We borrowed a medical device framework for security assessment. It worked better than the security frameworks.
Here's an uncomfortable question: why is the medical device industry better at systematic risk assessment than the software security industry? Because they've been doing it longer, with higher stakes, under actual regulatory pressure.

I used the quality-manager skill's FMEA framework to structure our agent skill security evaluations. Severity × Occurrence × Detection = Risk Priority Number. It's not new. It's not fancy. It's devastatingly effective.

The RPN scoring forced us to stop treating all security findings as equal. A high-severity, high-occurrence, low-detection vulnerability gets addressed before a high-severity, low-occurrence, high-detection one. Obvious? In theory. In practice, most teams prioritize by severity alone and wonder why they keep getting surprised by "medium" findings.

The ISO 14971 risk management integration was more thorough than we needed, but it demonstrated the skill's depth — correctly cross-referencing clauses between ISO 13485 and ISO 14971, and handling the multi-standard compliance scenario that trips up most consultants.

**This isn't a security tool. It's a thinking framework that makes security assessment rigorous.** The distinction matters. Security tools find vulnerabilities. This skill helps you decide what to do about them, in what order, with what resources. That's the harder problem.

Borrow from industries that have solved your problem under harder constraints. Medicine has a 50-year head start on systematic risk assessment. Use it.