Tier 2
Full AI Security Review
From £2,500 · 7–10 Working Days
Board-ready. Legally structured. Comprehensive. The Full AI Security Review is a deep-dive assessment — everything in the Basic, expanded to full framework depth, plus MITRE ATLAS adversarial threat mapping, a complete DPA audit, and a ready-to-issue 13-clause Staff AI Usage Policy.
Includes Everything in Basic, Plus:
Additional Sections in the Full Review
12
MITRE ATLAS Adversarial Threat Mapping
Adversarial machine learning threat assessment mapped against MITRE ATLAS, the definitive knowledge base for AI-specific attack techniques. Attack scenarios are written for your sector, not generic theory. Identifies exposure to model inversion, data poisoning, adversarial examples, and AI supply chain attacks.
13
EU AI Act Deployer Gap Analysis
Per-tool, article-by-article deployer obligation analysis under Regulation 2024/1689. AI literacy (Article 4) applies now; transparency duties from August 2026; high-risk deployer obligations from December 2027. Prohibited uses are flagged immediately. Your readiness position is documented and evidenced at each obligation tier.
14
NIST AI RMF Full 4-Function Assessment
Full deep-dive across GOVERN, MAP, MEASURE, and MANAGE with specific findings, evidence requirements, and remediation recommendations per sub-category. Establishes a documented AI risk management baseline suitable for board reporting.
15
NIST CSF 2.0 Full 6-Function Maturity Assessment
IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER, and GOVERN functions all assessed at full depth, with scored maturity levels and targeted uplift actions.
16
GRC Framework Scored 1–10
Governance, Risk, and Compliance individually scored on a 1–10 scale with specific, evidenced findings per pillar. Suitable for inclusion in board risk reporting.
17
UK GDPR + Data (Use and Access) Act 2025 Full Gap Analysis
Comprehensive compliance review covering lawful basis, data subject rights, controller obligations, automated decision-making, and international transfers. Includes the new Articles 22A to 22D introduced by the Data (Use and Access) Act 2025 (DUAA), in force since 5 February 2026, requiring safeguards for AI-influenced significant decisions.
18
Framework Cross-Reference Matrix
A single matrix mapping every finding across every framework in scope simultaneously. Where a gap creates exposure across GDPR, EU AI Act, and OWASP simultaneously, it's flagged and prioritised accordingly.
19
DPA Review
All AI tool providers in your inventory reviewed against a minimum-requirements DPA checklist. Gaps, inadequate clauses, and missing agreements identified. Recommendations for remediation provided.
20
13-Clause Staff AI Usage Policy
A legally-structured, ready-to-issue Staff AI Usage Policy covering: permitted tools, prohibited uses, data handling requirements, personal device restrictions, client data protocols, monitoring provisions, and disciplinary framework. Includes a ready-to-run procedure for handling automated decision-making requests under Articles 22A to 22D (DUAA).
21
90-Day Roadmap with Action Owners
Detailed 90-day implementation plan with named action owners, framework tags, and milestone checkpoints. Suitable for use as a project management document by your internal team.
22
Delivery Walkthrough + 90-Day Reassessment
Includes an extended findings walkthrough call on delivery, plus a 90-day reassessment session to review progress against the roadmap and update your compliance position.
23
Dual Sign-Off: CEO & CTO — Board Ready
Full Review reports are formatted for board distribution. Signed by both CEO and CTO. Suitable for presentation to directors, investors, or auditors.
24
Documented Evidence Register
This is evidence-based work, not interview-based. Settings are inspected, vendor agreements reviewed, and workflows observed. Every material finding is supported by a documented Evidence Register, so every score can be challenged, verified, and tracked over time.
25
Financial Exposure Quantification
Every applicable finding is mapped to UK GDPR fine ceilings (up to £17.5 million or 4% of global annual turnover). You understand the potential financial exposure of each gap, not just the regulatory obligation.
Turnaround
7–10 working days from completion of your discovery call.
QuaZarR Security provides risk assessment and guidance, not legal advice.