The problem this solves
In most companies AI adoption ran ahead of governance: customer data pasted into public chatbots, AI-drafted emails sent without review, vendor terms accepted unread, and no answer to basic questions like which tools are approved, what data may they touch, and who checks the output. Under GDPR and the emerging EU AI regulation, that gap is not just an embarrassment risk; it is a compliance exposure that grows with every new tool the team quietly adopts.
How we work
We map your actual AI usage first, because governing the official tool list while ignoring shadow usage governs nothing. Then we assess the control layer against it: what policies exist and whether anyone follows them, how personal and customer data flows into AI tools, what vendor data processing terms you have actually accepted, and where human review sits in AI-assisted output that reaches customers.
We frame findings as operational risk, ranked by likelihood and consequence, not as legal abstractions. A rep pasting deal context into an unapproved chatbot is a concrete finding with a concrete fix.
The deliverable is a risk register specific to your AI usage, a gap assessment against your regulatory context including GDPR, and a pragmatic governance recommendation: enough control to be defensible, not so much process that teams route around it. Governance that gets bypassed is worse than none, because it creates false confidence.
Deliverables
- Actual AI usage map including unofficial and shadow tools
- Data flow assessment showing what customer and personal data reaches which AI systems
- Vendor terms review covering data processing and retention commitments
- Risk register ranked by likelihood and consequence
- Governance recommendations sized to your company, not enterprise theatre
What buyers ask before scoping.
Is this legal advice?
No. We assess operational governance: how AI is actually used, where data flows, and what controls exist. The output is designed to be useful to your legal counsel, and it identifies where formal legal review is warranted, but it does not replace it. Most of what we find requires operational fixes, not legal opinions.
Do we need this before deploying AI agents that talk to customers?
It is strongly advisable. Customer-facing agents raise the stakes: they act on your data, in your name, at volume. The assessment establishes what context the agent may access, what review gate its output passes, and who is accountable when it errs. Retrofitting those answers after an incident is the expensive order of operations.
How is this different from the AI Data Readiness Assessment?
Data readiness asks whether your data can feed AI effectively; this assessment asks whether it should, under what controls. One is about capability, the other about exposure. Companies moving seriously into AI typically need both, and the findings inform each other: the same data map serves both assessments.
Related modules
AI Tooling & Platform Assessment
AI Tooling & Platform Assessment is a diagnostic engagement that reviews the AI tools you have, the ones you ...
AI Organizational Readiness Assessment
AI Organizational Readiness Assessment is a diagnostic engagement that examines whether your people, skills, ...
AI Data Readiness Assessment
AI Data Readiness Assessment is a diagnostic engagement that tests whether your CRM and connected systems ...
Sounds like your situation?
30 minutes, your calendar, no slide deck. We tell you honestly whether this module fits.
Book discovery call