AI Workflow Safety Review
You've launched a chatbot, an agent or a Copilot rollout. It's helpful. It's also wired to your data, your customers and your bank. We audit the lot and tell you what's one bad prompt from the front page of the FT.
10 risks: OWASP LLM Top 10, 2025
78%: of AI users bring their own to work
Days: from kick-off to report
You launched the AI. Nobody reviewed it.
The PR is up, the demo went well, the customer testimonial's on LinkedIn. Then someone in legal asks who owns the output, the data team asks what's being sent to OpenAI, and your insurer asks if you've done a DPIA. The answers, in order: probably us, no idea, not yet.
Most AI features get reviewed the way web apps were in 2003. Build is fast, launch is faster, and the review (if it happens) is a junior engineer reading a Notion doc the day before launch.
A safety review is what you do before a regulator, a journalist, or a teenager with a Discord account does it for you.
WHAT YOU'VE GOT
- A chatbot taking customer questions
- Agents that send email, file invoices, edit your CRM
- RAG over docs nobody's checked for PII
- Copilot turned on across the company
- Staff using ChatGPT on personal accounts
- No eval suite, no logs, no kill switch
WHAT YOU NEED
- A written threat model per workflow
- Agents scoped to least-privilege tools
- Retrieval sources classified and reviewed
- Tenant boundaries enforced in the model layer
- Shadow AI named, tooled and policied
- Evals, traces, alerts and a way to switch it off
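What "least-privilege tools", "tenant boundaries" and "a way to switch it off" look like in code, as an added example (not the page's or any vendor's code): a policy gate an agent runtime calls before executing any tool the model asks for. The workflow names, tool names, threshold and function names are assumptions.

```python
# Added example: a tool-call policy gate for an agent runtime.
# WORKFLOW_TOOLS, gate_tool_call and KILL_SWITCH are assumed names.
from dataclasses import dataclass

# Least privilege: each workflow gets only the tools it actually needs.
WORKFLOW_TOOLS = {
    "support_bot": {"lookup_order", "issue_refund"},
    "invoice_agent": {"file_invoice", "send_email"},
}
# High-impact actions above a threshold wait for a human before they run.
REFUND_APPROVAL_LIMIT = 50.0
KILL_SWITCH = {"enabled": False}   # set to True to halt every tool call

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_human: bool = False

def gate_tool_call(workflow, tenant, tool, args, trace):
    """Decide whether the runtime may execute `tool` with `args`.
    `tenant` is the authenticated caller (never model output);
    `trace` is the audit log every decision is appended to."""
    if KILL_SWITCH["enabled"]:
        d = Decision(False, "kill switch engaged")
    elif tool not in WORKFLOW_TOOLS.get(workflow, set()):
        d = Decision(False, f"{tool} not in {workflow} allowlist")
    # Tenant boundary: model-supplied arguments may not name another tenant.
    elif args.get("tenant") not in (None, tenant):
        d = Decision(False, "cross-tenant argument rejected")
    elif tool == "issue_refund" and float(args.get("amount", 0)) > REFUND_APPROVAL_LIMIT:
        d = Decision(False, "refund over limit, queued for approval", needs_human=True)
    else:
        d = Decision(True, "ok")
    trace.append({"workflow": workflow, "tenant": tenant, "tool": tool,
                  "args": dict(args), "allowed": d.allowed, "reason": d.reason})
    return d
```

The point is that the model's request is treated as untrusted input: the gate, not the prompt, decides what can run, and every decision leaves a trace you can alert on.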
The five things that bite AI features first.
OWASP Top 10 for LLM Applications 2025 as the spine, NIST AI RMF for risk treatment, ICO guidance for the UK data-protection bit. These five are where almost every report starts.
Prompt injection
A customer email, a PDF, a webpage, a calendar invite. Any text your model reads is a possible instruction. EchoLeak (CVE-2025-32711) did this to Microsoft 365 Copilot with one email and no clicks.
Data leakage
Source code, customer lists, board decks. Pasted into ChatGPT by a developer in a hurry. Samsung lost semiconductor source three times in twenty days before they banned it.
Excessive agency
Your agent can send email, refund a customer, edit the database. It also believes the last thing it was told. A Chevrolet dealer's bot agreed to sell a 2024 Tahoe for one dollar. The internet noticed.
Confident wrong answers
In Moffatt v Air Canada the airline's chatbot invented a refund policy. The tribunal held the airline liable anyway. If your bot says it, you said it.
The AI you don't know about
Microsoft's 2024 Work Trend Index found 78% of AI users bring their own tools to work. Cyberhaven measured 73.8% of workplace ChatGPT use going through personal accounts. You can't review what you can't see.
Where we come in.
One report, fixed price. We talk to the people running the workflows, read the prompts and the code, run the attacks ourselves, then write it up in plain English with a ranked list of fixes.
No twelve-week consulting engagement, no 80-page PDF. You get a document your developer can act on by Monday morning.
Map the workflows
Every AI touchpoint in the business. The live features, the agent behind the scenes, the Copilot licences, the Custom GPT a head of marketing built last Thursday. We name them all, with owners, models, data sources and tools.
Read it, then attack it
System prompts, retrieval pipelines, tool definitions, model configs. Then we try to break them: direct and indirect prompt injection, tool abuse, tenant escape, output rendering tricks, data exfiltration via markdown images. The OWASP LLM Top 10, run for real against your stack.
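The "data exfiltration via markdown images" check from a defender's side, as an added example (not the page's code): sanitise model output before a web client renders it as markdown, so that retrieved text cannot make the model emit an image whose URL carries data off to a third-party host. The allowlist host and the function names are assumptions.

```python
# Added example: strip untrusted image references from LLM output.
# ALLOWED_IMAGE_HOSTS and the function names are assumed for this example.
import re
from urllib.parse import urlsplit

ALLOWED_IMAGE_HOSTS = {"cdn.example.com"}  # constructed allowlist

# Markdown ![alt](url "title") and raw HTML <img ...> tags.
MD_IMAGE = re.compile(r"!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")
HTML_IMG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)

def image_url_allowed(url):
    """Allow only https images from allowlisted hosts, with no query or fragment."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or parts.netloc.lower() not in ALLOWED_IMAGE_HOSTS:
        return False
    # Query strings and fragments are the usual carrier for smuggled data.
    return not parts.query and not parts.fragment

def sanitise_markdown(text):
    """Return (clean_text, blocked). Blocked images keep their alt text so
    the user sees that something was removed and the SOC gets the URL."""
    blocked = []

    def md_sub(m):
        alt, url = m.group(1), m.group(2)
        if image_url_allowed(url):
            return m.group(0)
        blocked.append(url)
        return f"[image removed: {alt}]" if alt else "[image removed]"

    def html_sub(m):
        # Raw HTML bypasses markdown rules entirely; drop it outright.
        blocked.append(m.group(0))
        return "[html image removed]"

    text = MD_IMAGE.sub(md_sub, text)
    text = HTML_IMG.sub(html_sub, text)
    return text, blocked
```

Anything that lands in `blocked` is worth an alert: a model that suddenly emits image links to unknown hosts is a strong indirect-injection signal.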
Check the regulator angle
UK GDPR and ICO guidance on AI. DPIA gaps. EU AI Act exposure if you operate in the EU (general-purpose AI obligations kicked in 2 August 2025). Alignment with NIST AI RMF and ISO/IEC 42001 if you're going for certification. We tell you what applies, not the full library.
Hand over a ranked fix list
One document. Findings ranked by impact and effort, each with the evidence, the OWASP or RMF reference, and the fix written so a developer can apply it. A page on shadow AI with the tools you ought to be giving people instead. Optional follow-up if you'd like us to do the fixes.
Four stories your board will recognise.
None of these companies thought their AI was the problem. Then it was. All four are the kind of failure a review catches before launch.
Air Canada owns the chatbot.
Moffatt v Air Canada, BC Civil Resolution Tribunal. Chatbot invented a bereavement-fare refund. The airline argued the bot was a separate legal entity. The tribunal disagreed and ordered the refund.
Tahoe for one dollar.
Chevrolet of Watsonville's GPT-backed bot, instructed to be agreeable, agreed to sell a 2024 Tahoe for $1 with "no takesies backsies". A textbook excessive-agency failure.
Copilot, with one email.
EchoLeak, CVE-2025-32711, disclosed by Aim Security. A zero-click indirect prompt injection in Microsoft 365 Copilot. One crafted email exfiltrated tenant data without anyone touching it.
Samsung's twenty-day leak.
Three separate incidents of engineers pasting source code, defect-detection algorithms and meeting notes into ChatGPT. Samsung banned external generative AI on company devices the following month.
Sources: BC Civil Resolution Tribunal 2024 BCCRT 149; GM Authority; Aim Security via NVD; Bloomberg.
The ones we get asked first.
Isn't this just a pen test?
Overlapping but different. A pen test looks at your app the way an attacker hits the perimeter. An AI safety review looks at the prompts, the retrieval, the tools, the model behaviour, and the people using it. Most pen testers don't read system prompts. We do little else.
Does the EU AI Act apply to us?
If you put AI on the EU market, or its output reaches users in the EU, probably yes. General-purpose AI obligations have applied since 2 August 2025. High-risk system obligations were due August 2026, with the Commission's Digital Omnibus now proposing a deferral to December 2027. We'll tell you what catches you and what doesn't.
What about the UK? There's no AI Act here.
Correct. The UK government has signalled targeted measures rather than a single AI bill, and the AI Safety Institute was rebranded the AI Security Institute in early 2025. Day-to-day, the ICO's published strategic approach to regulating AI sits on top of UK GDPR. That's where most of our regulator findings land.
We're going for ISO 42001. Does this help?
Yes. ISO/IEC 42001:2023 wants an AI management system with risk treatment, controls and evidence. The review gives you the risk register and the control gaps; a certifier wants both. We don't issue the certificate, but the report does most of the homework for the body that does.
What do you actually need from us?
Read access to the repo, the prompt store, the retrieval indexes, the model dashboards and the tool definitions. Half an hour each with the people who built the features and the people who use them. An NDA if you want one. That's it.
How much does it cost?
Fixed price, scoped against the number of workflows. We tell you the number before we start. If the right answer is "you don't need us yet", we'll say so on the first call.
Can you fix what you find?
Yes, but only if you want us to. The review stands on its own and the fixes are written so your developer can apply them. If you'd rather we did the work, we'll quote it separately once the report is in your hand.
Find out before someone else does.
Send us a list of the AI workflows running in your business. Half an hour on a call, and you'll have a clear answer on which one we'd review first and what we'd be looking for. No fear-selling.