Risk
Missing Documented Evidence of Red Teaming/Risk Assessment
Description
Test findings, attack data, and replay steps are not stored centrally, so compliance with red-teaming and risk-assessment requirements cannot be demonstrated.
Example
A critical vulnerability is discussed in Slack but never logged in a tracked record.
Assets Affected
Application usage log
Mitigation
- Store all engagement records (findings, attack data, replay steps) in a version-controlled repository
- Tag each record with the model, date, and tester
- Enforce a retention policy on these records
Standards Mapping
- ISO 42001: A.5.3, A.6.2.7
- NIST AI RMF: MEASURE 2.1, GOVERN 4.2