01
The three board-ready assets
- Overall risk score (0–100): your headline number. Show three consecutive runs on the same target to demonstrate improvement or regression trend. A score of 72 means 72% of the tested attack surface is a real exposure.
- Compliance evidence pack: maps each finding to SOC 2 CC controls, NIST AI RMF functions, and EU AI Act articles. Download as a signed JSON from the run page — checksummed and timestamped for auditors.
- Run comparison (A vs. B): findings closed, new findings introduced, score delta, MITRE coverage change. This is your 'what we fixed since last quarter' slide.
02
Frame it for non-technical stakeholders
- Replace attack_exposure with business language: '47% of AI-generated responses can be manipulated by an external user' is more actionable to a board than 'attack_exposure_score: 47'.
- Anchor cost avoidance: a critical LLM01 finding (system-prompt override) can expose all downstream users of a feature. Frame findings in terms of customer data or revenue at risk, not CVSS score.
- Present the remediation arc: show the before/after run comparison with verified patches applied. 'We closed 4 of 6 critical findings in 5 days' is the narrative the board wants to hear.