AI projects often start as support tools, copilots, search, or workflow assistants. Before launch, focus on access, approval, and failure handling.
AI risk used to be treated as a model problem. That is no longer enough. Once the system can retrieve internal information, call tools, or trigger workflow steps, the risk moves beyond the model itself.
The review checks whether suggestions become actions.
Start with what the system can access
Start with what the assistant can see: internal search results, uploaded files, connector content, cached prompts, chat history, and past decisions.
A low-risk demo can become riskier once it can access policy documents, customer records, pricing notes, contract history, or engineering runbooks.
A serious review treats the feature as a trust boundary: what it can retrieve, who authorises it, and what filtering applies. If any of that is unclear, the review is incomplete.
Retrieval changes the risk profile
Once retrieval is involved, the review looks at document boundaries, record access, stale indexes, and over-broad embeddings. Summaries can leak beyond what the user sees. Retrieval often relies on loose permissions.
AI can make weak access control look stronger than it is. A person would rarely search five systems for a sensitive answer. An assistant can do it in seconds.
Access and exposure differ. Even when a user can see several source documents, the assistant can remove friction and context. Review what it can infer or repeat.
Tool access raises the stakes
A system that can call tools is doing business work. It can create tickets, move data, update records, draft responses, or change state.
The moment an AI system can affect state, the review has to examine the workflow around the action, not the words that triggered it.
Check available actions, inherited authority, approver evidence, and what happens when the model is wrong. Ask whether it can chain actions in unintended ways.
At scale, blast radius becomes the main concern. That pulls the conversation away from AI novelty and back toward operational consequences.
Meaningful approval
Teams say, “a human is in the loop,” but that can hide a weak control. If the reviewer has limited context or cannot challenge it, the control exists only on paper.
The reviewer needs the retrieved material and a way to reject or interrupt the action. Otherwise it becomes an unreviewed queue.
A reviewer who sees source evidence, intended action, destination, and business consequence has enough context. A summary and two buttons do not.
Memory, prompts, and connectors
Not every risk comes from a dramatic exploit. Sometimes the system prompt is too broad, memory resurfaces stale information, or a connector keeps exposing material after it should stop.
AI review is new for teams used to cleaner boundaries. It depends on configuration, prompts, retrieval, tools, and workflow design. Review the whole system, not one layer.
Deliberate logging
The review checks that teams have defined an audit trail covering prompts, retrieved content, tool calls, approvals, and state changes. If nobody can reconstruct what happened, incident response gets much harder.
Logging should preserve enough evidence to answer the questions an investigation will ask: what the model suggested, which source documents it used, who approved the action, and whether the behaviour was isolated or systemic.
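The approval and logging points above can be enforced in one place: a gate that sits between the model's proposed tool call and its execution. The example below is added here and is not code from the original page; the user names, document ids, tool names, ACL table and CRM destination are constructed, and the Approval record is an assumed shape for what a reviewer signs off on. It denies a call when retrieval reached documents the requesting user cannot read (access versus exposure), denies a state change whose approval does not match the evidence, action and destination (a summary and a button do not count), and writes a JSON-lines audit entry for every decision.

```python
import json
import time
from dataclasses import dataclass

STATE_CHANGING_TOOLS = {"update_record", "create_ticket", "send_email"}  # need an approval record
@dataclass
class Approval:
    approver: str
    action: str              # the tool the reviewer believed they were approving
    destination: str         # where the change lands (record id, mailbox, queue)
    evidence_ids: frozenset  # the retrieved documents the reviewer actually saw

class AuditLog:
    """Append-only JSON lines: user, tool, sources, approver, outcome, reason."""
    def __init__(self): self.entries = []
    def record(self, **event):
        event["ts"] = time.time()
        self.entries.append(json.dumps(event, sort_keys=True))

def gate_tool_call(user, tool, args, retrieved_ids, doc_acl, approval, log):
    """Decide whether a model-proposed tool call may run. Returns (allowed, reason)."""
    approver = approval.approver if approval else None
    sources = sorted(retrieved_ids)
    # Access vs exposure: every source must be readable by the requesting user, not just by the assistant.
    outside_acl = [d for d in sources if user not in doc_acl.get(d, set())]
    if outside_acl:
        log.record(user=user, tool=tool, sources=sources, outcome="denied",
                   reason="retrieval_outside_user_acl", offending=outside_acl)
        return False, "retrieval outside user ACL"
    # Meaningful approval: the reviewer saw the same evidence, action and destination as this call.
    if tool in STATE_CHANGING_TOOLS and (
            approval is None or approval.action != tool
            or approval.destination != args.get("destination")
            or approval.evidence_ids != frozenset(retrieved_ids)):
        log.record(user=user, tool=tool, args=args, sources=sources, approver=approver,
                   outcome="denied", reason="missing_or_mismatched_approval")
        return False, "missing or mismatched approval"
    log.record(user=user, tool=tool, args=args, sources=sources, approver=approver, outcome="allowed")
    return True, "ok"

# Constructed sample data: hypothetical users, document ids and a CRM destination.
DOC_ACL = {"policy-7": {"alice", "bob"}, "contract-42": {"bob"}}
def demo():
    log, call, seen = AuditLog(), {"destination": "crm:acct-9"}, frozenset({"policy-7"})
    good = Approval("bob", "update_record", "crm:acct-9", seen)
    stale = Approval("bob", "update_record", "crm:acct-1", seen)  # reviewer approved a different destination
    outcomes = [gate_tool_call("alice", "search", {}, {"policy-7", "contract-42"}, DOC_ACL, None, log)[0],
                gate_tool_call("alice", "update_record", call, seen, DOC_ACL, stale, log)[0],
                gate_tool_call("alice", "update_record", call, seen, DOC_ACL, good, log)[0]]
    return outcomes, log.entries
```

Each denied entry names the offending documents or the approver whose record did not match, which is exactly the evidence an incident responder needs to tell an isolated mistake from a systemic permission gap.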
What the review includes
The exact test plan depends on the workflow. A modern review goes beyond prompt abuse alone and includes technical and operating checks:
- Prompt abuse and instruction-conflict handling
- Retrieval boundaries, permissions, and data access checks
- Tool permissions and action side effects
- Approval checkpoints and operator oversight
- Logging and investigation readiness
- Rollout constraints for higher-risk workflows
AI review goes beyond a narrow feature check. It asks whether the system stays trustworthy under pressure.
Why organisations ask for this review
AI reviews often start with engineering curiosity, launch readiness, procurement, or a consequential AI feature.
The same questions apply: access, approval, evidence, and how the business explains the outcome.
If the AI can access business data, call tools, or influence outcomes, an AI security review is the right starting point. If the AI is embedded in a customer-facing product, pair it with an apps review.
Live system review
If your assistant can access internal documents, call tools, or influence approvals, request a quote.
