Skip to Content

Free AI exposure self-check

Your team already uses AI. You can't see what leaves with it.

Your company's most valuable data, the proposal, the contract, the client base, leaves through the screen without a trace. In three minutes, this self-check shows where your company is exposed when the team uses artificial intelligence, and what stage your AI defense is at.

75%of knowledge workers already use AI at work
78%bring their own tool, without going through the company
5 yearsdata can stay retained on a personal AI account

Microsoft and LinkedIn, 2024 Work Trend Index (31,000 people, 31 countries) · Anthropic official documentation.

Start the self-checkTalk to a specialist

The self-check

Where your AI defense stands today

Twelve questions in business language, organized into the three layers. No technical jargon, no sensitive data: nothing your company uses is collected here. At the end, your AI Defense Stack, layer by layer.

Before we start, three quick answers to calibrate the reading to your context.

1
2
3

Governance

The rules and the proof that you are in control.

Visibility

Seeing the real AI use in your team.

Protection

The technical block at the exact point of risk.

Your result is ready

Get your full AI Defense Stack by email

The summary appears here on the screen. The full report, with the reading of each layer, what is at stake in your sector and the path to close the gaps, goes by email, ready for you to forward to whoever decides.

Get the full report

Report sent

Sent to

It arrives in moments. Because it is an automated message, it may land in your spam or junk folder: if you don't find it, check those folders and mark it as trusted.

Talk to an AI specialist

Why this matters now

The risk is not the AI. It is the data that leaves with it.

AI came in through the back door, one employee at a time. No one means harm: they paste the proposal to summarize, the contract to review. And the most valuable data leaves through the screen, with no record.

The detail almost no one knows

Personal account (free or paid)

The data goes to the maker

What the team types is sent to the company that makes the AI, stored on its servers, and can train its product, for up to five years.

Managed corporate account

The data stays protected

The same use does not train the maker's model, and the data is kept for only thirty days.

Most companies are in the first situation without knowing it. (Anthropic's official documentation for Claude; the other makers follow a similar structure, with details that vary by platform and plan.)

The other side of the risk

And when the attack is against the AI itself?

It is not only data leaving. The AI your team uses becomes a target too. Three real attacks, in plain language:

Prompt injection

Hidden text, in a document, email or website, tricks the AI into acting against you: leaking data or running an order no one gave.

The AI hands over the data

An AI connected to your systems can reveal, by accident, sensitive information it has access to, to someone who should not see it.

The assistant that acts on its own

Assistants that run tasks and code with the employee's access can be manipulated to do damage with that same access.

Attack types cataloged by the OWASP Top 10 for AI Applications (2025).

The full map

Defending AI use has three layers. Most providers deliver only one.

Selling only policy leaves the leak open. Selling only blocking proves control to no one. The three mirror the NIST AI RMF cycle, the official AI risk standard: govern, see the use, and manage the threat.

Prove control

Governance

Sets and proves the AI rules: a usage policy, what may never go into an AI, who approves a tool and the auditable evidence, under the NIST AI RMF and ISO/IEC 42001 standards. It answers: are we in control?

What it delivers

Usage policy, data classification, a catalog of approved tools and auditable evidence under NIST AI RMF and ISO/IEC 42001.

What fails without it

Without it, you may be protected and still not be able to prove to the board, the insurer or the auditor that you are in control.

See reality

Visibility

Uncovers reality: which AIs the team actually uses (ChatGPT, Copilot, Claude, Gemini), on company or personal accounts, and what no one approved. Without seeing it, you cannot protect it. It answers: what is happening now?

What it delivers

Discovery of real AI use, by name, across corporate and personal accounts, and what no one approved.

What fails without it

Without it, you govern and protect in the dark: you cannot tend to what you cannot see.

Block the risk

Protection

Acts at the moment of risk: it keeps sensitive data from leaving, controls which AIs are allowed, defends the company's AI against manipulation and supervises the assistants that take actions. It answers: are we protected now?

What it delivers

Blocking sensitive data at the moment of pasting, controlling which AIs are allowed and defending corporate AIs against manipulation.

What fails without it

Without it, the policy exists on paper, but nothing technically keeps the data from leaving right now.

Before you think: I already have web filtering

Web protection is the right foundation. It just was not built for this.

If your company already blocks dangerous sites, you did the right thing, and that foundation still holds. The point is different: an AI is not a dangerous site to block.

What web protection does, and does well: it blocks the bad site, the scam link, the attack domain. It is the first line of defense of any serious company, and Zamak operates that layer for its clients.
What it was not built to see: ChatGPT and Claude are good sites, which your team should use to produce more. The risk is not entering the site. It is the data that gets pasted into it. Blocking the tool does not solve it, and it pushes the team toward the personal version, beyond your reach. Cyberhaven, which monitors this flow, observes that sensitive corporate data is pasted into AI tools hundreds of times per week at a typical company, almost always through legitimate tools no one blocked.

That is why AI defense does not replace your web protection: it adds a new layer, designed for the exact place where data leaves. Together, they close the gap.

Where Zamak comes in

See, govern and protect AI use. As a program, not as a scare.

Zamak delivers the three layers in a single managed program, and starts with the diagnosis, low commitment, so you see your own reality before deciding the rest.

1. Diagnosis

We install a lightweight agent, discover the real AI use and deliver the exposure map. It is the low-commitment entry point, and it already shows the size of the problem with your own data.

2. Managed governance

We turn the diagnosis into a living program: policy, classification, an approved catalog and evidence ready for audit, board and insurer. Recurring, reviewed every quarter.

3. Technical defense

Defined after the diagnosis, it acts at the point of risk: it keeps data from leaving, controls the allowed tools and protects corporate AIs. The protection that policy alone cannot provide.

  • Assisted diagnosis: the real map of which AIs each area uses, by name, and the governance assessment under the NIST AI standard, with the report of what to prioritize.
  • Managed governance: an AI usage policy, data classification, a catalog of approved tools and auditable evidence under NIST AI RMF and ISO/IEC 42001, with continuous review.
  • Technical defense: blocking data from leaking to an AI, controlling which tools are allowed, reinforcing identity and protecting corporate AIs against manipulation.
  • Migration to managed accounts: moving the team off the personal accounts that train the model and onto a corporate environment that does not train and retains less.

The result: your company reaps the productivity gain of AI without the leak, the fine and the attack that come when no one is in control.

If nothing changes

The data that leaves today does not come back tomorrow.

Postponing AI defense does not freeze the risk, it grows with every week of ungoverned use. The contract lost over a broken data clause, the fine that arrives after the leak, the client who walks away on learning their data ended up in a public AI: none of it warns you first.

And there is the question the board asks afterward, never before: were we in control? Those who have the program answer with evidence. Those who do not answer with silence.

Start the self-check

Zamak has operated protection technology for fifteen years, is a Microsoft Solutions Partner and is a member of the Addee Elite Group. We operate with tools certified under SOC 2 Type II, ISO 27001, HIPAA and PCI DSS, and we act as the backbone behind your team, not as a replacement for it.

Questions that open the subject

What you may not have asked yet

It is the use of AI tools by employees without the company having approved it, or even knowing about it. It happens because AI is easy to adopt and delivers value instantly: the person solves their problem before any rule exists. The point is not the initiative, it is the lack of visibility and control over the data that goes into those tools.

Web protection blocks dangerous sites, and that foundation matters. But ChatGPT and Claude are legitimate sites, which your team should use. The risk is not in reaching the site, it is in the data that gets pasted into it. AI defense adds a layer made for exactly that point, without replacing your current filter.

They are the official standards for artificial intelligence governance. The NIST AI RMF is the AI risk-management framework from the United States standards institute, organized around trustworthiness: security, privacy, the ability to explain how AI reaches a decision, and accountability. ISO/IEC 42001 is the international, certifiable standard, in the same spirit as ISO 27001 for information security. They are the base on which Zamak structures governance.

No. It is a reading of your answers, not a scan of your environment. No sensitive data from your company is collected or sent here. The real usage map is work carried out under a program engagement, with your consent and inside your environment.

Blocking usually backfires: the team needs the tool to produce and ends up moving to the personal version, on the phone or at home, beyond any control. Modern defense does not forbid, it governs: it approves what makes sense, blocks what is risky and keeps productivity. Banning everything just pushes the problem to where you cannot see it.

Before the incident, always. AI adoption is already happening in your company today, and each week without governance raises the chance of important data leaving for good. The cost of structuring the defense is a fraction of the cost of a leak, a fine or a contract lost over a broken data clause.

The next step

See your exposure before someone else discovers it for you.

The self-check is free and takes three minutes. The report is yours to forward to whoever needs to decide.

See my exposure

Take the self-check and get your full AI Defense Stack.

Start now

Talk to a specialist

A conversation about your scenario and the governance assessment under the NIST AI standard.

Book a conversation

Explore the other diagnostics

Zamak's free suite of self-checks, from downtime cost to phishing.

See the suite

A demonstration reading, with no sensitive data collected. Real adequacy is deeper work, under a Zamak program engagement.