Folium Systems

AI systems for real operations
Public-facing PDF Review before production Folium Systems

Security and procurement review

Folium Security Procurement Review

This PDF is designed for the people who have to say yes responsibly: security, procurement, IT, counsel, operations, leadership, and process owners. It turns AI review into a staged operating process instead of a trust-me walkthrough.

Audience
Security, procurement, IT, counsel, operations, leadership
Purpose
Prepare buyer-ready review questions, materials, requirements, and owner responsibilities
Updated
June 2026
  • Use it to decide Whether this is an education, audit, first-build, pilot, trust-review, or operations conversation.
  • Keep gated Private data, credentials, customer records, live providers, regulated authority, and production dependency stay outside public review.
  • Bring to the room One workflow, one owner, the systems it touches, the records involved, and the decision leadership needs to make.
  • Access should expand in stages: public review, scoped discovery, sandbox, architecture review, pilot, production plan.
  • AI permissions must separate drafting, retrieval, recommendation, routing, execution, blocking, and escalation.
  • Every serious review should leave behind records, known limits, owners, and a next decision point.

Trust architecture

Security and governance work best when the picture is calm and exact.

Folium turns trust into visible operating structure: data boundaries, permissions, audit trails, and model routing before access grows.

Data boundary map

Public

Education, local planning tools, public PDFs, and sandbox examples.

Scoped

Approved sources, reviewers, retention, and customer-side owners.

Blocked

Secrets, credentials, live-risk actions, and unapproved regulated decisions.

Permission matrix

Action State Record
Explain Allowed Logged
Retrieve Scoped Source checked
Draft Review Owner decides
Execute Blocked Explicit approval

Audit trail flow

  1. 01 Scope
  2. 02 Source
  3. 03 Action
  4. 04 Reviewer
  5. 05 Decision
  6. 06 Record

Model routing layer

Public reviewCloud APIPrivate endpointLocal modelHybrid route

Each workload can be placed by privacy, cost, latency, access, fallback, and owner review instead of forcing every job into one provider.

R

Navigation map

Choose the review route before reading cover to cover.

This packet is meant to support a real decision meeting. Let each reviewer enter through the route that matches their job, then bring the group back to the same controlled next step.

  • Decision route
  • Operating route
  • Trust route

Executive route

Decision first

Start with the cover, visual summary, executive read, controls, first ninety days, and handoff. This route helps leaders decide whether the next move is education, audit, first build, pilot, or operations.

  • Outcome
  • Risk
  • Owner
  • Next gate

Operations route

How the work will run

Read the workflow map, procedures, operating roles, metrics, first sprint, and buyer worksheet. This route shows whether staff can actually use, review, and improve the future process.

  • Workflow
  • Staff
  • Support
  • Improve

Technical and trust route

Where the boundaries live

Focus on records and work products, controls, risk assumptions, reference work products, trusted knowledge, runtime placement, and launch conditions before any private access expands.

  • Source
  • Access
  • Runtime
  • Rollback

Buyer session route

Turn reading into a working session

Use the discovery questions, role review route, buyer worksheet, and engagement fit ladder to prepare one process, one owner, one source map, and one next decision.

  • Process
  • Examples
  • Questions
  • Decision

Best use: read the route that matches your role, mark the questions that still need proof, and leave with one narrow decision instead of a vague AI wishlist.

Folium Systems Navigation map foliumsystems.com

01

Review frame

Security review should begin before the process gets private access.

AI procurement gets cleaner when the buyer can see scope, data flow, runtime placement, permissions, records, support, and customer responsibilities before credentials or sensitive data enter the build.

  • Record
  • Boundary
  • Action

Scope

What is the process?

Name the business process, users, systems, data classes, exclusions, reviewers, assumptions, and success criteria.

Boundary

What can the AI see?

Separate public, internal, customer, regulated, confidential, secret, and blocked data before the build expands.

Runtime

Where will the AI run?

Choose public review, cloud API, private endpoint, local model, hybrid route, or production service based on risk and value.

Authority

What can the AI do?

Define draft, retrieve, recommend, route, execute, block, escalate, and human-approve actions.

Folium Systems Public-facing PDF foliumsystems.com

02

Procurement matrix

The questions buyers should not have to chase.

Folium turns common procurement questions into a review file instead of leaving them scattered across calls, emails, screenshots, and assumptions.

  • Decision grid
  • Review lens
  • Next step
The questions buyers should not have to chase.
QuestionFolium answer patternRecords to prepare
What data is involved?Data classification, approved sources, blocked data, retention, and redaction.Data boundary map, source list, redaction notes, retention stance.
Where does it run?Runtime placement by process and sensitivity.Runtime decision table, cost/privacy rationale, fallback route.
Who can use it?Role-based access and permissioned process steps.User roles, approval chain, blocked actions, owner signoff.
What can it change?Separate draft/recommend from execute/update/send.Tool permission table, human-review points, audit trail plan.
How is quality measured?Evaluate process behavior, not only answer polish.Eval cases, browser checks, known limits, failed-case notes.
What happens on failure?Support path, incident class, rollback, degraded mode, and repair loop.Support guide, severity ladder, rollback trigger, communication path.
Folium Systems Public-facing PDF foliumsystems.com

03

Access ladder

Access should expand only when records support it.

The safest AI implementation does not jump from idea to production. It moves through staged access with explicit reviews.

  • Decision grid
  • Review lens
  • Next step
Access should expand only when records support it.
StageAllowed accessAdvance requirement
Public reviewPublic pages, PDFs, screenshots, public tools, and public-facing examples.Buyer understands value and agrees to scoped discovery.
Scoped discoveryCustomer describes process, systems, risks, users, blockers, and desired outcome.Scope is narrow enough for a safe sandbox build.
Redacted sandboxApproved safe records, synthetic review data, public policies, or redacted documents.Behavior is useful enough for technical architecture review.
Architecture reviewSystem map, runtime plan, provider plan, permissions, logging, and support assumptions.Security, operations, leadership, and owners approve a controlled pilot.
Controlled pilotLimited users, limited data, limited actions, monitoring, support, and rollback.Records show readiness or identify repairs before production.
Production planApproved live access only after legal, security, operational, and owner signoff.Final responsibilities, monitoring, training, and change process are accepted.
Folium Systems Public-facing PDF foliumsystems.com

04

Security controls

The review should cover the whole operating path.

Procurement should not evaluate a model in isolation. The real risk lives across data, software, people, providers, logs, permissions, and change management.

  • Checklist
  • Owner path
  • Release signal
  • Document source systems and destination systems before any integration is approved.
  • Separate public PDFs from customer-specific records that belong in controlled review.
  • Define what gets logged, where logs live, who can access them, and how long they remain.
  • Keep secrets, API keys, customer credentials, provider tokens, and passwords outside public files and prompts.
  • Use least-privilege tokens and service accounts when automation touches external systems.
  • Name who can approve runtime choices, provider choices, data access, production credentials, and launch timing.
  • Prepare fallback behavior for model outage, retrieval failure, tool failure, stale source, and user rejection.
  • Review dependency posture, headers, public file handling, PDF downloads, and privacy-safe analytics before launch.
Folium Systems Public-facing PDF foliumsystems.com

05

AI permission model

Not every AI action belongs in the same permission bucket.

Folium helps customers design permissions so the business can gain speed without giving AI unreviewed authority.

  • Decision grid
  • Review lens
  • Next step
Not every AI action belongs in the same permission bucket.
Action classExamplesReview posture
DraftWrite first-pass emails, FAQs, summaries, work notes, task descriptions.Generally safe in sandbox when sources and limits are visible.
RetrieveFind policy, procedure, product, order, ticket, document, or knowledge-base detail.Requires source boundaries, freshness notes, and access controls.
RecommendSuggest next process step, routing choice, response, escalation, or review file.Needs human accountability for sensitive outcomes.
RouteSend work to queue, owner, reviewer, or next system without changing final records.Needs audit trail and blocked-route rules.
ExecuteUpdate record, send official message, place order, issue refund, approve account, change access.Requires explicit approval, logging, rollback, and human review where impact is material.
Block or escalateRefuse unsafe request, route to human, stop launch, flag missing data.Should be encouraged when the system lacks authority or records.
Folium Systems Public-facing PDF foliumsystems.com

06

Operating ownership

Security review fails when nobody owns the process after launch.

Folium pushes ownership into the review file so the buyer can see who maintains quality, sources, support, and change after the exciting first build ends.

  • Record
  • Boundary
  • Action

Business owner

Owns the process outcome, success criteria, staff adoption, and priority decisions.

Technical owner

Owns integration choices, runtime placement, access, deployment, monitoring, and fallback.

Knowledge owner

Owns source accuracy, document freshness, policy updates, and retrieval boundaries.

Security reviewer

Owns data sensitivity, credentials, access control, logs, retention, and external provider posture.

Support owner

Owns incidents, user questions, rollback, degraded mode, and post-incident improvement.

Executive sponsor

Owns the decision to continue, stop, repair, expand, or move into production planning.

Folium Systems Public-facing PDF foliumsystems.com

07

Red flags

These signs should slow the deal down, not speed it up.

A serious AI partner should welcome these checks. They prevent a buyer from adopting an impressive but ungoverned system.

  • Checklist
  • Owner path
  • Release signal
  • The review build requires private customer data before a data boundary is approved.
  • The vendor cannot explain where prompts, files, outputs, and logs live.
  • The system can take live action without a named approval path.
  • No one can show failed cases, known limits, or repair decisions.
  • The buyer has no owner for source freshness, support, incidents, or rollback.
  • Staff are expected to trust the AI without role clarity or training.
  • Procurement, security, counsel, and operations are introduced after production pressure exists.
  • The proposal assumes one AI vendor, one model, or one cloud can solve every process.
Folium Systems Public-facing PDF foliumsystems.com

08

Review file output

A good review should leave behind useful material.

After a serious review, the buyer should not be left with a vague call recap. The next decision should be supported by clear documents and records.

  • Record
  • Boundary
  • Action

Scope brief

Process, users, systems, exclusions, assumptions, desired outcome, and decision criteria.

Boundary map

Data classes, approved sources, blocked data, provider handoffs, retention, and secrets handling.

Permission table

Draft, retrieve, recommend, route, execute, block, escalate, and human-approve rules.

Review file

Screenshots, browser checks, eval cases, known limits, failed-case notes, and repair plan.

Operations guide

Owners, support, incidents, rollback, degraded mode, monitoring, and improvement cadence.

Decision point

A plain recommendation: stop, repair, continue sandboxing, pilot, production-plan, or move to AI operations.

Folium Systems Public-facing PDF foliumsystems.com

09

Security appendix

Each expanded packet should be readable by procurement without weakening the story.

The richer PDF library should give security reviewers enough structure to ask better questions: what data is involved, where it moves, which actions are allowed, what is blocked, who approves, and how rollback works.

  • Decision grid
  • Review lens
  • Next step
Each expanded packet should be readable by procurement without weakening the story.
Review areaQuestionExpected Folium record
DataWhat data class enters the workflow?Data boundary map and source-custody record.
RuntimeWhere does AI run and why?Runtime placement matrix.
ActionWhat can AI draft, recommend, route, or execute?Authority and permission map.
AuditHow are decisions reviewed?Evaluation log, known limits, and launch room record.
SupportWho responds when behavior drifts?Support guide and rollback triggers.
Folium Systems Public-facing PDF foliumsystems.com

10

Reader route

Use the packet by role, not only from front to back.

The strongest review happens when each stakeholder reads the pages that match their decision rights. This route helps a buyer turn the packet into a working session instead of a passive download.

  • Decision grid
  • Review lens
  • Next step
Use the packet by role, not only from front to back.
ReviewerWhat to inspectQuestion to answer
Owner or CEOValue, risk, first process, launch gates, and next-stage decision.Is this a controlled way to move from AI pressure to capability?
Operations leadWorkflow steps, people affected, support path, and improvement rhythm.Can the team operate this without creating a new hidden burden?
Technical leadSystems, runtime, integrations, logs, fallback, and data boundaries.Can the architecture be supported and secured?
Security or procurementAccess, retention, provider exposure, blocked data, permissions, and rollback.What must be true before private access expands?
Staff managerTraining, role clarity, human review, correction path, and adoption risk.Will this strengthen the people doing the work?
Investor or partnerCategory, repeatability, public boundary, and diligence path.What deeper records should be requested before believing the thesis?
Folium Systems Public-facing PDF foliumsystems.com

11

Working-session worksheet

Bring these answers into the next Folium conversation.

A printable PDF should help the buyer prepare. These prompts keep the conversation attached to real work, real systems, real people, and an honest boundary between public review and private implementation.

  • Checklist
  • Owner path
  • Release signal
  • Name the one workflow that hurts most today and the person who owns it.
  • List every system, file, inbox, store, database, spreadsheet, vendor, or manual handoff the workflow touches.
  • Separate data into public, internal, customer, regulated, confidential, credential, and blocked classes.
  • Identify which steps are slow, duplicated, risky, customer-visible, staff-heavy, or expensive.
  • Write down what AI may draft, retrieve, recommend, route, block, or escalate.
  • Write down what AI must not execute without human approval.
  • Bring examples of good output, bad output, common exceptions, missing data, and escalation moments.
  • Decide what record would justify the next step: audit, first build, architecture review, pilot, or operations.
Folium Systems Public-facing PDF foliumsystems.com

12

Decision matrix

The next step should be earned by the record.

Folium's public packets are built to create a practical decision, not only a favorable impression. Use this matrix to choose the next move after review.

  • Decision grid
  • Review lens
  • Next step
The next step should be earned by the record.
DecisionUse whenExpected next record
StopThe process has no owner, no clear value, or unsafe data pressure.Stop note and conditions that would need to change.
RefineThe pain is real but the workflow, source truth, or approval path is unclear.Revised process map and missing-information list.
AuditThe buyer sees the need but does not know which AI lane should come first.AI systems audit, inventory, scorecard, and first-lane recommendation.
First buildOne safe process, owner, source boundary, and desired output are clear.Working surface, known limits, browser checks, and next-stage blockers.
Architecture reviewA useful build exists but private access, runtime, support, or authority needs review.Data boundary, runtime matrix, permission map, and rollback path.
OperateA pilot has value, owners, support, monitoring, and improvement rhythm.AI operations cadence, source refresh plan, release notes, and issue loop.
Folium Systems Public-facing PDF foliumsystems.com

13

Plain-language glossary

The buyer should not need to speak engineer to read the packet.

Folium uses technical terms when needed, but a public packet should translate them into operating language. The goal is to help the buyer understand the decision, not admire the vocabulary.

  • Decision grid
  • Review lens
  • Next step
The buyer should not need to speak engineer to read the packet.
TermPlain meaningWhy it matters
RAGAI answers from approved company material instead of memory alone.It keeps answers tied to business sources.
AgentA guided AI worker that can follow a task path with tools and limits.It needs permission, logging, and human review.
RuntimeWhere the AI work runs: cloud, private endpoint, local machine, or hybrid path.It affects privacy, cost, speed, control, and support.
EvaluationA test set that checks whether the system behaves correctly on real tasks.It exposes failures before the business depends on the system.
GovernanceThe rules for data, access, authority, logs, review, rollback, and ownership.It keeps AI useful without giving it unmanaged power.
Launch roomThe operating board for owners, support, blockers, training, incidents, and next releases.It turns a build into a system the business can run.
Folium Systems Public-facing PDF foliumsystems.com

14

Next step

A cleaner review creates a faster yes or a safer no.

Use this PDF before private access expands. Folium can help turn one process into a reviewable AI path with boundaries, records, owners, and a launch decision the business can defend.

Bring the process

Name the business process, the systems involved, the people affected, and the decision this PDF should support.

Separate review from production

Keep public examples, sandbox review, pilot access, and production dependency in separate stages with clear owners.

Ask for the record

Request screenshots, browser checks, known limits, launch blockers, support plans, and the next approval path.

Folium Systems Public-facing PDF foliumsystems.com

Common questions

Questions this page answers.

Does Folium replace legal, security, or procurement approval?

No. Folium prepares operating records, review questions, evidence packets, and implementation boundaries so the responsible buyer-side owners can make clearer decisions.

Can procurement review begin before private data is shared?

Yes. Folium can start with public materials, redacted examples, workflow descriptions, and buyer-approved artifacts before any sensitive access is considered.

What makes an AI proposal procurement-ready?

A procurement-ready proposal explains scope, data handling, model or tool routes, evaluation, human review, security posture, support ownership, monitoring, rollback, and launch gates.