AI Trust and Governance public scorecard
AI Trust Scanner
Trust Scanner reviews public trust pages, legal policies, security pages, AI language, and methodology claims — turning visible public signals into a cautious scorecard, evidence checklist, and improvement backlog.
ATG public scorecard
aisecurity.llc
The public trust surface is now comprehensive. Legal, AI-governance, security, SDLC, and contract surfaces are all discoverable, linked, and specifically documented. The remaining gap is a formal third-party security certification or attestation.
91
advanced
Public Surface
Whether trust, legal, security, AI, methodology, and contact surfaces are discoverable and coherent.
95% signal
AI Language
Whether AI claims are specific, bounded, and tied to engineering evidence rather than generic positioning.
93% signal
Legal Clarity
Whether privacy, terms, contract, data-processing, and customer-facing boundaries are clear enough to review.
91% signal
Security Trust
Whether public trust artifacts explain controls, evidence, limitations, and escalation paths without oversharing.
87% signal
Consistency
Whether public claims, caveats, service language, and trust artifacts agree across the site.
89% signal
Remediation Opportunity
Whether the public surface makes the next improvement work obvious, scoped, and evidence-backed.
82% signal
Required caveat
Based on public website signals and observed artifacts, not proof of any organization's internal security maturity.
Product surface
Trust Scanner turns public trust language into reviewable evidence work.
Make public trust claims easier to review, caveat, improve, and convert into evidence-backed engineering work.
Surface clarity, AI language, legal clarity, security trust, consistency, and remediation opportunity.
Each score links to observed artifacts, caveats, and practical improvement guidance.
No raw page dumps, personal data, accusations, or private maturity claims in public output.
Detects AI policy, model-training claims, provider disclosures, output caveats, and human-review signals.
Use case
Customer trust readiness
See whether your public trust story gives enterprise buyers enough evidence to continue review.
Use case
AI claim-readiness
Pressure-test AI security, governance, and safety language before it becomes sales or website copy.
Use case
Vendor trust triage
Create a directional public-signal snapshot before a deeper private assessment or procurement workflow.
Use case
Governance evidence backlog
Translate vague trust gaps into owners, artifacts, approvals, telemetry, remediation, and review evidence.
Positioning
Public signal, private proof
A public scorecard can show whether trust artifacts are visible, coherent, and caveated. It cannot prove internal controls, private security maturity, or operational effectiveness.
Based on public website signals and observed artifacts, not proof of any organization's internal security maturity.
Real targets
Committed fixtures and scanner outputs let the lab page show actual engine results.
These samples are public-safe copies of the scanner inputs and outputs used to exercise the Rust trust-scanner engine. Each card links to the fixture JSON and the generated report JSON so product, engineering, and research can inspect the same data.
OpenAI
openai.com
Security and privacy, enterprise privacy, and business-data pages show AI training boundaries, security posture, and data-use language in public view.
Pages
4
Present
27
Missing
39
Public trust surface scored 4 with 32 positive detectors out of 74 across 4 pages. Higher remediation scores mean more visible work remains.
Cloudflare
cloudflare.com
Trust hub, responsible AI, privacy/data protection, and data localization pages make the public trust surface broad and navigable.
Pages
4
Present
46
Missing
20
Public trust surface scored 8 with 49 positive detectors out of 74 across 4 pages. Higher remediation scores mean more visible work remains.
Microsoft
microsoft.com
Trust center, privacy principles, data access, and data location pages expose residency, access, and subprocessor language in a compact public surface.
Pages
4
Present
35
Missing
31
Public trust surface scored 8 with 38 positive detectors out of 74 across 4 pages. Higher remediation scores mean more visible work remains.
Sample output
The public scorecard is useful without overclaiming.
Observed artifacts
Public review checklist
Legal
legal hub
/legal
privacy policy
/legal/privacy
terms of service
/legal/terms
ai usage policy
/legal/ai-usage-policy
acceptable use policy
/legal/acceptable-use
cookie policy
/legal/cookie-policy
subprocessors list
/legal/subprocessors
data processing addendum
/legal/data-processing-addendum
vulnerability disclosure
/legal/vulnerability-disclosure
AI Governance
ai governance hub
/ai-governance
responsible ai principles
/ai-governance/responsible-ai
customer data training policy
/ai-governance/customer-data-and-model-training
Security
security practices page
/trust-center/security
secure sdlc page
/trust-center/secure-sdlc
security contact
mailto:security@aisecurity.llc
dedicated security whitepaper
third party security certification
Trust & Docs
trust center
/trust-center
contract templates
/trust-center/contracts
methodology
/methodology
public report
/report
legal clarity
Full legal suite is enterprise-reviewable
Privacy, terms, acceptable use, cookie policy, subprocessors, DPA, AI usage policy, and vulnerability disclosure are all separately documented with dedicated routes under a legal hub.
Keep each document directly linkable from the trust center and contract hub. Enterprise buyers often paste URLs into procurement systems rather than reading inline.
ai language
AI governance documentation is specific and bounded
Responsible AI principles, a customer data and model training policy, and an AI usage policy are all individually documented. The customer data policy explicitly states that customer data does not train AI models.
The model-training opt-out language is a high-value signal for enterprise buyers. Surface it on the trust center hero and in the DPA.
security trust
Security practices page is honest about certification scope
The security page covers encryption, access control, MFA, dependency scanning, incident response, and vendor risk. It distinguishes between certifications held and certifications aspired to.
The honest framing on certifications is appropriate — do not overclaim. Consider adding a target date or roadmap note for formal attestation.
security trust
No third-party security certification observed
Controls are disclosed and appear appropriate for the platform's scope, but no SOC 2, ISO 27001, or equivalent third-party attestation is publicly referenced.
A scoped SOC 2 Type I or equivalent readiness assessment would close the gap between disclosed controls and independently verified ones. Surface the roadmap publicly if a timeline exists.
security trust
Vulnerability disclosure program is present and in-scope
A dedicated vulnerability disclosure page covers in-scope systems, the reporting address (security@aisecurity.llc), response process, and researcher protections.
Ensure the security contact email resolves correctly and that response-time expectations are stated so researchers know what to expect.
consistency
Claim-readiness labeling is systematic
Public outputs use consistent claim-readiness labels (public-ready, public with caveat, internal only, do not claim). The methodology and trust center both explain the labeling system.
Apply the same label system to scanner outputs and any product marketing copy so buyers see a coherent evidence story from discovery through procurement.
Improvement guidance
Turn observed gaps into concrete trust artifacts.
Pursue a scoped third-party security attestation
A SOC 2 Type I or equivalent readiness assessment would provide independently verified evidence for the controls already disclosed on the security practices and SDLC pages. Even a scoped readiness letter closes the gap between self-disclosed and verified.
Recommended artifacts
- soc2-readiness-scope.md
- control-evidence-pack.md
- certification-roadmap-note.md
Publish a security overview or whitepaper
A single security overview document that cross-references the security practices page, SDLC controls, DPA, subprocessors, and vulnerability disclosure into a buyer-digestible summary would reduce enterprise review friction significantly.
Recommended artifacts
- security-overview.pdf
- trust-artifact-index.md
- buyer-security-faq.md
Add subprocessor change notification mechanism
The subprocessors page lists current processors clearly. Adding a public changelog or notification mechanism (email or RSS) for subprocessor additions would satisfy enterprise DPA requirements and reduce procurement friction.
Recommended artifacts
- subprocessor-change-log.md
- dpa-notification-clause.md
Workflow
The scanner is a path from public claims to remediation backlog.
Crawl public artifacts
Collect only public pages and metadata needed to evaluate trust, legal, security, AI, and methodology surfaces.
Classify signals
Map observable artifacts into public-surface, AI-language, legal-clarity, security-trust, and consistency dimensions.
Apply public-safety rules
Suppress raw page text, personal data, private payloads, secrets, and accusatory maturity language from public output.
Generate ATG scorecard
Produce a public AI Trust and Governance scorecard with caveats, score bands, observed artifacts, and guidance.
Convert gaps to work
Turn weak signals into trust-center improvements, contract artifacts, security copy, backlog items, and evidence packs.
Public safety
The scanner has to be useful without creating public-risk artifacts.
Required publication rules
- No raw crawled page text in public scorecards.
- No names, emails, phone numbers, personal data, secrets, tokens, or private keys.
- No breach-like framing or company-level maturity accusations.
- No sponsor endorsement language or unsupported product claims.
- Every public scorecard carries the public-signal caveat.
Methodology guardrails
Observable public artifacts are directional signals.
Scores are not proof of internal security maturity.
Private benchmark outputs require explicit scope and approval.
Raw crawl data stays out of public paths.
Claim posture
Public outputs should use public_claim_with_caveat unless a scoped private assessment creates stronger evidence.
How it works
The page is public. The evidence engine stays controlled.
A scan starts with public URLs and visible artifacts. The evidence engine normalizes text, detects trust signals, evaluates six dimensions, and produces a structured scorecard. Only public-safe output appears here: scorecard, findings, caveats, and sample JSON. Private evidence packs, owner maps, and remediation plans are delivered under explicit scope.
Public page input — trust, legal, security, AI-governance, and methodology pages
Signal classification — artifacts mapped to six public dimensions
Public-safe output — scorecard, findings, caveats, and sample JSON only
Private follow-up — evidence backlog, owner map, and remediation plan under scope
Output schema
ATG public scorecard
The JSON contract includes domain, headline score, six dimension scores, observed artifacts, public findings, improvement guidance, and methodology caveat.
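The publication rules listed under Public safety and the JSON contract described here can be enforced in a single gate that every scorecard passes before it is rendered. The block below is an added example in Rust (the language of the engine this page mentions), not the lab's own code: the struct shapes, the placeholder wording, the allow-list for the published security contact, the accusatory-word list, the token heuristics, and the sample scorecard are all assumptions constructed for illustration, and the JSON omits the observed-artifacts and improvement-guidance sections of the contract.

```rust
// Added example, not the lab's Rust engine: a publication gate a scorecard must
// pass before it reaches a public page. Rules follow the page's "Required
// publication rules"; the detectors below are constructed heuristics.

/// Caveat every public scorecard must carry (wording from the page).
pub const PUBLIC_SIGNAL_CAVEAT: &str = "Based on public website signals and observed artifacts, \
not proof of any organization's internal security maturity.";
/// The designated security contact is published deliberately, so it passes through.
const ALLOWED_CONTACTS: [&str; 1] = ["security@aisecurity.llc"];
/// Accusatory maturity language is blocked; a constructed word list stands in for a classifier.
const BLOCKED_WORDS: [&str; 3] = ["breached", "negligent", "incompetent"];

#[derive(Debug, Clone, PartialEq)]
pub struct Finding { pub dimension: String, pub title: String, pub detail: String }

#[derive(Debug, Clone, PartialEq)]
pub struct Scorecard {
    pub domain: String,
    pub headline_score: u8,
    pub dimensions: Vec<(String, u8)>, // (dimension name, percent signal)
    pub findings: Vec<Finding>,
    pub caveat: String,
}

/// Decide whether one whitespace-separated token looks like personal data or a secret.
fn token_placeholder(tok: &str) -> Option<&'static str> {
    let core = tok.trim_matches(|c: char| !c.is_alphanumeric());
    if core.is_empty() || ALLOWED_CONTACTS.contains(&core) {
        return None;
    }
    if let Some(i) = core.find('@') {
        if core[i + 1..].contains('.') {
            return Some("[email redacted]");
        }
    }
    let digits = core.chars().filter(|c| c.is_ascii_digit()).count();
    if digits >= 10 && core.chars().all(|c| c.is_ascii_digit() || "+-()".contains(c)) {
        return Some("[phone redacted]");
    }
    let alnum = core.chars().all(|c| c.is_ascii_alphanumeric() || c == '_' || c == '-');
    if core.len() >= 32 && alnum && digits > 0 && core.chars().any(|c| c.is_ascii_alphabetic()) {
        return Some("[secret redacted]");
    }
    None
}

/// Replace each flagged token (including any attached punctuation) with a placeholder.
pub fn redact(text: &str) -> String {
    text.split_whitespace()
        .map(|tok| token_placeholder(tok).map_or_else(|| tok.to_string(), |p| p.to_string()))
        .collect::<Vec<_>>()
        .join(" ")
}

/// Apply the publication rules: redaction fixes what it can; a missing caveat,
/// out-of-range scores, or accusatory wording blocks publication outright.
pub fn publish_gate(mut card: Scorecard) -> Result<Scorecard, Vec<String>> {
    let mut errors = Vec::new();
    if card.caveat != PUBLIC_SIGNAL_CAVEAT {
        errors.push("missing required public-signal caveat".to_string());
    }
    if card.headline_score > 100 {
        errors.push(format!("headline score {} out of range", card.headline_score));
    }
    if card.dimensions.len() != 6 {
        errors.push(format!("expected 6 dimension scores, got {}", card.dimensions.len()));
    }
    for (name, pct) in &card.dimensions {
        if *pct > 100 {
            errors.push(format!("dimension {} signal {} out of range", name, pct));
        }
    }
    for f in &mut card.findings {
        f.title = redact(&f.title);
        f.detail = redact(&f.detail);
        let lower = f.detail.to_lowercase();
        if BLOCKED_WORDS.iter().any(|w| lower.contains(*w)) {
            errors.push(format!("finding '{}' uses accusatory maturity language", f.title));
        }
    }
    if errors.is_empty() { Ok(card) } else { Err(errors) }
}

fn json_str(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            c => out.push(c),
        }
    }
    out + "\""
}

/// Hand-rolled, std-only serialization in the shape the page describes for the ATG contract.
pub fn to_json(card: &Scorecard) -> String {
    let dims: Vec<String> = card.dimensions.iter().map(|(n, p)| format!("{}:{}", json_str(n), p)).collect();
    let finds: Vec<String> = card.findings.iter().map(|f| format!(
        "{{\"dimension\":{},\"title\":{},\"detail\":{}}}",
        json_str(&f.dimension), json_str(&f.title), json_str(&f.detail))).collect();
    format!(
        "{{\"domain\":{},\"headline_score\":{},\"dimensions\":{{{}}},\"public_findings\":[{}],\"methodology_caveat\":{}}}",
        json_str(&card.domain), card.headline_score, dims.join(","), finds.join(","), json_str(&card.caveat))
}

/// Constructed sample: a finding whose detail leaked a crawled email, phone and token-like string.
pub fn sample_card() -> Scorecard {
    Scorecard {
        domain: "example.com".into(),
        headline_score: 91,
        dimensions: vec![
            ("public_surface".into(), 95), ("ai_language".into(), 93), ("legal_clarity".into(), 91),
            ("security_trust".into(), 87), ("consistency".into(), 89), ("remediation_opportunity".into(), 82),
        ],
        findings: vec![Finding {
            dimension: "security_trust".into(),
            title: "Vulnerability disclosure page present".into(),
            detail: "Reporting address ops@example.com, phone +1-555-010-0199, token abcdef0123456789abcdef0123456789ab".into(),
        }],
        caveat: PUBLIC_SIGNAL_CAVEAT.to_string(),
    }
}

fn main() {
    match publish_gate(sample_card()) {
        Ok(card) => println!("{}", to_json(&card)),
        Err(errs) => eprintln!("publication blocked: {:?}", errs),
    }
}
```

The gate only sanitizes free-text findings; raw crawled page text should never be placed in the struct in the first place, which is why the workflow applies the public-safety rules before the scorecard is generated rather than as a final scrub. The token heuristics are deliberately crude (a phone number split across spaces, or a short API key, slips past them), so a production engine would replace `token_placeholder` with real classifiers and keep the allow-list under review.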
Commercial surface
Trust Scanner can become a lab, product, or advisory entry point.
Deliverables
Next step
Use the scanner to turn trust-page ambiguity into evidence work.
Bring a domain, a buyer trust question, or a claim that needs review. The output should be a public-safe scorecard plus a private backlog of artifacts to improve.
Private engagement
Run this against your public trust surface.
Use a private scan to turn public trust-page ambiguity into an evidence backlog, policy updates, and buyer-ready guidance. Bring a domain, a buyer trust question, or a claim that needs review.
New lab
Trust Scanner turns public AI trust language into reviewable evidence for claims and controls