MODEL ACCESS GRAPH REVIEW (60-MIN TEMPLATE) Goal: Produce a single, shared map of (1) where AI enters your company, (2) what it can read, (3) what it can write, and (4) who is accountable for each permission. Attendees (keep it small): CTO/VP Eng (chair), Security lead, IT/Identity owner, and 1 owner for each major system (GitHub, Jira/Confluence or Notion, Slack/Teams, data warehouse, support platform). Pre-work (15 minutes each owner): - Open your admin console. - List any AI features that are enabled by default (copilots, assistants, “AI summarize,” etc.). - List connectors/integrations to other systems. - Export or screenshot audit log settings (if available). AGENDA 1) Inventory AI entry points (10 min) - IDE: GitHub Copilot / JetBrains AI? Who has access? - Chat: ChatGPT Enterprise/Team? Microsoft Copilot? Gemini for Workspace? - Embedded SaaS AI: Atlassian Intelligence, Notion AI, Slack AI, Salesforce Einstein, ServiceNow Now Assist. - Custom agents: Any internal tools using OpenAI API / Bedrock / Vertex AI / LangChain. 2) Map READ permissions (15 min) For each AI entry point, write down: - Systems it can read (repos, docs, tickets, CRM, support cases, warehouse). - Scope controls (per repo/project/space/team) or “all users/all content.” - Explicit “never index” areas (incident channels, secrets stores, specific customer datasets). 3) Map WRITE permissions (15 min) For each entry point, list actions it can take: - Create PRs? Comment on PRs? Merge? - Create/edit tickets? Close tickets? - Send messages/emails? Post to customer-facing channels? - Update CRM fields? Trigger refunds/credits? - Toggle feature flags? Trigger deployments? 4) Decide the gating rule (10 min) Default rule: AI can draft; humans approve. - Identify 3–5 “safe writes” you will allow (example: create PR, open Jira issue). - Identify “high-risk writes” that require explicit approval + logging (example: merge to main, feature-flag toggle, customer comms send). - Identify “prohibited writes” (example: direct DB updates, permission changes). 5) Logging + accountability (10 min) - Where do logs go (vendor audit log, SIEM, both)? - For each AI entry point, name an owner accountable for: access reviews, connector scope, and incident response. OUTPUTS (leave meeting with these) - One-page map: Entry point → Read scope → Write scope → Owner. - A change list: what you will disable, rescope, or gate in the next 7 days. - A calendar invite: monthly “permission review” (30 minutes). 7-DAY FOLLOW-THROUGH CHECKLIST - Enforce SSO/SCIM on every AI tool that supports it. - Remove shared API keys; move agents to scoped service identities. - Turn on audit logs everywhere they exist; document gaps where they don’t. - Add branch protections / required reviews for AI-created PRs. - Block indexing of known high-sensitivity zones (secrets, incident comms, certain support artifacts). Question to end with: “If an AI agent did something harmful tomorrow, could we prove who granted the permissions and who approved the action?”