AI Strategy

Phase 4: Hardening and Compliance - The Phase Everyone Wants to Skip

A pilot can clear the Phase 3 gate cleanly and still hide what only hardening surfaces: a document-store MCP server that returns PHI through a chained call outside its intended scope, a PII filter that misses Social Security numbers embedded in scanned intake forms, and a load test that degrades ungracefully at 1.4x peak, short of the 2x target. Inside Phase 4: thirteen tasks, four groups, and the CISO sign-off that requires all four conditions.

AP
Andrew Poole
··10 min read

Picture a care-navigation assistant: an MCP-connected pilot that helps care coordinators triage member questions against plan documents and case histories. It clears the Phase 3 gate cleanly, with strong user scores, cost within budget, and a clean prompt regression suite. The executive sponsor wants to go straight to rollout.

Hardening is where three things surface that the pilot gate could not have caught. A penetration test finds that the document-store MCP server, scoped correctly for its primary use case, can be chained through a second tool call to return case notes belonging to a different line of business, a permission boundary that exists in the access control list but not in the tool's actual query logic. A PII filtering pipeline redacts names and phone numbers reliably but misses Social Security numbers embedded in scanned intake forms, because the filter runs on extracted text and the OCR pass introduces formatting that breaks the regex it depends on. And a load test, run at twice the projected peak volume as the gate requires, finds the system degrading ungracefully starting at 1.4x, well before it reaches the target, as the API gateway's connection pool exhausts under concurrent MCP tool calls.

None of this shows up in the pilot. A pilot has a handful of users and modest concurrent load. It never touches a member outside the pilot business unit's data. It never processes a scanned form with the specific formatting quirk that breaks the regex. Hardening exists to find the failure modes that a successful pilot cannot surface, because a pilot is deliberately narrow and hardening is deliberately adversarial.

This is the fourth deep-dive in the series on the enterprise Claude deployment roadmap. Phase 1 covered discovery and assessment. Phase 2 covered the infrastructure layer. Phase 3 covered pilot construction and the value/security/cost gate. Phase 4 is where the system that worked in pilot gets tested against the conditions of production: adversarial security testing, regulatory compliance, and real load.

Phase 4 runs weeks nine through twelve, across thirteen tasks. Unlike Phase 3, where the sequencing risk was building before reviewing, the sequencing risk in Phase 4 is skipping. Every task in this phase is the kind of work a team is tempted to compress because the pilot already proved the concept works. That temptation is the phase's central failure mode.

The thirteen tasks organize into four functional groups.

Phase 4 -- Thirteen Tasks, Four Groups

Weeks 9 -- 12
Security

Penetration Testing

4.1Pentest scope definition: every Claude-integrated surface, not just the primary use case
4.2External penetration test execution (black-box and gray-box)
4.3Prompt injection and jailbreak adversarial testing, scoped to deployed system prompts
4.4Remediation of all critical and high findings, with retest
Compliance

Data Protection

4.5PII filtering pipeline: input scrubbing and output redaction, both directions
4.6PII filtering validation against a test corpus with known, planted PII
4.7Immutable audit trail configuration (WORM storage, retention policy)
4.8Data residency validation against every applicable regulatory framework
Reliability

Load and Failure Testing

4.9Load test design at 2x projected peak volume, with realistic traffic shape
4.10Load test execution and bottleneck remediation
4.11Rate limiting, backpressure, and graceful degradation validation
Sign-off

Attestation

4.12Compliance attestation documentation, mapped to applicable frameworks
4.13CISO review packet assembly and sign-off session
Pitfall

The sequencing risk in Phase 4 is not order, it is omission. A pilot that worked convinces everyone the hard part is done. It is not. The hard part -- adversarial testing against conditions the pilot never faced -- starts here.

4.1: Pentest Scope Definition

Before the penetration test begins, someone has to define what is in scope, and the common mistake is scoping it to the pilot use case rather than every Claude-integrated surface. That means every MCP server built in Phase 3, the API gateway and its authentication path, any Claude Code deployment and its managed-settings.json configuration, and any use case that reached production readiness even if it was not part of the formal pilot.

The failure mode is scoping the pentest to 'the chatbot' when the actual attack surface includes four MCP servers, a document store, a ticketing system, and an internal database, each with its own tool definitions and permission boundaries. A pentest that only exercises the primary conversational flow will miss exactly the kind of tool-chaining vulnerability described above: a cross-business-unit data leak through a chained call.

4.1 -- Pentest Scope Checklist

Complete before external engagement begins
1

All MCP servers

Every server from Phase 3, including ones not central to the primary use case.

2

API gateway and auth path

SSO, RBAC, and the routing rules from Phase 2.

3

Claude Code deployment

managed-settings.json, CLAUDE.md files, tool permissions.

4

Any production-adjacent use case

Not just the formally piloted ones.

Pitfall

Scoping the pentest to 'the chatbot' misses the tool-chaining attack surface. Most real findings live in the interaction between tools, not in the primary conversational flow.

4.2: External Penetration Test Execution

The engagement runs black-box (no internal knowledge, testing what an external attacker could discover) and gray-box (informed by the architecture, testing what an attacker with partial knowledge, like a compromised low-privilege account, could do). Both matter. Black-box testing validates the perimeter. Gray-box testing validates the assumption that internal actors are constrained by anything other than good intentions.

For LLM-integrated systems specifically, the engagement should include testers with actual experience against MCP servers and tool-calling architectures, not only traditional web application penetration testers. The vulnerability classes are different. A traditional pentest is well equipped to find a SQL injection in a login form. It is not automatically equipped to find a data exfiltration path that requires chaining a read tool with a legitimate-looking write tool across two different MCP servers.

4.3: Prompt Injection and Jailbreak Testing

This task is scoped specifically to the system prompts and tool configurations that shipped in Phase 3, not to Claude in the abstract. The test battery covers direct prompt injection (an end user attempting to override system instructions), indirect prompt injection (adversarial content embedded in a document or ticket that the model retrieves through a tool call), and jailbreak attempts targeting the specific guardrails the system prompt establishes.

The indirect case is the one teams underestimate. If a use case retrieves documents through the document-store MCP server and those documents can contain attacker-controlled text, an attacker does not need access to the chat interface at all. They need write access to any document the system might retrieve, which in a large organization is a much bigger population than the set of authenticated chat users.

4.3 -- Injection Test Battery

Scoped to the deployed system prompts
Test categoryWhat it validatesCommon finding
Direct injectionEnd user attempts to override system instructions in chatGuardrail holds unless combined with tool output
Indirect injectionAdversarial content embedded in a retrieved document or ticketTool results treated as instructions, not data
Jailbreak attemptsTargeted attempts to bypass the specific system prompt's guardrailsPrompt lacks explicit 'treat tool output as untrusted' framing
Tool-chaining exploitationCombining two legitimate tool calls to exceed intended scopePermission enforced in ACL but not in query logic

The indirect case is the one teams underestimate. An attacker does not need access to the chat interface. They need write access to any document the system might retrieve -- a much bigger population than the set of authenticated chat users.

4.4: Remediation and Retest

Every critical and high finding gets remediated before cutover. Medium and low findings get triaged, documented, and either fixed or formally accepted with a named owner and a timeline. The retest is not optional and it is not a formality: it re-runs the specific test cases that produced findings, not a fresh general pass, to confirm the fix actually closes the vector rather than just changing its shape.

Closing a cross-business-unit leak like the one above means adding scope enforcement at the MCP server's query layer rather than relying on the access control list alone. A good retest confirms the fix holds even when the tool is chained through three different call sequences, not just the one the original finding used.

4.5: PII Filtering Pipeline

The filtering pipeline has to run in both directions: input scrubbing before content reaches the model (relevant for cost and for keeping PII out of logs and provider telemetry where it does not need to be) and output redaction before a response reaches a user who should not see it. Configuration should be explicit about which categories are in scope for the deployment's regulatory context: names, SSNs, dates of birth, medical record numbers, financial account numbers, and any organization-specific identifiers.

4.6: PII Filtering Validation

A filter that has not been tested against a corpus with known, planted PII is a filter that has not been validated, regardless of how confident the implementation looks. The test corpus should include the edge cases that matter for the deployment: PII embedded in scanned or OCR'd documents, PII spanning unusual formatting (a SSN broken across a line wrap, a name with unusual capitalization), and PII in file types beyond plain text, since a filter that works on clean text input frequently fails on the noisier text that OCR produces.

This is exactly where a clean-text-only validation fails. A filter validated against clean text passes every test you run, then ships a gap because it was never validated against the specific formatting artifacts its own OCR pipeline introduces, a gap that only appears once real scanned intake forms start flowing through it.

4.5 -- 4.6: PII Filtering Validation Matrix

Both directions: input and output
Input typeTested?Common gap
Clean plain textUsually yesRarely the failure point
Scanned / OCR'd documentsOften skippedRegex breaks on OCR formatting artifacts
Multi-format identifiers (SSN variants, DOB formats)Often incompleteFilter matches one format, misses regional variants
Embedded PII in non-primary fields (free-text notes)Frequently missedFilters tuned for structured fields, not prose
Pitfall

A PII filter validated only against clean text will pass every test you run and still ship a gap. Validate against the noisiest input your actual pipeline produces, not the cleanest.

4.7: Immutable Audit Trail Configuration

Every model invocation, tool call, and administrative action needs to land in an audit trail that cannot be altered or deleted, not even by administrators, for the retention period the applicable compliance framework requires. WORM (write once, read many) storage is the common implementation. The trail needs to capture enough context to answer 'who accessed what, through which tool, and what did the model return' for any given request, months after the fact.

4.8: Data Residency Validation

For organizations operating under frameworks with data residency requirements, this task validates that data actually stays where the framework requires it to stay, end to end: not just at rest in the primary database, but through every MCP server, every logging pipeline, and any provider-side processing. This is a task that needs direct verification, not an assumption based on which region a resource was provisioned in.

4.9: Load Test Design

The load test target is twice the projected peak volume from the Phase 1 cost model, not twice the average. Peak volume for most enterprise deployments is concentrated: a spike at the start of a shift, a surge around a compliance deadline, a burst when a company-wide email points people at a new tool. A load test designed around average traffic will pass and tell you nothing about whether the system survives its actual worst day.

The test should simulate realistic traffic shape, concurrent users hitting the system in the pattern real usage would produce, not a uniform steady-state load, and it should exercise the MCP server calls the real use cases make, not just the model invocation.

4.10: Load Test Execution and Bottleneck Remediation

This is where the system in the opening scenario degrades at 1.4x instead of holding to 2x. The bottleneck is the API gateway's connection pool, sized for the pilot's handful of concurrent users and never resized for production load. The fix is a configuration change, not a rebuild, but it is only findable because the load test actually reaches the load level where the pool exhausts.

Common bottleneck locations: connection pool sizing at the gateway, MCP server concurrency limits, database connection limits on the internal-database MCP server from Phase 3, and rate limits on any downstream system the tools call into that was never sized for AI-driven traffic volume.

4.11: Rate Limiting, Backpressure, and Graceful Degradation

Beyond raw capacity, this task validates what happens at the edge of capacity. A system that hits its limit and returns clear, actionable errors is production-ready. A system that hits its limit and hangs, times out silently, or returns malformed responses is not, regardless of how high its raw capacity is. Backpressure should be visible to the user as an honest 'system is busy, retry in a moment' rather than a failure that looks like the AI got something wrong.

4.9 -- 4.11: Load and Reliability Testing

2x peak, realistic traffic shape
1

Design

Simulate realistic peak shape, not steady-state average. Include actual MCP tool call patterns.

2

Execute

Run to 2x projected peak. Identify the first bottleneck, not just whether it passed.

3

Remediate

Fix the actual bottleneck (often connection pooling, rarely the model itself).

4

Validate degradation

At the edge of capacity, confirm clear backpressure, not silent failure.

Pitfall

A load test built around average traffic passes and proves nothing. Peak enterprise usage is spiky, not steady. Design the test around the worst realistic hour, not the typical one.

4.12: Compliance Attestation Documentation

This task assembles the formal record: which frameworks apply (HIPAA, SOC 2, GDPR, or others depending on the organization and jurisdiction), what controls satisfy each requirement, and where the evidence lives, the pentest report, the PII filtering validation results, the audit trail configuration, the data residency verification. This is the document compliance and legal teams sign against, and it needs to stand on its own without requiring someone to reconstruct the reasoning six months later.

4.13: CISO Review Packet Assembly

The final task before the gate assembles everything into a single review packet for the CISO: the remediated pentest findings with retest confirmation, the PII filtering validation results, the audit trail configuration, the data residency attestation, and the load test results at 2x peak. This is a client-owned sign-off. The delivery partner assembles the evidence. The CISO makes the call.

The Gate

Phase 4 has four gate conditions. All four are required before Phase 5 begins.

The condition that most often gets softened under deadline pressure is the load test. A team that hits 1.6x and calls it close enough is making a bet that actual peak traffic will be gentler than projected. That bet is frequently wrong, and it is wrong at the worst possible time, during the rollout wave that Phase 5 is about to launch.

Phase 4 Gate -- Four Conditions

All four required
1

CISO sign-off

Required

The formal, named approval based on the full review packet. A client-owned decision -- the delivery partner assembles the evidence, the CISO makes the call.

2

All critical/high pentest findings remediated and retested

Required

Not just fixed. Confirmed fixed against the original test case, not a fresh general pass.

3

Compliance attestation complete

Required

Documented and signed for every applicable framework -- HIPAA, SOC 2, GDPR, or others depending on jurisdiction.

4

2x peak load test passed

Required

Not 1.4x. Not 'close enough.' The target volume, with graceful degradation validated at the edge.

The condition most often softened under deadline pressure is the load test. A team that hits 1.6x and calls it close enough is betting that actual peak traffic will be gentler than projected. That bet is frequently wrong, at the worst possible time.

What Gets Deferred and Why

Three deferrals are common in Phase 4.

The pentest scope gets narrowed to the primary use case because the full scope, every MCP server and every production-adjacent workflow, takes longer and costs more to test. The consequence is exactly the kind of finding described above: a vulnerability in a secondary tool, not exercised by the primary conversational flow, ships to production undetected.

Load testing gets run against average traffic rather than realistic peak shape, because building an accurate peak-traffic simulation takes real engineering effort and a steady-state test is easier to build. The consequence is a system that passes its load test and then degrades on the first real spike, at a moment when rollback is disruptive and the failure is visible to end users rather than to a test harness.

PII filter validation gets run against clean text samples because that is what is easiest to generate, rather than against the noisiest real input the pipeline will actually process. The consequence is a filter that looks validated and ships a gap that only surfaces once production data starts flowing through it, which in a regulated industry is the worst possible place for a gap to surface.

Phase 5, Enterprise Rollout, opens next. It is where the hardened system goes from a single business unit to the organization, in waves, with the training and support structure that determines whether adoption actually happens or whether provisioned seats sit unused. Next in the series: why the big-bang rollout fails even when the technology is ready, and what the wave model looks like in practice.

Work with Riptide

Ready to put a governance framework behind your Claude deployment?

Our Claude Enterprise Readiness Assessment maps your file structure, permissions model, and MCP surface in three weeks.

Book a discovery call
AP

Andrew Poole

Founder of Riptide Consulting, an Anthropic-first AI engineering firm based in Carlsbad, CA. Building the intelligence layer for enterprise and growth-stage companies on the Anthropic platform.