Free · 10 minutes · No email required

The AI Posture Check.

30 questions. Six dimensions. Instant in-browser results. Mapped to OWASP LLM Top 10, NIST AI RMF, and ISO 42001. Built and operated by CWS.

The Posture Check evaluates six dimensions (governance, data, prompt, model, runtime, vendor) that map into CWS's eight-domain AI Security Program. The check gives you a fast self-scored snapshot. The full program adds AI supply chain, monitoring and response, transparency and oversight, and regulatory compliance as paid engagement workstreams.

0 of 30 answered

01 / 06

Governance

Does your organization have a written AI use policy that has been approved by leadership?

No policy exists 0 Identified the need, no action 1 Draft policy in progress 2 Approved policy in operation 3

Is there a named individual accountable for AI risk at executive level?

No 0 Identified, not assigned 1 Assigned, not yet integrated into risk-management 2 Named owner with signed-off accountability 3

Do you maintain an inventory of AI systems in use across the organization, including both internally-built and SaaS-delivered AI?

No inventory 0 Partial inventory of internally-built systems only 1 Inventory in progress 2 Continuously maintained inventory of internal and SaaS AI 3

Have you mapped your AI use to a recognized framework such as NIST AI RMF, ISO 42001, or the EU AI Act?

No mapping 0 Identified relevant frameworks 1 Mapping in progress 2 Documented mapping with regular reviews 3

Does your AI governance include a process for shadow / unsanctioned AI deployments to be discovered and brought into governance?

No process 0 Discovered through reactive incidents 1 Periodic discovery process 2 Continuous monitoring with documented response process 3

02 / 06

Data

Have you classified data that is permitted versus prohibited for input into AI systems (training, fine-tuning, prompts)?

No classification 0 Aware that classification is needed 1 Partial classification 2 Documented classification policy in operation 3

Do you control which users, systems, or roles can submit prompts containing sensitive data?

No controls 0 Acknowledged the gap 1 Partial controls (specific systems only) 2 Role-based prompt controls with audit trail 3

Are AI prompts and outputs logged for security and compliance review?

No logging 0 Identified the need 1 Partial logging (some systems) 2 Comprehensive logging with retention policy 3

Have you confirmed with your AI vendors that customer data is not used to train their underlying models?

No confirmation 0 Reviewing vendor terms 1 Some vendors confirmed 2 All vendors confirmed in writing 3

Q10

Do you have a process to handle data subject rights requests (deletion, rectification) for data submitted to AI systems?

No process 0 Identified the requirement 1 Process in development 2 Operational process aligned to applicable privacy law 3

03 / 06

Prompt

Q11

Have you tested your AI deployments for prompt injection attacks?

No testing 0 Identified the risk, no action 1 Informal manual testing 2 Formal testing as part of release cycle 3

Q12

Do you have input validation or sanitization in place for prompts before they reach the model?

No validation 0 Aware of the need 1 Partial validation 2 Comprehensive validation with documented rules 3

Q13

Do you have output filtering or classification on AI responses before they reach end users?

No filtering 0 Identified the gap 1 Partial filtering on specific use cases 2 Comprehensive output classification and filtering 3

Q14

Are you aware of the OWASP LLM Top 10 risks and have you mapped which apply to your deployments?

Not aware 0 Aware, no mapping 1 Partial mapping 2 Full mapping with mitigation plans 3

Q15

Do you red-team your AI deployments before production launch?

No red-teaming 0 Identified the gap 1 Informal red-teaming 2 Formal red-teaming with documented methodology 3

04 / 06

Model

Q16

Do you have a documented model selection process that includes security and bias evaluation?

No documented process 0 Process in draft 1 Partial process 2 Documented operational process 3

Q17

Are you aware of which models are in use across your AI deployments and tracking their version history?

No tracking 0 Partial tracking 1 Centralized inventory of model versions 2 Continuous version-tracking with change-management 3

Q18

Have you tested your AI for hallucination, sycophancy, or other model-specific failure modes relevant to your use case?

No testing 0 Identified the need 1 Partial testing 2 Documented testing as part of release cycle 3

Q19

Do you have a process to retire or replace models when better alternatives become available or current models become unsafe?

No process 0 Aware of the need 1 Process in development 2 Operational process with documented criteria 3

Q20

For internally-built or fine-tuned models, do you have controls to prevent model theft or extraction attacks?

No controls 0 Identified the risk 1 Partial controls (rate limiting, etc.) 2 Comprehensive controls including model fingerprinting 3

05 / 06

Runtime

Q21

Do you have rate limiting on AI API calls to prevent abuse?

No rate limiting 0 Identified the gap 1 Partial rate limiting 2 Comprehensive rate limiting with abuse detection 3

Q22

Do you have monitoring and alerting for unusual AI usage patterns (volume spikes, jailbreak attempts, sensitive data leakage)?

No monitoring 0 Identified the need 1 Partial monitoring 2 Comprehensive monitoring with documented response 3

Q23

Are AI deployments isolated such that compromise of one does not affect others?

No isolation 0 Identified the need 1 Partial isolation 2 Strong isolation with tested boundary controls 3

Q24

Do you have an incident response plan specifically for AI-related security incidents?

No specific plan 0 Generic IR plan covers it 1 AI-specific plan in development 2 AI-specific IR plan tested in tabletop 3

Q25

Do you have audit logging on AI usage for compliance and forensics?

No logging 0 Identified the need 1 Partial logging 2 Comprehensive logging with retention aligned to compliance 3

06 / 06

Vendor

Q26

Have you completed security due diligence on the AI vendors you use (Microsoft, OpenAI, Anthropic, Google, others)?

No due diligence 0 Identified the need 1 Partial due diligence 2 Comprehensive due diligence per vendor with documented evidence 3

Q27

Do your contracts with AI vendors include explicit terms on data handling, breach notification, and audit rights?

No specific AI terms 0 Reviewing vendor contracts 1 Partial coverage 2 Comprehensive AI-specific contractual terms 3

Q28

Have you confirmed your AI vendor's compliance posture (SOC 2, ISO 27001, ISO 42001, others) and reviewed the most recent attestation?

No confirmation 0 Aware of the need 1 Partial review 2 Comprehensive review of vendor attestations 3

Q29

Do you have a process to assess and approve new AI vendors before they are used in your environment?

No process 0 Identified the gap 1 Process in development 2 Operational vendor-onboarding process for AI 3

Q30

Do you continuously monitor your AI vendors for security incidents, model changes, and policy updates?

No monitoring 0 Reactive only 1 Periodic monitoring 2 Continuous monitoring with documented response 3

Answer all 30 questions to see your results. Your answers stay in your browser.

What happens next

Instant, private, in-browser.

Score and tier

Your total score (out of 90) plus per-dimension breakdown. A color-coded tier from Foundation to Leading.

Strengths and gaps

Top two dimensions become your strengths. Bottom two become your prioritized gap focus, with the specific question numbers you scored low on.

Recommendations

Three concrete next-step recommendations per gap dimension, citing OWASP LLM Top 10, NIST AI RMF, and ISO 42001.

You decide

Print the page, walk away, or click through to schedule a Discovery Call or Standard Audit with CWS. We don't contact you unless you reach out.