FREE 30-DAY AI RISK ASSESSMENT — FIRST 50 MID-MARKET ORGANIZATIONS

See what your AI is actually doing.

Armorstack is conducting a no-cost 30-day AI Risk Assessment for the first 50 qualifying mid-market organizations. You will receive a complete shadow-AI inventory, NIST AI Risk Management Framework risk-tier classification, an observability-gap analysis, and a board-ready summary you can take into your next executive or audit-committee meeting. There is no contract requirement to participate; the assessment is offered as the entry point to our AI Adoption Security Framework and stands on its own.

What you receive

  • Shadow-AI Inventory Report. A complete map of every AI service touching organizational data — including SaaS-embedded AI you did not separately license, employee use of public LLM interfaces, and departmental AI tooling adopted outside IT review. Classified by department, data type, vendor, and authorization status.
  • NIST AI RMF Risk Classification. Each identified AI use case mapped to the NIST AI Risk Management Framework (AI RMF 1.0) Map function, scored on likelihood and impact across confidentiality, integrity, availability, privacy, fairness, and accountability — cross-referenced against the regulatory framework governing the data the AI is touching (HIPAA, CMMC 2.0, PCI-DSS, GLBA, FERPA, NIST 800-171, as applicable).
  • Observability-Gap Analysis. Where your existing security operations center sees AI activity today, where it does not, and the specific telemetry and detection rules required to close each gap. Vendor-neutral; written against your existing SIEM and tooling baseline.
  • Board-Ready Summary. A short executive-readable narrative of what was found, what the risk concentration looks like, what is appropriate to disclose to the board and the audit committee, and what the recommended next steps are. Designed to be useful as-is in a board packet.
  • Recommendations Workshop. A 90-minute working session with your security and executive leadership to walk through the findings, prioritize treatment, and decide what to do next.

The 30-day timeline

| Days | Phase | What happens |
|---|---|---|
| 1–5 | Intake and scoping | Kickoff call, NDA, access to telemetry and SaaS administrative consoles in read-only mode, employee survey distribution. Your IT and security leads designate single points of contact. |
| 6–14 | Discovery and inventory | API-based discovery against major SaaS platforms, network telemetry analysis against AI service domains, endpoint and browser telemetry review, employee survey collection. Inventory compiled and reviewed with your team. |
| 15–21 | Risk classification and gap analysis | Each inventoried AI use case mapped to NIST AI RMF risk tiers and cross-referenced to your regulatory framework. Observability-gap analysis run against your current SIEM and tooling baseline. |
| 22–28 | Synthesis and board-ready summary | Findings synthesized into the deliverable package — inventory, risk register, gap analysis, board-ready summary. Draft reviewed with your security and executive leads. |
| 29–30 | Recommendations workshop | 90-minute working session to walk through findings, prioritize treatment, and decide on next steps. Final deliverables transferred. No contractual commitment to continue. |

Eligibility

The assessment is offered to mid-market organizations that meet the following criteria:

  • Between 100 and 2,500 employees
  • Headquartered in the United States
  • Primary vertical: healthcare, manufacturing, defense contracting, financial services, or K-12 education
  • Operate at least one production AI system, AI-augmented SaaS tool, or AI-enabled workflow — or believe you might, which is precisely the situation the assessment is designed to address
  • Have an executive sponsor (CIO, CISO, COO, or CEO) who will participate in the recommendations workshop

Applications close when 50 qualifying organizations have been accepted. Organizations not selected for the no-cost cohort can engage on a paid-equivalent scope and the same deliverables; pricing is shared on request.

Why this is credible

  • NIST AI RMF aligned. The classification work uses the published NIST AI Risk Management Framework (AI RMF 1.0) Map function — the same methodology federal agencies are required to use.
  • 24 years of mid-market security operations. Armorstack was founded in 2002 as Caspian Technologies; the rebrand to Armorstack in January 2026 reflected the converged Managed Intelligence Provider operating model — not the start of a new operating history.
  • 100+ technical experts. The assessment is delivered by Armorstack’s vCISO, SOC, and penetration-testing practices working in coordination; the framework is the operating model these practices were built to run.
  • Aligned to your existing compliance framework. Whatever regulatory regime governs your data — HIPAA, CMMC 2.0, PCI-DSS, GLBA, FERPA, NIST 800-171 — the assessment cross-references AI use cases against the controls regime you already operate under.

Frequently Asked Questions

Is this really free?

Yes. The 30-day assessment, the deliverable package, and the recommendations workshop are offered at no cost to the first 50 qualifying organizations. The assessment is the entry point to our AI Adoption Security Framework; organizations that choose to engage Armorstack for ongoing program work do so on a normal commercial basis. Organizations that do not are welcome to act on the deliverables internally or with any other provider.

What’s the catch?

The catch, if there is one, is that we want your time. The assessment requires read-only access to your major SaaS administrative consoles, telemetry from your SIEM and endpoint tooling, and approximately 12 to 16 hours of your security and executive leadership’s time across the 30 days. If that time investment is not available, the assessment will not produce useful output.

What if we’re not selected for the 50?

Organizations not selected for the no-cost cohort can engage on a paid-equivalent scope and the same deliverables. We will also notify the next 50 organizations on the waitlist when capacity opens, typically as the no-cost cohort completes.

Do we have to sign a multi-year contract afterward?

No. There is no contract requirement to participate in or complete the assessment. The deliverables are yours; what you do with them is your call.

Will Armorstack see our sensitive data during the assessment?

No. The assessment is designed to enumerate AI activity from administrative-console metadata and telemetry summaries — not from inspecting payload content. Where deeper inspection would be required to characterize a specific use case, we will request it explicitly and only under your written authorization. The standard scope produces the inventory and the risk register without payload access.

How do we apply?

Use the contact form at armorstack.ai/contact/ with “AI Risk Assessment” in the subject line, or email [email protected]. We will respond within one business day with eligibility confirmation and a scoping call.

What if our organization is just outside the 100–2,500 employee range?

Contact us. Organizations slightly below 100 employees with substantive AI exposure, and organizations slightly above 2,500 employees that fit the mid-market operating profile, are evaluated case-by-case.

Cohort criteria: 100–2,500 employees, U.S.-headquartered, primary vertical in healthcare, manufacturing, defense, financial services, or K-12, executive sponsor for the 30-day engagement. Organizations outside these criteria are evaluated case-by-case — please still apply.

Apply for the AI Risk Assessment.

50 spots. No cost. No contract. Apply now while the cohort is open.