
Know what your AI tools actually do with your data.
A structured assessment of the AI vendors in your stack — data handling, training opt-outs, residency, sub-processors and software provenance — documented in a register you maintain going forward.
The assessment, end to end.
We cover the tools already in use before we look at the ones being requested — shadow AI is almost always the bigger exposure.
Data-handling assessment
Training opt-outs & model use
Residency & sub-processor chain
Software provenance & supply chain
Risk rating & approval
A register you actually keep.
Aligned to the supplier-risk and software-provenance controls Assurix verifies — so a live evidence trail sits behind every vendor decision.
AI vendor register
A single source of truth: every tool in use, its data-handling profile, risk rating and approval status. Reviewed quarterly.
Assessment template
The rubric and questionnaire we use, handed over so your team can run future assessments without us.
Decision log
Every approval, conditional approval and rejection captured with the rationale — the audit trail regulators and insurers want.
Onboarding & review workflow
A light process for requesting a new tool, getting it assessed and getting a decision back — fast enough that people don't route around it.
What the first pass usually uncovers.
A well-run vendor review almost always pays for itself — usually in a licence swap or an opt-out that should have been flipped a year ago.
- Free-tier AI tools used for client work, with prompts retained for training by default.
- Browser extensions with tenant-wide access that nobody formally approved.
- Vendor DPAs signed but sub-processor lists never reviewed since.
- Data residency claimed as UK/EU, but sub-processors in third countries.
- No decision log — approvals happened in Slack threads that have since expired.
- Enterprise tier available at the same cost, with training opt-out applied by default, but nobody switched.
Delivered by M-Tech Labs with the compliance and security discipline of M-Tech Systems — Cyber Essentials certified, aligned to NCSC CAF 4.0 and progressing through the Assurix trustmark programme. Code is continuously scanned for quality and security with Aikido, with independent QA and penetration testing by Zoonou available where engagements call for it, and hosted on our own Nutanix / Fortinet platform — continuously pen-tested, current-version, UK-based. See secure development for the full picture.
Get the AI vendor register written down.
A vendor-due-diligence engagement leaves you with a maintained register, a reusable assessment template and a workflow your team can run without us.