AI Workflow
Safety Review
A live AI workflow can pass a demo while its permissions, failure handling and human oversight remain unclear. We review the system in use and give technology and risk owners a ranked set of fixes.
10 risks
OWASP LLM TOP 10, 2025
78%
OF AI USERS BRING THEIR OWN TO WORK
Evidence
KEPT WITH EACH FINDING
Live AI workflows often miss an independent review
The PR is up, the demo went well, the customer testimonial's on LinkedIn. Then someone in legal asks who owns the output, the data team asks what's being sent to OpenAI, and your insurer asks if you've done a DPIA. The answers, in order: probably us, no idea, not yet.
Most AI features get reviewed the way web apps were in 2003. Build is fast, launch is faster, and the review (if it happens) is a junior engineer reading a Notion doc the day before launch.
A safety review is what you do before a regulator, a journalist, or a teenager with a Discord account does it for you.
WHAT YOU'VE GOT
- A chatbot taking customer questions
- Agents that send email, file invoices, edit your CRM
- RAG over docs nobody's checked for PII
- Copilot turned on across the company
- Staff using ChatGPT on personal accounts
- No eval suite, no logs, no kill switch
WHAT YOU NEED
- A written threat model per workflow
- Agents scoped to least-privilege tools
- Retrieval sources classified and reviewed
- Tenant boundaries enforced in the model layer
- Shadow AI named, tooled and policied
- Evals, traces, alerts and a way to switch it off
What we test first
OWASP Top 10 for LLM Applications 2025 as the spine, NIST AI RMF for risk treatment, ICO guidance for the UK data-protection bit. These five are where almost every report starts.
Prompt injection
A customer email, a PDF, a webpage, a calendar invite. Any text your model reads is a possible instruction. EchoLeak (CVE-2025-32711) did this to Microsoft 365 Copilot with one email and no clicks.
Data leakage
Source code, customer lists, board decks. Pasted into ChatGPT by a developer in a hurry. Samsung lost semiconductor source three times in twenty days before they banned it.
Excessive agency
Your agent can send email, refund a customer, edit the database. It also believes the last thing it was told. A Chevrolet dealer's bot agreed to sell a 2024 Tahoe for one dollar. The internet noticed.
Confident wrong answers
In Moffatt v Air Canada the airline's chatbot invented a refund policy. The tribunal held the airline liable anyway. If your bot says it, you said it.
The AI you don't know about
Microsoft's 2024 Work Trend Index found 78% of AI users bring their own tools to work. Cyberhaven measured 73.8% of workplace ChatGPT use going through personal accounts. You can't review what you can't see.
What the review gives you
One report, fixed price. We talk to the people running the workflows, read the prompts and the code, run the attacks ourselves, then write it up in plain English with a ranked list of fixes.
The report gives the operational owner and developers evidence, priority, recommended controls and a clear route to verification.
BOOK A REVIEWMap the workflows
Every AI touchpoint in the business. The live features, the agent behind the scenes, the Copilot licences, the Custom GPT a head of marketing built last Thursday. We name them all, with owners, models, data sources and tools.
Read it, then attack it
System prompts, retrieval pipelines, tool definitions, model configs. Then we try to break them: direct and indirect prompt injection, tool abuse, tenant escape, output rendering tricks, data exfiltration via markdown images. The OWASP LLM Top 10, run for real against your stack.
Check the regulator angle
UK GDPR and ICO guidance on AI. DPIA gaps. EU AI Act exposure if you operate in the EU (general-purpose AI obligations kicked in 2 August 2025). Alignment with NIST AI RMF and ISO/IEC 42001 if you're going for certification. We tell you what applies, not the full library.
Hand over a ranked fix list
One document. Findings ranked by impact and effort, each with the evidence, the OWASP or RMF reference, and the fix written so a developer can apply it. A page on shadow AI with the tools you ought to be giving people instead. Optional follow-up if you'd like us to do the fixes.
Published AI failures
None of these companies thought their AI was the problem. Then it was. All four are the kind of failure a review catches before launch.
Air Canada owns the chatbot.
Moffatt v Air Canada, BC Civil Resolution Tribunal. Chatbot invented a bereavement-fare refund. The airline argued the bot was a separate legal entity. The tribunal disagreed and ordered the refund.
Tahoe for one dollar.
Chevrolet of Watsonville's GPT-backed bot, instructed to be agreeable, agreed to sell a 2024 Tahoe for $1 with "no takesies backsies". A textbook excessive-agency failure.
Copilot, with one email.
EchoLeak, CVE-2025-32711, disclosed by Aim Security. A zero-click indirect prompt injection in Microsoft 365 Copilot. One crafted email exfiltrated tenant data without anyone touching it.
Samsung's twenty-day leak.
Three separate incidents of engineers pasting source code, defect-detection algorithms and meeting notes into ChatGPT. Samsung banned external generative AI on company devices the following month.
Sources: BC Civil Resolution Tribunal 2024 BCCRT 149; GM Authority; Aim Security via NVD; Bloomberg.
We apply these controls to software we operate
Our own AI systems use scoped access, human approval, logs, cost controls and recurring security review. A client review uses the same engineering questions against the workflow that is live in their business.
When this is worth discussing
We work best when there is a real operating problem, enough volume to measure and people from the affected teams who can make decisions.
Usually a good fit
- An established UK business, usually with annual revenue above £10m
- A repeated process with a known cost, delay, error rate or capacity problem
- A senior sponsor and a day-to-day owner who understand the work
- Access to the relevant staff, systems, sample records and security requirements
We may point you elsewhere
- A standard product already covers the process well
- The requirement is a one-off small build with no wider operating case
- There is no owner or access to the people and data needed to test the result
- The plan relies on AI making high-impact decisions with nobody responsible for review
Questions from IT, legal and compliance
Isn't this just a pen test?
Overlapping but different. A pen test looks at your app the way an attacker hits the perimeter. An AI safety review looks at the prompts, the retrieval, the tools, the model behaviour, and the people using it. Most pen testers don't read system prompts. We do little else.
Does the EU AI Act apply to us?
If you put AI on the EU market, or its output is used in the EU, the Act may apply. General-purpose model obligations have applied since 2 August 2025 and Article 50 transparency duties apply from 2 August 2026. The European Commission's current timeline puts Annex III high-risk areas on 2 December 2027 and product-embedded high-risk systems on 2 August 2028. We map the system and your role before stating which duties apply.
What about the UK? There's no AI Act here.
Correct. The UK government has signalled targeted measures rather than a single AI bill, and the AI Safety Institute was rebranded the AI Security Institute in early 2025. Day-to-day, the ICO's published strategic approach to regulating AI sits on top of UK GDPR. That's where most of our regulator findings land.
We're going for ISO 42001. Does this help?
Yes. ISO/IEC 42001:2023 wants an AI management system with risk treatment, controls and evidence. The review gives you the risk register and the control gaps; a certifier wants both. We don't issue the certificate, but the report does most of the homework for the body that does.
What do you need from us?
Read access to the repo, the prompt store, the retrieval indexes, the model dashboards and the tool definitions. Half an hour each with the people who built the features and the people who use them. An NDA if you want one. That's it.
How much does it cost?
Fixed price, scoped against the number of workflows. We tell you the number before we start. If the right answer is "you don't need us yet", we'll say so on the first call.
Can you fix what you find?
Yes, but only if you want us to. The review stands on its own and the fixes are written so your developer can apply them. If you'd rather we did the work, we'll quote it separately once the report is in your hand.
Book an AI workflow safety review
Send us the current workflow list, owners and connected systems. We will identify which one carries the highest operational or data risk and define the scope of an independent review.