Putting AI in front of enterprise data: how we govern it.

Our AI Identity & Access Risk engagement. The questions a CIO should answer before the first Copilot rollout — and the artefacts we leave behind so the answers stay good.

AI assistants are now reading mailboxes, customer records, contracts, source code, and cloud configuration. The access is real, the entitlements are blurry, and the audit trail is thinner than most organisations realise.

Our AI Identity & Access Risk engagement is a six-week piece of work that answers, in writing, four questions a CIO should be able to answer before any further AI rollout.

First: what data can each assistant see, today, at run time, including indirect access through tools and connectors. Not what the policy says — what the configuration permits.

Second: when an assistant performs an action on a user's behalf, whose identity is on the line, and whose log records the action. The machine's, the user's, or neither.

Third: what happens when the assistant gets it wrong. Where is the rollback, the human-in-the-loop, the rate limit, the kill switch.

Fourth: when an employee leaves, what does the assistant still remember, and on whose authority does that memory persist.

The deliverable is a governance pack. Tenant configuration changes, role and entitlement design, agent identity standards, prompt and tool policy, evaluation harness, and an incident runbook for AI-specific failure modes.

It is a service engagement, not a product purchase. We do not sell licences. We make existing tools — Microsoft Purview, Okta, your IDP, your DLP — do the work they were bought to do.