Reduce regulatory exposure
Demonstrate continuous oversight of AI use, as expected by NIS2 Art. 21, DORA ICT risk, EU AI Act Art. 26 and national supervisory authorities.
- NIS2 Art. 21
- DORA ICT
- EU AI Act Art. 26
- ISO 42001
Enterprise AI governance platform
Govern every AI your workforce uses. Before the regulator does.
Aiverto is the single, auditable source of truth for every AI tool a regulated workforce uses — EU-sovereign, aligned with NIS2, DORA, GDPR and the EU AI Act. We work directly with a selected cohort of design partners shaping each release.
Apply as a design partner45 minutes · with the founding team · NDA-ready
- EU-sovereign
- NIS2 · DORA · GDPR · EU AI Act aligned
- Design-partner programme
app.aiverto.eu / overview
Illustrative
AI exposure score
72/ 100 +6 this week
Unsanctioned tools
9
3 high risk
Prompts redacted
1,284
last 7 days
Top unsanctioned AIData class
- CChatGPTCustomer carePIIHigh
- CClaudeFinanceFinancialsHigh
- PPerplexityStrategyConfidentialMed
Board-level liability
Shadow AI is no longer a technology problem. It is a regulatory one.
Every unapproved model, prompt and attachment that leaves your organisation widens an exposure your board, your regulator and your customers will eventually ask you about.
- €670K
Average additional cost of a breach involving shadow AI.
IBM Cost of a Data Breach, 2024 - €35M or 7%
Maximum EU AI Act fine, measured against global annual turnover.
Regulation (EU) 2024/1689, Art. 99 - 71%
Of employees admit to using AI tools outside IT policy.
Salesforce Generative AI Snapshot
Outcomes
What Aiverto delivers to the business.
Aiverto is instrumented against four outcomes regulated buyers measure us on. Every module contributes to them.
Enable AI adoption safely
Say yes to ChatGPT, Copilot and Claude with guardrails, instead of bans your workforce will route around anyway.
- ChatGPT
- Copilot
- Claude
- Local models
Cut audit preparation from weeks to hours
Pre-built evidence packs for internal audit, external auditors, DPOs and regulators — always current, signed and exportable.
- Evidence packs
- Signed exports
- Control mapping
Protect customer and IP data
Stop sensitive data reaching third-party models. Redact PII, customer records and trade secrets before a prompt leaves the endpoint.
- PII
- Source code
- Customer records
- Trade secrets
One platform
One platform for every part of AI governance.
Five modules share one ledger, one policy engine and one evidence layer — adopted in the order that matches your organisation's risk posture.
Shadow AI detection
See every AI tool your workforce uses — browser apps, APIs, IDE assistants, local models, embedded SaaS AI — correlated to user, team and data class.
- Endpoint inventoryBrowser extensions, desktop apps, IDE plugins, local LLMs
- SaaS AI discoveryEmbedded AI features inside 350+ enterprise SaaS apps
- API egress mappingDetects direct model API calls from workstations and runners
- User & team attributionCorrelated to identity provider — not just device
The CISO view
What your security leadership sees on Monday morning.
A single pane covering every AI tool in use, every sensitive prompt redacted before it left the organisation, every policy decision taken — and the compliance evidence that goes with it.
Overview/Monday, 13 April
Search users, tools, prompts
MKAI exposure score
72/ 100
+6 wk
Sanctioned tools
14
+2
Unsanctioned tools
9
+1
Prompts redacted (7d)
1,284
+312
Endpoints covered
4,812/ 4,830
99.6%
AI exposure score · 90 days
72+18 vs. start of programme
Policy violations needing attention
Routed to your SOC queue in Sentinel · 4 open
- HighEngineering team using non-EU model endpoint12 users · Eng / Platform · first seen 3d ago
- HighSource code pasted into public ChatGPT1 user · Eng / Billing · blocked & quarantined
- MediumNew AI-summariser extension in useChrome extension · 41 installs · awaiting review
- MediumUnusual prompt volume from shared accountcall-center-shared-14 · 3.2× baseline
Top unsanctioned AI tools this week
Ranked by data sensitivity × user count
| Tool | Team | Users | Data class | Risk |
|---|---|---|---|---|
C ChatGPT chat.openai.com | Customer care | 214 | Customer PII | High |
C Claude claude.ai | Finance | 63 | Financials | High |
P Perplexity perplexity.ai | Strategy | 88 | Confidential | Medium |
G Gemini gemini.google.com | Marketing | 117 | Marketing | Medium |
M Midjourney midjourney.com | Design | 12 | General | Low |
Prompt redacted in flight
Aiverto · Customer-care workstation · 2 min ago
Redacted on endpoint
What the employee typed
Please summarise this complaint from customer Janez Novak, IBAN SI56 1910 0000 0123 456, regarding contract TS-2025-0471-SLO.
What the model actually receives
Please summarise this complaint from customer [CUSTOMER_01], IBAN [IBAN_01], regarding contract [CONTRACT_01].
Classes redacted
3
Name · IBAN · Contract ID
Model
gpt-4o
via sanctioned enterprise gateway
Employee action
Allowed
Policy: redact-and-send
Compliance posture
Continuous · mapped line-by-line to source regulation
- NIS2Art. 21 supervisory controlsEvidence pack current · signed 2d ago
- DORAICT third-party & incidentRegistry fields populated · 98% complete
- GDPRArt. 32 · AI prompt redaction1,284 events logged this week
- EU AI ActArt. 26 deployer obligationsTwo high-risk tools pending review
- ISO/IEC 42001AI management systemControl mapping in draft
Dashboard preview. Data anonymised for demonstration.
Fits the stack you already run
Slots into the stack your teams already use.
Aiverto publishes every AI-governance signal in the formats a regulated SOC, risk and identity team already operate on. The native integrations below cover the stacks most common across regulated European enterprises.
SIEM & observability
- MSMicrosoft Sentinel
- SSplunk
Identity
- MEMicrosoft Entra ID
- OOkta
Endpoint & EDR
- MDMicrosoft Defender
- CCrowdStrike
ITSM & GRC
- SServiceNow
Collaboration
- MTMicrosoft Teams
- SSlack
Aiverto exposes its full governance telemetry over standards-based interfaces — Syslog/CEF, OCSF, signed webhooks and a documented OpenAPI — so any enterprise stack integrates as a configuration step.Request the integration brief →
How it works
Lightweight to deploy. Immediate to act on.
The architectural detail your security-engineering reviewers will ask for before procurement opens a ticket.
- 01
Deploy in under 30 minutes
A signed user-space agent rolls out through your existing MDM. No kernel modules, no driver reboots, no network rewiring.
- 02
Discover every AI touchpoint
Aiverto maps browser AI tools, APIs, IDE assistants, local models and embedded SaaS AI features — correlated to user, team and data class.
- 03
Govern, anonymise and prove
Apply policy, redact sensitive prompts in flight, and generate the evidence your auditor and regulator actually want to see.
Sovereignty
Built in the EU. Run in the EU. Audited in the EU.
Aiverto is designed for operators of essential services and regulated institutions. The platform, the data it processes and the people who operate it are all within EU jurisdiction.
Hosted in Frankfurt and Helsinki
Two EU regions, active-active. Data never leaves EU jurisdiction. No transatlantic replication.
Outside US CLOUD Act scope
EU-incorporated entity, EU-owned infrastructure partners, EU citizens in every on-call rotation.
Customer-managed encryption keys
BYOK through your existing HSM or KMS. Aiverto cannot decrypt your prompt logs without your key.
Air-gapped deployment option
For critical infrastructure operators, a fully on-premise deployment is available with signed offline update bundles.
Built for regulated industries
Designed with the obligations of your sector in mind.
Telecommunications
AI oversight for essential-service operators.
Telcos are designated essential entities under NIS2 and hold some of the most sensitive personal data in the economy. Aiverto is built for large, distributed, multi-site workforces and for the reporting cadence supervisory authorities now expect.
- NIS2 Art. 21 supervision artefacts, ready to submit
- Protects CDRs, subscriber data and network configuration from model exfiltration
- Works across call-centre, field-engineering and retail endpoints
Financial services
DORA-grade controls over generative AI.
For banks, insurers and market infrastructures, AI is now an ICT risk. Aiverto gives risk functions the continuous evidence DORA expects — and keeps model use out of MiFID-regulated workflows it doesn't belong in.
- DORA ICT third-party registry fields, auto-populated
- Segregation of AI use between front-office, advisory and ops
- MiFID II record-keeping integration for AI-assisted communications
Public sector & critical infrastructure
Sovereign AI governance for national operators.
Ministries, energy operators and defence-adjacent organisations need AI oversight that does not route through US-owned infrastructure. Aiverto can be deployed fully on-premise and runs in classified environments.
- On-premise / air-gapped deployment available
- No foreign government legal reach over operational data
- Role-based access approvals integrated with national PKI
FAQ
What CISOs, DPOs and heads of risk ask us first.
If your auditor, your DPO or your works council would ask something that isn't here, we'll answer it on the briefing call. Every question becomes an artefact we leave with you.
Every prompt, detection and policy decision is logged to a signed, time-stamped ledger held in our Frankfurt and Helsinki regions. Auditors can be granted read-only tenant access, or you can export the ledger as a cryptographically verifiable evidence pack.
Next step
Join the Aiverto design-partner programme.
45 minutes with the founding team. NDA-ready. No sales pitch — we come with a view of the European regulatory landscape and a control-mapping template tailored to your sector. Design partners get early access and direct influence on the roadmap.
Apply as a design partner
Typical first meeting attendees: CISO · DPO · Head of Risk.
- Shape the product before v1 ships — direct influence on the roadmap.
- AI-exposure assessment template you can run before the meeting.
- Early access to evidence-pack drafts mapped to NIS2, DORA and the EU AI Act.
- No recording, no pipeline-forcing — the briefing ends when you say so.