← Back to enterprise readiness

Technical review artifact

Technical review boundary mapping

A scope-capture worksheet for mapping which AI execution paths need governed authorization, which paths remain outside the guarantee, and what evidence a pilot must produce.

Download Markdown

Review context

Organization

Capture during technical review.

Review date

Capture during technical review.

Primary reviewer

Capture during technical review.

Security reviewer

Capture during technical review.

Platform owner

Capture during technical review.

Audit, risk, or compliance stakeholder

Capture during technical review.

Trigger for review

Capture during technical review.

Step 1

Highest-Scrutiny AI-Driven Action

Identify the action that would create the most scrutiny if it had to be explained three months from now.

Workflow name

AI-driven action

Business system affected

Customer, transaction, record, or operational impact

Why this action is high scrutiny

Existing control owner

Existing evidence source

Can the current system prove why this action was allowed before it ran?

Step 2

Execution Path Inventory

List every system that can initiate, transform, approve, or execute the action, then classify which paths are inside the governed boundary.

System or actor

Action

Execution-capable?

Current evidence

Inside governed boundary?

Required change

The enforcement guarantee applies only where execution-capable paths route through the governed boundary.

Step 3

Identity And Authorization

Capture the OIDC/JWT claims and role mappings required for a controlled pilot.

Identity provider

OIDC issuer

JWT audience

JWKS URL ownership

Required role claim

control_owner mapping

policy_author mapping

operator mapping

Execution control is not reviewable without a defined identity boundary.

Step 4

Policy Ownership

Document which policy authorizes the action, who owns it, and what evidence must prove evaluation before execution.

Policy or control

Accountable owner

Author

Approver

Review cadence

Evidence required

What happens if policy evaluation fails, and what denial record is preserved?

Step 5

Approval, Escalation, And Timeout Rules

Define which actions require approval, who can approve, how escalation works, and what happens on timeout.

Action class

Approval required?

Approver role

Escalation path

Timeout behavior

Self-approval blocked?

The approver cannot be the actor requesting the action. If approval, escalation, or evidence capture fails, execution must not proceed.

Step 6

Required Evidence Artifacts

Mark the artifacts required for audit, incident review, procurement review, or pilot acceptance.

Intent or request record

Policy decision record

Approval request record

Approval envelope or authorization record

Pre-execution evidence record

Execution record

Parameter comparison record

Denial record

Checkpoint or replay record

Hash or integrity evidence

Can a reviewer reconstruct request -> policy -> decision -> outcome without operator interpretation?

Step 7

Recovery, Retention, And Data Durability

Capture the durability standard for execution records and the restore validation expected by the buyer.

Backup interval

Restore validation cadence

Retention period for execution records

Retention period for denied actions

Evidence export format

Database ownership

Disaster recovery objective

Execution records only matter if they survive failure and can be restored without operator interpretation.

Step 8

CI, Security, And Procurement Evidence

List the evidence required by procurement or security before a pilot can be approved.

Enforcement test results

Auth test results

PostgreSQL integration test results

Backup and restore validation

SBOM

SAST output

Secret scanning output

Container scan output

Provenance or signing evidence

Threat model

Do not imply the current package proves more than the artifacts show.

Step 9

Pilot Scope

Convert the review into a deployment scope with explicit in-scope paths, out-of-boundary systems, and blockers.

In-scope workflow

Explicitly out-of-scope workflows

In-scope execution systems

Out-of-boundary systems

Required identity integration

Required policy definitions

Required evidence exports

Success criteria

Pilot blocker

The review output should state whether the selected path can prove control: yes, no, or partial.

Review output

The completed worksheet should state whether the selected execution path can prove control, what gaps remain in the current stack, and whether the pilot should proceed, revise scope, or wait.

Schedule technical review