§ Safe AI & Security Foundation·the AI front door

Find where your data is leaking into AI. Lock it down.

A fixed-fee, fixed-scope sprint that finds where your company data is leaking into public AI tools, and locks it down without slowing your team. Most organizations have already adopted AI. They just have not governed it. We map the exposure, set a governing policy, classify the data, and give the team a safe path to keep using AI.

NIST AI RMF · ISO 42001 · EU AI Act aware · IAM & least-privilege

Start with a free 30-minute AI Risk Exposure Check · See the five deliverables →

For mid-market companies and funded startups across the United States

If that is the week you are having, this is the fix.

Mid-market companies (roughly 50 to 500 employees) and funded startups that are:

  • Watching employees paste client data, financials, or source code into ChatGPT, Claude, and other public tools with no policy governing it.
  • Heading into a SOC 2, HIPAA, ISO 27001, or cyber insurance renewal and needing a defensible AI and security posture on the record.
  • Under pressure from a board, an investor, or a banking partner to show they have AI governance in place.
  • Adopting AI fast and wanting to enable it safely rather than ban it.

5 to 10 business days from kickoff to delivery, depending on tier and environment size. Kickoff call, mid-sprint check-in, and a final readout are included.

The reflex is to block everything, which fails because employees route around it. The right move is to map the exposure and give the team a safe path.

§ What we deliver·five named deliverables a third party can operate
01 · Exposure
Shadow AI Exposure Assessment

A structured review of where data is actually moving, ending in a ranked map of where proprietary data is most exposed and why.

  • Inventory of connected third-party apps and OAuth grants across your Google Workspace or Microsoft 365 tenant
  • SaaS inventory and spend review, plus interviews with a small set of team leads about real workflows
  • Review of available proxy, DNS, or gateway logs
a governance and access assessment · we are explicit about what is observable in your environment and what is not. Not a guarantee that every instance of tool use is detected.
02 · Policy
AI Acceptable Use Policy

A customized AI and data acceptable-use policy, aligned to the NIST AI Risk Management Framework and ISO 42001, written so your team can actually follow it. Built for adoption, not a binder nobody reads.

  • Framework-aligned and counsel-ready
  • Written for the people who have to follow it
  • We recommend your legal counsel review it before formal adoption
counsel-ready · your attorney owns final sign-off. We do not provide legal advice.
03 · Classification
Data Classification Matrix

A clear, role-readable matrix defining what is safe for public LLMs, what requires an enterprise or private AI tool, and what should never be uploaded. This is the operational backbone your policy points to.

  • Safe for public LLMs
  • Requires an enterprise or private AI tool
  • Should never be uploaded
role-readable · the operational backbone your policy points to.
04 · Baseline
Security Baseline Check

A focused review of the controls that cause most breaches, with prioritized remediation, not just a list of problems.

  • MFA coverage and gaps
  • Identity and access hygiene, with a least-privilege review
  • Endpoint protection and third-party vendor and supply-chain risk
prioritized remediation · draws on direct IAM and least-privilege architecture experience.
05 · Roadmap
90-Day Roadmap

A prioritized, phased plan of what to build, buy, or fix next, sequenced by risk and effort. The document that turns the assessment into action and tells leadership exactly where to spend next.

  • Sequenced by risk and effort
  • Tells leadership exactly where to spend next
  • Sets up the path beyond the sprint
phased plan · turns the assessment into action.
Method & credibility
Senior judgment, not a checklist

Delivered by a senior Solutions Architect with deep experience in regulated financial services and federal environments, where safe AI deployment under a framework and an audit clock is the daily job. You are buying senior judgment, not a junior analyst running a checklist.

  • Anchored to NIST AI RMF, ISO 42001, and EU AI Act where relevant
  • Access review draws on direct IAM and least-privilege architecture experience
  • Federal and regulated experience framed as capability, never named client work
principal-led · the person who scopes the work does the work.
§ Pricing·an approvable expense, not a procurement event
Fixed fee, no time-and-materials. 50% on kickoff, 50% on delivery.
Tier | Scope | Investment
Essentials | Single environment (one Workspace or M365 tenant), team under ~75. All five deliverables. Final readout document. | $2,500
Foundation | Up to ~250 employees. Adds deeper vendor and supply-chain review, expanded interviews, and a live readout presentation to leadership. | $3,750
Foundation+ | Up to ~500 employees, or organizations with a data platform. Adds a platform-level data-flow review (where a warehouse, lake, or pipeline exists), a board-ready deck, and a 30-day post-delivery check-in. | $5,000

Priced as an approvable expense, not a procurement event.

§ The path beyond the sprint·from free door to ongoing ownership
Free door
30-min AI Risk Exposure Check
No slides. We diagnose where your AI exposure sits today and whether this is something to act on now.
Free

The sprint
Safe AI & Security Foundation
The fixed-fee sprint above. All five deliverables. You own everything at the end.
$2,500 to $5,000

Execute
Remediation engagement
Most clients do not have the senior capacity to execute the roadmap. We do the work the 90-day plan names.
Scoped off findings

Ongoing
Fractional AI & security lead
An embedded fractional leader, typically 10 to 20 hours per week, owning the roadmap, governance program, and board reporting.
Retainer

§ What is out of scope·boundaries keep the engagement clean

An assessment and foundation, not a full audit.

§ Two front doors·AI help or cybersecurity help

Looking for cybersecurity help, not just AI?

This page is the AI front door. If your week is more about phishing, ransomware, backups, and vendor access than about AI exposure, start at the security hub instead. The Secure AI Use Review is the deliberate crossover point between the two paths, so wherever you start, you can reach it.

DSE Security: Cyber Risk & Resilience →

Are your employees putting client data into ChatGPT? Let's spend 30 minutes mapping it.

If you are clean, you get peace of mind. If you are exposed, we show you exactly where, and how to lock it down without slowing your team. No pitch, just a read on where you stand.

Book a free 30-minute AI Risk Exposure Check · Scope a call →