← All assessments
Security Leadership Assessment

Is Your Security Org Ready for AI Risk?

Eighteen scored questions for CISOs and security leaders — shadow AI, vendor AI, prompt injection, agentic systems, and the AI-specific attack surface security teams now own.

  • A scored profile across 6 dimensions — see exactly where you're strong and where the gaps are.
  • Your biggest opportunities, mapped to specific next moves.
  • A personalized video walkthrough from Shawn (optional) — a real read on your results.
18 questions 6 min Instant results Free

AI is the first attack surface most security organizations are trying to defend without the tooling, staffing model, or controls library that surface deserves. Employees pull public LLMs into the environment from personal devices. SaaS vendors quietly enable AI features against your tenant. Engineering teams ship agentic systems and MCP integrations that take real actions with inherited permissions. Adversaries adapt prompt injection, model abuse, and jailbreak techniques faster than detection content is written. The result is a category of risk that doesn't fit cleanly into the SIEM, the CASB, the DLP rules, or the IAM lifecycle you spent the last decade building.

This free assessment scores your security organization across six AI-specific dimensions and returns a clear readiness profile in about six minutes. It's built from 27 years of technology leadership across Fortune 500 and growth-stage companies — the same lens a fractional Chief AI Officer would bring to your first conversation about shadow AI, vendor AI features, agent identity, and detection coverage.

What the CISO AI risk readiness assessment measures

AI risk readiness is a profile, not a single number. The assessment scores six dimensions independently so you can see where you're strong and where the exposure is: AI Tool Visibility (do you know what AI is running in your environment), Data Loss & DLP (are sanctioned AI tools leaking your data), Vendor AI Security (have you assessed the AI features your existing SaaS turned on), AI-Specific Attack Surface (are you defended against prompt injection, model abuse, and agentic privilege escalation), Identity for AI Agents (can you grant, scope, and revoke identities to AI agents like you do to humans), and Detection & Response (would you catch an AI-related incident in time). The final question maps the specific gaps — shadow AI, vendor features, agentic risk, detection — where program investment pays off first.

Why AI risk readiness matters before the next incident

Security organizations that wait for a public incident to formalize AI governance spend their first dollars after the damage is done. The orgs that capture defensible posture treat readiness as the first deliverable — they run a shadow-AI discovery sweep, inventory vendor AI features, scope agent identities, and instrument SIEM for AI activity before the first headline lands. A readiness profile turns a vague unease about AI into a sequenced program, and it tells you whether your constraint is visibility, controls, identity, detection, or simply the executive air cover to push the work through.

What you get at the end

You'll see an overall AI risk readiness score, a band that describes where you stand (from Exposed through AI-Secure), a per-dimension breakdown, and a map of the specific gaps across shadow AI, sanctioned tool risk, vendor AI features, agentic systems, detection coverage, and incident response. From there you can request a personalized video walkthrough — a short, recorded read on your specific results and what a fractional Chief AI Officer engagement would do for your security org. No generic sales deck.

Frequently asked questions

What is a CISO AI risk readiness assessment?

It's a structured evaluation of whether a security organization has the visibility, controls, identity governance, attack-surface coverage, and detection capability to govern AI use across the business. Rather than measuring AI knowledge, it measures the preconditions — like shadow-AI discovery and DLP coverage of LLM traffic — that determine whether your program will catch AI-specific incidents or be surprised by them.

How long does the assessment take?

About six minutes. It's 18 scored questions across six dimensions plus a final gap-mapping question covering shadow AI, sanctioned tools, vendor features, agentic risk, logging, and incident response. Your progress auto-saves, so you can leave and resume without losing answers.

Is the assessment free?

Yes. The assessment and your scored results are completely free. You can optionally request a personalized video walkthrough of your results, which is also free.

Who is this assessment for?

It's built for CISOs, deputy CISOs, security directors, and heads of GRC who are responsible for AI risk and want a clear-eyed read on where their program stands — and what to close first if it doesn't.

What AI risks should security teams actually be tracking?

The most common starting points are shadow AI use across the workforce, data leakage to sanctioned and unsanctioned LLMs, AI features enabled by SaaS vendors against your tenant, prompt injection and jailbreak against customer-facing AI features, agentic systems acting under broad inherited permissions, and detection coverage for AI-specific abuse patterns. The assessment's final question maps these so you can see which gaps to close first for your environment.