Framework: how the assurance review is structured
Enterprise buyers need to know what will be reviewed, in what order, and what will be produced before they buy. The framework is the documented structure for benchmark-backed, evidence-based buyer-side implementation assurance: phases, stakeholder coverage, gates, severity and evidence expectations, deliverable shapes, categories, and deployment-pattern-aware overlays. It exists so reviews are inspectable and repeatable under real deployment conditions, not improvised from slide decks.
The Mayhem Shield Framework publishes core methodology structure and public-safe templates. Commercial engagement mechanics and client-specific delivery detail stay out of the public repo. Public materials show how the methodology is organized; maintained control content, internal scoping logic, and operating guidance remain part of the internal review repository and engagement process.
What the public materials demonstrate
The Mayhem Shield Framework is the inspectable record of how the review model is decomposed: what is assessed, in what order, with what evidence, and through which gates, without relying on unstated consultant judgment.
- Documented methodology: named review phases and progression criteria
- Implementation categories and capability overlays (same assurance logic, different deployment shapes)
- Benchmark-backed control-gap taxonomy: 17 groupings and 84 structured categories, with control outcomes, severity calibration, and evidence prompts; applicability depends on deployment pattern and overlays
- Stakeholder model: up to 15 groups mapped to typical enterprise forums
- Approval gates: POC, pilot, and production with explicit decision logic
- Standard deliverable shapes: six diagram types (required and conditional) aligned to architecture and data-flow evidence
- Public-safe templates suitable for independent review outside a live engagement
What the review evaluates
Control themes are applied to the specific tool, its data flows, and its operating context, rather than as a static spreadsheet exercise divorced from your environment. Evidence, not stated control claims alone, is what counts.
- Identity and access enforcement
- Network and path control
- Data handling, retention, and training-use boundaries
- Endpoint security and admin surface controls
- Supply chain integrity and model/provider dependency risk
- SDLC, CI/CD, and change control
- RAG, agentic, self-hosted, and connector-heavy deployment patterns
- Regulatory and high-sensitivity data handling
- Monitoring, audit, incident response, human approval points, and output liability
Implementation categories
Every tool is classified into one of six implementation categories. The category sets the typical base review scope and duration; capability overlays then expand structured coverage. Final depth depends on architecture and implementation conditions.
| Category | Typical base scope | Typical timeline |
|---|---|---|
| Pure AI Services | ~42 review areas (typical) | 3 to 4 weeks |
| AI-Native SaaS | ~53 review areas (typical) | 4 to 5 weeks |
| Traditional SaaS + AI | ~38 review areas (typical) | 2 to 3 weeks |
| SaaS with AI Enhancement | ~28 review areas (typical) | 1 to 2 weeks |
| Infrastructure with AI | ~22 review areas (typical) | 2 to 3 weeks |
| AI-Native Content Generation | ~45 review areas (typical) | 3 to 4 weeks |
Capability overlays
Overlays extend the base category when the deployment includes specific capabilities. Each adds structured review areas, evidence expectations, and additional review depth. Budget impact for overlays is listed on the Pricing page.
Frameworks and references we use
Mayhem Shield implementation reviews are informed by established security and AI-risk references, then tailored to the actual deployment, sector, and data sensitivity involved.
NIST AI RMF 1.0
Used to structure AI risk thinking across governance, context, measurement, and management decisions for enterprise AI deployments.
NIST CSF 2.0
Used to anchor broader cybersecurity outcomes, governance expectations, and enterprise control discussions around AI implementation decisions.
OWASP LLM / GenAI guidance
Used to inform application-layer AI security issues such as prompt injection, insecure output handling, dependency risk, and misuse pathways.
ISO/IEC 42001
Used where organizations require an AI management system lens for governance, risk treatment, and documented operating controls aligned to international expectations.
Mayhem Shield Framework (public) and operational artifacts
Public. The Mayhem Shield Framework on GitHub publishes the core methodology structure: how the control-gap taxonomy is organized, how categories and overlays apply, and public-safe template material that shows what a structured implementation assurance review looks like. That openness supports procurement, architecture, and risk forums that want to inspect the model before engaging.
Private to engagements. Internal scoping rules, pricing mechanics, commercial templates, delivery playbooks, and detailed evidence heuristics for live environments remain outside the public repo. That split is standard practice: it protects client context, preserves commercial terms, and keeps the public artifact focused on methodology, not proprietary delivery IP. It signals operational discipline, not concealment of the review approach itself.
Illustrative outputs
Sample deliverables
Redacted register excerpts, diagram tabs, and packaging patterns used in stakeholder review, not a live engagement. Open the full interactive sample for severity filtering, diagram zoom, and additional RAG and agentic diagram sets.
Next step: a short discovery call
We use it to confirm deployment fit, outline review scope, and match you to the right packaged offer. No engagement starts until you decide to proceed.