AI · Security

Six-week AI Security and Compliance Initiative

Full AI risk assessment covering model security, data leakage exposure, prompt injection surface (OWASP LLM Top 10, LLM01:2025), shadow AI inventory, and regulatory alignment (NIST AI RMF, EU AI Act Articles 9 to 15, current US federal AI policy guidance, state AI laws, sector-specific guidance). Controls mapped into your existing security architecture rather than bolted on. We design the architecture; your team or your existing partners implement. Four weeks for focused environments; six for multi-jurisdiction or sector-regulated scopes.

4 to 6 weeks: 20 to 30 working days
Fixed price: agreed at scoping
Posture document + control architecture: delivered on the date

Who this is for

AI risk and compliance posture documented end-to-end, board-defensible.

CISO

AI usage is expanding and you need a defensible control architecture before the next audit or board review.

CCO

Regulatory exposure on AI is rising and you need a documented posture before disclosure obligations land.

GC

You need AI governance posture documented in a form that holds up to regulator or plaintiff review.

Board / Audit Committee

You want AI risk reported in the same format you already use for other technology risk.

Scope

What this initiative delivers, and what it does not.

Scope is fixed at signing. Items tagged TOP are available inside the broader Technology Operating Partner retainer; the initiative alone does not include them. Items tagged with an outside source require a separate specialty engagement.

In scope

20 to 30 working days
  • Shadow AI inventory via tenant scans (Microsoft 365 Copilot, Microsoft 365 audit log, Azure AI Foundry, third-party SaaS AI features)
  • Model security posture (which models, where, with what data access)
  • Data leakage exposure mapping (prompt-to-storage paths, retention behavior, training-data inclusion risk)
  • Prompt injection surface map (mapped to OWASP LLM Top 10: LLM01:2025 Prompt Injection, LLM02 Sensitive Information Disclosure, LLM06 Excessive Agency, across user-facing AI, agentic AI, and third-party AI inside SaaS)
  • Regulatory alignment review (NIST AI RMF; EU AI Act Articles 9 to 15 for high-risk systems and Article 50 for transparency; current US federal AI policy guidance including OMB memoranda and FTC enforcement positions; state AI laws including Colorado AI Act and NYC Local Law 144; sector-specific guidance)
  • Control architecture designed to integrate with existing security controls (identity, DLP, logging, access)
  • Board-defensible AI posture document

Out of scope

Available elsewhere
  • Implementation of control architecture (TOP)
  • Red-team adversarial testing or model jailbreaking validation (Specialty firm)
  • Custom model security tuning or fine-tuning (AI build firm)
  • Selecting AI vendors or replacing existing AI tooling (TOP)
  • Litigation support or regulatory response (Qualified counsel)

TOP: Available via Technology Operating Partner retainer. Specialty firm: Engage a qualified third party.

Inputs

What we need from you

Provided at kickoff. Missing inputs delay the initiative; they do not change scope.

  • Read-only access to Microsoft 365 / Azure tenant for shadow AI discovery
  • Existing security architecture documentation
  • List of approved AI tools and any current AI governance policy
  • Four to six interviews (CISO, IT lead, GC or compliance lead, data lead, business AI sponsor if any)
  • Recent audit findings or regulatory inquiries touching AI usage, if any

Timeline

Week by week

Daily visibility throughout. Mid-initiative check confirms direction before the deliverable lands.

Week 1

Inventory and regulatory map

Shadow AI discovery via tenant scans. Regulatory exposure mapping against NIST AI RMF, EU AI Act Articles 9 to 15, current US federal AI policy guidance, state AI laws (Colorado AI Act, NYC Local Law 144), and sector-specific rules. Model-security inventory drafted.

Week 2

Risk surface and interviews

Data leakage paths and prompt-injection surface mapped. Four to six structured interviews. Mid-initiative check with CISO.

Week 3

Control architecture design

Controls integrated with existing security architecture. Gap-to-current state documented. Architecture reviewed with CISO and IT lead.

Week 4

Documentation and walkthrough

Board-defensible posture document drafted. Walkthrough with CISO and GC. Focused environments deliver here.

Weeks 5 to 6 (if required)

Multi-jurisdiction and sector extension

Multi-tenant scopes, regulated sectors (healthcare, financial services, defense), or EU-AI-Act high-risk classification work typically uses the additional two weeks.

Output

What you walk away with

  • Written AI security and compliance posture document
  • Shadow AI inventory and risk classification
  • Control architecture map integrated with existing security stack
  • Regulatory alignment summary
  • Board-presentation deck
  • Walkthrough call

Honest framing

What this initiative is not

This Initiative produces a posture document and control architecture. Implementation of the architecture is your responsibility or that of your existing security partners. Red-team adversarial testing, custom model fine-tuning, and active regulatory response are outside scope. Regulatory alignment is sized to the frameworks named in scope; sector-specific or jurisdictional advice may require qualified legal counsel.

If you are a portfolio company

How the work calibrates to the PE-backed seat.

Companies inside a PE portfolio operate against constraints generalist enterprise framing does not cover. Each of these shapes how the Initiative is scoped and sequenced.

  • Board reporting cycle. Output is sized to land before the next quarterly board read, not the company's annual planning calendar.
  • Exit window math. Decisions made 12 to 24 months ahead of exit show up at the bid. Where applicable, findings are tagged for the exit-window timeline they affect.
  • Add-on integration tempo. Findings that pertain to acquisition integrations are surfaced separately so the deal team can either price them in or sequence the integration around them.
  • Cost discipline by hold position. Recommendations are calibrated to where the portco sits in the hold cycle. A company in early hold has different cost flex than one 12 months from exit.

FAQ

Questions buyers ask first

What is prompt injection and why does it matter?

Prompt injection is the AI-era equivalent of SQL injection. An attacker hides instructions inside text the model processes, and the model follows those instructions instead of the operator's. OWASP ranks it the number-one risk for LLM applications and it appears in a majority of production AI deployments tested in industry research. The AI Security Initiative inventories every AI integration, tests for direct and indirect prompt injection, and documents the controls each application actually has, mapped to NIST AI RMF.

How do we secure AI agents in the enterprise?

Cisco's 2026 State of AI Security report found that 83 percent of organizations plan to deploy agentic AI and only 29 percent feel ready to do so securely. The gap is controls. Agents need identity, scoped permissions, action logging, and a kill switch the security team owns. The AI Security Initiative puts those four in place, plus a third-party assessment of the agents already in production, plus an inventory of the data each agent can touch.

Inside the broader program

When the initiative becomes the standing engagement

This Initiative is a one-time fixed-price engagement. The Technology Operating Partner relationship continues the work on a quarterly cadence at one of four Program tiers: the dashboard gets re-run, the savings get re-baselined, the architecture gets re-mapped, and the board gets the same format every meeting. Most clients begin with an Initiative like this one and decide on the tier after the deliverable lands.

Ready to scope this

From shadow AI to a board-defensible posture document. Four to six weeks.

One email. Brief description of the situation. We respond within one business day with initiative confirmation or a recommendation of a better fit.

Not sure this is the right initiative for your situation? Take the four-question path-finder for a personalized recommendation.