Tier 2

Full AI Security Review

From £2,500 · 7–10 Working Days

Board-ready. Legally structured. Comprehensive. The Full AI Security Review is a deep-dive assessment — everything in the Basic, expanded to full framework depth, plus MITRE ATLAS adversarial threat mapping, a complete DPA audit, and a ready-to-issue 13-clause Staff AI Usage Policy.

Includes Everything in Basic, Plus:

Complete AI tool inventory
EU AI Act risk classification (deployer tier)
OWASP LLM Top 10 assessment
NIST AI RMF & NIST CSF 2.0 maturity snapshot
GRC posture overview
UK GDPR & Data (Use and Access) Act 2025 compliance snapshot
Full risk register with immediate free actions
Prioritised remediation roadmap: This Week / 30 Days / 90 Days
One-page executive summary with overall risk rating
Transparent 5x5 risk scoring methodology
Dual sign-off: CEO + CTO

Additional Sections in the Full Review

12

MITRE ATLAS Adversarial Threat Mapping

Adversarial machine learning threat assessment mapped against MITRE ATLAS, the definitive knowledge base for AI-specific attack techniques. Attack scenarios are written for your sector, not generic theory. Identifies exposure to model inversion, data poisoning, adversarial examples, and AI supply chain attacks.

13

EU AI Act Deployer Gap Analysis

Per-tool, article-by-article deployer obligation analysis under Regulation 2024/1689. AI literacy (Article 4) applies now; transparency duties from August 2026; high-risk deployer obligations from December 2027. Prohibited uses are flagged immediately. Your readiness position is documented and evidenced at each obligation tier.

14

NIST AI RMF Full 4-Function Assessment

Full deep-dive across GOVERN, MAP, MEASURE, and MANAGE with specific findings, evidence requirements, and remediation recommendations per sub-category. Establishes a documented AI risk management baseline suitable for board reporting.

15

NIST CSF 2.0 Full 6-Function Maturity Assessment

IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER, and GOVERN functions all assessed at full depth, with scored maturity levels and targeted uplift actions.

16

GRC Framework Scored 1–10

Governance, Risk, and Compliance individually scored on a 1–10 scale with specific, evidenced findings per pillar. Suitable for inclusion in board risk reporting.

17

UK GDPR + Data (Use and Access) Act 2025 Full Gap Analysis

Comprehensive compliance review covering lawful basis, data subject rights, controller obligations, automated decision-making, and international transfers. Includes the new Articles 22A to 22D introduced by the Data (Use and Access) Act 2025 (DUAA), in force since 5 February 2026, requiring safeguards for AI-influenced significant decisions.

18

Framework Cross-Reference Matrix

A single matrix mapping every finding across every framework in scope simultaneously. Where a gap creates exposure across GDPR, EU AI Act, and OWASP simultaneously, it's flagged and prioritised accordingly.

19

DPA Review

All AI tool providers in your inventory reviewed against a minimum-requirements DPA checklist. Gaps, inadequate clauses, and missing agreements identified. Recommendations for remediation provided.

20

13-Clause Staff AI Usage Policy

A legally-structured, ready-to-issue Staff AI Usage Policy covering: permitted tools, prohibited uses, data handling requirements, personal device restrictions, client data protocols, monitoring provisions, and disciplinary framework. Includes a ready-to-run procedure for handling automated decision-making requests under Articles 22A to 22D (DUAA).

21

90-Day Roadmap with Action Owners

Detailed 90-day implementation plan with named action owners, framework tags, and milestone checkpoints. Suitable for use as a project management document by your internal team.

22

Delivery Walkthrough + 90-Day Reassessment

Includes an extended findings walkthrough call on delivery, plus a 90-day reassessment session to review progress against the roadmap and update your compliance position.

23

Dual Sign-Off: CEO & CTO — Board Ready

Full Review reports are formatted for board distribution. Signed by both CEO and CTO. Suitable for presentation to directors, investors, or auditors.

24

Documented Evidence Register

This is evidence-based work, not interview-based. Settings are inspected, vendor agreements reviewed, and workflows observed. Every material finding is supported by a documented Evidence Register, so every score can be challenged, verified, and tracked over time.

25

Financial Exposure Quantification

Every applicable finding is mapped to UK GDPR fine ceilings (up to £17.5 million or 4% of global annual turnover). You understand the potential financial exposure of each gap, not just the regulatory obligation.

Turnaround

7–10 working days from completion of your discovery call.

QuaZarR Security provides risk assessment and guidance, not legal advice.