Mercury Security

Evidence Pack Contents
(v1.0, 2025)

The Evidence Pack is the backbone of our 4-Week Audit → Governance Sprint. It contains the artifacts you’ll use to demonstrate compliance readiness to boards, regulators, and auditors. All items are delivered in portable formats (PDF/DOCX/CSV/JSON where applicable).

1. Logs & Records

  • Conversation Logs (Redacted): 20–200 sampled interactions, anonymized and annotated for audit criteria (e.g., refusal handling, source citations).
  • System Event Logs: Authentication, access-role, and system-change records (where available).
  • Tamper Evidence: Hash-chain digests or WORM (write-once) storage attestations showing that the logs have not been altered since capture.
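The hash-chain form of the tamper evidence above, written out as an added example (this is illustration code, not Mercury Security's tooling): each event record carries the previous record's hash plus a SHA-256 over itself, and a verifier recomputes every link. The sample events, field names and the idea of a separately published head hash are assumptions for illustration.

```python
import copy
import hashlib
import json

# Constructed sample system events (assumed schema, not real log data).
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:01Z", "type": "auth", "user": "alice", "result": "success"},
    {"ts": "2025-01-10T09:05:12Z", "type": "role_change", "user": "bob", "role": "reviewer"},
    {"ts": "2025-01-10T09:07:44Z", "type": "config_change", "key": "guardrails", "value": "v1.3"},
    {"ts": "2025-01-10T09:09:03Z", "type": "auth", "user": "mallory", "result": "failure"},
]

GENESIS = "0" * 64  # stands in for the hash of the (empty) record before the first entry


def _digest(event, prev):
    # Canonical JSON (sorted keys, no whitespace) so the same event always hashes
    # identically regardless of how it was serialized when it was stored.
    payload = json.dumps({"event": event, "prev": prev},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(events):
    """Wrap each event with the previous record's hash and its own digest."""
    prev = GENESIS
    chain = []
    for event in events:
        h = _digest(event, prev)
        chain.append({"event": event, "prev": prev, "hash": h})
        prev = h
    return chain


def head_hash(chain):
    """The value to publish outside the log writer's control (WORM store, signed
    evidence pack). Without it, a chain that was rewritten and rehashed end to end
    is indistinguishable from an honest one."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain, expected_head=None):
    """Recompute every link. Returns (ok, reason, index_of_first_problem)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, "broken link", i         # entry removed or reordered
        if rec["hash"] != _digest(rec["event"], rec["prev"]):
            return False, "modified entry", i      # contents changed in place
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "truncated or diverged", len(chain)  # tail cut off, or chain rebuilt
    return True, "ok", None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    head = head_hash(chain)
    print("intact:", verify_chain(chain, head))

    edited = copy.deepcopy(chain)
    edited[1]["event"]["role"] = "admin"           # privilege change hidden in the log
    print("edited in place:", verify_chain(edited, head))
    print("entry deleted:", verify_chain(chain[:2] + chain[3:], head))
    print("tail truncated:", verify_chain(chain[:-1], head))

    # Attacker rewrites the event and rehashes everything after it: only the
    # externally anchored head hash catches this.
    rebuilt = build_chain([r["event"] for r in edited])
    print("rebuilt, no anchor:", verify_chain(rebuilt))
    print("rebuilt, with anchor:", verify_chain(rebuilt, head))
```

The last two checks are the practical point: per-record hashes only prove the chain is self-consistent, so the head hash (or a signature over it) has to live somewhere the log writer cannot update, which is what the WORM alternative in the list provides.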

2. Testing Results

  • Bias & Safety Test Scenarios: Results across sensitive prompts (PII requests, prohibited topics, refusal behavior).
  • Transparency Checks: % of responses with valid source links or “no source” disclaimers.
  • Consistency / Drift Metrics: Side-by-side runs over time, highlighting anomalies.

3. Configuration Artifacts

  • Guardrail Rules: Allow/deny lists, sensitive topic decline patterns.
  • Human-in-the-Loop Rules: Escalation thresholds, routing to human queues.
  • Redaction Patterns: Patterns applied to PII or sensitive data before prompts reach the model (pre-processing) and before outputs reach the user (post-processing).
  • Access Controls: RBAC matrix, connector scopes, SSO/OIDC configuration screenshots.
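One way the redaction-pattern artifact in the list above can be exercised, as an added example rather than Mercury Security's own configuration: a small ordered pattern set applied on the way in (typed placeholders, with match counts that can be logged as evidence) and re-run on the way out as a leak check. The regexes and the sample prompt and reply are constructed for illustration and would be tuned per jurisdiction in practice.

```python
import re

# Assumed illustrative patterns. Order matters: the longer, more specific
# patterns run first so a card number is not partially consumed as a phone number.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("CARD",  re.compile(r"\b(?:\d[ -]?){13,16}\b")),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]


def redact(text):
    """Pre-processing: replace each match with a typed placeholder.
    Returns (redacted_text, {label: count}); the counts are what gets logged,
    never the matched values themselves."""
    counts = {}
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def residual_pii(text):
    """Post-processing check on model output: labels of every pattern that still
    matches. An empty list means the output is clean under these patterns."""
    return sorted(label for label, pattern in PATTERNS if pattern.search(text))


# Constructed sample prompt and model reply (not real data).
SAMPLE_PROMPT = ("Contact alice.smith@example.com or (555) 123-4567; "
                 "SSN 123-45-6789; card 4111 1111 1111 1111.")
SAMPLE_REPLY = "Sure, I have emailed alice.smith@example.com about the account."

if __name__ == "__main__":
    cleaned, counts = redact(SAMPLE_PROMPT)
    print(cleaned)                       # placeholders only
    print(counts)                        # evidence: how much was redacted, by type
    print("leak in reply:", residual_pii(SAMPLE_REPLY))
```

The post-processing check matters because redaction of the prompt does not stop the model from emitting PII it has seen elsewhere (retrieved documents, earlier turns); the `residual_pii` result is the kind of per-response signal that feeds the Testing Results section.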

4. Governance Templates

  • Purpose & Scope Statement: Declared use cases, in-scope/out-of-scope notes.
  • User Notices & Consent Texts: Screenshots and language provided to end-users.
  • Retention Schedule: Policy for how long logs, prompts, and outputs are stored.
  • Change Log: Version history of model or config updates, rollback notes.

5. Framework Crosswalk

  • EU AI Act: Mapping to transparency, oversight, post-market monitoring.
  • NIST AI RMF: Evidence tied to Govern–Map–Measure–Manage functions.
  • GDPR: Lawful basis candidates, minimization, export/delete hooks.
  • ISO/IEC 42001: Policy alignment, control design, measurement cycle.

Delivered as both CSV (for internal tracking) and PDF (for board/regulator use).

6. Board-Ready Deliverables

  • Audit Report: Executive summary + technical appendix.
  • Board Roadmap: 90-day plan with named owners and deadlines.
  • Remediation Tracker: Items flagged during the Sprint, severity, and due dates.

7. Delivery Formats

  • PDF (formal record, board/regulator sharing)
  • DOCX (editable for internal tailoring)
  • CSV/JSON (logs, crosswalks, metrics)

✅ The Evidence Pack ensures your governance posture is not just documented — it’s portable, verifiable, and mapped to recognized frameworks.
