Governance & guardrails
AI risk assessment services
AI risk assessment services exist for a specific moment: AI is already in the building, and someone (a board member, an auditor, a big customer) has asked who checked the risk. If the honest answer is "nobody, formally," this is the fix.
What the assessment covers
- Inventory. Every AI system in use: built, bought, and the unofficial ones your teams adopted on their own. The unofficial list is usually the longer one.
- Risk tiering. Each system rated for likelihood and impact, mapped to the NIST AI RMF and, where you touch the EU, the AI Act's risk categories.
- Gap report. The controls the risk calls for versus the controls you have: access rules, data boundaries, human review, monitoring, documentation.
- First-90-days plan. A prioritized, costed sequence of fixes written so your own people can run it without hiring us again.
Scope, timeline, and price
3–6 weeks. $20,000 to $80,000; where in that range depends on scope: how many systems and teams we assess, company size, and regulatory exposure. We looked at every service page ranking for this search before writing this one, and none of them state a price. We think that's a bad habit the industry picked up, so the number is here, above the fold, where it belongs.
How we run it
The first week is discovery: interviews with system owners, IT, legal or compliance, and the teams using AI day to day, plus read access to the tools themselves. We work from what we can see, not what the org chart says should exist. The middle weeks are the tiering and gap analysis. The last week is the report and a working session to walk your team through it, so the findings survive our departure. Everything is written to be shown to an auditor, a board, or an enterprise customer as-is.
Where this fits
The assessment is the front door. If it finds gaps worth closing, the follow-on is AI governance consulting: building and running the policies and controls the report calls for. If your question is about adopting AI rather than the risk of what's deployed, start with a readiness assessment instead. And if you want to see how the frameworks we tier against fit together, the NIST vs ISO 42001 vs EU AI Act crosswalk is free and ungated.
Who does the work
A senior person, personally. Our senior people are an engineer and an operator, and the person who scopes your assessment is the person who does it. No handoff, no bench.
Questions people ask
- What does an AI risk assessment include?
- Ours covers four things: a full inventory of the AI in use (including what teams adopted without asking), risk tiering of each system mapped to the NIST AI RMF and the EU AI Act's categories, a gap report comparing your current controls to what the risk calls for, and a prioritized first-90-days plan.
- How long does an AI risk assessment take?
- 3–6 weeks for our fixed-scope version. The variable is access: the faster we can talk to system owners and see the actual tools, the closer to the short end you land.
- How much does an AI risk assessment cost?
- $20,000 to $80,000; where in that range depends on scope: how many systems and teams we assess, company size, and regulatory exposure. That's our published range, not a starting point for a quote dance. Most firms selling this work don't publish one, which is why we do.
- How is this different from an AI readiness assessment?
- Direction. A readiness assessment asks whether you're prepared to adopt AI and where it would pay off. A risk assessment asks what could go wrong with the AI you already have. If you've deployed anything, risk usually comes first.
- We only use vendor AI tools. Do we still need this?
- Probably a smaller version of it. Vendor tools still carry data-leak, error, and compliance exposure, and in our experience the inventory alone surprises people. If the assessment finds your exposure is low, the report says so and the engagement ends there.
Tell us about the work.
A few lines is enough. We read every enquiry ourselves and reply within one business day.