v2.4.0

Beyond automated scanning, the Technical SME conducts manual security code review for security-critical components. Automated tools catch known vulnerability patterns but miss logic flaws and design-level vulnerabilities. Manual review provides the human judgement needed to assess whether the code’s logic is correct, whether the security boundaries are properly enforced, and whether the architecture’s trust assumptions are sound.

Security-critical components requiring manual review include the authentication and authorisation logic, the model serving and API gateway code, the data validation and sanitisation logic, the logging and audit trail implementation, and any custom cryptographic implementations. The review should follow a structured checklist that includes the AI-specific concerns from the threat model.

Manual security code review findings are tracked alongside automated findings in the vulnerability management register, with the same severity classification and remediation SLAs. The review is conducted at least annually for the security-critical components and additionally when those components are modified. Review records are retained as Module 9 evidence.

Key outputs

  • Manual security code review for security-critical components
  • Structured review checklist including AI-specific concerns
  • Findings tracked in the vulnerability management register
  • Module 9 AISDP evidence