Consulting Services

AI security expertise — when DIY isn't enough.

Two weeks to a documented governance baseline. Six to ten weeks to deployed controls. Or ongoing executive advisory. Built for SMBs facing cyber insurance riders, audits, and enterprise customer due diligence.

Why now

Three pressures hitting SMBs in 2026

1. Cyber insurance AI security riders

Carriers are conditioning coverage on documented AI governance: an acceptable use policy (AUP), model risk assessments, and training records. Many 2026 policies include AI exclusions, so a breach caused by an employee's unsanctioned AI use may not be covered.

Affects renewal in next 12 months

2. EU AI Act enforcement

Most of the Act's obligations, including the requirements on high-risk systems, apply from 2 August 2026 (the prohibited-practice and general-purpose model rules took effect earlier). An SMB that supplies AI-enabled products to EU customers, or whose AI output is used in the EU, can be in scope without an EU office, and EU downstream contracts increasingly pass those obligations through. State-level laws in CA, CO, TX, and NY add a US patchwork.

Hard deadline approaching

3. Enterprise customer due diligence

Vendor questionnaires now include AI governance questions. SOC 2 audits increasingly bring AI tooling into scope. ISO/IEC 42001 references appear in enterprise contracts.

Lost deals, no second chance

Engagement options

Three ways to engage. One conversation to start.

Most engagements start with the Sprint. Sprint fee credits toward Implementation if you proceed. Fractional is for clients who want ongoing maturity rather than a one-time project.

Start here

AI Risk Sprint

$5,500 fixed

2 weeks · productized · credit toward Implementation

Two-week productized assessment that produces the documentation your insurance underwriter, auditor, or enterprise customer expects.

  • AI Tool Inventory (browser telemetry + employee survey + procurement audit)
  • Risk Classification Matrix (NIST AI RMF–mapped)
  • Cyber Insurance Rider Gap Analysis
  • Acceptable Use Policy + employee training outline
  • 90-Day Remediation Roadmap
  • Executive readout (60-min Zoom)
Book Discovery

Sample report available — request via Discovery call

AI Governance Implementation

$15,000–$35,000

6–10 weeks · fixed-bid · post-Sprint or post-incident

Hands-on rollout of policy enforcement, controls, training, and the insurance-renewal-ready documentation package.

  • Sanctioned-tier tool migration plan + execution
  • DLP rules for AI domains; allowlist/blocklist deployment
  • 30-min "Safe AI Use" training delivered to all staff
  • Vendor DPA repaper (Salesforce, HubSpot, Zoom, etc.)
  • Insurance documentation package (carrier-aligned)
  • Quarterly governance review framework
  • Incident response runbook (AI-specific)
Discuss after Sprint

Sprint fee credited toward Implementation

Fractional AI Security Officer

$4,500–$8,500/mo

6-month minimum · ongoing · for organizations with AI in production

Embedded AI security specialist for organizations that have AI in production and need ongoing governance, vendor evaluation, and renewal support.

  • Monthly governance review (90 min)
  • Quarterly risk reassessment
  • Vendor evaluation as-needed (target: 5-day turnaround)
  • Insurance renewal documentation package
  • Executive briefings (board / leadership / customer DD)
  • Slack channel access for urgent questions
  • Incident response support
Inquire

Different from a vCISO — narrow AI specialty, fits alongside your existing security leadership

What the Sprint actually looks like

14 days, fixed scope. No surprises.

Day · Phase · Activity
Day 1 · Kickoff · 60-min call. Scope confirmation, data access setup, survey design.
Days 2–5 · Discovery · Browser telemetry sample, anonymous employee survey, expense and procurement review.
Days 6–9 · Analysis · Tool classification (NIST AI RMF), framework mapping, insurance rider gap analysis.
Days 10–12 · Drafting · Risk report, AUP, remediation roadmap.
Day 13 · Internal review · 60-min review with you. Feedback incorporated.
Day 14 · Final delivery · PDF report, Word AUP, executive readout (60-min).
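What the Discovery and Analysis days turn a proxy-log sample into, as an added example that is not Shadow AI Labs' tooling: a small Python script that parses a constructed egress-log format, matches each host against a constructed AI-domain catalogue (subdomains included, but only on a label boundary, so "notclaude.ai" never matches "claude.ai"), aggregates per-tool users, requests and upload volume, and derives both the allowlist/blocklist action a DLP rule would take for a host and the findings an executive readout would flag. The log format, domain catalogue, tier names, upload threshold and every log line are assumptions made for the example, not the firm's real Risk Classification Matrix.

```python
"""Shadow-AI discovery from a sample of egress proxy logs.

Added example for this page; it is not Shadow AI Labs' tooling. The domain
catalogue, tier names, log format and log lines are constructed assumptions.
"""
from urllib.parse import urlsplit

# Constructed catalogue: catalogued domain -> (tool name, tier). In a real
# engagement this lives in the Risk Classification Matrix: "sanctioned" tools
# have a DPA and an approved data class, "review" tools are pending decision,
# "blocked" tools are consumer services with no contractual data protection.
AI_CATALOGUE = {
    "api.openai.com": ("OpenAI API (enterprise key)", "sanctioned"),
    "chatgpt.com": ("ChatGPT (consumer)", "blocked"),
    "claude.ai": ("Claude (consumer)", "review"),
    "gemini.google.com": ("Gemini (consumer)", "review"),
}

TIER_TO_ACTION = {"sanctioned": "allow", "review": "review", "blocked": "block"}


def classify_host(host):
    """Return (catalogue_domain, tool, tier) for host, or None if not catalogued.

    Matches the host itself or any subdomain of a catalogued domain, and only
    on a label boundary: "notclaude.ai" must not match "claude.ai".
    """
    host = host.lower().rstrip(".")
    for domain, (tool, tier) in AI_CATALOGUE.items():
        if host == domain or host.endswith("." + domain):
            return domain, tool, tier
    return None


def dlp_action(host):
    """Allowlist/blocklist decision a proxy or DLP rule would take for host.

    Uncatalogued hosts fall through to "allow": the proxy cannot block the
    whole web, which is why the survey and procurement review also exist.
    """
    match = classify_host(host)
    return "allow" if match is None else TIER_TO_ACTION[match[2]]


def parse_line(line):
    """Parse one constructed log line: '<ts> <user> <method> <url> <status> <bytes_out>'."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, url, status, bytes_out = parts
    host = urlsplit(url).hostname
    if host is None or not bytes_out.isdigit():
        return None
    return {"ts": ts, "user": user, "method": method, "host": host,
            "status": status, "bytes_out": int(bytes_out)}


def build_inventory(log_text):
    """Aggregate catalogued AI traffic per tool; returns (inventory, skipped_lines)."""
    inventory, skipped = {}, 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            skipped += 1  # malformed lines are counted, never silently dropped
            continue
        match = classify_host(rec["host"])
        if match is None:
            continue  # ordinary web traffic, not part of the AI inventory
        domain, tool, tier = match
        entry = inventory.setdefault(domain, {"tool": tool, "tier": tier, "users": set(),
                                              "requests": 0, "bytes_out": 0})
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
    return inventory, skipped


def findings(inventory, upload_threshold=512 * 1024):
    """Flag blocked-tier use and bulk uploads to anything not sanctioned."""
    out = []
    for domain, e in sorted(inventory.items()):
        if e["tier"] == "blocked":
            out.append({"domain": domain, "issue": "blocked tool in use",
                        "users": sorted(e["users"])})
        if e["tier"] != "sanctioned" and e["bytes_out"] >= upload_threshold:
            out.append({"domain": domain, "issue": "bulk upload to unsanctioned tool",
                        "bytes_out": e["bytes_out"]})
    return out


# Constructed one-week sample (hostnames and paths invented for the example).
SAMPLE_LOG = """\
2026-03-02T09:14:05Z alice POST https://api.openai.com/v1/chat/completions 200 2311
2026-03-02T09:15:40Z bob   POST https://chatgpt.com/backend-api/conversation 200 48211
2026-03-02T09:16:02Z bob   POST https://chatgpt.com/backend-api/files 200 1048576
2026-03-02T10:01:11Z carol GET  https://notclaude.ai/ 200 120
2026-03-02T10:02:30Z carol POST https://claude.ai/api/chat 200 5120
2026-03-02T10:30:00Z dave  GET  https://www.example.com/ 200 80
2026-03-02T11:00:00Z erin  POST https://files.chatgpt.com/upload 200 300
this line is malformed and is skipped
"""

if __name__ == "__main__":
    inv, skipped = build_inventory(SAMPLE_LOG)
    for domain, e in sorted(inv.items()):
        print(f"{domain:18} {e['tier']:10} users={sorted(e['users'])} "
              f"requests={e['requests']} bytes_out={e['bytes_out']}")
    print(f"skipped lines: {skipped}")
    for f in findings(inv):
        print("FINDING:", f)
```

On the constructed sample the script reports ChatGPT as a blocked tool in use by two people, one of whom pushed roughly a megabyte through it, and leaves the enterprise OpenAI key alone. The upload threshold and tier names are arbitrary here; the point is that the same catalogue drives both the inventory and the enforcement rule, so the list the underwriter sees is the list the proxy enforces.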

Built by a hardware-security practitioner. Not a marketer.

Peter Kwidzinski

Founder, Shadow AI Labs

AMD Fellow

Twenty years in platform security architecture, confidential computing, and hardware attestation.

Founding contributor to Caliptra

Open-source silicon root of trust, developed under the Open Compute Project, now adopted by cloud and silicon vendors.

20+ years in platform security

Confidential computing (AMD SEV-SNP), DICE device identity, SPDM attestation, supply chain security.

Practitioner, not a marketer

Applies NIST AI RMF, ISO/IEC 42001, the OWASP Top 10 for LLM Applications, and the EU AI Act in real SMB engagements.

Common questions, answered directly

What size company is this built for?
The Sprint is sized for organizations of roughly 25 to 500 employees. Smaller firms (under 25) typically need lighter-touch policy adoption; our $497 Toolkit + Strategy Session is usually a better fit. Larger firms (500+) usually have an internal team and benefit more from the Fractional AI Security Officer engagement.
What if our cyber insurance renewal is in 30 days?
We accelerate. The 14-day schedule can be compressed when a renewal is the forcing function: same deliverables, with the discovery streams (telemetry sample, survey, procurement review) run in parallel rather than in sequence. Mention your timeline on the Discovery call.
Do you do this for highly regulated industries (healthcare, finance, legal)?
Yes. The Sprint deliverable maps to the HIPAA Security Rule, the GLBA Safeguards Rule, FFIEC guidance, and bar association ethics opinions on AI use. Vertical context is incorporated into the AUP and remediation roadmap at no extra cost.
What data do you actually need to access?
A one-week sample of egress proxy or SaaS gateway logs, responses to an anonymous employee survey, expense reports for the last 12 months, and the SaaS vendor list. We work under a mutual NDA. No client data is used for model training. Data is retained for the duration of the engagement plus 90 days, unless a Fractional retainer extends it.
How does this relate to a SOC 2 / HIPAA / ISO 42001 audit?
The Sprint deliverable can be referenced directly in your auditor's review. The AI Tool Inventory and Risk Classification are designed to be importable into common GRC platforms (Vanta, Drata, Secureframe). If you have an active auditor or compliance consultant, we coordinate handoff with them.
Can you white-label this for our broker / vCISO firm / compliance practice?
Yes. We run a partner program with both white-label and co-branded structures. See the Partner Program page or email partners@shadowailabs.com.
What's the payment structure?
50% deposit on signed engagement letter, balance net-15 from final delivery. We accept ACH and credit card via Stripe. Fractional retainers billed monthly in advance.
Why isn't there a cheaper consulting tier?
There used to be — and the deliverables didn't justify the price for either side. The Sprint at $5,500 is what it actually costs to do this work well. If $5,500 isn't the right fit, the Toolkit starting at $47 is built specifically for DIY implementation.

Two weeks. Five deliverables. One conversation to start.

Book a 20-minute Discovery call. Bring whatever AI questions are on your mind. If we're a fit, you'll have a proposal in 24 hours.