TKOResearch
Menu

Sample artifacts

See the shape of a decision-ready AI-security review package.

A sanitized, non-client sample of the work product buyers can expect from a scoped AI-security assessment.

What you receive

Concrete outputs for a specific decision.

  • Executive Go/No-Go memo
  • Findings register
  • Trust-boundary map
  • Permission matrix
  • Abuse-case matrix
  • Remediation roadmap
  • Artifact appendix

Work product

Sanitized sample pages

These non-client examples show the level of specificity the review package is meant to provide. Real reports use the actual system boundary, artifacts, and buyer decision.

Go/No-Go memo excerpt

Decision: pilot-only until high-impact tool calls require explicit approval and retrieval filters are retested against tenant-boundary abuse cases.

  • Launch blockers: production write tool, missing approval log, stale metadata filter
  • Acceptable pilot scope: read-only tools, synthetic customer data, named operator
  • Leadership decision: expand pilot after two controls are validated

Findings register row

AB-03: Indirect prompt injection can influence a ticket-update tool through retrieved customer notes.

  • Severity: High
  • Boundary: RAG content to tool call
  • Recommended fix: treat retrieved instructions as data, require operator approval, log rejected actions

Trust-boundary map excerpt

User request -> application gateway -> system prompt -> retrieval layer -> model context -> MCP server -> ticketing API.

  • Crosses from user-controlled text into retrieved content
  • Crosses from model output into write-capable tool path
  • Approval gate missing before customer-visible update

Permission matrix excerpt

Read: tickets and internal notes. Write: draft ticket update. Send: disabled. Execute: disabled. Delete: disabled.

  • Risk note: draft/write boundary depends on UI enforcement
  • Control note: require server-side deny for send and delete actions

Abuse-case matrix excerpt

Stored instruction in retrieved document attempts to override the agent's support workflow and call a ticket-update tool.

  • Expected behavior: quote retrieved text as data only
  • Observed behavior: unsafe draft generated without warning
  • Validation: replay after prompt and tool-gate remediation

Roadmap and appendix excerpt

Pre-launch: narrow tool scope and add approval logging. Post-launch: monitor rejected actions and review monthly prompt changes.

  • Appendix artifacts: sanitized trace, prompt excerpt, tool schema excerpt, config screenshot

01

What the sample demonstrates

Decision memo

A leadership-readable memo that separates launch blockers, pilot-only conditions, accepted residual risk, and immediate next actions.

Findings register

A prioritized list of issues with affected boundary, likely impact, recommended fix, validation method, and owner-ready engineering notes.

Maps and matrices

Trust-boundary map, permission matrix, and abuse-case matrix that make the system's real authority visible.

Appendix

Sanitized supporting artifacts such as transcripts, traces, configuration excerpts, screenshots, and test notes where they clarify the finding.

Limits

Scope and assumptions stay explicit.

  • The sample is sanitized and illustrative; actual deliverables depend on scope, access, system type, and buyer decision.
  • No client names, customer data, secrets, or confidential materials are included.

Next step

Start with the decision and the system boundary.

Request the sample package