Security

Security and trust are part of the product, not an afterthought

Private AI only solves the right problem when the deployment model, retrieval boundaries, access patterns, and operating controls are handled deliberately — and reviewed by people who care about the answers.

The control surface

Six areas designed end-to-end

Every engagement touches each of these. Depth and rigor scale with the sensitivity of the use case.

Deployment boundaries

Design choices based on whether the environment must be on-premises, private cloud, or tightly controlled hosted infrastructure — with explicit data-flow documentation.

Identity and access

Role-based access patterns, admin separation, retrieval-aware permissions, and defined access paths for users, maintainers, and reviewers.

Logging and retention

Intentional decisions about what is logged, who can review it, how long it is retained, redaction rules, and how sensitive content is excluded from telemetry.

Threat and misuse review

Assessment of prompt injection exposure, retrieval leakage, configuration drift, jailbreak surface, and unsafe operational assumptions.

Governance workflow

Change control, approval steps, and documented operating expectations so the environment remains supportable and reviewable after go-live.

Evaluation and review

Acceptance criteria, evaluation harness, ongoing review cadence, and rollback paths so behavior change after a model or prompt update does not go unnoticed.

“Good deployments are explainable, supportable, and reviewable. That is the standard.”

Threat model

Specific risks the design has to answer for

The deliverable is a written threat model with named risks, the design decisions that address each, and how to verify the mitigation actually holds.

Prompt injection via retrieved content

Risk

An attacker plants instructions inside a document the system will later retrieve. The model treats the instructions as legitimate user intent.

Mitigation

Trusted-source policy for retrieval, system prompt hardening, output filters tied to policy, and red-team prompts during evaluation.

Retrieval leakage across access boundaries

Risk

A user receives summarized content from documents they would not be allowed to read directly. Access design ends at the application, not the index.

Mitigation

Per-user retrieval filters, document-level ACL enforcement in the vector store, and explicit "no fall-through to broader corpus" rules.
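To show what "ACL enforcement in the vector store, no fall-through" means in practice, here is an added example that is not part of this page or of any client deliverable. It assumes a constructed three-document corpus whose chunks carry the reader groups of their source system, and a toy term-overlap scorer standing in for vector similarity.

```python
"""Document-level ACL enforced before ranking, with no fall-through (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    doc_id: str
    text: str
    allowed_groups: frozenset  # groups permitted to read this chunk, copied from the source ACL


@dataclass(frozen=True)
class User:
    user_id: str
    groups: frozenset


# Constructed sample corpus; "everyone" marks chunks readable by any authenticated user.
CORPUS = [
    Doc("hr-001", "Salary bands for 2024 engineering roles", frozenset({"hr"})),
    Doc("eng-017", "Runbook: rotating the vector store API key", frozenset({"eng", "sre"})),
    Doc("pub-003", "Company holiday calendar", frozenset({"everyone"})),
]


def score(query: str, doc: Doc) -> int:
    """Toy relevance (assumption): number of query terms found in the chunk text."""
    terms = set(query.lower().split())
    return sum(1 for t in terms if t in doc.text.lower())


def retrieve_unfiltered(query: str, k: int = 3) -> list[Doc]:
    """The leaky pattern: the index has no notion of the caller, so ranking sees every chunk."""
    ranked = sorted(CORPUS, key=lambda d: score(query, d), reverse=True)
    return [d for d in ranked if score(query, d) > 0][:k]


def retrieve(user: User, query: str, k: int = 3) -> list[Doc]:
    """ACL applied as a pre-filter: a chunk the user cannot read never enters ranking."""
    effective = user.groups | {"everyone"}
    visible = [d for d in CORPUS if d.allowed_groups & effective]
    ranked = sorted(visible, key=lambda d: score(query, d), reverse=True)
    # No fall-through: when nothing visible matches, return nothing rather than
    # widening the search to the rest of the corpus.
    return [d for d in ranked if score(query, d) > 0][:k]
```

An empty result for a relevant-but-forbidden query is the intended outcome; the application should surface "no results" rather than retry against a broader index.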

Sensitive content captured in logs

Risk

Queries or retrieved snippets containing regulated material end up in telemetry, monitoring tools, or vendor dashboards.

Mitigation

Redaction at the logging boundary, tiered logging policies, retention limits, and explicit exclusion lists for high-sensitivity workflows.
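As an added illustration of "redaction at the logging boundary" plus an exclusion list, here is an example written for this page, not code from any deliverable. It assumes Python's standard logging module, constructed redaction patterns (SSN, card number, e-mail) and constructed workflow names; a real deployment tunes both to its own data.

```python
"""Redacting filter installed at the logging boundary (constructed example)."""
import logging
import re

# Constructed rules; every handler behind the filter sees only the redacted text.
REDACTION_RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED-SSN]"),
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "[REDACTED-PAN]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[REDACTED-EMAIL]"),
]
# Constructed exclusion list: workflows whose queries and snippets never reach telemetry.
EXCLUDED_WORKFLOWS = {"clinical-notes", "cardholder-disputes"}


def redact(text: str) -> str:
    for pattern, placeholder in REDACTION_RULES:
        text = pattern.sub(placeholder, text)
    return text


class RedactingFilter(logging.Filter):
    """Drops excluded workflows outright; rewrites everything else before any handler runs."""

    def filter(self, record: logging.LogRecord) -> bool:
        if getattr(record, "workflow", None) in EXCLUDED_WORKFLOWS:
            return False
        record.msg = redact(record.getMessage())  # interpolate args first, then redact
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Stand-in for the real sink so the example can show what actually got through."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_events(events: list[tuple[str, str]]) -> list[str]:
    """Log (workflow, message) pairs through the boundary; return what reached the sink."""
    logger = logging.getLogger("rag.audit.example")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.filters.clear()
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())  # logger-level filter runs before handlers
    for workflow, message in events:
        logger.info(message, extra={"workflow": workflow})
    return handler.lines
```

Attaching the filter to the logger rather than to one handler is the point: a monitoring exporter or vendor dashboard added later inherits the same boundary.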

Model or prompt drift

Risk

A model upgrade or prompt edit changes behavior in a way that quietly degrades safety, accuracy, or compliance posture.

Mitigation

Versioned prompts, evaluation suite run on every change, regression criteria, and a documented rollback path.

Egress to unmanaged endpoints

Risk

A retrieval source, plugin, or tool integration calls out to a third party that is not on the approved data-flow list.

Mitigation

Egress allow-listing, network segmentation around the model runtime, and a documented inventory of every outbound connection.

Privileged misuse

Risk

An administrator or maintainer queries the system in a way that bypasses end-user controls or exfiltrates content.

Mitigation

Admin separation, audit logging of privileged actions, two-person rules for sensitive changes, and explicit acceptable-use documentation.

A deeper walkthrough of how to build a threat model for a private AI environment is on the insights page.

Compliance alignment

How the design supports common frameworks

The work produces evidence and design artifacts that map to common audit frameworks. It does not produce certification — that conversation stays with your auditor and counsel.

SOC 2

Engagements produce control documentation, change records, access reviews, and logging design that map cleanly to common SOC 2 control families. Certification stays with your auditor.

HIPAA-adjacent

For teams handling PHI or PHI-adjacent material, the deployment model and BAA chain are designed deliberately. The work supports — but does not replace — your compliance counsel.

PCI DSS

Cardholder data does not belong in unbounded LLM context. Architectural decisions around scoping, tokenization, and segmentation are explicit, and the AI environment is kept out of the CDE where possible.

GDPR / data residency

Region-bound deployments, data-flow inventory, and retention controls are part of the design. Legal interpretation of data subject rights stays with your privacy team.

ISO 27001

Risk assessment, asset inventory, access control, and operations documentation produced during delivery slot into an existing ISMS rather than running in parallel.

Want a security-first read on your environment?

Discovery includes an early take on threat model, data-flow constraints, and where the control work will concentrate. Bring your security team if you want.

Book discovery