Pillar 2, protect

Is your AI leaking what makes your business valuable?

AI IP Audit. Fixed scope. Days, not weeks.

A ranked map of how AI is being used across your business: sanctioned tools, shadow tools, vendor terms of service, employee usage patterns, AI-generated content. You leave with a remediation plan. Aligned to NIST AI RMF and ISO/IEC 42001.

Book a scoping call Trust and governance

What an AI IP Audit covers

A fixed-scope review of how AI is being used across your business. Sanctioned tools, shadow tools, vendor terms of service, employee usage patterns, AI-generated content posture. You leave with a ranked exposure report and a remediation plan.

  • The AI surface map. Every AI tool currently in use across the business, sanctioned or not. Browser extensions count. Copilot inside Microsoft 365 counts. The custom GPT a team built on the side counts.
  • The data-out audit. For each tool, what data is leaving the business, where it is going, and whether the vendor's T&Cs let them use it for model training, fine-tuning, or third-party analytics.
  • The employee-usage scan. Patterns of usage that look like routine but are quietly exporting client documents into vendor systems.
  • The output-ownership review. AI-generated content built on your proprietary inputs. Who owns it, who can claim it, who can subpoena it.
  • The ranked exposure report. Each finding scored by impact and likelihood. Items sorted by what to fix first.
  • The remediation plan. Concrete actions: vendor swap-outs, policy changes, technical guardrails, training. Self-servable by your team, or scoped as a follow-on engagement.

Frameworks we align to

  • NIST AI RMF. Govern, Map, Measure, Manage. The overlay used on every audit.
  • ISO/IEC 42001. AI management system controls applied where buyers require certifiable alignment.
  • OWASP LLM Top 10. Reference for the AI Security Testing service that sits under this practice.
  • MITRE ATLAS. Adversarial-tactics catalogue for the agentic red-team service that sits under this practice.

Where this comes from

Matt's chemical-engineering career was spent inside world-scale industrial facilities where the regulator could read every line. When the audit trail is the deliverable, you learn early that what leaves a system matters as much as what runs inside it. That instinct is the foundation of the AI IP Protection practice.

The methodology backbone comes from the sibling practice, Cyber Node, where manual penetration testing has been senior-practitioner-led since September 2023. The same reporting discipline applies: severity-rated findings, reproduction steps, remediation guidance.

Related services under this practice

The AI IP Audit is the diagnostic entry point. Two deeper engagements sit under the same Practice 2 umbrella:

  • AI Security Testing. Manual testing of AI features in production. OWASP LLM Top 10 against the live system.
  • Agentic AI Red Team. Adversarial assessment of agentic AI systems before they ship. Scope drift, evaluation rot, escalation gap.

How to engage

The AI IP Audit is A$8,500 + GST, fixed scope, typically four to five working days. Output is the report and the remediation plan, delivered in one piece, with a sixty-minute verbal debrief. Payment: 50% on scope-lock, 50% on delivery, net 7.

Book a scoping call Trust and governance

Frequently asked

Making sure the AI your business uses is not leaking what makes the business valuable. Four buyer questions: does our data train someone else's models, where do employee-pasted documents go, who owns AI-generated content built on our inputs, are vendor T&Cs letting us down on confidentiality. Core Nova's Practice 2 answers all four.

A fixed-scope review of how AI is currently being used across your business. We map the AI surface (sanctioned tools, shadow tools, vendor T&Cs, employee usage patterns, AI-generated content), rank the IP-exposure points, and hand back a remediation plan. Typically days, not weeks.

Different surface. A cybersecurity audit covers your network, endpoints, identity, and code. An AI IP audit covers the prompts, the documents employees paste in, the vendor terms of service, the AI-generated outputs and their ownership posture. Same governance discipline, different attack surface. We work with our sister practice Cyber Node where the engagement spans both.

NIST AI RMF (Govern, Map, Measure, Manage) is the overlay. ISO/IEC 42001 controls where the buyer requires certifiable alignment. OWASP LLM Top 10 and MITRE ATLAS for the testing services beneath this practice. Each engagement names which controls apply in the SOW.

The audit ends with a remediation plan. The remediation itself can be self-served by the buyer's team, or scoped as a follow-on engagement (typically rolled into a First Workflow build where the workflow itself becomes the IP-safe replacement for the leaky tool). We do not bundle remediation into the audit price because that would compromise the audit honesty.

Related

The cybersecurity practice on this estate is delivered by our sister brand Cyber Node. Where Cyber Node tests the cyber surface, Core Nova audits the AI surface. Same operating entity, same governance discipline, different attack class.