AI systems need to be tested, not just documented.
DDAI helps organisations assess the security, governance, and operational risk of AI systems before they are deployed, procured, or presented to enterprise and public-sector buyers. We review Large Language Model applications, Retrieval-Augmented Generation systems, agentic workflows, model-provider dependencies, data flows, human oversight, guardrails, and evidence gaps.
The assessment gap
AI governance without adversarial testing is incomplete.
Policies, inventories, and risk registers are necessary, but they do not prove that an AI system behaves safely under pressure. AI systems can fail through prompt injection, unsupported answers, insecure output handling, sensitive information disclosure, weak retrieval controls, excessive agency, unsafe tool access, poor escalation design, and unclear human oversight. DDAI helps teams move from assumed control to tested control.
What we assess
Large Language Model applications
We assess how the application handles prompts, outputs, system instructions, user inputs, sensitive data, error states, and policy boundaries.
Retrieval-Augmented Generation systems
We review retrieval quality, source handling, grounding, citation behaviour, data leakage risk, and whether answers remain tied to approved knowledge sources.
Agentic AI workflows
We assess tool permissions, workflow states, delegated tasks, memory, approval points, escalation paths, and whether the agent can act beyond its intended authority.
AI guardrails and policy checks
We test whether configured guardrails, policy rules, moderation layers, and runtime controls operate as intended.
Model and provider dependencies
We review model selection, provider routing, data residency assumptions, logging behaviour, fallback paths, and operational dependencies.
Governance evidence
We identify which records are missing, weak, stale, or unsuitable for procurement, audit, or internal governance review.
Assessment areas
AI system scope and intended use
AI model and provider dependency review
Prompt and system-instruction exposure
Retrieval-Augmented Generation grounding and source control
Prompt injection and indirect prompt injection exposure
Sensitive information disclosure risk
Insecure output handling
Tool and plugin permission review
Excessive agency and autonomous action risk
Human oversight and escalation design
Runtime guardrail validation
Logging, monitoring, and evidence capture
Article 50 transparency control review
Supplier and procurement evidence quality
Remediation and retest planning
Delivery model
1. Scope and authorisation
We define the system boundary, authorised test environment, excluded actions, data handling requirements, emergency stop route, and reporting process before any assessment begins.
2. Architecture and evidence review
We review the AI workflow, model dependencies, data sources, retrieval layer, tool permissions, policies, and existing governance evidence.
3. Controlled adversarial testing
We test the system using authorised defensive techniques designed to identify realistic weaknesses within the agreed scope.
4. Findings and remediation
We provide severity-rated findings, business impact, recommended remediation, evidence gaps, and prioritised next steps.
5. Retest and evidence packaging
Where required, we retest remediated issues and prepare outputs for Evidary-ready Evidence Bundles, procurement packs, or internal governance review.
Deliverables
AI Security Assessment Report
A structured report covering scope, methodology, findings, risk ratings, remediation guidance, limitations, and residual risk.
AI Governance Evidence Gap Report
A review of the evidence needed to support internal governance, buyer assurance, and regulatory readiness.
Remediation Roadmap
A prioritised plan covering technical fixes, governance controls, documentation, human oversight, and monitoring.
Procurement-Ready Summary
A buyer-facing summary suitable for enterprise or public-sector procurement conversations.
Evidary-Ready Evidence Pack
Where Evidary is used, assessment scope, findings, remediation, retest results, and governance records can be prepared for signed Evidence Bundles and offline verification.
Best fit
AI product companies preparing for enterprise procurement
Public-sector suppliers using AI systems
Organisations deploying Retrieval-Augmented Generation systems
Teams building agentic AI workflows
Consultancies delivering AI systems to clients
Regulated organisations that need clearer AI assurance evidence
Companies preparing for EU AI Act and ISO/IEC 42001 readiness work
Test the system before a buyer, auditor, or incident does.
DDAI can help you assess the security, governance, and evidence posture of your AI system before it becomes a procurement blocker, audit issue, or operational risk.