Governance Gap Analysis

Identity the hidden risks in your current (lack of) AI strategy.

Risk Factor 1 of 5

Priority #1

Shadow AI Usage

Employees using personal AI accounts (ChatGPT, Claude) for company work without oversight.

🚩 Red Flags:

No corporate enterprise licenses
Sensitive data pasted into web UIs
No visibility into AI traffic

Secure Fully governed & monitored

Low Risk Policy exists, partial enforcement

Moderate Risk Awareness but no controls

High Risk Wild west / shadow usage

Critical Active data leakage detected

Risk Factor 2 of 5

Priority #2

Data Leakage Risks

Proprietary IP or customer PII being exposed to public model training data via default settings.

🚩 Red Flags:

No 'Zero Retention' agreements
PII mixed with general data
No DLP (Data Loss Prevention) for AI

Secure Fully governed & monitored

Low Risk Policy exists, partial enforcement

Moderate Risk Awareness but no controls

High Risk Wild west / shadow usage

Critical Active data leakage detected

Risk Factor 3 of 5

Priority #3

EU AI Act Compliance

Failure to categorize AI systems by risk level and maintain required technical documentation.

🚩 Red Flags:

No inventory of AI systems
No risk categorization
Lack of human oversight logs

Secure Fully governed & monitored

Low Risk Policy exists, partial enforcement

Moderate Risk Awareness but no controls

High Risk Wild west / shadow usage

Critical Active data leakage detected

Risk Factor 4 of 5

Priority #4

Model Dependency

Hard-coded dependency on a single proprietary model provider (e.g., OpenAI wrapper).

🚩 Red Flags:

Direct API calls in code
No gateway abstraction
Unable to switch models easily

Secure Fully governed & monitored

Low Risk Policy exists, partial enforcement

Moderate Risk Awareness but no controls

High Risk Wild west / shadow usage

Critical Active data leakage detected

Risk Factor 5 of 5

Priority #5

Codebase Integrity

Developers using AI coding assistants without attribution or license verification.

🚩 Red Flags:

GPL code injection risk
No scanning of AI-generated code
Junior devs blindly accepting output

Secure Fully governed & monitored

Low Risk Policy exists, partial enforcement

Moderate Risk Awareness but no controls

High Risk Wild west / shadow usage

Critical Active data leakage detected