Know exactly where your AI and data leak.
A fixed-scope assessment: a map of where your data leaves your walls, where a model is deciding things deterministic code should decide instead, the privacy and sovereignty risks, and a prioritised roadmap to a local-first version. A roadmap, not a sales pitch.
Most teams adopting AI know, in the abstract, that they are sending data somewhere. Far fewer can answer, concretely, where. Which endpoints, on which days, carrying which fields, called by which model, sitting in which log on which provider's machine. The result is a quiet gap between the policy on paper and the behaviour on the wire — and that gap is where the regulatory exposure lives.
The Sovereign AI Audit closes that gap. It is a fixed-scope engineering assessment that produces three artefacts you can act on: a data-flow map of everything that leaves your walls, a model-boundary review of every place a model is being asked to decide something code should decide, and a sovereignty and privacy risk register with a prioritised roadmap. It is delivered as a written report and a readout call.
The point is not to shame the stack you have. The point is to put the leaks, the risky boundaries, and the order in which to fix them on a single page, with evidence — so the next decision is an engineering one, not a guess.
Five lenses, one prioritised roadmap.
Data-flow map
An evidence-backed picture of what leaves your walls: which endpoints, which fields, on which schedules, called by which model and tool. The map is the spine the rest of the report hangs on.
Deterministic-vs-model boundary review
A pass over every decision in the surface, asking whether a language model is doing work a few lines of code should be doing. Each finding names the boundary, the risk, and a cheaper, more reliable replacement.
Third-party and data-leak findings
Places your data goes that you didn't expect: logging pipelines, telemetry SDKs, vector stores, retrieval caches, model-vendor sub-processors. Each finding is ranked by what is leaving, to whom, and how often.
Sovereignty and privacy risk register
A plain register of risks against the regimes that actually matter to you — GDPR, the EU AI Act, sectoral rules, customer contracts — with severity, evidence, and a recommended response.
Prioritised roadmap to a local-first version
Findings ordered by leverage, not by chronology. Quick wins, structural changes, and a small number of architectural decisions that, once taken, make most of the rest unnecessary.
Readout call
A scheduled walkthrough of the report with the people who will act on it. Questions answered in the room, not over a chain of emails. The call is the deliverable, not a courtesy.
Request the audit.
A scoping consultation is the entry point. In it we agree the surface area in scope — which products, which environments, which data classes — and from that we set the fixed audit price. No surprises after the fact.
- Scoping consultation (EUR 500). A focused session to agree the boundary of the assessment and the evidence available to us.
- Fixed-scope audit. The five-lens assessment above, run against the agreed boundary, evidence-backed and reproducible.
- Report and readout. A written report with a prioritised roadmap, delivered in a scheduled call with the people who will act on it.