The AI era changed your attack surface and your control expectations at the same time. DSE is the security and governance partner for healthcare, government, financial-services, and other sensitive-data teams putting LLMs, copilots, and agents into production — vendor and model risk, adversarial testing, incident readiness, shadow-AI discovery, privacy, and social-engineering defense — delivered as senior-led, fixed-scope readiness and advisory work. Not a generic managed-security shop; a boutique built for regulated AI risk where privacy, oversight, and buyer diligence all matter at once.
DSE designs, assesses, and advises. Every engagement on this page is readiness, assessment, or advisory work — we do not certify, attest to, or audit your controls, and no engagement guarantees a regulatory or examination outcome. For ongoing monitoring we design the program and orchestrate a vetted managed-detection (MDR) partner on your behalf; we do not operate a 24/7 SOC. Frameworks are used as reference, not as promised certifications.
Each line below is a scoped, senior-led engagement that ends in findings and a plan you can act on — not a binder. Pick the one that sounds like your problem and book a scoping call; the fee is fixed in writing after we scope it together.
Your biggest AI exposure is often a vendor's model, not your own. We review the AI inside the tools you buy and the partners you rely on — what data they touch, how models are governed, and where the concentration and fourth-party risk sit — and hand back a board-ready AI vendor risk register and a remediation roadmap you can defend to an examiner.
Scope a vendor AI risk review →
Proportionate, SR 26-2-aligned validation-readiness for the AI and ML systems that behave like models. We help you tier what counts, document assumptions, data, and limitations, stand up effective-challenge and monitoring practices, and route generative and agentic AI to the right framework — so your models are controlled and auditable before anyone asks. Right-sized for mid-market banks and larger credit unions, not a big-bank model-risk factory.
Scope model-risk readiness →
A facilitated, scenario-driven exercise for the failure modes AI introduces — a prompt-injection breach, a leaking copilot, a hallucinated decision, a poisoned model or dataset. We pressure-test who decides, who communicates, and how you contain it, then leave you with a gap report and an IR playbook outline your team actually owns.
Scope an AI IR tabletop →
Find where staff are already pasting company data into public AI tools, map the real exposure, and stand up an acceptable-use policy and lightweight controls before it spreads. A fixed-scope 3–4 week sprint that ends with an exposure map, a control roadmap, and an AI acceptable-use policy framework.
Scope a shadow-AI sprint →
A data-protection impact assessment scoped for AI systems: what personal and sensitive data flows into training, prompts, and logs; the lawful basis and retention story; and the controls that keep it defensible. A readiness assessment and gap analysis with a remediation roadmap — not a certification or legal opinion.
Scope an AI privacy / DPIA →
Voice clones, deepfake video, and AI-crafted phishing have made impersonation cheap and convincing. We assess how exposed your people and processes are — payment approvals, executive impersonation, help-desk verification — and hand back a prioritized readiness plan to harden the human layer against AI-assisted fraud.
Scope a deepfake defense read →
The new lines above sit on top of a security and private-AI practice that already ships. These offerings have their own pages — start there, or book a scoping call and we will route you.
A point-in-time threat model and adversarial test of an AI system — prompt injection, tool and agent abuse, and data-leakage pathways — with severity-ranked findings and remediation. Senior-led and fixed-fee.
Scope an assessment →
Adversarial testing built for RAG, copilots, and agents — direct and indirect prompt injection, tool/function abuse, agentic-loop abuse, and data exfiltration — wired into your release cadence with remediation evidence.
Scope a red-team engagement →
For teams deploying private or self-hosted LLMs on regulated data: deployment-boundary and data-egress controls, access control on model calls, audit logging, change control, and a compliance-evidence map — walked against your actual environment.
Scope private-AI security →
The hub of DSE's free, browser-local AI-governance tools built on one shared AI register — inventory, risk tiering, and Gen-AI risk scoring — plus the advisory that turns the output into a controlled, auditable program.
Scope a governance build →
We design the program; a vetted partner runs the monitoring. When you need continuous detection and response, we set direction on an advisory retainer and orchestrate a vetted managed-detection (MDR) partner on your behalf. DSE owns the strategy, the risk register, and the reporting cadence — we do not operate a 24/7 SOC, and we are transparent about that boundary so you know exactly what you are buying.
Scope an oversight retainer →
Three free, 100% client-side tools that pair with the practice above. Nothing you enter leaves your browser — bring the output to a scoping call and we pick up from there.
Assemble a tailored AI vendor DDQ covering governance, model validation, data and security, third- and fourth-party risk, incident response, and ongoing monitoring.
Build a vendor DDQ →
Answer a few questions to get a materiality-based read on whether an AI system counts as a model in scope, and the structured tier and controls that follow.
Tier a model →
Walk a structured questionnaire to see where an AI system lands across the EU AI Act risk categories, so you know the obligations before you build.
Classify a system →
Last reviewed: 2026-07-03 · Initial release. This pillar is the hub for DSE's AI-era security and cyber-risk practice; the new service lines are described here and scoped on a call. All work is readiness, assessment, and advisory — not certification, attestation, or audit.