The problem this solves
In most companies AI adoption ran ahead of governance: customer data pasted into public chatbots, AI-drafted emails sent without review, vendor terms accepted unread, and no answer to basic questions like which tools are approved, what data may they touch, and who checks the output. Under GDPR and the emerging EU AI regulation, that gap is not just an embarrassment risk; it is a compliance exposure that grows with every new tool the team quietly adopts.
How we work
We map your actual AI usage first, because governing the official tool list while ignoring shadow usage governs nothing. Then we assess the control layer against it: what policies exist and whether anyone follows them, how personal and customer data flows into AI tools, what vendor data processing terms you have actually accepted, and where human review sits in AI-assisted output that reaches customers.
We frame findings as operational risk, ranked by likelihood and consequence, not as legal abstractions. A rep pasting deal context into an unapproved chatbot is a concrete finding with a concrete fix.
The deliverable is a risk register specific to your AI usage, a gap assessment against your regulatory context including GDPR, and a pragmatic governance recommendation: enough control to be defensible, not so much process that teams route around it. Governance that gets bypassed is worse than none, because it creates false confidence.
Deliverables
- Actual AI usage map including unofficial and shadow tools
- Data flow assessment showing what customer and personal data reaches which AI systems
- Vendor terms review covering data processing and retention commitments
- Risk register ranked by likelihood and consequence
- Governance recommendations sized to your company, not enterprise theatre