Activity
Tool inventory & shadow-AI review
A discovery pass across browsers, endpoints and expense data to surface the AI tools already in use — sanctioned and otherwise.
M-Tech Labs AIEastbourne · UK
/ AI Consultancy / Vendor due diligenceKnow what your AI tools actually do with your data.
A structured assessment of the AI vendors in your stack — data handling, training opt-outs, residency, sub-processors and software provenance — documented in a register you maintain going forward.
01/ What's involved
The assessment, end to end.
We cover the tools already in use before we look at the ones being requested — shadow AI is almost always the bigger exposure.
Activity
Data-handling assessment
For each vendor: what data leaves your tenant, where it's stored, how long it's retained, who has access, and what the DPA actually says.
Activity
Training opt-outs & model use
Whether prompts and outputs are used to train the vendor's models, whether opt-out is available, and whether it's on by default.
Activity
Residency & sub-processor chain
Where data is processed geographically, which sub-processors are involved, and whether that chain meets UK GDPR transfer requirements.
Activity
Software provenance & supply chain
Model lineage, training-data disclosures, SOC 2 / ISO 27001 attestations, incident history and software-bill-of-materials where relevant.
Activity
Risk rating & approval
Each tool scored on a simple rubric — low / medium / high — with the conditions for approval, conditional use or rejection written down.
02/ What you get
A register you actually keep.
Aligned to the supplier-risk and software-provenance controls Assurix verifies — so a live evidence trail sits behind every vendor decision.
- 01
AI vendor register
A single source of truth: every tool in use, its data-handling profile, risk rating and approval status. Reviewed quarterly.
- 02
Assessment template
The rubric and questionnaire we use, handed over so your team can run future assessments without us.
- 03
Decision log
Every approval, conditional approval and rejection captured with the rationale — the audit trail regulators and insurers want.
- 04
Onboarding & review workflow
A light process for requesting a new tool, getting it assessed and getting a decision back — fast enough that people don't route around it.
03/ Typical findings
What the first pass usually uncovers.
A well-run vendor review almost always pays for itself — usually in a licence swap or an opt-out that should have been flipped a year ago.
- Free-tier AI tools used for client work, with prompts retained for training by default.
- Browser extensions with tenant-wide access that nobody formally approved.
- Vendor DPAs signed but sub-processor lists never reviewed since.
- Data residency claimed as UK/EU, but sub-processors in third countries.
- No decision log — approvals happened in Slack threads that have since expired.
- Enterprise tier available at the same cost, with opt-out on by default, but nobody switched.
/ Backed by
Delivered by M-Tech Labs with the compliance and security discipline of M-Tech Systems — Cyber Essentials certified, aligned to NCSC CAF 4.0 and progressing through the Assurix trustmark programme.
Back to AI Consultancy/ Start a conversation
Get the AI vendor register written down.
A vendor-due-diligence engagement leaves you with a maintained register, a reusable assessment template and a workflow your team can run without us.