The Ofreygo Audit

A flat-fee engagement to map, assess, and plan remediation for your company’s Shadow AI. 48-hour discovery window. 5-day analysis. One executive readout. Zero scope creep.

How it works

Discover. Consolidate. Govern.

STEP 01

Discover

We scan your SSO logs, expense reports, Slack, GitHub, and Drive to find every AI tool, agent, API key, and workflow in use. 48 hours.

STEP 02

Consolidate

We map what we found, who owns it, what it costs, and what’s at risk. You get a landscape report, risk register, and 30/60/90 roadmap.

STEP 03

Govern

We deliver the roadmap or help you execute it. Either way, you walk out with a plan your CISO, CTO, and CEO all understand.

What you get

Six deliverables. One flat scope.

Every engagement ships the same six artifacts, rendered as production documents and presented in one executive readout. Preview the format below — figures shown are illustrative.

Preview, Section 01 (pg 01): AI Landscape Map · tools · agents · keys · workflows · owners · illustrative, synthetic data

AI Landscape Map

Every tool, agent, key, workflow, and owner — on one page.

Preview, Section 02 (pg 02): Risk Register · ranked · security · continuity · compliance · illustrative, synthetic data
  crit  Unmanaged prod API key
  crit  Shadow VPS workflow
  high  Keys posted in Slack
  high  Shadow CAI workspace
  med   Prompts uncontrolled
  + 21 more ranked

Risk Register

Ranked security, compliance, and continuity risks with owners.

Preview, Section 03 (pg 03): Spend Analysis · monthly AI spend · on-ledger vs shadow · illustrative, synthetic data
  Total $412K · Off-ledger 38% · Savings $146K

Spend Analysis

On-ledger vs off-ledger AI spend and consolidation savings.

Preview, Section 04 (pg 04): 30 / 60 / 90 Remediation Roadmap · prioritized by risk · owner · effort · illustrative, synthetic data
  Day 0-30 Stabilize: Rotate keys · Kill shadow keys · MCP inventory
  Day 30-60 Consolidate: Migrate n8n · Pool seats · Prompt library
  Day 60-90 Govern: LLM gateway · Quarterly audit · KPI dashboard

30 / 60 / 90 Roadmap

Prioritized remediation, sequenced for a 90-day execution window.

Preview, Section 05 (pg 05): Executive Readout · 60-minute leadership presentation · slide 3 of 22, "What we found" · illustrative, synthetic data
  tools 23 · agents 7 · keys 9 · risks 11

Executive Readout

A 60-minute leadership presentation deck your CISO, CTO, and CEO will all accept.

Preview, Section 06 (pg 06): Governance Framework Starter · one-page policy · ready to adopt · illustrative, synthetic data
  01 Approved AI tooling
  02 Data class handling
  03 API key lifecycle
  04 Agent & prompt registry
  05 Incident response
  Mapped controls: SOC 2 CC6.1 · SOC 2 CC7.2 · ISO A.8 · ISO A.12 · NIST AI RMF

Governance Starter

One-page policy scaffold, pre-mapped to SOC 2, ISO 27001, and NIST AI RMF controls.

Services

Three engagement tiers. One flat scope.

Every Ofreygo engagement is scoped, priced, and delivered on a fixed fee. No hourly billing. No scope creep. Engagement fees are quoted on a brief qualification call; the structure is the same regardless of tier.

Ofreygo Audit

Up to 250 employees

The standard engagement for AI-native companies.

  • All six deliverables
  • 48-hour discovery window
  • 60-minute executive readout
  • Mutual NDA + DPA included

Most common

Ofreygo Audit Extended

250–1,000 employees

Multi-team discovery with a drafted governance policy.

  • Everything in Audit
  • Custom governance policy drafted for your org
  • Additional stakeholder interviews across functions
  • Multi-team discovery scope
  • Named senior delivery lead

Ofreygo Audit Enterprise

1,000+ employees

Scoped to the complexity of a multi-business-unit discovery.

  • Custom scope across business units
  • Integration with existing security + compliance programs
  • Senior advisor engaged per-scope under NDA
  • Board-ready executive package
  • Optional quarterly refresh engagement

Flat fee · Mutual NDA + DPA · Data deleted 90 days post-delivery · Read-only, revocable access

FAQ

The questions everyone asks

How is this different from a SaaS management tool like Zylo or Torii?

SaaS management tools find the apps on your bill. They can’t see custom GPTs in personal ChatGPT accounts, n8n workflows on someone’s VPS, API keys expensed to personal cards, or MCP servers on internal GitHub. Ofreygo finds all of it.

Why not assign this to an engineer for two weeks?

The job isn’t any single scan — it’s running 10+ discovery sources in parallel and synthesizing them into a deliverable a CISO, CTO, and CEO will all accept. An internal engineer gets ~30% of the way through, then gets pulled back onto product work. Ofreygo ships a dated, defensible snapshot in 7–10 days, on a flat fee, against a methodology mapped to SOC 2, ISO 27001, and NIST AI RMF controls.

Do I need to give you admin access to our systems?

No. Audits use per-engagement, read-only scoped tokens that your team provisions and can revoke at any time — SSO log exports, expense CSVs, scoped Slack/GitHub tokens. We don’t hold persistent admin. We do not modify or delete anything.

What happens to our data after the audit?

All discovery data is deleted from Ofreygo systems 90 days post-delivery. The final deliverables (landscape report, risk register, roadmap) are yours to keep and remain confidential.

Can you sign our MNDA and DPA?

Yes. Standard practice. Ofreygo signs a mutual NDA before any discovery work begins, and a DPA covering any personal data touched during the engagement.

What if you don’t find anything?

Then you have a dated snapshot proving clean governance — useful for board reporting, SOC 2 evidence, and insurance. Still worth the fee.

How fast can we start?

Most audits kick off within 7–10 days of signed SOW. The 48-hour discovery window runs once access is scoped. Full delivery (including analysis and executive readout) runs 5–7 days after that.

What industries do you work with?

The Ofreygo Audit is designed for AI-native and AI-adjacent software companies in the 100–500 employee range. For regulated industries (healthcare, financial services, defense), custom scoping applies — contact us.

Ready to see your AI landscape?

Book a 20-minute call. We’ll walk through your current setup and decide together whether an Ofreygo Audit is a fit.

Where Mission Meets Compliance