Shadow AI & Governance Audits

Your employees are already using AI tools you don't know about. We find them before they cause a breach.

A fixed-fee audit that gives your IT and security team visibility into unapproved AI usage and a board-ready governance policy, delivered in 2-3 weeks. No bans, no productivity hit.

Audits mapped to NIST AI RMF EU AI Act CMMC / NIST 800-171 environments
40-60%
of enterprise AI use happens outside IT's visibility
$670K
added breach cost when shadow AI is present (IBM)
71%
of workers keep using AI tools even after IT blocks them (Reco)
2-3 wks
from kickoff to a finished governance policy in hand
The process

How the audit works

Four phases, one fixed fee, agreed before work begins. You keep every deliverable.

1Free · 30 min

Discovery call

Confirm scope, systems in play, and who needs to be involved. No obligation.

2Days 1-5

AI usage scan

Identify which AI tools employees are actually using, sanctioned or not.

3Days 6-15

Risk classification & policy draft

Each tool scored against NIST AI RMF and EU AI Act criteria; policy and DLP recommendations drafted.

4Days 15-21

Readout & handoff

Live walkthrough of findings, plus the final policy document. Yours to keep and use.

Fit

Who this is for

Built for lean IT and security teams carrying governance responsibility without a dedicated function behind them.

You'll recognize yourself if

  • You're at a 200-2,000 employee company
  • There's no dedicated AI governance function yet
  • The board or a compliance framework is asking for one
  • You're doing vCISO-style work, with or without the title

Why this matters now

  • EU AI Act high-risk rules become enforceable August 2026
  • 80% of organizations worry about AI data leaks; 60% have no strategy
  • 86% of IT leaders dealt with an AI-related incident this past year

What you get

  • Full discovery of AI tools actually in use
  • Risk classification per NIST AI RMF and EU AI Act
  • Board-ready AI usage policy + DLP recommendations
  • Live readout call on findings
Pricing

Fixed fees, agreed up front

No hourly billing, no surprise invoices. Pick the depth that matches where you are.

Starter
$1,800
A fast read on your exposure
  • 3-5 day quick scan
  • Top AI tools flagged
  • 1-page executive summary
Start with a free call
Recommended
Core
$6,500
The full audit and policy build
  • 2-3 week full audit
  • Governance policy + DLP recommendations
  • Live readout call
Start with a free call
Premium
$16,000
Audit, rollout, and follow-through
  • Everything in Core
  • Policy rollout support
  • 90 days of monitoring
Start with a free call

Our guarantee: documented findings and a usable governance policy in 3 weeks, or we keep working for free until you have it.

Common questions

What security leaders usually ask

Will this slow my team down or block tools they rely on?

No. The goal is visibility and a usable policy, not a ban. Employees keep working; you get to see what's actually happening and decide what to allow.

Do I need to buy new software first?

No. The audit works with what you already have. If a monitoring tool would help long-term, that's a separate, optional recommendation, never a prerequisite.

How do you handle our data during the audit?

Everything reviewed during the engagement is covered by the confidentiality terms in the engagement agreement, and usage logs or system details are deleted or returned at your request after final delivery.

Start with a free 30-minute AI risk snapshot

No pitch, no obligation. We'll talk through where AI is likely being used in your organization and whether an audit is worth it for you.

Book the call