AI security advisory
Your AI is deployed. Do you know where your risk exposure actually is?
Most organizations rushed AI into production without a formal model risk framework, a governing AI policy, or visibility into third-party AI vendor controls. Regulators are noticing. This assessment gives you a structured, board-ready view of where you stand — and a prioritized path forward before an audit finds the gaps first.
Delivered by security practitioners who have assessed AI model risk and AI governance for regulated enterprises — not a compliance checklist vendor.
Risk rating system
Every finding gets a severity rating — with clear consequences
Our assessment uses a five-tier severity scale aligned to NIST CSF 2.0 and sector-specific regulatory frameworks. Each rating carries explicit criteria and an assessment response requirement, so your team knows exactly what to do with every finding.
Direct risk of patient harm, regulatory enforcement, or material financial exposure. Clear violation of applicable law or framework requirement.
Deployment halted · Executive sign-off required · Automatic legal escalation
Demonstrable risk of clinical harm, regulatory non-compliance, or vendor contract liability. Error rate exceeds acceptable threshold for the use case.
30–60 day remediation maximum · Vendor corrective action plan required
Indirect or conditional risk if controls fail. Missing documentation or contractual gap not rising to enforcement threshold.
90-day remediation window · Documented risk acceptance acceptable if met
Workflow inefficiency or degraded user experience. Minor documentation deficiency with no current regulatory or legal exposure.
Remediate at next contract renewal · Include in annual vendor review
No current risk. Improvement opportunity in documentation clarity, reporting, or process design.
Log as advisory finding · No mandatory response required
The assessment — 8 domains
A structured look at where AI risk actually lives
Each domain maps to NIST CSF 2.0 functions and includes specific interview questions used during vendor due diligence. These are the areas your assessment will cover — no boilerplate, no filler.
Clinical Safety & Efficacy
Clinical safety is the primary gate for any AI tool that touches patient care. We evaluate whether the tool is legally marketed and performs reliably across the patient populations you serve — not just in a controlled validation environment.
“What is the FDA regulatory classification of this tool, and can you provide the clearance or approval documentation with submission number?”
“Please walk us through the clinical validation study design: sample size, patient demographics, clinical setting, comparator, and primary/secondary outcome metrics.”
Regulatory & Legal
HIPAA, FDA device regulation, and state-level AI laws create overlapping obligations. We map your AI posture to the specific standards that apply — and identify where vendor contracts create or close liability exposure.
“Is your organization willing to execute a Business Associate Agreement, and what is your standard BAA template — can you share it for legal review?”
“What is your breach notification procedure and SLA, and how does it map to HIPAA's outer limit of 60 days from discovery of a breach (and to any shorter window in our BAA)? Describe your liability model for AI-assisted decisions.”
Bias, Fairness & Equity
AI systems trained on non-representative data produce disparate clinical outcomes. We assess training data demographics, disaggregated performance metrics stratified by protected groups, and your vendor's bias testing cadence.
“Can you provide a demographic summary of the training dataset — race, ethnicity, sex, age, language, and clinical setting?”
“Please share disaggregated performance metrics stratified by demographic groups.”
Explainability & Trust
Clinicians cannot meaningfully override what they cannot understand. We evaluate whether your AI tool provides actionable explanations for its recommendations — not just a confidence score — and whether those explanations are appropriate for your specialty.
“Can you demonstrate how the tool explains a recommendation to a clinician in our specialty? Please walk through a realistic clinical scenario.”
Data Privacy & Security
For any externally hosted AI tool, patient data leaves your environment every time the tool is queried. We trace the complete data flow, including what leaves, where it goes, and who processes it, and evaluate SOC 2 Type II scope, subprocessor coverage, BAA adequacy, and post-contract deletion verification.
“Walk us through the complete data flow: what patient data leaves our environment, where does it go, and who processes it?”
“When our contract ends, what data is retained, what is deleted, and how do you verify deletion? Provide your complete subprocessor list.”
Vendor & Governance
AI vendors fail, get acquired, or change business models. We assess vendor financial stability, customer concentration risk, and whether your AI governance policy provides the oversight structure needed to manage a deployed AI tool over its full lifecycle.
“Describe your current funding, revenue trajectory, and customer concentration.”
Workflow & Integration
The safest AI tool fails if it buries clinicians in alert fatigue or breaks when the inference service drops. We evaluate EHR integration architecture, alert volume per clinician per shift, failover procedures, training plans, and post-deployment metric reporting.
“What is your integration architecture with our specific EHR system — and can you provide a technical integration diagram?”
“What is your failover procedure when your inference service is unavailable, and how much additional time does the fallback add to our workflow?”
Cost & Value
AI vendor pricing often obscures implementation, training, integration, and governance costs. We build a full three-year total cost of ownership model — so you can make a procurement decision based on actual cost, not the initial quote.
“Please provide a full three-year total cost of ownership projection, including all implementation, training, integration, and governance costs.”
Assessment basis
Mapped to NIST CSF 2.0 — the standard regulators reference
Every evaluation domain in this assessment maps to at least one NIST Cybersecurity Framework 2.0 function and category. Because each finding carries both a CSF reference and a sector-specific regulatory cross-reference, findings travel from a governance committee to a board presentation without re-authoring.
Govern: Establish organizational context · Risk management strategy · Supply chain risk · Roles & responsibilities
Protect: Identity management · Platform configuration · Data security · Awareness training · Technology resilience
Detect: Continuous monitoring · Anomaly detection · Continuous improvement
Respond: Incident management · Incident analysis · Incident response reporting · Incident mitigation
Recover: Incident recovery plan · Recovery communication · Recovery improvements
This assessment is built for a Tier 3 engagement — AI/LLM Security Assessment with NIST CSF 2.0 alignment and sector-specific regulatory cross-references. It is purpose-built for organizations in healthcare, financial services, and government.
Why this is different
Built by practitioners, not platform vendors
Hands-on AI model risk assessment experience — not a compliance checklist
AI governance policy review and drafting for regulated industries
NIST AI RMF 1.0 and CSF 2.0 alignment and implementation guidance
AI risk quantified in dollar terms for board and executive reporting
The process
From first call to board-ready findings in four steps
- 01 Discovery call
45-minute call to understand your AI deployment posture, current vendor landscape, regulatory environment, and specific concerns. We scope the assessment to your environment, not a generic checklist.
- 02 Vendor due diligence
We conduct structured interviews with your AI vendors using the 8-domain framework. Each vendor answers the same questions. You receive the raw transcript and our scoring summary.
- 03 Structured findings
Findings are documented by domain with severity ratings, regulatory cross-references, and explicit remediation requirements. No vague "recommendations": every finding has a response requirement.
- 04 Roadmap & board brief
Prioritized remediation roadmap, board-level risk brief in dollar terms using FAIR methodology, and a policy framework you own, not a vendor lock-in document.
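What a FAIR-style dollar figure in the board brief rests on, shown as an added example rather than the advisory's own tooling: one finding is described by two calibrated estimates, loss event frequency (events per year) and loss magnitude (dollars per event), each given as a hypothetical (min, most likely, max) triple, and a Monte Carlo simulation turns them into an annualized loss exposure distribution with percentiles and the probability of exceeding a stated risk tolerance. The input figures are constructed for illustration and are not the page's data.

```python
"""FAIR-style annualized loss exposure (ALE) by Monte Carlo.

Added example, not part of the advisory page. All dollar and frequency
figures below are constructed, hypothetical calibrated estimates.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated (min, most likely, max) estimate, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def __post_init__(self) -> None:
        if not (0 <= self.low <= self.mode <= self.high):
            raise ValueError("estimate must satisfy 0 <= low <= mode <= high")

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's Poisson sampler; adequate for the small annual event rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(lef: Estimate, lm: Estimate, n: int = 20_000, seed: int = 7) -> list[float]:
    """Loss per simulated year: a Poisson event count at a sampled annual rate,
    each event costing an independently sampled loss magnitude."""
    rng = random.Random(seed)
    years = []
    for _ in range(n):
        events = poisson(rng, lef.sample(rng))
        years.append(sum(lm.sample(rng) for _ in range(events)))
    return years


def summarize(losses: list[float], tolerance: float) -> dict:
    """Mean, percentiles and exceedance probability against a dollar risk tolerance."""
    s = sorted(losses)

    def q(p: float) -> float:
        return s[min(len(s) - 1, int(p * len(s)))]

    return {
        "mean": statistics.fmean(s),
        "p10": q(0.10),
        "p50": q(0.50),
        "p90": q(0.90),
        "p_exceeds_tolerance": sum(1 for loss in s if loss > tolerance) / len(s),
    }


# Constructed estimates for a single finding (hypothetical, for illustration only):
# a breach-notification event tied to one AI vendor, 0.1 to 2 times a year,
# costing between $50k and $2M per event.
LEF = Estimate(low=0.1, mode=0.5, high=2.0)
LM = Estimate(low=50_000, mode=250_000, high=2_000_000)
RISK_TOLERANCE = 1_000_000  # hypothetical annual loss the board will tolerate


if __name__ == "__main__":
    report = summarize(simulate_ale(LEF, LM), RISK_TOLERANCE)
    for key, value in report.items():
        print(f"{key:>20}: {value:,.2f}")
```

The mean of the simulated years should sit close to E[LEF] × E[LM] (Wald's identity, since event count and per-event loss are independent), which is a useful sanity check on any FAIR tool's output; the p90 and the exceedance probability, not the mean, are what a board brief should lead with, because a heavy-tailed loss magnitude makes the average a poor picture of the exposure.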
The organizations that deployed AI fastest without a governance framework are now the ones spending the most on remediation. The organizations that invested in the assessment first are the ones with the clearest path forward.
Questions
What you asked before the call
How long does the assessment take?
The discovery call is 45 minutes. Vendor due diligence typically spans 2–4 weeks depending on the number of AI tools in scope. The findings report is delivered within 10 business days of the final vendor session.
Do we need to involve our legal team?
We coordinate directly with your legal team on BAA review, vendor contract review, and regulatory cross-references. We supply the specific questions; your legal team reviews the vendor responses and contract language.
What's the deliverable format?
Findings are delivered as a structured report by domain, a prioritized remediation roadmap, and a board-level brief — including FAIR-quantified risk in dollar terms where applicable. All documents are in your name.
Is this specific to healthcare?
The framework is healthcare-origin but maps to NIST CSF 2.0 with sector-specific regulatory cross-references for financial services, government, and technology. We scope the regulatory section to your sector.
What if we don't have any AI deployed yet?
Pre-deployment assessment is where this framework delivers the most value. Evaluating AI vendors before procurement costs less than remediating a bad deployment post-production. We can start at the evaluation stage.
Is the assessment confidential?
Yes. All findings, vendor responses, and assessments are treated as confidential and proprietary to your organization. We do not share findings across clients. NDAs are available upon request.
Ready to start
See where your AI risk exposure actually is
Request your AI security assessment. We'll scope it to your environment, not a generic checklist — and deliver findings your board can act on.
45 minutes: initial discovery call · 8 assessment domains covered · 10 business days to findings · Deliverables in your name, no vendor lock-in