Solutions Aegis Industries Insights Pricing Company Request Assessment
Sample Assessment — Fictitious Organisation For Illustration Purposes Only Telecommunications

AI Security Assessment Report

NordTel Communications S.A. — European Telecommunications Operator

Assessment date
Q1 2026
Assessment type
OASAT Tier 2
Employees
~6,800
Assessor
OneCompliant s.r.o.
Note: NordTel Communications S.A. is a fictitious organisation created for demonstration purposes. All findings, scores, and recommendations are illustrative. Real client assessments remain strictly confidential in accordance with applicable privacy and confidentiality obligations.
Executive Summary

Overall AI Governance Posture: High Risk

The OASAT assessment of NordTel Communications identified significant AI governance gaps across all six control domains. AI adoption has outpaced governance — 23 unapproved AI tools were identified in active use across business units, with no runtime controls, no audit visibility, and material regulatory exposure under the EU AI Act, NIS2, and GDPR. Immediate remediation is required in three critical areas before regulatory deadlines.

Overall AI Governance Risk Score
LowModerateHighCritical
72 / 100 — High Risk. Immediate governance action required.
3
Critical findings requiring immediate action
7
High-risk findings requiring action within 30 days
23
Unapproved AI tools identified in active use
4
Regulatory frameworks with material gap exposure
Domain Risk Assessment

Risk and maturity scores across all six OASF domains.

Each domain was assessed against the OASF control framework and scored for risk exposure and governance maturity. Maturity is scored 1–5: 1 = Ad hoc, 2 = Developing, 3 = Defined, 4 = Managed, 5 = Optimised.

Domain Risk Level Maturity Key Gap
Data GovernanceOASF-DG Critical 1.4 / 5 No AI data classification policy. Customer PII flowing to external LLMs without inspection or redaction.
Model GovernanceOASF-MG Critical 1.2 / 5 No approved model registry. 23 unapproved AI tools in active use across 8 business units.
Access & IdentityOASF-AI High 2.1 / 5 AI interactions not identity-bound. No SSO integration with AI tools. No audit trail linking AI usage to individuals.
Operational SecurityOASF-OS High 1.8 / 5 No prompt injection defences. No adversarial input monitoring. No AI-specific threat model.
Audit & ComplianceOASF-AC Critical 1.0 / 5 Zero AI interaction logging. No audit trail. Cannot demonstrate compliance to EU AI Act Art. 12 or GDPR Art. 30.
Incident ResponseOASF-IR Moderate 2.4 / 5 General IR process exists but has no AI-specific incident categories, playbooks, or escalation procedures.
Key Findings

Critical and high-risk findings requiring immediate attention.

OASAT-F-001 · Critical
Customer PII transmitted to external AI models without inspection
Critical

Customer service agents are using ChatGPT and other consumer AI tools to draft responses and summarise complaints, including full customer names, contact details, account numbers, and communication content. No data inspection, redaction, or governance controls are in place. This represents an active GDPR breach and EU AI Act non-compliance.

GDPR Art. 5 — Data minimisation GDPR Art. 32 — Security of processing EU AI Act Art. 10 NIS2 Art. 21
OASAT-F-002 · Critical
Zero AI audit trail — regulatory evidence cannot be produced
Critical

No logging of AI interactions exists anywhere in the organisation. If required by a regulator or in the event of a data breach investigation, NordTel cannot demonstrate what data was processed by which AI system, when, or by whom. This is a direct violation of EU AI Act Art. 12 record-keeping requirements and GDPR Art. 30 processing records obligations.

EU AI Act Art. 12 GDPR Art. 30 NIS2 Art. 23 — Incident reporting
OASAT-F-003 · Critical
23 unapproved AI tools in active enterprise use
Critical

Assessment identified 23 distinct AI tools in active use across 8 business units — none approved, evaluated, or registered. Tools include consumer LLMs, code generation assistants, document summarisation services, and AI-enabled productivity add-ons. Shadow AI usage is organisation-wide with no central visibility, control, or governance.

EU AI Act Art. 9 — Risk management OASF-MG-004 — Shadow AI NIS2 Art. 21
OASAT-F-004 · High
Network configuration data shared with AI coding assistants
High

Network engineering team members are using AI coding assistants (GitHub Copilot, ChatGPT) to assist with network automation scripts. Assessment confirmed that network topology details, configuration parameters, and IP addressing schemes are being included in prompts. This creates both a security risk and a potential lawful intercept compliance exposure.

NIS2 Art. 21 — Network security GDPR Art. 32 OASF-DG-001
OASAT-F-005 · High
No AI-specific incident response capability
High

NordTel's existing incident response process does not include AI-specific incident categories or response procedures. In the event of an AI-related data breach, model manipulation, or governance failure, the organisation has no defined response path, escalation procedure, or GDPR 72-hour notification readiness.

GDPR Art. 33 — 72h notification NIS2 Art. 23 OASF-IR-001
OASAT-F-006 · High
EU AI Act high-risk classification gap — two use cases unaddressed
High

Two AI use cases identified in the assessment are likely classified as high-risk under EU AI Act Annex III: AI-assisted credit scoring for postpaid contract decisions, and AI-enabled network management for critical infrastructure. Neither has been through the required conformity assessment or human oversight framework required under the EU AI Act.

EU AI Act Annex III EU AI Act Art. 14 — Human oversight EU AI Act Art. 17
Regulatory Gap Analysis

Current compliance posture against applicable frameworks.

Assessment mapped NordTel's current AI governance controls against four applicable regulatory frameworks. Gap items represent requirements that are currently unmet and create regulatory exposure.

EU AI Act

Art. 9 — No AI risk management system in place
Art. 10 — No data governance for AI systems
Art. 12 — No record keeping / audit logging
Art. 14 — No human oversight framework
~
Art. 13 — Partial transparency measures

NIST AI RMF

GOVERN — No AI governance policies or accountability
~
MAP — Partial AI risk identification (this assessment)
MEASURE — No AI risk measurement or tracking
MANAGE — No AI risk management or controls

NIS2 Directive

Art. 21 — AI security measures not implemented
Art. 21 — Supply chain AI security not addressed
Art. 23 — No AI incident reporting procedure
~
General security measures partially applicable

GDPR + AI

Art. 5 — Data minimisation not enforced in AI
Art. 30 — No AI processing activity records
Art. 32 — No technical measures for AI security
~
Art. 33 — General breach notification exists
Remediation Roadmap

Prioritised governance programme — three phases.

The assessment recommends a structured three-phase remediation programme aligned to regulatory deadlines and operational risk priority. Phase 1 addresses immediate critical risks. Phase 2 builds the governance architecture. Phase 3 operationalises runtime enforcement.

Phase 1
Immediate Risk Reduction
Weeks 1–6
Implement interim AI usage policy — block consumer LLM access for sensitive roles
Deploy basic AI interaction logging for customer-facing business units
Conduct EU AI Act high-risk assessment for credit scoring and network management AI
Issue OASAP awareness training to customer service and network engineering teams
Establish AI incident response contact and notification procedure
Phase 2
Governance Architecture
Weeks 7–16
Deploy OASF governance framework across all six control domains
Build and publish approved AI model registry
Implement AI data classification policy and handling rules
Develop AI-specific incident response playbooks for all critical categories
Complete OASAP enterprise-wide awareness programme
Phase 3
Runtime Enforcement
Weeks 17–26
Deploy Aegis governed AI gateway as enterprise AI access point
Integrate OASF policy engine with Aegis runtime controls
Enable full AI audit logging and governance reporting
Connect Aegis audit trail to SIEM for continuous monitoring
First governance maturity review — target maturity 3.5+ across all domains

Ready to assess your AI governance posture?

This is a sample assessment for illustration purposes. A real OASAT assessment is scoped to your organisation — your industry, your AI environment, your regulatory obligations — and defines the governance that Aegis then enforces in production. Fixed price. Delivered in weeks.

Request Your Assessment View Assessment Pricing