DAISEQ Advisory

Lead engagement, diagnostic

The Assurance Paradox Review

3 weeks. Typically £15,000 to £18,000 fixed fee.

Most organisations that have invested heavily in cyber security controls, passed their audits, and reported green to the board carry a quiet unease: nobody is sure whether the controls in place are doing what they claim to do.

Copilot inherits SharePoint and OneDrive permissions exactly as they exist today, surfacing years of accumulated oversharing. Shadow GenAI use through browsers sits outside DLP coverage built for email and endpoint. Sensitivity labels exist but do not propagate cleanly into AI response handling. Non-human identities and service principals carry permissions nobody re-reviewed when AI agents were turned on.

This is the Assurance Paradox: a posture that is audit-ready but exposure-blind. The Review surfaces it concretely, makes the risk visible, and gives the executive owner a defensible answer to the board's question of the moment.

"We have the tools, we passed audit, and I'm still not confident we're protected. What would actually happen if we were breached today?"

What the engagement produces

Four outputs, delivered over three weeks:

  • An exposure baseline across email, endpoint, M365, sanctioned and shadow AI surfaces, and non-human identity access patterns, mapped against your declared controls.
  • A prioritised remediation backlog structured across 30, 60, and 90 days, each item scoped with effort, expected risk reduction, and owning function.
  • A board-ready defensibility statement in plain English, mapped to relevant regulatory expectations including DORA, GDPR, and NIS2.
  • A findings walkthrough with your CISO and nominated counterparts, with priorities adjusted live against business context.

How it is different

This is not a maturity assessment or a compliance gap audit. It is a vendor-neutral diagnostic anchored to a published thesis, with a fixed scope, transparent pricing, and no associate delivery model.

Is this the right engagement?

This engagement fits when one or more of the following is true:

  • You have passed audit but carry genuine unease about real-world exposure.
  • You have rolled out Copilot or sanctioned GenAI and nobody is certain what it is surfacing.
  • Your board or regulator is asking questions you cannot yet answer with confidence.
  • You want an independent read before a major control investment or programme reset.

If your primary need is a vendor decision rather than a posture review, the Data Security Investment Review is likely the better fit. If you need an ongoing senior sparring partner rather than a one-time diagnostic, see the Data and AI Security Advisor retainer.

Commercials

Typically £15,000 to £18,000 for standard scope. Extended scope engagements, including multi-tenant, multi-geo, or post-M&A environments, are priced on request.

Detailed engagement scope, assumptions, and deliverables are confirmed in the proposal following the initial conversation.

Get in touch