Services
AI safety and security, end to end
From understanding your current risk exposure to building governance frameworks and secure AI systems — senior expertise at every stage.
AI Risk Assessment
A structured, fixed-price audit of your current AI exposure. We map every AI tool in use across your business — sanctioned and shadow — identify your data flows, assess your regulatory position, and produce a clear, prioritised risk register.
Most clients are surprised by what we find. Shadow AI is almost universal. Data leaving the business via consumer tools is the norm, not the exception.
- Full AI inventory — every tool, every workflow, every user
- Data flow mapping — what's leaving your business and where it goes
- Regulatory exposure — EU AI Act, GDPR, sector-specific requirements
- Shadow AI discovery — the tools staff are using without oversight
- Risk register — prioritised by severity and likelihood
- Remediation roadmap — what to fix, in what order, at what cost
AI Governance & Compliance
The policies, controls, and frameworks that make your AI use defensible — to regulators, to clients, and to your board. We design governance structures that are practical to implement and maintain, not documents that gather dust.
- AI use policy — clear rules on what staff can and can't use AI for
- Data classification framework — what data can interact with which AI systems
- EU AI Act compliance mapping — where you stand and what needs to change
- GDPR and AI intersection — Article 22, DPIAs, lawful basis
- Vendor due diligence framework — how to evaluate AI suppliers
- Board-level AI governance reporting
What You Get
AI Use Policy
A practical, enforceable policy covering permitted uses, prohibited uses, and data handling requirements.
Compliance Gap Analysis
Mapped against the EU AI Act, GDPR, and any sector-specific frameworks relevant to your business.
Governance Framework
Oversight structure, accountability model, incident response plan, and ongoing review process.
Board Pack
Executive summary of your AI risk position and governance response — ready to present.
Secure AI Implementation
When you're ready to build AI into your operations, we design and deliver systems with security built in from the start. Data stays in your control. Decisions are auditable. Access is governed.
- Private deployment — AI that runs in your infrastructure, not a shared cloud
- Data isolation — your data never leaves your environment
- Full audit logging — every input, output, and decision recorded
- Access controls — role-based permissions and human oversight gates
- Incident response — what happens when something goes wrong
- Ongoing monitoring — performance, security, and compliance checks
Common Questions
Do we need this if we're only using off-the-shelf AI tools?
Especially if you're using off-the-shelf tools. Most of the exposure we find comes from staff using ChatGPT, Copilot, or similar tools on sensitive data — not from bespoke AI projects. The risk assessment covers all AI usage, sanctioned or not.
How does the EU AI Act affect UK businesses?
If you operate in the EU, serve EU customers, or use AI systems developed by EU-regulated entities, the Act applies to you. Even businesses purely in the UK should be preparing — the UK's own AI governance framework is in development and likely to follow similar lines. Getting ahead of it now is cheaper than responding to it later.
What does 'shadow AI' mean and why does it matter?
Shadow AI is the use of AI tools in your business without IT or compliance oversight: staff pasting client data into ChatGPT, using AI writing tools on confidential documents, or building automations with no security review. It's extremely common, and most businesses have no visibility into it. It's usually the biggest risk exposure we find.
We already have a security team. Why do we need specialist AI advice?
General security teams are excellent at traditional threats. AI introduces different risk vectors — data leakage through model inputs, supply chain risks from AI vendors, governance gaps in AI decision-making, and regulatory frameworks that haven't existed before. It's a specialism, and most security teams are still building that knowledge.
How quickly can we complete an AI risk assessment?
Two weeks for a focused assessment of your current AI landscape. If you need a full governance framework built alongside it, that's typically 4–8 weeks total. We can also run a rapid 3-day triage if you need a quick board-level view first.
Can you help with GDPR and AI specifically?
Yes. AI and data protection is a complex intersection — lawful basis for AI processing, automated decision-making requirements under Article 22, Data Protection Impact Assessments for AI systems, and data minimisation principles in ML contexts. We cover all of this.
Start with a free call
30 minutes. Tell us what AI you're using and what you're worried about. We'll give you an honest view of your risk and where to start.