt injection (OpenAI mitigations) test results and what changed after remediation.

Show human approval samples for write actions with audit trail exports from OpenAI safety best practices.

Attach one primary artefact per control so reviewers do not chase scattered Confluence pages.

Use a spreadsheet or table with columns for control ID, owner, artefact link, and test date.

Mark partial controls honestly with compensating measures and target dates.

Steering committees promote pilots when critical controls are green or accepted as risk with owner per NIST AI RMF Govern process.

Show which events are logged: prompt hash, model version (production readiness conversation), retrieval IDs, tool proposals, approvals, and errors.

Connect logs to your SIEM or observability (AI SDK telemetry) platform with retention matching policy.

Include an incident runbook for model outage, data leak suspicion, and unsafe tool execution.

Record the date of the last tabletop exercise in the pack cover sheet.

Prompts and indexes are code. Show version control, peer review, and CI eval gates before promotion.

Attach the latest golden set (OpenAI evals) eval report with pass/fail thresholds defined upfront.

Document how you roll back prompt or index changes within one business day.

model version (production readiness conversation) changes should trigger regression evals (OpenAI evals) even when prompts are unchanged.

Include executed contracts or order forms with data processing terms.

List subprocessors, regions, and training use flags in a table aligned to your architecture diagram.

Note marketplace purchases versus direct enterprise agreements to avoid wrong support contacts.

Update the table when you add gateway routes or new model providers.

Examples in vendor documentation (Azure AI Foundry documentation) include implementation paths, environment variable lists, and architecture diagrams.

Use them as reference patterns to accelerate workshops. Your production configuration and IAM must still be reviewed on their own merits.

Cite example slugs in the pack index so reviewers can reproduce demos in a sandbox—start with OWASP LLM Top 10.

Clearly label which controls are demonstrated versus planned for phase two.

Good looks like a reviewer opening one folder and finding diagrams, matrices, logs, and evals without a chase thread.

Good looks like sponsors signing promotion when critical controls are evidenced, not when demos felt impressive.

Good looks like the pack updating within five business days of each production release.

Good looks like alignment between legal answers and engineering configuration per Microsoft Copilot data protection.