The Project

A multi-sprint AI security engagement with an FTSE 100 insurance group. BSS was embedded within the client’s agile delivery to provide security assurance across a portfolio of AI initiatives, from design review and threat modelling through penetration test scoping to LLM testing, with the scope of each sprint agreed jointly and formalised through the client’s change control process.

The Challenge

The client was developing AI capabilities across its business: categorising inbound SMS messages, summarising and analysing calls, supporting total loss assessment, and an LLM-based chatbot. Systems like these introduce security risks that conventional testing approaches do not neatly cover, and they were being delivered at sprint pace, so security assurance had to keep up without slowing innovation.

Not every AI system warrants the same treatment either: the client needed informed judgement on where penetration testing was feasible and required, and where other forms of assurance were more appropriate.

The Solution

BSS worked sprint by sprint inside the client’s delivery model, alongside the client’s appointed AI consultants. For the SMS categorisation system, BSS reviewed the design documentation and delivery approach, assessed the existing threat model and draft risk assessment, agreed the principal security concerns with the client, and produced a formal penetration testing scope in the client’s own template, coordinating the testing prerequisites with stakeholders across the business.

Across the client’s wider AI platform, including the call summarisation and total loss use cases, BSS reviewed design documents, provided feedback and completed test scoping, in each case determining whether penetration testing was feasible and required and formally documenting its recommendations.

The engagement also extended to LLM testing of the chatbot. Scope for each sprint was agreed at the close of the previous one, allowing both parties to adapt to the most critical business needs.

The Outcome

Security assurance was built into the client’s AI delivery rather than bolted on at the end. Each AI system gained documented security recommendations and an agreed testing scope, or a clear, justified position on whether testing was required.

The engagement concluded with a structured handover: completion of the outstanding scoping and testing activities, knowledge transfer sessions with the client’s permanent team through walkthroughs, documentation handover and Q&A, and the closure of all work items in line with the client’s ways of working, leaving the client equipped to own the security of its AI estate over the long term.
