NEW

Start with the pressure: sales, launch, abuse, agents, data, or guardrails

Use the engagement router
aisecurityllc
Sign inStart AI Security Assessment
aisecurityllc
Start AI Security Assessment

Evidence

aisecurity.llc

AI Security Attestation.

Technical Attestation for AI Security Reviews.

An AI Security Attestation is a practitioner-authored, structured evidence document produced after a technical review. It is not a certification for people and not a compliance audit. It is buyer-ready proof that your AI product was reviewed, findings were documented, and controls were assessed.

Request an AttestationEvidence pillar overview

Not all AI security documents are the same

Attestation vs. Certification vs. Compliance Audit

Attestation

A practitioner-authored technical review document covering AI product surfaces, findings, controls, and a signed statement. Produced after a scoped engagement. Buyer-ready. Not a credential.

Certification

An AIPSA credential earned by a person through scored examination. Demonstrates that the individual understands AI security assessment methodology. Lives in Academy.

Compliance Audit

A formal third-party or internal audit against a specific standard (SOC 2, ISO 42001, EU AI Act). Produces an audit report or certificate of conformance. Requires a certified auditor and formal scope.

Attestation types

Six types of AI security attestation.

Security Review Attestation

Comprehensive review of your AI product's security posture — threat model, control gaps, and remediation status — formatted for procurement review.

Controls Attestation

Formal statement of which AI security controls are implemented, tested, and maintained, mapped to OWASP LLM Top 10, NIST AI RMF, or ISO 42001.

Remediation Attestation

Documented evidence that identified findings from a prior assessment have been addressed, validated, and closed — ideal for re-scoping or release gates.

RAG & Data Boundary Attestation

Review of retrieval pipeline architecture, data access boundaries, and authorization controls — for products with LLM-backed retrieval or knowledge bases.

Agentic Workflow Attestation

Review of delegated action surfaces, tool permissions, approval paths, and authority escalation risk in agentic AI products.

Buyer Evidence Letter

Practitioner-signed summary letter covering scope, methodology, key findings, and controls status — ready for enterprise procurement or legal review.

What every attestation includes

A structured, audit-ready document.

Every attestation follows a defined structure. Buyers and auditors know exactly what to expect — and what is not covered.

  • Scope of review — systems, components, and surfaces examined
  • Methodology — frameworks applied (OWASP LLM Top 10, NIST AI RMF, MITRE ATLAS, ISO 42001)
  • Key findings — severity-ranked observations with status (open, mitigated, accepted)
  • Controls inventory — implemented, tested, and in-progress controls
  • Practitioner statement — signed attestation from the reviewing engineer
  • Caveats and limitations — what is and is not covered by the review

When to use attestation

Five common use cases.

Enterprise procurement

Buyer's security team requests evidence before contract or API access approval.

SOC 2 / ISO 42001 vendor review

Auditor needs third-party AI security assessment of a supplier product.

Pre-release gate

Internal security gate requires evidence that AI surfaces were reviewed and controls are in place.

Investor or board due diligence

Risk committee needs practitioner-authored summary of AI product security posture.

Post-remediation sign-off

Following a red-team or assessment, a follow-up attestation documents that findings were addressed.

Process

Five steps from scope to signed document.

01

Scoping call

Define the AI product surfaces, integration points, and review objectives. Agree on attestation type.

02

Technical review

Practitioner-led review using the SecEng Workbench — threat canvas, surface scanner, adversarial range, and evidence instruments.

03

Findings synthesis

Findings scored, mapped to controls, and compiled with evidence references. Draft delivered for accuracy review.

04

Attestation document

Final attestation artifact issued — structured PDF with signed practitioner statement, findings table, controls inventory, and caveats.

05

Verification

Attestation reference ID issued. Buyers and auditors can verify the attestation status via the Evidence pillar.

What an attestation is not

An AI Security Attestation is a practitioner-authored point-in-time review document. It does not constitute a formal compliance certification, does not replace a SOC 2 or ISO 42001 audit, and does not provide legal indemnity. It represents the professional opinion of the reviewing engineer based on the scope and information available at the time of the review. Scope limitations are explicitly documented in every attestation.

Ready to proceed?

Request an Attestation

Scope a review, define the attestation type, and receive a practitioner-authored evidence document ready for procurement, legal, or investor review.

Start hereView Evidence Packs