How We Work

From "no AI policy" to governed agents in production.

A typical engagement runs four phases. We size each phase to your environment and risk appetite, with bounded fees and clear deliverables. You'll know exactly what you're paying for and exactly what you're getting at every step.

  • PHASE 01 · Discovery · 2–5 days
  • PHASE 02 · Roadmap · 1–2 weeks
  • PHASE 03 · Integration · 2–8 weeks
  • PHASE 04 · Optimization · Continuous

PHASE 01 2–5 days · fixed fee

Discovery & Readiness Assessment

Establish ground truth and a defensible answer to "what is our AI security posture?"

What We Cover

A structured discovery across six dimensions:

  • Shadow AI inventory — what tools your employees actually use, and what data they send.
  • Agent registry baseline — every agent in production, its owner, scope, and blast radius.
  • Permission review — for M365 Copilot, Glean, internal RAG, any indexed-data assistant.
  • LLM access governance review — model sprawl, cost exposure, compliance fit.
  • Secrets & credential exposure scan — long-lived API keys, MCP server config, .env proliferation in agent contexts.
  • Defense gap analysis — what controls exist, what's missing, where the highest-blast-radius gaps are. The analysis maps to your existing risk-management process.

What You Receive

  • Prioritized risk register, with severity ratings and recommended mitigations.
  • Defense gap report mapped to your existing risk-management process.
  • Board-ready posture summary suitable for executive and risk-committee briefings.
  • 90-day prioritized roadmap with named owners and acceptance criteria.

Who Participates

From your side: a security or AI executive sponsor, an architect or platform engineer, a compliance/risk representative. From ours: a senior consultant lead plus subject-matter experts as needed.

PHASE 02 1–2 weeks · fixed fee

Mitigation Roadmap & Architecture Design

A phased migration plan with named owners, vendor selections, and acceptance criteria.

What We Design

  • Architecture across the five-layer model — discovery, identity, data boundary, action policy, orchestration. Drawings, data flows, and integration points.
  • Vendor selection — independent, criteria-driven recommendations across the AI Gateway, Agent Identity, observability, DLP, sandboxing, and credential-custody categories. We document why we recommend what we recommend.
  • Pilot design — a scoped, measurable first deployment that earns continued investment. Typically one asset class or operational flow.
  • Org design — who owns AI security in your organization, how it interacts with InfoSec, Privacy, Legal, IT, and the lines of business.

What You Receive

  • Integration plan with sequenced implementation milestones.
  • Vendor recommendation memos with cost, fit, and trade-off analysis.
  • Pilot SOW with scope, success criteria, and exit/expansion path.
  • Org-design recommendations and RACI mapping for AI governance.

PHASE 03 2–8 weeks · milestone-billed

Integration & vCAIO Activation

Working systems in production. Not slide decks.

What We Build With You

  • Stand up the AI Gateway and route all model traffic through it.
  • Deploy agent identity and tier-based autonomy policies (T0 read-only, T1 reversible writes, T2 human-in-the-loop for irreversible actions).
  • Wire prompt and tool-call telemetry into your SIEM.
  • Implement DLP at the AI gateway and browser layers.
  • Migrate long-lived agent credentials to short-lived, scoped tokens.
  • Activate vCAIO — the virtual AI agent goes live, taking on day-to-day AI operations management: monitoring, troubleshooting, credential rotation, policy authoring assistance.
  • Validate against your acceptance criteria.

What You Receive

  • Running systems with documented runbooks.
  • Knowledge transfer to your team — your engineers operate what we deliver.
  • vCAIO live in production, orchestrating your AI security operations.
  • Acceptance testing results validated against your defined criteria.

PHASE 04 Continuous · retainer

Ongoing Optimization

A posture that compounds.

What's Included

  • Quarterly posture reviews against an evolving threat landscape.
  • New-agent intake — every new agent added to your fleet is scoped and governed before it goes to production.
  • Incident response support when something does go wrong.
  • Policy authoring & refresh as your agent fleet grows and the threat landscape evolves.
  • Executive briefings & board reporting — vCAIO does the day-to-day; Kangguru provides the human oversight.
  • Roadmap input from operating clients — pilot customers help shape vCAIO's product roadmap.

A Typical First 60 Days

What changes in your first two months with us.

Phase 1 typically completes within a week. Phase 2 within three weeks. Phase 3 starts immediately and runs to completion within 2–8 weeks. By day 60, vCAIO is live and you're in the Optimization phase.

Days 1–7

Discovery

Shadow AI inventory, agent registry baseline, permission review, defense gap analysis. You leave this phase with a defensible posture answer.

Days 8–21

Mitigation Roadmap

Phased plan with named owners, criteria-driven vendor recommendations, pilot SOW, org-design recommendations. Ready to execute.

Days 22–60

Integration & vCAIO Live

AI gateway live, agent-identity assigned for production agents, prompt and tool-call telemetry flowing into your SIEM, vCAIO operating as the orchestration overlay.

Commercial Structure

Predictable, scope-bounded.

You know what each phase costs before it starts. We don't bill what we don't deliver.

Phase | Pricing Model | What That Means
Discovery & Readiness | Fixed fee | Scope-bounded engagement with a fixed price quoted before work begins.
Roadmap & Architecture | Fixed fee | Same model — predictable cost for a defined deliverable set.
Integration & vCAIO Activation | Time & materials, milestone-billed | Sized to your scope. Billed against milestones, not hours of meetings.
Ongoing Optimization | Monthly retainer | Predictable monthly cost for continuous oversight, new-agent intake, and incident-response readiness.
Crisis-response engagements | Rapid onboarding | If you've already had an incident, we can mobilize within days under an emergency SOW.

Ready to start with Phase 1?

A 30-minute exploratory call is the fastest way to know if we're a fit. We'll come prepared. You decide whether to scope a Readiness Assessment from there.
