Sample deliverables
Redacted examples of how findings, evidence, and diagrams are packaged for stakeholder review. Figures represent typical enterprise control patterns, not a live engagement. Additional diagram sets below cover RAG and agentic patterns, plus extended developer-tooling context.
Illustrative outputs from a structured review
The findings register uses the Rapid Readiness layout (ID, Category, Description, Severity, Status, with Finding, Evidence Collected, and Remediation Action on expand).
Critical and high findings: post-review state
| ID | Category | Description | Severity | Status |
|---|---|---|---|---|
| RAG-001 | Access control | Retrieval index ACLs do not enforce user data classification when building query filters. | critical | Open |
| RAG-002 | Data handling | Ingestion pipeline has no PII detection before chunking for internal policy corpus. | critical | Open |
| RAG-003 | Logging and audit | Prompt and retrieval audit logs retained 14 days; policy requires 365 days for regulated queries. | high | Open |
| RAG-004 | Third-party AI | Vendor subprocessors for embedding model not listed in current DPA addendum. | high | Open |
| RAG-005 | Resilience | No graceful degradation when vector store is unavailable; UI returns stack traces to analysts. | high | Closed |
| RAG-006 | Model risk | No documented evaluation for retrieval quality after corpus refresh. | medium | Open |
RAG pipeline: enterprise knowledge base
Retrieval-augmented generation: logical layers, end-to-end query flow, failure handling, and document lifecycle with content governance.
Agentic AI: workflow automation
Agent flows with CRM, email, and ticketing: architecture, approval-gated actions, failure paths, and governance.
Findings register: post-review state
| ID | Category | Description | Severity | Status |
|---|---|---|---|---|
| AGT-001 | Human approval | CRM write actions do not require re-approval when ticket priority changes after initial human sign-off. | critical | Open |
| AGT-002 | Injection | User-supplied ticket text passed to agent prompt without structured delimiting. | critical | Open |
| AGT-003 | Scope | Agent tool manifest lists 14 actions; governance pack approves 9. | high | Open |
| AGT-004 | Identity | Service account for email send lacks step-up when mailbox is executive tier. | high | Open |
| AGT-005 | Audit | Agent action logs do not include correlation ID to CRM record in 12% of paths. | medium | Open |
| AGT-006 | Compensation | Partial failure in ticketing leaves ticket open but CRM shows updated; no saga. | high | Closed |
| AGT-007 | Data minimization | Full email thread sent to model for summarization including external recipients. | high | Open |
| AGT-008 | Rate limits | No per-user throttle on agent runs; risk of API cost spike. | medium | Open |
| AGT-009 | Secrets | Connector refresh token stored in app config vault without rotation schedule. | critical | Open |
| AGT-010 | Monitoring | SIEM rules do not alert on tool-call failures grouped by agent version. | medium | Open |
| AGT-011 | Governance | Prompt version for production not pinned; canary and prod drift possible. | high | Open |
| AGT-012 | Residency | LLM route defaults to US region; EU customer data may transit US for summarization. | critical | Open |
| AGT-013 | Testing | No automated regression for tool permission changes. | medium | Closed |
| AGT-014 | Vendor | Subprocessor list for CRM connector not reviewed in 14 months. | medium | Open |
RAG pipeline: enterprise knowledge base
Representative output from a Rapid Readiness Review of an enterprise RAG deployment used for internal policy and compliance Q&A. Critical and high severity only. Client details removed.
POC approved with conditions. Pilot gate blocked pending two critical closures.
Conditions for pilot approval
- Close RAG-001 and RAG-002 with evidence on file before expanding pilot user group beyond 50 seats.
- Complete DPA or routing remediation for RAG-004 before production customer data is indexed in EU-West embeddings.
- Attach automated golden-set results to the next weekly corpus refresh (RAG-006) before pilot exit review.
Evidence checklist: approval stakeholders
Items required for pilot gate sign-off. Delivered to security, privacy, and architecture review board.
| Item | Evidence |
|---|---|
| RAG-001 closure: classification-aware retrieval filters deployed and tested | Signed test report + prod change ticket |
| RAG-002 closure: PII classifier before chunk for all connectors | Connector config screenshots + DLP scan logs |
| RAG-003 closure: HR/legal workspace logs at 365-day retention | SIEM policy diff + sample log line |
| RAG-004 closure: DPA addendum or routing change for embeddings | Executed addendum or network diagram v2 |
| RAG-005 verified closed in pilot environment | Error page capture + chaos re-run attestation |
| Pilot readiness sign-off from security architecture lead | Email approval in ticket RAG-PILOT-14 |
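To illustrate the RAG-001 control (classification-aware retrieval filters), the following is an added example and not one of the deliverables above: the ACL-only filter behind the finding is shown next to the remediated filter, which also requires each chunk's classification label to be at or below the user's clearance. The chunk records, group names, label ordering and clearance values are constructed sample data.

```python
import re
from dataclasses import dataclass

# Label order from least to most sensitive; a user may read at or below clearance.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Chunk:
    doc_id: str
    text: str
    classification: str      # label attached at ingestion time
    acl_groups: frozenset    # groups allowed by the document-level ACL

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    clearance: str

# Constructed sample index (hypothetical records, not client data).
INDEX = [
    Chunk("pol-01", "Expense policy: receipts required over 25 EUR", "internal", frozenset({"staff"})),
    Chunk("hr-07", "Disciplinary case notes for employee 4412", "restricted", frozenset({"staff", "hr"})),
    Chunk("leg-03", "Draft merger term sheet", "confidential", frozenset({"staff", "legal"})),
    Chunk("pub-02", "Public holiday calendar", "public", frozenset({"everyone"})),
]

def acl_only_filter(user: User, chunk: Chunk) -> bool:
    """The pattern behind RAG-001: group ACL is checked, classification is ignored."""
    return bool(user.groups & chunk.acl_groups)

def classification_aware_filter(user: User, chunk: Chunk) -> bool:
    """Remediated filter: group ACL and label-at-or-below-clearance must both hold."""
    label = CLASSIFICATION_RANK.get(chunk.classification)
    clearance = CLASSIFICATION_RANK.get(user.clearance)
    if label is None or clearance is None:
        return False  # unknown label or clearance: fail closed rather than leak
    return label <= clearance and bool(user.groups & chunk.acl_groups)

def retrieve(user: User, query_terms: set, allow) -> list:
    """Apply the filter before ranking so disallowed chunks never reach the prompt."""
    hits = []
    for chunk in INDEX:
        tokens = set(re.findall(r"[a-z0-9]+", chunk.text.lower()))
        if allow(user, chunk) and query_terms & tokens:
            hits.append(chunk.doc_id)
    return hits
```

With a staff analyst at "internal" clearance querying for employee policy, the ACL-only filter returns both the policy chunk and the restricted HR chunk, while the classification-aware filter returns only the policy chunk; the evidence item for RAG-001 closure would be a test report exercising exactly this kind of case.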