AI safety
Ship AI you can defend to the board and the regulator
EU AI Act and GDPR compliance. LLM red teaming. Internal usage policies. Audit-ready documentation.
What we cover
EU AI Act mapping
We classify your AI systems by risk tier (minimal, limited, high, unacceptable) and prepare documentation to meet the obligations for each tier.
LLM red teaming
We test prompt injection, jailbreaking, data exfiltration, and bias scenarios. You get a report listing discovered risks and mitigation recommendations.
AI usage policy
We write an internal policy covering what employees may do with AI, which data they may share, and how to report an incident.
GDPR alignment
DPIA review, data processing agreements, data residency, subject rights - all in the context of LLM systems.
Audit documentation
We prepare the documentation internal and external auditors expect: logs, audit trail, data lineage, model cards, risk register.
Leadership briefing
A short session for the executive team and legal: what the AI Act is, why it matters, which decisions you must make, and who has to sign them off.
How an engagement runs
- 01
Kickoff and inventory
We list every AI system you use or plan to use - commercial and internal. We identify owners, data, and user groups.
- 02
Risk assessment
For each system we classify risk against EU AI Act, GDPR, and internal policies. Output: a prioritized risk register.
- 03
Red team session
We target your highest-risk LLM applications - we break them and document what works and what doesn't.
- 04
Documentation and report
You receive a usage policy, audit documentation, the red team report, and a board-level summary.
Frequently asked
- If your company operates in the EU or offers an AI system to EU users - yes. Obligations depend on the system's risk tier and your role (provider, deployer, importer).
- Obligations phase in. The prohibition on unacceptable-risk systems applies from Feb 2025, GPAI obligations from Aug 2025, and remaining obligations through 2027. We map your specific requirements in the kickoff session.
- Controlled adversarial testing of your own AI systems before someone else does it to you. We test prompt injection, jailbreaking, data leaks, and unsafe inputs. Focus is on realistic scenarios - not theoretical CVEs.
- Because your employees do - with private ChatGPT accounts, in browsers, with no oversight. The first thing we do is a 'shadow AI' audit - what's actually happening in your organization.