The Ofreygo Audit, end to end.
A finite, flat-fee engagement broken into three phases. Each phase has a fixed duration, a defined deliverable, and a direct mapping to the controls your existing compliance program already runs against.
Discover
Scoped, read-only access is provisioned by your team. Ofreygo runs ten-plus discovery streams in parallel, working to a fixed discovery checklist. All activity is logged and shared with your security lead in real time.
- Raw inventory across 5 data categories
- Provenance log of every discovery source queried
- Preliminary risk flags surfaced during collection
- Okta, Google Workspace, Entra — signed-in apps
- Ramp, Brex, QuickBooks — API keys and SaaS on personal cards
- Scoped queries for shared keys, prompts, custom GPTs
- MCP servers, agent code, automation scripts, leaked credentials
- Prompt libraries, SOPs, "system instructions" docs
- Targeted conversations across Eng, Ops, Marketing, Finance
Synthesize
Raw inventory is reconciled, de-duplicated, and mapped to owners. Every finding is categorized against SOC 2, ISO 27001, and NIST AI RMF control families so it lands cleanly with your existing governance program.
- AI Landscape Map rendered as a production document
- Risk Register ranked by severity × business-impact × remediation effort
- Spend Analysis with on-ledger vs off-ledger breakdown
- Draft 30/60/90 remediation roadmap
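The reconcile, de-duplicate, map-to-owner and rank steps above are the part of the Synthesize phase that is mechanical, and they are easy to get wrong when the same tool shows up under different spellings across several discovery streams. The following is an added illustration of that pipeline, not Ofreygo's own tooling or export format. The discovery records, owner table, severity and effort values, and team impact scores are all constructed for the example; the control identifiers are the ones cited in the mapping tables on this page. The page does not say how remediation effort is weighted inside its ranking product, so the example ranks by severity × business impact and uses effort only as a tie-breaker (cheaper fix first); that ordering is an assumption.

```python
from dataclasses import dataclass, field

# Constructed discovery records, standing in for exports from the parallel
# discovery streams. Field names are this example's own, not any tool's format.
RAW_RECORDS = [
    {"source": "okta_signed_in_apps", "vendor": "OpenAI",
     "identity": "dana@example.com", "evidence": "OIDC sign-in to ChatGPT"},
    {"source": "gws_oauth_grants", "vendor": "openai",
     "identity": "dana@example.com", "evidence": "OAuth grant to OpenAI"},
    {"source": "ramp_expenses", "vendor": "OpenAI", "identity": "dana@example.com",
     "evidence": "API usage on personal card", "off_ledger": True},
    {"source": "repo_secret_scan", "vendor": "Anthropic", "identity": "ops-bot",
     "evidence": "API key hard-coded in automation/agent.py", "leaked_key": True},
    {"source": "slack_search", "vendor": "anthropic", "identity": "ops-bot",
     "evidence": "same key pasted in #ops", "leaked_key": True},
]

# Owner mapping, normally pulled from the IdP or HR system. Constructed here.
OWNERS = {"dana@example.com": "Marketing", "ops-bot": "Ops"}

# Finding type -> (severity 1-5, remediation effort 1-5, mapped controls).
# Severity and effort values are assumptions; the control identifiers are
# the ones the page's SOC 2 / ISO 27001 / NIST AI RMF tables cite.
FINDING_TYPES = {
    "leaked_credential": (5, 2, ["SOC 2 CC6.1", "ISO 27001 A.8.2", "NIST AI RMF MANAGE"]),
    "off_ledger_spend":  (3, 3, ["ISO 27001 A.5.9", "NIST AI RMF GOVERN"]),
    "unmanaged_access":  (2, 1, ["SOC 2 CC6.1", "ISO 27001 A.5.9", "NIST AI RMF MAP"]),
}

# Business impact per owning team (1-5), constructed for the example.
TEAM_IMPACT = {"Ops": 4, "Marketing": 2}


@dataclass
class Finding:
    vendor: str
    identity: str
    owner: str
    kind: str
    severity: int
    impact: int
    effort: int
    controls: list
    provenance: list = field(default_factory=list)

    @property
    def priority(self) -> int:
        return self.severity * self.impact


def reconcile(records):
    """Merge records describing the same (vendor, identity) pair, normalising
    case and whitespace, and keep every source in a provenance list so each
    finding stays traceable to the stream that produced it."""
    merged = {}
    for rec in records:
        key = (rec["vendor"].strip().lower(), rec["identity"].strip().lower())
        entry = merged.setdefault(key, {
            "vendor": rec["vendor"], "identity": rec["identity"],
            "provenance": [], "off_ledger": False, "leaked_key": False})
        entry["provenance"].append(f'{rec["source"]}: {rec["evidence"]}')
        entry["off_ledger"] |= rec.get("off_ledger", False)
        entry["leaked_key"] |= rec.get("leaked_key", False)
    return merged


def classify(entry) -> str:
    """Most serious applicable finding type wins for a merged entry."""
    if entry["leaked_key"]:
        return "leaked_credential"
    if entry["off_ledger"]:
        return "off_ledger_spend"
    return "unmanaged_access"


def build_register(records, owners):
    """Produce the ranked risk register: one Finding per reconciled entry,
    with owner, mapped controls and provenance attached."""
    findings = []
    for entry in reconcile(records).values():
        owner = owners.get(entry["identity"], "UNASSIGNED")
        kind = classify(entry)
        severity, effort, controls = FINDING_TYPES[kind]
        findings.append(Finding(
            vendor=entry["vendor"], identity=entry["identity"], owner=owner,
            kind=kind, severity=severity, impact=TEAM_IMPACT.get(owner, 3),
            effort=effort, controls=controls, provenance=entry["provenance"]))
    # Highest priority first; among equals, the cheaper fix first (assumption).
    findings.sort(key=lambda f: (-f.priority, f.effort))
    return findings


if __name__ == "__main__":
    for f in build_register(RAW_RECORDS, OWNERS):
        print(f"{f.priority:>2} {f.kind:<18} {f.vendor:<10} owner={f.owner:<10} "
              f"controls={', '.join(f.controls)}")
        for p in f.provenance:
            print("     <-", p)
```

With the constructed input, the three OpenAI records collapse into one off-ledger-spend finding with three provenance entries, and the two Anthropic records collapse into one leaked-credential finding that ranks first. An entry whose identity has no owner in the IdP export lands as UNASSIGNED rather than being dropped, which is the case worth watching for in a real engagement.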
Deliver
A sixty-minute leadership presentation covering findings, risks, spend, and the remediation roadmap, followed by a one-page governance framework starter your team can adopt on day one.
- Executive readout deck (22 slides)
- One-page governance framework starter
- Remediation roadmap hand-off with named owners
- Full raw-data export for internal continuity
Mapped to the frameworks your program already runs against.
Every finding in an Ofreygo Audit is categorized against at least one mapped control, so discovery outputs can be consumed directly by your existing compliance, audit, and risk programs.
SOC 2
Trust Services Criteria
| Control | Name | How Ofreygo maps to it |
|---|---|---|
| CC6.1 | Logical access controls | Audit inventories every unmanaged access path to AI systems and assigns an owner. |
| CC6.6 | Boundary protection | Shadow workflows crossing trust boundaries (personal VPS, shared accounts) are identified and scheduled for closure on the remediation roadmap. |
| CC7.2 | System monitoring | Discovery establishes a baseline inventory monitoring can be operated against. |
| CC8.1 | Change management | Prompt libraries and agent configurations are brought under version-controlled change governance. |
ISO 27001
Annex A (2022 edition)
| Control | Name | How Ofreygo maps to it |
|---|---|---|
| A.5.9 | Inventory of information and other associated assets | AI tools, agents, keys, and workflows added to the information-asset inventory with assigned owners. |
| A.8.2 | Privileged access rights | Unmanaged API keys (personal-card, shared-key) surfaced and scheduled for rotation or revocation. |
| A.8.16 | Monitoring activities | Baseline established for ongoing monitoring of AI consumption and drift. |
| A.8.28 | Secure coding | Agent code and prompts brought under review processes consistent with existing SDLC. |
NIST AI RMF
Core Functions
| Function | Name | How Ofreygo maps to it |
|---|---|---|
| GOVERN | Govern | Governance framework starter surfaces accountability, policy, and roles across AI usage. |
| MAP | Map | The audit itself is the Map function: establishing context, categorizing AI systems, and mapping risks. |
| MEASURE | Measure | Risk register quantifies severity, business impact, and remediation effort for every finding. |
| MANAGE | Manage | 30/60/90 roadmap operationalizes risk responses with owners and timelines. |
Send your team the full methodology PDF
A single PDF covering the three-phase methodology, per-phase deliverables, discovery-source checklist, and control mappings to SOC 2, ISO 27001, and NIST AI RMF. Sent to your work email within one business day.
No marketing. Just the PDF.
Ready to see your AI landscape?
Book a 20-minute call. We’ll walk through your current setup and decide together whether an Ofreygo Audit is a fit.
Where Mission Meets Compliance