Add operational README sections, governance files, and practitioner templates

[requie]

Motivation

• Convert the previously advisory recommendations into actionable, operational artifacts teams can adopt immediately.
• Provide repeatable templates and governance to reduce onboarding friction and ensure ongoing validation of external references.
• Surface prescriptive architecture and testing patterns that bridge red-team findings to Secure SDLC and detection workflows.

Description

• Expanded README.md with implementation-focused sections and updated the table of contents to include: Implementation Quickstart (30/60/90), Evaluation Harness, Agentic AI Attack Trees + Controls Mapping, AI Harm Severity and Triage Model, Secure SDLC Integration Artifacts, Defensive Architecture Patterns, Multilingual & Cultural Safety Playbook, Data Governance for Red Teaming, Metrics That Matter, Purple Team Operations, Common Implementation Pitfalls, Case Study Quality Bar, Model & System Cards, Source Hygiene & Update Governance, and Practitioner Appendices.
• Added practitioner templates under templates/: threat-modeling-workshop.md, ai-security-pr-checklist.md, rules-of-engagement-template.md, vulnerability-report-template.md, test-case-library-starter.md, stakeholder-readout-outline.md, model-system-security-card.md, and case-study-template.md to standardize workshops, PR checks, findings, and reporting.
• Introduced governance artifacts: CHANGELOG.md for versioned change tracking and resources-validation.md to record and refresh external reference validation and evidence tags.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b1476087cd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fail workflow when baseline security scan errors

The scan step appends || true, so this job reports success even when garak fails (e.g., missing OPENAI_API_KEY on fork-based pull_request runs, CLI/runtime errors, or scanner failures). Since the workflow remains green and upload-artifact can still pass with no report files, contributors can merge changes without an actual regression scan, which defeats this workflow’s purpose as a security regression check.

Useful? React with 👍 / 👎.