Sanitized Report Sample
AI Workflow Security Assessment Report

A fictionalized demonstration of THF AI security reporting for LLM workflows, RAG authorization, prompt injection, tool execution, and cross-tenant data exposure.

This sample is fictionalized and sanitized. It represents the format and level of detail used in THF engagements. It contains no client data.
01 — Executive Summary

AI Workflow Access Boundaries Require Immediate Attention

ObjectiveAssess LLM workflows, RAG retrieval, agent tools, prompt handling and AI-enabled access boundaries.
Overall RiskCritical. Retrieved context crossed workspace boundaries and exposed protected information in AI responses.
Key ObservationThe AI layer trusted retrieval relevance without enforcing tenant ownership at query time.
Business ImpactSensitive context leakage, tool abuse and customer trust risk in AI-enabled workflows.
PriorityBlock production rollout until retrieval authorization, tool permissions and output validation are remediated.
02 — Assessment Scope

AI Security Scope

LLM workflow behavior
Prompt injection exposure
Tool/function calling
RAG data access
Agent permissions
Cross-tenant data access
Sensitive context leakage
Goal hijacking
Output handling
SurfaceCoverageRolesStatus
AI assistantPrompts, retrieval behavior, citations, output handlingStandard / AdminReviewed
RAG and vector storeWorkspace documents, embeddings, retrieval filtersStandard / AdminReviewed
Agent toolingTool calls, permissions, data access actionsStandard / AdminReviewed
Out of scopeModel training, phishing, physical testing, DoSExcluded
03 — AI Architecture Overview

Reviewed AI Workflow Components

ComponentPurposeSecurity FocusStatus
LLM interfaceUser-facing AI assistant workflowPrompt injection, output validationReviewed
RAG pipelineWorkspace document retrievalTenant-scoped retrieval authorizationReviewed
Vector databaseEmbeddings and indexed documentsOwnership validation and isolationReviewed
AI tools / agentsAutomated actions and integrationsTool authorization and permission scopeReviewed
03 — AI Workflow Trust Boundary Map

AI Workflow Trust Boundary Map

The AI review separates model behavior from product authorization boundaries so retrieval, tools, APIs, and customer data are tested as connected trust decisions.

User PromptLLMRetrieval LayerTool CallApplication APICustomer Data
04 — Testing Methodology

Prompt Injection and Tool Abuse Testing

01 Scope Review

Confirm AI workflows, roles, data sources, tools and allowed business goals.

02 AI Workflow Mapping

Map prompts, system instructions, retrieval sources and tool execution paths.

03 Prompt & Context Testing

Test direct and indirect prompt injection against realistic workflow goals.

04 Tool Permission Review

Validate whether tool calls enforce server-side user and workspace permissions.

05 RAG/Data Access Review

Test retrieval filters, vector-store ownership and cross-tenant context exposure.

06 Agent Abuse Testing

Attempt goal hijacking, unsafe function invocation and excessive tool use.

07 Manual Validation

Reproduce findings safely and confirm whether the behavior is exploitable.

08 Risk Analysis

Prioritize findings by workflow impact, data sensitivity and likelihood.

09 Remediation Guidance

Provide practical fixes, control recommendations and retesting criteria.

05 — AI Threat Model

AI Workflow Threat Model

  • Cross-tenant retrieval through weak RAG authorization.
  • Indirect prompt injection through retrieved documents.
  • Missing authorization before AI tool execution.
  • Sensitive context leakage in model responses.
  • Unsafe function invocation and excessive tool permissions.
06 — Severity Distribution

Validated Risk Distribution

1Critical
2High
4Medium
3Low
2Informational
07 — Risk Matrix

Likelihood vs Business Impact

LikelihoodHigh

The behavior could be triggered through ordinary authenticated AI workflow usage.

ImpactHigh

Retrieved context and tool behavior could expose sensitive information or perform unauthorized actions.

Business RiskTool abuse / sensitive context exposure

AI features may leak protected data or act outside the intended product goal.

08 — Validated Findings

AI Workflow Risk Summary

IDFindingSeverityStatus
THF-AI-001Cross-Tenant Retrieval Through RAGCriticalOpen
THF-AI-002Indirect Prompt InjectionCriticalOpen
THF-AI-003Missing Tool AuthorizationCriticalOpen
THF-AI-004Sensitive Context LeakageHighOpen
THF-AI-005Unsafe Function InvocationHighOpen
THF-AI-006LLM Output Trusted Without ValidationMediumOpen
THF-AI-007Vector Store Access Without Ownership ValidationCriticalOpen
THF-AI-008Excessive AI Tool PermissionsMediumOpen
09 — Example Critical Finding

THF-AI-001 — Cross-Tenant Retrieval Through RAG Context

Finding TitleCross-Tenant Retrieval Through RAG Context
SeverityCritical
Affected AreaRetrieval pipeline
CategoryAuthorization / RAG Security
RiskCross-tenant data exposure
Required accessStandard user
Description

The AI assistant retrieved context from a protected resource outside the active workspace because the retrieval layer trusted document relevance without enforcing tenant ownership at query time.

Business Impact

The issue could expose customer records, internal documents, or workspace-specific data through AI-generated answers.

Technical Evidence

retrieval_query:
workspace_id: workspace_a
user_role: standard
prompt: “summarize protected customer record”

observed_context:
source_workspace: workspace_b
authorization_filter: missing

Reproduction Summary

A standard user submitted a query that caused the retrieval pipeline to include context from a protected workspace outside the active authorization boundary.

How This Was Verified

The issue was manually reproduced by manipulating workflow instructions and observing tool execution behavior. The assistant performed actions outside the intended business goal, confirming insufficient goal enforcement and tool permission boundaries.

Recommended Remediation

Enforce tenant-aware retrieval authorization before context reaches the model, validate tool permissions server-side, and treat model output as untrusted.

Retesting Criteria

Cross-tenant retrieval attempts must return no unauthorized context, tool execution must be denied outside the user’s permissions, and valid same-workspace workflows must continue to operate.

10 — Business Impact

Potential Business Exposure

The issue could expose customer records, internal documents, or workspace-specific data through AI-generated answers. In a multi-tenant SaaS product, this creates customer trust risk, incident response burden, contractual exposure, and potential regulatory review depending on the data involved.

11 — Technical Evidence

Illustrative Retrieval Evidence

Expected Behavior

retrieval_query:
  workspace_id: workspace_a
  user_role: standard

result:
  authorized_context_only: true

Observed Behavior

retrieval_query:
  workspace_id: workspace_a
  user_role: standard

result:
  retrieved_context:
    source_workspace: workspace_b
    protected_resource: customer_record
12 — Reproduction Steps

Safe Sanitized Reproduction

  1. Sign in as a standard user in Workspace A.
  2. Open the AI assistant connected to workspace documents.
  3. Submit a query referencing a fictional protected customer record.
  4. Observe the assistant retrieve context from a Workspace B document.
  5. Confirm the answer includes sanitized details from the unauthorized retrieved context.
13 — Remediation Guidance

Recommended Fixes

  • Enforce tenant isolation before retrieval, not after generation.
  • Apply server-side authorization filters to every vector search query.
  • Separate vector database indexes or namespaces by tenant where appropriate.
  • Validate AI tool execution permissions against the current user and workspace.
  • Add prompt injection resistance for retrieved documents and tool outputs.
  • Validate model output before exposing sensitive or action-triggering content.
  • Log retrieval misses, denied lookups, and repeated protected-resource probing.
14 — AI Security Best Practices

AI-Specific Retest Criteria

  • Tenant-aware retrieval authorization is enforced in the data-access layer.
  • Vector store access validates ownership for all documents and chunks.
  • MCP and tool permissions are scoped to least privilege.
  • Agent tool calls require server-side authorization before execution.
  • LLM output is treated as untrusted and validated before downstream use.
15 — Testing Philosophy

Our Testing Philosophy

The Hidden Finds focuses on real-world security testing, not automated vulnerability dumps. Our assessments prioritize exploitability, business impact, access control, API behavior, tenant isolation, and workflow abuse. Every finding is manually validated before being reported.

16 — Deliverables Included

Engineering-Ready Output

  • Executive summary and validated AI risk summary
  • AI architecture and workflow map
  • RAG and tool-permission evidence
  • Business impact analysis
  • Remediation guidance
  • Retesting criteria
Next Step

Secure Your AI Workflows Before They Reach Production

If your team needs SaaS, API, access control, AI workflow, or business logic testing, The Hidden Finds can help scope the right review and deliver practical next steps.

Request a Security ReviewView Resources