Xabier Muruaga
All Case Studies
Security & Assurance
Case Study

AI Security Evaluation & Assurance

Independent assessment of production AI systems — adversarial testing, privacy review, severity-rated findings, and fix verification criteria that produce decision-grade evidence for audit and governance.

AIUC-1 Consortium whitepaper: The End of Vibe Adoption (co-author)
AI Security Evaluation & Assurance

Executive Outcome

01

Severity-rated assessment of security, reliability, grounding, privacy, and responsible AI — backed by reproducible test cases and evidence.

02

Prioritized remediation plan mapping findings to controls, owners, and fix verification criteria.

03

Reusable assessment methodology with versioned test packs and evidence formats, reducing setup time for subsequent systems.

Engagement focus

Reusable assessment methodology for production AI — adversarial testing, privacy review, severity-rated findings, and evidence formats designed for audit sampling across multiple systems.

What this covers
  • Adversarial testing (prompt injection, exfiltration, tool misuse, denial-of-wallet)
  • Privacy, data boundaries, and retrieval permission enforcement
  • Gateway and runtime controls (tool permissions, identity scope, traceability, rollback readiness)

Context

Production AI systems introduce a combined risk surface across model behavior, retrieval, tool execution, and operational controls. In regulated environments, stakeholders need more than design intent — they need an independent assessment that validates what the system actually does under real usage, adversarial pressure, and change over time. The output has to be decision-grade: what can ship, under which constraints, with what residual risk, and how fixes are verified. Because these assessments had to be repeatable across multiple systems and teams, the methodology itself needed to be reusable — versioned test packs, consistent severity models, and evidence formats that work for audit sampling without being rebuilt each time.

The Challenge

  • 01Security exposure not fully understood across key abuse cases: prompt injection, data exfiltration, unauthorized retrieval, and tool misuse under realistic adversarial inputs.
  • 02Privacy and data handling controls unclear in practice — sensitive data detection, retention, and whether logs and traces introduced new exposure.
  • 03Grounding quality and reliability varied across scenarios, with inconsistent citations and non-repeatable behavior.
  • 04Responsible AI controls documented but not consistently testable, versioned, or evidenced.
  • 05Change introduced silent regressions across model, prompt, retrieval, and policies without a repeatable way to quantify impact and prove fixes.

Approach

  • Threat modeling across system boundaries, data flows, identities, tools, and trust boundaries — then an assessment plan with test categories and evidence requirements.
  • Severity model and risk rating criteria aligned to enterprise risk appetite and change impact.
  • Adversarial security testing: prompt injection, jailbreak, data exfiltration, unauthorized retrieval, privilege escalation via tools, and denial-of-wallet.
  • Retrieval and data boundary assessment: eligibility enforcement, sensitive source handling, citation requirements, and traceability from query to retrieved chunks.
  • Privacy review in runtime and observability: PII/secrets exposure, redaction controls, retention rules, trace joinability for investigations without over-collection.
  • Evaluation plan and test suites (offline + regression) for reliability, grounding, and safety — versioned datasets, thresholds, and drift tracking.
  • Tool use correctness and side-effect controls: schema validity, scope boundaries, approval paths, and safe failure behavior.
  • Severity-rated findings report with evidence, reproduction steps, and remediation criteria — then fix re-testing to confirm closure and residual risk.

Key Considerations

  • Assessment credibility depends on reproducibility — test cases, datasets, and scoring must be versioned so results remain comparable.
  • LLM-assisted scoring improves consistency but must be calibrated, monitored for drift, and paired with deterministic controls.
  • Traces must support investigation and audit sampling while respecting privacy, retention, and access restrictions.
  • A single assessment provides a defensible baseline, not a governance program — ongoing controls for change are a separate concern.

Alternatives Considered

  • Checklist-only review: rejected — does not validate runtime behavior under adversarial pressure.
  • Production-only discovery: rejected — unacceptable risk exposure and weak evidentiary defensibility.
  • Manual QA only: rejected — does not scale to non-determinism, variance across contexts, or evolving threat models.
Representative Artifacts
01Assessment Plan and System Boundary Definition
02Threat Model and Attack Surface Map
03Adversarial Security Test Report (attack catalog, test cases, evidence, severity ratings)
04Privacy and Data Handling Review
05Reliability and Grounding Validation Suite (scenarios, scoring, thresholds, drift tracking)
06Tool Use and Side-Effect Controls Review
07Findings Register and Remediation Plan (owners, timelines, verification criteria, residual risk)
08Assessment Dossier for Audit Sampling (evidence index, traces, decision records)
Acceptance Criteria

Severity-rated findings register with evidence, reproduction steps, and recommended remediation per finding.

Threat model exists and adversarial test coverage maps to identified abuse cases and trust boundary risks.

Critical and high findings have owners, target dates, and verification criteria; fixes re-tested with closure evidence.

Adversarial testing demonstrates that unauthorized retrieval, exfiltration, and tool misuse are prevented or detected.

Privacy controls validated for runtime behavior, logging retention, and observability access.

Reliability and safety meet defined thresholds; regression coverage established for high-risk change classes.

Assessment dossier complete and sampling-ready with consistent evidence index and control mapping.

Assessment Packs
DatasetKindTarget
RAG Grounding & Citation PackbaselineMeasure faithfulness, grounding quality, and citation coverage.
Policy Compliance & Refusal Packrelease regressionVerify refusal behavior for restricted intents and policy constraints.
Tool-Use Correctness PackbaselineValidate tool selection, argument correctness, and permission boundaries.
Adversarial Prompt Injection Packred teamDetect susceptibility to prompt injection and jailbreak attempts.
Voice Interaction PackvoiceEvaluate call flows, intent detection, and safety behavior.
Sensitive Data Exposure Packred teamDetect PII, secrets leakage, and redaction failures across inputs, retrieval, and outputs.
Observability and Trace Joinability Packaudit evidenceVerify traces support investigation and sampling without over collection or broken joins.