Your organisation is adopting AI. Teams are excited. The board wants results. And you — the CISO — need to make sure it doesn't become the next breach headline.
The challenge is that most AI platforms were built for capability first and governance second. Security features are often bolted on as an afterthought, and vendor claims can be difficult to verify without knowing the right questions to ask.
This guide gives you a practical 12-point checklist for evaluating AI governance tools. Each point explains what the capability is, why it matters, and what to look for. No jargon walls. No marketing spin.
The 12-Point Checklist
- Pre-retrieval scope enforcement
- Cryptographic verify-before-reveal
- No plaintext in search index
- Fail-closed behaviour
- Instant key-based revocation
- PII vaulting and rehydration
- Tamper-evident audit trail
- Controlled data release
- Model-agnostic design
- Offline governance capability
- Customer-managed keys (BYOK)
- UK data residency
1. Pre-Retrieval Scope Enforcement
What it means: Before the AI searches for information, the system checks who is asking and restricts the search to only the data that person is allowed to access. Documents outside their scope are never included in the search.
Why it matters: Most AI platforms use post-retrieval filtering — they search everything first, then hide results the user shouldn't see. The problem is the AI has already processed restricted data during the search. It can influence the response without anyone knowing. Pre-retrieval enforcement means restricted data is never part of the search in the first place.
What to ask: "At what point in the retrieval pipeline are access controls enforced? Before or after the search?"
2. Cryptographic Verify-Before-Reveal
What it means: After the AI retrieves results, each piece of data is cryptographically verified to confirm the requesting user has the right to see it. Only verified data is included in the response.
Why it matters: This is your second line of defence. Even if something passes the first gate, cryptographic verification catches it before it reaches the user. Without this, you are relying on software logic alone — which can have bugs, misconfigurations, or edge cases.
What to ask: "Is there a cryptographic check on every retrieved result before it is shown to the user?"
3. No Plaintext in Search Index
What it means: The searchable index that the AI queries does not contain readable plaintext data. Even if an attacker gains access to the index, they cannot read the underlying information.
Why it matters: Search indexes are high-value targets. If your AI vendor stores plaintext in the index, a single breach exposes everything. An encrypted or tokenised index means a breach of the index alone does not expose your data.
What to ask: "If someone gained access to your search index, could they read our data?"
4. Fail-Closed Behaviour
What it means: When something goes wrong — a service is down, a permission check fails, a timeout occurs — the system returns no data rather than returning everything.
Why it matters: Many systems fail open. If the authorisation service is unavailable, they skip the check and return results anyway to avoid disrupting the user experience. This is the opposite of what a security-first system should do. Fail-closed means no data leaks during outages or errors.
What to ask: "What happens to a query if the authorisation service is unreachable? Does the user get results or an error?"
5. Instant Key-Based Revocation
What it means: When you revoke an encryption key, all data encrypted with that key becomes immediately inaccessible — not after a sync delay, not after a cache refresh, but right away.
Why it matters: When an employee leaves, a client relationship ends, or a breach is detected, you need to cut access instantly. If revocation takes hours or requires manual cleanup across multiple systems, your window of exposure is wide open.
What to ask: "If we revoke a key right now, how long until the associated data is completely unsearchable and unreadable?"
6. PII Vaulting and Rehydration
What it means: Personal identifiable information (names, emails, phone numbers, financial data, national ID numbers) is detected automatically, removed from AI-visible content, and stored in a separate encrypted vault. When an authorised user needs the full data, PII is reinserted (rehydrated) under controlled conditions.
Why it matters: AI systems do not need to see PII to be useful. By separating PII from the searchable content, you reduce your data protection risk dramatically. Even if the AI layer is compromised, personal data remains isolated in the vault.
What to ask: "Where is PII stored relative to the AI search index? Are they in the same system or physically separated?"
7. Tamper-Evident Audit Trail
What it means: Every action — every query, every retrieval, every access decision — is logged in a way that cannot be altered after the fact. If anyone tries to modify the logs, the tampering is detectable.
Why it matters: Regulators, auditors, and clients will ask you to prove what happened. Standard application logs can be edited. A tamper-evident trail gives you trustworthy records that hold up under scrutiny.
What to ask: "Can your audit logs be modified after they are written? How would we detect if they were?"
8. Controlled Data Release
What it means: Data is only released to the AI model in controlled portions, based on what is needed for the specific query. The AI does not get access to your entire dataset for every question.
Why it matters: The less data an AI model sees, the smaller your attack surface. Controlled release ensures that a compromised query or a prompt injection attack cannot extract large volumes of data. Each response is scoped to the minimum necessary information.
What to ask: "How much of our data does the AI model see for a typical query? Is it the minimum needed or the full dataset?"
9. Model-Agnostic Design
What it means: The governance layer works with multiple AI models, not just one. You can switch between models without losing your security controls, audit trails, or access policies.
Why it matters: The AI model market is moving fast. The best model today may not be the best model next quarter. If your governance is tied to a single model provider, you are locked in. Model-agnostic design means your security investment is protected regardless of which AI models you use.
What to ask: "If we want to switch AI models next year, do we keep our governance policies and audit history?"
10. Offline Governance Capability
What it means: Security and access controls continue to work even if the AI model provider's service is unavailable. Your governance rules are enforced locally, not dependent on an external API being online.
Why it matters: Cloud AI services experience outages. If your governance depends on an external service being available, an outage could mean either no access (acceptable) or uncontrolled access (not acceptable). Offline governance ensures your rules are always enforced.
What to ask: "If the AI model provider goes offline, what happens to our governance controls? Do they still enforce?"
11. Customer-Managed Keys (BYOK)
What it means: You hold the encryption keys, not the vendor. Bring Your Own Keys (BYOK) means the vendor physically cannot access your data without your key. You can revoke access at any time by rotating or withdrawing the key.
Why it matters: If the vendor holds the keys, they can access your data — and so can anyone who compromises the vendor. BYOK gives you ultimate control. It also simplifies compliance because you can demonstrate to regulators that only your organisation holds the decryption capability.
What to ask: "Who holds the encryption keys? Can your staff access our decrypted data?"
12. UK Data Residency
What it means: All data processing and storage happens within the United Kingdom. Your data does not leave UK borders, and no foreign jurisdiction can compel the vendor to hand it over.
Why it matters: For UK-regulated industries — financial services, legal, healthcare — data residency is often a compliance requirement. Even where it is not strictly mandated, UK data residency simplifies your regulatory position and reduces cross-border data transfer risk.
What to ask: "Where is our data stored and processed? Does any data leave the UK at any point, including for AI model inference?"
How Other Me Scores on This Checklist
Other Me's patent-pending SCRS (Secure Context Retrieval System) was designed around these 12 dimensions from day one. It is not a governance layer added to an existing AI tool. It is an AI platform built on a governance foundation.
The SCRS Dual-Gate architecture delivers pre-retrieval scope enforcement (Gate 1: Block Before Search) and cryptographic verification (Gate 2: Verify Before Showing). Every other point on this checklist — from PII vaulting to BYOK to UK data residency — is a core system capability, not an optional add-on.
Want to evaluate Other Me against your own security requirements? Pro accounts are £24/month. Member accounts are £15/month each. Enterprise pricing is available for organisations needing custom deployment. View pricing
The next time a vendor tells you their AI platform is "secure," run it through these 12 points. The answers will tell you whether you are looking at genuine governance or a marketing checkbox.
Pop Hasta Labs Ltd is registered at UK Companies House (No. 16742039). SCRS is protected under UK Patent Application No. 2602911.6.