What we audit. What it costs.
Most AI pilots fail for the same reasons. These six failure modes appear, in some combination, in nearly every engagement we take.
The conformance gap
Your documented process and what employees actually do diverge by 30–70%. Automating the documented version automates the wrong thing.
- GDPR
Data classification before AI touches anything
When a process touches personal data, client records, or HR information, sharing it with an AI tool creates a data processing relationship under GDPR. No agreement in place means a violation, not a technicality.
- SECURITY
Skill file and agent instructions
Every AI skill file, agent, or 'AI assistant' you enable contains instructions an LLM executes verbatim. Those instructions may include data exfiltration or scope creep. The LLM executes without independent judgment. Nobody checks by default.
- DATA
Vendor AI features as undeclared data access
When your SaaS vendor enables an 'AI assistant' tab, you have granted read access to your business data. The data processor agreement was not reviewed before that happened.
No baseline, no measurement
If you cannot measure whether the AI made things better or worse after 90 days, you did AI tourism, not AI adoption. Most pilots have no baseline. The tool runs. Nobody knows if it helped.
Agent sprawl
Fifty disconnected AI workflows with no shared governance. No consistency, no auditability, no way to turn off something that starts producing wrong output at scale.
- Process inventory as actually performed — not as documented
- Data classification per process: what is touched, where it lives, what rules apply
- AI readiness assessment per process: ready, not yet, or never
- Security flag on every process that crosses a regulated data line
- One validated use case with a measurable baseline set before anything runs
- Written summary and session recordings you keep
Full refund if we cannot identify at least one AI use case worth piloting.
- Skill file review: any AI skill or vendor AI feature your team wants to deploy is audited before it runs
- Data flow documentation: what goes in, what comes out, what stays on-premises
- Team training: how to evaluate what you share with AI, how to recognise bad output, when to escalate
- One process set up with AI, with baseline tracking active
- Compliance bridge: GDPR and E-ITS gaps surfaced in Phase 2 are documented and flagged
You can. The framework is free — the skill file runs in any LLM. What you get from us is the judgment the LLM cannot have: direct experience with how real business processes interact with GDPR, E-ITS, and the specific failure modes of AI adoption in non-IT organisations. The framework is the thinking. The engagement is for the understanding.
Read the framework →
Klaus Jogi
Certified Information Security Auditor
ISO 27001 Certified Lead Auditor (PECB)
Over a decade auditing information systems and business processes in non-IT organisations — bringing the same rigour to AI adoption.
AI tools are used throughout the framework; every recommendation is reviewed and signed off by the auditor.
LinkedIn- All sessions are conducted via video call — no travel, no on-site visits.
- Minimal data access. You describe your processes; we never handle production data or credentials.
- Typically two to four sessions of 90 minutes each, spread over two to three weeks.