AI Readiness Assessment: Copilot & Shadow AI for Texas SMBs

Your Team Is Already Using AI — the Question Is Whether You Know How

Microsoft Copilot licenses are shipping in every M365 renewal. ChatGPT, Gemini, and Claude are a browser tab away. Employees across sales, finance, HR, and operations are using these tools daily — often with company data, and almost always without IT’s knowledge.

For most Texas SMBs, the gap between “we have AI tools” and “we govern AI tools” is wide enough to create real exposure. Industry research consistently shows that SMB Copilot adoption sits near 12%, not because organizations lack licenses, but because nobody scoped the data, identity, and governance prerequisites before flipping the switch. Meanwhile, the median 100-employee company runs 14 to 22 unsanctioned AI tools that IT has never vetted.

The result: shadow AI adds $670,000 to the average data breach, Copilot deployments stall without ROI, and compliance obligations under TRAIGA and TDPSA go unaddressed.

This assessment exists to close that gap. It is a structured, deliverable-driven engagement — not a general consulting conversation — designed for companies with 50 to 500 employees that want to adopt AI safely and get value from their existing licenses.

What the Assessment Covers

The engagement evaluates three areas that determine whether AI will work for your organization — or create risk you can’t see.

Pillar 1

Copilot Readiness

Evaluate your M365 tenant, data architecture, identity controls, and user workflows against the prerequisites for a successful Copilot deployment.

Pillar 2

Shadow AI Discovery

Identify every unsanctioned AI tool in use across your organization, map the data flowing into each one, and quantify the exposure.

Pillar 3

Governance & Compliance

Build the policy, technical controls, and documentation framework required for TRAIGA and TDPSA compliance — before enforcement tightens.

Copilot Readiness: Why Most Deployments Stall

Microsoft sells Copilot as a productivity multiplier. For organizations that are ready, it is. For those that aren’t, it’s a $30-per-user cost that generates confusion and security questions without delivering results.

What we evaluate

  • M365 tenant configuration — licensing, Entra ID roles, conditional access policies, and whether your tenant is structured for Copilot’s data access model
  • SharePoint and OneDrive permissions — Copilot inherits the user’s access. If your SharePoint permissions are overly broad (they usually are), Copilot surfaces content users should never see.
  • Data classification and sensitivity labels — which data is labeled, which isn’t, and what Copilot can reach by default
  • DLP and retention policies — whether your existing data loss prevention rules account for AI-generated content and Copilot interactions
  • User readiness — which roles and workflows will benefit most from Copilot, and which need governance guardrails before access

The goal is a clear yes-or-no on Copilot readiness per department, with a remediation checklist for every gap. If your environment is ready, you’ll know exactly which users to license first and what training they need. If it’s not, you’ll know what to fix before spending another dollar on Copilot seats.

Shadow AI Discovery: Finding What You Can’t See

Your employees are not waiting for an AI strategy. They are solving problems today with tools they found themselves. That initiative is valuable — but unmanaged, it creates data exposure that traditional security tools miss entirely.

How shadow AI evades your current security stack

Firewalls, EDR, and network monitoring were not designed for this. An employee pasting customer data into a free ChatGPT account looks identical to normal web browsing. No malware, no exploit, no policy violation your existing tools will flag. HTTPS encryption means your network monitoring sees the destination but not what data was shared.

What we look for

  • SaaS and browser-based AI tools — ChatGPT, Gemini, Claude, Perplexity, Jasper, Otter.ai, and dozens of vertical-specific AI apps employees adopt without IT approval
  • Data flows — what types of business data (customer records, financial data, employee information, proprietary documents) are entering each tool, and under what terms of service
  • AI features embedded in existing tools — many SaaS platforms your team already uses have quietly added AI features that process your data. CRMs, project management tools, and communication platforms are training models on your inputs unless you opt out.
  • Copilot and M365 agent sprawl: unauthorized Power Automate flows, Copilot actions, and AI agents running inside your M365 tenant without centralized visibility

What you get

A complete inventory of every AI tool and AI-enabled feature in use across your organization, mapped to the data each one touches, the risk each one introduces, and a recommended action for each: approve, restrict, or replace.

Governance and Compliance: TRAIGA and TDPSA Are Not Optional

Texas now has two laws that directly affect how your business uses AI.

The Texas Responsible AI Governance Act (TRAIGA) took effect January 1, 2026, and the Attorney General’s complaint portal opens September 1. Any employee, customer, or competitor can file a complaint about how your business uses AI. Penalties range from $10,000 per curable violation to $100,000+ for intentional discrimination through AI systems.

The Texas Data Privacy and Security Act (TDPSA) governs how businesses collect, process, and share personal data — and every AI tool your employees feed business data into is a processing activity that falls under its scope.

What we deliver

  • AI inventory and risk classification — every AI system in use, classified by TRAIGA’s risk framework (discriminatory potential, biometric processing, government-facing use)
  • Gap analysis against NIST AI RMF — TRAIGA provides a safe harbor for businesses that adopt the NIST AI Risk Management Framework. We map your current state against NIST AI RMF and identify what you need to close the gap.
  • Acceptable Use Policy — a ready-to-deploy AI policy covering which tools are approved, what data can enter them, who approves new AI tools, and how violations are handled. Built specifically for your organization, not a template.
  • TDPSA data processing audit — which AI tools process personal data, whether your data processing agreements cover AI use, and where your privacy notices need updating
  • Documentation package — the compliance artifacts (governance policy, risk assessments, audit trail procedures) that demonstrate good faith if a complaint is filed

Who This Assessment Is For

This is built for Texas and Oklahoma businesses with 50 to 500 employees that fit at least one of these profiles:

  • You have Copilot licenses but adoption is flat. Users got licenses, tried it once, and went back to their old workflow. You’re paying $30/user/month for a tool nobody uses because nobody prepared the environment.
  • You suspect shadow AI but can’t quantify it. You know employees use ChatGPT and other tools, but you don’t know which tools, what data, or how exposed you are.
  • You need AI governance before September 1. The TRAIGA complaint portal opens in weeks and you don’t have an AI policy, an inventory, or a plan.
  • Your cyber insurance questionnaire now asks about AI. Underwriters are adding AI governance questions to renewals. You need documented controls and policies to answer them honestly.

The practitioners who built this assessment bring decades of experience in IT governance, M365 security architecture, and regulatory compliance for Texas businesses. This is not an AI vendor selling you more AI — it’s your IT and security partner making sure you adopt AI safely.

Assessment Deliverables

Every engagement produces a written report with clear findings and actionable recommendations — not a slide deck full of generalities.

Report

Copilot Readiness Scorecard

Department-by-department readiness assessment with pass/fail criteria for M365 tenant configuration, permissions, data classification, and user workflows.

Report

Shadow AI Inventory

Complete catalog of every AI tool and AI-enabled feature in use, mapped to data flows, risk classification, and recommended disposition (approve, restrict, replace).

Report

Governance & Compliance Package

AI acceptable use policy, NIST AI RMF gap analysis, TRAIGA risk classification, TDPSA data processing audit, and the documentation artifacts needed for safe harbor.

Report

Prioritized Remediation Roadmap

Sequenced action plan covering quick wins (policy deployment, immediate shadow AI restrictions) through long-term governance maturity (monitoring, audit cadence, Copilot rollout phases).

Most engagements complete in two to three weeks. The first week covers tenant analysis and shadow AI discovery. The second and third weeks produce the governance package, remediation roadmap, and final report. Timeline depends on the size of your M365 tenant and the number of locations.

The Copilot readiness pillar is specific to M365, but the shadow AI discovery and governance pillars apply to any organization using AI tools. If you're on Google Workspace or another platform, we adjust the scope to focus on what matters for your environment.

That's the best time to do this assessment. Evaluating your environment before buying licenses prevents wasted spend and ensures your data, permissions, and governance are ready before users get access. We'll tell you exactly when your environment is ready and which departments should go first.

TRAIGA applies to any business that deploys AI systems in Texas, regardless of size. "Deploy" includes using Copilot, ChatGPT, or any AI-powered tool your employees interact with. The AG's complaint portal opens September 1, 2026, making enforcement frictionless. The five-step compliance plan covers what you need to do before that date.

Our AI consulting practice covers broad AI strategy — LLM evaluation, build-vs-buy decisions, implementation planning. This assessment is a focused, productized engagement with defined deliverables: Copilot readiness scoring, shadow AI inventory, and TRAIGA/TDPSA compliance documentation. Think of it as the diagnostic that tells you where you stand before making strategic decisions about AI investment.

It means that successful AI adoption depends more on governance — policies, permissions, data classification, training, and compliance — than on the AI technology itself. Organizations that invest in governance before or alongside their AI rollout see higher adoption, fewer incidents, and better ROI. Organizations that skip governance end up with abandoned licenses and unmanaged risk.

Find out where you stand before September 1

Schedule your AI readiness and shadow AI assessment. We'll show you exactly what's running, what's at risk, and what to do about it.
