AI Risk Assessment for New York and Tri-State Businesses
A 3-week assessment that identifies every AI system in your organization, maps data exposure, and delivers a compliance roadmap. Fixed-fee engagement, no surprises.
What is the RP Tech Services 4-domain AI assessment framework?
The RP Tech Services 4-domain AI assessment framework is a structured audit method that examines AI risk across Discovery, Data Exposure, Access and Identity, and Policy and Training. First, Discovery maps every AI system in use across Microsoft 365 Copilot, ChatGPT Enterprise, Gemini for Workspace, and shadow tools on personal accounts. Second, Data Exposure traces what information flows into each system and where outputs land. Third, Access and Identity defines who can use which tool under Okta or Entra ID governance. Finally, Policy and Training documents guardrails and measures employee awareness. According to NIST AI RMF guidance, 60% of AI risk originates from ungoverned shadow tools, and our 2025 client data shows 87% of mid-market firms in NYC and the tri-state region operate at least 4 unsanctioned AI tools.
The four-part lens prevents common blind spots. Most organizations catalog sanctioned tools but miss personal ChatGPT accounts, browser extensions, and Gemini sessions on unmanaged devices.
- Discovery: full sanctioned and shadow AI inventory
- Data Exposure: PII, PHI, and IP flow mapping
- Access and Identity: Okta and Entra ID governance review
- Policy and Training: guardrail and awareness audit
What AI systems does the assessment examine in detail?
The assessment is a full sweep of every AI surface inside the client environment. RP Tech Services auditors review Microsoft 365 Copilot tenant settings and Data Loss Prevention rules, ChatGPT Enterprise and Teams deployments, Gemini for Workspace adoption, Slack and Microsoft Teams AI integrations, browser extensions with generative capabilities, custom RAG endpoints, internal agents, and employee personal accounts logging into work systems. First, auditors inventory who has access. Second, auditors classify what data classes flow through each tool, including PHI under HIPAA and customer records under NY DFS scope. Finally, auditors verify whether usage is logged through Microsoft Purview or Google Workspace audit logs. According to a 2025 Gartner survey, 45% of enterprise AI tools are unmanaged, and our data shows the average 100-person tri-state firm runs 11 distinct AI surfaces, far above the 3-tool estimate most leadership teams provide on intake.
- Microsoft 365 Copilot and Purview DLP
- ChatGPT Enterprise, Gemini, Claude deployments
- Slack, Teams, and browser-extension AI
- Custom RAG endpoints and internal agents
How does RP Tech Services collect evidence during the assessment?
Evidence collection is a multi-source method that respects privacy while quantifying exposure. First, RP Tech Services auditors pull tenant audit logs from Microsoft 365, Google Workspace, and Okta to capture access patterns and policy enforcement events. Second, auditors request DLP and CASB telemetry from existing security tools, including Microsoft Purview, Netskope, or Zscaler, to see what data blocks and warnings fire. Third, auditors run a 12-question anonymized employee survey that surfaces shadow tools IT leadership has never inventoried. Finally, auditors conduct 4 to 6 structured stakeholder interviews with IT, security, finance, HR, and legal leaders, each lasting 45 minutes. According to Forrester 2024 research, anonymized surveys uncover 3x more shadow AI than log-only audits. RP Tech Services never inspects email, chat content, or private files, only exposure pathways and policy gaps mapped to NIST AI RMF.
- Microsoft 365, Google, and Okta audit logs
- Purview, Netskope, or Zscaler DLP telemetry
- Anonymized 12-question employee survey
- 4 to 6 stakeholder interviews, 45 minutes each
Which compliance frameworks does the assessment map to?
AI governance does not exist in isolation, so RP Tech Services aligns every finding to the frameworks regulators, boards, and cyber insurance carriers reference. First, findings map to the NIST AI Risk Management Framework, which gives clients a shared vocabulary for AI risk reporting. Second, findings reference ISO 42001, the international AI management systems standard published in December 2023. Third, the report cross-walks NY DFS Part 500 cybersecurity requirements for financial services, HIPAA Security Rule for healthcare, FINRA and SEC supervisory guidance for investment firms, and the EU AI Act for clients with European operations. According to a 2025 Marsh report, 72% of cyber insurance renewals now include AI control questions, and our data shows clients using the RP Tech Services framework crosswalk close 90% of carrier questionnaires in under 4 hours rather than the typical 20 hours.
- NIST AI RMF crosswalk for every finding
- ISO 42001 management system alignment
- NY DFS Part 500 and HIPAA Security Rule
- FINRA, SEC, and EU AI Act references
What is the 3-week engagement structure and timeline?
The RP Tech Services AI assessment is a 3-week engagement with fixed milestones and a fixed fee. First, Week 1 is discovery and scoping: auditors review current Microsoft 365, Google Workspace, and Okta tooling, meet stakeholders, and finalize audit scope across all sanctioned and shadow AI systems. Second, Week 2 is evidence collection: auditors pull 90 days of tenant logs, run the anonymized employee survey, and complete 4 to 6 stakeholder interviews. Finally, Week 3 is analysis and report writing, ending with a draft for internal review and a 60-minute in-person readout at the client office or RP Tech Services Manhattan headquarters at 15 W. 38th Street. Before kickoff, RP Tech Services schedules a 30-minute scoping call with no commitment, and a formal fixed-fee proposal is delivered within 2 business days according to the published engagement standard.
- Week 1: discovery, scoping, stakeholder kickoff
- Week 2: logs, surveys, 4 to 6 interviews
- Week 3: analysis, draft report, 60-minute readout
- Pre-kickoff: 30-minute scoping call, fixed-fee proposal in 2 days
What deliverables does the AI Guardrails Report include?
The AI Guardrails Report is a 30-to-40-page leadership-ready document covering AI risk, governance, and a 12-month remediation roadmap. First, the report opens with an executive summary listing the top 5 risks, residual-risk ratings, and board-level recommendations mapped to NIST AI RMF. Second, the report provides a full inventory of sanctioned and shadow AI systems, including Microsoft 365 Copilot, ChatGPT Enterprise, Gemini for Workspace, and any RAG endpoints discovered during evidence collection. Third, the report delivers a data-exposure map showing how PII, PHI, IP, and customer records move through each AI tool. Finally, the report closes with a prioritized 90-day, 6-month, and 12-month remediation roadmap with cost estimates. According to our 2025 client data, the average remediation roadmap covers 23 specific actions and $48,000 in projected first-year guardrail spend across a 100-user organization.
- 30-to-40-page leadership-ready report
- Executive summary with top 5 risks
- Full sanctioned and shadow AI inventory
- 90-day, 6-month, 12-month remediation roadmap
How does the assessment serve NYC, New Jersey, and tri-state firms?
RP Tech Services delivers AI assessments to industries with acute regulatory exposure across the New York tri-state region. First, healthcare networks across New Jersey and Connecticut are deploying Microsoft 365 Copilot while managing HIPAA Security Rule obligations and OCR audit risk. Second, NYC financial services firms are integrating ChatGPT Enterprise into trading, research, and compliance workflows under SEC, FINRA, and NY DFS Part 500 scope. Finally, professional services firms in law, accounting, and consulting across Manhattan, Brooklyn, Queens, Long Island, and Westchester are feeding client data into RAG systems with no Microsoft Purview DLP rules configured. According to our 2025 regional data, 68% of tri-state mid-market firms operate at least 2 AI tools outside IT governance. RP Tech Services maintains assessment playbooks for each vertical and ships every report with local regulator context built in.
- Healthcare: HIPAA Security Rule and OCR readiness
- Financial: SEC, FINRA, NY DFS Part 500 crosswalks
- Professional services: client data and DLP gaps
- Coverage across Manhattan, Brooklyn, Queens, LI, Westchester
Fixed-fee, transparent pricing
Assessment cost is quoted up front based on org size and AI surface area. Typical cost for a 100-person organization lands in the low five figures with no scope-creep billing.
NIST AI RMF and ISO 42001 aligned
Findings map to standardized frameworks that boards, regulators, and cyber insurance carriers already reference. No proprietary scoring, full methodology transparency.
Shadow AI discovery
Anonymized employee surveys and tenant audit logs surface personal ChatGPT, Gemini, browser extensions, and unapproved Slack and Teams integrations IT leadership has never seen.
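The evidence-collection method described above (tenant audit logs plus an anonymized survey) is the kind of thing a defender can prototype in a few dozen lines. The following is an added illustration, not RP Tech Services' tooling or any vendor's log format: it takes a constructed web-gateway audit export, matches destination hosts against a small, assumed catalog of generative-AI service hosts, builds a per-tool inventory (users, bytes sent, blocked requests), separates sanctioned from shadow tools, and then shows why the survey matters by listing tools respondents report that never appear in the logs at all. The log columns, the sanctioned set, and the survey answers are all constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Illustrative catalog of generative-AI service hosts (an assumption for this
# example; a real engagement maintains a fuller, vendor-verified list).
AI_TOOL_HOSTS = {
    "chat.openai.com": "ChatGPT",
    "chatgpt.com": "ChatGPT",
    "gemini.google.com": "Gemini",
    "claude.ai": "Claude",
    "copilot.microsoft.com": "Microsoft Copilot",
}

# Constructed web-gateway audit export: one row per outbound request.
SAMPLE_LOG = """timestamp,user,dest_host,bytes_out,action
2025-03-04T09:12:01Z,alice@example.com,chat.openai.com,2048,allowed
2025-03-04T09:15:44Z,alice@example.com,copilot.microsoft.com,512,allowed
2025-03-04T10:02:13Z,bob@example.com,gemini.google.com,91000,allowed
2025-03-04T10:05:09Z,bob@example.com,claude.ai,4096,blocked
2025-03-04T11:30:00Z,carol@example.com,example.com,300,allowed
2025-03-04T12:00:00Z,dave@example.com,chatgpt.com,150000,allowed
"""

# Constructed: tools the client has formally approved.
SANCTIONED = {"Microsoft Copilot"}

# Constructed anonymized survey answers: respondent id -> tools they report.
SURVEY_RESPONSES = {
    "r1": ["ChatGPT", "Otter.ai"],
    "r2": ["Notion AI"],
}


def build_ai_inventory(log_text, sanctioned):
    """Return {tool: {sanctioned, users, bytes_out, blocked_events}} from the log.

    Only bytes on allowed requests count toward bytes_out, since blocked
    requests never left the network; blocked requests are counted separately
    because they still reveal intent to use the tool.
    """
    inventory = {}
    users = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        tool = AI_TOOL_HOSTS.get(row["dest_host"].lower())
        if tool is None:
            continue  # not a known AI surface; ignore
        entry = inventory.setdefault(tool, {
            "sanctioned": tool in sanctioned,
            "users": [],
            "bytes_out": 0,
            "blocked_events": 0,
        })
        users[tool].add(row["user"])
        if row["action"] == "blocked":
            entry["blocked_events"] += 1
        else:
            entry["bytes_out"] += int(row["bytes_out"])
    for tool, entry in inventory.items():
        entry["users"] = sorted(users[tool])
    return inventory


def shadow_tools(inventory):
    """List unsanctioned tools as (tool, user_count, bytes_out), largest egress first."""
    rows = [(tool, len(e["users"]), e["bytes_out"])
            for tool, e in inventory.items() if not e["sanctioned"]]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def survey_only_tools(inventory, survey_responses):
    """Tools employees report using that produced no log evidence at all.

    These are the gaps a log-only audit misses: personal devices, mobile apps,
    or hosts absent from the catalog.
    """
    reported = {tool for tools in survey_responses.values() for tool in tools}
    return reported - set(inventory)


if __name__ == "__main__":
    inv = build_ai_inventory(SAMPLE_LOG, SANCTIONED)
    for tool, count, sent in shadow_tools(inv):
        print(f"shadow: {tool:<18} users={count} bytes_out={sent}")
    print("survey-only tools:", sorted(survey_only_tools(inv, SURVEY_RESPONSES)))
```

The output of the inventory is a starting point for the Data Exposure and Access and Identity domains: each shadow tool row tells you who to ask about data classes, and each survey-only tool tells you where the logs have no visibility and a control (DLP rule, CASB policy, or simply a sanctioned alternative) is needed.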
Data-flow visualization
See exactly what data classes (PII, PHI, IP, customer records) flow through which AI systems and where outputs are stored, cached, or used for model training.
Actionable remediation roadmap
Receive a prioritized 90-day, 6-month, and 12-month plan with effort estimates and cost projections so finance and IT can budget and resource the fix.
Ready to see what AI risk looks like in your organization?
Book a 30-minute scoping call and receive a fixed-fee proposal within 2 business days.
- Response within 1 business hour
- A real engineer, not a call center
- No cost, no obligation