AUDIT METHOD

The 5 questions before any AI security audit

14 June 2026 · 3 min read

Before a laptop opens or a document is read, a good AI audit starts with five simple questions. Not technical — basic: What does this system actually do? Who gets the output? What happens if it's wrong?

"I don't know" is a finding

The first 30 minutes, before any document appears, tell you almost everything that matters. When a client can't say whether their AI stores personal data, that's logged as a prioritized gap — right there. "I don't know" isn't failure; it's information. It means something is missing: process, training, or accountability.

The five categories

  • System — what goes in, what comes out, who sees it, what breaks if it's wrong.
  • Accountability — who built it, when, last review, who's responsible today.
  • Data governance — personal/medical/financial data, anonymization, GDPR.
  • Impact — how errors get caught, and whether a human is in the loop before decisions are made.
  • History — whether anything unexpected has ever happened.

One question per category surfaces a compliance gap no document review would catch — because the document doesn't exist yet. If a client says "only human oversight exists" and can't name another safeguard, that's the starting point: AI disclosure (Article 50), data policies, incident logs.

The interview is the foundation — then it becomes audit-ready documentation.

Do you know the answers to all five?

Start with a Shielding Review: a 45-minute interview, a gap analysis, and a written report with priorities. The session is free.
