This project reflects the type of work I support in real-world engagements. The documentation consolidates insights from that experience alongside my ongoing self-directed study. All materials use synthetic data—no client information is reproduced—and the templates are either self-developed or sourced from open-source resources.
Contributed to an AI security audit for a cryptocurrency exchange operating high-risk AI systems (KYC verification, transaction monitoring, sentiment analysis). The assessment evaluated governance, model integrity, data security, and regulatory compliance against ISO/IEC 42001:2023, NIST AI RMF, and Nigeria Data Protection Act requirements to determine AI risk posture and regulatory readiness.
- Administered a structured AI Security Audit Checklist (sheet 1) covering ten domains, including governance, model lifecycle, adversarial resistance, and supply chain risk, with responses mapped to ISO, NIST, and OWASP frameworks.
- Generated a detailed Document Evidence Checklist (sheet 2) to track required artefacts across all audit domains, identifying gaps in policies, technical controls, and compliance documentation.
- Performed evidence-based testing documented in the AI Security Audit Report, including governance framework review, model versioning analysis, data provenance verification, and adversarial testing capability assessment.
- No AI Governance Framework (Critical): No approved AI policy, ethical principles, or formal roles existed; decisions made ad-hoc. Recommendation: Approve formal AI Governance Policy and establish AI Steering Committee within 30 days.
- No Adversarial Testing (Critical): Transaction monitoring AI never tested against evasion or poisoning attacks; fraudsters could bypass detection. Recommendation: Implement adversarial robustness testing using dedicated tooling before next deployment cycle.
- Undocumented Third-Party Models (Critical): Sentiment analysis LLM imported from Hugging Face with no security review or due diligence. Recommendation: Complete third-party model risk assessments and establish formal approval process for all external models.
- Incomplete Data Provenance (High): External sentiment datasets lacked licensing documentation; poisoning risk unmanaged. Recommendation: Document complete provenance for all training data and establish data integrity verification controls.
- No AI Incident Response (High): General IR plan existed but lacked AI-specific playbooks for model poisoning or adversarial attacks. Recommendation: Develop and test AI incident response playbooks within 90 days.
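
One way to implement the approval and integrity controls recommended in the third-party model and data provenance findings above, as an added example that is not part of the audit deliverables: a pre-training gate that rejects any external dataset or model lacking a documented source, licence and reviewer, or whose SHA-256 no longer matches the reviewed copy. The manifest fields, file names and sample contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed manifest schema: fields every external dataset or model must document.
REQUIRED_FIELDS = ("source", "license", "sha256", "reviewed_by")

def sha256_of(path: Path) -> str:
    """Stream the file so large model weights never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_artifact(entry: dict, root: Path) -> list[str]:
    """Return the provenance and integrity failures for one manifest entry."""
    failures = [f"missing {f}" for f in REQUIRED_FIELDS if not entry.get(f)]
    path = root / entry["path"]
    if not path.is_file():
        failures.append("file not found")
    elif entry.get("sha256") and sha256_of(path) != entry["sha256"].lower():
        failures.append("sha256 mismatch (content changed since review)")
    return failures

def gate(manifest: list[dict], root: Path) -> dict[str, list[str]]:
    """Map each failing artefact to its failures; an empty dict means pass."""
    results = {e["path"]: check_artifact(e, root) for e in manifest}
    return {p: f for p, f in results.items() if f}

def demo() -> dict[str, list[str]]:
    """Constructed sample: a documented dataset, a modified one, an unreviewed model."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sentiment_a.csv").write_text("text,label\ngood,1\n")
        (root / "sentiment_b.csv").write_text("text,label\nbad,0\n")
        (root / "model.bin").write_bytes(b"\x00weights")
        reviewed = {p.name: sha256_of(p) for p in root.iterdir()}  # hashes at review time
        (root / "sentiment_b.csv").write_text("text,label\nbad,1\n")  # label changed after review
        rows = [  # (path, source, license, reviewed_by), all constructed
            ("sentiment_a.csv", "vendor feed", "CC-BY-4.0", "data-steward"),
            ("sentiment_b.csv", "vendor feed", "CC-BY-4.0", "data-steward"),
            ("model.bin", "public model hub", "", ""),  # imported without review
        ]
        manifest = [dict(path=p, source=s, license=l, sha256=reviewed[p], reviewed_by=r)
                    for p, s, l, r in rows]
        return gate(manifest, root)

if __name__ == "__main__":
    print(demo())
```
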
The audit revealed a critical disconnect: CryptoVault invested heavily in AI infrastructure but neglected governance and AI-specific security controls. With 43% overall compliance, the organisation faced foreseeable regulatory enforcement from SEC Nigeria, NDPC, and NFIU. The highest risks stemmed from absent governance, risk assessments, and adversarial testing, not technical failures.