Attack surface • Procurement‑grade map

ATTACK SURFACE

Where GenAI breaks — and what evidence closes it.

Infrastructure. Supply chain. Interfaces. A procurement‑grade map of where GenAI fails — and what reviewers can verify offline.

No proof, no action. Missing proof defaults to HOLD.

EVIDENCE SPINE

Verify → Permit → Gate → Receipts

Different surfaces fail in different ways. The control pattern stays the same: verify scope and authenticity, permit only what is allowed, gate every side effect, and emit replayable receipts.

Verify: Policy pinned. Freshness and continuity proven.
Permit: Short‑lived, scoped authority for each side effect.
Gate: Non‑bypassable control points (egress, dispatch, promotion).
Receipts: Replayable artifacts with stable reason codes.

THE THREE SURFACES

Most GenAI failures cluster in three places.

The execution environment (infrastructure), the artifacts you pull in (supply chain), and the user + API entry ramps (interfaces).

Surface 1: Infrastructure

Execution environment

  • Over‑privileged IAM + weak auth/authz/logging on new AI resources (RAG/MCP/tool runners).
  • Secret sprawl in pipelines (keys, PII, code).

MVG enforces

  • Gate side effects at egress, dispatch, promotion.
  • Short‑lived scoped permits + replayable receipts.

If infrastructure proof is weak, side effects stay blocked.

Surface 2: Supply chain

Artifacts you pull in

  • Poisoned models/data/dependencies pulled from registries or mirrors.
  • Unverified orgs/accounts and unsafe artifacts evading scanners.

MVG enforces

  • Pin + sign artifacts (digest + provenance) before promotion.
  • Receipts bind policy version + artifact identity + outcome.

No provenance, no promotion.

Surface 3: Interfaces

User + API entry ramps

  • Direct/indirect prompt injection driving tool misuse.
  • Data exfiltration via overly broad tool/data access.

MVG enforces

  • Capability‑scoped tools/data + deny on uncertainty.
  • Reason‑coded PASS / FAIL / HOLD for reviewers.

No permit, no action.

Most vendors observe. MVG proves and blocks.

Deterministic verifier, portable conformance pack, and stable reason codes — so reviewers can replay decisions offline.

DEEP DIVE

Turn the attack surface into reviewer checklists and evidence requirements.

Each surface below maps common failure modes to MVG control points and what reviewers can verify offline.

Surface 1: Infrastructure — egress / dispatch / promotion

What fails

  • Over‑privileged IAM roles; weak auth/authz/logging on new AI resources.
  • Long‑lived credentials and exposed secrets inside clusters and pipelines.
  • Misconfigurations that open initial access and discovery paths.

What MVG enforces

  • Verify: component identity + policy freshness/continuity before execution.
  • Permit: short‑lived, scoped permits for each side effect (tool call, write, egress).
  • Gate: non‑bypassable control points (dispatch, egress, promotion).
  • Receipt: canonical bytes + stable reason codes.

Reviewer checklist

  • Inventory MCP servers, RAG stores, endpoints, and connectors.
  • Least privilege by default; short‑lived credentials; deny on uncertainty.
  • Immutable receipts; offline replay without vendor access.
  • Deterministic PASS / FAIL / HOLD vectors for initial access and credential misuse.
INF-AUTH-001, INF-SECRET-002, INF-GATE-003

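
The Verify / Permit / Gate / Receipt spine for one side effect, as an added example in Python (not MVG's own code): a scoped, expiring permit is issued under a pinned policy, the gate resolves to PASS, FAIL or HOLD with a stable reason code, and the receipt can be replayed offline without trusting the runtime that wrote it. The policy pin, HMAC key, request and reason codes are constructed stand-ins, and HMAC stands in for whatever signature scheme a real issuer uses (a reviewer would hold only the verification key).

```python
import hashlib
import hmac
import json

POLICY_VERSION = "policy-2025-01"      # constructed policy pin
SIGNING_KEY = b"constructed-demo-key"  # constructed; HMAC stands in for the issuer's signature

def canonical(obj):
    """Stable bytes (sorted keys, no whitespace) so digests replay identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(body):
    return hmac.new(SIGNING_KEY, canonical(body), "sha256").hexdigest()

def issue_permit(action, target, issued_at, ttl):
    """Short-lived permit scoped to exactly one side effect under the current policy pin."""
    body = {"action": action, "target": target, "exp": issued_at + ttl, "policy": POLICY_VERSION}
    return {**body, "sig": sign(body)}

def gate(request, permit, now):
    """Fail-closed decision: missing proof -> HOLD, contradicted proof -> FAIL, else PASS."""
    if permit is None:
        return "HOLD", "GATE-NO-PERMIT"
    body = {k: v for k, v in permit.items() if k != "sig"}
    if not hmac.compare_digest(sign(body), permit.get("sig", "")):
        return "FAIL", "GATE-BAD-SIG"
    if permit["policy"] != POLICY_VERSION:
        return "HOLD", "GATE-STALE-POLICY"
    if now >= permit["exp"]:
        return "FAIL", "GATE-EXPIRED"
    if (permit["action"], permit["target"]) != (request["action"], request["target"]):
        return "FAIL", "GATE-OUT-OF-SCOPE"
    return "PASS", "GATE-OK"

def receipt(request, permit, now):
    """Receipt binds policy version, inputs and outcome; its digest makes it tamper-evident."""
    outcome, reason = gate(request, permit, now)
    rec = {"policy": POLICY_VERSION, "request": request, "permit": permit,
           "now": now, "outcome": outcome, "reason": reason}
    return {**rec, "digest": hashlib.sha256(canonical(rec)).hexdigest()}

def replay(rec):
    """Offline replay: check the digest, then recompute the decision from the recorded inputs."""
    body = {k: v for k, v in rec.items() if k != "digest"}
    if hashlib.sha256(canonical(body)).hexdigest() != rec["digest"]:
        return False
    return gate(rec["request"], rec["permit"], rec["now"]) == (rec["outcome"], rec["reason"])
```

A receipt whose outcome was edited after the fact fails `replay`, which is the check the Reviewer Flow's Verify step performs on a conformance pack.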
Surface 2: Supply chain — provenance / pinning / promotion

What fails

  • Poisoned models, data, prompts, or dependencies pulled from registries or mirrors.
  • Unverified organizations/accounts and unsafe artifacts evading scanners.
  • Risky serialization formats and dependency tricks.

What MVG enforces

  • Policy: pinned allowlist for registries, orgs, versions, hashes.
  • Signed artifacts: digest + provenance before promotion.
  • Promotion gate: FAIL unless provenance checks and policy evaluation PASS.
  • Receipts: bind artifact identity, policy version, inputs, and outcome.

Reviewer checklist

  • Show registry + org + digest and who signed it.
  • Deny floating tags; require explicit versions and hashes.
  • Attach SBOM/model metadata + verification outputs.
  • Revoke + re‑verify drill to prove compromised artifacts fail closed.
SUP-PROV-001, SUP-PIN-002, SUP-GATE-003

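
A pinned-allowlist promotion gate, as an added example in Python (not MVG's own code) covering the enforcement and reviewer-checklist items above: floating tags are denied, a missing digest or missing provenance resolves to HOLD rather than a guess, a revoked digest fails closed, and every decision is a receipt binding artifact identity, policy version and outcome. The policy, provenance index, reference format and reason codes are constructed stand-ins.

```python
import hashlib
import json
import re

# Constructed pinned policy: the only registries, orgs and digests allowed to promote.
PINNED_POLICY = {
    "version": "policy-2025-01",
    "registries": {"registry.example.test"},
    "orgs": {"trusted-org"},
    "allowed_digests": {"sha256:" + c * 64 for c in "abc"},
    "revoked_digests": {"sha256:" + "b" * 64},  # revoke + re-verify drill: b must now fail closed
}
# Constructed provenance index (digest -> verified signer); c is pinned but was never signed.
PROVENANCE = {"sha256:" + "a" * 64: "release-signer@trusted-org"}
FLOATING_TAGS = {"latest", "main", "stable", "dev"}
REF_RE = re.compile(r"^(?P<registry>[^/]+)/(?P<org>[^/]+)/(?P<name>[^:@/]+)"
                    r"(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")

def receipt(ref, outcome, reason, policy):
    """Receipt binds artifact identity, policy version and outcome; digest makes it tamper-evident."""
    rec = {"artifact": ref, "policy": policy["version"], "outcome": outcome, "reason": reason}
    body = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
    return {**rec, "digest": hashlib.sha256(body).hexdigest()}

def evaluate_promotion(ref, policy=PINNED_POLICY, provenance=PROVENANCE):
    """Fail-closed promotion gate: missing proof -> HOLD, contradicted proof -> FAIL, else PASS."""
    m = REF_RE.match(ref)
    if not m:
        return receipt(ref, "FAIL", "SUP-REF-UNPARSEABLE", policy)
    r = m.groupdict()
    if r["registry"] not in policy["registries"] or r["org"] not in policy["orgs"]:
        return receipt(ref, "FAIL", "SUP-SOURCE-NOT-ALLOWED", policy)
    if r["tag"] in FLOATING_TAGS:
        return receipt(ref, "FAIL", "SUP-FLOATING-TAG", policy)
    if r["digest"] is None:
        return receipt(ref, "HOLD", "SUP-NO-DIGEST", policy)  # no hash, no identity proof
    if r["digest"] in policy["revoked_digests"]:
        return receipt(ref, "FAIL", "SUP-REVOKED", policy)
    if r["digest"] not in policy["allowed_digests"]:
        return receipt(ref, "FAIL", "SUP-DIGEST-NOT-PINNED", policy)
    signer = provenance.get(r["digest"])
    if signer is None:
        return receipt(ref, "HOLD", "SUP-NO-PROVENANCE", policy)  # unsigned: hold, do not guess
    if not signer.endswith("@" + r["org"]):
        return receipt(ref, "FAIL", "SUP-SIGNER-MISMATCH", policy)
    return receipt(ref, "PASS", "SUP-OK", policy)
```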
Surface 3: Interfaces — tool misuse / injection / exfil

What fails

  • Direct and indirect prompt injection that hijacks tool use.
  • Harmful code execution embedded in artifacts or retrieved context.
  • Data exfiltration when tool/data access is too broad.

What MVG enforces

  • Capability scoping: explicit, least‑privilege tool + data access.
  • Non‑bypassable gates: all side effects require a valid permit.
  • Deterministic outcomes: model outputs are not actions.
  • Receipts: tool calls logged with stable reason codes.

Reviewer checklist

  • Enumerate tools + connectors; show allowed operations and denial modes.
  • Red‑team prompts with expected HOLD / FAIL outcomes.
  • Exfil guard: sensitive sources cannot be retrieved without permit.
  • Replay verification offline and reproduce outcomes.
IFACE-CAP-001, IFACE-INJ-002, IFACE-EXFIL-003

REVIEWER FLOW

Two minutes to a defensible first pass.

Download the artifact. Verify it offline. Resolve to PASS / HOLD / FAIL with stable reason codes. Spot-check the highest-risk surface before action.

  1. Download: Get the portable conformance pack with receipts, policy pins, and expected outputs.
  2. Verify: Replay receipts and deterministic test vectors offline, without vendor access.
  3. Decide: Resolve to PASS / HOLD / FAIL with stable reason codes tied to the evidence.
  4. Spot-check: Inspect egress, dispatch, promotion, and the highest-risk surface before any side effect.

Fail-closed operating law: HOLD on missing proof.

Enterprise corroboration (secondary signal)

Enterprise trust is shifting from narrative assurance to quantified reliability.

Production evaluation loops and portable evidence are becoming part of how buyers judge agentic systems.

Additional corroboration: Snowflake AI + Data Predictions 2026.

PROCUREMENT TRANSLATION

Turn narrative assurances into evidence your reviewers can replay.

If evidence is missing, stale, or unverifiable: HOLD — and side effects remain blocked.

Your RFP question / Evidence artifact

  • Question: How do you prevent side effects when the model is uncertain?
    Evidence: Fail‑closed gate + scoped, expiring permits. No permit, no action.
  • Question: Can our team verify without vendor access?
    Evidence: Offline verifier + deterministic replay of receipts and test vectors.
  • Question: How do you control model and dependency updates?
    Evidence: Signed promotion receipts; pinned versions/hashes; provenance checks.
  • Question: How do you prove prompt‑injection resistance?
    Evidence: Red‑team vectors with expected PASS/FAIL/HOLD + stable reason codes.

EVIDENCE LEDGER

The page closes on inspectable proof.

Primary evidence defines the attack surfaces. External corroboration supports the framing. Utilities let reviewers replay the claim without narrative dependence.

Primary evidence: defines the surfaces.

Closing law: missing proof defaults to HOLD. The ledger ends on inspectable artifacts, not narrative assurances.