Example report

Anonymised AI Governance Assessment

This is the structure and level of detail clients receive. Names, sectors, and specifics are removed.

Sample report body

Client: anonymised. B2B SaaS, ~80 staff, UK-based.

Scope: AI use cases in customer support and sales enablement.

Date: .

Executive summary

We assessed the client's AI use cases against five governance frameworks. Overall: solid foundations in security and data quality; gaps in GDPR documentation, AI ethics governance, and data sovereignty mapping. Three high-priority recommendations at the end of the report.

Findings by framework

GDPR: Partial

DPA in place with primary AI provider. Lawful basis documented for support chatbot.

Gaps

  • No Record of Processing Activities (ROPA) entry for AI use cases.
  • Privacy notice does not mention AI processing.
  • No documented process for subject-access requests covering personal data held or processed by the AI provider.

Recommendations

  • Add AI use cases to the ROPA.
  • Update privacy notice to cover AI processing; include AI in Data Protection Impact Assessments (DPIAs) for new use cases.

AI Ethics: Gaps

No formal accountability for AI decisions. Support responses not tested for bias. Sales scoring uses historical data that may under-represent newer segments.

Recommendations

  • Define AI decision owner (e.g. Head of Support, Head of Sales).
  • Run bias check on support response samples before scaling.
  • Add ethics criteria to AI procurement checklist.

Data Quality: Good

Support tickets and CRM data are well-structured. Some duplicate accounts in CRM; recommend deduplication before feeding to sales AI.

Recommendations

  • Run deduplication on CRM before scaling sales AI.
  • Define quality metrics and baseline before next phase.

Security: Good

Access control in place. Audit logs enabled. Provider holds a SOC 2 report. One gap: no prompt-injection testing documented for the support chatbot, which handles customer-supplied text.

Recommendations

  • Assess both use cases against the OWASP Top 10 for LLM Applications; test for direct and indirect prompt injection (including via support-ticket content) and document the mitigations. A checklist review does not replace the testing itself.

Sovereignty: Partial

Provider offers an EU region, but the account is on the US default, so UK/EU customer personal data may be processed in the US.

Recommendations

  • Switch to the EU region for support and sales AI; confirm with the provider that sub-processors, backups and support access also stay in region; record the result in the data-residency matrix.
  • Review contract for exit and data-deletion clauses.

Prioritised next steps

  1. Immediate. Switch AI provider region to EU for UK/EU personal data.
  2. Within 4 weeks. Update ROPA and privacy notice for AI use cases.
  3. Within 8 weeks. Assign AI accountability; run bias check on support samples.