Clarify first
- Which environments, applications, repositories, pipelines, or cloud accounts are included in the review.
- The business concern behind the assessment: risk, reliability, cost, audit readiness, delivery speed, or an incident follow-up.
- The stakeholder questions the final report must answer and the decision deadline it supports.