ShadowGuard assessment package

Turn scattered AI usage into an inventory, risk review, control plan, and board/client-ready governance package.

Built for teams that need practical AI oversight, SOC 2 readiness support, HIPAA-aware and GDPR-aware evidence organization, and NIST AI RMF-style or ISO 42001-style crosswalks before a client audit request forces the issue.

Typical first pass: 1 week

Core artifacts: 6

Primary output: Final report

Buyer fit

Three ways this assessment gets bought.

The same ShadowGuard workflow can support a lean operator, a family office, or a client-facing advisory team without pretending to be a formal certification.

SMB operators

Get out of spreadsheet mode

Lean IT, security, compliance, and operations teams.

Employees are already using AI tools, but there is no single inventory or risk-ranked action plan.

A practical readiness view showing current AI use, highest-risk workflows, missing controls, and next actions leadership can approve.

Family offices

Create an oversight view

Family offices and operators overseeing portfolio companies or operating entities.

AI adoption is happening company by company, but oversight teams need a consistent way to compare exposure and proof.

A board-ready summary of where AI is used, which use cases create exposure, and which evidence is missing.

Board and client proof

Produce a defensible package

Advisory, legal, accounting, healthcare, and security teams that need proof artifacts for clients or leadership.

A verbal policy is not enough when a client, board, auditor, or insurer asks what is actually governed.

A finalized governance snapshot, PDF, and secure delivery link with risk, controls, evidence gaps, and remediation status.

Deliverables

What the buyer gets.

The package is tied to artifacts ShadowGuard already produces, so the promise stays grounded in the product.

AI system inventory across discovered, imported, or manually entered use cases.

Risk-ranked assessment for meaningful AI systems and workflows.

Recommended governance controls with status and ownership tracking.

Evidence gap summary for vendor review, logging, human oversight, and policy proof.

Compliance framework crosswalks for SOC 2 readiness, HIPAA-aware, GDPR-aware, NIST AI RMF-style, ISO 42001-style, and other readiness profiles.

Governance readiness report or organization-wide governance report.

Saved snapshot, client export pack, PDF, and secure delivery link when finalized.

Process

From unknown AI usage to a governed report package.

The assessment is built as a delivery path, not a survey. Each step maps to an existing ShadowGuard workflow.

Step 01

Scope the assessment

Confirm buyer context, departments, AI use cases, data sensitivity, and final deliverable format.

Step 02

Build the inventory

Use provider discovery, manual entry, or CSV intake to create a usable AI systems register.

Step 03

Assess risk and controls

Run the ShadowGuard risk scorecard, generate controls, assign owners, and document evidence gaps.

Step 04

Package the proof

Save the report snapshot, complete internal review, finalize the export pack, and deliver the PDF or secure link.

Proof artifacts

Board-ready means there is something to inspect.

The output is a point-in-time governance package with visible inventory, risk, control, evidence, review, and delivery trails.

AI systems register

Risk scorecard

Control checklist

Evidence binder

Review queue

Remediation owners

Report snapshot

Client export pack

PDF export

Secure delivery link

Boundaries

What this is not.

Clear boundaries make the assessment easier to buy and safer to deliver.

Assessment outputs support readiness review and governance evidence. They are not legal advice, certification, or a guarantee of compliance.

Legal advice or formal certification.

Guaranteed compliance outcome.

New enterprise connector implementation during the assessment.

Automatic remediation without an approved owner and plan.

FAQ

Common buying questions.

Short answers for the first sales conversation.

Is this a software subscription or a service package?

It can start as a service-led assessment using ShadowGuard, then continue as an active subscription for ongoing governance and monitoring.

Do we need Google or Microsoft connected first?

No. Provider discovery helps, but the assessment can also start with the manual inventory workflow and CSV intake.

Can this support a board or client conversation?

Yes. The intended output is a practical governance package with inventory, risk, controls, evidence gaps, and a final report export.

Can this help with SOC 2 auditor questions about AI?

Yes. ShadowGuard helps organize AI inventory, vendor review, control status, logging, evidence gaps, and SOC 2 readiness-style crosswalks. It does not replace your auditor or create a SOC 2 report.

Can this help us review AI use with PHI, customer data, or sensitive data?

Yes. The assessment identifies AI systems that may touch sensitive or regulated data, flags missing controls, and organizes HIPAA-aware, GDPR-aware, and other regulated-data readiness evidence. It is not legal advice.

Does this cover EU AI Act or other AI governance frameworks?

It supports readiness-style crosswalks for NIST AI RMF, ISO 42001, EU AI Act, SOC 2, ISO 27001, NIST CSF, and regulated-data profiles. It does not make legal classifications or compliance determinations.

Does this provide certification?

No. The assessment supports readiness and governance evidence; it is not legal advice, certification, or a guarantee of compliance.

Paid assessment intake

Start the assessment package with context already attached.

Submit the intake, continue to Stripe Checkout, and RLS can begin with your buyer context, timeline, and first governance goal already captured.

1. Intake is saved as an assessment order.

2. Stripe collects the one-time assessment payment.

3. RLS follows up to begin scoping and delivery.

Request manual scoping

Stripe shows the configured one-time assessment price before payment. Card details are handled by Stripe, not stored by ShadowGuard.