Consulting Services

AI security expertise — when DIY isn't enough.

Two weeks to a documented governance baseline. Six weeks to deployed controls. Or ongoing executive advisory. Built for SMBs facing cyber insurance riders, audits, and enterprise customer due diligence.

Why now

Three pressures hitting SMBs in 2026

1

Cyber insurance AI Security Riders

Carriers are conditioning coverage on documented AI governance, AUP, model risk assessments, and training records. Multiple primary carriers now reference ISO endorsements CG 40 47 (Artificial Intelligence Exclusion) and CG 40 48 (Limited AI Exception), effective January 2026. A breach caused by an employee's unsanctioned AI use may not be covered without documented governance.

Affects renewal in next 12 months

2

State AI laws + EU AI Act

Colorado AI Act effective February 2026 is the live near-term deadline. California, Texas, and New York add a continuing US patchwork. EU AI Act Annex III high-risk obligations follow December 2, 2027 (postponed from August 2026 per the Digital Omnibus, May 2026); Annex I follows August 2028.

Live February 2026; 18-month EU runway

3

Enterprise customer due diligence

Vendor questionnaires now include AI governance questions. SOC 2 trust services criteria add AI scope. ISO 42001 references appear in enterprise contracts.

Lost deals, no second chance

Engagement options

Three ways to engage. One conversation to start.

Most engagements start with the Sprint. Sprint fee credits toward Implementation if you proceed. Fractional is for clients who want ongoing maturity rather than a one-time project.

Start here

AI Risk Sprint

$5,500 fixed

2 weeks · productized · credit toward Implementation

Two-week productized assessment that produces the documentation your insurance underwriter, auditor, or enterprise customer expects.

  • AI Tool Inventory (browser telemetry + employee survey + procurement audit)
  • Risk Classification Matrix (NIST AI RMF–mapped)
  • Cyber Insurance Rider Gap Analysis
  • Acceptable Use Policy + employee training outline
  • 90-Day Remediation Roadmap
  • Executive readout (60-min Zoom)
Book Discovery

Sample report available — request via Discovery call

AI Governance Implementation

$15,000–$35,000

6–10 weeks · fixed-bid · post-Sprint or post-incident

Hands-on rollout of policy enforcement, controls, training, and the insurance-renewal-ready documentation package.

  • Sanctioned-tier tool migration plan + execution
  • DLP rules for AI domains; allowlist/blocklist deployment
  • 30-min "Safe AI Use" training delivered to all staff
  • Vendor DPA repaper (Salesforce, HubSpot, Zoom, etc.)
  • Insurance documentation package (carrier-aligned)
  • Quarterly governance review framework
  • Incident response runbook (AI-specific)
Discuss after Sprint

Sprint fee credited toward Implementation

Fractional AI Security Officer

$4,500–$8,500/mo

6-month minimum · ongoing · for organizations with AI in production

Embedded AI security specialist for organizations that have AI in production and need ongoing governance, vendor evaluation, and renewal support.

  • Monthly governance review (90 min)
  • Quarterly risk reassessment
  • Vendor evaluation as-needed (target: 5-day turnaround)
  • Insurance renewal documentation package
  • Executive briefings (board / leadership / customer DD)
  • Slack channel access for urgent questions
  • Incident response support
Inquire

Different from a vCISO — narrow AI specialty, fits alongside your existing security leadership

What the Sprint actually looks like

14 days, fixed scope. No surprises.

DayPhaseActivity
Day 1Kickoff60-min call. Scope confirmation, data access setup, survey design.
Days 2–5DiscoveryBrowser telemetry sample, anonymous employee survey, expense and procurement review.
Days 6–9AnalysisTool classification (NIST AI RMF), framework mapping, insurance rider gap analysis.
Days 10–12DraftingRisk report, AUP, remediation roadmap.
Day 13Internal review60-min review with you. Feedback incorporated.
Day 14Final deliveryPDF report, Word AUP, executive readout (60-min).

Built by a hardware-security practitioner. Not a marketer.

Peter Kwidzinski

Peter Kwidzinski

Founder, Shadow AI Labs

Fellow-Level Security Architect

Two decades in platform security at semiconductor leaders Intel and AMD — confidential computing, hardware attestation, secure boot.

Founding contributor to Caliptra

Open-source hardware root of trust now used across the cloud-and-silicon industry.

20+ years in platform security

Confidential computing (SEV-SNP), DICE, SPDM, supply chain security.

Practitioner, not a marketer

Apply NIST AI RMF, ISO/IEC 42001, OWASP LLM Top 10, EU AI Act in real SMB engagements.

Common questions, answered directly

What size company is this built for?
The Sprint is sized for organizations from roughly 25 to 500 employees. Smaller firms (under 25) typically need a lighter-touch policy adoption — our $497 Toolkit + Strategy Session is usually a better fit. Larger firms (500+) usually have an internal team and benefit more from the Fractional AI Security Officer engagement.
What if our cyber insurance renewal is in 30 days?
We accelerate. The 2-week timeline can be compressed to 10 business days when there's a renewal forcing function. Same deliverable; discovery runs parallel rather than sequential. Mention your timeline on the Discovery call.
Do you do this for highly regulated industries (healthcare, finance, legal)?
Yes. The Sprint deliverable maps cleanly to HIPAA Security Rule, GLBA Safeguards, FFIEC, and bar association ethics opinions on AI use. Vertical context is incorporated into the AUP and remediation roadmap at no extra cost.
What data do you actually need to access?
A one-week sample of egress proxy or SaaS gateway logs, the response to an anonymous employee survey, expense reports for the last 12 months, and the SaaS vendor list. We work under a Mutual NDA. No client data is used for model training. Data retained engagement plus 90 days unless a Fractional retainer extends it.
How does this relate to a SOC 2 / HIPAA / ISO 42001 audit?
The Sprint deliverable can be referenced directly in your auditor's review. The AI Tool Inventory and Risk Classification are designed to be importable into common GRC platforms (Vanta, Drata, Secureframe). If you have an active auditor or compliance consultant, we coordinate handoff with them.
Can you white-label this for our broker / vCISO firm / compliance practice?
Yes. We run a partner program with both white-label and co-branded structures. See the Partner Program page or email partners@shadowailabs.com.
What's the payment structure?
Full payment at engagement-letter signing via Stripe invoice or payment link (ACH or card). Kickoff is scheduled on payment. Refunds: 100% up to 48 hours before kickoff, 50% inside 48 hours, none after kickoff. Fractional retainers bill monthly in advance.
Why isn't there a cheaper consulting tier?
There used to be — and the deliverables didn't justify the price for either side. The Sprint at $5,500 is what it actually costs to do this work well. If $5,500 isn't the right fit, the Toolkit starting at $47 is built specifically for DIY implementation.

Two weeks. Five deliverables. One conversation to start.

Book a 20-minute Discovery call. Bring whatever AI questions are on your mind. If we're a fit, you'll have a proposal in 24 hours.