- Ten checks cover the security surface of an AI brain tool: retrieval scoping, no-training terms, encryption, audit integrity, retention, residency, model keys, offboarding, redaction, and incident evidence.
- The single highest-value check is whether retrieval is filtered before the model reads, not after it answers.
- IBM's Cost of a Data Breach Report 2025 put the global average breach cost at $4.44 million, and found organizations with high levels of shadow AI incurred about $670,000 more.
- Certifications like SOC 2 and ISO 27001 tell you a vendor has a control process, not that its retrieval layer is permission-aware. Ask for both, separately.
- A vendor that cannot show you its audit schema is telling you the audit was designed for a slide, not for an investigation.
A secure AI brain tool must filter retrieval by the asker's permissions before any document reaches the model, encrypt data in transit and at rest, keep an audit trail whose integrity you can verify, commit in writing that your content trains no model, and let you control where data lives and which model key is used. Certifications are separate from controls, and you should ask for both.
1. Is retrieval scoped to the asker before the model reads?
Ask the vendor to describe the enforcement point. The correct answer names the moment a query is scoped to the asker's permissions, before any document text enters the model's context. The wrong answer describes filtering the generated answer afterwards, which cannot survive a request to summarize rather than quote a file.
Nothing else on this list compensates for failing here. A tool that reads everything and edits the output is one prompt away from paraphrasing a document it should never have opened. Preventing AI oversharing covers the ways this fails in practice.
2. Is there a written commitment that your content trains no model?
Get it in writing from whoever runs the model, not only from the tool vendor. The major providers now say this plainly, and the wording is worth quoting back to a vendor who hedges. Anthropic's commercial terms read: "Anthropic may not train models on Customer Content from Services."
OpenAI's API documentation states that "data sent to the OpenAI API is not used to train or improve OpenAI models (unless you explicitly opt in to share data with us)." Read the version that applies to the plan you are on: retention and training terms differ between consumer, enterprise, and API surfaces at nearly every provider.
3. Is data encrypted in transit and at rest?
Require TLS 1.2 as a floor and TLS 1.3 where available, plus encryption at rest. NIST Special Publication 800-52 Revision 2 requires support for TLS 1.2 and mandates support for TLS 1.3, which makes 1.2 the lowest defensible baseline in 2026. This is table stakes, and a vendor who fumbles it has told you something about the rest.
Ask a sharper follow-up: who holds the keys? Amazon Bedrock, Azure OpenAI, and Google Vertex AI all support customer-managed encryption keys. Whether your AI brain tool passes that capability through to you is a different question, and usually the answer is no.
4. Can you verify the audit trail has not been altered?
An audit log is a security control only if it resists the administrator. Ask whether entries can be edited or deleted after the fact, and if the vendor says no, ask how you would independently confirm that. Most cannot answer the second question, and the answer to the first is usually a policy rather than a mechanism.
AIVM Brain writes each access as a linked entry in a tamper-evident hash chain. A standalone verifier re-checks the chain offline and proves its integrity, meaning no entry was altered after it was written. It does not prove that every access was captured; a witness for that is on our roadmap and is not built. We would rather draw that line here than have you discover it during an investigation.
5. What exactly does the audit record, and for how long?
Ask for the schema, field by field, and the retention period. A vendor who answers 'we log everything' has not answered. Microsoft is a good benchmark of specificity: Purview audit records "include references to files, sites, or other resources Copilot and AI applications accessed to generate responses to user prompts," retained for 180 days. Notion offers audit logs on Enterprise, retained up to 365 days.
Be precise about the phrase content-blind, because it is easy to hear as something it is not. AIVM Brain's audit is content-blind in that it stores the actor, the object identifier, and the sensitivity label that applied, rather than the text of the document retrieved. It is blind to your document content, not to identity. By design it records who asked and what they reached.
6. Where does the data live, and can you choose?
Separate storage location from inference location, then ask about each. Microsoft's Advanced Data Residency add-on provides "committed data residency for local country/region datacenter regions" and explicitly covers Microsoft 365 Copilot. Glean will run single-tenant in your own AWS, Azure, or GCP account. Onyx you can host yourself under an MIT licence.
AIVM Brain is hosted only. Tenants are isolated at the database level with per-tenant Postgres row-level security, and there is no regional or on-premises deployment option today. If your regulator requires data to stay inside a specific country, a self-hosted tool is the correct answer.
7. Can you bring your own model key, and revoke it?
Bring-your-own-key moves the model provider's data commitment onto your contract, and gives you a kill switch that does not depend on your vendor's cooperation. Ask whether keys are sealed at rest, who inside the vendor can read them, and what happens to in-flight requests when you rotate one.
Ask about the reverse case too. If the vendor supplies the model, ask which provider, on which plan, and under which retention terms. Notion is unusually clear here: "By default our LLM providers utilize zero data retention for Enterprise plan workspaces," with 30 days or fewer on other plans. That is a materially different posture per plan, and most vendors do not volunteer it.
8. What happens the moment someone is offboarded?
Ask for the propagation window in seconds, and ask it about agents as well as people. A departing employee's account is usually handled. The API key their autonomous agent has been using for six months is frequently not, and it does not appear on any offboarding checklist because nobody remembers it exists.
Require SCIM so deprovisioning is driven by the directory rather than by memory. Then require that agent credentials inherit the human's clearance and die with it. AIVM Brain revokes access in near-real-time, about sixty seconds, because a permissions cache spans two application instances.
9. Can it withhold one field instead of a whole document?
Whole-document blocking is the reason governed knowledge bases fail in practice: a single salary column makes an entire useful spreadsheet unreachable, so people copy the useful part somewhere ungoverned. Field-level redaction lets the brain return the document with the sensitive field withheld, which keeps the knowledge in the system.
Ask what the model sees, not what the user sees. If redaction happens in the interface while the model received the full row, the withheld field is one clever prompt away from the answer, and your audit will show a compliant retrieval.
10. Does the vendor hold the certifications, or just describe them?
A SOC 2 report rests on five Trust Services Criteria, Security, Availability, Processing Integrity, Confidentiality, and Privacy, of which only Security is mandatory. So the phrase 'SOC 2 certified' is an incomplete sentence. Ask which criteria were in scope, whether it is Type I or Type II, and to see the report itself rather than the badge.
ISO/IEC 42001:2023 is the newer AI management system standard, and the NIST AI Risk Management Framework, published in January 2023, gives you the vocabulary for the whole conversation. Its four functions, Govern, Map, Measure, and Manage, map cleanly onto the checks above.
Applying the rule to ourselves: AIVM Brain does not hold SOC 2, ISO 27001, or ISO/IEC 42001 today, and does not offer a data processing agreement, a business associate agreement, or a service level agreement. Those are on our roadmap. What the product does have is permission-aware retrieval, SSO, SCIM, per-tenant isolation, field-level redaction, a tamper-evident audit, bring-your-own-key, and no model training on your content. Ask any vendor, including us, to separate what they hold from what they plan. The reasoning behind these controls is in governed access, end to end and how a secure AI brain handles company knowledge. The team behind the product is AIVM.
One more check that costs nothing: run the whole list against the ranked roundup of AI brain tools before the first sales call, score the answers in writing, and weigh them with the seven criteria for choosing an AI brain tool.