NordTel Communications S.A. — European Telecommunications Operator
The OASAT assessment of NordTel Communications identified significant AI governance gaps across all six control domains. AI adoption has outpaced governance — 23 unapproved AI tools were identified in active use across business units, with no runtime controls, no audit visibility, and material regulatory exposure under the EU AI Act, NIS2, and GDPR. Immediate remediation is required in three critical areas before regulatory deadlines.
Each domain was assessed against the OASF control framework and scored for risk exposure and governance maturity. Maturity is scored 1–5: 1 = Ad hoc, 2 = Developing, 3 = Defined, 4 = Managed, 5 = Optimised.
| Domain | Risk Level | Maturity | Key Gap |
|---|---|---|---|
| Data GovernanceOASF-DG | Critical | 1.4 / 5 | No AI data classification policy. Customer PII flowing to external LLMs without inspection or redaction. |
| Model GovernanceOASF-MG | Critical | 1.2 / 5 | No approved model registry. 23 unapproved AI tools in active use across 8 business units. |
| Access & IdentityOASF-AI | High | 2.1 / 5 | AI interactions not identity-bound. No SSO integration with AI tools. No audit trail linking AI usage to individuals. |
| Operational SecurityOASF-OS | High | 1.8 / 5 | No prompt injection defences. No adversarial input monitoring. No AI-specific threat model. |
| Audit & ComplianceOASF-AC | Critical | 1.0 / 5 | Zero AI interaction logging. No audit trail. Cannot demonstrate compliance to EU AI Act Art. 12 or GDPR Art. 30. |
| Incident ResponseOASF-IR | Moderate | 2.4 / 5 | General IR process exists but has no AI-specific incident categories, playbooks, or escalation procedures. |
Customer service agents are using ChatGPT and other consumer AI tools to draft responses and summarise complaints, including full customer names, contact details, account numbers, and communication content. No data inspection, redaction, or governance controls are in place. This represents an active GDPR breach and EU AI Act non-compliance.
No logging of AI interactions exists anywhere in the organisation. If required by a regulator or in the event of a data breach investigation, NordTel cannot demonstrate what data was processed by which AI system, when, or by whom. This is a direct violation of EU AI Act Art. 12 record-keeping requirements and GDPR Art. 30 processing records obligations.
Assessment identified 23 distinct AI tools in active use across 8 business units — none approved, evaluated, or registered. Tools include consumer LLMs, code generation assistants, document summarisation services, and AI-enabled productivity add-ons. Shadow AI usage is organisation-wide with no central visibility, control, or governance.
Network engineering team members are using AI coding assistants (GitHub Copilot, ChatGPT) to assist with network automation scripts. Assessment confirmed that network topology details, configuration parameters, and IP addressing schemes are being included in prompts. This creates both a security risk and a potential lawful intercept compliance exposure.
NordTel's existing incident response process does not include AI-specific incident categories or response procedures. In the event of an AI-related data breach, model manipulation, or governance failure, the organisation has no defined response path, escalation procedure, or GDPR 72-hour notification readiness.
Two AI use cases identified in the assessment are likely classified as high-risk under EU AI Act Annex III: AI-assisted credit scoring for postpaid contract decisions, and AI-enabled network management for critical infrastructure. Neither has been through the required conformity assessment or human oversight framework required under the EU AI Act.
Assessment mapped NordTel's current AI governance controls against four applicable regulatory frameworks. Gap items represent requirements that are currently unmet and create regulatory exposure.
The assessment recommends a structured three-phase remediation programme aligned to regulatory deadlines and operational risk priority. Phase 1 addresses immediate critical risks. Phase 2 builds the governance architecture. Phase 3 operationalises runtime enforcement.
This is a sample assessment for illustration purposes. A real OASAT assessment is scoped to your organisation — your industry, your AI environment, your regulatory obligations — and defines the governance that Aegis then enforces in production. Fixed price. Delivered in weeks.