Your employees are already using AI tools you don't know about. We find them before they cause a breach.
A fixed-fee audit that gives your IT and security team visibility into unapproved AI usage and a board-ready governance policy, delivered in 2-3 weeks. No bans, no productivity hit.
How the audit works
Four phases, one fixed fee, agreed before work begins. You keep every deliverable.
Discovery call
Confirm scope, systems in play, and who needs to be involved. No obligation.
AI usage scan
Identify which AI tools employees are actually using, sanctioned or not.
Risk classification & policy draft
Each tool scored against NIST AI RMF and EU AI Act criteria; policy and DLP recommendations drafted.
Readout & handoff
Live walkthrough of findings, plus the final policy document. Yours to keep and use.
Who this is for
Built for lean IT and security teams carrying governance responsibility without a dedicated function behind them.
You'll recognize yourself if
- You're at a 200-2,000 employee company
- There's no dedicated AI governance function yet
- The board or a compliance framework is asking for one
- You're doing vCISO-style work, with or without the title
Why this matters now
- EU AI Act high-risk rules become enforceable August 2026
- 80% of organizations worry about AI data leaks; 60% have no strategy
- 86% of IT leaders dealt with an AI-related incident this past year
What you get
- Full discovery of AI tools actually in use
- Risk classification per NIST AI RMF and EU AI Act
- Board-ready AI usage policy + DLP recommendations
- Live readout call on findings
Fixed fees, agreed up front
No hourly billing, no surprise invoices. Pick the depth that matches where you are.
- 3-5 day quick scan
- Top AI tools flagged
- 1-page executive summary
- 2-3 week full audit
- Governance policy + DLP recommendations
- Live readout call
- Everything in Core
- Policy rollout support
- 90 days of monitoring
Our guarantee: documented findings and a usable governance policy in 3 weeks, or we keep working for free until you have it.
What security leaders usually ask
No. The goal is visibility and a usable policy, not a ban. Employees keep working; you get to see what's actually happening and decide what to allow.
No. The audit works with what you already have. If a monitoring tool would help long-term, that's a separate, optional recommendation, never a prerequisite.
Everything reviewed during the engagement is covered by the confidentiality terms in the engagement agreement, and usage logs or system details are deleted or returned at your request after final delivery.
Start with a free 30-minute AI risk snapshot
No pitch, no obligation. We'll talk through where AI is likely being used in your organization and whether an audit is worth it for you.
Book the call