Ofreygo
Enterprise Shadow AI governance

Find the shadow AI inside your enterprise.

Ofreygo maps every AI tool, agent, API key, and workflow operating inside your company — including the ones nobody’s reporting. A 48-hour discovery engagement mapped to SOC 2, ISO 27001, and the NIST AI Risk Management Framework.

48-hour discovery · Flat-fee engagement · Mutual NDA + DPA · Read-only access
Illustrative landscape output

A representative view of what an Ofreygo Audit surfaces: every AI tool, agent, API key, and workflow — ranked by risk and mapped to an owner. Figures below are illustrative, not a real engagement.

Ofreygo — AI landscape report
Illustrative output · all figures synthetic

7.8 / 10
AI tools: 23
Monthly spend: $48,210
Custom agents: 7
Shadow keys: 4
Critical risks: 11
Monthly AI spend · last 12mo: +38% YoY
Tool inventory · top findings (tool · owner · mo. cost · risk)
ChatGPT Enterprise · Eng, 247 seats · $6,175 · low
Anthropic API · Platform team · $8,940 · high
OpenAI API · Unknown, personal card · $4,220 · crit
n8n, self-hosted · D. Okafor, personal VPS · $40 · crit
GitHub Copilot · Eng, 120 seats · $2,280 · low
Replicate API · ML team · $1,450 · low
Zapier + OpenAI · Marketing, shared key · $780 · high
+ 16 more tools · see full inventory
Risk register · critical
crit · Unmanaged OpenAI prod key: Charged to personal card. Customer PII flowing to production. Owner unreachable.
crit · n8n on personal VPS: Handles 40% of support triage. No failover. Keys in plaintext env.
high · Keys posted in Slack: 3 production keys pasted in #engineering. Not rotated in 8 months.
+ 8 more critical · 14 high
The problem

Your enterprise is running on infrastructure nobody can see.

Somewhere in your company right now, an engineer is running an n8n workflow on a personal VPS. A marketer has a custom GPT with your entire brand guide pasted in. Someone in finance expensed thousands in OpenAI API calls last quarter on a personal card. None of it is documented. None of it is governed. When those people leave, it breaks.

This is Shadow AI. It’s the same pattern as Shadow IT ten years ago — moving faster, with bigger data stakes. Your CISO is worried. Your CEO thinks you’re AI-forward. Both are right, and both are a problem.

The companies most excited about AI are the ones getting hurt most by it.

What we discover

Five categories of invisible infrastructure.

An Ofreygo Audit treats Shadow AI as an inventory problem, not a policy problem. Until you can name what you have, you can’t govern it. Here is what the engagement is designed to surface.

Tools

Every AI SaaS product with any sign of use across the organization — including personal-account access to enterprise models.

Agents

Custom GPTs, Claude Projects, Gemini Gems, internal MCP servers, and the prompts that turn them into unofficial production software.

API keys

Every OpenAI, Anthropic, and provider key in circulation — who owns it, what it costs, where it routes data, and whether it’s on-ledger.

Workflows

n8n, Zapier, Make, and custom scripts that depend on AI — and the single individuals who quietly keep them running.

Prompts & instructions

System instructions, prompt libraries, and SOPs scattered across Slack, Drive, Notion, and GitHub with no version control or ownership.

How it works

Discover. Consolidate. Govern.

STEP 01

Discover

We scan your SSO logs, expense reports, Slack, GitHub, and Drive to find every AI tool, agent, API key, and workflow in use. 48 hours.

STEP 02

Consolidate

We map what we found, who owns it, what it costs, and what’s at risk. You get a landscape report, risk register, and 30/60/90 roadmap.

STEP 03

Govern

We deliver the roadmap or help you execute it. Either way, you walk out with a plan your CISO, CTO, and CEO all understand.

What you get

Six deliverables. One flat scope.

Every engagement ships the same six artifacts, rendered as production documents and presented in one executive readout. Preview the format below — figures shown are illustrative.

Ofreygo Audit · Section 01 · AI Landscape Map
Tools · agents · keys · workflows · owners
Illustrative · synthetic data · pg. 01

AI Landscape Map

Every tool, agent, key, workflow, and owner — on one page.

Ofreygo Audit · Section 02 · Risk Register
Ranked · security · continuity · compliance
crit · Unmanaged prod API key
crit · Shadow VPS workflow
high · Keys posted in Slack
high · Shadow CAI workspace
med · Prompts uncontrolled
+ 21 more ranked
Illustrative · synthetic data · pg. 02

Risk Register

Ranked security, compliance, and continuity risks with owners.

Ofreygo Audit · Section 03 · Spend Analysis
Monthly AI spend · on-ledger vs shadow
Total: $412K
Off-ledger: 38%
Savings: $146K
Illustrative · synthetic data · pg. 03

Spend Analysis

On-ledger vs off-ledger AI spend and consolidation savings.

Ofreygo Audit · Section 04 · 30 / 60 / 90 Remediation Roadmap
Prioritized by risk · owner · effort
Day 0-30 · Stabilize: Rotate keys · Kill shadow keys · MCP inventory
Day 30-60 · Consolidate: Migrate n8n · Pool seats · Prompt library
Day 60-90 · Govern: LLM gateway · Quarterly audit · KPI dashboard
Illustrative · synthetic data · pg. 04

30 / 60 / 90 Roadmap

Prioritized remediation, sequenced for a 90-day execution window.

Ofreygo Audit · Section 05 · Executive Readout
60-minute leadership presentation
Slide 3 of 22 · What we found
Tools: 23
Agents: 7
Keys: 9
Risks: 11
Illustrative · synthetic data · pg. 05

Executive Readout

A 60-minute leadership presentation deck your CISO, CTO, and CEO will all accept.

Ofreygo Audit · Section 06 · Governance Framework Starter
One-page policy · ready to adopt
01 Approved AI tooling
02 Data class handling
03 API key lifecycle
04 Agent & prompt registry
05 Incident response
Mapped controls: SOC 2 CC6.1 · SOC 2 CC7.2 · ISO A.8 · ISO A.12 · NIST AI RMF
Illustrative · synthetic data · pg. 06

Governance Starter

One-page policy scaffold, pre-mapped to SOC 2, ISO 27001, and NIST AI RMF controls.

Who it’s for

Built for AI-forward companies

Ofreygo audits work best for engineering-heavy companies with 100–500 employees. You’re the right fit if:

  • Engineering and ops are building AI workflows faster than IT can track them
  • You’ve rolled out (or are rolling out) Copilot, ChatGPT Enterprise, or Claude for Work
  • Your CISO has started asking questions you can’t fully answer
  • You’ve made it this far without a clear AI governance policy — and it’s starting to show

Industries we serve

Built for enterprises that can’t afford to get AI wrong.

We engage across regulated and unregulated industries, but our practice depth is concentrated where the consequences of unmanaged AI — legal, reputational, operational — are highest.

Financial Services

Banks, insurers, asset managers. AI in underwriting, claims, KYC, and advisory.

Healthcare & Life Sciences

Providers, payers, pharma. HIPAA-aware discovery and clinical-workflow AI mapping.

Enterprise SaaS

B2B platforms with 500–10,000+ employees building AI-native features.

Legal & Professional Services

Am Law firms, consultancies, accounting. Matter-privilege and data-sovereignty rigor.

Manufacturing & Industrial

Operations, supply chain, and plant-floor AI adoption across distributed workforces.

Retail & Consumer

Omnichannel, merchandising, and marketing AI usage across corporate and stores.

Private Equity & Holding Cos.

Portfolio-wide AI diligence and standardized governance across op-co investments.

Public Sector & Defense

Federal, state, and defense contractors. Security-clearance-aware engagement models.

Security & compliance

Built for the procurement review, not around it.

An Ofreygo engagement is designed so that your CISO, head of Legal, and procurement team all sign off in days, not weeks. No persistent access, no data exfiltration, no vendor lock-in.

Read-only, revocable access

Scoped tokens your team provisions and can kill at any moment. No persistent admin. No write operations. Ever.

Mutual NDA + DPA

We sign your paper, not ours. NDA and data processing agreement executed before any discovery work begins.

Data retention: 90 days

All discovery data deleted from Ofreygo systems 90 days post-delivery. Deliverables remain your property, under your control.

Least-privilege discovery

We request the minimum scope needed per source — SSO log export, expense CSV, Slack search token — and nothing else.

SOC 2 Type I on the roadmap

On track ahead of our first product deployment. Enterprise-ready audit posture from day one of the platform.

Security review ready

Dedicated security review packet (architecture, data flow, retention, sub-processors) available on request for procurement.

See before you buy

A 20-page sample, fully anonymized.

Want to see exactly what you’d get? Download our illustrative Ofreygo Audit Report — a synthetic, end-to-end example of the deliverable format. Landscape map, risk register, spend analysis, and the 30/60/90 remediation roadmap, all rendered against representative data.

No marketing spam. Just the report.

ofreygo.com / sample-report / illustrative
Tools: 23 · Agents: 7 · API keys: 9 · Workflows: 4 · Shadow: 4
Discovered by source: SSO / IdP logs 12 · Expense / Ramp data 6 · GitHub org scan 9 · Slack / Teams search 14 · Stakeholder interviews 11

Services

Three engagement tiers. One flat scope.

Every Ofreygo engagement is scoped, priced, and delivered on a fixed fee. No hourly billing. No scope creep. Engagement fees are quoted on a brief qualification call; the structure is the same regardless of tier.

Ofreygo Audit

Up to 250 employees

The standard engagement for AI-native companies.

  • All six deliverables
  • 48-hour discovery window
  • 60-minute executive readout
  • Mutual NDA + DPA included

Ofreygo Audit Extended · Most common

250–1,000 employees

Multi-team discovery with a drafted governance policy.

  • Everything in Audit
  • Custom governance policy drafted for your org
  • Additional stakeholder interviews across functions
  • Multi-team discovery scope
  • Named senior delivery lead

Ofreygo Audit Enterprise

1,000+ employees

Scoped to the complexity of a multi-business-unit discovery.

  • Custom scope across business units
  • Integration with existing security + compliance programs
  • Senior advisor engaged per-scope under NDA
  • Board-ready executive package
  • Optional quarterly refresh engagement
Flat fee · Mutual NDA + DPA · Data deleted 90 days post-delivery · Read-only, revocable access

Who delivers the work

Built by operators, not consultants.

Ofreygo is founded and run by Joe Saba — a technology leader with more than a decade of hands-on experience shipping production software, architecting enterprise systems, and leading engineering and operations teams. He builds and operates on the modern AI stack every day, across multiple simultaneous ventures, which is how he kept running into the Shadow AI pattern Ofreygo is built to solve.

For enterprise engagements with deeper scope — regulated industries, security-cleared environments, or multi-business-unit discovery — Ofreygo engages senior advisors under NDA on a per-engagement basis. Introductions are made during qualification, not advertised on a website.

Methodology over headcount

We scope, price, and deliver engagements against a fixed methodology — not by the hour, not by the seat.

Named senior delivery lead

Every engagement has one senior practitioner as its delivery lead. You know who is on point from the SOW forward.

No procurement theatre

Mutual NDA, DPA, and a one-page security packet available on request. Most engagements clear procurement in days, not weeks.

Engagement-bound access

Per-engagement, read-only, revocable tokens your team provisions and kills. No persistent admin, no retained data after 90 days.

FAQ

The questions everyone asks

How is this different from a SaaS management tool like Zylo or Torii?

SaaS management tools find the apps on your bill. They can’t see custom GPTs in personal ChatGPT accounts, n8n workflows on someone’s VPS, API keys expensed to personal cards, or MCP servers on internal GitHub. Ofreygo finds all of it.

Why not assign this to an engineer for two weeks?

The job isn’t any single scan — it’s running 10+ discovery sources in parallel and synthesizing them into a deliverable a CISO, CTO, and CEO will all accept. An internal engineer gets ~30% of the way through, then gets pulled back onto product work. Ofreygo ships a dated, defensible snapshot in 7–10 days, on a flat fee, against a methodology mapped to SOC 2, ISO 27001, and NIST AI RMF controls.

Do I need to give you admin access to our systems?

No. Audits use per-engagement, read-only scoped tokens that your team provisions and can revoke at any time — SSO log exports, expense CSVs, scoped Slack/GitHub tokens. We don’t hold persistent admin. We do not modify or delete anything.

What happens to our data after the audit?

All discovery data is deleted from Ofreygo systems 90 days post-delivery. The final deliverables (landscape report, risk register, roadmap) are yours to keep and remain confidential.

Can you sign our MNDA and DPA?

Yes. Standard practice. Ofreygo signs a mutual NDA before any discovery work begins, and a DPA covering any personal data touched during the engagement.

What if you don’t find anything?

Then you have a dated snapshot proving clean governance — useful for board reporting, SOC 2 evidence, and insurance. Still worth the fee.

How fast can we start?

Most audits kick off within 7–10 days of signed SOW. The 48-hour discovery window runs once access is scoped. Full delivery (including analysis and executive readout) runs 5–7 days after that.

What industries do you work with?

The Ofreygo Audit is designed for AI-native and AI-adjacent software companies in the 100–500 employee range. For regulated industries (healthcare, financial services, defense), custom scoping applies — contact us.

Ready to see your AI landscape?

Book a 20-minute call. We’ll walk through your current setup and decide together whether an Ofreygo Audit is a fit.

Where Mission Meets Compliance