Public demo · ungated

What Drel ships for an AI Committee.

A real example of the Risk Disposition memo Drel builds for an enterprise procurement agent with RAG, tools and MCP. Required controls, evidence gaps, residual risk and re-assessment triggers — in one regulator-facing artifact. Read it, share the URL, or download the Markdown for your AI Committee.

System: Enterprise Procurement Agent
Type: Agentic system with RAG, tools and MCP
Lifecycle stage: Restricted pilot
Decision: Restricted pilot only
Risk Disposition: Restricted pilot · Inferred

ProcureAssist can drive measurable value for procurement, but it ingests untrusted supplier content, holds over-scoped tool access, and lacks an immutable audit trail and a deterministic policy enforcement point. A restricted pilot inside the procurement department is acceptable with mandatory human assessment on every contract recommendation. Full production is blocked until policy enforcement, immutable tool-call logging, MCP descriptor signing and on-behalf-of delegation are evidenced.

Top blockers to production
  • Per-action authorisation for supplier_lookup scoped to current opportunity
    Security Architecture · 2026-06-15
  • Deterministic policy enforcement point before email_send and contract_recommend
    Security Architecture · 2026-07-01
  • RAG ingestion validation and supplier proposal quarantine
    AI Governance · 2026-06-30
Required controls · 8
  • Per-action authorisation for supplier_lookup scoped to current opportunity
    Security Architecture · Required
  • Deterministic policy enforcement point before email_send and contract_recommend
    Security Architecture · Required
  • RAG ingestion validation and supplier proposal quarantine
    AI Governance · Planned
  • +5 more
Evidence gaps · 5
  • Audit logging design for tool calls and reasoning traces is not documented.
    Architecture proposal due 2026-06-15; sample logs by 2026-07-01.
  • MCP server identity delegation model is not specified.
    Identity flow specification under Security Architecture lead by 2026-06-30.
  • Approval boundary logic is not implemented in code.
    Policy engine implementation in front of email_send and contract_recommend.
6 active re-assessment triggers · 8 controls on the plan · 5 evidence gaps tracked
Decided 2026-05-02
Required before pilot expansion · 4 controls
C-1 · Per-action authorisation for supplier_lookup scoped to current opportunity
Required · Missing evidence · OWASP Agentic Top 10
Owner: Security Architecture
Deadline: 2026-06-15
Verification: Code assessment of authorisation middleware, plus test cases that attempt cross-opportunity reads and expect denial.
Pilot gate
C-3 · RAG ingestion validation and supplier proposal quarantine
Planned · Assumed · OWASP LLM Top 10
Owner: AI Governance
Deadline: 2026-06-30
Verification: Ingestion test suite with adversarial proposal corpus; manual assessment of quarantine queue weekly during pilot.
Pilot gate
C-4 · Mandatory human-in-the-loop on every contract recommendation
Planned · Inferred · EU AI Act
Owner: Business Owner
Deadline: 2026-05-30
Verification: Workflow audit confirming no contract_recommend output is finalised without two named human reviewers.
Pilot gate
C-6 · Strict per-analyst memory isolation and lifetime caps
Required · Unknown · OWASP Agentic Top 10
Owner: Security Architecture
Deadline: 2026-06-20
Verification: Penetration test attempting cross-session retrieval; assessment of memory store data model.
Pilot gate
Required before full production · 4 controls
C-2 · Deterministic policy enforcement point before email_send and contract_recommend
Required · Missing evidence · EU AI Act
Owner: Security Architecture
Deadline: 2026-07-01
Verification: Threat-driven test suite covering deal-value bypass, sensitive recipient class, and out-of-scope analyst combinations; expected denials are logged and reviewed.
Production gate
C-5 · Tamper-evident audit log of tool calls and reasoning traces
Required · Missing evidence · ISO/IEC 42001
Owner: Security Architecture
Deadline: 2026-07-15
Verification: Audit log integrity test; sample reconstruction of a procurement flow end-to-end without source-system access.
Production gate
C-7 · Tool manifest signing and version pinning for MCP tools
Required · Missing evidence · OWASP Agentic Top 10
Owner: Security Architecture
Deadline: 2026-07-10
Verification: Signature validation test on agent startup; tampering attempt simulated and rejected.
Production gate
C-8 · On-behalf-of delegation with scoped tokens to MCP tools
Required · Missing evidence · OWASP Agentic Top 10
Owner: Security Architecture
Deadline: 2026-07-15
Verification: Identity flow assessment; trace inspection showing scoped tokens on all MCP calls.
Production gate
Residual risk · 3 items
  • RR-1 · Indirect prompt injection through supplier proposals can still influence email drafts during the pilot, even with quarantine.
    Inferred
    Acceptance owner: AI Governance
    Condition: Acceptable only while every email_draft is reviewed by an analyst before send.
  • RR-2 · Cross-supplier visibility in supplier_lookup remains until per-action authorisation ships.
    Assumed
    Acceptance owner: Business Owner
    Condition: Acceptable only inside the pilot scope; revoked on first exception.
  • RR-3 · Audit reconstruction of agent reasoning is not yet possible.
    Missing evidence
    Acceptance owner: CISO delegate
    Condition: Acceptable only until audit log control C-5 is verified, with monthly assessment.
Evidence gaps · 5 gaps
  • EG-1
    Audit logging design for tool calls and reasoning traces is not documented.
    Closure plan: Architecture proposal due 2026-06-15; sample logs by 2026-07-01.
    Missing evidence
  • EG-2
    MCP server identity delegation model is not specified.
    Closure plan: Identity flow specification under Security Architecture lead by 2026-06-30.
    Missing evidence
  • EG-3
    Approval boundary logic is not implemented in code.
    Closure plan: Policy engine implementation in front of email_send and contract_recommend.
    Missing evidence
  • EG-4
    Cross-tenant policy isolation in the vector index is not validated.
    Closure plan: Tenant isolation validation report from platform team.
    Unknown
  • EG-5
    Cross-session memory isolation is not verified.
    Closure plan: Pen test scheduled with security testing partner.
    Unknown
Re-assessment triggers · 6 active
  • TR-1 · Move from restricted pilot to general availability.
    active
  • TR-2 · Add a new tool to ProcureAssist.
    active
  • TR-3 · Change of underlying model (e.g., Azure OpenAI version upgrade).
    active
  • TR-4 · Expand to additional business units or geographies.
    active
  • TR-5 · Vendor change for the internal-procurement MCP server.
    active
  • TR-6 · Increase autonomy (auto-send emails without analyst assessment).
    active
Sign-off block · 2/5 approved
  • Security Architecture · Requires changes
    L. Bauer · 2026-04-29
    Approves restricted pilot only. Production gate blocked until C-2, C-5, C-7, C-8 verified.
  • AI Governance · Approved
    M. Janssen · 2026-04-30
    Pilot scope acceptable. Re-assessment on any tool, model or scope change.
  • DPO · Assessment required
    S. Vermeer · 2026-04-30
    Awaits cross-tenant policy isolation evidence and email content assessment process.
  • Business Owner · Approved
    K. Roth · 2026-04-29
    Accepts pilot conditions and mandatory HITL on contract recommendations.
  • CISO delegate · Pending
    J. Halász
    Pending evidence on audit logging and policy enforcement before sign-off.
Included in the audit pack

This memo, required controls, residual risk, evidence gaps, re-assessment triggers and sign-off log are versioned in the audit bundle.

How to read this: the disposition reflects the assessed system and documented assumptions at the time of review. Drel does not ingest live telemetry — re-assessment triggers above describe when the disposition must be revisited.
