01 / Overview
AI security for model-connected systems.
AI Security is a separate operational service. It focuses on prompts, system instructions, model boundaries, retrieval layers, tools, agents, data exposure, unsafe output, guardrails, workflow escalation, and human-review controls.
OSAI is used here as a scope reference for AI security testing discipline. It is not a public claim of certification, client authorization, or permission to test. The engagement treats the AI model, retrieval layer, tools, agents, deterministic application, data classes, and human review as one connected system, because most real AI failures happen at the boundary between those layers.
AI security work is separate from application security because risk can come from instruction hierarchy, model behavior, retrieval sources, memory, data boundaries, tool calls, agent planning, output handling, review gates, or the software that accepts model output. OCO tests these layers under written scope and produces controlled evidence, remediation guidance, retest proof, and an owner-ready security report.
AI Security Flow
A controlled path for model, prompt, retrieval, tool, agent, and data risk.
03 / System map
System map
OCO maps the full AI-connected system: model provider, model version, routing, prompts, retrieval sources, embeddings, memory, tools, agents, APIs, deterministic software actions, review queues, logs, user roles, data classes, and output destinations.
Basic mapping separates prompt, context, retrieval, output, and user role. Advanced mapping follows data lineage, hidden instructions, memory behavior, tool authorization, retrieval ranking, model fallback, and software actions triggered by model output.
04 / Model boundary
Model boundary
Model-boundary testing examines what the model is allowed to infer, refuse, transform, summarize, classify, recommend, or trigger. It tests policy adherence, instruction hierarchy, role behavior, refusal consistency, unsafe transformation requests, and whether model output can exceed the intended product boundary.
Advanced testing repeats the same task through normal, ambiguous, adversarial, long-context, and role-shifted paths. The goal is to show whether behavior changes in a way that creates data, safety, permission, or software-action risk.
05 / Data boundary
Data boundary
Data-boundary testing checks which data classes can enter prompts, retrieval, memory, tool calls, logs, analytics, exports, and outputs. It focuses on sensitive data, client data, regulated records, private prompts, system instructions, and data that should never leave the approved context.
Advanced stress combines irrelevant private context, conflicting public context, cross-user records, retrieval edge cases, and output-format pressure to verify that private data, source boundaries, and disclosure rules hold.
06 / Prompt handling
Prompt handling
Prompt testing examines system prompts, developer prompts, user prompts, hidden instructions, prompt templates, role messages, tool instructions, and how prompts are assembled with retrieved context. It tests direct and indirect prompt-injection pressure without publishing reusable attack strings.
Advanced scenarios combine malicious retrieved text, user role confusion, instruction conflicts, output-format manipulation, and prompt-template edge cases to see whether the model obeys the correct authority and preserves source context.
07 / Retrieval
Retrieval
Retrieval testing reviews source selection, ranking, filters, tenant boundaries, document permissions, embeddings, indexes, cache behavior, chunking, citations, stale records, and whether retrieved content can manipulate model behavior or expose data.
Advanced testing uses approved conflicting sources, stale documents, restricted records, poisoned-looking content, and cross-role retrieval cases to test whether the AI system preserves source authority and access rules.
08 / Tools
Tools
Tool testing checks what the model or agent can call: APIs, databases, file systems, search, email, messaging, payments, admin actions, ticketing, code execution, workflow actions, and external services. The goal is to verify that tool authority is explicit, logged, limited, and reviewable.
Advanced scenarios test overbroad permissions, missing confirmation, tool-call injection, argument manipulation, unsafe retries, unreviewed side effects, and whether a model output can trigger an action that should require deterministic approval.
09 / Agents
Agents
Agent testing examines task planning, memory, delegation, tool chains, goal drift, retry loops, permission inheritance, escalation, and how agent actions are bounded by the application. It tests whether agents remain inside the owner’s intended work order.
Advanced stress can combine ambiguous goals, missing context, conflicting instructions, tool failures, repeated attempts, and role changes to measure whether the agent asks for review, stops safely, or takes an unauthorized action.
10 / Output safety
Output safety
Output testing checks unsafe content, unsupported certainty, fabricated citations, sensitive disclosure, structured-output validity, downstream parser risk, automated action risk, and whether user-facing language overstates what the model knows.
Advanced scenarios test JSON or schema reliability, refusal consistency, source attribution, uncertainty handling, warning behavior, and whether deterministic software accepts model output only after required validation.
11 / Review gates
Review gates
Review-gate testing verifies where humans, deterministic checks, approvals, audit records, and policy controls interrupt risky model behavior. It covers high-risk outputs, tool calls, data exports, account changes, financial or legal actions, and actions that affect another user.
Advanced testing checks whether review can be bypassed through prompt wording, tool arguments, role changes, repeated attempts, async workflows, or malformed structured output. The expected behavior must be explicit and auditable.
12 / Stress testing
Stress testing
Controlled AI stress testing uses approved adversarial sets, benign tasks, ambiguous tasks, conflicting sources, long-context pressure, tool-permission changes, repeated attempts, review-gate challenges, malformed structured-output requests, and role-shifted conversations to measure whether the AI system stays stable under abuse pressure.
The stress timeline records prompt, context, retrieved source, ranking behavior, model output, tool call, agent action, state change, refusal behavior, escalation behavior, review outcome, and owner impact. The scenario is designed to prove boundary behavior, not to publish reusable bypass strings or create uncontrolled harm.
13 / Evidence
Evidence
AI evidence records prompt, context, retrieved material, model response, tool call, agent action, state change, timing, refusal behavior, review routing, and owner impact. It must be useful enough to fix the issue without exposing sensitive prompts, datasets, or private outputs publicly.
Owner-only evidence can include exact prompts, system behavior, logs, and model outputs. Disclosure-safe summaries remove private prompts, sensitive datasets, user records, exact bypass strings, private tool details, and client material.
14 / Remediation
Remediation
Remediation can adjust prompts, retrieval boundaries, tool permissions, review gates, logging, data separation, memory behavior, model routing, output validation, agent permissions, or deterministic software controls around the model.
Advanced fixes can redesign retrieval segmentation, tool authorization, agent task planning, context windows, fallback behavior, source attribution, or how downstream software accepts model output. Each fix must identify the affected layer and retest condition.
15 / Retest
Retest
Retest reruns the same abuse path, stress set, prompt class, retrieval source, tool permission, agent task, and review gate that produced the finding. It confirms whether the control changed behavior without creating new model or product risk.
Closure compares refusal consistency, data containment, retrieval behavior, tool behavior, source handling, review routing, downstream state, and residual risk before owner acceptance.
16 / AI security report
AI security report
The AI security report documents scope, exclusions, model and software surfaces, data classes, prompt classes, retrieval sources, tools, agents, findings, affected layer, stress timeline, evidence references, remediation guidance, retest proof, residual risk, and disclosure-safe summary. It separates model behavior from product behavior so fixes can happen at the right layer.
The owner-only report can include exact prompts, prompt templates, logs, retrieved content, ranking behavior, tool calls, agent actions, model outputs, review decisions, and retest artifacts. Public-safe summaries remove private prompts, sensitive datasets, exact bypass strings, client material, private tool details, and architecture information that would help reproduce the issue outside scope.