Client Communication & Difficult Conversations
Managing client relationships during AI red team engagements: presenting critical findings, handling pushback, setting expectations, and navigating difficult conversations.
Technical skill gets you the findings. Communication skill gets them fixed. Client relationships require careful management throughout the engagement -- from setting expectations during scoping to delivering difficult news about critical vulnerabilities.
Setting Expectations Up Front
Most client friction comes from misaligned expectations. Address these during scoping, not during report delivery.
Define Success Criteria Together
Ask: "What would a successful engagement look like to you?" Some clients want to validate their defenses. Others want to find everything that is broken. These require different approaches.
Explain What Red Teaming Is (and Is Not)
| Red Teaming Is | Red Teaming Is Not |
|---|---|
| A point-in-time assessment | A guarantee of security |
| An adversarial simulation | A compliance audit |
| Scoped to defined targets | Comprehensive coverage of all risks |
| A tool for improvement | A judgment of the team's competence |

Agree on Communication Cadence
Establish when and how you will communicate: daily email updates, weekly calls, immediate escalation for critical findings.
Clarify the Escalation Policy
Define what constitutes an immediate escalation vs. a finding documented in the final report. Example: "If we discover active data exfiltration or evidence of prior compromise, we will notify [contact] within 1 hour by [method]."
Presenting Critical Findings
The SCRA Framework
Use SCRA (Situation, Consequence, Recommendation, Action) to structure critical finding presentations:
| Component | Purpose | Example |
|---|---|---|
| Situation | What you found, stated factually | "We found that the chatbot discloses customer PII when asked through a role-play scenario" |
| Consequence | Business impact if not addressed | "This exposes approximately 50,000 customer records and triggers GDPR breach notification requirements" |
| Recommendation | What to do about it | "Deploy an output filter that screens for PII patterns before response delivery" |
| Action | Specific next step | "We recommend scheduling a remediation planning meeting this week with the ML engineering team" |
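The four SCRA components can be captured in a small helper so every critical finding is presented in the same order. This is a hypothetical sketch for illustration (the `SCRAFinding` class and its fields are not part of any standard tooling):

```python
from dataclasses import dataclass


@dataclass
class SCRAFinding:
    """Hypothetical container for one critical finding, structured per SCRA."""

    situation: str       # What you found, stated factually
    consequence: str     # Business impact if not addressed
    recommendation: str  # What to do about it
    action: str          # Specific next step

    def briefing(self) -> str:
        """Render the components in SCRA presentation order."""
        return "\n".join([
            f"Situation: {self.situation}",
            f"Consequence: {self.consequence}",
            f"Recommendation: {self.recommendation}",
            f"Action: {self.action}",
        ])


finding = SCRAFinding(
    situation="The chatbot discloses customer PII via a role-play scenario",
    consequence="~50,000 records exposed; GDPR breach notification triggered",
    recommendation="Deploy an output filter screening for PII patterns",
    action="Schedule a remediation planning meeting with ML engineering",
)
print(finding.briefing())
```

Keeping findings in a structure like this also makes it easy to reuse the same material in the escalation email and the final report without rewording it each time.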
Delivery Tone
| Do | Do Not |
|---|---|
| State findings as facts | Assign blame to individuals |
| Use neutral, professional language | Use alarming or inflammatory language |
| Acknowledge what works well | Present only negative findings |
| Offer solutions alongside problems | Drop a critical finding and leave |
| Give the client time to process | Rush to the next finding after a critical one |
Handling Pushback
Pushback is normal. The team that built the system is emotionally invested in it. Anticipate these responses and prepare.
Common Pushback Patterns
Client says: "No real attacker would do this."
Response: "You're right that this specific payload is artificial. The underlying vulnerability -- that the model's safety controls can be bypassed through role-play -- has been exploited in production by non-technical users who discovered it accidentally. We've documented three public incidents with similar root causes."
Key principle: Validate their concern, then provide real-world evidence.
Client says: "That's a problem with the base model, not our implementation."
Response: "The base model's behavior is one factor, but the system prompt and deployment architecture determine whether that behavior is exploitable. Our recommendations focus on the deployment-level controls that are within your team's control, regardless of base model behavior."
Key principle: Redirect to what they can control.
Client says: "Your testing conditions aren't realistic."
Response: "Let's review the specific conditions you're concerned about. Our testing used [conditions]. If there are production constraints we didn't simulate -- rate limiting, authentication requirements, monitoring -- we can note those as mitigating factors in the report and adjust severity ratings accordingly."
Key principle: Be open to adjusting, but document the reasoning.
Client says: "We'll just add 'don't do that' to the system prompt."
Response: "Prompt-level instructions are a good first step, but our testing showed that they can be overridden by the same techniques that bypassed the existing instructions. We recommend a defense-in-depth approach that includes output filtering and a safety classifier layer, which are harder to bypass than prompt-level controls alone."
Key principle: Acknowledge the partial solution, explain why it is insufficient.
Difficult Conversation Scenarios
Scenario 1: The System Is Worse Than Expected
When the overall posture is much worse than the client anticipated:
- Lead with context. "AI security is a rapidly evolving field, and most organizations at your stage have similar findings."
- Prioritize ruthlessly. "Of the 15 findings, these 3 are the ones that need immediate attention."
- Provide a clear path forward. "Here is a 90-day remediation plan that addresses the critical issues first."
- Offer perspective. "The fact that you commissioned this assessment puts you ahead of most organizations."
Scenario 2: A Finding Is Disputed
When the client believes a finding is invalid:
- Reproduce it live if possible and if the client consents.
- Provide the evidence package with full chain of custody.
- Offer to re-test under conditions the client considers more realistic.
- If still disputed, document the disagreement in the report: "The red team maintains this finding. The client considers it non-exploitable under production conditions due to [their reasoning]."
Scenario 3: Findings Implicate a Person
When a vulnerability was clearly introduced by a specific person's decision:
- Never name individuals in findings.
- Frame as systemic: "The system prompt design pattern used here is common but creates vulnerability to [attack type]."
- Recommend process changes, not personnel changes.
Communication Templates
Critical Finding Notification (Email)
Subject: [ENGAGEMENT-ID] Critical Finding Notification
[Client contact],
During our assessment of [target system], we identified a critical
vulnerability that requires immediate attention.
Summary: [1-2 sentences describing the finding in business terms]
Risk: [Business impact if exploited]
Recommendation: [Immediate action to take]
We recommend discussing this finding at your earliest convenience.
We are available for a call today between [times].
Full details and evidence will be included in the final report.
Regards,
[Red team lead]

Weekly Status Update
Subject: [ENGAGEMENT-ID] Weekly Status - Week [N]
Summary: Testing is [X]% complete. [N] findings identified to date.
No critical findings requiring immediate escalation this week.
Key activities:
- Completed testing of [attack surface areas]
- Began testing [next areas]
Findings update: [N new findings: breakdown by severity]
Blockers: [Any access issues or questions]
Next week: [Planned activities]

Related Topics
- Writing Executive Summaries -- the written artifact of your findings presentation
- Red Team Reporting Masterclass -- the full reporting framework
- Engagement Tracking & Project Management -- status reporting that builds client confidence