04  ·  Project Based

AI Governance & Third-Party Vendor Risk Assessment

Secure your AI adoption, protect sensitive data, and ensure regulatory compliance — without slowing down innovation.

Book a Free Scoping Call →See Pricing ↓
73%
of orgs have employees using unauthorized AI tools — Gartner, 2024
#1
OWASP LLM risk: Prompt Injection — OWASP Top 10 for LLMs, 2025
$4.9M
Avg cost of an AI-related data breach — IBM Cost of a Data Breach, 2024

The Silent Proliferation of Shadow AI

Employees are adopting GenAI tools faster than IT can review them. One unvetted browser plugin, one exposed training file, one prompt containing PHI — and a helpful AI assistant becomes a critical security incident.

Without proper governance, GenAI introduces attack surfaces that traditional security frameworks weren't designed to address: prompt injections, model inversion, training data poisoning, and the silent leakage of sensitive data into unknown third-party systems.

What My AI Governance Assessment Includes

Visibility, structure, and enterprise-grade security for your entire AI footprint.

AI Risk & Impact Assessments

In-depth evaluation of model bias, data leakage, adversarial input attacks, and privacy implications. Includes a mitigation roadmap tied to your business objectives and compliance requirements.

Third-Party & Vendor AI Risk Management

I assess and manage third-party AI exposure — reviewing vendor practices, interrogating AI-powered services, and building AI-specific requirements into your procurement and onboarding processes.

AI Governance Framework Development

Customized frameworks aligned to ISO/IEC 42001, NIST AI RMF, and OWASP Top 10 for LLMs — tailored to your environment and integrated with your existing GRC program.

AI Compliance Readiness & Gap Analysis

Benchmarking against current and emerging regulations — EU AI Act, HIPAA AI implications. Gaps identified and remediation prioritized by business impact and likelihood of enforcement.

Responsible AI Policy & Ethics Program

Define your organization's ethical principles for AI — fairness, transparency, accountability, human oversight — translated into actionable policies and controls your team can implement.

Not sure where to start?

Book a free 30-minute scoping call. I'll identify your highest-risk AI exposure in the first conversation.

Book a Scoping Call →

Frameworks I Work With

I don't apply a one-size-fits-all approach. I tailor industry-leading frameworks — including the OWASP Top 10 for LLMs — to your specific environment, regulatory obligations, and risk tolerance. The result is an AI governance program that is defensible, practical, and built to last.

NIST AI RMF ISO/IEC 42001 OWASP LLM Top 10 EU AI Act HIPAA AI Guidance

Five Phases. Structured Methodology.

Every engagement follows the same rigorous framework — so you always know exactly where we are and what comes next.

1
Phase 01
Discovery & Inventory
Stakeholder interviews, Shadow AI discovery, and vendor tool inventory across your entire organization
2
Phase 02
Technical & Vendor Review
Assessing data flows, BAA coverage, model security risks, and third-party AI integrations
3
Phase 03
Gap Analysis
Mapping against NIST AI RMF, ISO/IEC 42001, and OWASP Top 10 for LLMs — covering governance posture and LLM-specific attack surfaces
4
Phase 04
Executive Briefing
60-minute leadership readout with findings, risk ratings, and compliance implications
5
Phase 05
Written Report & Roadmap
Comprehensive written report plus a prioritized 30/60/90-day remediation roadmap your team can act on immediately
Real-World Experience

The AI Scribe Risk Nobody Saw Coming

A multi-location specialty practice had deployed an AI ambient documentation tool across all providers. No BAA. The tool was transmitting ePHI to a third-party model training environment. I identified the exposure during a routine assessment intake — before it became a reportable breach. Remediated in 30 days. No breach notification required.

This is the kind of risk that doesn't show up in a traditional vulnerability scan. It requires someone who understands both the clinical workflow and the security implications of AI adoption in a regulated environment.

Fixed Fees. No Scope Creep.

I publish my pricing because it filters out the wrong engagements and respects your time.

Targeted Assessment
AI Risk Assessment
$5K starting
Shadow AI discovery, current tool assessment, initial policy development. Fixed fee, 3–4 weeks.
Get a Proposal →
Most Comprehensive
Full Governance Build
AI Governance Program
$15K starting
Full framework development, vendor risk integration, executive reporting. 6–8 weeks.
Get a Proposal →
Ongoing Leadership
Fractional vCISO Retainer
$5K /mo
Continuous AI governance, vendor oversight, and policy management as part of overall security leadership.
Learn More →

Frequently Asked Questions

Do I need an AI governance program if we're only using tools like ChatGPT or Microsoft Copilot?
Yes — especially in healthcare. Even commercial AI tools can create HIPAA exposure if employees use them with patient data. An AI governance program establishes the policies, controls, and oversight needed to use these tools safely and compliantly.
What is Shadow AI and why does it matter for my organization?
Shadow AI refers to AI tools and applications being used by employees without IT or security oversight. It matters because these tools often process sensitive data — including PHI — without proper security controls, BAAs, or data processing agreements in place.
How is this different from a standard vendor risk assessment?
Traditional vendor risk assessments weren't designed for AI. My AI governance assessment specifically addresses model security risks, training data exposure, LLM-specific attack vectors (like prompt injection), and the regulatory implications of AI adoption — areas that standard vendor questionnaires don't cover.
What frameworks do you use?
I tailor my approach to each organization, drawing on NIST AI RMF, ISO/IEC 42001, and OWASP Top 10 for LLMs as the primary frameworks. For healthcare organizations, I also incorporate HIPAA AI guidance and emerging state-level AI regulations.
How long does an AI governance engagement take?
A targeted AI Risk Assessment typically takes 3–4 weeks. A full AI Governance Program build runs 6–8 weeks. Both include a written deliverable and executive briefing at the end.
Can you help us prepare for the EU AI Act even if we're a US-based healthcare organization?
Yes. If you work with EU-based patients, partners, or vendors — or if you use AI systems developed by EU-regulated companies — the EU AI Act may apply to you. I can assess your exposure and help you understand what compliance obligations, if any, apply to your situation.

Ready to Secure Your AI Adoption?

Schedule a free, no-obligation scoping call. I'll identify your highest-risk AI exposure in the first conversation.

Book a Free Scoping Call →