Who it's for · Enterprise & procurement
A standard way to say yes to AI, vendor or in-house.
Procurement, security, and governance teams are fielding AI approvals with tools built for conventional software. AetherLab adds the missing step: adversarial assessment of what the system actually does, documented in a record your committee can defend.
AI review is stuck between two bad options.
Rubber-stamp the vendor questionnaire, or block everything and watch the business route around you. Both fail for the same reason: nobody measured the system.
Questionnaires measure claims
SIG and DDQ answers describe intended controls. They say nothing about what the model does under adversarial pressure.
Pentests miss the model
Traditional security testing covers the infrastructure around the AI. The failure modes that make headlines live in the model's behavior itself.
Committees need records
When an approval is questioned later, by an auditor, a regulator, or a board, "we reviewed it" needs a document behind it.
Intake to approval, with evidence in between.
Define
Break-goals derived from your policies: data handling, prohibited outputs, brand and regulatory red lines.
Assess
AdversarialScan attacks the system across text, conversation, and image, then scores each finding by severity and exposure.
Decide & monitor
The Evidence Pack documents the decision; Guardrails enforce the conditions in production where you control the deployment.
Evidence your frameworks can consume.
Findings, controls, and decisions are structured for reuse: referenced against NIST AI RMF functions, EU AI Act obligations, and your internal standards: assembled once, cited in every subsequent review.
For the AI governance committee
One artifact format across every AI system: comparable severity scales, consistent impact language, versioned decisions.
For audit season
The approval record shows what was tested, what was found, what was fixed, and who signed, before anyone asks.
Common questions from enterprise teams.
- How does this fit an existing third-party risk management (TPRM) program?
- As the AI-specific evidence step. Your intake, tiering, and decision workflow stay the same; AetherLab adds measured behavior, adversarial testing of the vendor's AI system against your break-goals, where today the file relies on questionnaires. The Evidence Pack becomes a standard artifact in the vendor record.
- Does it work for internal AI deployments as well as vendors?
- Yes. Internal builds go through the same loop: define break-goals with the owning team, assess, remediate with guardrails, and document the approval. It gives AI governance committees one consistent record for build and buy alike.
- How does this relate to NIST AI RMF and the EU AI Act?
- Assessments are structured so findings, controls, and decisions can be referenced against NIST AI RMF functions and EU AI Act risk-management and documentation obligations. AetherLab provides the testing evidence; your compliance function draws the conclusions.
- What happens when a vendor updates their model?
- Material change is a trigger: the original break-goals re-run against the updated system and the Evidence Pack is versioned, so your record shows the posture before and after, not just at onboarding.
Give your AI reviews a spine.
Start with one vendor or one internal system. If the Evidence Pack earns its place in the file, scale the program from there.
Ask about the Evidence Pack
Leave your email and we'll walk you through what an Evidence Pack contains for your use case: severity-scored findings, business-impact mapping, and the approval record.