Most small-business AI adoption happens by accident. Someone buys licenses. Teams start using tools. Features turn themselves on inside software you already pay for. The policy, if it ever gets written, comes later.
Before you build governance, buy new tools, or launch automation projects, it helps to know where you actually stand.
The Audit is the diagnosis. The AI Governance Foundation is the treatment.
You can start with the Audit and stop there with something genuinely useful in hand, or carry straight through into the Foundation build.
Start here: the AI Readiness Audit
The AI Readiness Audit is a structured assessment of how AI is actually being used in your business, what it can reach, where risk exists, and where opportunity may be hiding.
The goal is simple: establish a clear picture of your current state before you spend money on policies, platforms, governance work, or automation projects you may not need yet.
We look through four lenses:
- Current state. Which AI tools are in use — including the ones nobody formally approved and the AI features already embedded in software you own — and who makes decisions today, even informally.
- Access & exposure. Who can reach which tools, what those tools can touch, whether multi-factor authentication (MFA — the second login step, like a code sent to your phone) is enforced, and whether employee passwords have appeared in known breaches.
- Risk. How your AI usage lines up with the obligations your industry actually carries: confidentiality, regulated data, client information, intellectual property, and professional duties.
- Opportunity. Where governed AI could realistically create value through efficiency, automation, or improved workflows — routed honestly, not oversold.
Access and exposure is the lens most AI consultants ignore — and the one that matters most when your data is regulated.
What you get
A findings report and prioritized roadmap built to be useful for both business leadership and future decision-making.
It includes:
- Executive summary for decision-makers
- Scope, method, and engagement boundary
- Current-state assessment across all four lenses
- Access and exposure map
- Starter risk list — each risk, who owns it, and what you’re doing about it — built to line up with the frameworks auditors and insurers reference (NIST, ISO)
- Prioritized roadmap with small, medium, and large next-step options
- Interview summaries and tool inventory appendices
The report is independently valuable. Even if you never work with us again, you leave knowing where you stand and what to do first.
See a sample of this deliverable — synthetic and illustrative, but the real shape of the report.
What the Audit is not
The Audit is a readiness and risk assessment.
It is not:
- a formal certification from an outside auditor (like SOC 2)
- a legal opinion
- a penetration test (paying someone to try to hack your systems)
We assess the container, not the contents.
We examine who can access which tools and what those tools can reach. We do not review client files, patient records, matter documents, or proprietary business content.
If you need a formal certification or support getting one, see Compliance Readiness.
Pricing
The Audit is scoped to your business. Final pricing depends on company size, industry, data sensitivity, and interview volume.
If you move forward with the AI Governance Foundation, the Audit fee credits toward the engagement.
After the Audit: AI Governance Foundation
The Audit identifies the issues. The AI Governance Foundation fixes them — turning the findings into the governance documents, operating structure, and measurement discipline required to run AI intentionally instead of informally.
Most consultants deliver documents. We build the operational structure that makes the documents matter.
What the Foundation produces
The governance foundation, finished, externally reviewed, and ready for implementation:
- AI Tool Inventory & Approved Use Registry
- Acceptable Use Policy
- Data Classification Quick Reference (which kinds of data are safe in which tools)
- Tier-to-Data Matching Matrix (which version of each tool — free, paid, or business-grade — is safe for which kind of business data)
- AI Risk Assessment
- Onboarding & Offboarding Procedure
- Staff Disclosure Questionnaire
Plus a practical Measurement & ROI Framework including:
- Success metrics tied to business outcomes
- Pre/post adoption measurement
- Time-savings tracking methodology
- Quarterly review schedule
Governance without measurement becomes paperwork.
This framework is what allows businesses to determine whether AI is actually creating value.
A typical Foundation engagement runs four to six weeks from kickoff to delivery, ending with a leadership debrief and clear next steps.
Pricing
Quoted per engagement.
The Foundation depends on company size, industry, data sensitivity, how much governance you already have in place, and the findings surfaced during the Audit.
Workshop graduates receive a credit toward the full Assessment. Mention it during the consultation.
About identity
An AI governance program built on weak identity security is not governance. It is documentation of the holes. If your identities aren’t secure, your AI governance is incomplete.
AI governance and identity security are the same problem viewed from different angles: who has access to which tools, what those tools can reach, and what happens to the data they touch. We scope identity honestly during the Audit and weight the work to what your business actually needs.
If your accounts and logins are already well secured, we stay focused on governance and measurement. If they are not, we address it as part of the engagement: account inventory, MFA review, checks on whether employee passwords have appeared in known data breaches, and recommendations to fix what we find.
One example: if a staff member’s password turns up in known breach data, the Audit flags it — because whoever holds that credential can reach every AI tool that login opens, and no governance document closes a door that a working password leaves open.
Who this is for
You are a fit if you:
- Run a small or mid-size business between roughly 5 and 150 employees
- Have AI showing up in your business through adoption, client demand, or software vendors adding AI capabilities
- Want to know where you stand before spending money on policies, platforms, governance, or automation
- Need finished work that can stand up to questions from regulators, insurers, enterprise clients, or leadership
This is not a fit if you:
- Just want to understand what is possible. Start with an AI Discovery Session
- Need rough drafts to build collaboratively. The Governance Workshop is the better fit
- Need a formal certification from an outside auditor. See Compliance Readiness
- Need someone to run the program long-term. See Fractional AI Officer
How it works
- Free consultation. We determine whether the Audit is the right starting point.
- Audit intake and interviews. We map tools, access, exposure, risk, and opportunity through interviews and discovery.
- Audit delivery. We review the findings report and roadmap together.
- AI Governance Foundation (optional). We turn the findings into governance documents, operational controls, and a measurement framework.
- Debrief and handoff. The work is finalized, explained, and ready to put into practice.
The boundary
We assess the container, not the contents.
GuardXID examines who has access to AI tools and what those tools can reach inside your business.
We do not read your client files, patient records, matter documents, or proprietary business records, and we never will.
This boundary is what makes the work appropriate for law firms, medical practices, accounting firms, and other organizations operating under professional obligations.
What comes after
The Foundation is the operational baseline.
For businesses that need more, the most common next steps are:
- Fractional AI Officer — ongoing governance, advising, training, automation oversight, and operational leadership
- AI Automation & Systems — implementing governed workflows, automations, and AI systems
- Compliance Readiness — proving governance and controls to auditors, enterprise clients, and insurers (we partner with Vanta, a compliance automation platform)
The right next step depends on the business.
We’ll discuss that honestly in the consultation, including when no additional engagement is necessary.
Do you actually know where AI stands in your business right now?
Book a free consultation. The first conversation is free and runs about 30 minutes. We’ll figure out whether the Audit is the right starting point. If it isn’t, we’ll tell you and point you somewhere useful.