What the AI Guardrails Report Looks Like
Your assessment produces a leadership-ready report that your C-suite, board, compliance officer, and cyber insurance broker can all act on. Here's what's inside.
Executive summary for your C-suite
The first 5-8 pages of the report are designed for busy leaders. You get a crisp summary of the top 5 risks identified in your organization, ranked by business impact. Each risk includes a one-sentence description, a severity rating (Critical, High, Medium, Low), and a one-sentence recommendation. You also receive a residual-risk statement that tells you what percentage of your AI surface area is uncontrolled, poorly monitored, or non-compliant with frameworks that matter to your business.
This section is a 10-minute read for a board member or CFO. It answers the question: are we exposed, and what do we do about it?
AI inventory section
The next section catalogs every sanctioned and shadow AI system we discovered in your organization. Entries are broken down by department (Sales, Finance, Operations, etc.), risk tier (High, Medium, Low), and deployment model (SaaS, internal RAG, browser extension, etc.). For each tool, you see the number of active users, what data they typically input, what DLP or approval controls exist, and when we last detected activity.
This is your single source of truth for what AI tools are in use. It's the document you hand to your CIO when they ask: how much ChatGPT is actually running in my org?
Data exposure matrix
This section is a table showing which data classes (PII like names and emails, PHI like medical records, IP like product specs, customer data, financial records, etc.) flow through which AI systems. Each cell in the matrix is colored by severity: green if the data class is not known to flow through that system, yellow if flow is occasional and controls exist, red if flow is frequent and controls are weak.
This matrix is the first thing your cyber insurance broker will look at. It shows exactly where your compliance risk sits.
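The matrix described above is just a table of (AI system, data class) cells, each scored by how often the data class flows through the system and how strong the controls on that system are. The following Python is an added illustration of how such a matrix and the report's residual-risk figure can be derived from inventory and flow data; it is not the assessor's own tooling, and the inventory, flow counts, the frequency threshold, the definition of "strong controls" and the handling of the two combinations the page does not define (occasional flow without controls, frequent flow with strong controls) are all assumptions made here.

```python
"""Build a data exposure matrix from an AI inventory and observed data flows.

Added example, not part of the original page. All inventory entries, flow
counts and thresholds below are constructed sample data.
"""

DATA_CLASSES = ["PII", "PHI", "IP", "Customer data", "Financial records"]

# Constructed inventory: system name -> controls present on that system.
SYSTEMS = {
    "ChatGPT (browser)": {"dlp": False, "approval": False},
    "Internal RAG assistant": {"dlp": True, "approval": True},
    "Sales email copilot": {"dlp": True, "approval": False},
}

# Constructed flow observations: (system, data class, events in last 30 days).
FLOWS = [
    ("ChatGPT (browser)", "PII", 42),
    ("ChatGPT (browser)", "IP", 7),
    ("Internal RAG assistant", "IP", 120),
    ("Internal RAG assistant", "Customer data", 3),
    ("Sales email copilot", "PII", 60),
    ("Sales email copilot", "Customer data", 2),
]

# Assumption: 10 or more observed events per month counts as "frequent".
FREQUENT_THRESHOLD = 10


def controls_are_strong(controls):
    """Assumption: both DLP and an approval/usage control are needed for 'strong'."""
    return bool(controls["dlp"] and controls["approval"])


def cell_severity(events, controls):
    """Score one (system, data class) cell on the page's green/yellow/red scale.

    Page definitions: green = no known flow; yellow = occasional flow and
    controls exist; red = frequent flow and weak controls. The other two
    combinations are not defined on the page; this example scores them
    conservatively (assumption): strong controls cap the cell at yellow,
    weak controls push any observed flow to red.
    """
    if events == 0:
        return "green"
    frequent = events >= FREQUENT_THRESHOLD
    strong = controls_are_strong(controls)
    if not frequent and strong:
        return "yellow"
    if frequent and not strong:
        return "red"
    return "yellow" if strong else "red"


def build_matrix(systems=SYSTEMS, flows=FLOWS, data_classes=DATA_CLASSES):
    """Return {system: {data_class: severity}} covering every combination."""
    counts = {(s, d): 0 for s in systems for d in data_classes}
    for system, data_class, events in flows:
        counts[(system, data_class)] += events
    return {
        system: {d: cell_severity(counts[(system, d)], controls) for d in data_classes}
        for system, controls in systems.items()
    }


def uncontrolled_surface_percent(matrix):
    """Share of inventoried systems with at least one red cell, rounded to 0.1%.

    Assumption: this is one reasonable reading of 'percentage of AI surface
    area that is uncontrolled'; the page does not specify the denominator.
    """
    exposed = sum(1 for cells in matrix.values() if "red" in cells.values())
    return round(100.0 * exposed / len(matrix), 1)


def render(matrix, data_classes=DATA_CLASSES):
    """Plain-text rendering of the matrix for a report appendix."""
    width = max(len(s) for s in matrix)
    header = "System".ljust(width) + " | " + " | ".join(d.ljust(17) for d in data_classes)
    rows = [header, "-" * len(header)]
    for system, cells in matrix.items():
        rows.append(system.ljust(width) + " | " + " | ".join(cells[d].ljust(17) for d in data_classes))
    return "\n".join(rows)


if __name__ == "__main__":
    m = build_matrix()
    print(render(m))
    print(f"\nResidual risk: {uncontrolled_surface_percent(m)}% of systems have a red cell")
```

Only the scoring rules are the interesting part: the flow counts would come from DLP or proxy telemetry in practice, and the two undefined combinations are where a real assessor's judgement (and the report's stated methodology) matters most.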
Policy gap analysis
We compare your current AI governance policies, data handling procedures, and staff training against the requirements of the frameworks we assessed you against (NIST AI RMF, ISO 42001, NY DFS, HIPAA, FINRA, EU AI Act). The report shows gaps as redlines: what you require, what you currently have, and where your policy stops short.
This is the section compliance counsel and your audit team use to scope the policy work needed. We also flag which gaps are business-critical (must fix before deploying new AI) versus nice-to-have (improve over time).
Prioritized remediation roadmap
The final section lays out a 90-day, 6-month, and 12-month remediation plan. Each item includes what needs to be done (e.g., configure M365 DLP to block PII exfiltration to ChatGPT), who owns it (IT, Security, Compliance, Business Owner), an effort estimate (in hours or weeks), a cost estimate (if it requires tooling or external help), and the compliance or business justification.
This roadmap is what you use to brief your board, plan your security budget, and decide whether to engage us for a follow-on Remediation engagement.
Sample report sections available
We're happy to share a redacted version of a prior assessment so you can see the format, depth, and quality of analysis you'll receive. The sample shows real examples (with customer names and specific data redacted) so you can evaluate whether this is the right fit for your organization.
Request the sample during the scoping call, or let us know and we'll send it over within 24 hours.
Executive summary with top 5 risks
C-suite-ready, one-page-per-risk format. Severity, description, and recommended action for each.
Complete AI inventory by department
Every sanctioned and shadow AI system cataloged by tool, user count, data sensitivity, and control status.
Data exposure matrix
Visual table showing which data classes flow through which systems and the severity of exposure for each combination.
Policy gap analysis
Side-by-side comparison of your current policies versus framework requirements, with redlines showing what's missing.
Actionable 90-day / 6-month / 12-month roadmap
Prioritized list of remediation items with effort, cost, and ownership assignments.