AI Exposure Report

The Scorecard told you what you think.
This tells you what we find.

Five business days. A senior team in your environment, on the phone with your people, in your contracts. A real findings report and a 90-day plan. No fluff. No certifications-as-deliverable. Just the work.

Engagement: 5 business days
Pricing: Fixed-fee
Output: Findings + 90-day plan

What you walk away with

Five concrete deliverables. No mystery.

Every Exposure Report client gets the same five things, customized for their environment. We tell you up-front what's in the box. We won't change the deal halfway through.

01

A complete tool inventory.

Every AI and AI-adjacent tool currently being used by anyone at your company. Including the ones IT doesn't know about. Especially the ones IT doesn't know about.

02

A data flow map.

What customer, employee, and proprietary data is going into which tools, where it's stored, who has access to it, and what the vendors are allowed to do with it.

03

A policy and contract gap analysis.

Where your current AI policy (if any) doesn't match what's actually happening. Where your customer contracts have AI obligations you're not meeting. Where your insurance has exclusions you didn't know about.

04

A risk-prioritized findings list.

Not 47 things sorted alphabetically. The 5–10 things that actually matter, ranked by likelihood and impact, with the reasoning shown. So you know what to fix Monday and what can wait until next quarter.

05

A 90-day action plan.

What to do, in what order, with effort estimates and ownership recommendations. Written so a non-technical operator can hand it to the right people. Not a slide deck full of "consider implementing." A list of actual moves.

The five days

A working engagement, not a long one.

Five business days from kickoff to walkthrough. We move fast because the answer is mostly already there — we just need to do the work to find it.

Day 1

Kickoff and tool scan.

90-minute working session with leadership and IT. Anonymous employee survey goes out. We start the tool inventory and request initial documents — current policies, top customer contracts, cyber insurance policy.

Days 2–3

Deep environment review.

Targeted interviews — typically 5 to 8 — with operators and team leads who actually use AI day-to-day. Document review. Vendor terms-of-service analysis. SaaS spend reconciliation. We don't watch over your shoulder; we get out of your way and do the homework.

Day 4

Findings synthesis.

We synthesize. Draft report goes through internal review — every finding has a "would I stake my reputation on this" check. You get a preview deck to react to before the final session, not surprises in the room.

Day 5

Walkthrough and 90-day plan.

Two-hour working session with your leadership team. We walk through the findings, defend the prioritization, and build the 90-day plan together so it's actually yours when we leave. You get the final report that day.

Who this is for

It's a real engagement. We'd rather you self-select out than waste your money.

It's a fit if you're…

  • A business of roughly 25 to 1,000 employees, where AI is being used (or about to be) and nobody's fully tracking how.
  • Under compliance, contractual, or insurance pressure — a customer questionnaire about AI, an insurer's new AI exclusion, a CMMC or HIPAA review on the calendar.
  • Led by someone who wants to act on what we find, not just file a report. We're at our best with leaders who'll change something on Monday.
  • Willing to have us talk to your people — anonymously, but candidly. The findings come from your team's actual workflows, not from your assumptions about them.

It's not a fit if you're…

  • Just curious. If you want to feel out where you stand, the free Scorecard does that in 90 seconds. Save your money until there's a real reason to spend it.
  • Looking for a checkbox engagement. We don't sell certificates that say you did the thing. The Exposure Report is for people who want the work done, not the artifact.
  • Pre-AI in any meaningful sense. If nobody at your company is using AI tools yet and you have no plans to, there's nothing for us to find. Talk to us when that changes.
  • Only able to send IT to the conversation. AI exposure is a business and risk conversation as much as a technical one. We need a leadership owner in the room.

Investment

Fixed-fee. Quoted on the call. No surprises.

The Exposure Report is a fixed-fee engagement priced based on company size, complexity, and how many people we'll need to interview. We quote it on the first call so you have a real number before you commit to anything.

What's included

  • The full five-day engagement
  • 5–8 stakeholder interviews
  • Tool inventory and data flow map
  • Policy and contract gap analysis
  • Final report and 90-day plan
  • Two-hour walkthrough working session
  • 30 days of email follow-up after delivery

What's not included

  • Implementation work — that's a separate engagement, only if you want it
  • Penetration testing or technical security audits
  • Legal review (we flag issues, your counsel advises)
  • Training programs or rollout support

If we don't find anything material, we refund the engagement. We've never had to. We say it because it makes both of us serious about the work.

FAQ

Things people ask before booking the call.

How is this different from a generic IT or security audit?

An audit checks systems against a standard. This checks reality against your obligations and your goals. We're looking at what your team is actually doing with AI and where that creates exposure — for your customers, your insurer, your regulator, and you. The output is operator-readable, not auditor-readable.

Do we have to give you access to systems?

No. We work from interviews, documents, vendor terms, and SaaS spend records. If you want a deeper technical assessment we can run one as a follow-on, but the Exposure Report is intentionally lighter-touch so you can run it without IT bandwidth.

What if leadership disagrees with our findings?

Good — that's what the Day 5 walkthrough is for. We don't deliver findings as decrees. We defend our reasoning, we listen to context we missed, and we adjust where you're right. Final report reflects the conversation, not just our first draft.

Are you going to sell us a managed service after?

Maybe. Some clients hire us to implement what we find — that's a separate engagement, on the table only if it makes sense and you ask. Plenty of clients run the Exposure Report and then take the plan to their existing internal team or another vendor. That's also a fine outcome.

What does "no surprises" mean for confidentiality?

Mutual NDA before kickoff, every time. Anonymous interview summaries, never attributed. Findings reports go to the executive sponsor only, in writing, with explicit retention rules. If something we find rises to "you have a legal obligation to disclose this," we tell you on a call — never via the report.

Ready when you are

Schedule a call. Get a real quote. Decide from there.

First call is 30 minutes, no fee. We'll learn enough about your business to scope the engagement and give you a quote. If it's not a fit, we'll tell you why and what to do instead.