01 / Overview

AI security for model-connected systems.

AI Security is a separate operational service. It focuses on prompts, system instructions, model boundaries, retrieval layers, tools, agents, data exposure, unsafe output, guardrails, workflow escalation, and human-review controls.

OSAI is used here as a scope reference for AI security testing discipline. It is not a public claim of certification, client authorization, or permission to test. The engagement treats the AI model, retrieval layer, tools, agents, deterministic application, data classes, and human review as one connected system, because most real AI failures happen at the boundary between those layers.

AI security work is separate from application security because risk can come from instruction hierarchy, model behavior, retrieval sources, memory, data boundaries, tool calls, agent planning, output handling, review gates, or the software that accepts model output. OCO tests these layers under written scope and produces controlled evidence, remediation guidance, retest proof, and an owner-ready security report.

AI Security Flow

A controlled path for model, prompt, retrieval, tool, agent, and data risk.

02 / Authorization

Authorization

AI security starts with written authorization for the model, application, prompts, datasets, retrieval sources, indexes, tools, agents, accounts, outputs, test environment, stress sets, review contacts, logging rules, evidence handling, and stop conditions. OCO separates model testing, RAG testing, tool testing, agent testing, and application testing so each activity has a clear boundary.

Test scope

Basic scope can cover system instructions, prompt handling, output rules, data classes, retrieval visibility, tool permissions, and human-review points. Advanced scope can authorize prompt-injection pressure, jailbreak resistance checks, retrieval poisoning assumptions, tool misuse, agent overreach, cross-tenant exposure, unsafe output handling, long-context pressure, memory behavior, and workflow escalation around model decisions.

Owner outcome An AI testing boundary with model scope, data rules, prompt limits, tool limits, stress scenarios, review path, and stop authority.

03 / System map

System map

OCO maps the full AI-connected system: model provider, model version, routing, prompts, retrieval sources, embeddings, memory, tools, agents, APIs, deterministic software actions, review queues, logs, user roles, data classes, and output destinations.

Test scope

Basic mapping separates prompt, context, retrieval, output, and user role. Advanced mapping follows data lineage, hidden instructions, memory behavior, tool authorization, retrieval ranking, model fallback, and software actions triggered by model output.

Owner outcome An AI system map tying model, data, tools, agents, software actions, and evidence paths together.

04 / Model boundary

Model boundary

Model-boundary testing examines what the model is allowed to infer, refuse, transform, summarize, classify, recommend, or trigger. It tests policy adherence, instruction hierarchy, role behavior, refusal consistency, unsafe transformation requests, and whether model output can exceed the intended product boundary.

Test scope

Advanced testing repeats the same task through normal, ambiguous, adversarial, long-context, and role-shifted paths. The goal is to show whether behavior changes in a way that creates data, safety, permission, or software-action risk.

Owner outcome Model-behavior findings tied to instruction hierarchy, refusal behavior, role boundaries, and product impact.

05 / Data boundary

Data boundary

Data-boundary testing checks which data classes can enter prompts, retrieval, memory, tool calls, logs, analytics, exports, and outputs. It focuses on sensitive data, client data, regulated records, private prompts, system instructions, and data that should never leave the approved context.

Test scope

Advanced stress combines irrelevant private context, conflicting public context, cross-user records, retrieval edge cases, and output-format pressure to verify that private data, source boundaries, and disclosure rules hold.

Owner outcome Data-risk findings tied to leakage, source handling, retrieval exposure, memory behavior, and output disclosure.

06 / Prompt handling

Prompt handling

Prompt testing examines system prompts, developer prompts, user prompts, hidden instructions, prompt templates, role messages, tool instructions, and how prompts are assembled with retrieved context. It tests direct and indirect prompt-injection pressure without publishing reusable attack strings.

Test scope

Advanced scenarios combine malicious retrieved text, user role confusion, instruction conflicts, output-format manipulation, and prompt-template edge cases to see whether the model obeys the correct authority and preserves source context.

Owner outcome Prompt findings tied to instruction hierarchy, prompt assembly, injection pressure, and downstream software impact.

07 / Retrieval

Retrieval

Retrieval testing reviews source selection, ranking, filters, tenant boundaries, document permissions, embeddings, indexes, cache behavior, chunking, citations, stale records, and whether retrieved content can manipulate model behavior or expose data.

Test scope

Advanced testing uses approved conflicting sources, stale documents, restricted records, poisoned-looking content, and cross-role retrieval cases to test whether the AI system preserves source authority and access rules.

Owner outcome Retrieval findings covering source authority, access boundaries, poisoning assumptions, stale data, and citation reliability.

08 / Tools

Tools

Tool testing checks what the model or agent can call: APIs, databases, file systems, search, email, messaging, payments, admin actions, ticketing, code execution, workflow actions, and external services. The goal is to verify that tool authority is explicit, logged, limited, and reviewable.

Test scope

Advanced scenarios test overbroad permissions, missing confirmation, tool-call injection, argument manipulation, unsafe retries, unreviewed side effects, and whether a model output can trigger an action that should require deterministic approval.

Owner outcome Tool-risk findings tied to permissions, arguments, side effects, logging, confirmation, and deterministic approval.

09 / Agents

Agents

Agent testing examines task planning, memory, delegation, tool chains, goal drift, retry loops, permission inheritance, escalation, and how agent actions are bounded by the application. It tests whether agents remain inside the owner’s intended work order.

Test scope

Advanced stress can combine ambiguous goals, missing context, conflicting instructions, tool failures, repeated attempts, and role changes to measure whether the agent asks for review, stops safely, or takes an unauthorized action.

Owner outcome Agent findings covering task drift, permission inheritance, memory, tool chains, escalation, and safe-stop behavior.

10 / Output safety

Output safety

Output testing checks unsafe content, unsupported certainty, fabricated citations, sensitive disclosure, structured-output validity, downstream parser risk, automated action risk, and whether user-facing language overstates what the model knows.

Test scope

Advanced scenarios test JSON or schema reliability, refusal consistency, source attribution, uncertainty handling, warning behavior, and whether deterministic software accepts model output only after required validation.

Owner outcome Output findings tied to disclosure risk, structured validity, source handling, confidence, and downstream action safety.

11 / Review gates

Review gates

Review-gate testing verifies where humans, deterministic checks, approvals, audit records, and policy controls interrupt risky model behavior. It covers high-risk outputs, tool calls, data exports, account changes, financial or legal actions, and actions that affect another user.

Test scope

Advanced testing checks whether review can be bypassed through prompt wording, tool arguments, role changes, repeated attempts, async workflows, or malformed structured output. The expected behavior must be explicit and auditable.

Owner outcome Review-gate findings tied to approvals, auditability, human oversight, deterministic checks, and bypass resistance.

12 / Stress testing

Stress testing

Controlled AI stress testing uses approved adversarial sets, benign tasks, ambiguous tasks, conflicting sources, long-context pressure, tool-permission changes, repeated attempts, review-gate challenges, malformed structured-output requests, and role-shifted conversations to measure whether the AI system stays stable under abuse pressure.

Test scope

The stress timeline records prompt, context, retrieved source, ranking behavior, model output, tool call, agent action, state change, refusal behavior, escalation behavior, review outcome, and owner impact. The scenario is designed to prove boundary behavior, not to publish reusable bypass strings or create uncontrolled harm.

Owner outcome An AI stress-test timeline with expected behavior, observed behavior, affected layer, evidence, and risk impact.

13 / Evidence

Evidence

AI evidence records prompt, context, retrieved material, model response, tool call, agent action, state change, timing, refusal behavior, review routing, and owner impact. It must be useful enough to fix the issue without exposing sensitive prompts, datasets, or private outputs publicly.

Test scope

Owner-only evidence can include exact prompts, system behavior, logs, and model outputs. Disclosure-safe summaries remove private prompts, sensitive datasets, user records, exact bypass strings, private tool details, and client material.

Owner outcome A controlled AI evidence package tied to affected layer, stress path, impact, remediation, and retest.

14 / Remediation

Remediation

Remediation can adjust prompts, retrieval boundaries, tool permissions, review gates, logging, data separation, memory behavior, model routing, output validation, agent permissions, or deterministic software controls around the model.

Test scope

Advanced fixes can redesign retrieval segmentation, tool authorization, agent task planning, context windows, fallback behavior, source attribution, or how downstream software accepts model output. Each fix must identify the affected layer and retest condition.

Owner outcome An AI remediation plan tied to model, prompt, retrieval, tool, agent, data, review, or software controls.

15 / Retest

Retest

Retest reruns the same abuse path, stress set, prompt class, retrieval source, tool permission, agent task, and review gate that produced the finding. It confirms whether the control changed behavior without creating new model or product risk.

Test scope

Closure compares refusal consistency, data containment, retrieval behavior, tool behavior, source handling, review routing, downstream state, and residual risk before owner acceptance.

Owner outcome Verified AI behavior with retest proof, residual-risk decision, affected-layer notes, and owner acceptance.

16 / AI security report

AI security report

The AI security report documents scope, exclusions, model and software surfaces, data classes, prompt classes, retrieval sources, tools, agents, findings, affected layer, stress timeline, evidence references, remediation guidance, retest proof, residual risk, and disclosure-safe summary. It separates model behavior from product behavior so fixes can happen at the right layer.

Test scope

The owner-only report can include exact prompts, prompt templates, logs, retrieved content, ranking behavior, tool calls, agent actions, model outputs, review decisions, and retest artifacts. Public-safe summaries remove private prompts, sensitive datasets, exact bypass strings, client material, private tool details, and architecture information that would help reproduce the issue outside scope.

Owner outcome An owner-ready AI security report with controlled evidence, affected-layer analysis, remediation, retest proof, and safe disclosure text.