Framework: how the assurance review is structured
Enterprise buyers need to know what will be reviewed, in what order, and what will be produced before they buy. The framework is the documented structure for benchmark-backed, evidence-based buyer-side implementation assurance: phases, stakeholder coverage, gates, severity and evidence expectations, deliverable shapes, categories, and deployment-pattern-aware overlays. It exists so reviews are inspectable and repeatable under real deployment conditions, not improvised from slide decks.
The Mayhem Shield Framework publishes core methodology structure and public-safe templates. Commercial engagement mechanics and client-specific delivery detail stay out of the public repo. Public materials show how the methodology is organized; maintained control content, internal scoping logic, and operating guidance remain part of the internal review repository and engagement process.
Budget bands and overlay economics are covered on the Pricing page; packaged services are described on the Services page.
Framework methodology
Classification
Tool, overlay, and deployment category set before scoping. Determines review depth and applicable control set.
Classification is fixed before scoping so review depth and the applicable control set are explicit, not negotiated mid-stream to match a vendor timeline.
Evidence rules
Documentation, interviews, artifacts specified up front. Findings require evidence, not assertion.
Evidence rules mean findings require proof from documentation, interviews, and artifacts you already use; assertions without evidence do not clear a gate.
Severity calibration
Critical, high, medium, advisory tied to production risk, not vendor marketing language.
Severity stays tied to production risk so approvers can compare findings across teams without reinterpreting vendor language.
Gate conditions
POC, pilot, production outputs distinguish what must close before advancing.
Gate outputs distinguish what must close before POC, pilot, or production so approval forums see the same criteria at each stage.
Assurance workflow
End-to-end view of how buyer-side inputs move through classification, evidence, findings, and gate-ready outputs. Detailed sections below expand each layer.
Inputs
Intake & classification
Deployment category, overlays, and trust boundaries fixed before depth is negotiated.
Evidence plan
Review areas, stakeholder roles, and evidence rules mapped to the scoped gates.
Architecture & controls
Diagrams, interviews, and structured control identification against the live pattern.
Findings & severity
Calibrated findings with traceable proof and remediation hooks.
Gate-ready handoff
Written position, conditions, and artifacts forums can file and defend.
Templates and drafting aids accelerate consistency; reviewers validate every finding, severity call, and gate condition before delivery.
Informed by NIST AI RMF, NIST CSF, OWASP LLM / GenAI guidance, and ISO/IEC 27001, with sector-specific references (EU AI Act, SOC 2 Type II, SR 11-7, HIPAA, PCI-DSS, state-level AI regulations) applied per engagement.
What the public materials demonstrate
The Mayhem Shield Framework is the inspectable record of how the review model is decomposed: what is assessed, in what order, with what evidence, and through which gates, without relying on unstated consultant judgment.
- Documented methodology: named review phases and progression criteria
- Implementation categories and capability overlays (same assurance logic, different deployment shapes)
- Benchmark-backed control-gap taxonomy: 17 groupings and 84 structured categories, with control outcomes, severity calibration, and evidence prompts; applicability depends on deployment pattern and overlays
- Stakeholder model: up to 15 groups mapped to typical enterprise forums
- Approval gates: POC, pilot, and production with explicit decision logic
- Standard deliverable shapes: six diagram types (required and conditional) aligned to architecture and data-flow evidence
- Public-safe templates suitable for independent review outside a live engagement
What the review evaluates
Control themes are applied to the specific tool, its data flows, and its operating context, not run as a static spreadsheet exercise divorced from your environment. Findings rest on evidence, not on stated control claims alone.
- Identity and access enforcement
- Network and path control
- Data handling, retention, and training-use boundaries
- Endpoint security and admin surface controls
- Supply chain integrity and model/provider dependency risk
- SDLC, CI/CD, and change control
- RAG, agentic, self-hosted, and connector-heavy deployment patterns
- Regulatory and high-sensitivity data handling
- Monitoring, audit, incident response, human approval points, and output liability
Implementation categories
Every tool is classified into one of six implementation categories. The category sets the typical base review scope and duration before capability overlays expand structured coverage. Final depth depends on architecture and implementation conditions.
Capability overlays
Overlays extend the base category when the deployment includes specific capabilities. Each adds structured review areas, evidence expectations, and additional review depth. Budget impact for overlays is listed on the Pricing page.
Sample deliverables
Redacted register excerpts, diagram tabs, and packaging patterns used in stakeholder review, not a live engagement. Open the full interactive sample for severity filtering, diagram zoom, and additional RAG and agentic diagram sets.
View sample deliverables →
Discovery calls take twenty minutes.
We confirm deployment fit, outline review scope, and match you to the right packaged offer. No engagement starts until you decide to proceed.
