Internal AI Tools Audit
Your team's been using AI for months. You don't know which tools, on which data, paid by whom. We find every one, score the risk and hand back the inventory, policy and controls before the ICO, your insurer or a customer asks.
- 78% of AI users bring their own tools to work
- 27.4% of data put into AI is sensitive
- 2 Aug 2026: most AI Act rules apply
Sources: Microsoft & LinkedIn Work Trend Index 2024; Cyberhaven AI Adoption and Risk Report 2024; Regulation (EU) 2024/1689.
You don't have an AI policy. You have an AI guess.
Microsoft and LinkedIn found 78% of AI users bring their own AI tools to work. Cyberhaven measured a 485% jump in corporate data flowing into AI tools from March 2023 to March 2024, with 73.8% of workplace ChatGPT use going through non-corporate accounts.
Meanwhile finance is paying for one ChatGPT seat, marketing has expensed a Claude subscription on a personal card, someone in ops has wired Zapier into a Notion AI workflow, and a junior dev has pasted client data into Cursor.
You can't govern what you can't name. The audit names it.
WHAT YOU THINK YOU HAVE
- "A few people using ChatGPT"
- An email saying "don't paste client data"
- Copilot "switched off in the tenant"
- A vendor list that ends at SaaS
- Nothing the board could sign off on
WHAT YOU'LL HAVE AFTER
- Named inventory of every tool, plugin and agent
- Acceptable-use policy your team will actually read
- Tenant settings reviewed, training opt-outs set
- Vendor due-diligence pack on every AI supplier
- Audit trail mapped to NIST AI RMF and ISO 42001
Five ways shadow AI bites a UK business.
The sectors vary. The exposures repeat. So do the fixes.
Personal-account paste
Staff using ChatGPT Free or Plus on personal logins. OpenAI says consumer ChatGPT content may be used to improve its models unless the user opts out. Cyberhaven measured 73.8% of workplace ChatGPT use through non-corporate accounts.
Copilot oversharing
Microsoft 365 Copilot inherits the permissions you already have. Over-permissioned SharePoint sites that nobody noticed for years now surface in natural language to anyone who asks.
Browser extensions
Chrome extensions that "summarise this page" or "rewrite this email". The audit checks browser permissions, vendor terms, DPA status and who you would name in a breach notice.
SaaS AI switched on
Slack AI, Notion AI, Atlassian Intelligence, Zoom AI Companion, HubSpot Breeze. Each has its own admin controls, data terms and opt-out path. Someone has to read them before the feature becomes normal work.
Agents and custom GPTs
Someone built a custom GPT for sales. It reads from a Google Drive folder. Nobody documented which folder, who can use the GPT, or what it returns. Now it's part of the workflow.
What ends up in the AI register.
Everything that touches a model, not just the obvious chat apps. If it sends a prompt or reads an output, it's in the register, with an owner, a data class and a risk tier next to it.
Chat assistants
ChatGPT, Claude, Gemini, Copilot, Perplexity, Mistral. Per account: free or paid, personal or corporate, training opt-out status.
Coding tools
Cursor, GitHub Copilot, Claude Code, Windsurf, Replit, Lovable, Bolt.new. Which repos they touch, what code they've pushed, who's been pasting in secrets.
Browser extensions
Page summarisers, meeting note-takers, email rewriters, sales copilots. Per extension: vendor, permissions, data leaving the browser.
SaaS AI features
M365 Copilot, Google Workspace Gemini, Slack AI, Notion AI, Atlassian Intelligence, HubSpot Breeze, Zoom AI Companion. Status, scope, training defaults.
Custom GPTs & agents
Internal GPTs, n8n / Zapier / Make automations, Claude Projects, anything your team has wired together. Owner, data sources, who can run it.
Meeting recorders
Otter, Fireflies, Granola, Read.ai, Tactiq. What gets recorded, where it's stored, which clients have given consent.
Image, audio & video
Midjourney, Runway, ElevenLabs, Suno, Veo, Sora. Per tool: licence terms, commercial use rights, who's paying.
API calls in your own apps
OpenAI, Anthropic, OpenRouter, Bedrock, Vertex calls baked into your products. Spend, models, system prompts, logged inputs.
Where we come in.
Four phases, fixed scope, fixed price per phase. The first three get you the register, the policy and the immediate fixes. The fourth is an optional quarterly sweep.
We do the discovery, the interviews, the tenant review and the write-up. You get a document the board can sign and your IT lead can act on by Monday.
Discover
SSO logs, expense reports, browser extensions, SaaS admin consoles, repo histories, the corporate card statement. Short interviews with the people actually using the tools. You see what's been bought, what's free, and what nobody's mentioned in a stand-up.
Classify and tier
Every tool gets a data class (public, internal, confidential, special category) and a risk tier modelled on the EU AI Act categories. We flag the prohibited, high-risk, limited-risk and minimal-risk cases, with the reasoning written down so it survives the next staff change.
Fix and document
Training opt-outs flipped, free-tier accounts moved to corporate plans where it matters, dangerous extensions removed, Copilot oversharing reviewed, vendor DPAs collected. You leave with an acceptable-use policy, an AI register, a vendor pack, and a one-page risk note for the board.
Keep it current (optional, quarterly)
Your team will adopt more tools and your SaaS vendors will keep adding AI features. We do a quarterly sweep, update the register, and refresh the policy. Optional retainer; cancel any quarter.
Mapped to the frameworks your auditor will ask about.
We don't write fresh principles. We map the work to recognised standards so the output can be reused in an ISO certification, a SOC 2 review, a buyer's security questionnaire, or an ICO conversation.
AI Management Systems
The first international standard for managing AI as a system. Published December 2023, certifiable. The register, policy and risk process we build map to Annex A controls.
Govern, Map, Measure, Manage
NIST's AI Risk Management Framework (January 2023) plus the Generative AI Profile (NIST AI 600-1, July 2024). The structure our audit report follows so the work is recognisable to security teams that already use NIST.
Regulation (EU) 2024/1689
Chapters I and II, including AI literacy and prohibited-practices rules, applied 2 February 2025. General-purpose AI model rules applied 2 August 2025. Most remaining rules apply 2 August 2026, with Article 6(1) high-risk obligations from 2 August 2027.
ICO Guidance on AI & data protection
The ICO's AI and data protection guidance, AI audit toolkit, and lawful-basis, transparency and DPIA expectations that already apply to anything touching personal data. We flag where you owe a DPIA and draft the first one.
Prompt injection, supply chain, leakage
The 2025 edition of the OWASP Top 10 for LLM Applications. We use it as the technical checklist for any tool that takes prompts or runs agents inside your business.
Adversarial threat models
MITRE ATLAS for adversary tactics and techniques against AI systems, and Google's Secure AI Framework for practical controls. Used where the audit touches your own products, not just employee tooling.
When the AI bites the brand.
Four public incidents from the last three years. Different industries, same governance problem: a tool was live before anyone had decided what it was allowed to do.
Samsung's source code leak.
Within 20 days of allowing ChatGPT, Samsung Semiconductor engineers pasted proprietary source code and confidential meeting notes across three separate incidents. Samsung then restricted generative AI use on company devices and internal networks. Reported by Bloomberg.
Air Canada pays for its bot.
The BC Civil Resolution Tribunal held Air Canada liable in Moffatt v. Air Canada for misleading bereavement-fare advice its chatbot had given. The airline's argument that the bot was a "separate legal entity" failed. The advice still came from Air Canada's website.
DPD swears at the customer.
After a system update, DPD's customer-service chatbot called the company "the worst delivery firm in the world" and swore at a user. DPD told TIME the AI element was immediately disabled and updated.
NYC's bot tells you to break the law.
The Markup found New York City's official MyCity chatbot, built on Microsoft technology, telling small business owners they could take staff tips, fire whistleblowers and refuse Section 8 tenants. All illegal under NYC law. The mayor kept it online.
Sources: Bloomberg, BC Civil Resolution Tribunal, TIME, The Markup.
The ones we get asked first.
We're not a regulated business. Do we really need this?
If you process anyone's personal data, UK GDPR is already on you. If you provide or deploy AI systems used in the EU, the AI Act may be on you too. If your customers are enterprises, their next security questionnaire is likely to ask. The audit gets you the answers before the questionnaire arrives.
Aren't you just going to ban everything?
No. The goal is a list of what's allowed, on what data, by whom. Most tools come through unchanged. A few get moved to corporate plans. A small number get switched off, with a sanctioned replacement.
How long does it take?
Days for the core audit: discovery, then classification, then fixes and the write-up. If your team is bigger than 150 people we extend discovery; everything else runs the same way.
What do you need from us?
Read access to your SSO logs, Microsoft 365 or Google Workspace admin, expense reports, your SaaS admin consoles and your endpoint management. Time with 6 to 10 people, an hour each. An honest answer when we ask "what are you actually using".
Will the team actually tell you?
Mostly, yes. We run interviews on a "nobody's in trouble" basis and cross-check against logs and expenses. The combination catches tools people forget to mention.
What about Microsoft Copilot? We've already paid for it.
Copilot is fine. The risk isn't the model, it's the permissions Copilot inherits. We review your SharePoint and OneDrive sharing, restrict the over-permissioned sites, and document what Copilot can see for each role before the first uncomfortable result appears in a search.
Are you lawyers?
No. We're the engineering and operations team. We map the technical reality, fix the controls and draft the policy. Where you need a solicitor to sign off the wording, we work with yours, or introduce one. Cleaner and cheaper than going to a law firm cold.
How much does it cost?
Fixed-fee per phase for the core audit. The optional quarterly retainer is a fraction of that. We tell you the number on the first call, in writing, before anything is signed.
Find out what your company is actually doing with AI.
Thirty-minute call. You'll come away with the questions to ask your team this week and a clear view of what we'd expect to find given your size and sector.