aisecurity.llc
AI SECURITY ENGINEERING
Los Angeles, CA · Athens, GR
hello@aisecurity.llc
Operational Policy · Negotiation Draft
Evidence Handling Policy
Evidence collection, classification, storage, redaction, retention, deletion, and publication boundaries for AI security assessments, red-team work, governance evidence, and public-safe deliverables.
Effective Date: [EFFECTIVE_DATE]
Version: v1.0
Owner: aisecurity.llc
Applies To: The State of AI Security Engineering 2026 and related client engagements
1. Purpose
1.1 This Policy defines how evidence is collected, labeled, stored, shared, redacted, retained, and deleted when Provider handles security evidence, assessment artifacts, research references, or client-supplied materials.
1.2 The goal is simple: preserve what is necessary to support the work, and remove what is not.
2. Scope of Evidence
2.1 Evidence may include:
- screenshots;
- request and response logs;
- configuration snapshots;
- architecture diagrams;
- short prompt traces;
- test notes;
- remediation artifacts;
- redacted exports;
- attestations; and
- supporting correspondence.
2.2 Evidence does not include credentials, secrets, or raw personal data unless the specific work requires temporary access and the material is protected accordingly.
3. Evidence Principles
3.1 Evidence collection must be minimum necessary, scope-bound, and tied to a work item, finding, or deliverable.
3.2 Provider will avoid collecting more data than needed to prove the condition, describe the risk, or support remediation.
3.3 Provider will prefer redacted, truncated, or synthetic representations when they convey the issue without exposing unnecessary detail.
3.4 Evidence used in public-safe publications must be reviewed for claim readiness before release.
4. Classification
4.1 Provider may classify evidence into the following practical categories:
- public-safe;
- client-confidential;
- restricted-access;
- legal-hold; and
- delete-on-close.
4.2 Classification determines storage location, access controls, and retention requirements.
5. Storage and Access
5.1 Evidence will be stored in access-controlled systems appropriate to its sensitivity.
5.2 Access will be limited to personnel who need the material to perform the work.
5.3 Evidence with sensitive content will be encrypted at rest and, where feasible, in transit.
5.4 Provider will not store evidence in unmanaged personal storage, consumer chat tools, or unsecured shared folders.
6. Redaction Standards
6.1 Provider will redact or suppress:
- personal data;
- credentials and tokens;
- raw secrets;
- internal target lists;
- private contact details;
- privileged operational details; and
- any content that could cause unnecessary exposure if published.
6.2 Redaction must preserve enough context to make the evidence useful and understandable.
6.3 If redaction would remove the evidence value, Provider will use an explanatory summary instead.
7. Retention
7.1 Evidence will be retained only for the period required to complete the engagement, support retesting, satisfy legal or contractual obligations, or maintain the research record.
7.2 Unless a different schedule is specified in the applicable agreement, evidence should be reviewed for deletion or archival at engagement close.
7.3 Evidence subject to legal hold, dispute hold, or publication review may be retained until the hold is released.
8. Sharing
8.1 Evidence may be shared internally with personnel who need it for analysis, review, quality assurance, or delivery.
8.2 Client-facing sharing will use the least sensitive version that still supports the point being made.
8.3 Public sharing requires explicit review against claim-readiness and publication rules.
9. Deletion
9.1 When evidence is no longer needed, Provider will delete it using a commercially reasonable secure-deletion process.
9.2 If the platform does not support verifiable secure deletion, Provider will remove the material from active access and prevent further use to the extent reasonably possible.
9.3 Deletion requests from a client will be honored where they do not conflict with legal obligations, retention requirements, or active disputes.
10. Incident Response
10.1 If evidence is suspected to be exposed, altered, or mishandled, Provider will investigate, contain, and notify the appropriate internal and external contacts as required.
10.2 The incident record will include what was affected, what evidence was involved, who had access, and what corrective actions were taken.
11. Exceptions
11.1 Any exception to this Policy must be approved by an authorized manager and documented with the reason, scope, and expiration date.
12. Review
12.1 This Policy should be reviewed periodically and after any material change in evidence practices, delivery systems, or publication workflows.